Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi

So why might this be relevant anyway? All management consoles should be in your separated management network anyway, right? Well, unfortunately that is not always the case:

shodandce1afd8621c8cf131afca4d7451dca5

As you can see about 85.000 ports from the VMware Authentication Deamon are open over the internet.
And you can even bruteforce accounts:
Further, during an onsite test you might find some esxi machines and credentials for management consoles. Also vulnerabilites might exist where it is possible to pwn the vm hypervisor via a virtual machine.
So what is to do for the blue team?
Here are some ideas:
– log network connections to the esxi servers
– log logins
– log changes to vms
– log creation of snapshots
– log reboots and uploads
… and when I say log I mean mainly, collect em. In the links section is an example for Elk and for Splunk.
Relevant log file entries in the vmware.log file for snapshots
The log for can be found in the datastore:
dslog4a7ef9d247c31587dd7399cf5a89bf55
And here is some output from the relevant logfiles after making a snapshot with VMWare Wokstation connected to the ESXi server:
log10c71e5f655bcec62fbf007ac4076d03c
And when doing a snapshot over ssh:
log27879476bcacfd758b78ccee433346b15
Advertisements

One thought on “Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi

  1. Pingback: Memdumps, Volatility, Mimikatz, VMs – Overview | govolution

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s