govolution

Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi

So why might this be relevant anyway? All management consoles should be in your separated management network anyway, right? Well, unfortunately that is not always the case:

As you can see about 85.000 ports from the VMware Authentication Deamon are open over the internet.
And you can even bruteforce accounts:
https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmauthd_login
Further, during an onsite test you might find some esxi machines and credentials for management consoles. Also vulnerabilites might exist where it is possible to pwn the vm hypervisor via a virtual machine.
So what is to do for the blue team?
Here are some ideas:
– log network connections to the esxi servers
– log logins
– log changes to vms
– log creation of snapshots
– log reboots and uploads
… and when I say log I mean mainly, collect em. In the links section is an example for Elk and for Splunk.
Relevant log file entries in the vmware.log file for snapshots
The log for can be found in the datastore:
And here is some output from the relevant logfiles after making a snapshot with VMWare Wokstation connected to the ESXi server:
And when doing a snapshot over ssh:
Overview:
https://govolution.wordpress.com/2016/02/06/memdumps-volatility-mimikatz-vms-overview/
Links:
https://github.com/harrytruman/logstash-vmware
https://mtalavera.wordpress.com/2015/05/18/monitoring-vmware-esxi-with-the-elk-stack/
http://www.vhersey.com/2012/02/configuring-virtual-machine-vmware-log-file-rotation/
https://wiki.splunk.com/Community:VMwareESXSyslog
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007805