IT security is a matter of trust.

Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi

So why might this be relevant anyway? All management consoles should be in your separated management network anyway, right? Well, unfortunately that is not always the case:


As you can see about 85.000 ports from the VMware Authentication Deamon are open over the internet.
And you can even bruteforce accounts:
Further, during an onsite test you might find some esxi machines and credentials for management consoles. Also vulnerabilites might exist where it is possible to pwn the vm hypervisor via a virtual machine.
So what is to do for the blue team?
Here are some ideas:
– log network connections to the esxi servers
– log logins
– log changes to vms
– log creation of snapshots
– log reboots and uploads
… and when I say log I mean mainly, collect em. In the links section is an example for Elk and for Splunk.
Relevant log file entries in the vmware.log file for snapshots
The log for can be found in the datastore:
And here is some output from the relevant logfiles after making a snapshot with VMWare Wokstation connected to the ESXi server:
And when doing a snapshot over ssh:

Published by

One response to “Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi”

  1. […] The last weeks I experimented around with how to get user crendentials from memory dumps, and hopefully I will have the time to contiue this little “research” (I know, it is not really research when you just writup stuff 😉 ). There are many different ways to dump credentials as hashes or in cleartext from various types of memory dumps, so I think that will become a few short articles. I added links for sources and more in depth information. Highly interesting for me is how to obtain memory dumbs from virtual machines when you have access to the host system. Further I will have a look at countermeasures in a later part (whereby I mean monitoring and logging). Overview Part 1: Mimikatz & lsass.exe Dump Part 2: Windows 7 Full Memory Dump & Get Hashes Part 3: WinDBG Mimikatz Extension Part 4: Volatility & Mimikatz Part 5: Virtualbox & LM/NTLM Hashes Part 6: VMWare Workstation Part 7: ESXi Server Part 8: Attacking Scenario – Volatility on ESXi Part 9: Logging & Monitoring ESXi […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: