DFIR4Sphere: Investigating VMWare vSphere Virtualization Platform

SANS Digital Forensics and Incident Response
SANS DFIR Summit 2022

Speaker: Léonard Savina

vSphere is VMware's virtualization platform, composed of hypervisors (ESXi) and a management console (vCenter). According to VMware, more than 80 percent of virtualized workloads run on VMware technology, which makes the platform a prime target for attackers. In this presentation I will show how to use the DFIR4vSphere PowerShell module to collect logs and forensic artefacts from both ESXi hosts and the vCenter console. By analyzing the two data sources together, the forensic analyst can characterize malicious activity on the virtualization platform. The presentation will show how ransomware groups target the vSphere infrastructure for maximal damage. I will also present how espionage groups use this platform to maintain access and to perform lateral movement and exfiltration against a Windows infrastructure without deploying a single piece of Windows malware. Using the DFIR4vSphere collection tool, the forensic analyst will be able to spot the TTPs attackers use to bypass defenses and stay under the radar. After this presentation the attendee will know what is important to investigate on a vSphere infrastructure and will be given a few leads on how to secure it.

View upcoming Summits:
Download the presentation slides (SANS account required) at
