Introducing QELP: Parsing ESXi Logs for Incident Response
OVERVIEW
Threat actors frequently target ESXi servers to disrupt business environments and deploy ransomware to encrypt datastores. We have identified common tactics and techniques that threat actors use to disrupt services on ESXi servers. These TTPs include enabling SSH to access ESXi servers remotely, changing root user passwords to lock administrators out of ESXi servers, and deploying ransomware binaries to encrypt ESXi servers and datastores. Detecting this malicious activity can be time-consuming and challenging, especially when dealing with a large volume of logs from multiple ESXi servers or with logs that were partially encrypted during a ransomware incident.
To better overcome these analysis challenges, we are introducing an open-source CLI tool named Quick ESXi Log Parser (“QELP”) that will enhance investigations by swiftly parsing ESXi logs at scale and producing CSV reports in timeline format. Key features of QELP include:
1. Parsing ESXi logs from multiple ESXi servers in a timely and efficient manner.
2. Parsing partially encrypted ESXi logs.
3. Output to CSV reports for easy ingestion and analysis.
4. Timeline generation of the most relevant events to form an overall picture of what occurred on an ESXi server.
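The following is an added illustration of the three parsing features above (merging multiple hosts, skipping partially encrypted lines, CSV timeline output); it is not QELP's own code. The log line layout, the event patterns, and the sample lines are all constructed assumptions.

```python
import csv, io, re

# Constructed sample data, not real ESXi output: raw lines per collected file. The
# second file holds ciphertext where a line used to be (partially encrypted log).
SAMPLE_LOGS = {
    "esx01/var/log/hostd.log": [
        b"2024-03-10T08:21:40Z esx01 Hostd: [Vimsvc] Password changed for user root",
        b"2024-03-10T08:15:02Z esx01 Hostd: [Vimsvc] Service TSM-SSH started by user root",
    ],
    "esx02/var/log/auth.log": [
        b"2024-03-10T08:17:11Z esx02 sshd[4242]: Accepted password for root from 10.0.0.5 port 51234 ssh2",
        b"\x8f\x00\xe2\xff\x10\x9a\x7f\x03\x00\xd4",
        b"2024-03-10T08:30:00Z esx02 sshd[4250]: Session opened for root",
    ],
}
# Timestamp, host, message. Both the line layout and the event patterns are assumptions.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z\s+(\S+)\s+(.*)$")
EVENT_TAGS = [  # defender-facing tags for the TTPs discussed above
    ("ssh_service_enabled", re.compile(r"TSM-SSH.*(started|enabled)", re.I)),
    ("root_password_changed", re.compile(r"password changed for user root", re.I)),
    ("ssh_login", re.compile(r"^sshd\[\d+\]: Accepted ", re.I)),
]

def parse_line(raw: bytes):
    """Return a timeline row for a well-formed line, or None for ciphertext/garbled bytes."""
    m = LINE_RE.match(raw.decode("utf-8", errors="replace").strip())
    if not m:
        return None  # skip the unreadable line instead of aborting the whole file
    stamp, host, message = m.groups()
    tags = [tag for tag, pat in EVENT_TAGS if pat.search(message)]
    return {"timestamp": stamp + "Z", "host": host, "message": message, "tag": ",".join(tags)}

def build_timeline(logs):
    """Merge every parsable line from all hosts into one chronologically sorted list."""
    parsed = [(src, parse_line(raw)) for src, lines in logs.items() for raw in lines]
    rows = [{**row, "source": src} for src, row in parsed if row is not None]
    skipped = sum(row is None for _, row in parsed)
    return sorted(rows, key=lambda r: r["timestamp"]), skipped

def to_csv(rows):
    """Render the timeline as CSV with a fixed column order so reports line up across runs."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["timestamp", "host", "source", "tag", "message"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    timeline, skipped = build_timeline(SAMPLE_LOGS)
    print(to_csv(timeline) + f"{skipped} unparsable line(s) skipped")
```

The skipped-line count is worth reporting alongside the CSV: a high ratio of unparsable lines in one file is itself a signal that the log was tampered with or encrypted.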
We also cover how the logs can be collected from ESXi servers, so that the approach to log analysis is complete from acquisition through reporting.
Attendees will gain insight into threat actor activity observed on ESXi servers, learn which logs contain the relevant information, and receive a tool (QELP) that overcomes the challenges of parsing and analyzing ESXi logs.