ANSSI-FR/DFIR4vSphere ANSSI-FR/DFIR4vSphere

  • Stars
    star
    138
  • Rank 264,508 (Top 6 %)
  • Language
    PowerShell
  • License
    GNU General Publi...
  • Created over 2 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ANSSI-FR/DFIR4vSphere
github

ANSSI-FR

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Powershell module for VMWare vSphere forensics

DFIR4vSphere

Docker Image CI

Table of contents:

  1. Module description
  2. Installation and pre-requisites
  3. Start-VC_Investigation data collection
  4. Start-ESXi_Investigation data collection
  5. Files generated
  6. Log analysis with Splunk
  7. When threat actors encrypts the vCenter

Module description:

The DFIR4vSphere PowerShell module collects logs and forensics artefacts on both ESXi hosts and the vCenter console.

The module has two main functions:

  • Start-VC_Investigation: This function will collect all vSphere API calls registered on the vCenter, these logs are called VI events. You can also collect only events considered of interest. ESXi inventory, vCenter permissions and users report is also generated by the function. Optionally, a support bundle for the vCenter appliance can be generated.
  • Start-ESXi_Investigation: Collects forensics data on a single or multiple ESXi hosts. Optionally, a support bundle for each hypervisor targeted can be generated.

DFIR4vSphere was first presented at the CoRI&IN 2022 (Conférence sur la réponse aux incidents et l’investigation numérique). Slides of the presentation, in french language, are available here. It was also presented at the SANS DFIR Summit 2022, a recording of the presentation is available here.

Installation and pre-requisites:

Manual Installation.

DFIR4vSphere uses the VMware PowerCLI module, please install it before using the module:

 Install-Module VMware.PowerCLI -Scope CurrentUser

Once installed locate your PowerShell modules path with the following command:

PS> $env:PSModulePath

Copy the DFIR4vSphere folder in one of the modules path, for example:

    %USERPROFILE%\Documents\WindowsPowerShell\Modules
    %ProgramFiles%\WindowsPowerShell\Modules
    %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\Modules

The DFIR4vSphere module is installed, restart the PowerShell console and load the module:

PS> Import-module DFIR4vSphere

You should then connect to the vCenter you are investigating before launching the data collection:

PS> Connect-VIServer %VC_Name%

Use Docker to run DFIR4vSphere.

Use docker-compose to build the image, run the container and mount a volume to retrieve logs:

sudo docker-compose run dfir4vsphere

The module is ready to use.

Start-VC_Investigation data collection:

Collect vCenter VI events for the last 30 days:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Start-VC_Investigation -StartDate $startdate -Enddate $enddate

Perform the same collection with the vCenter support bundle, do this in case you suspect a compromise on the vCenter appliance itself, in that case you should also perform a classic linux forensics investigation on the vCenter host:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Start-VC_Investigation -StartDate $startdate -Enddate $enddate -VCBundle

The LightVIEvents parameter, will collect only event types considered of interest. Use this option if the infrastructure beeing investigated is large and normal collection is too slow.

$enddate = get-date
$startdate = $enddate.adddays(-30)
Start-VC_Investigation -StartDate $startdate -Enddate $enddate -LightVIEvents

With the LightVIEventTypesId you can filter out what specific event types you would like to collect. A complete list of Event type IDs is available here. For example to retrieve only authentication events on the vCenter you can launch the following command:

$enddate = get-date
$startdate = $enddate.adddays(-30)
Start-VC_Investigation -StartDate $startdate -Enddate $enddate -LightVIEvents -LightVIEventTypesId "com.vmware.sso.LoginSuccess","com.vmware.sso.LoginFailure"

Default log retention for VI Events is 30 days, but you can try to retrieve older events. Sometimes logs are retrieved beyond configured retention strategy.

Start-ESXi_Investigation data collection:

This command will take as input an ESXi host by its name or retrieved with the Get-VMHost PowerCLI cmdlet. For example to perform a basic collection on all ESXi hosts attached to the vCenter:

Get-VMHost | Start-ESXi_Investigation

The above command will generate serveral CSV files describing running processes, open connections, local accounts and retrieve various configuration settings...

If you also need to retrieve local logs of the ESXi (such as shell.log or auth.log) you will need to generate a support bundle.

The below command retrieves every ESXi for a given cluster and generates for each hypervisor a support bundle.

Get-VMHost -Location %ClusterName% | Start-ESXi_Investigation -ESXBundle

You can also target a particular ESXi host and generate its support bundle by giving its name.

Start-ESXi_Investigation -Name %ESXi% -ESXBundle

Generating support bundles for every ESXi attached to a vCenter might take some time in large environments.

Files generated:

The files generated by each function are:

  • Start-VC_Investigation: A log and four CSV files are created in the root folder. VI Events are located in the VI_Events_%VC_Name% directory, if you collect all events they are a stored in a folder for each day, if you use the LightVIEvents parameter they are stored in a file by event type. Optionally if the VCBundle parameter is enabled, a tgz archive is generated in the Support_Bundles directory.
  • Start-ESXi_Investigation: A log is generated in the root folder. For each hypervisor investigated a folder %ESX_Name% is created, in that folder several CSV files are generated: Running processes, services, open connections are collected... Optionally if the ESXBundle parameter is enabled, a tgz archive is generated in the Support_Bundles directory.

Launching the various functions will generate a similar directory structure:

DFIR4vSphere_Collection
│   Start-ESXi_Investigation.log
│   Start-VC_Investigation.log
│   VC_ConnectionInfo_%VC_Name%.csv
|   VC_ESXiInventory_%VC_Name%.csv
│   VC_Permissions_%VC_Name%.csv
│   VC_Users_%VC_Name%.csv    
└───%ESX_Name1%
│    │   ESXi_%ESX_Name1%_DomJoin.csv
│    │   ESXi_%ESX_Name1%_General.csv
│    │   ESXi_%ESX_Name1%_Hostd.log
│    │   ESXi_%ESX_Name1%_Network_ARPCache.csv
│    │   ESXi_%ESX_Name1%_Network_DNS.csv
│    │   ESXi_%ESX_Name1%_Network_IPv4.csv
│    │   ESXi_%ESX_Name1%_Network_IPv4routes.csv
│    │   ESXi_%ESX_Name1%_Network_Netstat.csv
│    │   ESXi_%ESX_Name1%_Network_VMs.csv
│    │   ESXi_%ESX_Name1%_Network_vSwitchs.csv
│    │   ESXi_%ESX_Name1%_Services.csv
│    │   ESXi_%ESX_Name1%_Software_BaseImage.csv
│    │   ESXi_%ESX_Name1%_Software_Profile.csv
│    │   ESXi_%ESX_Name1%_Software_VIB.csv
│    │   ESXi_%ESX_Name1%_Software_VIBSigCheck.csv
│    │   ESXi_%ESX_Name1%_Storage_FileSystem.csv
│    │   ESXi_%ESX_Name1%_Storage_IOFilter.csv
│    │   ESXi_%ESX_Name1%_System_Accounts.csv
│    │   ESXi_%ESX_Name1%_System_Advanced-delta.csv
│    │   ESXi_%ESX_Name1%_System_Certstore.csv
│    │   ESXi_%ESX_Name1%_System_ExecPolicy.csv
│    │   ESXi_%ESX_Name1%_System_GuestRepo.csv
│    │   ESXi_%ESX_Name1%_System_modules.csv
│    │   ESXi_%ESX_Name1%_System_Kernel-Delta.csv
│    │   ESXi_%ESX_Name1%_System_permissions.csv
│    │   ESXi_%ESX_Name1%_System_process.csv
│    │   ESXi_%ESX_Name1%_System_version.csv
└───%ESX_Name2%
│    │   ESXi_%ESX_Name2%_DomJoin.csv
│    │   ESXi_%ESX_Name2%_General.csv
│    │   ...
└───Support_Bundles
│    │   esx-%ESX_Name1%-YYY-MM-DD.tgz
│    │   esx-%ESX_Name2%-YYY-MM-DD.tgz
│    │   vcsupport-%GUID%.tgz
└───VI_Events_%VC_Name%
│    │   VIEvents_%EventTypeId1%.json
│    │   VIEvents_%EventTypeId2%.json
│    │   ...
│    └───YYYY-MM-DD
│    |   │   VIEvents_YYYY-MM-DD_HH-00-00.json
│    |   │   ...
│    └───YYYY-MM-DD
│    │   │   VIEvents_YYYY-MM-DD_HH-00-00.json
│    │   │   ...
│    └───...

Log analysis with Splunk:

Once the collection is complete with both functions, you will get logs from:

  • Start-VC_Investigation: VI Events collected are in JSON format and can be easily indexed in Splunk by using the CreatedTime JSON field as timestamp.
  • Start-ESXi_Investigation: ESXi local logs retrieved in the support bundles and located in the /var/run/log directory can also be indexed by using source types available in the Splunk addon for ESXi.

When threat actors encrypts the vCenter:

In some ransomware case, the TA kills the VC and it can additionally reset local root ESXi accounts. In that case your only chance is to restore the vCenter from backup, compromised ESXi will then re-attach automatically to the vCenter and then you can launch DFIR4vSphere. To access again the compromised ESXi with local accounts you can perform a password reset through vCenter API calls (here is a script to perform the action https://www.hypervisor.fr/?p=5655)

More Repositories

1

AD-control-paths

Active Directory Control Paths auditing and graphing tools
C
650
star
2

rust-guide

Recommendations for secure applications development with Rust
Shell
591
star
3

ADTimeline

Timeline of Active Directory changes with replication metadata
PowerShell
466
star
4

bmc-tools

RDP Bitmap Cache parser
Python
465
star
5

polichombr

Collaborative malware analysis framework
Python
373
star
6

MLA

Multi Layer Archive - A pure rust encrypted and compressed archive file format
Rust
322
star
7

SecuML

Machine Learning for Computer Security
Python
271
star
8

libecc

Library for elliptic curves cryptography
C
258
star
9

DFIR-O365RC

PowerShell module for Office 365 and Azure log collection
PowerShell
240
star
10

ORADAD

Outil de récupération automatique des données de l'Active Directory / Automated tool for dumping Active Directory data
C++
215
star
11

SmartPGP

SmartPGP is a JavaCard implementation of the OpenPGP card specifications
Java
178
star
12

ASCAD

Side Channels Analysis and Deep Learning
Python
174
star
13

cry-me

CRY.ME (CRYptographic MEssaging application)
Kotlin
168
star
14

ultrablue

User-friendly Lightweight TPM Remote Attestation over Bluetooth
Kotlin
163
star
15

ctf

Epreuves de sélection de la TeamFR pour l'ECSC 2019.
Python
156
star
16

AD-permissions

Active Directory permissions (ACL/ACE) auditing tools
PHP
144
star
17

tabi

BGP Hijack Detection
Python
109
star
18

bootcode_parser

A boot record parser that identifies known good signatures for MBR, VBR and IPL.
Python
97
star
19

SysvolExplorer

Active Directory Group Policy analyzer
C++
94
star
20

Binacle

Full-bin indexation of binary files
Rust
92
star
21

audit-radius

A RADIUS authentication server audit tool
Python
79
star
22

AnoMark

Algorithme d'apprentissage statistique permettant de créer un modèle sur les lignes de commandes des évènements "Création de Processus", afin de détecter des anomalies dans les évènements futurs
Python
78
star
23

bits_parser

Extract BITS jobs from QMGR queue and store them as CSV records
Python
73
star
24

route_leaks

BGP Route Leaks Detection
Python
69
star
25

transdep

Discover SPOF in DNS dependency graphs
Go
67
star
26

SecAESSTM32

Bibliothèque C et assembleur permettant le chiffrement/déchiffrement AES-128 de messages pour des composants grand public (famille STM32F3/STM32F4)
C
67
star
27

x509-parser

a RTE-free X.509 parser
C
58
star
28

guide-journalisation-microsoft

Guide journalisation Microsoft
PowerShell
56
star
29

mabo

MRT Parser
OCaml
46
star
30

chipsec-check

Tools to generate a Debian Linux distribution with chipsec to test hardware requirements
Shell
45
star
31

lidi

Transfer a raw TCP or Unix stream or files through a unidirectional link with forward error correction
Rust
44
star
32

shovel

Web interface to explore Suricata EVE outputs
JavaScript
38
star
33

picon

Picon
C
38
star
34

nogaxeh

Tools for analyzing hexagon code
C++
38
star
35

secAES-ATmega8515

Secure AES128 Encryption Implementation for ATmega8515
Assembly
34
star
36

OVALI

Generic graph exploration, manipulation and visualization tool (Outil de Visualisation et Analyse de Liens Inter-objets)
JavaScript
34
star
37

Open-ISO7816-Stack

This project aims to provide an open-source implementation of the ISO7816-3 communication protocol from the reader side. This protocol is ruling the interactions between a smartcard and a card-reader when using its contacts to communicate
C
33
star
38

packetweaver

A Python framework for script filing and task sequencing
Python
26
star
39

IPECC

A VHDL IP for ECC (Elliptic Curve Cryptography) hardware acceleration
VHDL
26
star
40

ADCP-DirectoryCrawler

AD-control-paths LDAP submodule
C
18
star
41

WAAD

Détection d'anomalie à partir des journaux d'authentification Windows
Python
17
star
42

cardstalker

CardStalker provides a UART-driven smartcard reader at the T=1 (see ISO7816-3) level (link and physical layer), where most of the smartcard reader devices on the market are only providing an APDU interface (application layer).
C
17
star
43

sftp2misp

Automation script to download JSON MISP files from a SFTP server and import them via API to a MISP instance.
Python
15
star
44

mdbook-checklist

mdbook preprocessor for generating checklists and indexes
Rust
13
star
45

cornetto

Outil de gestion de version statique de site web
JavaScript
10
star
46

pciemem

Linux kernel module for driving an USB3380 board, exposing a /dev/pciemem device node on the analysis machine representing the physical memory of the machine under test
C
10
star
47

ORADAZ

Outil de récupération automatique des données AZure / Automated tool for dumping Azure configuration data
Rust
10
star
48

xsvgen

XML Schema Validator Generator
OCaml
10
star
49

ProTIP

ProTIP permet de caractériser la connectivité réelle entre composants d'une architecture PCI Express
Prolog
9
star
50

coq-prelude

General-purpose monad typeclass hierarchy for Coq
Coq
8
star
51

scep

Security Contexts for Enhanced Protection Linux Security Module
C
7
star
52

libdrbg

A portable library implementing NIST SP 800-90A DRBGs
C
7
star
53

Faults_analyzer

Logiciel d'analyse de campagnes de perturbations sur composants
Python
6
star
54

hackropole-hugo

A Hugo theme to host Capture-The-Flag (CTF) challenges as a static website like hackropole.fr.
HTML
6
star
55

caradoc

A PDF parser and validator
6
star
56

WSUS_Audit

Auditing scripts for WSUS infrastructures
6
star
57

DroidWorks

Rust
5
star
58

libapn

libapn is a header-based C++ library developed to study vectorial Boolean functions, including but not limited to APN functions.
C++
5
star
59

pycrate

A Python library to ease the development of encoders and decoders for various protocols and file formats; contains ASN.1 and CSN.1 compilers.
5
star
60

ADCP-libdev

AD-control-paths libraries submodule
C
5
star
61

caml-crush

Caml Crush: an OCaml PKCS#11 filtering proxy
3
star
62

Faults_experiments

Résultats bruts de campagnes de perturbation de composants réalisées par le laboratoire de sécurité des composants de l'ANSSI
Python
2
star
63

eurydice

A user-friendly solution to transfer files through a physical diode using the Lidi utility, complete with data retention, file history, user accounts and admin management. Provides a scriptable API and a web interface.
2
star
64

DECODE

Malware detection tool for Windows PE files based on DFIR ORC data
Python
2
star
65

scantru

Non-Profiled Side Channel Analysis on NTRU
Jupyter Notebook
1
star
66

concerto

Toolset to analyse TLS datasets
1
star
67

opkcs11-tool

opkcs11-tool: managing and operating PKCS #11 security tokens in OCaml
1
star