Saturday September 12, 2026 10:30am - 11:30am CDT
VMware (Broadcom) products are the most commonly used enterprise hypervisors. This means a compromised vCenter or ESXi host gives attackers access to every virtual machine and credential in your environment. Defenders often lack visibility into what a post-exploitation attack against the hypervisor layer looks like. So, I built a tool to find out.
In this session, I'll walk through the real-world attack chains that threat actors use against VMware vSphere environments: extracting Kerberos keytabs and credential caches from ESXi hosts, decrypting stored VPX database passwords to pivot across every managed host, dumping JVM heap memory from vCenter to harvest SAML tokens, and forging certificates using stolen VMCA private keys. These are the techniques behind campaigns and APT operations targeting virtualization infrastructure today.
The core of this talk is a live demo of VEXED (vSphere EXploitation Extraction and Detection), an open-source tool I developed to automate these attack chains against vCenter and ESXi. Starting from a single SSH session, I'll show how VEXED chains credential extraction through VPX password decryption to automatically pivot across an entire vSphere cluster — mirroring the lateral movement patterns we as defenders need to detect and prevent.
But I didn't build this as a red team tool. I built it to answer a blue team question: what should I be looking for? For each attack chain I demonstrate, I'll map the corresponding detection opportunities: what logs are generated, what telemetry to forward to your SIEM, and what hardening controls actually break the chain. I'll cover VEXED's built-in hardening audit module, which checks over 20 security configurations across ESXi and vCenter, giving you a repeatable way to validate vSphere security posture. I'll also walk through the interactive attack graph output that visualizes the relationships between compromised credentials, certificates, and pivot paths… something I've found quite useful when communicating to leadership.
Attendees will leave with:
- A clear understanding of the most critical vSphere post-exploitation attack chains and how to detect them
- Practical SIEM detection logic for credential extraction, memory dumping, and lateral movement across vSphere infrastructure
- A hardening checklist validated against real attack tooling, not just vendor best practices
- An open-source tool you can run in your own lab to validate defenses before an attacker does

This session is for SOC analysts, infrastructure security teams, and anyone responsible for defending virtualized environments. No prior vSphere security experience is required, just a desire to understand what happens when the hypervisor layer is compromised and how to stop it.
Speakers
Darryl Baker, DFIRDeferred

Senior Staff Security Researcher, Netwrix
Darryl Baker is a Senior Staff Security Researcher at Netwrix, where he focuses on identity security and emerging attack techniques targeting enterprise authentication systems. With a background spanning security research, consulting, and adversary simulation, he specializes in uncovering...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk