Hypervisor Hangover: Persistence Mechanisms on ESXi

JC (Crashwire), Nathan (Wham)

Cloud Village @ DEF CON 33 · Day 1

In the Cloud Village talk "Hypervisor Hangover: Persistence Mechanisms on ESXi," cyber threat analysts JC (also known as Crashwire) and Nathan (Wham) delve into the critical, yet often overlooked, area of post-exploitation persistence on VMware ESXi hypervisors. The presentation focuses on how attackers, once they've gained initial access to an ESXi host, can maintain a foothold across reboots and administrative actions, making detection and eradication significantly more challenging. This topic is particularly pertinent given the increasing targeting of hypervisors by both ransomware groups and sophisticated Advanced Persistent Threat (APT) actors.

AI review

Competent, well-structured walkthrough of ESXi persistence techniques with live demos and solid defensive context. Nothing here is new to anyone who followed the UNC3886 reporting or read the Mandiant VIB research, but it's packaged cleanly and the Secure Boot bypass for VIB acceptance levels is the one moment that earns its keep. Cloud Village tier, not Main Stage.
