ATT&CK v17 and the Increasingly Targeted ESXi Attack Surface
As enterprise virtualization scales, hypervisors such as VMware ESXi have become critical, and increasingly exploited, attack surfaces. A single compromised host can take down every guest it runs, so the blast radius is the whole cluster rather than one machine. High-profile incidents such as the Scattered Spider intrusion at MGM Resorts ($110M) and the Johnson Controls ($51M) breach demonstrate the operational fallout that follows when this layer is compromised.
This session offers a deep dive into the real techniques ransomware groups use to breach ESXi environments, including:
Remote execution via Service Location Protocol (SLP)
Identity escalation through misconfigured Active Directory integrations
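As an added example (not material from the talk or from Vali Cyber), the script below shows the kind of hardening check the SLP item above implies. It assumes the VMware-documented controls for SLP on ESXi: the firewall ruleset named CIMSLP (port 427) and the slpd service. The parser operates on the text of `esxcli network firewall ruleset list`, so it can be exercised off-host on the constructed sample; the remediation commands run only when `esxcli` is actually present.

```shell
#!/bin/sh
# Added example: audit whether SLP is exposed on an ESXi host and disable it.
# Assumes VMware's published guidance (CIMSLP firewall ruleset, slpd service).
# Newer ESXi builds ship with SLP disabled or removed, so "missing" is a
# legitimate result and is treated as not exposed.

# Parse `esxcli network firewall ruleset list` output on stdin.
# Prints "true"/"false" for the CIMSLP rule, or "missing" if no such rule.
slp_ruleset_state() {
    awk '$1 == "CIMSLP" { print tolower($2); found = 1 }
         END { if (!found) print "missing" }'
}

# Constructed sample in the Name/Enabled table layout esxcli prints.
SAMPLE_RULESETS='Name                          Enabled
----------------------------  -------
sshServer                     true
CIMSLP                        true
CIMHttpServer                 false'

# Returns 0 (finding present) when SLP is reachable, 1 otherwise.
slp_exposed() {
    state=$(printf '%s\n' "$1" | slp_ruleset_state)
    case "$state" in
        true)  echo "CIMSLP ruleset enabled: SLP (port 427) reachable"; return 0 ;;
        false) echo "CIMSLP ruleset disabled"; return 1 ;;
        *)     echo "CIMSLP ruleset absent (SLP not present in this build)"; return 1 ;;
    esac
}

# Stop the daemon, close the firewall rule, and keep slpd off across reboots.
disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found; not running on ESXi, skipping remediation"
        return 2
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

if command -v esxcli >/dev/null 2>&1; then
    live=$(esxcli network firewall ruleset list)
    slp_exposed "$live" && disable_slp
else
    # Off-host: run the check against the constructed sample only.
    slp_exposed "$SAMPLE_RULESETS"
fi
```

Run it in the ESXi shell to audit and remediate in one pass; anywhere else it only evaluates the sample. Disabling SLP removes the CIM discovery path some management tools used, so confirm nothing in your monitoring stack still depends on it before rolling the change out fleet-wide.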
With ATT&CK v17 formally adding ESXi as a platform in the Enterprise matrix, these attack paths now have a structured place in the framework, reflecting what defenders have already observed in the wild. Joseph Comps, Threat Intelligence Analyst at Vali Cyber, walks through how each phase of these intrusions maps to specific ATT&CK techniques and how that mapping strengthens detection, hunting, and hardening strategies.
Viewers will leave with a practical grasp of hypervisor-layer tradecraft and a clear framework for closing visibility and coverage gaps. This talk is ideal for red teamers, blue teamers, and infrastructure defenders securing one of the most overlooked—and increasingly targeted—layers of enterprise infrastructure.
Joseph Comps, Threat Intelligence Analyst, Vali Cyber
Joe is a Threat Intelligence Analyst at Vali Cyber and conducts Red Team assessments for the company. He holds a bachelor's degree in Cybersecurity from the University of Maryland and spent the majority of his early career in the Marine Corps and Air Force Special Warfare.