Many organizations make a critical mistake when responding to actively exploited zero-day vulnerabilities: they patch but don’t investigate.
Think about it this way: If your front door was left wide open for weeks, would you just lock it and walk away? If attackers had unrestricted access to your environment, simply closing the door won’t undo the damage. The real problem isn’t the vulnerability itself – it’s what happened while your systems were exposed.
The Real Threat is What You Don’t See
VMware has confirmed three zero-day vulnerabilities in ESXi (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) that were already being exploited before the fix shipped; they allow an attacker who controls a guest VM to escape to the hypervisor. As expected, VMware has released patches. But patching alone won't tell you whether attackers already breached your hosts.
The right question at this stage should be: Did attackers already gain access to your IT environments?
If your ESXi hosts were vulnerable, you must be able to answer the following:
- Were attackers already inside?
- Did they steal credentials, sensitive configurations, or data?
- Have they installed backdoors or persistence mechanisms?
- Did they move laterally and escalate privileges?
- Are there hidden scripts, tools, or logs covering their tracks?
A patch prevents future exploitation, but it doesn't reveal what happened before it was applied. If you don't investigate, you're operating on blind trust. If you rely on patching alone, you're leaving the hardest question unanswered: Are they still inside?
Compromise Assessments: The Missing Piece in Zero-Day Response
A compromise assessment is not a routine vulnerability scan; it is a retrospective forensic analysis designed to uncover intrusions that have already happened. EDR and antivirus tools watch for activity as it occurs (and cannot be installed on ESXi at all), whereas a compromise assessment examines the artifacts left on the system for traces of past exploitation, persistence, and lateral movement.
With a compromise assessment, you can:
- Identify attacker tools and backdoors: hidden scripts, web shells, or credential dumps
- Detect lateral movement: signs of compromised accounts or unusual connections
- Uncover persistence mechanisms: registry changes, scheduled tasks, rogue services, or modified startup scripts
- Analyze system integrity: data exfiltration, file modifications, or deleted logs
Simply put: A compromise assessment answers the questions that patching ignores.
How to Investigate ESXi Compromises with THOR
VMware ESXi hosts are high-value targets for attackers because of their central role in virtualized environments and the lack of built-in security tooling. Since third-party endpoint agents cannot be installed on ESXi, forensic investigation and compromise assessment require a different approach. THOR provides two methods for this purpose.
1. THOR Thunderstorm: File-Based Live Scanning on ESXi
THOR Thunderstorm enables agentless forensic scanning by collecting and analyzing forensic artifacts from ESXi hosts.
- One-time assessments: The Python-based Thunderstorm Collector is copied to the ESXi host and executed locally (ESXi ships with a Python interpreter, so no additional runtime is needed) to collect relevant files, such as configuration files and logs. The collector applies default filtering criteria but can be customized to select files by modification date, size, and type (e.g., all files modified within the last 30 days).
- Periodic compromise assessments: If Secure Boot is disabled, a persistent job can be configured to regularly collect artifacts from the ESXi host. If Secure Boot is enabled, periodic collection must be configured using Ansible, following Nextron’s implementation guidelines.
- Forensic analysis: Collected files are automatically uploaded to THOR Thunderstorm for real-time analysis, leveraging YARA and Sigma rules to detect hidden attacker activity, unauthorized changes, and persistence mechanisms.
Best for:
- Agent-less, forensic collection from ESXi hosts.
- Environments requiring continuous or scheduled compromise assessments.
- Situations where Secure Boot settings impact persistent collection methods.
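To make the collection step concrete, here is a small collector in the same spirit as the one described above. It is an added example, not Nextron's Thunderstorm Collector, and two things in it are assumptions: the list of ESXi directories worth collecting, and the upload endpoint (`POST /api/checkAsync` with a multipart field named `file` and a `source` query parameter), which should be checked against the Thunderstorm API documentation before use.

```python
"""Added example: select recently modified artifacts under an ESXi root and
upload each one to a THOR Thunderstorm server. Not the Nextron collector."""
import os
import time
import uuid
import urllib.request

# Assumed set of ESXi directories holding assessment-relevant artifacts:
# configuration, startup scripts, the root crontab, and log files.
ESXI_ARTIFACT_DIRS = ("etc", "var/log", "var/spool/cron", "scratch/log")

# Large VM disk and memory images are never worth shipping to a file scanner.
SKIP_SUFFIXES = (".vmdk", ".vswp", ".vmem", ".vmsn")


def select_artifacts(root, max_age_days=30, max_size=20 * 1024 * 1024,
                     now=None, dirs=ESXI_ARTIFACT_DIRS):
    """Return sorted relative paths of regular files below root/<dirs> that
    were modified within max_age_days and are at most max_size bytes."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    selected = []
    for sub in dirs:
        for dirpath, _dirs, filenames in os.walk(os.path.join(root, sub)):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or name.endswith(SKIP_SUFFIXES):
                    continue  # never follow links out of the tree
                try:
                    st = os.stat(full)
                except OSError:
                    continue  # file vanished or unreadable; skip, don't abort
                if st.st_size > max_size or st.st_mtime < cutoff:
                    continue
                selected.append(os.path.relpath(full, root))
    return sorted(selected)


def build_multipart(field, filename, data, boundary):
    """Encode one file as a multipart/form-data body (no third-party libs,
    because the ESXi Python has none)."""
    return b"".join([
        f"--{boundary}\r\n".encode(),
        f'Content-Disposition: form-data; name="{field}"; '
        f'filename="{filename}"\r\n'.encode(),
        b"Content-Type: application/octet-stream\r\n\r\n",
        data,
        f"\r\n--{boundary}--\r\n".encode(),
    ])


def upload_to_thunderstorm(root, relpath, server, source):
    """Upload one artifact. ASSUMPTION: Thunderstorm accepts the file on
    /api/checkAsync in form field 'file', with 'source' naming the host."""
    boundary = uuid.uuid4().hex
    with open(os.path.join(root, relpath), "rb") as fh:
        body = build_multipart("file", relpath, fh.read(), boundary)
    req = urllib.request.Request(
        f"{server}/api/checkAsync?source={source}", data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def collect_and_upload(root="/", server="http://thunderstorm.example:8080",
                       source="esxi01", max_age_days=30):
    """Run the full one-time collection: select, then upload each artifact."""
    uploaded = []
    for rel in select_artifacts(root, max_age_days=max_age_days):
        if upload_to_thunderstorm(root, rel, server, source) in (200, 201, 202):
            uploaded.append(rel)
    return uploaded


if __name__ == "__main__":
    for rel in select_artifacts("/"):
        print(rel)
```

Run it on the host with `python collector.py` first to see what the filter selects before pointing `collect_and_upload` at a real Thunderstorm server; the age and size limits are the knobs to adjust when a host has been exposed for longer than 30 days.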
2. THOR with SSHFS: Remote File System Scanning
THOR can be used to scan an ESXi system remotely by mounting its file system via SSHFS and analyzing files from a separate scanning host.
- Setup: The scanning host requires a direct SSH connection to the ESXi system for the whole duration of the scan. The SSH service on ESXi is disabled by default and must be enabled for the assessment; mount the remote file system read-only so the scan cannot alter evidence.
- File transfer overhead: Unlike Thunderstorm, where only selected forensic artifacts are uploaded for analysis, SSHFS scanning reads every file THOR opens over the SSH connection, resulting in higher and sustained network load.
- Deep forensic analysis: THOR is used to scan logs, binaries, and other suspicious files with custom YARA and Sigma rules, providing a comprehensive compromise assessment.
Best for:
- Thorough post-compromise forensic investigations.
- Cases where SSH access to ESXi is available and sustained network load is acceptable.
- Advanced hunting for persistence mechanisms and hidden threats.
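Whichever method delivers the files, two ESXi artifacts deserve a dedicated look for persistence: the startup script `/etc/rc.local.d/local.sh`, which on a stock host contains only comments and `exit 0`, and the root crontab `/var/spool/cron/crontabs/root`. The following added example (not from the page and not part of THOR) triages both, taking the root of an SSHFS mount or a collected artifact tree as input; the baseline of stock cron commands is an assumption that should be regenerated from a clean host of the same ESXi build, and the sample file contents are constructed.

```python
"""Added example: flag non-stock entries in ESXi's local.sh and root crontab,
read from an SSHFS mount point or a collected artifact directory."""
import os
import re

# ASSUMED baseline of stock root cron commands; rebuild it from a clean host
# of the same ESXi build before relying on it.
BASELINE_CRON_COMMANDS = {
    "/sbin/tmpwatch.py",
    "/sbin/auto-backup.sh",
    "/usr/lib/vmware/vmksummary/log-heartbeat.py",
    "/bin/hostd-probe.sh ++group=host/vim/vmvisor/hostd-probe/stats/sh",
    "localcli storage core device purge",
    "/bin/crx-cli gc",
}


def findings_in_local_sh(text):
    """Stock local.sh holds only comments and 'exit 0'; every other
    statement is a candidate persistence entry. Returns (lineno, line)."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        hits.append((lineno, line))
    return hits


def findings_in_root_crontab(text, baseline=BASELINE_CRON_COMMANDS):
    """Split each cron line into five schedule fields plus the command and
    return commands absent from the baseline. Returns (lineno, command)."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            hits.append((lineno, line))  # malformed entry: look at it anyway
            continue
        command = re.sub(r"\s+", " ", parts[5])
        if command not in baseline:
            hits.append((lineno, command))
    return hits


CHECKS = (
    ("local.sh", "etc/rc.local.d/local.sh", findings_in_local_sh),
    ("crontab", "var/spool/cron/crontabs/root", findings_in_root_crontab),
)


def triage_mount(root):
    """Run both checks against files below root (e.g. the SSHFS mount)."""
    results = {}
    for key, rel, check in CHECKS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[key] = check(fh.read())
    return results


# Constructed samples for demonstration, not output from a real host.
SAMPLE_LOCAL_SH = """#!/bin/sh
# local configuration options
# Note: modify at your own risk!
/bin/nohup /bin/sh /scratch/.cache/a.sh >/dev/null 2>&1 &
exit 0
"""
SAMPLE_CRONTAB = """#min hour day mon dow command
1    1    *   *   *   /sbin/tmpwatch.py
1    *    *   *   *   /sbin/auto-backup.sh
*/5  *    *   *   *   /bin/sh /scratch/.cache/a.sh
"""

if __name__ == "__main__":
    print(findings_in_local_sh(SAMPLE_LOCAL_SH))
    print(findings_in_root_crontab(SAMPLE_CRONTAB))
```

Every hit from either function is a lead, not a verdict: the next step is to pull the referenced script (here `/scratch/.cache/a.sh`) through the same scan and check its timestamps against the exposure window.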
For more details on ESXi compromise assessments using THOR, refer to: How to Scan ESXi Systems Using THOR.
Patching Alone Won’t Tell You If You’ve Been Breached – THOR Will
Patching is essential, but it must be combined with a compromise assessment to confirm that nothing happened while the hosts were exposed. Instead of assuming you're safe because a patch is applied, use a deep forensic investigation to uncover any traces of an attacker's presence.
If your security plan relies solely on waiting for patches, you’re always reacting too late – plus, you may already have an active breach.
Don’t leave your security to chance. Contact us to learn how THOR can help you verify whether attackers have already compromised your infrastructure.