In this section we will walk through the VMware NSX Advanced Threat Prevention platform features.

1. Ransomware Attack with NSX ATP Use-case

VMware NSX Advanced Threat Prevention platform features (Malware Prevention, Network Detection and Response) provide visibility into and protection against ransomware threats, allowing you to act quickly to mitigate attacks in your network.

To resolve the attack scenario in this lab, you will use these features across the four primary steps shown above.

2. Attack Story

The lab has deployed the NSX Advanced Threat Prevention security features in detect-only mode. This allows us to observe the entire multi-stage malware attack chain, from Initial Access to Execution to its last phase, the Exfiltration of the stolen data. An attacker has gained access to one of your employees' VDI Desktops through phishing. Moving laterally through your network, the attacker drops the DarkSide executable ransomware on a customer relationship management production Database Server (CRM-DB). As a final step, the attacker exfiltrates the confidential data from the Database Server.

The following lab flow will walk you through how to navigate this scenario using the capabilities of NSX Advanced Threat Prevention.

Note: The attack simulations are generated automatically in this lab, so you can start investigating the threat events directly.

3. Investigate malicious file downloads

Your first step will be to inspect the malicious file downloads captured by Malware Prevention.

Let's start the investigation of the attack from the NSX console, using it to review the threat events.

1. Navigate to Malware Prevention to start investigating the compromised VDI Desktop & Database workload.

  • From the top menu, click on Security (1) in NSX Manager.
  • From the side menu, click on Malware Prevention (2) under Threat Event Monitoring.
  • Change the Timeline (3) to Last 14 Days.

NSX NDR identifies threat movements in your network perimeter (North-South) as well as attacks that move laterally (East-West). It provides you with a visualization of the entire attack, including a complete campaign blueprint and detailed threat timeline.

4. Observe Potential Malware

Under Potential Malware, observe that a malicious file has been detected among the inspected files. Click the expand icon (1) to investigate. If you can't see this, toggle the Graph switch near the top right of the manager console to OFF to expand the malware details further. These are the details you will find:

  • DarkSide malware is downloaded from Attacker to VDI Desktop and the Database Server.
  • Attacker ( --> VDI Desktop (
  • Attacker ( --> CRM Database Server (192.168.20.xx)

Next, click the number next to Total Inspections (2)


Note: IP addresses in the lab will differ from those in the lab guide, but the subnet of each VM will be the same.

5. Total Inspections

  • Clicking the number next to Total Inspections (2) brings you here. You will see the malicious file activity detected by NSX Malware Prevention deployed on the NSX Edge Nodes. The Darkside.exe file has been downloaded from the server ( to the VDI Desktop ( and Database Server (192.168.20.x).
  • Click CLOSE (1) once you have reviewed the file activity.

6. Report Analysis

Back on our Inspected file, click on View Reports for the file darkside.exe as shown above for a detailed analysis.

7. Analysis Overview

  • The malicious file Analysis Overview gives you quick access to the malicious file type and its threat level. In this scenario, the malicious file was delivered inside a Zip-type archive. You will see the file's first submission time as well as the different hashes calculated for the Zip archive.

  • Next, scroll down to Threat Level. Under Threat Level, you'll find the complete risk assessment, including the antivirus family and class, the malware family, and the maliciousness score for the identified malware. The risk score for the detected malware artifact is set to high, which indicates a critical risk and that action should be prioritized.

8. Archive Inflation

  • Click on Report->Archive inflation
  • With the Advanced Malware Analysis NSX Sandbox, you can investigate the file further.
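The Analysis Overview lists several hashes of the delivered archive, and Archive Inflation unpacks its members for further analysis. The following added Python example (not code from the lab or from NSX) reproduces that step offline on a constructed, harmless zip: it hashes the archive and each inflated member with MD5, SHA-1 and SHA-256, and refuses to inflate members whose compression ratio or total size looks like a decompression bomb; the member name, its content and the size and ratio limits are assumptions.

```python
import hashlib
import io
import zipfile

# Constructed, harmless bytes standing in for a delivered executable (not a real binary).
SAMPLE_MEMBER = "sample.exe"
SAMPLE_CONTENT = b"MZ-constructed-sample-not-a-real-binary\n" * 8

MAX_INFLATED_BYTES = 50 * 1024 * 1024   # assumed budget for total inflated bytes
MAX_RATIO = 100                         # assumed limit: members expanding >100x are treated as bombs


def hash_bytes(data: bytes) -> dict:
    """Hash set typically shown for a submitted artifact."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_archive(member: str, content: bytes) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def inflate_archive(archive: bytes) -> dict:
    """Hash the archive, then inflate and hash each member within a size budget.
    Zip headers are attacker-controlled: declared sizes are checked before reading,
    and the real inflated size is counted again afterwards."""
    report = {"archive": hash_bytes(archive), "members": {}}
    total = 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ValueError(f"{info.filename}: compression ratio above {MAX_RATIO}x")
            data = zf.read(info.filename)
            total += len(data)
            if total > MAX_INFLATED_BYTES:
                raise ValueError("inflated size budget exceeded")
            report["members"][info.filename] = {"size": len(data), **hash_bytes(data)}
    return report


def is_rejected(archive: bytes) -> bool:
    """True when the inflation guard refuses the archive."""
    try:
        inflate_archive(archive)
    except ValueError:
        return True
    return False
```

The archive hash and the inflated member's hash differ, which is why a report lists both: a blocklist keyed only on the outer archive misses the same payload repackaged in a new zip.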

9. Advanced Malware Analysis NSX Sandbox - 1

  • The sandbox provides a dynamic analysis of the file with full-system emulation to enable accurate detection and prevention of unknown and advanced threats.
  • To access the dynamic analysis report, click the link icon highlighted under Score details.

10. Advanced Malware Analysis NSX Sandbox - 2

  • Inside the NSX Sandbox, you can access an analysis of the malware artifact's complete behavior and a list of the actions observed during dynamic analysis. The malware activity types are mapped to MITRE ATT&CK techniques for a better understanding of the malware attack chain.
  • Click CLOSE (1) after viewing the threat level report.

11. NSX Network Detection and Response (NDR)

2. NSX Network Detection and Response (NDR) enables you to visualize the complete campaign blueprint.

A Campaign is a correlated set of incidents that affect one or more workloads over a period of time. It provides visibility into the entire attack cycle, with the list of compromised hosts and the threats detected, along with a timeline of when the attack occurred.

To access the campaign blueprint:

  • Click Security Overview (1).
  • Under Security Overview, click Threat Event Monitoring.
  • Select Last 2 weeks (3) from the filter dropdown menu.
  • Click Go To Campaigns (4); this opens a new NSX Network Detection and Response tab in your browser.

12. NSX Security campaign

3. The NSX Security campaign page displays campaign cards. On these cards you'll find information such as the Campaign ID, the calculated threat score, the latest attack stage, the hosts affected, the number of threats, and the status of the campaign.

  • Click Campaign ID (1) to explore further details.

Note: Select the campaign that's at the EXFILTRATION stage.

13. Select the campaign ID

4. When you select the campaign ID, you will find details and an interactive graphical blueprint for that campaign.

  • View the THREATS widget (1) for the current threats that NSX NDR has detected. Threat severity is color-coded: Red for High, Yellow for Medium, and Blue for Low.
  • View the HOSTS widget (2) to see the hosts currently affected. Severity is color-coded the same way as for threats. Note: In this context a host is any device with an IP address, not a hypervisor.

14. Attack Stages widget

View the Attack Stages widget (top right) to find the current campaign's attack stages mapped to the MITRE ATT&CK framework. Hover the mouse over each attack stage to view its detailed information.

15. Campaign blueprint widget

View the Campaign blueprint widget for an interactive graphical representation of the campaign. It highlights hosts involved in the campaign (both internal and external to the network) and threats that affected the hosts.

16. NDR campaign blueprint

  • The NDR campaign blueprint maps each threat detection along with its techniques for a greater understanding of the key events in the campaign.
  • Drag the icons with your mouse to match the placement suggested above.
  • Inspect the blueprint to map each step described in detail, as shown in the following table.

17. Hosts tab

5. The Hosts tab (1) displays a list of the affected hosts with their threat information, so you can observe the latest activity for each attack stage.

18. Timeline view

6. The Timeline view shows the threats detected by NSX Network Detection and Response as Threat Cards:

  • Click Timeline (1). Each threat card under the timeline shows the host connected to the threat, the calculated threat score, the threat name, its class, and other actions.
  • Select Sort by Earliest (by start time) (2) to arrange the threat cards in the sequence in which the attacks occurred.

Observe the timeline on each threat card, event date and time, and IP address.

  • Click the expand icon > (3) to view the related evidence summary for the threat, as shown in the following table. To better understand the threat, note the evidence of the malware identified and the overview of how the malware behaved.
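The campaign cards, the Attack Stages widget and the Timeline described above are all derived from correlating individual detections. The following added Python example (not code from the lab or from NSX NDR) shows that derivation on constructed detections: events that share a host are grouped into one campaign, and each campaign gets a threat score, latest attack stage, hosts affected, threat count and an earliest-first timeline; the IP addresses, the event fields and the score thresholds for the colour bands are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Attack stages in the order the lab's story unfolds (MITRE ATT&CK tactic order).
STAGE_ORDER = ["Initial Access", "Execution", "Lateral Movement", "Exfiltration"]
Event = namedtuple("Event", "start src dst threat stage score")

# Constructed detections; the IPs are documentation-range placeholders, not lab values.
EVENTS = [
    Event("2024-01-10T09:05:00", "203.0.113.7", "10.0.0.5", "Phishing download", "Initial Access", 60),
    Event("2024-01-10T09:20:00", "10.0.0.5", "192.168.20.10", "SMB lateral movement", "Lateral Movement", 75),
    Event("2024-01-10T09:12:00", "203.0.113.7", "10.0.0.5", "DarkSide ransomware dropped", "Execution", 90),
    Event("2024-01-10T10:02:00", "192.168.20.10", "203.0.113.7", "Data exfiltration", "Exfiltration", 95),
    # An unrelated detection that shares no host with the chain above.
    Event("2024-01-11T08:00:00", "198.51.100.9", "10.0.0.77", "Port scan", "Initial Access", 30),
]


def severity(score: int) -> str:
    """Colour band for a score; the thresholds are an assumption, not NSX's documented values."""
    return "Red" if score >= 70 else "Yellow" if score >= 40 else "Blue"


def summarize(hosts: set, events: list) -> dict:
    """Card fields: threat score, latest stage, hosts affected, threat count, earliest-first timeline."""
    timeline = sorted(events, key=lambda e: datetime.fromisoformat(e.start))
    latest = max(events, key=lambda e: STAGE_ORDER.index(e.stage)).stage
    score = max(e.score for e in events)
    return {"hosts": sorted(hosts), "threats": len(events), "threat_score": score,
            "severity": severity(score), "latest_stage": latest,
            "timeline": [(e.start, e.threat, e.stage) for e in timeline]}


def correlate(events: list) -> list:
    """Group detections that share a host into campaigns (connected components of the host graph)."""
    adjacency = defaultdict(set)
    for e in events:
        adjacency[e.src].add(e.dst)
        adjacency[e.dst].add(e.src)
    seen, campaigns = set(), []
    for host in adjacency:
        if host in seen:
            continue
        component, stack = set(), [host]   # depth-first walk over hosts linked by a detection
        while stack:
            h = stack.pop()
            if h not in component:
                component.add(h)
                stack.extend(adjacency[h])
        seen |= component
        campaigns.append(summarize(component, [e for e in events if e.src in component]))
    return campaigns
```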

Once the analysis is completed, close the NSX NDR tab and switch to the NSX-T Manager browser window.

Next, you'll determine how to prevent future incidents by following the steps in the next section to configure the IDS/IPS and Malware Prevention policies.

19. Attack Prevention with IDS/IPS

IDS/IPS policies help to detect and prevent unusual traffic, malicious attacks, and security breaches in the environment. Malware Prevention policies detect and prevent malicious file transfers.

IDS/IPS and Malware Prevention policies are currently deployed in Detect-only mode. To prevent the attacks from happening in your environment, you should change the rules to Detect and Prevent.

Note: For this lab, users aren't allowed to publish the rules because the access level is read-only. However, the process of configuring IDS/IPS and Malware Prevention rules remains the same as described in the following steps.

20. Distributed Rules

1. Validate the Mode of the rules configured in IDS/IPS & Malware Prevention.

  • Click on Security (1).
  • Under Policy Management, click on IDS/IPS (2).
  • To validate the currently configured rules, click Distributed Rules.

21. Review Gateway Rules

  • Review the Gateway rules configured for Malware Prevention.
  • Click on Gateway Rules (1). Select Gateway NSXSecOps-T1-VDI from the drop-down.
  • Expand NSXSecOps-VDI (2) to check the mode of Gateway rules in Malware Detection-Employees. You will see that both rules are configured in Detect-only mode.

22. Detect and Prevent mode

2. Change the IDS/IPS & Malware Prevention rules to Detect and Prevent mode.

  • In the same Distributed Rules view, select IDS-Employees (1).
  • Click the dropdown menu for the mode and change to Detect and Prevent.
  • Follow the same steps for the Malware Detection-Employee (2).
  • Once the changes are made, click PUBLISH (3) to apply the rules.

In the following section, you will learn about NSX Distributed Firewall, which provides visibility and control for virtualized workloads and networks. The section will take you through the methods to prevent attackers from moving laterally within the environment using micro-segmentation of East-West communication between workloads.
