{
  "type": "x-mitre-analytic",
  "spec_version": "2.1",
  "id": "x-mitre-analytic--1cd8c844-575a-44be-9fee-80cd988dc781",
  "created": "2025-10-21T15:10:28.402Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/detectionstrategies/DET0562#AN1554",
      "external_id": "AN1554"
    }
  ],
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "modified": "2025-10-21T15:10:28.402Z",
  "name": "Analytic 1554",
  "description": "ESXi hypervisor environmental validation behavioral chain: (1) Virtual machine inventory and configuration enumeration through vim-cmd and esxcli commands, (2) Host hardware and network configuration discovery for hypervisor environment validation, (3) Datastore and storage configuration reconnaissance, (4) vCenter connectivity and cluster membership validation, (5) Selective malware deployment based on virtualization infrastructure characteristics and target VM validation",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_platforms": [
    "ESXi"
  ],
  "x_mitre_log_source_references": [
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
      "name": "esxi:shell",
      "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration"
    },
    {
      "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
      "name": "esxi:hostd",
      "channel": "host daemon events related to VM operations and configuration queries during reconnaissance"
    }
  ],
  "x_mitre_mutable_elements": [
    {
      "field": "ESXiDiscoveryCommands",
      "description": "ESXi commands commonly used for hypervisor and VM reconnaissance"
    },
    {
      "field": "VMInventoryEnumerationThreshold",
      "description": "Number of VM inventory queries within a time window above which the activity is treated as reconnaissance"
    },
    {
      "field": "HypervisorEnvironmentBaseline",
      "description": "Normal hypervisor management activity patterns used to distinguish malicious reconnaissance from routine administration"
    },
    {
      "field": "DatastoreAccessPatterns",
      "description": "Unusual datastore access patterns indicating environmental validation or target selection"
    }
  ],
  "x_mitre_deprecated": false
}