AN0078: Analytic 0078
Detects HTTP or HTTPS communication initiated by shell-based scripts or management daemons, especially those reaching public IPs over ports 80/443 using embedded curl or wget.
Analyst context for executives and security teams
AN0078 is an ESXi-focused detection analytic for outbound HTTP/HTTPS activity started by shell-based scripts or management daemons, especially to public IP addresses on ports 80/443 using embedded curl or wget. For leaders, the value is not the tool names themselves; it is whether critical virtualization infrastructure has enough egress visibility to distinguish approved management automation from unexpected outbound communications.
Executive priority
Treat this as a control-coverage question for virtualization resilience and audit readiness: can the organization prove what ESXi hosts are allowed to contact, which scripts or daemons initiate that traffic, and whether public Internet connections over common web ports are monitored? This helps prioritize ESXi management-plane logging, network segmentation, and incident response evidence collection without assuming any specific adversary or impact.
Technical view
SOC and IR teams should validate whether ESXi hosts generate usable evidence for outbound HTTP/HTTPS sessions, destination IP scope, ports 80/443, and initiating process or script context where available. Because ATT&CK provides no tactic, relationship, or analytic logic beyond the description, detection engineering should focus on environment-specific baselining of shell scripts, management daemons, curl, and wget usage on ESXi systems.
Likely telemetry
- ESXi host logs showing shell or management daemon activity, where collected
- Process or command-line evidence for curl, wget, or embedded web-client execution, where available
- Network flow, firewall, or proxy records for ESXi outbound traffic to public IP addresses
- Destination port and protocol metadata for HTTP/HTTPS over 80/443
- Asset inventory identifying which systems are ESXi hosts and which management networks they use
Detection direction
- Confirm ESXi outbound web traffic is visible; many environments monitor guest workloads better than hypervisor management planes.
- Baseline approved scripts, management daemons, update mechanisms, monitoring, and backup workflows that legitimately use HTTP/HTTPS.
- Prioritize alerts where shell-based scripts or daemons initiate connections to public IPs over 80/443 and the destination is not expected for that host or management function.
- Tune for false positives from authorized automation while preserving enough detail for incident responders to identify the initiating script, daemon, host, destination, and time window.
- Document gaps where process-level context is unavailable and compensate with network egress controls and stronger asset-based correlation.
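One way to turn the detection direction above into triage logic, added here as an example and not part of the ATT&CK object or of this page: it filters constructed outbound-session records for shell-, curl- or wget-initiated connections to public IPs on 80/443 and suppresses destinations on a per-host approved list. The event records, host names, destinations, internal ranges, approved list and initiator pattern are all assumptions, not real ESXi output.

```python
import ipaddress
import re

# Constructed sample events (not real ESXi telemetry): one record per outbound
# session, assumed to be built by joining host flow records with shell/daemon
# process context where the environment can supply it. RFC 5737 documentation
# addresses stand in for public destinations.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01Z", "host": "esxi-01",
     "initiator": "/bin/sh -c wget http://203.0.113.10/x", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"ts": "2024-03-01T10:00:05Z", "host": "esxi-01",
     "initiator": "vpxa", "dst_ip": "10.20.0.5", "dst_port": 443},
    {"ts": "2024-03-01T10:01:00Z", "host": "esxi-02",
     "initiator": "/bin/sh backup.sh", "dst_ip": "198.51.100.25", "dst_port": 443},
    {"ts": "2024-03-01T10:02:00Z", "host": "esxi-02",
     "initiator": "curl https://198.51.100.77/", "dst_ip": "198.51.100.77", "dst_port": 443},
    {"ts": "2024-03-01T10:03:00Z", "host": "esxi-02",
     "initiator": "curl http://198.51.100.77:8080/", "dst_ip": "198.51.100.77", "dst_port": 8080},
]

# Assumed per-host baseline of approved public destinations (backup, update,
# monitoring); in practice this comes from the environment's own inventory.
APPROVED = {"esxi-02": {"198.51.100.25"}}

# Assumed internal address space; anything outside it is treated as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Initiator is a shell or an embedded web client (path or bare command).
INITIATOR_RE = re.compile(r"(^|/|\s)(sh|ash|bash|curl|wget)(\s|$)")


def is_shell_or_webclient(initiator):
    return bool(INITIATOR_RE.search(initiator))


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(events, approved=APPROVED, ports=(80, 443)):
    """Alert on shell/curl/wget-initiated sessions to unexpected public IPs on 80/443."""
    alerts = []
    for e in events:
        if e["dst_port"] not in ports or not is_shell_or_webclient(e["initiator"]):
            continue
        if not is_public(e["dst_ip"]) or e["dst_ip"] in approved.get(e["host"], set()):
            continue
        alerts.append({k: e[k] for k in ("ts", "host", "initiator", "dst_ip", "dst_port")})
    return alerts
```

Each alert keeps host, initiator, destination and timestamp so responders have the context the fourth point asks for; the 8080 session is dropped on purpose, showing why port scope should match the analytic rather than be widened silently.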
Mitigation priorities
- Maintain a defined allowlist or policy for ESXi management-plane outbound destinations where operationally feasible.
- Restrict unnecessary outbound Internet access from ESXi hosts and route required traffic through monitored control points.
- Limit and govern shell access and administrative automation on ESXi systems.
- Ensure logging and retention support investigation of script or daemon-initiated outbound web connections.
- Use this analytic as evidence for virtualization security monitoring and segmentation control validation, not as a standalone guarantee of detection.
Analyst notes and limits
This object is a detection analytic, not a technique. It is limited to the ESXi platform and describes outbound HTTP/HTTPS initiated by shell scripts or management daemons, especially involving curl or wget to public IPs on ports 80/443. No relationships, tactics, or official detection logic were supplied, so local baselines and telemetry design determine practical value.
ATT&CK supplied no official detection query, no related techniques, no tactics, and no relationship context. This analysis therefore avoids attribution, exploitation claims, impact claims, and guaranteed coverage. Validation requires local ESXi logging, network visibility, asset inventory, and knowledge of approved management automation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 20d1658a16ad… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0078 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.