AN0197: Analytic 0197
Detects remote writes or snapshots mounted from other systems into a central ESXi VMFS path or NFS store used for remote staging of files before exfiltration.
Analyst context for executives and security teams
This analytic matters because it focuses on ESXi storage being used as a staging location: remote writes or mounted snapshots from other systems into a central VMFS path or NFS store before files are taken out. For leaders, the practical issue is not only data theft risk; it is whether virtual infrastructure storage activity is visible enough for the SOC and incident responders to distinguish normal administrative movement from suspicious staging behavior.
Executive priority
Prioritize this where ESXi hosts, shared VMFS datastores, or NFS-backed virtualization storage support critical systems or sensitive data. The key business question is whether the organization can prove, during an incident or audit, who wrote data into central ESXi storage, from where, and whether that activity was expected. This supports resilience, data protection, incident scoping, and evidence readiness for virtualized environments.
Technical view
Validate monitoring around ESXi VMFS paths and NFS stores for remote writes, mounted snapshots, and unusual staging patterns. Because the ATT&CK object provides no specific detection logic and no tactic mapping, teams should treat AN0197 as a detection objective: confirm that ESXi storage events, NFS access records, administrative activity, and network context can be correlated to identify remote systems writing or mounting content into centralized datastore locations. Baseline legitimate backup, replication, migration, and administrative workflows before alerting on anomalies.
Likely telemetry
- ESXi host and datastore logs related to VMFS access or mount activity
- NFS server access logs for virtualization-backed storage
- Remote write activity into central ESXi datastore paths
- Snapshot mount or datastore mount events involving other systems
- Administrative authentication and session logs for ESXi or storage management
Detection direction
- Confirm whether the SOC receives logs from ESXi hosts, VMFS datastore activity, and NFS storage supporting ESXi workloads.
- Build baselines for expected backup, restore, replication, migration, and snapshot workflows to reduce false positives.
- Look for remote systems writing to central ESXi storage paths outside approved maintenance windows or from unexpected sources.
- Correlate storage activity with administrative logins, change tickets, and network flows to separate authorized operations from suspicious staging.
- Treat lack of datastore-level or NFS-level audit visibility as a material blind spot for this analytic.
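The detection direction above, carried through as an added worked example (not part of the ATT&CK object or this page's analysis): a small Python evaluator that applies a per-datastore allowlist of approved writer systems, a maintenance window, and an administrative-session correlation to constructed storage events, then flags hosts that trip more than one rule as a possible staging pattern. The key=value log format, hostnames, datastore paths, window times, and session records are all assumptions for illustration; real ESXi datastore and NFS server logs need their own parsers and field mappings.

```python
"""Illustrative AN0197-style detection logic (added example, not vendor or ATT&CK code).

Assumes a hypothetical normalized event format produced by a log pipeline from
ESXi datastore and NFS server logs:  <ISO timestamp> host=<src> action=<verb> target=<datastore>
"""
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class StorageEvent:
    ts: datetime
    source_host: str   # remote system performing the write or mount
    action: str        # "write", "mount", "read", ...
    target: str        # VMFS path or NFS export

@dataclass(frozen=True)
class Alert:
    event: StorageEvent
    reason: str
    severity: str

# Constructed sample lines (hypothetical format; not real ESXi/NFS log output).
SAMPLE_LOG = """\
2026-03-02T02:15:00 host=backup01.corp.example action=write target=/vmfs/volumes/prod-ds01
2026-03-02T02:20:00 host=backup01.corp.example action=mount target=nfs01.corp.example:/export/vm-nfs
2026-03-02T14:05:00 host=backup01.corp.example action=write target=/vmfs/volumes/prod-ds01
2026-03-02T09:00:00 host=ws-finance-17.corp.example action=read target=/vmfs/volumes/prod-ds01
2026-03-02T03:40:00 host=ws-finance-17.corp.example action=write target=/vmfs/volumes/prod-ds01
2026-03-02T03:42:00 host=ws-finance-17.corp.example action=mount target=/vmfs/volumes/scratch-ds09
"""

# Constructed inventory/allowlist: datastore -> systems approved to write to or mount it.
APPROVED_WRITERS = {
    "/vmfs/volumes/prod-ds01": {"backup01.corp.example", "vcenter.corp.example"},
    "nfs01.corp.example:/export/vm-nfs": {"backup01.corp.example"},
}

# Constructed maintenance window during which backup/replication writes are expected.
MAINT_START, MAINT_END = time(1, 0), time(5, 0)

# Constructed admin session records: host -> list of (session start, session end).
ADMIN_SESSIONS = {
    "backup01.corp.example": [(datetime(2026, 3, 2, 1, 0), datetime(2026, 3, 2, 5, 0))],
}

STAGING_ACTIONS = {"write", "mount"}   # only these can stage content into a datastore


def parse_line(line: str) -> StorageEvent:
    """Parse one constructed key=value line into a StorageEvent."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return StorageEvent(datetime.fromisoformat(ts_str), fields["host"], fields["action"], fields["target"])


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def in_maintenance_window(ts: datetime) -> bool:
    return MAINT_START <= ts.time() < MAINT_END


def has_admin_session(host: str, ts: datetime, sessions: dict) -> bool:
    """True if an administrative session for `host` was active at `ts`."""
    return any(start <= ts <= end for start, end in sessions.get(host, []))


def evaluate(events, approved=APPROVED_WRITERS, sessions=ADMIN_SESSIONS) -> list:
    """Apply the allowlist, window, and session rules; return one Alert per suspicious event."""
    alerts = []
    for ev in events:
        if ev.action not in STAGING_ACTIONS:
            continue                                      # reads are not staging activity
        if ev.target not in approved:
            # A write/mount to a datastore missing from the inventory is itself a visibility gap.
            alerts.append(Alert(ev, "uninventoried_target", "high"))
        elif ev.source_host not in approved[ev.target]:
            # Unexpected source: an active admin session lowers, but does not clear, the finding.
            sev = "medium" if has_admin_session(ev.source_host, ev.ts, sessions) else "high"
            alerts.append(Alert(ev, "unapproved_source", sev))
        elif not in_maintenance_window(ev.ts):
            alerts.append(Alert(ev, "approved_source_outside_window", "low"))
    return alerts


def hosts_with_repeated_alerts(alerts, threshold: int = 2) -> set:
    """Hosts tripping `threshold` or more alerts: a crude 'staging pattern' signal."""
    counts = {}
    for a in alerts:
        counts[a.event.source_host] = counts.get(a.event.source_host, 0) + 1
    return {host for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = evaluate(parse_log(SAMPLE_LOG))
    for a in found:
        print(a.severity.upper(), a.reason, a.event.source_host, a.event.action, a.event.target)
    print("repeated:", hosts_with_repeated_alerts(found))
```

The allowlist is the inventory from the mitigation section expressed as data: every datastore that matters appears as a key, so a write to an unlisted datastore surfaces as a gap rather than silently passing. The severity ladder keeps approved-but-off-hours activity low so it can be tuned against baselined backup windows without hiding the unapproved-source case.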
Mitigation priorities
- Inventory ESXi VMFS and NFS datastore locations used by critical workloads and define approved systems allowed to write or mount snapshots there.
- Restrict access to ESXi-backed storage paths to authorized administrative, backup, and virtualization services.
- Enable and retain relevant ESXi, storage, authentication, and network telemetry needed for incident reconstruction.
- Review backup, replication, and snapshot processes so legitimate remote staging activity is documented and distinguishable.
- Test incident response playbooks for suspected staging in virtualization storage, including containment, evidence preservation, and business owner notification.
Analyst notes and limits
AN0197 is a detection analytic for ESXi environments, not a full ATT&CK technique description. The official description specifically references remote writes or snapshots mounted into central ESXi VMFS paths or NFS stores for remote staging before exfiltration. No relationships, tactic mappings, or detailed detection logic were supplied, so local engineering must define thresholds, allowlists, and correlation rules based on the organization’s storage architecture.
The supplied ATT&CK fields do not include a formal detection query, data source list, relationships, adversary attribution, active exploitation claims, or impact details. Conclusions should therefore be limited to ESXi VMFS/NFS staging visibility and should be validated against local logging, administrative workflows, and storage design.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5bb730ea7c90… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0197 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.