AN0207: Analytic 0207
ESXi shell execution of tools/scripts (`nc`, `socat`, `perl`) relaying network traffic to other internal hosts, especially when initiated by unauthorized users or VMs.
Analyst context for executives and security teams
This analytic points to a high-value ESXi host being used as a network relay or pivot point through shell-executed tools such as nc, socat, or perl. For leaders, the significance is not the tools themselves, but that virtualization infrastructure can provide a path into other internal systems if shell access is misused by unauthorized users or VMs.
Executive priority
Prioritize validation where ESXi hosts support critical workloads or network segmentation boundaries. The business question is whether privileged access, shell use, and east-west network paths from ESXi are governed and evidenced well enough for incident response, audit, and resilience decisions. Because no official detection logic is supplied, teams should treat this as a coverage-validation item rather than an assured detection.
Technical view
For SOC and IR teams, validate whether ESXi shell activity can be tied to user identity, source VM or management session, executed command, and outbound connections to internal hosts. Focus review on shell execution involving nc, socat, or perl where the process behavior suggests traffic relay, tunneling, or proxy-like activity, especially when initiated by users or VMs that are not expected to administer ESXi.
Likely telemetry
- ESXi shell command execution logs or equivalent host activity records
- ESXi authentication and authorization events for shell or management access
- Process execution evidence for nc, socat, perl, or script interpreters on ESXi
- Network connection records from ESXi hosts to internal systems
- Management plane access logs showing user, source address, and session context
Detection direction
- Confirm that ESXi shell execution is logged and retained with enough detail to identify command, user, time, and source context.
- Baseline legitimate administrative shell use on ESXi to reduce false positives from approved troubleshooting activity.
- Alert or investigate ESXi execution of nc, socat, or perl when paired with internal network connections that are unusual for that host.
- Correlate shell execution with authentication records to distinguish authorized administrators from unexpected users or VM-initiated activity.
- Review blind spots around ESXi hosts that are not covered by standard endpoint telemetry or centralized log collection.
Mitigation priorities
- Restrict and monitor ESXi shell access to authorized administrative users only.
- Harden management access paths and require strong identity controls for ESXi administration.
- Limit unnecessary outbound network reachability from ESXi hosts to internal systems where operationally feasible.
- Maintain documented administrative procedures so legitimate shell use can be distinguished from suspicious activity.
- Ensure incident response playbooks include ESXi log collection, account review, and network path analysis.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for ESXi focused on shell execution of tools or scripts that relay traffic to internal hosts. No tactics, relationships, or official detection logic were supplied, so the take emphasizes practical validation of telemetry, access governance, and investigation context.
This assessment is limited to the official object fields and external reference provided. It does not establish active exploitation, actor attribution, impact, or existing detection coverage. Local ESXi configuration, logging depth, identity controls, and network architecture are required to determine material risk and detection quality.
Analytic 0207
ESXi shell execution of tools/scripts (`nc`, `socat`, `perl`) relaying network traffic to other internal hosts, especially when initiated by unauthorized users or VMs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 83b79550529a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0207Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.