Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0224: Analytic 0224

Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.

EnterpriseAN0224AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic highlights a high-risk VMware management-plane scenario: exposed OpenSLP on ESXi or vCenter public endpoints followed by service instability, unusual host behavior, datastore access, and possible outbound callback activity. For leaders, the key issue is not just detection content; it is whether critical virtualization management services are internet-exposed and whether SOC/IR teams can see the chain of events quickly enough to protect business continuity.

Executive priority

Prioritize this as a virtualization resilience and exposure-management question. ESXi and vCenter often support critical workloads, so public management-plane exposure can become a material operational risk. Executives should ask whether ESXi/vCenter management services are externally reachable, whether OpenSLP exposure is tracked in vulnerability and attack-surface processes, and whether incident teams have evidence to distinguish a service fault from suspicious activity involving datastore access and outbound callbacks.

Technical view

The supplied analytic describes a behavioral chain on ESXi/vCenter: inbound request patterns to a management service, hostd or vpxd error/crash/restart events, unexpected process behavior or datastore access, and outbound callback activity. Because no official detection logic is provided, SOC teams should validate whether telemetry exists for each stage rather than assuming coverage. Focus validation on ESXi/vCenter management service logs, hostd/vpxd service health events, process/activity logging available for ESXi, datastore access records, and network traffic involving public endpoints and outbound connections.

Likely telemetry

  • Network telemetry for inbound requests to ESXi or vCenter public management endpoints
  • ESXi/vCenter management service logs related to OpenSLP or management service request handling
  • hostd and vpxd error, crash, and restart events
  • ESXi host process or service behavior telemetry where available
  • Datastore access logs or administrative activity records

Detection direction

  • Validate visibility across the full chain: inbound management-service activity, hostd/vpxd instability, unexpected process or datastore behavior, and outbound callback indicators.
  • Tune alerts to correlate service crashes or restarts with suspicious inbound traffic and subsequent outbound connections, rather than treating each signal in isolation.
  • Account for false positives from legitimate maintenance, service restarts, backup operations, datastore administration, and monitoring systems.
  • Identify blind spots where ESXi hosts lack process-level telemetry, datastore access auditing, or egress monitoring.
  • Because ATT&CK provides no official detection logic for this object, local baselining and environment-specific thresholds are required.

Mitigation priorities

  • Reduce exposure of ESXi and vCenter management interfaces, especially public reachability of services associated with OpenSLP.
  • Restrict management access to approved administrative networks and authenticated administrative paths.
  • Include OpenSLP and ESXi/vCenter public endpoint exposure in vulnerability management and attack-surface review workflows.
  • Ensure incident response playbooks cover virtualization management-plane events, including service crashes, datastore access review, and outbound network investigation.
  • Maintain audit-ready evidence showing management-plane exposure controls, logging coverage, and response procedures for ESXi/vCenter systems.
Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique entry. Its value is in prompting a coverage review for exposed ESXi/vCenter management services and the post-request signals that may indicate suspicious activity. The absence of relationship context means no specific tactic, technique, campaign, or actor linkage should be inferred.

Official detection logic was not supplied, tactics are not specified, and no relationships were provided. This take is limited to the official description, platform field, and external reference. Local architecture, logging configuration, exposure data, and incident history are required to determine actual risk and detection coverage.

Official MITRE ATT&CK definition

Analytic 0224

Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dd44e12a3de058c6...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle dd44e12a3de0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0224
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use