MITRE ATT&CK® Analytic

AN0262: Analytic 0262

Detects modification of ESXi cron jobs, local.sh scripts, or scheduled API calls to persist custom binaries or shell scripts.

Domain: Enterprise. Object: AN0262 (Analytic), version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is relevant because persistence on ESXi can put core virtualization infrastructure at risk. If an attacker or unauthorized admin can modify ESXi cron jobs, local.sh scripts, or scheduled API calls to run custom binaries or shell scripts, they may be able to regain execution after reboot or routine maintenance. For leaders, the key question is whether the organization can prove that changes to ESXi scheduled execution paths are monitored, reviewed, and explainable.

Executive priority

Prioritize this where ESXi supports business-critical workloads. The decision value is not just detecting a file change; it is validating control over hypervisor persistence paths that can affect many dependent systems at once. Security leaders should ask whether ESXi configuration changes are logged centrally, whether authorized maintenance is documented, and whether incident responders can quickly distinguish approved automation from unauthorized persistence.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for modifications to ESXi cron jobs, local.sh scripts, and scheduled API calls that could launch custom binaries or shell scripts. On ESXi the two on-host locations that matter most are the root crontab at /var/spool/cron/crontabs/root and the boot-time startup script /etc/rc.local.d/local.sh. Because the root crontab is not preserved across reboots on a default configuration, an intruder who wants durable persistence commonly has local.sh re-create the cron entry and restart crond at every boot, so the two files should be monitored together rather than in isolation. Because the ATT&CK object provides no official detection logic and no relationship context, teams should build local baselines for legitimate ESXi administrative scheduling activity, then alert on unexpected creation, modification, or execution references tied to these persistence mechanisms. Investigation should focus on who made the change, when it appeared, what binary or script is being launched and from where (datastore paths under /vmfs/volumes and scratch or temporary locations are rarely legitimate sources of scheduled jobs), and whether the change survives reboot or maintenance cycles.
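The baseline-and-alert approach described above, as an added example that is not MITRE or Glexia code. It parses the contents of the root crontab and local.sh, drops anything already in an approved baseline, and explains why each remaining entry is interesting. The file paths are the standard ESXi locations and should be confirmed against your own ESXi build; the baseline sets, suspect-path prefixes and the two sample files are constructed for the example, and a real baseline should be generated from a known-good host rather than typed in.

```python
"""Baseline check for ESXi scheduled-execution persistence locations.

Added example (not MITRE or Glexia code). Paths are the usual ESXi root
crontab and startup script; verify them against your ESXi version. The
baseline sets and the sample file contents below are constructed.
"""

# On-host locations this analytic cares about (verify for your release).
ROOT_CRONTAB = "/var/spool/cron/crontabs/root"
LOCAL_SH = "/etc/rc.local.d/local.sh"

# Constructed baseline: commands the organisation has reviewed and approved.
# Build this from a known-good host in practice, do not hard-code it.
BASELINE_CRON = {
    "/sbin/tmpwatch.py",
    "/sbin/auto-backup.sh",
    "/usr/lib/vmware/vmksummary/log-heartbeat.py",
}
BASELINE_LOCAL_SH = set()   # a stock local.sh runs nothing but 'exit 0'

# Locations and tokens from which scheduled execution is rarely legitimate.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/scratch/", "/vmfs/volumes/")
SUSPECT_TOKENS = ("nohup", "base64", "python -c", "wget ", "nc ")


def parse_crontab(text):
    """Return (schedule, command) tuples from a BusyBox-style root crontab."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)          # 5 schedule fields + command
        if len(parts) < 6:
            continue                          # malformed, not runnable
        entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def parse_local_sh(text):
    """Return executable statements from local.sh (comments and exit 0 dropped)."""
    return [
        line.strip() for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
        and line.strip() != "exit 0"
    ]


def classify(command, baseline):
    """Reasons a command is interesting, or None if it matches the baseline."""
    if command in baseline:
        return None
    reasons = ["not in baseline"]
    if any(p in command for p in SUSPECT_PREFIXES):
        reasons.append("references writable/datastore path")
    if any(t in command for t in SUSPECT_TOKENS):
        reasons.append("contains download/encode/background token")
    return reasons


def check_host(crontab_text, local_sh_text):
    """Return findings as (source_file, command, reasons) tuples."""
    findings = []
    for _schedule, cmd in parse_crontab(crontab_text):
        reasons = classify(cmd, BASELINE_CRON)
        if reasons:
            findings.append((ROOT_CRONTAB, cmd, reasons))
    for stmt in parse_local_sh(local_sh_text):
        reasons = classify(stmt, BASELINE_LOCAL_SH)
        if reasons:
            findings.append((LOCAL_SH, stmt, reasons))
    return findings


# Constructed sample content: a host where an attacker appended one cron
# entry and one background launcher to local.sh.
SAMPLE_CRONTAB = """\
#min hour day mon dow command
1    1    *   *   *   /sbin/tmpwatch.py
1    *    *   *   *   /sbin/auto-backup.sh
0    *    *   *   *   /usr/lib/vmware/vmksummary/log-heartbeat.py
*/5  *    *   *   *   /vmfs/volumes/datastore1/.svc/update.sh
"""
SAMPLE_LOCAL_SH = """\
#!/bin/sh
# local configuration options
/bin/nohup /tmp/.x/agent -c /tmp/.x/agent.conf >/dev/null 2>&1 &
exit 0
"""

if __name__ == "__main__":
    for src, cmd, why in check_host(SAMPLE_CRONTAB, SAMPLE_LOCAL_SH):
        print(f"{src}: {cmd!r} -> {', '.join(why)}")
```

Run it against copies of the two files pulled from a host (or from a support bundle) rather than on the host itself, so the check does not depend on ESXi having a Python interpreter available.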

Likely telemetry

  • ESXi host configuration and system logs related to scheduled task or script modification
  • File integrity or configuration monitoring for cron-related files and local.sh
  • Administrative session and authentication logs for ESXi management access
  • API activity logs showing scheduled or recurring actions where available
  • Change management records for approved ESXi maintenance and automation

Detection direction

  • Confirm whether ESXi logs and configuration changes are forwarded to central monitoring rather than remaining only on the host.
  • Baseline legitimate cron, local.sh, and scheduled API usage to reduce false positives from approved maintenance scripts.
  • Alert on new or modified scheduled execution entries that reference unusual custom binaries, shell scripts, or unexpected paths.
  • Correlate detected changes with authenticated administrator activity and approved change tickets.
  • Treat sparse or missing ESXi telemetry as a material blind spot, because the official ATT&CK object does not provide ready-made detection logic.
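The correlation step in the list above (tying a detected change to an authenticated session and to an approved change window), as an added example rather than code from the page. It reads forwarded ESXi shell.log and auth.log lines, flags commands that touch the cron or local.sh persistence paths or restart crond, attributes each to the most recent accepted SSH login for that user, and marks whether it fell inside an approved window. The log lines and the change-window list are constructed to resemble ESXi output and a ticketing export; validate the line formats against logs from your own ESXi build before deploying.

```python
"""Correlate ESXi shell.log changes to persistence paths with SSH logins
and approved change windows. Added example (not MITRE or Glexia code).
The log lines and change windows below are constructed; the regexes
assume the shell.log and auth.log formats shown and should be checked
against your ESXi release.
"""
import re
from datetime import datetime, timezone

PERSISTENCE_PATHS = (
    "/etc/rc.local.d/local.sh",
    "/var/spool/cron/crontabs/root",
)
# Tokens that indicate the scheduler was restarted after a crontab edit.
SCHEDULER_TOKENS = ("crond", "/var/run/crond.pid")

SHELL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_ts(s):
    """ESXi logs use UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_logins(auth_lines):
    """(timestamp, user, source_ip) for each accepted SSH login, in time order."""
    logins = []
    for line in auth_lines:
        m = SSH_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["user"], m["ip"]))
    return sorted(logins)


def last_login_before(logins, ts, user):
    """Most recent accepted login for user at or before ts, else None."""
    candidates = [l for l in logins if l[1] == user and l[0] <= ts]
    return candidates[-1] if candidates else None


def in_change_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def detect(shell_lines, auth_lines, windows):
    """Return one finding per shell command touching a persistence path."""
    logins = parse_logins(auth_lines)
    findings = []
    for line in shell_lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        hit_paths = [p for p in PERSISTENCE_PATHS if p in cmd]
        hit_sched = any(t in cmd for t in SCHEDULER_TOKENS)
        if not hit_paths and not hit_sched:
            continue
        ts = parse_ts(m["ts"])
        login = last_login_before(logins, ts, m["user"])
        findings.append({
            "time": ts.isoformat(),
            "user": m["user"],
            "command": cmd,
            "paths": hit_paths,
            "scheduler_restart": hit_sched,
            "source_ip": login[2] if login else None,
            "approved_window": in_change_window(ts, windows),
        })
    return findings


# Constructed samples. The 03:10 edit sits inside an approved window; the
# 02:14 sequence does not, and it restarts crond right after the edit.
AUTH_LOG = [
    "2024-03-10T02:13:40Z sshd[2099500]: Accepted keyboard-interactive/pam "
    "for root from 203.0.113.7 port 51234 ssh2",
    "2024-03-10T03:09:02Z sshd[2099712]: Accepted publickey for root "
    "from 10.10.20.5 port 40112 ssh2",
]
SHELL_LOG = [
    "2024-03-10T02:14:07Z shell[2099513]: [root]: ls /vmfs/volumes",
    "2024-03-10T02:14:31Z shell[2099513]: [root]: echo '*/5 * * * * "
    "/vmfs/volumes/datastore1/.svc/update.sh' >> /var/spool/cron/crontabs/root",
    "2024-03-10T02:14:40Z shell[2099513]: [root]: "
    "kill $(cat /var/run/crond.pid); crond",
    "2024-03-10T03:10:15Z shell[2099730]: [root]: vi /etc/rc.local.d/local.sh",
]
CHANGE_WINDOWS = [(parse_ts("2024-03-10T03:00:00Z"),
                   parse_ts("2024-03-10T04:00:00Z"))]

if __name__ == "__main__":
    for f in detect(SHELL_LOG, AUTH_LOG, CHANGE_WINDOWS):
        flag = "APPROVED" if f["approved_window"] else "UNAPPROVED"
        print(flag, f["time"], f["user"], f["source_ip"], f["command"])
```

The source-IP attribution only works when auth.log and shell.log both reach the collector; if either is missing you get findings with no session context, which is exactly the blind spot the last bullet above warns about.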

Mitigation priorities

  • Restrict ESXi administrative access to authorized personnel and controlled management paths.
  • Use change control for ESXi scheduled jobs, startup scripts, and API-based automation.
  • Monitor integrity of persistence-relevant configuration and script locations on ESXi hosts.
  • Review and remove unnecessary scheduled execution mechanisms on ESXi systems.
  • Ensure incident response procedures include collection and review of ESXi persistence locations before rebuilding or returning hosts to service.

Analyst notes and limits

This take is based on ATT&CK analytic AN0262, which covers detection of modifications to ESXi cron jobs, local.sh scripts, or scheduled API calls used to persist custom binaries or shell scripts. No tactics, relationships, aliases, labels, or official detection logic were supplied, so the guidance focuses on defensive validation and telemetry requirements rather than a specific detection rule.

The supplied ATT&CK fields identify the platform and behavior but do not provide detection pseudocode, data sources, related techniques, adversary usage, or mitigation mappings. Local ESXi version, logging configuration, management architecture, and approved automation practices are required to determine detection fidelity and operational priority.

Official MITRE ATT&CK definition

Analytic 0262

Detects modification of ESXi cron jobs, local.sh scripts, or scheduled API calls to persist custom binaries or shell scripts.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in snapshot)
Modified: (not present in snapshot)
Raw hash: e73d9f89054bba9a...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (not shown)       1.0              (not shown) Current bundle  e73d9f89054b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0262

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.