MITRE ATT&CK® Analytic

AN0305: Analytic 0305

ESXi daemons (e.g., hostd, vpxa) are wrapped or impersonated to send large outbound traffic using gzip/Base64 encoding over SSH or HTTP. These actions follow suspicious logins or shell access.

Domain: Enterprise | ID: AN0305 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because it points to suspicious outbound movement from ESXi infrastructure: core ESXi daemons such as hostd or vpxa may be wrapped or impersonated to send large encoded traffic over SSH or HTTP after suspicious logins or shell access. For leaders, the decision issue is whether virtualization hosts are monitored closely enough to distinguish legitimate management activity from possible data movement or post-access abuse.

Executive priority

Prioritize this where ESXi hosts support critical workloads. Validate whether security teams can answer three business-relevant questions quickly: who accessed ESXi shell or management functions, whether trusted daemon names were misused, and whether unusual outbound SSH or HTTP traffic occurred afterward. This supports incident triage, resilience planning, audit evidence for privileged access monitoring, and control decisions around ESXi management exposure and egress visibility.

Technical view

For SOC and IR teams, treat this as an ESXi-focused detection validation item. The supplied behavior combines suspicious login or shell access with daemon wrapping or impersonation and high-volume outbound traffic using gzip/Base64 encoding over SSH or HTTP. Because no official detection logic is provided, teams should build local analytics around correlation: ESXi authentication or shell-access events followed by unusual daemon execution/name patterns and abnormal outbound network volume or destinations over SSH/HTTP.

Likely telemetry

  • ESXi authentication and management access logs showing suspicious logins
  • ESXi shell access events or command/session audit evidence where available
  • Host or management-plane evidence related to hostd, vpxa, or similarly named daemon activity
  • Network flow, firewall, proxy, or perimeter telemetry showing outbound SSH or HTTP from ESXi hosts
  • Traffic volume and destination baselines for ESXi management hosts

Detection direction

  • Correlate suspicious ESXi logins or shell access with subsequent outbound SSH/HTTP traffic spikes from the same host.
  • Validate whether monitoring can distinguish legitimate hostd/vpxa activity from daemon wrapping, impersonation, or unexpected process ancestry/name usage.
  • Baseline normal ESXi outbound traffic; large outbound transfers from hypervisor management interfaces should be reviewed carefully.
  • Tune for administrative maintenance windows and backup or management workflows to reduce false positives.
  • Account for blind spots where ESXi hosts lack endpoint-style process telemetry or where encrypted SSH/HTTP limits payload inspection.
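One way to prototype the correlation described above, as an added example that is not part of the MITRE object or Glexia's analysis: login or shell-access events for an ESXi host are joined to later daemon observations and outbound SSH/HTTP flows from the same host within a time window. The event shape, daemon paths and byte baselines are assumptions and the sample events are constructed, not real ESXi log formats.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified normalized shape (not verbatim ESXi log
# formats); a real pipeline would map hostd/auth/shell logs and flow records into it.
EVENTS = [
    {"ts": "2024-05-01T02:00:00", "host": "esx01", "kind": "login", "user": "root", "src": "203.0.113.9"},
    {"ts": "2024-05-01T02:03:00", "host": "esx01", "kind": "proc", "name": "vpxa", "path": "/tmp/vpxa"},
    {"ts": "2024-05-01T02:05:00", "host": "esx01", "kind": "flow", "dport": 22, "dst": "198.51.100.7", "bytes_out": 900_000_000},
    {"ts": "2024-05-01T09:00:00", "host": "esx02", "kind": "login", "user": "root", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:02:00", "host": "esx02", "kind": "proc", "name": "hostd", "path": "/bin/hostd"},
    {"ts": "2024-05-01T09:10:00", "host": "esx02", "kind": "flow", "dport": 443, "dst": "10.0.0.20", "bytes_out": 5_000_000},
]

# Assumed local baselines: expected daemon binary paths and typical outbound bytes per
# session for each host. Replace these with values derived from your own environment.
EXPECTED_DAEMON_PATH = {"hostd": "/bin/hostd", "vpxa": "/bin/vpxa"}
BASELINE_BYTES_OUT = {"esx01": 50_000_000, "esx02": 50_000_000}
SSH_HTTP_PORTS = {22, 80, 443, 8080}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events, window_minutes=30, spike_factor=10):
    """Flag a host when a login/shell access is followed, within the window, by a known
    daemon name running from an unexpected path (wrapping/impersonation) or by an
    outbound SSH/HTTP transfer far above the host's baseline. One alert per login."""
    alerts = []
    window = timedelta(minutes=window_minutes)
    for login in (e for e in events if e["kind"] == "login"):
        start, end = _ts(login), _ts(login) + window
        followers = [e for e in events
                     if e["host"] == login["host"] and start < _ts(e) <= end]
        reasons = []
        for e in followers:
            if e["kind"] == "proc" and e["name"] in EXPECTED_DAEMON_PATH \
                    and e["path"] != EXPECTED_DAEMON_PATH[e["name"]]:
                reasons.append(f"daemon {e['name']} ran from {e['path']}")
            elif e["kind"] == "flow" and e["dport"] in SSH_HTTP_PORTS \
                    and e["bytes_out"] > spike_factor * BASELINE_BYTES_OUT[e["host"]]:
                reasons.append(f"{e['bytes_out']} bytes to {e['dst']}:{e['dport']}")
        if reasons:
            alerts.append({"host": login["host"], "user": login["user"], "src": login["src"],
                           "login_ts": login["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the constructed data only esx01 fires (daemon from /tmp plus a 900 MB SSH transfer), while esx02's normal hostd path and small HTTPS transfer stay quiet; widen or narrow the window and spike factor to match your maintenance and backup patterns.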

Mitigation priorities

  • Restrict and monitor ESXi shell and SSH access, especially for privileged accounts.
  • Limit outbound network paths from ESXi hosts to documented management destinations and required protocols.
  • Maintain audit-ready records of ESXi management access, privileged sessions, and configuration changes.
  • Validate integrity and expected behavior of critical ESXi management daemons through approved administrative processes.
  • Prepare IR playbooks for suspicious ESXi access that include account review, network egress review, and host management-plane evidence preservation.

Analyst notes and limits

The object is a MITRE ATT&CK detection analytic for ESXi, external ID AN0305, tied to DET0108. It describes a behavior pattern but does not provide tactics, relationships, aliases, or official detection logic. The most useful operational value is in validating ESXi management-plane logging and outbound traffic visibility.

This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, adversary attribution, impact, or guaranteed detectability. Local ESXi architecture, logging configuration, network controls, and administrative workflows are required to determine real coverage and priority.

Official MITRE ATT&CK definition

Analytic 0305

ESXi daemons (e.g., hostd, vpxa) are wrapped or impersonated to send large outbound traffic using gzip/Base64 encoding over SSH or HTTP. These actions follow suspicious logins or shell access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 81d88433e6f9a666...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 81d88433e6f9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0305 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.