AN0314: Analytic 0314
Detection of modification to ESXi rc.local.d or rc scripts that are used to execute on boot.
Analyst context for executives and security teams
This analytic focuses on changes to ESXi startup scripts, specifically rc.local.d or rc scripts that execute during boot. For security leaders, the practical concern is persistence and operational resilience: unauthorized boot-time execution on virtualization infrastructure can survive reboots and affect systems that host many business workloads. Because ATT&CK provides no detection logic here, organizations should treat this as a validation prompt: can we see and investigate ESXi boot-script changes at all?
Executive priority
Prioritize this where ESXi supports critical applications, regulated workloads, or recovery infrastructure. The key business question is whether the organization has enough visibility and change-control evidence to distinguish approved ESXi startup configuration changes from unauthorized persistence. This is relevant to incident readiness, audit evidence, virtualization hardening, and business continuity because compromise or misconfiguration at the hypervisor layer can have broad downstream impact.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for modification of ESXi rc.local.d or rc scripts used for boot-time execution. Since the object supplies no official detection query, tactic mapping, or relationship context, teams should build local logic around authorized-change baselines, file integrity monitoring, administrative activity review, and ESXi configuration change records. Investigation should focus on whether the modification was expected, who or what made it, when it occurred, and whether it aligns with approved maintenance.
Likely telemetry
- ESXi host file integrity or configuration-change telemetry for rc.local.d and rc scripts
- ESXi administrative logs showing shell, management, or configuration activity
- Change-management records for approved ESXi startup script modifications
- Host inventory or configuration baselines for ESXi boot-time scripts
- Backup or configuration-state snapshots that allow comparison before and after modification
Detection direction
- Confirm whether ESXi startup script paths covered by rc.local.d or rc scripts are monitored for creation, modification, permission changes, and unexpected content changes.
- Tune alerts against approved maintenance windows and documented administrator activity to reduce false positives from legitimate configuration work.
- Correlate script modifications with ESXi administrative access and change tickets; absence of matching authorization should raise priority.
- Account for blind spots where ESXi hosts are not sending logs, file integrity data is unavailable, or configuration baselines are not retained.
- Because ATT&CK does not provide detection logic for AN0314, validate any local analytic in a test environment before relying on it operationally.
Mitigation priorities
- Establish and enforce change control for ESXi boot-time scripts and startup configuration.
- Restrict administrative access to ESXi hosts to authorized personnel and managed workflows.
- Maintain known-good baselines of ESXi startup scripts and compare them during audits or incident response.
- Ensure ESXi logging, configuration monitoring, and retention are sufficient for post-incident reconstruction.
- Include ESXi startup-script review in virtualization hardening and recovery-readiness assessments.
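The baseline comparison and authorization correlation described under "Detection direction" and "Mitigation priorities" can be sketched in a few dozen lines. The following Python is an added example; it is not part of the ATT&CK object or of Glexia's analysis. It assumes /etc/rc.local.d as the ESXi directory for local boot-time scripts (local.sh is the standard entry there); the other script names, the change-ticket id, the maintenance window and the timestamps are constructed for the example, and the "filesystem" is an in-memory dict so the code runs offline.

```python
"""Baseline comparison and triage for ESXi boot-time scripts.

Added example, not part of the ATT&CK object or Glexia's analysis.
The "filesystem" is a constructed in-memory dict of path -> (content, mode)
so the example runs offline; on a real host, snapshot() would read the
files from disk instead, and the comparison and triage logic stays the same.
"""
import hashlib
from datetime import datetime, timezone

# /etc/rc.local.d is ESXi's directory for local boot-time scripts (local.sh
# is the standard entry). Extend this tuple if your hosts use other rc paths.
WATCHED_DIRS = ("/etc/rc.local.d",)


def snapshot(files):
    """Build {path: {"sha256": hexdigest, "mode": int}} for every watched file."""
    snap = {}
    for path, (content, mode) in files.items():
        if any(path.startswith(d + "/") for d in WATCHED_DIRS):
            snap[path] = {"sha256": hashlib.sha256(content).hexdigest(), "mode": mode}
    return snap


def diff_baseline(baseline, current):
    """Compare two snapshots; report created, deleted, modified and permission changes."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            findings.append({"path": path, "change": "created"})
        elif after is None:
            findings.append({"path": path, "change": "deleted"})
        else:
            if before["sha256"] != after["sha256"]:
                findings.append({"path": path, "change": "content_modified"})
            if before["mode"] != after["mode"]:
                findings.append({"path": path, "change": "permission_changed",
                                 "detail": f"{before['mode']:04o} -> {after['mode']:04o}"})
    return findings


def triage(findings, observed_at, maintenance_windows, change_tickets):
    """Lower the priority only when the change falls inside an approved window
    AND a change ticket names the path; anything else is treated as unauthorized."""
    in_window = any(start <= observed_at <= end for start, end in maintenance_windows)
    for f in findings:
        ticket = change_tickets.get(f["path"])
        f["ticket"] = ticket
        f["priority"] = "low" if (in_window and ticket) else "high"
    return findings


def run_example():
    """Constructed scenario: one ticketed edit, one new script, one mode change."""
    utc = timezone.utc
    known_good = {  # baseline captured after the last approved maintenance
        "/etc/rc.local.d/local.sh": (b"#!/bin/sh\nexit 0\n", 0o755),
        "/etc/rc.local.d/010-site.sh": (b"#!/bin/sh\n# site tuning\n", 0o755),  # constructed name
        "/etc/hosts": (b"127.0.0.1 localhost\n", 0o644),  # not a boot script, ignored
    }
    observed_now = {
        "/etc/rc.local.d/local.sh": (b"#!/bin/sh\n/bin/true\nexit 0\n", 0o755),  # ticketed edit
        "/etc/rc.local.d/010-site.sh": (b"#!/bin/sh\n# site tuning\n", 0o777),   # mode widened
        "/etc/rc.local.d/99-custom.sh": (b"#!/bin/sh\n", 0o755),                 # no ticket
        "/etc/hosts": (b"127.0.0.1 localhost\n", 0o644),
    }
    windows = [(datetime(2026, 1, 14, 22, 0, tzinfo=utc),
                datetime(2026, 1, 15, 2, 0, tzinfo=utc))]  # constructed approved window
    tickets = {"/etc/rc.local.d/local.sh": "CHG-0001 (constructed ticket id)"}
    findings = diff_baseline(snapshot(known_good), snapshot(observed_now))
    return triage(findings, datetime(2026, 1, 15, 1, 30, tzinfo=utc), windows, tickets)


if __name__ == "__main__":
    for f in run_example():
        print(f["priority"].upper(), f["change"], f["path"],
              f.get("detail", ""), f.get("ticket") or "no ticket")
```

In the constructed run the edit to local.sh is inside the window and has a ticket, so it is reported at low priority, while the new 99-custom.sh and the permission change on 010-site.sh have no ticket and surface as high priority even though they fall in the same window. Feeding real data in means replacing the two dicts with a stored baseline and a fresh read of the watched directory, and replacing the ticket dict with a lookup against the change-management system.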
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for ESXi and describes detection of modifications to rc.local.d or rc scripts used to execute on boot. No official detection content, tactics, relationships, aliases, or labels were supplied, so this take emphasizes defensive validation and telemetry requirements rather than specific rule logic.
This assessment is limited to the official STIX fields, external reference, and absence of relationship context provided. It does not establish attacker intent, exploitation activity, attribution, prevalence, or guaranteed detection coverage. Local ESXi architecture, logging configuration, change-management maturity, and administrative workflows are required to determine real-world risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3c38b5f90980… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0314
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.