AN0359: Analytic 0359
Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.
Analyst context for executives and security teams
AN0359 highlights a practical ESXi risk: malicious or unauthorized startup, cron, or service entries may be hidden behind names that look legitimate. For leaders, the concern is not the filename itself but whether virtualization hosts have enough baseline, change-control, and monitoring evidence to distinguish expected ESXi configuration from additions disguised as legitimate components.
Executive priority
Treat this as a control-validation item for critical virtualization infrastructure. If ESXi hosts support important workloads, executives should ask whether the organization can prove what files and services are expected on those hosts, detect unexpected changes in /etc/rc.local.d and /var/spool/cron, and respond quickly when a legitimate-sounding service is not part of the approved ESXi build. This supports resilience, incident triage, and audit evidence for privileged infrastructure change control.
Technical view
The supplied analytic applies to ESXi and describes adversary placement of misleadingly named scripts or binaries in /etc/rc.local.d or /var/spool/cron, or registration of services with legitimate-sounding names absent from default ESXi builds. SOC and IR teams should validate host baselines for default services, approved local startup scripts, cron content, and service registrations. Because no official detection logic is provided, coverage depends on local telemetry, file integrity monitoring, configuration collection, and baseline comparison against known-good ESXi builds.
Likely telemetry
- ESXi file and directory inventory for /etc/rc.local.d and /var/spool/cron
- File creation, modification, ownership, permission, and timestamp metadata for those paths
- Service registration and service configuration inventory from ESXi hosts
- Approved-build or gold-image baselines for default ESXi services and expected local scripts
- Administrative change records for host configuration changes
Detection direction
- Compare current ESXi startup, cron, and service configuration against approved baselines rather than trusting legitimate-looking names.
- Alert on new or modified scripts, binaries, cron entries, or services in the named locations that are not documented in change control.
- Tune for known administrative automation and vendor-supported additions to reduce false positives.
- Review service names that resemble default components but are not present in default ESXi builds for the relevant version and image.
- Validate whether telemetry is retained long enough to reconstruct when the file or service appeared; without this, IR scoping will be limited.
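The baseline comparison described above, as an added illustration that is not part of the MITRE analytic or the Glexia page: a collected inventory of /etc/rc.local.d files (with content hashes), root cron lines, and registered service names is diffed against an approved-build baseline plus a documented exception list. All hosts, hashes, file names and service names below are constructed sample data; how the inventory is collected from the host is assumed to happen separately.

```python
"""Compare an ESXi host's startup-script, cron and service inventory against an
approved-build baseline and report additions, modifications and removals."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    kind: str    # "file", "cron" or "service"
    item: str
    reason: str


# Constructed baseline for one approved ESXi image: expected local startup
# scripts with their content hashes, approved root cron lines, default services.
BASELINE = {
    "files": {"/etc/rc.local.d/local.sh": "aaaa1111"},
    "cron": {"1 1 * * * /sbin/tmpwatch.py", "1 * * * * /sbin/auto-backup.sh"},
    "services": {"hostd", "vpxa", "sfcbd-watchdog", "ntpd"},
}

# Constructed snapshot from a host (hashes shortened); contains one extra
# script, one extra cron line and one service name not in the default build.
CURRENT = {
    "files": {"/etc/rc.local.d/local.sh": "aaaa1111",
              "/etc/rc.local.d/vmware-tools-update.sh": "beef2222"},
    "cron": {"1 1 * * * /sbin/tmpwatch.py", "1 * * * * /sbin/auto-backup.sh",
             "*/5 * * * * /bin/sh /etc/rc.local.d/vmware-tools-update.sh"},
    "services": {"hostd", "vpxa", "sfcbd-watchdog", "ntpd", "vmware-hostd-agent"},
}


def compare(host, current, baseline, approved_exceptions=frozenset()):
    """Return findings for anything that deviates from the baseline and is not a
    documented exception (change-control approved script or service name)."""
    findings = []
    for path, digest in current["files"].items():
        expected = baseline["files"].get(path)
        if expected is None and path not in approved_exceptions:
            findings.append(Finding(host, "file", path, "not in approved build"))
        elif expected is not None and expected != digest:
            findings.append(Finding(host, "file", path, "hash differs from baseline"))
    for path in baseline["files"].keys() - current["files"].keys():
        findings.append(Finding(host, "file", path, "expected file missing"))
    for line in current["cron"] - baseline["cron"] - approved_exceptions:
        findings.append(Finding(host, "cron", line, "cron entry not in baseline"))
    for name in current["services"] - baseline["services"] - approved_exceptions:
        findings.append(Finding(host, "service", name, "not a default service name"))
    return findings


if __name__ == "__main__":
    for f in compare("esx01", CURRENT, BASELINE):
        print(f"{f.host} [{f.kind}] {f.item}: {f.reason}")
```

A host matching its baseline yields no findings; the names-only check is what keeps a legitimate-looking service such as the constructed vmware-hostd-agent from passing simply because it resembles a default component.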
Mitigation priorities
- Establish and maintain approved ESXi build baselines, including expected services, startup scripts, and cron entries.
- Restrict and review administrative access capable of modifying ESXi host startup, cron, or service configuration.
- Use change control and periodic configuration attestation for virtualization hosts.
- Enable file/configuration integrity monitoring or equivalent collection for the referenced ESXi paths and service registrations where operationally feasible.
- Document exception handling for legitimate custom scripts or services so detections can distinguish approved administration from suspicious additions.
Analyst notes and limits
The ATT&CK object is a detection analytic, not a technique record, and no relationship context or official detection logic was supplied. The strongest defensive value is baseline validation for ESXi host configuration and monitoring of misleadingly named additions in the specified paths or service registry.
Tactics are not specified, and the official detection field is empty. This take does not assert active exploitation, attribution, impact, or guaranteed detection. Local ESXi versions, build images, administrative practices, and available telemetry determine whether the described behavior can be reliably identified.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 9cd6c0c33d01… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.