MITRE ATT&CK® Analytic

AN0371: Analytic 0371

Detects outbound traffic from hostd/vpxa or guest VM interfaces using unauthorized protocols such as FTP, HTTP POST bursts, or long-lived DNS tunnels.

Domain: Enterprise | ID: AN0371 | Type: Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because ESXi management and guest VM network paths can become blind spots for unauthorized outbound traffic. On an ESXi host, hostd is the host management agent and vpxa is the agent that connects the host to vCenter; both run on the management VMkernel interface, while guest VMs egress through their own port groups. For leaders, the practical question is whether virtualization infrastructure is monitored well enough to spot unexpected egress such as FTP, bursty HTTP POST activity, or long-lived DNS tunneling from hostd/vpxa or guest VM interfaces before it affects incident containment, audit confidence, or operational resilience.

Executive priority

Prioritize this where ESXi hosts support critical workloads or regulated systems. The decision value is not that this analytic proves compromise, but that it tests whether the organization can observe and govern outbound traffic from virtualization infrastructure. Executives should ask whether ESXi egress is restricted, logged, and reviewable during an incident, and whether SOC and IR teams can distinguish approved management or workload traffic from unauthorized protocols and tunneling patterns.

Technical view

For SOC, detection engineering, and IR teams, validate visibility for outbound ESXi-related traffic involving the hostd/vpxa processes or guest VM interfaces. The supplied ATT&CK description points to unauthorized protocols including FTP, HTTP POST bursts, and long-lived DNS tunnels. Because no official detection logic is provided, teams should translate this into environment-specific analytics using ESXi network telemetry, firewall/proxy/DNS records, and an approved baseline of management-service and VM-network behavior. Pay particular attention to whether traffic can be attributed to ESXi management components versus guest VM interfaces: the management VMkernel interface and the guest VMs normally sit on different port groups and subnets, and response actions and ownership differ between the two.

Likely telemetry

  • ESXi host network flow records or equivalent egress visibility
  • Firewall logs for traffic leaving ESXi management and VM networks
  • DNS query and response logs, especially duration/frequency patterns relevant to long-lived DNS tunneling
  • Proxy or web gateway logs showing HTTP POST volume and burst patterns
  • Network segmentation or access-control logs showing allowed versus denied outbound protocols

Detection direction

  • Establish approved outbound protocol baselines for ESXi management interfaces and guest VM networks before alerting on deviations.
  • Tune for unauthorized FTP, unusual HTTP POST bursts, and long-lived DNS activity as described by the analytic, but validate against legitimate backup, monitoring, update, or application traffic to reduce false positives.
  • Confirm whether telemetry can separate hostd/vpxa-originated activity from guest VM interface activity. Network flow records alone show only the management VMkernel IP as the source, so telling hostd from vpxa generally requires host-side evidence (for example hostd.log and vpxa.log); lack of attribution is a key blind spot.
  • Correlate egress anomalies with asset criticality, VM ownership, and change windows to support triage and incident decision-making.
  • Because ATT&CK provides no official detection logic for this analytic, document local thresholds, exclusions, and evidence sources for auditability.
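
The detection directions above, carried through as an added example (not Glexia's or MITRE's code, and not an official ATT&CK detection rule). It runs three analytics over constructed sample records: baseline-based flow checks that name FTP explicitly, a sliding-window HTTP POST burst counter, and a per-zone DNS session tracker that flags long-lived sessions with many distinct names while leaving hours of polling of a single name alone. The subnets, baseline entries, thresholds, log field names and the two-label zone extraction are all assumptions to be replaced with local values.

```python
"""Added example for AN0371 (not Glexia's or MITRE's code): three
environment-specific egress analytics run over constructed sample records.
Subnets, baseline entries, thresholds and log field names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumed local architecture: the management VMkernel subnet carries hostd/vpxa
# traffic, the VM subnet carries guest workloads. Attribution drives ownership.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
VM_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Approved-services baseline as (source class, dst, dport, proto); "*" = any dst.
BASELINE = {
    ("mgmt", "10.10.0.250", 443, "tcp"),  # vpxa -> vCenter
    ("mgmt", "10.10.0.53", 53, "udp"),    # internal resolver
    ("mgmt", "10.10.0.60", 902, "tcp"),   # backup proxy
    ("vm", "*", 443, "tcp"),              # guests may use HTTPS anywhere
    ("vm", "10.10.0.53", 53, "udp"),
}
POST_BURST_THRESHOLD = 20               # POSTs per source inside POST_WINDOW
POST_WINDOW = timedelta(minutes=1)
DNS_LONG_LIVED = timedelta(minutes=30)  # session length that counts as long-lived
DNS_MIN_QUERIES = 50                    # distinct names needed to call it a tunnel

def classify(ip: str) -> str:
    """Map a source IP to mgmt / vm / unknown."""
    addr = ipaddress.ip_address(ip)
    if addr in MGMT_NET:
        return "mgmt"
    if any(addr in net for net in VM_NETS):
        return "vm"
    return "unknown"

def approved(cls: str, dst: str, dport: int, proto: str) -> bool:
    return (cls, dst, dport, proto) in BASELINE or (cls, "*", dport, proto) in BASELINE

def flow_findings(flows):
    """Flag flows outside the baseline; FTP (tcp/20-21) is named explicitly."""
    out = []
    for f in flows:
        cls = classify(f["src"])
        if approved(cls, f["dst"], f["dport"], f["proto"]):
            continue
        kind = "ftp" if f["proto"] == "tcp" and f["dport"] in (20, 21) else "unapproved"
        out.append((kind, cls, f["src"], f["dst"], f["dport"]))
    return out

def post_burst_findings(events):
    """Sliding window over proxy events: flag a source the first time its
    POST count inside POST_WINDOW reaches POST_BURST_THRESHOLD."""
    stamps_by_src = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            stamps_by_src[e["src"]].append(e["ts"])
    out = []
    for src, stamps in stamps_by_src.items():
        window = deque()
        for ts in sorted(stamps):
            window.append(ts)
            while ts - window[0] > POST_WINDOW:
                window.popleft()
            if len(window) >= POST_BURST_THRESHOLD:
                out.append(("post_burst", classify(src), src, len(window)))
                break
    return out

def dns_tunnel_findings(queries):
    """Per (source, zone): a long-lived session with many distinct names is the
    shape of a tunnel; hours of polling the same name (monitoring) is not."""
    sessions = {}
    for q in queries:
        labels = q["qname"].rstrip(".").split(".")
        zone = ".".join(labels[-2:])  # assumption: two-label zones, no public-suffix list
        s = sessions.setdefault((q["src"], zone),
                                {"first": q["ts"], "last": q["ts"], "names": set()})
        s["first"] = min(s["first"], q["ts"])
        s["last"] = max(s["last"], q["ts"])
        s["names"].add(q["qname"])
    out = []
    for (src, zone), s in sessions.items():
        if s["last"] - s["first"] >= DNS_LONG_LIVED and len(s["names"]) >= DNS_MIN_QUERIES:
            out.append(("dns_tunnel", classify(src), src, zone, len(s["names"])))
    return out

def run(flows, proxy, dns):
    return {"flows": flow_findings(flows),
            "post_bursts": post_burst_findings(proxy),
            "dns": dns_tunnel_findings(dns)}

# Constructed sample telemetry (not real logs).
T0 = datetime(2025, 1, 1, 9, 0)
SAMPLE_FLOWS = [
    {"src": "10.10.0.11", "dst": "10.10.0.250", "dport": 443, "proto": "tcp"},  # vpxa, approved
    {"src": "10.10.0.11", "dst": "203.0.113.7", "dport": 21, "proto": "tcp"},   # FTP from mgmt
    {"src": "10.20.3.5", "dst": "198.51.100.9", "dport": 443, "proto": "tcp"},  # guest HTTPS, approved
    {"src": "10.20.3.5", "dst": "198.51.100.9", "dport": 8080, "proto": "tcp"}, # guest, unapproved
]
SAMPLE_PROXY = [{"src": "10.20.3.5", "ts": T0 + timedelta(seconds=2 * i), "method": "POST"}
                for i in range(25)]
SAMPLE_DNS = [{"src": "10.10.0.11", "ts": T0 + timedelta(minutes=i),
               "qname": f"{i:02x}{'a' * 20}.c2.example."} for i in range(60)]
SAMPLE_DNS += [{"src": "10.20.3.5", "ts": T0 + timedelta(hours=i), "qname": "updates.example."}
               for i in range(4)]  # same name polled for hours: long-lived but not a tunnel

if __name__ == "__main__":
    for name, findings in run(SAMPLE_FLOWS, SAMPLE_PROXY, SAMPLE_DNS).items():
        print(name, findings)
```

Each finding carries the source class (mgmt or vm) so that triage can route management-plane hits to the virtualization team and guest hits to the VM owner; in production the same lookup would be driven by the port-group and subnet inventory rather than two hard-coded networks, and the DNS zone split would use a public-suffix list.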

Mitigation priorities

  • Restrict ESXi management-plane outbound access to documented destinations and protocols wherever operationally feasible; the ESXi host firewall (esxcli network firewall rulesets and their allowed-IP lists) can enforce this on the host itself, complementing upstream network firewalls.
  • Segment management networks from guest VM traffic so suspicious egress can be scoped and contained more quickly.
  • Maintain an approved-services baseline for ESXi hosts and VM networks, including expected DNS, web, monitoring, backup, and management traffic.
  • Ensure firewall, DNS, proxy, and network-flow logging covers ESXi-related paths and is retained for incident response.
  • Review exceptions periodically so temporary or legacy outbound allowances do not become unmanaged exposure.

Analyst notes and limits

This is a detection analytic object, not a technique description. The available ATT&CK content is limited to the ESXi platform and a concise description of outbound traffic patterns from hostd/vpxa or guest VM interfaces using unauthorized protocols. No tactics, relationships, aliases, labels, or official detection logic were supplied.

Assessment must be grounded in local ESXi architecture, network segmentation, and logging coverage. The supplied object does not provide detection syntax, thresholds, data source mappings, adversary attribution, active exploitation claims, or impact details. It should be treated as a validation prompt for ESXi egress monitoring rather than a complete detection rule.

Official MITRE ATT&CK definition

Analytic 0371

Detects outbound traffic from hostd/vpxa or guest VM interfaces using unauthorized protocols such as FTP, HTTP POST bursts, or long-lived DNS tunnels.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 573c79296e338ee7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 573c79296e33…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0371 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.