AN0426: Analytic 0426
Detects shell-based scripts accessing configuration files or snapshots and transmitting them over unencrypted protocols such as FTP or HTTP to non-management IPs.
Analyst context for executives and security teams
AN0426 is an ESXi-focused detection analytic for a risky behavior: shell scripts reading configuration files or snapshots and sending them over unencrypted protocols such as FTP or HTTP to IP addresses that are not management destinations. For leaders, the practical concern is that ESXi configuration backups carry host account and network settings, and snapshot files can carry guest disk and memory contents, so unencrypted transfer of either to an unapproved destination means sensitive infrastructure data leaving the organization's control in transit.
Executive priority
Prioritize this analytic where ESXi supports critical workloads or regulated systems. The decision value is to confirm whether teams can see host-level shell activity, identify legitimate management destinations, and prove that insecure outbound transfer of sensitive infrastructure data would be noticed. This supports incident response readiness, audit evidence around administrative access and data movement, and control prioritization for management-plane hardening.
Technical view
SOC and IR teams should validate visibility on ESXi for shell-based script execution, file access involving configuration files or snapshots, outbound FTP/HTTP activity, and destination classification between approved management IPs and non-management IPs. Because no detection logic beyond the description was supplied with this object, local engineering must define the exact file paths, process patterns, management subnets, and approved administrative workflows that separate suspicious activity from maintenance or backup operations.
Likely telemetry
- ESXi host shell command logs (for example shell.log, which records commands typed into the ESXi Shell) or process execution logs where available
- File access events for ESXi configuration files and snapshot-related paths; ESXi has no native file-access auditing, so this is often inferred from shell command lines or supplied by additional host tooling
- Network connection or flow records from ESXi hosts
- Proxy, firewall, or network security logs showing FTP or HTTP egress
- Asset inventory or CMDB data identifying ESXi hosts and approved management IP ranges
Detection direction
- Build or validate correlation between shell-based script activity, access to configuration or snapshot files, and outbound FTP/HTTP transfer.
- Maintain an allowlist or authoritative inventory of management IPs so alerts can focus on transfers to non-management destinations.
- Tune for legitimate backup, migration, maintenance, or monitoring workflows that may access snapshots or configuration files.
- Review blind spots in ESXi logging, especially where host shell activity or file access is not centrally collected.
- Prioritize unencrypted FTP/HTTP egress from ESXi hosts as higher-fidelity context when combined with sensitive file access.
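The correlation described in the list above, as an added example that is not part of the ATT&CK object or of Glexia's analysis: it runs over constructed, normalized events (hypothetical schema, not a real ESXi log format), with a hypothetical management range and path patterns standing in for the local definitions the analytic depends on.

```python
"""Toy AN0426-style correlation: shell script + sensitive ESXi file + cleartext egress.

Added example. The event schema, management range, and sample events are
constructed for illustration and are not ATT&CK or Glexia content.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Local definitions the analytic depends on (hypothetical values for the example).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed vCenter/backup range

# ESXi configuration and snapshot artefacts treated as sensitive.
SENSITIVE_PATH_RE = re.compile(
    r"(^/etc/vmware/|^/bootbank/state\.tgz$|^/local\.tgz$|"
    r"\.vmsn$|\.vmsd$|-delta\.vmdk$|-sesparse\.vmdk$|\.vmx$)"
)
CLEARTEXT_PORTS = {21: "ftp", 80: "http"}  # unencrypted transfer protocols in scope
SHELL_IMAGES = {"sh", "bash", "busybox", "python"}
SCRIPT_RE = re.compile(r"\.(sh|py)(\s|$)")  # command line invokes a script file


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_sensitive_path(path):
    return bool(SENSITIVE_PATH_RE.search(path))


def is_management_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def correlate(events, window=timedelta(minutes=10)):
    """Return one alert per (host, pid, destination) chaining all three observations.

    Events are grouped per process; a script-launching shell process anchors the
    window, and only sensitive file reads plus cleartext egress to a non-management
    IP inside that window produce an alert. Management or encrypted destinations
    and non-sensitive files are deliberately suppressed.
    """
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"])].append(ev)

    alerts = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        starts = [e for e in evs if e["type"] == "process"
                  and e["image"] in SHELL_IMAGES and SCRIPT_RE.search(e["cmdline"])]
        if not starts:
            continue
        start = parse_ts(starts[0]["ts"])
        in_window = [e for e in evs if start <= parse_ts(e["ts"]) <= start + window]
        paths = sorted({e["path"] for e in in_window
                        if e["type"] == "file" and is_sensitive_path(e["path"])})
        egress = [e for e in in_window if e["type"] == "network"
                  and e["dst_port"] in CLEARTEXT_PORTS
                  and not is_management_ip(e["dst_ip"])]
        if paths and egress:
            for net in egress:
                alerts.append({
                    "host": host, "pid": pid, "script": starts[0]["cmdline"],
                    "paths": paths, "protocol": CLEARTEXT_PORTS[net["dst_port"]],
                    "dst_ip": net["dst_ip"], "dst_port": net["dst_port"],
                    "first_seen": starts[0]["ts"], "last_seen": net["ts"],
                })
    return alerts


def _ev(ts, host, pid, type_, **fields):
    return {"ts": ts, "host": host, "pid": pid, "type": type_, **fields}


# Constructed sample events: one true positive and three benign look-alikes.
SAMPLE_EVENTS = [
    # A: shell script reads config backup and a snapshot, then FTP to an unknown IP -> alert
    _ev("2024-05-03T10:00:00Z", "esxi01", 4711, "process", image="sh", cmdline="sh /tmp/cfgpull.sh"),
    _ev("2024-05-03T10:00:05Z", "esxi01", 4711, "file", path="/bootbank/state.tgz", op="read"),
    _ev("2024-05-03T10:00:07Z", "esxi01", 4711, "file", path="/vmfs/volumes/ds1/web01/web01-Snapshot1.vmsn", op="read"),
    _ev("2024-05-03T10:00:20Z", "esxi01", 4711, "network", dst_ip="203.0.113.5", dst_port=21, proto="tcp"),
    # B: same pattern but to the management range -> suppressed (approved backup destination)
    _ev("2024-05-03T02:00:00Z", "esxi01", 4800, "process", image="sh", cmdline="sh /opt/backup/nightly.sh"),
    _ev("2024-05-03T02:00:03Z", "esxi01", 4800, "file", path="/bootbank/state.tgz", op="read"),
    _ev("2024-05-03T02:00:09Z", "esxi01", 4800, "network", dst_ip="10.10.0.20", dst_port=21, proto="tcp"),
    # C: sensitive file but encrypted egress -> not in this analytic's scope
    _ev("2024-05-03T11:00:00Z", "esxi02", 5100, "process", image="python", cmdline="python /tmp/sync.py"),
    _ev("2024-05-03T11:00:02Z", "esxi02", 5100, "file", path="/etc/vmware/hostd/config.xml", op="read"),
    _ev("2024-05-03T11:00:04Z", "esxi02", 5100, "network", dst_ip="198.51.100.9", dst_port=443, proto="tcp"),
    # D: cleartext egress but no sensitive file -> suppressed
    _ev("2024-05-03T12:00:00Z", "esxi02", 5200, "process", image="sh", cmdline="sh /tmp/health.sh"),
    _ev("2024-05-03T12:00:01Z", "esxi02", 5200, "file", path="/var/log/hostd.log", op="read"),
    _ev("2024-05-03T12:00:02Z", "esxi02", 5200, "network", dst_ip="198.51.100.9", dst_port=80, proto="tcp"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Tuning lives in the three constants: the management range suppresses approved backup targets (case B), the port map confines the rule to unencrypted protocols (case C), and the path expression decides what counts as sensitive (case D). Widen any of them only with the asset inventory and documented workflows the page recommends, since each widening moves alerts from the FTP/HTTP-to-unknown-IP core of the analytic toward ordinary maintenance noise.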
Mitigation priorities
- Restrict ESXi management access to approved administrative networks and accounts.
- Reduce or disable unnecessary use of ESXi shell where operationally feasible.
- Limit outbound FTP and HTTP from ESXi hosts, especially to non-management destinations.
- Use approved encrypted and authenticated channels for administrative transfer workflows.
- Document approved backup and maintenance processes so detection teams can distinguish expected activity from suspicious transfer behavior.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and no tactics or relationships were supplied. Its value depends heavily on local definitions of ESXi management IPs, legitimate script activity, snapshot handling, and available host/network telemetry.
Official detection content is not provided, and there are no relationship contexts. This analysis should not be read as evidence of active exploitation, actor attribution, or guaranteed detection coverage. Local ESXi logging and network architecture determine practical effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table below compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4c136b842173… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0426
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.