AN0433: Analytic 0433
Interactive or remote shell/API invocation of esxcli system clock get or querying time parameters via hostd/vpxa shortly followed by time/ntp configuration checks or scheduled task creation, executed by non-standard accounts or outside maintenance windows.
Analyst context for executives and security teams
This analytic points to suspicious ESXi administrative activity around checking host time and then reviewing or changing time/NTP settings or creating scheduled tasks. For leaders, the value is not the clock command itself; it is that unexpected ESXi management activity by non-standard accounts or outside maintenance windows can indicate weak change control, privileged access misuse, or activity that may complicate incident timelines and audit evidence.
Executive priority
Prioritize this as a control-validation item for virtual infrastructure governance. ESXi hosts are business-critical, and time synchronization, scheduled tasks, and management-plane access affect operational resilience, investigation quality, and compliance evidence. Executives should ask whether ESXi administrative actions are logged, attributable to approved accounts, and reviewed against maintenance windows.
Technical view
SOC and IR teams should validate whether ESXi management-plane telemetry can show interactive or remote shell/API invocation of `esxcli system clock get`, time/NTP configuration checks via hostd/vpxa-related activity, and scheduled task creation. Because no ATT&CK detection logic is supplied, teams should build environment-specific baselines for standard ESXi admin accounts, expected maintenance windows, and normal time-configuration workflows before alerting on deviations.
Likely telemetry
- ESXi host management logs
- hostd and vpxa activity related to time or NTP configuration queries
- ESXi shell or remote command execution records where available
- API invocation logs for ESXi/vCenter management actions
- Scheduled task creation records on ESXi management infrastructure
Detection direction
- Correlate time-query activity with subsequent time/NTP configuration checks or scheduled task creation, as described by the analytic.
- Prioritize events executed by non-standard accounts or outside approved maintenance windows.
- Tune against known administrative workflows to reduce false positives from legitimate time synchronization checks and routine maintenance.
- Validate visibility at both host and management-plane layers, especially hostd/vpxa-related evidence.
- Treat missing account attribution or lack of maintenance-window context as a detection blind spot rather than proof of benign activity.
Mitigation priorities
- Restrict ESXi administrative access to approved privileged accounts and documented operational processes.
- Maintain clear maintenance windows and change records for ESXi time/NTP and scheduled-task activity.
- Ensure ESXi and management-plane logging is enabled, retained, and usable for incident response and audit review.
- Review privileged account governance for virtual infrastructure, including separation of duties and periodic access validation.
- Baseline normal ESXi administrative activity before enforcing high-confidence alerts.
Analyst notes and limits
The supplied object is a detection analytic for ESXi and describes behavior centered on time-query commands, hostd/vpxa time-parameter checks, and scheduled task creation under suspicious account or timing conditions. No tactic, detection logic, relationships, aliases, or labels were supplied, so this take focuses on defensive validation and operational decision value rather than adversary attribution or impact.
Official detection content and relationship context were not provided. This summary cannot assert active exploitation, actor usage, affected environments beyond ESXi, or guaranteed detection. Local logging, identity context, vCenter/ESXi configuration, and change-management data are required to determine relevance and alert quality.
Analytic 0433
Interactive or remote shell/API invocation of esxcli system clock get or querying time parameters via hostd/vpxa shortly followed by time/ntp configuration checks or scheduled task creation, executed by non-standard accounts or outside maintenance windows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 38fdc90d5769… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0433Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.