AN0572: Analytic 0572
Monitor for execution of hypervisor management commands such as `esxcli vm process list` or `vim-cmd vmsvc/getallvms` that enumerate virtual machines. Defenders observe unexpected users issuing VM listing commands outside normal administrative workflows.
Analyst context for executives and security teams
This analytic matters because VM enumeration on ESXi can be an early sign that someone is mapping virtual infrastructure outside normal administration. For leaders, the decision point is whether hypervisor activity is visible enough to distinguish routine operations from unexpected users listing virtual machines, especially where ESXi hosts support critical services.
Executive priority
Prioritize this as a visibility and governance check for virtualization environments. Security leaders should ask who is authorized to run ESXi management commands, whether that activity is logged centrally, and whether SOC or IR teams can quickly validate unusual VM inventory access during an incident. The supplied ATT&CK object is limited to ESXi and does not specify tactics or related techniques, so its business value is strongest as a control-validation item for hypervisor monitoring, privileged access review, and incident readiness.
Technical view
Validate monitoring for ESXi hypervisor management command execution that enumerates virtual machines, including commands such as `esxcli vm process list` and `vim-cmd vmsvc/getallvms`. Focus analysis on unexpected users, unusual timing, nonstandard administrative workflows, and command execution from accounts or access paths that do not normally perform VM listing. Because no official detection logic is provided and no relationships are supplied, teams should build local baselines from approved ESXi administration activity rather than rely on ATT&CK context alone.
Likely telemetry
- ESXi shell or management command execution logs where available
- Authentication and session records for users accessing ESXi hosts
- Administrative workflow records or change tickets for expected VM inventory activity
- Centralized log collection from ESXi hosts or hypervisor management infrastructure
- User/account context showing whether the command issuer is an expected virtualization administrator
Detection direction
- Confirm that ESXi command execution involving VM listing is captured and retained in a searchable location.
- Tune alerts around unexpected users issuing VM enumeration commands outside approved administrative workflows.
- Baseline normal virtualization administration activity to reduce false positives from routine inventory, troubleshooting, or maintenance.
- Correlate command execution with authentication/session data to identify the account and access path used.
- Document blind spots where ESXi shell activity, host-level logs, or management access logs are not centrally collected.
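The detection direction above comes down to three joins: recognise the enumeration command in the host's shell command log, attach the issuing account to a login session and source address, and compare both against an approved-administrator set and a change window. The following Python is an added example for this page (not MITRE's or Glexia's code) that runs that logic over constructed log lines. The `shell[pid]: [user]: command` and `sshd ... Accepted ... for user from src` line shapes are modelled on ESXi's shell.log and auth.log but are assumptions here, as are the user names, addresses and ticket number.

```python
"""Flag ESXi VM-enumeration commands issued outside approved administration.

Added example; not MITRE's or Glexia's code. Log line formats are assumed
(modelled on ESXi /var/log/shell.log and /var/log/auth.log) and every log
line, user, address and ticket below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed shell.log shape: "<ts> shell[<pid>]: [<user>]: <command>"
SHELL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)
# Assumed auth.log shape: "<ts> sshd[<pid>]: Accepted <method> for <user> from <src> port <n> ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# The two enumeration commands named by the analytic, whitespace-tolerant.
VM_ENUM_PATTERNS = (
    re.compile(r"^esxcli\s+vm\s+process\s+list(\s|$)"),
    re.compile(r"^vim-cmd\s+vmsvc/getallvms(\s|$)"),
)


def parse_ts(s):
    """ESXi logs use UTC with a trailing Z; fromisoformat needs +00:00 on older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_vm_enumeration(cmd):
    cmd = cmd.strip()
    return any(p.match(cmd) for p in VM_ENUM_PATTERNS)


def parse_sessions(auth_lines):
    """Return (login_time, user, source_ip) for every accepted SSH login."""
    sessions = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            sessions.append((parse_ts(m["ts"]), m["user"], m["src"]))
    return sessions


def last_login(sessions, user, when, lookback):
    """Most recent login for `user` within `lookback` before `when`, or None."""
    hits = [s for s in sessions if s[1] == user and when - lookback <= s[0] <= when]
    return max(hits, key=lambda s: s[0])[2] if hits else None


def detect(shell_lines, auth_lines, policy, lookback=timedelta(hours=8)):
    """Alert on VM enumeration by unexpected users, times or access paths."""
    sessions = parse_sessions(auth_lines)
    alerts = []
    for line in shell_lines:
        m = SHELL_RE.match(line)
        if not m or not is_vm_enumeration(m["cmd"]):
            continue
        ts, user = parse_ts(m["ts"]), m["user"]
        src = last_login(sessions, user, ts, lookback)
        reasons = []
        if user not in policy["authorized_users"]:
            reasons.append("unauthorized_user")
        if not any(start <= ts <= end for start, end, _ticket in policy["change_windows"]):
            reasons.append("outside_change_window")
        if src is None:
            reasons.append("no_correlated_session")   # command with no matching login
        elif src not in policy["admin_sources"]:
            reasons.append("unexpected_access_path")  # not from the admin jump host
        if reasons:
            alerts.append({"ts": m["ts"], "user": user, "cmd": m["cmd"].strip(),
                           "src": src, "reasons": reasons})
    return alerts


def run_example():
    """Constructed sample data: one approved inventory check, two suspicious ones."""
    utc = timezone.utc
    policy = {
        "authorized_users": {"root", "vadmin"},
        "admin_sources": {"10.10.0.5"},                      # assumed jump host
        "change_windows": [(datetime(2025, 3, 4, 9, 0, tzinfo=utc),
                            datetime(2025, 3, 4, 10, 0, tzinfo=utc), "CHG-0042")],
    }
    auth_lines = [
        "2025-03-04T02:12:59Z sshd[2100100]: Accepted keyboard-interactive/pam for root from 203.0.113.7 port 51522 ssh2",
        "2025-03-04T09:04:30Z sshd[2100390]: Accepted publickey for vadmin from 10.10.0.5 port 40022 ssh2",
    ]
    shell_lines = [
        "2025-03-04T02:13:07Z shell[2100183]: [root]: esxcli vm process list",
        "2025-03-04T09:05:41Z shell[2100400]: [vadmin]: vim-cmd vmsvc/getallvms",
        "2025-03-04T09:07:02Z shell[2100401]: [vadmin]: esxcli network ip interface list",
        "2025-03-04T23:41:19Z shell[2100777]: [svc_backup]: vim-cmd vmsvc/getallvms",
    ]
    return detect(shell_lines, auth_lines, policy)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The approved `vadmin` run inside the change window from the jump host produces nothing; the `root` run at 02:13 from an external address and the `svc_backup` run with no matching login both alert, with the reasons attached so an analyst can see which baseline was violated. Note the blind spot this approach inherits: a shell command log only records commands typed into the ESXi Shell or over SSH, so enumeration performed through the vSphere API or a management client will not appear there and must be collected from the host's management-agent logs or vCenter instead.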
Mitigation priorities
- Define and review the set of users authorized to perform ESXi VM listing and other hypervisor management actions.
- Restrict hypervisor administrative access to approved workflows and accounts where operationally feasible.
- Ensure ESXi host and management logs are forwarded to the SOC or other monitored logging platform.
- Use change-management or maintenance records to separate expected administrative enumeration from unexpected activity.
- Include ESXi command visibility in incident response readiness checks for virtualized critical systems.
Analyst notes and limits
This is a detection analytic object, not a technique. The object specifically references ESXi and VM enumeration via hypervisor management commands. No ATT&CK tactics, related techniques, official detection pseudocode, mitigations, or relationship context were supplied, so this analysis emphasizes defensive validation and local baselining rather than broader claims about adversary behavior.
Coverage and alert quality depend on whether the environment records ESXi management command execution and user/session context. The supplied ATT&CK fields do not support claims about active exploitation, attribution, impact, or coverage beyond ESXi VM enumeration command monitoring.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 39141a96b321… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack, AN0572 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.