AN0636: Analytic 0636
VM services or management daemons communicating on ports not defined by VMware defaults, such as vpxa or hostd processes initiating traffic over high-numbered or unexpected ports.
Analyst context for executives and security teams
This analytic matters because unexpected network communication from ESXi management services can indicate a breakdown in the normal management-plane baseline. For executives and security leaders, the decision value is not that a specific attack is proven, but that ESXi hosts are high-value infrastructure: if management daemons such as vpxa or hostd communicate over non-default or unusual ports, teams should be able to explain whether that activity is approved, misconfigured, or suspicious.
Executive priority
Prioritize this as a control-validation and resilience question for virtualization infrastructure. Leaders should ask whether ESXi management traffic is baselined, whether exceptions are documented, and whether the SOC can quickly distinguish approved VMware administration from unexpected daemon communications. This supports incident triage, audit evidence for infrastructure monitoring, and risk decisions around critical virtualization platforms.
Technical view
The supplied ATT&CK object describes an ESXi-focused detection analytic for VM services or management daemons communicating on ports outside VMware defaults, including vpxa or hostd initiating traffic over high-numbered or unexpected ports. SOC and detection teams should validate visibility into ESXi host network connections, process-to-network attribution where available, and known-good VMware management port baselines. Because no official detection logic or tactic mapping is provided, implementation should be environment-specific and tested against approved management workflows.
Likely telemetry
- ESXi host network connection records
- Firewall or network flow logs involving ESXi management interfaces
- Process-to-network telemetry for ESXi services where available
- VMware management service logs for hostd and vpxa activity
- Asset inventory and configuration records defining expected ESXi management ports
Detection direction
- Baseline default and organization-approved VMware management communications for ESXi hosts before alerting on deviations.
- Focus on vpxa, hostd, and other VM services or management daemons initiating traffic over high-numbered or unexpected ports.
- Tune for known administrative tools, backup systems, monitoring systems, and maintenance windows to reduce false positives.
- Investigate deviations by correlating destination, port, process/service identity, host role, and recent configuration changes.
- Treat lack of process-level telemetry on ESXi as a blind spot; network-only detections may identify unusual flows but may not prove which daemon initiated them.
Mitigation priorities
- Document expected ESXi management services, destinations, and ports, including approved deviations from VMware defaults.
- Restrict ESXi management-plane access to authorized administrative networks and systems where operationally feasible.
- Review firewall and segmentation policy for unexpected outbound or lateral communications from ESXi hosts.
- Maintain change-control evidence for VMware service configuration changes so SOC investigations can separate approved changes from anomalies.
- Ensure incident response playbooks include escalation paths for unusual ESXi management daemon traffic.
Analyst notes and limits
This Glexia take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic for ESXi and describes unexpected port usage by VM services or management daemons such as vpxa or hostd. No related techniques, tactics, mitigations, groups, malware, campaigns, or detection implementation details were supplied.
Official detection content is not provided, and no relationship context is supplied. Local VMware topology, approved management ports, logging depth, and network segmentation design are required to turn this into reliable detection logic. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
Analytic 0636
VM services or management daemons communicating on ports not defined by VMware defaults, such as vpxa or hostd processes initiating traffic over high-numbered or unexpected ports.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 4e9b2d1ec436… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0636Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.