MITRE ATT&CK® Analytic

AN0646: Analytic 0646

Detects anomalous usage of ESXi Guest Operations APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, or InitiateFileTransferFromGuest. Defender perspective focuses on unusual frequency of guest API calls, invocation from unexpected management accounts, or execution outside of business hours. These correlated signals indicate adversarial abuse of ESXi administrative services to run commands on guest VMs.

Enterprise · AN0646 · Analytic object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because ESXi guest operations APIs can allow administrative services to run commands or interact with files inside guest virtual machines. For leaders, the practical question is whether virtualization administration activity is visible, attributable to expected management accounts, and explainable by business need. Unusual API frequency, unexpected accounts, or after-hours activity can signal abuse of privileged ESXi management capability and should be treated as a resilience and incident-response readiness issue for virtualized workloads.

Executive priority

Prioritize this where ESXi hosts support critical business services. The decision value is not just detecting one API call; it is proving that privileged virtualization actions are logged, reviewed, and tied to accountable identities and approved operating windows. Security leaders should ask whether SOC, identity, and infrastructure teams can quickly answer: who invoked ESXi guest operations APIs, against which VMs, when, and whether that activity was expected. This supports operational resilience, privileged access governance, and audit evidence around administrative control of virtual infrastructure.

Technical view

For SOC and detection engineering teams, validate monitoring for anomalous use of ESXi Guest Operations APIs including StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, and InitiateFileTransferFromGuest. Since no official detection logic is provided, build or assess analytics around frequency anomalies, unexpected management accounts, and execution outside business hours. IR teams should ensure ESXi management activity can be correlated with account ownership, change windows, VM targets, and any related guest-side process or file activity where available. No ATT&CK tactic or relationship context was supplied, so local mapping to incident scenarios must be environment-driven.

Likely telemetry

  • ESXi management and administrative activity logs covering Guest Operations API usage
  • Records of API method names such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, and InitiateFileTransferFromGuest
  • Management account identity and authentication context
  • Timestamp and business-hours context for ESXi administrative actions
  • Target host and guest VM identifiers

Detection direction

  • Baseline normal ESXi Guest Operations API usage by account, host, VM, time of day, and expected administrative workflow.
  • Alert or review unusual frequency of guest API calls, especially when concentrated against sensitive or unusual guest VMs.
  • Flag invocation from unexpected management accounts or accounts not normally associated with ESXi guest operations.
  • Correlate after-hours API activity with approved maintenance windows to reduce false positives.
  • Tune for legitimate automation and backup or administration workflows that may use guest operations APIs at scale.
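As an added example (illustrative code written for this page, not MITRE's or Glexia's detection logic), the Python below applies the three signals named in the Technical view and Detection direction sections to a constructed batch of Guest Operations events: calls from accounts outside an approved management set, calls outside business hours that do not fall in an approved maintenance window, and bursts of calls by one account against one VM. The pipe-separated event format, the account and VM names, the business hours, the maintenance window and the burst threshold are all assumptions; real ESXi and vCenter logs will need their own parser feeding the same `triage` function.

```python
"""Rule-based triage of ESXi Guest Operations API events (added example).

Not MITRE or Glexia detection logic. The event format, account names,
VM names, business hours, maintenance window and thresholds are all
constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Guest Operations API methods named on the page.
GUEST_OPS_METHODS = {
    "StartProgramInGuest",
    "ListProcessesInGuest",
    "ListFileInGuest",
    "InitiateFileTransferFromGuest",
}

# Assumed policy inputs (constructed for this example).
APPROVED_ACCOUNTS = {"svc-backup", "vcadmin"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # Monday to Friday
MAINTENANCE_WINDOWS = [
    (datetime(2024, 3, 9, 22, 0), datetime(2024, 3, 10, 2, 0)),
]
BURST_THRESHOLD = 5      # calls by one account against one VM ...
BUCKET_MINUTES = 10      # ... inside one 10-minute bucket

# Constructed sample events, "ts|account|host|vm|method"; this is a
# simplified stand-in, not a real ESXi or vCenter log format.
SAMPLE_EVENTS = """\
2024-03-04T09:12:00|svc-backup|esxi01|fileserver01|ListFileInGuest
2024-03-04T09:13:00|svc-backup|esxi01|fileserver01|InitiateFileTransferFromGuest
2024-03-04T10:40:00|vcadmin|esxi01|app01|ListProcessesInGuest
2024-03-05T09:10:00|svc-backup|esxi01|fileserver01|ListFileInGuest
2024-03-05T09:11:00|svc-backup|esxi01|fileserver01|InitiateFileTransferFromGuest
2024-03-06T23:05:00|jsmith|esxi02|dc01|StartProgramInGuest
2024-03-06T23:05:30|jsmith|esxi02|dc01|StartProgramInGuest
2024-03-06T23:06:00|jsmith|esxi02|dc01|StartProgramInGuest
2024-03-06T23:06:30|jsmith|esxi02|dc01|StartProgramInGuest
2024-03-06T23:07:00|jsmith|esxi02|dc01|StartProgramInGuest
2024-03-06T23:07:30|jsmith|esxi02|dc01|StartProgramInGuest
2024-03-09T23:00:00|vcadmin|esxi01|app01|StartProgramInGuest
2024-03-10T03:30:00|vcadmin|esxi01|app01|ListFileInGuest
"""


def parse_events(text):
    """Parse the constructed format, keeping only Guest Operations methods."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, vm, method = line.split("|")
        if method in GUEST_OPS_METHODS:
            events.append({"ts": datetime.fromisoformat(ts), "account": account,
                           "host": host, "vm": vm, "method": method})
    return events


def is_after_hours(ts):
    """Weekend, or a weekday outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def in_maintenance_window(ts):
    return any(start <= ts < end for start, end in MAINTENANCE_WINDOWS)


def bucket_of(ts):
    """Start of the fixed 10-minute bucket containing ts."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES,
                      second=0, microsecond=0)


def triage(events):
    """Return (reason, account, vm, timestamp) findings for review."""
    findings = []
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        when = e["ts"].isoformat()
        if e["account"] not in APPROVED_ACCOUNTS:
            findings.append(("unexpected_account", e["account"], e["vm"], when))
        # After-hours calls are suppressed only inside an approved window.
        if is_after_hours(e["ts"]) and not in_maintenance_window(e["ts"]):
            findings.append(("after_hours", e["account"], e["vm"], when))
        buckets[(e["account"], e["vm"], bucket_of(e["ts"]))].append(e)
    # Frequency signal: one finding per (account, VM, bucket) that exceeds the threshold.
    for (account, vm, start), calls in sorted(buckets.items()):
        if len(calls) >= BURST_THRESHOLD:
            findings.append(("burst", account, vm, start.isoformat()))
    return findings


def summarize(findings):
    """Count findings by reason, a convenient view for tuning thresholds."""
    return Counter(reason for reason, *_ in findings)


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

On the constructed input, the backup service account's daily file listing and transfer produces no findings, the Saturday call inside the maintenance window is suppressed, and the burst of `StartProgramInGuest` calls from an unapproved account at 23:05 on a weekday surfaces on all three signals, which is the kind of correlation the analytic describes. In practice the approved-account set, business hours and windows should be sourced from change-management data rather than hard-coded, and the burst threshold tuned against the per-account baseline so that legitimate automation does not trip it.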

Mitigation priorities

  • Confirm that ESXi administrative and Guest Operations API activity is logged and retained for SOC and IR use.
  • Restrict guest operations capability to expected management accounts and approved administrative workflows.
  • Review privileged account governance for ESXi management access, including ownership and business justification.
  • Define expected maintenance windows and automation patterns so anomalous timing and frequency can be assessed.
  • Correlate virtualization management monitoring with guest VM telemetry where possible to support investigation.

Analyst notes and limits

This is a detection analytic for the ESXi platform. The supplied MITRE description focuses on anomalous use of ESXi Guest Operations APIs and highlights frequency, unexpected management accounts, and out-of-hours execution as defender-relevant signals. No official detection logic, tactics, aliases, labels, or relationship context were supplied, so the take emphasizes validation questions and telemetry requirements rather than claiming a complete detection pattern.

The object provides a concise analytic description but no formal detection query, no tactic mapping, and no relationships to techniques, campaigns, software, or mitigations. Business impact and prioritization depend on whether ESXi hosts support critical workloads and whether the environment collects sufficient ESXi management and guest telemetry. This summary does not claim active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Analytic 0646

Detects anomalous usage of ESXi Guest Operations APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, or InitiateFileTransferFromGuest. Defender perspective focuses on unusual frequency of guest API calls, invocation from unexpected management accounts, or execution outside of business hours. These correlated signals indicate adversarial abuse of ESXi administrative services to run commands on guest VMs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c45182fd19cfc8eb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | c45182fd19cf…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0646

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.