MITRE ATT&CK® Analytic

AN0654: Analytic 0654

Suspicious modification of file artifacts (e.g., logs, ISO templates) on ESXi datastores, followed by beaconing or POST operations to external IPs potentially hiding payloads in file-like traffic.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes suspicious changes to file artifacts on ESXi datastores, such as logs or ISO templates, followed by outbound beaconing or POST activity from the same host to external IP addresses. The pattern matters because a datastore is a convenient staging area: an attacker with host access can edit logs to hide activity or write a payload into an ISO or template, then move it out disguised as ordinary file transfer traffic. For leaders, the practical concern is that virtualization infrastructure can become both a high-value target and a blind spot: if datastore file changes and ESXi network egress are not monitored, that staging and exfiltration may be missed until operational impact is already underway.

Executive priority

Prioritize this as a virtualization visibility and resilience question. Ask whether ESXi datastore activity, file integrity-relevant changes, and outbound network connections from ESXi environments are actually logged, reviewed, and retained. This matters for incident response readiness, audit evidence, and business continuity because ESXi platforms often support critical workloads, but may not receive the same monitoring depth as endpoints or cloud workloads.

Technical view

The supplied ATT&CK object is a detection analytic for the ESXi platform. SOC and IR teams should validate whether they can correlate suspicious datastore file modifications, especially to logs or ISO/template-like artifacts, with subsequent outbound beaconing or HTTP POST-style traffic from the same host to external IPs inside a short time window. Because no official detection logic, tactic mapping, or relationship context is provided, treat this as a coverage-validation use case rather than a complete rule: the object tells you which two signals to join, not how to join them.

Likely telemetry

  • ESXi datastore file modification events or equivalent file inventory/change records
  • Logs or metadata showing changes to log files, ISO templates, or other datastore artifacts
  • Network egress telemetry from ESXi hosts or management networks
  • HTTP/HTTPS proxy, firewall, or network sensor records showing outbound POST operations
  • External destination IP, timing, volume, and connection-frequency evidence for correlation

Detection direction

  • Validate that ESXi datastore changes are visible, time-synchronized, and retained long enough for investigation.
  • Correlate unusual file artifact changes with outbound connections from the same ESXi host or related management segment.
  • Tune for expected administrative activity, backup operations, template maintenance, and patching to reduce false positives.
  • Pay attention to environments where ESXi hosts have direct or weakly controlled outbound internet access.
  • Document blind spots where datastore file telemetry or ESXi egress monitoring is absent, because the ATT&CK object provides no standalone detection logic.
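The join described under Likely telemetry and Detection direction, written out as a runnable example. This is an added illustration for this page, not MITRE detection logic or Glexia tooling: every log line is constructed, the key=value record layout, the field names (host, op, user, path, src, dst, method), the automation account name and the internal address ranges are assumptions, and the thresholds (30-minute window, three connections, 20% jitter) are starting points to tune against your own baselines.

```python
"""Correlate ESXi datastore artifact changes with following egress.

Added example for this page; not MITRE's or Glexia's detection logic.
All records below are constructed. The key=value layout and field names
are assumptions, since the ATT&CK object supplies no data-source format.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
import re

# Constructed datastore change records. A real feed might be a periodic
# file-inventory diff of /vmfs/volumes or a syslog-forwarded audit line.
DATASTORE_CHANGES = [
    "2025-03-10T02:00:05Z host=esx01 op=modify user=root path=/vmfs/volumes/ds1/templates/win2022.iso",
    "2025-03-10T02:00:40Z host=esx01 op=modify user=root path=/vmfs/volumes/ds1/.locker/log/hostd.log",
    "2025-03-10T03:15:00Z host=esx02 op=modify user=root path=/vmfs/volumes/ds2/templates/ubuntu.iso",
    "2025-03-10T04:00:00Z host=esx04 op=modify user=svc-template-sync path=/vmfs/volumes/ds4/templates/rhel9.iso",
]

# Constructed proxy/firewall egress records, keyed by ESXi hostname.
EGRESS = [
    "2025-03-10T02:02:00Z src=esx01 dst=203.0.113.10 method=POST bytes=52000",
    "2025-03-10T02:07:00Z src=esx01 dst=203.0.113.10 method=GET bytes=300",
    "2025-03-10T02:12:01Z src=esx01 dst=203.0.113.10 method=GET bytes=298",
    "2025-03-10T02:17:00Z src=esx01 dst=203.0.113.10 method=GET bytes=301",
    "2025-03-10T02:30:00Z src=esx03 dst=198.51.100.7 method=GET bytes=500",
    "2025-03-10T03:16:00Z src=esx02 dst=10.0.5.20 method=POST bytes=1200",
    "2025-03-10T04:01:00Z src=esx04 dst=203.0.113.20 method=POST bytes=90000",
]

# Artifact kinds the analytic names (logs, ISOs) plus template descriptors.
ARTIFACT_RE = re.compile(r"\.(iso|log|vmtx|ovf|ova)$", re.IGNORECASE)
# Tuning knobs. Assumed values; derive them from your own environment.
APPROVED_MAINTENANCE_USERS = {"svc-template-sync"}   # expected template automation
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=30)   # egress must follow the change within this window
MIN_BEACON_HITS = 3              # connections to one destination before calling it beaconing
MAX_JITTER = 0.2                 # pstdev/mean of inter-connection gaps below this looks periodic


def parse(line):
    """Turn 'ts k=v k=v ...' into a dict; 'ts' becomes an aware UTC datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def is_external(ip):
    """Explicit internal list rather than ipaddress.is_global, which treats the
    RFC 5737 documentation addresses used in the samples as non-global."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def looks_periodic(times):
    """True when sorted connection times show at least MIN_BEACON_HITS hits at a near-constant interval."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < MIN_BEACON_HITS - 1:
        return False
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m < MAX_JITTER


def correlate(change_lines, egress_lines):
    """One alert per (host, artifact, destination) where an artifact change is
    followed by a POST or beacon-like traffic to an external IP."""
    egress = [parse(l) for l in egress_lines]
    alerts = []
    for chg in (parse(l) for l in change_lines):
        if not ARTIFACT_RE.search(chg["path"]) or chg["user"] in APPROVED_MAINTENANCE_USERS:
            continue
        follow = [e for e in egress
                  if e["src"] == chg["host"] and is_external(e["dst"])
                  and chg["ts"] <= e["ts"] <= chg["ts"] + WINDOW]
        by_dst = {}
        for e in sorted(follow, key=lambda e: e["ts"]):
            by_dst.setdefault(e["dst"], []).append(e)
        for dst, conns in by_dst.items():
            reasons = []
            if any(c["method"] == "POST" for c in conns):
                reasons.append("POST")
            if looks_periodic([c["ts"] for c in conns]):
                reasons.append("beacon")
            if reasons:
                alerts.append({"host": chg["host"], "path": chg["path"],
                               "user": chg["user"], "dst": dst, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(DATASTORE_CHANGES, EGRESS):
        print(a)
```

On the constructed data only esx01 fires: root touched an ISO and a log, and within half an hour the host sent a POST and three evenly spaced connections to one external address. esx02 is suppressed because its POST went to an internal backup target, esx04 because the change came from the approved automation account, and esx03 had no preceding datastore change at all. Those three suppressions are the tuning the list above asks for; the host-to-source-IP mapping, the change-record source and the window are the local decisions the ATT&CK object leaves to you.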

Mitigation priorities

  • Restrict and monitor outbound network access from ESXi hosts and management networks based on business need.
  • Ensure ESXi datastore and management activity logging is enabled, centralized, and protected from tampering where feasible.
  • Establish baselines for normal datastore template, ISO, and log file changes.
  • Include ESXi telemetry requirements in incident response playbooks, compliance evidence collection, and managed detection onboarding.
  • Review administrative processes so legitimate datastore maintenance can be distinguished from suspicious modification-and-egress patterns.

Analyst notes and limits

This take is based only on ATT&CK analytic AN0654. The object names ESXi as the platform and describes suspicious datastore artifact modification followed by beaconing or POST operations to external IPs. No ATT&CK tactics, related techniques, groups, software, campaigns, or official detection logic were supplied.

The source object is sparse: detection text is not provided, relationship context is absent, and no active exploitation, attribution, impact, or prevalence claims are supported. Local ESXi architecture, logging configuration, network routing, proxy coverage, and administrative baselines are required to turn this into reliable detection engineering.

Official MITRE ATT&CK definition

Analytic 0654

Suspicious modification of file artifacts (e.g., logs, ISO templates) on ESXi datastores, followed by beaconing or POST operations to external IPs potentially hiding payloads in file-like traffic.

View the same entry on attack.mitre.org (MITRE-hosted reference). Links on this page otherwise point into the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Where ATT&CK publishes related groups, software, data sources, and mitigations for an object, validate them against the official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this object no relationships are currently mirrored.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not provided in the mirrored snapshot)
Modified: (not provided in the mirrored snapshot)
Raw hash: b3e4eab1218da8ff...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not provided) | 1.0 | (not provided) | Current bundle | b3e4eab1218d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0654 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.