MITRE ATT&CK® Analytic

AN0665: Analytic 0665

Adversary defaces internal VM-hosted portals or web UIs by modifying static content on datastore-mounted paths.

Enterprise | AN0665 | Analytic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns defacement of internal VM-hosted portals or web interfaces on ESXi by changing static content on datastore-mounted paths. For leaders, the practical issue is not just a changed webpage: it can signal unauthorized access to virtualization-hosted assets, weak control over datastore content, or an incident that may affect trust in internal systems and operational communications.

Executive priority

Treat this as a resilience and governance question for ESXi-hosted services: who is allowed to modify datastore-backed web content, how quickly would the organization notice unauthorized changes, and what evidence would support incident response or audit review? Because ATT&CK provides no detection logic for this analytic, priority should be placed on validating visibility and change-control evidence before assuming SOC coverage exists.

Technical view

For SOC, detection engineering, and IR teams, this object points to monitoring unauthorized modification of static files used by internal VM-hosted portals or web UIs on ESXi datastore-mounted paths. Validate whether the environment can observe file changes on relevant datastore locations, correlate those changes with authorized maintenance activity, and identify the account, host, VM, or administrative session involved. Since no tactic, detection text, or relationships are supplied, local asset knowledge and approved-content baselines are required to make this analytic actionable.

Likely telemetry

  • ESXi datastore file creation, modification, deletion, or rename evidence where available
  • vCenter or ESXi management events related to datastore browsing, file upload, or administrative access
  • Guest operating system file integrity or web server logs for VM-hosted portal content
  • Authentication and authorization logs for ESXi, vCenter, and relevant administrative accounts
  • Change-management records for approved portal or web UI content updates

Detection direction

  • Inventory VM-hosted portals and web UIs whose static content resides on datastore-mounted paths, then define expected update windows and owners.
  • Validate whether file-integrity monitoring or equivalent logging covers the relevant datastore paths; absence of this visibility is a key blind spot.
  • Correlate static content changes with authenticated ESXi/vCenter activity, guest OS activity, and approved change tickets to reduce false positives from legitimate maintenance.
  • Tune for unexpected modification of web-facing static assets, especially outside maintenance windows or by accounts not normally associated with content deployment.
  • Preserve changed files, timestamps, access records, and prior known-good versions during triage to support incident response and recovery decisions.
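
The correlation the list above describes (known-good baseline, approved change windows, deploying account), as an added example; it is not detection logic from Glexia or MITRE ATT&CK. The event schema, the datastore path, the account names and the ticket fields are all constructed assumptions.

```python
import hashlib
from datetime import datetime

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Everything below is constructed sample data in a hypothetical schema.
WEB_ROOT = "/vmfs/volumes/portal-ds/www/"   # assumed datastore-mounted web root
BASELINE = {WEB_ROOT + "index.html": digest(b"<h1>Intranet</h1>"),
            WEB_ROOT + "logo.svg": digest(b"<svg/>")}
TICKETS = [{"prefix": WEB_ROOT, "account": "svc-webdeploy",
            "start": datetime(2024, 5, 2, 10), "end": datetime(2024, 5, 2, 11)}]
EVENTS = [
    {"ts": "2024-05-02T10:15:00", "path": WEB_ROOT + "index.html",
     "account": "svc-webdeploy", "sha256": digest(b"<h1>Intranet v2</h1>")},
    {"ts": "2024-05-02T10:30:00", "path": WEB_ROOT + "logo.svg",
     "account": "jdoe", "sha256": digest(b"<svg>x</svg>")},
    {"ts": "2024-05-03T02:41:00", "path": WEB_ROOT + "index.html",
     "account": "root", "sha256": digest(b"<h1>changed</h1>")},
    {"ts": "2024-05-03T02:43:00", "path": WEB_ROOT + "new.html",
     "account": "root", "sha256": digest(b"x")},      # file absent from baseline
    {"ts": "2024-05-03T02:44:00", "path": WEB_ROOT + "logo.svg",
     "account": "root", "sha256": None},              # deletion: no content hash
]

def triage(events, baseline, tickets, web_root=WEB_ROOT):
    """Return (ts, path, account, reason) for unapproved content changes."""
    known, findings = dict(baseline), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["path"].startswith(web_root):
            continue                      # outside the inventoried portal content
        if ev["sha256"] == known.get(ev["path"]):
            continue                      # still matches the known-good version
        ts = datetime.fromisoformat(ev["ts"])
        covering = [t for t in tickets if ev["path"].startswith(t["prefix"])
                    and t["start"] <= ts <= t["end"]]
        if not covering:
            reason = "no approved change window"
        elif ev["account"] not in {t["account"] for t in covering}:
            reason = "account not on change ticket"
        else:
            known[ev["path"]] = ev["sha256"]   # approved change becomes the baseline
            continue
        findings.append((ev["ts"], ev["path"], ev["account"], reason))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, BASELINE, TICKETS):
        print(finding)
```

Unapproved changes never update the working baseline, so a later write that restores the approved content is not reported while the original unauthorized change still is.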

Mitigation priorities

  • Establish ownership and change-control for internal VM-hosted portal content on ESXi-backed storage.
  • Restrict datastore and management-plane write access to the minimum required administrators and service accounts.
  • Maintain known-good baselines, backups, or snapshots for rapid comparison and restoration of static content.
  • Ensure logging from ESXi/vCenter, guest systems, and relevant identity sources is retained long enough to investigate unauthorized content changes.
  • Test incident response playbooks for unauthorized web content modification, including validation of scope, restoration, and executive communications.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for ESXi with a narrow description and no official detection text or relationship context. The strongest use is as a prompt to validate datastore content-change visibility and administrative accountability around VM-hosted internal portals.

No official detection logic, tactics, related techniques, adversary relationships, or active exploitation context were supplied. Applicability depends on whether the organization hosts internal portals or web UIs on ESXi datastore-mounted paths and whether telemetry exists to observe changes there.

Official MITRE ATT&CK definition

Analytic 0665

Adversary defaces internal VM-hosted portals or web UIs by modifying static content on datastore-mounted paths.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3bafea649ccb21c8...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3bafea649ccb…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.