AN0709: Analytic 0709
Monitor ESXi shell or API access to host logs under /var/log/. Abnormal enumeration of vmkernel.log, hostd.log, or vpxa.log by unauthorized accounts should be flagged.
Analyst context for executives and security teams
This analytic matters because ESXi host logs can reveal how virtual infrastructure is configured, what activity has occurred, and where follow-on investigation or tampering may be directed. For leaders, the practical question is whether access to sensitive hypervisor logs is limited, monitored, and attributable to approved administrators or automation. Unusual enumeration of /var/log/ files such as vmkernel.log, hostd.log, or vpxa.log by unauthorized accounts should be treated as a virtualization security review trigger.
Executive priority
Prioritize this where ESXi supports critical business services. The decision value is in confirming that hypervisor administration is auditable: who accessed host logs, by which interface, from where, and whether that access was expected. This supports incident response readiness, privileged access governance, compliance evidence for administrative activity, and operational resilience of virtualized workloads.
Technical view
For SOC and IR teams, validate visibility into ESXi shell and API access involving host log paths under /var/log/. Focus on abnormal enumeration or access to vmkernel.log, hostd.log, and vpxa.log, especially by accounts not authorized for ESXi administration or log collection. Because no ATT&CK detection logic or relationship context was supplied, implementation should be environment-specific: define approved accounts, approved management sources, expected log collection tools, and normal maintenance windows before alerting broadly.
Likely telemetry
- ESXi shell command or session activity where available
- ESXi API access records
- Authentication and authorization events for ESXi administrative accounts
- File access or audit evidence for /var/log/ on ESXi hosts where available
- Host management logs including references to vmkernel.log, hostd.log, and vpxa.log
Detection direction
- Inventory which accounts and services are authorized to access ESXi host logs and compare observed access against that baseline.
- Alert on enumeration or repeated access to /var/log/ host logs by unauthorized or unexpected accounts.
- Tune for legitimate administrative troubleshooting, backup, monitoring, and centralized log collection activity to reduce false positives.
- Correlate log access with ESXi authentication events, source address, management interface used, and change or incident windows.
- Identify blind spots where ESXi shell/API activity is not centrally collected or where shared administrator accounts prevent attribution.
Mitigation priorities
- Restrict ESXi shell and API access to approved administrators and service accounts.
- Enforce least privilege and remove or disable unauthorized accounts with access to host logs.
- Centralize relevant ESXi management and authentication telemetry for investigation and audit evidence.
- Document approved log collection and troubleshooting workflows so abnormal access can be distinguished from routine operations.
- Review privileged access practices for ESXi, including attribution, source restrictions, and periodic access recertification.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for ESXi log access monitoring. It specifically names host log paths under /var/log/ and examples vmkernel.log, hostd.log, and vpxa.log. No tactics, relationships, or official detection logic were provided, so this take emphasizes validation of telemetry, authorization baselines, and environment-specific tuning.
This assessment is limited to the supplied STIX fields, official description, external reference, and absence of relationships. It does not establish adversary intent, active exploitation, impact, or guaranteed detectability. Local ESXi configuration, audit settings, identity model, and log forwarding determine practical coverage.
Analytic 0709
Monitor ESXi shell or API access to host logs under /var/log/. Abnormal enumeration of vmkernel.log, hostd.log, or vpxa.log by unauthorized accounts should be flagged.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f6b2abc9ecc8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0709Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.