AN0727: Analytic 0727
Detects local staging behavior via snapshot creation or files written into VMFS partitions by scripts or unauthorized shell access.
Analyst context for executives and security teams
This analytic matters because local staging on ESXi can affect the virtualization layer that many business services depend on. Snapshot creation or unexpected files written into VMFS partitions can be legitimate administration, but they can also indicate unauthorized preparation activity on a hypervisor. For leaders, the decision value is whether the organization can distinguish approved ESXi maintenance from suspicious local changes before virtualization availability, recovery, or evidence integrity is put at risk.
Executive priority
Prioritize this as a virtualization resilience and incident readiness control. Security and infrastructure leaders should confirm who is allowed to create snapshots, run scripts, or access ESXi shells; whether those actions are logged centrally; and whether SOC and IR teams can rapidly validate suspicious VMFS changes. This is also useful compliance evidence for privileged access control, change management, and monitoring of critical infrastructure systems that host business workloads.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring on ESXi for two behavior classes described by the analytic: snapshot creation and files written into VMFS partitions by scripts or unauthorized shell access. Because ATT&CK does not provide an official detection query here and no tactic or relationship context is supplied, implementation should be environment-specific and baselined against approved administrator activity, backup operations, maintenance windows, and automation jobs.
Likely telemetry
- ESXi host logs related to snapshot creation and VM operations
- VMFS datastore file creation, modification, and path activity
- Shell access or local command execution logs on ESXi hosts where available
- Script execution or automation activity touching VMFS partitions
- Privileged authentication and session records for ESXi administrative access
Detection direction
- Inventory normal ESXi snapshot workflows and alert on snapshot creation outside approved tools, users, hosts, or maintenance windows.
- Monitor for unexpected files written to VMFS partitions, especially from local scripts or shell sessions rather than known management workflows.
- Correlate datastore file changes with privileged logons, shell access, and approved change tickets to reduce false positives from backup, patching, or administrator maintenance.
- Treat missing ESXi shell, datastore, or VM operation telemetry as a material blind spot; this analytic depends on visibility at the hypervisor and VMFS layers.
- Because no ATT&CK relationship context is supplied, avoid over-scoping the detection to a specific campaign, technique chain, or actor behavior.
Mitigation priorities
- Restrict ESXi shell access and administrative privileges to approved personnel and workflows.
- Require documented change control for snapshot creation and datastore maintenance on ESXi hosts.
- Centralize and retain ESXi host, authentication, VM operation, and datastore activity logs for SOC review and incident response.
- Baseline authorized automation that writes to VMFS partitions, then investigate deviations from known scripts, accounts, hosts, and time windows.
- Review recovery and evidence-preservation procedures for virtualization incidents so suspicious snapshots or VMFS changes are handled consistently.
Analyst notes and limits
This Glexia take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic for ESXi local staging behavior involving snapshot creation or VMFS file writes. No official detection logic, tactics, labels, aliases, or relationship context were provided, so the most defensible use is as a validation prompt for ESXi telemetry, privileged access governance, and change-management correlation.
ATT&CK provides a short description but no detection query, no tactic mapping, and no related techniques or procedures in the supplied context. Local baselines are required to distinguish legitimate administration, backup, and maintenance from suspicious staging behavior. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
Analytic 0727
Detects local staging behavior via snapshot creation or files written into VMFS partitions by scripts or unauthorized shell access.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | d97c02c42596… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0727Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.