MITRE ATT&CK® Analytic

AN0790: Analytic 0790

ESXi services (vmx, hostd) generating outbound HTTPS POST requests to text storage sites. Defender perspective: anomalous datastore or log reads chained with traffic to pastebin-like destinations.

Enterprise | AN0790 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is relevant because ESXi management and VM processes are not normally expected to send outbound HTTPS POST traffic to pastebin-like or text storage services. If that pattern appears alongside unusual datastore or log reads, it can be a high-value signal that virtualization infrastructure data may be leaving the environment. For leaders, the business issue is not the destination category alone; it is whether core virtualization hosts have uncontrolled egress and whether the SOC can prove what ESXi services accessed before the outbound connection.

Executive priority

Prioritize this as a control-validation item for virtualization resilience and incident readiness. ESXi hosts often support critical workloads, so unmanaged outbound internet access from host services can create investigation and containment challenges during an incident. Leaders should ask whether ESXi egress is intentionally restricted, whether host logs and network telemetry are retained, and whether the SOC can correlate datastore or log access with outbound HTTPS activity for audit and response evidence.

Technical view

For ESXi platforms, validate whether telemetry can identify outbound HTTPS POST requests initiated by ESXi services such as vmx or hostd, especially to text storage or pastebin-like destinations. The analytic’s decision point is correlation: anomalous datastore or log reads followed by or occurring near outbound traffic to those destinations. Because MITRE does not provide a formal detection implementation for this object, teams should treat it as a detection design requirement rather than a ready rule.

Likely telemetry

  • ESXi host service/process activity for vmx and hostd where available
  • ESXi host logs showing datastore access, log reads, or management service activity
  • Network egress logs from ESXi management and host networks
  • Proxy, firewall, DNS, or TLS metadata identifying outbound HTTPS POST activity
  • Destination categorization or threat intelligence context for pastebin-like/text storage services

Detection direction

  • Inventory which ESXi hosts are allowed to initiate outbound HTTPS and compare observed behavior against that baseline.
  • Alert on outbound HTTPS POST activity from ESXi host services to text storage or pastebin-like destinations when such destinations are not approved for operations.
  • Correlate network egress with anomalous datastore or log reads rather than relying only on destination category, which may create false positives.
  • Validate whether process-level attribution is possible on ESXi; if not, use host identity, management network segment, firewall logs, and timing correlation as compensating evidence.
  • Tune for legitimate administrative workflows, support uploads, or automation that may post diagnostic text externally, and require documented business justification for exceptions.
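As an added illustration of the correlation logic described in the Technical view and Detection direction above (this is example code, not part of the MITRE analytic or Glexia's material), the Python below runs the rule over constructed ESXi host-side read events and constructed proxy egress records: a POST to a text-storage destination alerts only when the same host read a datastore or log shortly before and the host/destination pair is not in the approved-egress baseline. The domains, host names, service labels and the ten-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed destination category and per-host egress baseline (not a real feed).
TEXT_STORAGE_DOMAINS = {"pastebin.example", "paste.example.net"}
APPROVED_EGRESS = {("esxi-02.lab", "paste.example.net")}   # documented exception
WINDOW = timedelta(minutes=10)

# Constructed ESXi host-side events, as parsed from hostd/vmkernel logs.
HOST_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "esxi-01.lab", "service": "hostd",
     "event": "datastore_read", "path": "/vmfs/volumes/ds1/vm1/vm1-flat.vmdk"},
    {"ts": "2024-05-01T10:01:00", "host": "esxi-02.lab", "service": "hostd",
     "event": "log_read", "path": "/var/log/hostd.log"},
    {"ts": "2024-05-01T09:00:00", "host": "esxi-04.lab", "service": "vmx",
     "event": "datastore_read", "path": "/vmfs/volumes/ds2/vm9/vm9.vmx"},
]
# Constructed proxy/firewall egress records from the ESXi management network.
NET_EVENTS = [
    {"ts": "2024-05-01T10:03:00", "host": "esxi-01.lab", "method": "POST",
     "dest": "pastebin.example", "bytes_out": 4_200_000},   # read then POST
    {"ts": "2024-05-01T10:02:00", "host": "esxi-02.lab", "method": "POST",
     "dest": "paste.example.net", "bytes_out": 12_000},     # approved egress
    {"ts": "2024-05-01T10:05:00", "host": "esxi-03.lab", "method": "POST",
     "dest": "pastebin.example", "bytes_out": 900},         # no prior read
    {"ts": "2024-05-01T10:30:00", "host": "esxi-04.lab", "method": "POST",
     "dest": "pastebin.example", "bytes_out": 50_000},      # read too long ago
]

def _ts(s):
    return datetime.fromisoformat(s)

def correlate(host_events, net_events, window=WINDOW):
    """Alert on a POST to a text-storage site only when the same host had a
    datastore/log read within `window` before it and the pair is not approved."""
    reads = [e for e in host_events if e["event"] in ("datastore_read", "log_read")]
    alerts = []
    for n in net_events:
        if n["method"] != "POST" or n["dest"] not in TEXT_STORAGE_DOMAINS:
            continue                      # destination category alone is not enough
        if (n["host"], n["dest"]) in APPROVED_EGRESS:
            continue                      # baseline exception with business justification
        post_at = _ts(n["ts"])
        prior = [r for r in reads if r["host"] == n["host"]
                 and timedelta(0) <= post_at - _ts(r["ts"]) <= window]
        if prior:                         # the read-then-egress chain this analytic describes
            r = min(prior, key=lambda r: r["ts"])
            alerts.append({"host": n["host"], "service": r["service"], "read": r["path"],
                           "dest": n["dest"], "post_ts": n["ts"], "bytes_out": n["bytes_out"]})
    return alerts
```

Only the esxi-01 chain produces an alert; the approved exception, the category-only POST and the stale read are all suppressed, which is the false-positive reduction the bullets above call for.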

Mitigation priorities

  • Restrict ESXi host egress to approved management, update, logging, and support destinations using network controls.
  • Separate and monitor ESXi management networks so outbound internet access from host services is visible and exception-based.
  • Centralize ESXi logs and retain network egress metadata long enough to support incident reconstruction.
  • Review administrative procedures that export logs or datastore content to external text storage services and replace them with approved internal or controlled channels.
  • Use this analytic to test SOC and incident response playbooks for virtualization-host data access followed by suspicious outbound HTTPS activity.

Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify the platform as ESXi and describe a behavioral pattern involving vmx or hostd outbound HTTPS POST requests to text storage sites, with defender context around anomalous datastore or log reads. No tactics, relationships, aliases, or official detection logic were supplied.

Coverage depends on local ESXi logging, network visibility, destination categorization, and the ability to attribute traffic to host services. MITRE did not provide a detection implementation or relationship context for this analytic, so environment-specific baselining and validation are required before operational use.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. Where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fbabb498739f30de...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | fbabb498739f…

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.