MITRE ATT&CK® Analytic

AN0898: Analytic 0898

ESXi host processes (vmx, hostd) initiating HTTPS sessions toward external code repositories. Defender perspective: detect datastore reads followed by outbound web traffic inconsistent with administrative baselines.

Enterprise | AN0898 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because it focuses on unusual outbound HTTPS activity from ESXi host processes such as vmx and hostd toward external code repositories, especially after datastore reads. For executives and security leaders, the decision value is not the specific repository destination alone; it is whether virtualization infrastructure is being monitored closely enough to distinguish normal administration from suspicious host-level behavior that could affect business-critical workloads.

Executive priority

Prioritize this as a virtualization and resilience visibility question. ESXi hosts often support critical applications, so unexplained outbound web traffic from host processes should be treated as a control-validation issue for SOC monitoring, egress governance, incident response readiness, and audit evidence around privileged infrastructure. Leaders should ask whether ESXi network activity, datastore access patterns, and administrative baselines are visible and reviewed, rather than assuming endpoint-style controls cover the hypervisor layer.

Technical view

For SOC, detection engineering, and IR teams, validate whether telemetry can show ESXi host processes, specifically vmx and hostd, initiating HTTPS sessions to external code repositories, and whether those sessions can be correlated with recent datastore reads. Because ATT&CK does not provide a formal detection body or tactic mapping for this analytic, implementation should focus on environment-specific baselining: known administrative tools, approved update workflows, backup activity, management-plane traffic, and expected repository access should be separated from anomalous external web sessions.

Likely telemetry

  • ESXi host network connection or flow logs showing outbound HTTPS destinations
  • Process-aware telemetry for ESXi host processes where available, especially vmx and hostd
  • Datastore access or read activity logs
  • Firewall, proxy, secure web gateway, or egress filtering logs for ESXi management networks
  • DNS resolution logs for external repository domains

Detection direction

  • Confirm that ESXi hosts are in scope for network monitoring; many environments monitor guest workloads better than the hypervisor layer.
  • Baseline normal outbound HTTPS activity from ESXi hosts and management networks, including approved administrative, patching, backup, and support workflows.
  • Tune for vmx- or hostd-initiated HTTPS sessions toward external code repositories when they are preceded by datastore reads, as the analytic describes.
  • Use destination classification carefully: external code repositories may be legitimate for administrators or automation, so alert quality depends on baselines, change windows, and asset ownership context.
  • Correlate network events with datastore access and virtualization management activity instead of relying on a single outbound connection event.
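As an added illustration of the correlation described above (not part of the ATT&CK object or Glexia's analysis), the following Python sketch runs over constructed, already-normalised events: it ranks a vmx/hostd HTTPS session to a code-repository domain higher when the same host read a datastore shortly before, and suppresses destinations on an assumed administrative baseline. The domain list, baseline pairs and ten-minute window are assumptions to be replaced with local proxy categories and change-window data.

```python
"""Correlate ESXi datastore reads with later outbound HTTPS from vmx/hostd."""
from datetime import datetime, timedelta

# Constructed sample events (not real ESXi output); already normalised into
# one dict per event from flow/firewall logs and datastore access logs.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "esxi01", "type": "datastore_read",
     "proc": "hostd", "detail": "/vmfs/volumes/ds1/app01/app01-flat.vmdk"},
    {"ts": "2024-05-01T10:04:40", "host": "esxi01", "type": "net_conn",
     "proc": "hostd", "dst": "github.com", "port": 443},
    {"ts": "2024-05-01T11:00:00", "host": "esxi02", "type": "net_conn",
     "proc": "hostd", "dst": "vcenter.corp.example", "port": 443},
    {"ts": "2024-05-01T12:00:00", "host": "esxi03", "type": "net_conn",
     "proc": "vmx", "dst": "gitlab.com", "port": 443},
]

WATCHED_PROCS = {"vmx", "hostd"}
# Assumed destination classification; in practice feed this from proxy/SWG categories.
CODE_REPO_DOMAINS = {"github.com", "gitlab.com", "bitbucket.org", "raw.githubusercontent.com"}
# Assumed administrative baseline: approved (host, destination) pairs.
ADMIN_BASELINE = {("esxi02", "vcenter.corp.example")}
WINDOW = timedelta(minutes=10)  # how long after a datastore read a connection still correlates


def find_suspicious(events, window=WINDOW):
    """Return alerts for vmx/hostd HTTPS sessions to code repositories.

    Severity is 'high' when the same host read a datastore within `window`
    beforehand (the pattern the analytic describes) and 'medium' otherwise,
    so a lone repository connection is surfaced but ranked below the correlated case.
    """
    last_read = {}  # host -> timestamp of most recent datastore read
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort as strings
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "datastore_read":
            last_read[e["host"]] = t
            continue
        if e["type"] != "net_conn" or e["proc"] not in WATCHED_PROCS or e["port"] != 443:
            continue
        if (e["host"], e["dst"]) in ADMIN_BASELINE or e["dst"] not in CODE_REPO_DOMAINS:
            continue
        read_at = last_read.get(e["host"])
        correlated = read_at is not None and t - read_at <= window
        alerts.append({"host": e["host"], "proc": e["proc"], "dst": e["dst"],
                       "severity": "high" if correlated else "medium",
                       "preceding_read": read_at.isoformat() if correlated else None})
    return alerts
```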

Mitigation priorities

  • Establish and maintain approved egress paths for ESXi hosts and management networks, with exceptions documented and reviewed.
  • Restrict unnecessary outbound internet access from virtualization infrastructure where operationally feasible.
  • Maintain baselines for administrative workflows that legitimately access external repositories or web services.
  • Ensure datastore access logging and ESXi management-plane logging are enabled and retained at levels useful for investigation.
  • Include ESXi host telemetry requirements in SOC onboarding, incident response playbooks, and compliance evidence collection.

Analyst notes and limits

This is a detection analytic object for ATT&CK enterprise release 19.1, external ID AN0898, scoped to ESXi. The supplied description specifically names ESXi host processes vmx and hostd, outbound HTTPS to external code repositories, and the defender perspective of correlating datastore reads with outbound web traffic inconsistent with administrative baselines. No ATT&CK tactics, relationships, aliases, or formal detection logic were supplied.

The official detection field is not provided and no relationship context is supplied, so this take cannot infer related techniques, adversaries, campaigns, software, or expected impact. Practical detection depends heavily on local ESXi logging, network visibility, repository allowlists, and administrative baselines.

Official MITRE ATT&CK definition

Analytic 0898

ESXi host processes (vmx, hostd) initiating HTTPS sessions toward external code repositories. Defender perspective: detect datastore reads followed by outbound web traffic inconsistent with administrative baselines.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 98bef692a8a00f16...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 98bef692a8a0…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0898 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.