AN0906: Analytic 0906
Detects shell or API usage of `esxcli network ip connection list` or `netstat` to enumerate ESXi host connections.
Analyst context for executives and security teams
This analytic matters because ESXi hosts are high-value infrastructure: visibility into attempts to list host network connections can help defenders spot early reconnaissance against virtualization systems before decisions about containment, credential review, or workload risk become urgent. The behavior is not inherently malicious—administrators may run these commands during troubleshooting—so its value is in confirming whether ESXi command/API activity is logged, attributable to an identity or source, and reviewable by the SOC.
Executive priority
Security leaders should treat this as a virtualization visibility and response-readiness check. If ESXi hosts support critical workloads, the business question is whether the organization can prove who enumerated host network connections, from where, and whether the action was expected. This supports incident triage, audit evidence for privileged administration, and prioritization of logging and access controls around virtualization infrastructure.
Technical view
AN0906 is an ESXi-focused detection analytic for shell or API use of `esxcli network ip connection list` or `netstat` to enumerate ESXi host connections. SOC and IR teams should validate whether ESXi administrative shell activity, API activity, command execution records, authentication context, and management-plane source information are collected and searchable. Because no ATT&CK tactics, detection logic, or relationships are supplied, detections should be tuned locally around expected administrator behavior, maintenance windows, jump hosts, and privileged account usage.
Likely telemetry
- ESXi shell command execution logs or equivalent administrative activity records
- ESXi API or management-plane audit events showing command invocation or network connection enumeration
- Authentication and session records for ESXi administrative access
- Source IP, management workstation, jump host, or automation system context
- Privileged account and role usage on ESXi hosts
Detection direction
- Alert or hunt for use of `esxcli network ip connection list` and `netstat` on ESXi hosts, with context for user, source, time, and host criticality.
- Baseline legitimate virtualization administrator and automation usage to reduce false positives from routine troubleshooting.
- Prioritize unexpected execution from non-standard admin sources, unusual times, newly used accounts, or hosts supporting critical workloads.
- Validate that API-based usage is covered, not only interactive shell commands.
- Correlate with ESXi login activity and other administrative actions because the supplied object provides no relationship context or tactic mapping.
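The detection direction above can be exercised against forwarded ESXi log lines. The following is an added example written for this page; it is not the ATT&CK analytic's detection logic and not ESXi or Glexia code. It assumes shell.log and auth.log have been forwarded to a collector so that each line carries a hostname after the timestamp, that shell.log records interactive commands as `shell[pid]: [user]: <command>`, and that SSH logins appear in OpenSSH style in auth.log. The jump-host allowlist, maintenance window, critical-host list and sample log lines are constructed for illustration. It matches both `esxcli network ip connection list` (with optional esxcli options before `network`) and `netstat`, attributes each hit to the most recent SSH login by the same user on the same host, and scores it by source, timing and host criticality.

```python
"""Triage ESXi host-connection enumeration from forwarded syslog lines.

Added example for this page; it is not the ATT&CK analytic's detection logic
and not ESXi code. It assumes ESXi shell.log and auth.log have been forwarded
to a collector so each line carries a hostname after the timestamp. The
jump-host allowlist, maintenance window, critical-host list and sample lines
are constructed for illustration.
"""
import re
from datetime import datetime, time, timezone

# Commands the analytic names: 'esxcli [options] network ip connection list'
# and a bare 'netstat' invocation.
ENUM_CMD = re.compile(r"\besxcli\b.*\bnetwork\s+ip\s+connection\s+list\b|\bnetstat\b")

# shell.log records interactive ESXi shell commands as "shell[pid]: [user]: <cmd>".
SHELL_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)
# auth.log records SSH logins OpenSSH-style: "Accepted <method> for <user> from <ip>".
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+\S+\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)

# Environment-specific context (all assumed values for the example).
APPROVED_JUMP_HOSTS = {"10.10.5.7"}       # bastion used by virtualization admins
CRITICAL_HOSTS = {"esx-prod-01"}          # hosts carrying critical workloads
MAINT_WINDOW = (time(1, 0), time(5, 0))   # 01:00-05:00 UTC, from change management


def parse_ts(raw: str) -> datetime:
    # ESXi syslog timestamps are ISO 8601 with a trailing 'Z'.
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINT_WINDOW
    return start <= ts.time() < end


def score(host: str, src: str, ts: datetime) -> str:
    """Priority in the order the page suggests: unexpected source first,
    then unusual timing, then host criticality."""
    if src not in APPROVED_JUMP_HOSTS:
        return "high"
    if not in_maintenance_window(ts):
        return "high" if host in CRITICAL_HOSTS else "medium"
    return "low"


def triage(lines):
    """Return one finding per enumeration command, attributed to the source IP
    of the most recent SSH login by the same user on the same host ('unknown'
    when no login precedes it in the supplied lines)."""
    last_login = {}  # (host, user) -> source IP
    findings = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            last_login[(m["host"], m["user"])] = m["src"]
            continue
        m = SHELL_RE.match(line)
        if not m or not ENUM_CMD.search(m["cmd"]):
            continue
        src = last_login.get((m["host"], m["user"]), "unknown")
        findings.append({
            "ts": m["ts"], "host": m["host"], "user": m["user"], "src": src,
            "cmd": m["cmd"].strip(), "priority": score(m["host"], src, parse_ts(m["ts"])),
        })
    return findings


# Constructed sample: a bastion login inside the maintenance window, the same
# admin again outside the window on a critical host, and a login from an
# unapproved workstation followed by netstat. Only interactive shell use is
# visible here; API-driven enumeration needs management-plane audit events
# that this example does not parse.
SAMPLE = """\
2026-03-01T02:10:00Z esx-prod-01 sshd[2103000]: Accepted keyboard-interactive/pam for root from 10.10.5.7 port 51234 ssh2
2026-03-01T02:10:30Z esx-prod-01 shell[2103016]: [root]: esxcli network ip connection list
2026-03-01T02:11:00Z esx-prod-01 shell[2103016]: [root]: esxcli network ip interface list
2026-03-01T14:20:00Z esx-prod-01 sshd[2104000]: Accepted keyboard-interactive/pam for root from 10.10.5.7 port 51300 ssh2
2026-03-01T14:20:40Z esx-prod-01 shell[2104016]: [root]: esxcli --formatter=csv network ip connection list
2026-03-01T14:25:00Z esx-dev-02 sshd[3000]: Accepted password for root from 192.168.44.19 port 40000 ssh2
2026-03-01T14:25:05Z esx-dev-02 shell[3010]: [root]: netstat -an
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['priority']:<6} {f['ts']} {f['host']} {f['user']}@{f['src']}: {f['cmd']}")
```

On the sample, the in-window bastion run scores low, the same bastion identity enumerating a critical host in the afternoon scores high, and the netstat run from an unapproved workstation scores high regardless of timing. The interface-list command is ignored because it is not one of the two commands the analytic names. In a real deployment the allowlist and window would come from CMDB and change-management data, and the same attribution step would need to consume management-plane audit events to cover the API path the page calls out.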
Mitigation priorities
- Ensure ESXi administrative access is restricted to authorized users, management networks, and approved administration paths.
- Maintain audit logging for ESXi shell and API activity, and forward relevant records to centralized monitoring where feasible.
- Review privileged account governance for virtualization administrators, including role scope and accountability.
- Use change-management context to distinguish approved troubleshooting from unexpected enumeration.
- Confirm incident response playbooks include ESXi evidence collection, privileged session review, and workload risk assessment.
Analyst notes and limits
This take is based only on ATT&CK analytic AN0906. The object is a detection analytic, not a technique, and it specifically names ESXi plus the commands `esxcli network ip connection list` and `netstat`. No official detection logic, tactic mapping, relationships, aliases, or labels were supplied, so local baselining and environmental context are essential.
The supplied ATT&CK fields do not establish malicious intent, active exploitation, attribution, impact, or guaranteed detection coverage. Administrative use of these commands can be legitimate. The analytic’s value depends on whether the organization collects ESXi shell/API telemetry with sufficient identity, source, and time context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ae1a8e9be866… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0906 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.