AN0925: Analytic 0925
ESXi shell or guest VM tools initiate external connections via scripted traffic forwarding to Internet-based proxies. Detected by firewall or shell audit logs showing outbound connection spikes from hypervisor or guest VM to remote proxy nodes.
Analyst context for executives and security teams
This analytic matters because it focuses on unusual outbound Internet proxy traffic originating from an ESXi hypervisor or guest VM tooling. For leaders, the business issue is not the script itself but the possibility that virtualization infrastructure is being used as a forwarding point, which can complicate containment, monitoring, and continuity decisions if ESXi logging and egress visibility are weak.
Executive priority
Prioritize validation of ESXi egress monitoring and audit evidence. Virtualization platforms often host critical workloads, so security leaders should ask whether hypervisor-originated outbound connections are expected, logged, and reviewable during an incident. This analytic can support SOC readiness, incident response scoping, and compliance evidence around network monitoring, privileged administration, and control of Internet-bound traffic from infrastructure systems.
Technical view
The supplied ATT&CK description indicates detection through firewall or shell audit logs showing outbound connection spikes from the ESXi hypervisor or guest VM tools to remote proxy nodes. SOC and detection teams should validate whether ESXi shell activity and outbound firewall/proxy records can be correlated by source host, destination, time window, and connection volume. Because no official detection logic or ATT&CK relationships are supplied, implementation should be environment-specific and baseline-driven rather than relying on a fixed rule.
Likely telemetry
- Firewall logs for outbound connections from ESXi hosts and guest VM tooling paths
- Shell audit logs from ESXi where available
- Network egress records showing destination IPs, ports, connection counts, and time windows
- Asset inventory identifying ESXi hosts and expected management/network zones
- Change or administration records to distinguish approved maintenance from suspicious scripted activity
Detection direction
- Baseline normal outbound connectivity for ESXi hosts; alert on spikes or new Internet destinations that do not match approved management patterns.
- Correlate shell audit events with firewall egress activity to determine whether outbound traffic followed interactive or scripted shell use.
- Review activity involving guest VM tools carefully, since the analytic description names guest VM tooling as a possible source of forwarded traffic.
- Tune for known administrative, backup, monitoring, or update workflows to reduce false positives.
- Identify blind spots where ESXi shell logging, firewall logging, or asset-to-IP mapping is incomplete.
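One baseline-driven way to implement the direction above, as an added example in Python that is not part of the analytic or of Glexia's content: it flags ESXi hosts reaching new Internet destinations or spiking to any destination, suppresses approved management destinations, and attaches shell audit commands seen on the same host shortly before the first connection. The firewall records, shell audit events, baseline, approved destinations and internal address ranges are constructed; the audit field layout, the five-minute correlation window and the spike threshold of ten connections are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed firewall egress records: (time, source ESXi host, destination IP).
FIREWALL = [
    ("2024-05-01 02:00:05", "esxi01", "10.0.0.5"),       # known management destination
    ("2024-05-01 02:00:09", "esxi02", "203.0.113.10"),   # approved update mirror (assumed)
    ("2024-05-01 02:00:12", "esxi02", "203.0.113.10"),
] + [("2024-05-01 02:01:%02d" % s, "esxi01", "198.51.100.7") for s in range(10, 26)]
# Constructed ESXi shell audit events: (time, host, command); the field layout is assumed.
SHELL = [("2024-05-01 02:00:40", "esxi01", "/bin/sh /tmp/forward.sh")]
# Per-host destinations seen in a learning window (constructed) and approved
# management/update destinations maintained by administrators (assumed).
BASELINE = {"esxi01": {"10.0.0.5"}}
APPROVED = {"esxi01": {"10.0.0.5", "203.0.113.10"}, "esxi02": {"203.0.113.10"}}
# Address space treated as internal; everything else counts as Internet (assumed).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def is_internet(dst):
    return not any(ip_address(dst) in net for net in INTERNAL)

def detect(firewall, shell, baseline, approved, window=timedelta(minutes=5), spike=10):
    """Alert when an ESXi host reaches a new Internet destination or spikes to any
    destination, and attach shell audit commands seen on that host in the window
    before the first such connection."""
    counts = defaultdict(int)   # (host, dest) -> number of connections
    first_seen = {}             # (host, dest) -> time of first connection
    for ts, host, dst in firewall:
        counts[(host, dst)] += 1
        first_seen.setdefault((host, dst), parse(ts))
    alerts = []
    for (host, dst), n in counts.items():
        known = dst in baseline.get(host, set()) | approved.get(host, set())
        new_internet = is_internet(dst) and not known
        if not new_internet and n < spike:
            continue            # tuned out: expected destination at normal volume
        t0 = first_seen[(host, dst)]
        preceded = [cmd for ts, h, cmd in shell
                    if h == host and t0 - window <= parse(ts) <= t0]
        alerts.append({"host": host, "dest": dst, "connections": n,
                       "reason": "new_internet_destination" if new_internet else "connection_spike",
                       "shell_commands_before": preceded})
    return alerts
```

Feeding real firewall and audit exports requires only replacing the constructed tuples and the internal ranges; the baseline should be rebuilt per host from a quiet learning period before thresholds are trusted.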
Mitigation priorities
- Restrict and document expected Internet egress from ESXi hosts and management networks.
- Ensure ESXi shell access is governed, logged, and reviewed according to administrative need.
- Maintain accurate inventory of ESXi hosts, management interfaces, and guest tooling dependencies.
- Prepare incident response procedures for quickly validating whether hypervisor-originated outbound traffic is authorized.
- Use collected firewall and shell audit evidence to support compliance and control assurance where applicable.
Analyst notes and limits
This is a detection analytic object, not a technique description. The object does not specify tactics, related techniques, procedures, malware, groups, or campaigns. The key defensive value is validating visibility and control over outbound traffic from ESXi and related guest tooling.
Official detection logic is not provided, and no relationship context is supplied. The analytic identifies a telemetry pattern but does not provide thresholds, destination indicators, or validated rule content. Local baselines and environment-specific ESXi administration patterns are required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7116f651d11… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0925
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.