AN0987: Analytic 0987
Detects VIBs, scripts, or binaries placed into directories like /bin or /etc/vmware with names mimicking standard ESXi components. Also monitors unauthorized creation of services.
Analyst context for executives and security teams
This analytic matters because ESXi hosts often support critical virtualization workloads, and unauthorized files, VIBs, scripts, binaries, or services placed to look like normal VMware components can undermine trust in the hypervisor layer. For leaders, the key question is whether the organization can distinguish legitimate ESXi components from lookalike artifacts in sensitive paths such as /bin and /etc/vmware before those changes affect business-critical virtual infrastructure.
Executive priority
Prioritize this as a virtualization resilience and incident-readiness issue. Security and infrastructure leaders should confirm who is accountable for ESXi file integrity, service creation review, and change evidence. The decision value is not just alerting; it is proving that unauthorized hypervisor-level changes can be noticed, investigated, and tied back to approved maintenance activity.
Technical view
For ESXi platforms, validate monitoring for suspicious VIBs, scripts, binaries, or services created in sensitive ESXi directories, especially names that mimic standard components. Because the official ATT&CK object does not provide a detection implementation or tactic mapping, SOC and IR teams should focus on local baselining: known-good ESXi file inventories, expected service definitions, approved VIB lists, and change windows. Alerts should be reviewed against administrative activity and sanctioned VMware maintenance to reduce false positives.
Likely telemetry
- ESXi filesystem change records for sensitive directories such as /bin and /etc/vmware
- Installed VIB inventory and VIB change history
- ESXi service creation or service configuration changes
- Administrative change logs and maintenance records for ESXi hosts
- Host integrity or configuration baseline comparison data
Detection direction
- Baseline legitimate ESXi components, VIBs, scripts, binaries, and services, then detect new or renamed artifacts that imitate standard VMware naming patterns.
- Correlate suspicious file or service creation with approved maintenance windows and authorized administrator activity.
- Tune for legitimate patching, upgrades, and VMware component changes to avoid excessive false positives.
- Validate whether monitoring covers ESXi directly; many endpoint tools do not provide the same visibility on hypervisors as they do on general-purpose operating systems.
- Use this analytic as a coverage check for hypervisor file and service integrity rather than as a complete standalone detection, since no official detection logic is supplied.
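The baselining approach above, worked through as an added example (this is not MITRE's or VMware's detection logic). It assumes a collector has already gathered, from a known-good image and from the host under review, the sha256 digests of files under /bin and /etc/vmware, the set of registered service names, and the installed VIBs as name, version and acceptance level (as `esxcli software vib list` reports them). The comparison runs off-host on those inventories; the sample data, the hypothetical names `vmkIoad_mod`, `payload.sh`, `vpxa1` and `vmware-hostagent-ext`, and every digest are constructed for the example.

```python
"""Baseline diff for ESXi sensitive paths, services and VIBs (added example)."""
from pathlib import PurePosixPath

SENSITIVE_DIRS = ("/bin", "/etc/vmware")

# Fold common homoglyphs before comparing names so that "vmkIoad_mod"
# (capital I) collides with the legitimate "vmkload_mod".
_FOLD = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def fold(name: str) -> str:
    return name.translate(_FOLD).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, plain dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, legit: set, max_dist: int = 1):
    """Return the legitimate name that `name` imitates, or None.

    A name is a lookalike when it is not itself legitimate but, after
    homoglyph folding, lies within `max_dist` edits of a legitimate name.
    """
    if name in legit:
        return None
    best = None
    for candidate in legit:
        d = edit_distance(fold(name), fold(candidate))
        if d <= max_dist and (best is None or d < best[0]):
            best = (d, candidate)
    return best[1] if best else None


def in_sensitive_dir(path: str) -> bool:
    p = PurePosixPath(path)
    return any(p.is_relative_to(d) for d in SENSITIVE_DIRS)


def compare(baseline: dict, current: dict) -> list:
    """Diff `current` against `baseline`. Both carry "files" (path -> sha256),
    "services" (set of names) and "vibs" (name -> (version, acceptance level)).
    Every finding still needs correlation with change windows before escalation."""
    findings = []
    legit_names = {PurePosixPath(p).name for p in baseline["files"]}
    for path, digest in current["files"].items():
        if not in_sensitive_dir(path):
            continue  # outside the directories this analytic covers
        if path not in baseline["files"]:
            mimic = lookalike(PurePosixPath(path).name, legit_names)
            findings.append({"kind": "lookalike_file" if mimic else "new_file",
                             "subject": path, "mimics": mimic})
        elif baseline["files"][path] != digest:
            findings.append({"kind": "modified_file", "subject": path, "mimics": None})
    for svc in sorted(set(current["services"]) - set(baseline["services"])):
        mimic = lookalike(svc, set(baseline["services"]))
        findings.append({"kind": "lookalike_service" if mimic else "new_service",
                         "subject": svc, "mimics": mimic})
    for vib, (version, level) in sorted(current["vibs"].items()):
        if vib not in baseline["vibs"]:
            findings.append({"kind": "unapproved_vib", "mimics": None,
                             "subject": f"{vib} {version} ({level})"})
        elif baseline["vibs"][vib] != (version, level):
            findings.append({"kind": "vib_changed", "mimics": None,
                             "subject": f"{vib} {version} ({level})"})
    return findings


# Constructed sample inventories; digests are placeholders, not real hashes.
BASELINE = {
    "files": {"/bin/vmx": "3f1a", "/bin/esxcli": "7b2c", "/bin/vmkload_mod": "a9e0",
              "/etc/vmware/hostd/config.xml": "c4d5"},
    "services": {"hostd", "vpxa", "sfcbd-watchdog"},
    "vibs": {"esx-base": ("8.0.2-1", "VMwareCertified")},
}
CURRENT = {
    "files": {**BASELINE["files"],
              "/etc/vmware/hostd/config.xml": "9c4e",  # digest differs from baseline
              "/bin/vmkIoad_mod": "dead",               # capital I imitating vmkload_mod
              "/bin/payload.sh": "0bad",                # plainly new
              "/var/log/hostd.log": "1111"},            # outside sensitive dirs, ignored
    "services": BASELINE["services"] | {"vpxa1"},       # digit 1 imitating vpxa
    "vibs": {**BASELINE["vibs"], "vmware-hostagent-ext": ("1.0-1", "CommunitySupported")},
}


def run_sample() -> list:
    return compare(BASELINE, CURRENT)


if __name__ == "__main__":
    for f in run_sample():
        extra = f" (mimics {f['mimics']})" if f["mimics"] else ""
        print(f"{f['kind']:<18} {f['subject']}{extra}")
```

The homoglyph fold and the one-edit threshold are deliberately narrow: widening `max_dist` on short names such as `vmx` produces noise, so tune it per directory. The VIB branch reports the acceptance level in the finding because a CommunitySupported VIB appearing outside a change window is a stronger signal than a new name alone; the check that a host's acceptance level actually rejects such VIBs belongs in the configuration baseline, not in this diff.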
Mitigation priorities
- Establish and maintain approved ESXi configuration, service, and VIB baselines.
- Restrict and review administrative access capable of modifying ESXi system paths or creating services.
- Require change control evidence for ESXi maintenance, patching, VIB installation, and service configuration changes.
- Implement integrity monitoring or configuration assessment for critical ESXi directories and service definitions where operationally feasible.
- Prepare IR procedures for validating suspect ESXi artifacts against known-good images, vendor components, and approved administrative actions.
Analyst notes and limits
The ATT&CK object is a detection analytic for ESXi focused on lookalike VIBs, scripts, binaries, and unauthorized service creation. No tactic, relationship context, or official detection query was supplied, so the most defensible use is as a control-validation and telemetry-coverage prompt for virtualization security operations.
This take is limited to the supplied STIX fields and external reference. It does not establish active exploitation, adversary attribution, business impact, or guaranteed detectability. Local ESXi architecture, logging configuration, administrative practices, and baseline quality are required to determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 06ab88bd3a48… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0987
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.