AN1074: Analytic 1074
Adversaries accessing datastore or configuration files via `vim-cmd`, `esxcli`, or SCP to extract logs, VMs, or host configurations.
Analyst context for executives and security teams
This analytic concerns suspicious access to VMware ESXi datastore or configuration files using administrative command-line or file transfer utilities such as vim-cmd, esxcli, or SCP. For leaders, the practical risk is that ESXi hosts often support critical virtualized workloads; unauthorized access to VM files, logs, or host configuration can undermine recovery, expose sensitive operational data, or support later disruption. Because the mirrored ATT&CK object supplies no detection logic for this analytic, organizations should treat it as a coverage-validation prompt rather than an out-of-the-box rule.
Executive priority
Prioritize this where ESXi hosts run business-critical systems. Security leaders should ask whether ESXi administrative activity is logged, centrally retained, reviewed, and tied to named administrator identities. This is relevant to resilience planning, incident response readiness, privileged access governance, and audit evidence because datastore and host configuration access can affect the confidentiality and recoverability of virtualized infrastructure.
Technical view
SOC, detection engineering, and IR teams should validate visibility into ESXi host administration involving vim-cmd, esxcli, and SCP, especially activity that accesses datastore paths, VM-related files, logs, or host configuration. Since no official detection is provided and no ATT&CK tactics or relationships are supplied, teams should build local baselines for legitimate administrator workflows and investigate unusual timing, source systems, accounts, volume of file access, or access to sensitive VM/configuration locations.
Likely telemetry
- ESXi shell command history (/var/log/shell.log) and host agent logs (/var/log/hostd.log), where they are forwarded off the host
- ESXi management and authentication logs (/var/log/auth.log for SSH logins; vCenter events for management-plane actions)
- Administrative session records for SSH or console access
- SCP or file transfer activity involving ESXi hosts
- Datastore file access or inventory records
Detection direction
- Confirm whether ESXi command-line activity from vim-cmd and esxcli is collected and searchable in the SOC workflow.
- Validate visibility into SCP or other file transfer activity to and from ESXi hosts.
- Baseline normal administrator access to datastore, VM, log, and host configuration files before alerting on deviations.
- Tune for context such as authorized maintenance windows, backup operations, and virtualization administrator activity to reduce false positives.
- Flag access from unexpected source systems, unusual accounts, abnormal volumes of copied files, or access outside approved change windows.
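As an added example (not part of the ATT&CK object or of this page's original content), the following Python applies the baseline-and-deviation approach from the technical view and the detection direction above to ESXi shell.log style lines. It assumes the `<timestamp> shell[<pid>]: [<user>]: <command>` line shape of /var/log/shell.log, and the baseline values (approved accounts, a 01:00-05:00 UTC maintenance window, an scp volume threshold, the list of sensitive paths) are hypothetical; the sample log lines are constructed, not real telemetry.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed line shape of ESXi /var/log/shell.log:
#   "<ISO-8601 UTC> shell[<pid>]: [<user>]: <command line>"
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+shell\[\d+\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

WATCHED_TOOLS = {"vim-cmd", "esxcli", "scp"}

# Locations an adversary reads to stage VM theft or plan disruption (hypothetical list; extend locally)
SENSITIVE_PATHS = ("/vmfs/volumes/", "/etc/vmware/", "/var/log/", "/scratch/log/", "/bootbank/", "/altbootbank/")
SENSITIVE_SUFFIXES = (".vmdk", ".vmx", ".vmsn", ".vmem", ".nvram", "state.tgz")

# vim-cmd subcommand that exports the host configuration bundle outright
CONFIG_EXPORT_PREFIXES = ("vim-cmd hostsvc/firmware/backup_config",)

# Local baseline. Hypothetical values for this example; derive yours from observed admin workflows.
APPROVED_ADMINS = {"root", "vcenter-svc"}
MAINT_WINDOW_UTC = (1, 5)      # flagged when the hour falls outside [01:00, 05:00) UTC
SCP_BULK_THRESHOLD = 3         # scp invocations by one account within the analysed batch


@dataclass
class Finding:
    ts: str
    user: str
    tool: str
    cmd: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # Two or more independent deviations from baseline escalate the finding
        return "high" if len(self.reasons) >= 2 else "low"


def parse_line(line):
    """Return the ts/user/cmd fields of one shell.log line, or None if it does not match."""
    m = SHELL_LOG_RE.match(line)
    return m.groupdict() if m else None


def tool_of(cmd):
    """First token of the command line with any directory prefix stripped (/bin/esxcli -> esxcli)."""
    return cmd.split()[0].rsplit("/", 1)[-1]


def touches_sensitive(cmd):
    return any(p in cmd for p in SENSITIVE_PATHS) or any(s in cmd for s in SENSITIVE_SUFFIXES)


def in_maint_window(ts):
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = MAINT_WINDOW_UTC
    return start <= hour < end


def analyze(lines):
    """Score every vim-cmd/esxcli/scp invocation against the baseline; return findings in log order."""
    events = [e for e in map(parse_line, lines) if e]
    scp_by_user = Counter(e["user"] for e in events if tool_of(e["cmd"]) == "scp")
    findings = []
    for e in events:
        tool = tool_of(e["cmd"])
        if tool not in WATCHED_TOOLS:
            continue
        f = Finding(e["ts"], e["user"], tool, e["cmd"])
        if e["user"] not in APPROVED_ADMINS:
            f.reasons.append("unapproved account")
        if not in_maint_window(e["ts"]):
            f.reasons.append("outside maintenance window")
        if touches_sensitive(e["cmd"]):
            f.reasons.append("sensitive datastore/config/log path")
        if e["cmd"].startswith(CONFIG_EXPORT_PREFIXES):
            f.reasons.append("host configuration export")
        if tool == "scp" and scp_by_user[e["user"]] >= SCP_BULK_THRESHOLD:
            f.reasons.append("bulk scp volume")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample in the assumed shell.log format; not real log data.
SAMPLE_SHELL_LOG = [
    "2026-02-10T02:14:07Z shell[2101234]: [root]: esxcli system version get",
    "2026-02-10T02:15:30Z shell[2101234]: [root]: vim-cmd vmsvc/getallvms",
    "2026-02-10T02:16:00Z shell[2101234]: [root]: ls -la /vmfs/volumes/datastore1",
    "2026-02-10T13:42:01Z shell[2105678]: [root]: esxcli storage filesystem list",
    "2026-02-10T13:43:15Z shell[2105678]: [root]: vim-cmd hostsvc/firmware/backup_config",
    "2026-02-10T13:44:02Z shell[2105678]: [root]: scp /vmfs/volumes/datastore1/fileserver/fileserver.vmx admin@10.10.20.5:/tmp/",
    "2026-02-10T13:44:40Z shell[2105678]: [root]: scp /etc/vmware/hostd/config.xml admin@10.10.20.5:/tmp/",
    "2026-02-10T13:45:11Z shell[2105678]: [root]: scp /var/log/auth.log admin@10.10.20.5:/tmp/",
    "2026-02-10T23:58:44Z shell[2108888]: [backupsvc]: vim-cmd vmsvc/getallvms",
    "not a shell.log line at all",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_SHELL_LOG):
        print(f"{f.severity:4} {f.ts} {f.user:10} {f.tool:8} {'; '.join(f.reasons)} :: {f.cmd}")
```

Run as a script it prints one line per finding: the in-window inventory commands by an approved account produce nothing, while the afternoon config export and the three scp copies to the same external host score high. One caveat when adapting it: a copy initiated from a remote workstation (`scp root@esxi:/vmfs/... .`) is spawned by the SSH server rather than typed into the shell, so check on your ESXi version whether it surfaces in shell.log at all, and correlate scp findings with SSH logins in /var/log/auth.log either way.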
Mitigation priorities
- Restrict ESXi administrative access to authorized administrators and approved management paths.
- Require strong privileged access controls for ESXi management interfaces and shell access.
- Limit or disable unnecessary SSH/SCP access where operationally feasible.
- Centralize and retain ESXi authentication, command, and management logs for investigation and audit support.
- Review access to datastore and configuration files as part of virtualization hardening and change-control processes.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for ESXi and describes adversaries accessing datastore or configuration files via vim-cmd, esxcli, or SCP to extract logs, VMs, or host configurations. No tactics, relationships, aliases, labels, or official detection logic were supplied, so the practical value is in using the object to assess monitoring and control coverage around ESXi administrative file access.
This take is limited to the supplied official STIX fields and external reference. It does not assert active exploitation, attribution, specific impact, or guaranteed detection. Local ESXi configuration, logging depth, administrator workflows, backup tooling, and SIEM ingestion must be reviewed to determine actual exposure and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 193fc29065a0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1074
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.