AN1083: Analytic 1083
Detects BusyBox or Ash shell execution from unauthorized logins or remote connections. Focus is on rare shell invocations from DCUI, SSH sessions, or remote management paths. Also watches for payload droppers or persistence artifacts using shell.
Analyst context for executives and security teams
This analytic matters because ESXi shell access is a high-value control point for virtualization operations. Rare BusyBox or Ash shell execution from DCUI, SSH, or remote management paths can indicate activity that deserves rapid validation, especially when it appears tied to unauthorized logins, payload droppers, or persistence artifacts. For leaders, the decision value is confirming whether ESXi administrative access and shell usage are governed, monitored, and reviewable before an incident forces that question.
Executive priority
Prioritize this as an operational resilience and privileged access monitoring question for ESXi environments. Security and infrastructure leaders should ask: who is allowed to use ESXi shell paths, when is shell access expected, are remote management routes controlled, and can the SOC prove visibility into rare or unauthorized shell invocations? This can support incident triage, audit evidence for privileged access oversight, and control prioritization around virtualization management exposure.
Technical view
For SOC and IR teams, validate whether ESXi telemetry can show BusyBox or Ash shell execution associated with DCUI, SSH sessions, or remote management paths. Because the supplied ATT&CK object does not include a detection implementation, teams should translate the analytic into environment-specific logic: baseline legitimate ESXi shell use, identify rare shell invocations, correlate them with login source, user/account context, management path, and any nearby evidence of droppers or persistence artifacts. Treat unexpected shell execution as a triage lead rather than a standalone conclusion.
Likely telemetry
- ESXi host authentication and login records
- SSH session logs for ESXi management access
- DCUI access or local console activity where available
- Remote management access logs or administrative session records
- Process or command execution evidence showing BusyBox or Ash shell invocation
Detection direction
- Confirm that ESXi hosts actually produce and forward the logs needed to observe shell execution, login source, and remote management activity.
- Baseline approved ESXi shell usage so rare invocations can be separated from maintenance activity.
- Correlate shell execution with authentication events, DCUI or SSH session context, remote management paths, and privileged account ownership.
- Tune for false positives from authorized troubleshooting, patching, or vendor-supported maintenance workflows.
- Review blind spots where ESXi logs are not centralized, shell history is incomplete, SSH is inconsistently logged, or management access occurs through paths not monitored by the SOC.
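The correlation described in the technical view and the detection direction above, as an added example that is not part of the ATT&CK object or Glexia's analysis: it joins shell commands to the SSH or DCUI login that preceded them and tags each command with the ways it deviates from an assumed local baseline (approved accounts, management network, routine commands, persistence paths). The sample log lines, host name, users and addresses are constructed; their layouts only approximate ESXi syslog output (sshd, shell.log, DCUI) and the regexes would need adjusting to what your hosts actually forward.

```python
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (hypothetical host, users and addresses).
# Layouts approximate ESXi auth/shell/DCUI log lines; they are assumptions,
# not exact ESXi formats.
SAMPLE_LOGS = [
    "2026-01-10T08:00:01Z esx01 sshd[1001]: Accepted publickey for admin-ops from 10.10.50.5 port 50122 ssh2",
    "2026-01-10T08:00:05Z esx01 shell[1001]: [admin-ops]: esxcli system version get",
    "2026-01-10T08:00:09Z esx01 shell[1001]: [admin-ops]: vim-cmd hostsvc/hostsummary",
    "2026-01-10T22:13:40Z esx01 sshd[2231]: Accepted password for root from 192.0.2.77 port 41022 ssh2",
    "2026-01-10T22:13:44Z esx01 shell[2231]: [root]: /bin/sh -c 'cat /etc/rc.local.d/local.sh'",
    "2026-01-10T22:13:50Z esx01 shell[2231]: [root]: echo '/bin/sh /tmp/stage.sh' >> /etc/rc.local.d/local.sh",
    "2026-01-10T23:02:11Z esx01 DCUI: Login of user root via DCUI",
    "2026-01-10T23:02:20Z esx01 shell[3010]: [root]: busybox sh",
]

# Assumed local baseline: replace with the approved workflows you documented.
APPROVED_USERS = {"admin-ops"}
MANAGEMENT_NETS = ("10.10.50.",)          # prefix match keeps the example short
ROUTINE_COMMANDS = {"esxcli", "vim-cmd", "ls", "df", "vmkfstools", "cat"}
PERSISTENCE_PATHS = ("/etc/rc.local.d/local.sh", "/bootbank/", "/altbootbank/")
SHELL_BINARIES = {"busybox", "sh", "ash", "/bin/sh", "/bin/ash", "/bin/busybox"}

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
DCUI_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DCUI: Login of user (?P<user>\S+) via DCUI")
SHELL_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")


@dataclass
class Finding:
    ts: str
    user: str
    origin: str          # "ssh:<source ip>", "dcui" or "unknown"
    cmd: str
    reasons: list = field(default_factory=list)


def correlate(lines):
    """Join each shell command to the login that spawned it and list the
    reasons it deviates from the baseline. Commands with no reasons are dropped."""
    ssh_sessions = {}   # pid -> (user, source ip); shared pid is an assumption of the sample
    last_dcui = {}      # user -> timestamp of most recent DCUI login (that record has no pid)
    findings = []
    for line in lines:
        if m := SSH_RE.match(line):
            ssh_sessions[m["pid"]] = (m["user"], m["src"])
            continue
        if m := DCUI_RE.match(line):
            last_dcui[m["user"]] = m["ts"]
            continue
        m = SHELL_RE.match(line)
        if not m:
            continue
        user, cmd, pid = m["user"], m["cmd"], m["pid"]
        reasons = []
        if pid in ssh_sessions:
            src = ssh_sessions[pid][1]
            origin = f"ssh:{src}"
            if not src.startswith(MANAGEMENT_NETS):
                reasons.append("outside_management_network")
        elif user in last_dcui:
            origin = "dcui"
            reasons.append("dcui_shell")
        else:
            origin = "unknown"
            reasons.append("no_login_context")   # blind spot: shell with no visible login
        if user not in APPROVED_USERS:
            reasons.append("unapproved_user")
        first = cmd.split()[0]
        if first in SHELL_BINARIES:
            reasons.append("busybox_or_ash_shell")
        elif first not in ROUTINE_COMMANDS:
            reasons.append("rare_command")
        if any(p in cmd for p in PERSISTENCE_PATHS):
            reasons.append("persistence_path")
        if reasons:
            findings.append(Finding(m["ts"], user, origin, cmd, reasons))
    return findings


def triage_leads(lines, min_reasons=2):
    """Keep findings with enough independent reasons to justify analyst time;
    a lone 'rare_command' hit from an approved session stays below the bar."""
    return [f for f in correlate(lines) if len(f.reasons) >= min_reasons]


if __name__ == "__main__":
    for f in triage_leads(SAMPLE_LOGS):
        print(f.ts, f.user, f.origin, f.reasons, "::", f.cmd)
```

The approved session (admin-ops over SSH from the management network running esxcli and vim-cmd) produces no finding, while the root SSH session from outside the management network and the root shell after a DCUI login each collect several reasons. Treat the output as triage leads to validate against account ownership and change records, as the text above says, not as a verdict; the threshold in triage_leads is where local tuning for maintenance workflows belongs.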
Mitigation priorities
- Define and document authorized ESXi shell access workflows, including who may use DCUI, SSH, and remote management paths.
- Restrict ESXi shell and SSH access to approved administrators and controlled management networks where operationally feasible.
- Ensure privileged access reviews include ESXi administrative accounts and remote management access paths.
- Centralize and retain ESXi authentication, session, and relevant execution telemetry for SOC and IR use.
- Create incident response playbooks for unexpected ESXi shell execution, including validation of account legitimacy, session origin, and nearby persistence or dropper artifacts.
Analyst notes and limits
The supplied object is a detection analytic for ESXi focused on BusyBox or Ash shell execution from unauthorized logins or remote connections, especially rare invocations from DCUI, SSH, or remote management paths. The strongest local validation step is to test whether expected telemetry can distinguish authorized maintenance from unusual or unauthorized shell activity.
The object provides no official detection logic, no ATT&CK tactic mapping, and no relationship context. This take is therefore limited to conservative defensive interpretation of the supplied description, platform, and external reference. Local ESXi configuration, logging maturity, access model, and approved maintenance practices are required to determine alert thresholds and response priority.
Analytic 1083
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 12e8e28b0530… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack, AN1083 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.