MITRE ATT&CK® Analytic

AN1152: Analytic 1152

Monitor VM-level DNS and network traffic logs for adversary-controlled domains or selective response behavior (e.g., dropped requests from security scanners).

Enterprise | AN1152 | Analytic | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because ESXi-hosted virtual machines can communicate with infrastructure that is intentionally evasive, including domains that respond differently to security scanners than to normal workloads. For leaders, the value is not simply “DNS monitoring”; it is confirming whether virtualization network visibility is strong enough to spot suspicious external dependencies and selective-response behavior before it affects investigation quality or operational resilience.

Executive priority

Prioritize this as a visibility and assurance question for virtualized environments: do security teams have usable VM-level DNS and network traffic evidence from ESXi workloads, and can they compare normal business traffic against suspicious domain behavior? This supports incident response readiness, SOC coverage validation, and compliance evidence for monitoring controls around critical virtual infrastructure. Because no ATT&CK tactic or technique relationship is supplied, treat this as a detection coverage analytic rather than proof of a specific adversary objective.

Technical view

For SOC and detection teams, validate collection and analysis of VM-level DNS queries, DNS responses, connection metadata, and network traffic logs for ESXi-hosted workloads. The analytic targets two things: traffic to adversary-controlled domains, and selective response patterns, where a domain answers production systems normally but drops or alters requests that originate from security scanners. Detection engineering should test two prerequisites: that VM traffic can be attributed to the correct guest workload rather than collapsing into the ESXi host or a shared NAT address, and that scanner-originated traffic is recorded with the same fields (source VM, queried domain, response code, connection outcome, timestamp) so it can be compared like-for-like against production VM requests to the same domain.

Likely telemetry

  • VM-level DNS query and response logs for ESXi-hosted workloads
  • Network connection metadata from virtual machines, including destination domains, IPs, ports, and timing
  • Virtual networking or flow logs that can map traffic back to specific VMs
  • Security scanner request logs for comparison against production VM DNS/network behavior
  • Threat intelligence or allow/deny context for known or suspected adversary-controlled domains

Detection direction

  • Validate that DNS and network monitoring covers the VM level, not only perimeter or host aggregate views.
  • Look for inconsistent domain behavior across source types, especially differences between production VMs and security scanners.
  • Tune against expected business services that use geo-aware, rate-limited, or bot-protection behavior to reduce false positives.
  • Ensure detections preserve VM identity, timestamp, queried domain, response characteristics, and connection outcome for incident review.
  • Because the ATT&CK object provides no official detection logic or relationships, require local baselining and environment-specific thresholds.
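The cross-source comparison described under Technical view and in the Detection direction bullets, written out as an added example. This is not code from MITRE, Glexia, or the ATT&CK object; it runs over constructed VM-attributed DNS/connection records and assumes the collector already preserves guest VM identity and that the SOC tags each source VM with a production or scanner role. The thresholds, the allowlist of services expected to treat scanners differently, and the threat-intel list are placeholders that must be baselined for the local environment.

```python
"""Selective-response check over VM-attributed DNS/connection records.

Added example for this page; not MITRE or Glexia code. The record layout,
role tags, thresholds, allowlist and intel list are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: str        # event time (ISO 8601)
    vm_id: str     # guest VM identity preserved by the virtual switch / flow log
    role: str      # "production" or "scanner" (assumed SOC-maintained tag)
    domain: str    # queried domain
    dst_ip: str    # resolved / connected destination
    dst_port: int
    rcode: str     # DNS response code; "TIMEOUT" when no answer arrived
    outcome: str   # connection outcome: established, reset, timeout, dropped


def is_success(r: Record) -> bool:
    """A request 'got through' only if the name resolved and the connection completed."""
    return r.rcode == "NOERROR" and r.outcome == "established"


# Environment-specific tuning; assumed values that must be baselined locally.
MIN_OBSERVATIONS = 3       # per role per domain before a verdict is drawn
PROD_SUCCESS_MIN = 0.8     # production VMs must reach the domain reliably
SCANNER_SUCCESS_MAX = 0.2  # scanner VMs must be dropped or altered most of the time

# Business services known to treat scanners differently (bot protection,
# geo-aware CDNs); constructed allowlist used to suppress expected behaviour.
EXPECTED_SELECTIVE = {"cdn.saas.example"}
# Threat-intel context; constructed list used only to enrich a finding, never
# as the sole basis for one.
INTEL_SUSPECT = {"upd-sync.c2.example"}


def selective_response_findings(records):
    """Flag domains that answer production VMs but drop or alter scanner traffic."""
    by_domain = defaultdict(lambda: defaultdict(list))
    for r in records:
        by_domain[r.domain][r.role].append(r)

    findings = []
    for domain, roles in sorted(by_domain.items()):
        prod, scan = roles.get("production", []), roles.get("scanner", [])
        if len(prod) < MIN_OBSERVATIONS or len(scan) < MIN_OBSERVATIONS:
            continue  # not enough evidence from both source types
        prod_rate = sum(map(is_success, prod)) / len(prod)
        scan_rate = sum(map(is_success, scan)) / len(scan)
        if prod_rate < PROD_SUCCESS_MIN or scan_rate > SCANNER_SUCCESS_MAX:
            continue  # behaviour is consistent across source types
        if domain in EXPECTED_SELECTIVE:
            continue  # documented business behaviour, tuned out
        intel_hit = domain in INTEL_SUSPECT
        findings.append({
            "domain": domain,
            "prod_success_rate": round(prod_rate, 2),
            "scanner_success_rate": round(scan_rate, 2),
            "intel_match": intel_hit,
            "severity": "high" if intel_hit else "medium",
            # Evidence kept for incident review: VM identity, time, domain,
            # response characteristics and connection outcome.
            "evidence": [(r.ts, r.vm_id, r.role, r.dst_ip, r.rcode, r.outcome)
                         for r in prod + scan],
        })
    return findings


def _rec(ts, vm, role, domain, rcode, outcome, ip="203.0.113.10"):
    return Record(ts, vm, role, domain, ip, 443, rcode, outcome)


# Constructed sample telemetry (not real logs).
SAMPLE_RECORDS = [
    # Suspect domain: production resolves and connects; scanners get NXDOMAIN/timeouts/resets.
    _rec("2025-01-10T09:00:01Z", "vm-app-01", "production", "upd-sync.c2.example", "NOERROR", "established"),
    _rec("2025-01-10T09:05:12Z", "vm-app-02", "production", "upd-sync.c2.example", "NOERROR", "established"),
    _rec("2025-01-10T09:10:45Z", "vm-app-01", "production", "upd-sync.c2.example", "NOERROR", "established"),
    _rec("2025-01-10T09:12:00Z", "vm-scan-01", "scanner", "upd-sync.c2.example", "NXDOMAIN", "dropped"),
    _rec("2025-01-10T09:12:03Z", "vm-scan-01", "scanner", "upd-sync.c2.example", "TIMEOUT", "dropped"),
    _rec("2025-01-10T09:12:06Z", "vm-scan-02", "scanner", "upd-sync.c2.example", "NOERROR", "reset"),
    # Same pattern from an allowlisted SaaS CDN with bot protection: suppressed.
    _rec("2025-01-10T09:20:00Z", "vm-app-03", "production", "cdn.saas.example", "NOERROR", "established"),
    _rec("2025-01-10T09:21:00Z", "vm-app-03", "production", "cdn.saas.example", "NOERROR", "established"),
    _rec("2025-01-10T09:22:00Z", "vm-app-04", "production", "cdn.saas.example", "NOERROR", "established"),
    _rec("2025-01-10T09:23:00Z", "vm-scan-01", "scanner", "cdn.saas.example", "NOERROR", "reset"),
    _rec("2025-01-10T09:23:05Z", "vm-scan-01", "scanner", "cdn.saas.example", "NOERROR", "reset"),
    _rec("2025-01-10T09:23:10Z", "vm-scan-02", "scanner", "cdn.saas.example", "NOERROR", "reset"),
    # Ordinary vendor update host: consistent for both roles, no finding.
    _rec("2025-01-10T09:30:00Z", "vm-app-01", "production", "updates.vendor.example", "NOERROR", "established"),
    _rec("2025-01-10T09:31:00Z", "vm-app-02", "production", "updates.vendor.example", "NOERROR", "established"),
    _rec("2025-01-10T09:32:00Z", "vm-app-03", "production", "updates.vendor.example", "NOERROR", "established"),
    _rec("2025-01-10T09:33:00Z", "vm-scan-01", "scanner", "updates.vendor.example", "NOERROR", "established"),
    _rec("2025-01-10T09:33:05Z", "vm-scan-02", "scanner", "updates.vendor.example", "NOERROR", "established"),
    _rec("2025-01-10T09:33:10Z", "vm-scan-02", "scanner", "updates.vendor.example", "NOERROR", "established"),
    # Partner API seen only from production: no scanner baseline, so no verdict.
    _rec("2025-01-10T09:40:00Z", "vm-app-04", "production", "api.partner.example", "NOERROR", "established"),
]

if __name__ == "__main__":
    for f in selective_response_findings(SAMPLE_RECORDS):
        print(f["severity"], f["domain"], f["prod_success_rate"], f["scanner_success_rate"])
```

Three design choices mirror the bullets above: the verdict requires a minimum number of observations from both source types before a domain is judged, so a domain seen only from production (the partner API here) produces no finding; the allowlist removes services whose selective behaviour is documented business practice rather than evasion; and the intel list only raises severity on a domain that already failed the behavioural comparison. The evidence tuple keeps VM identity, timestamp, domain, response code, and connection outcome for the incident reviewer. The comparison is only meaningful when production and scanner VMs reach the domain over comparable egress paths, which is why scanner placement belongs in the mitigation list.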

Mitigation priorities

  • Establish reliable VM-level DNS and network telemetry collection for ESXi environments before depending on this analytic.
  • Maintain approved domain, service, and scanner inventories so selective response findings can be triaged against known business behavior.
  • Integrate relevant domain reputation or threat intelligence cautiously as enrichment, not as the sole detection basis.
  • Document monitoring coverage and gaps for critical virtual workloads to support audit and incident readiness.
  • Review scanner placement and egress paths so defensive testing reflects how production VMs actually reach external domains.

Analyst notes and limits

This is a detection analytic object for ESXi with a narrow official description: monitor VM-level DNS and network traffic logs for adversary-controlled domains or selective response behavior. No tactic, technique relationship, alias, label, or official detection procedure was supplied, so the practical value is mainly coverage validation and detection engineering guidance for virtualized network visibility.

The supplied ATT&CK data does not include tactic mappings, related techniques, procedures, mitigations, data components, or tested detection logic. It also does not establish active exploitation, attribution, impact, or guaranteed detection. Local telemetry quality, ESXi network architecture, scanner placement, and business traffic baselines are required to operationalize this analytic.

Official MITRE ATT&CK definition

Analytic 1152

Monitor VM-level DNS and network traffic logs for adversary-controlled domains or selective response behavior (e.g., dropped requests from security scanners).

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Before making control-coverage decisions, validate any related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry; for this object the mirrored data currently carries no such relationships.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in mirrored snapshot)
Modified: (blank in mirrored snapshot)
Raw hash: 93cee1e5a93c6577...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (blank)           1.0              (blank)    Current bundle   93cee1e5a93c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1152 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.