AN1192: Analytic 1192
Detects guest VMs or management agents issuing HTTP(S) traffic to external services without a valid patch management or backup justification.
Analyst context for executives and security teams
This analytic matters because unexpected outbound HTTP(S) traffic from ESXi guest VMs or management agents can indicate unmanaged communication paths that weaken visibility, change control, and incident containment. For leaders, the key question is not simply whether ESXi hosts exist, but whether outbound connectivity from virtualization infrastructure is justified, monitored, and explainable by approved patch management or backup processes.
Executive priority
Prioritize this as a control-validation item for virtualization resilience and audit readiness. ESXi environments often support critical workloads, so unexplained external communications can complicate incident response, vendor accountability, and business-continuity decisions. Security leaders should ask whether virtualization management traffic is inventoried, whether patch and backup destinations are documented, and whether exceptions are reviewed as part of cloud/infra governance and compliance evidence.
Technical view
For SOC, detection engineering, and IR teams, validate whether telemetry can distinguish approved ESXi-related patching or backup traffic from guest VM or management-agent HTTP(S) connections to external services. Because the ATT&CK object provides no detailed detection logic, tactics, or relationships, teams should build this around local allowlists, asset roles, agent inventories, destination reputation/context, and change windows. The useful investigation pivot is: which ESXi guest VM or management component initiated the traffic, what external service was contacted, and is there a documented operational justification?
Likely telemetry
- ESXi host and management network flow logs showing outbound HTTP/HTTPS connections
- Firewall, proxy, secure web gateway, or egress filtering logs for virtualization management segments
- DNS query logs for guest VMs and ESXi management-related systems
- Patch management and backup platform logs identifying expected destinations and schedules
- Asset inventory and CMDB records mapping ESXi hosts, guest VMs, management agents, and approved owners
Detection direction
- Establish approved external destinations for patch management and backup workflows before alerting broadly.
- Segment detection logic by ESXi management networks, guest VM networks, and management-agent identities where telemetry allows.
- Tune for connections to external HTTP(S) services that lack a documented patch, backup, or maintenance justification.
- Use DNS, proxy, and firewall context together; network flows alone may not identify whether traffic is legitimate.
- Account for false positives from approved software updates, backup replication, monitoring tools, and vendor support connections.
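The allowlist-driven triage described above, as an added illustration that is not part of the ATT&CK object or the Glexia analysis: a constructed asset inventory, an allowlist of approved patch and backup destinations (hypothetical domains, roles and maintenance windows), and a pass over constructed proxy log lines that keeps only the flows no approval explains.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed asset inventory (hypothetical): source IP -> (asset name, role).
ASSETS = {
    "10.10.1.5": ("esxi-host-01", "esxi-mgmt"),
    "10.10.1.9": ("backup-proxy-01", "backup-agent"),
    "10.20.3.17": ("app-vm-07", "guest-vm"),
}
@dataclass(frozen=True)
class Approval:  # one approved destination: who may use it, why, and when (UTC)
    domain_suffix: str
    justification: str   # "patch" or "backup"
    roles: frozenset     # asset roles permitted to use this destination
    window: tuple        # (start, end) time of day; start inclusive, end exclusive
# Constructed allowlist (hypothetical destinations and maintenance windows).
APPROVALS = [
    Approval("patches.example-vendor.test", "patch", frozenset({"esxi-mgmt"}), (time(1), time(5))),
    Approval("vault.example-backup.test", "backup", frozenset({"backup-agent"}), (time(22), time(23, 59, 59))),
]

def justify(src_ip, dst_host, ts):
    """Return the approved justification for this flow, or None if it is unexplained."""
    _, role = ASSETS.get(src_ip, ("unknown", "unknown"))
    for a in APPROVALS:
        on_host = dst_host == a.domain_suffix or dst_host.endswith("." + a.domain_suffix)
        in_window = a.window[0] <= ts.time() < a.window[1]
        if on_host and role in a.roles and in_window:
            return a.justification
    return None

def triage(lines):
    """Parse 'timestamp src_ip dst_host method' lines; return unexplained flows as (asset, role, dst_host)."""
    findings = []
    for line in lines:
        ts_s, src_ip, dst_host, _method = line.split()
        if justify(src_ip, dst_host, datetime.fromisoformat(ts_s)) is None:
            asset, role = ASSETS.get(src_ip, ("unknown", "unknown"))
            findings.append((asset, role, dst_host))
    return findings

# Constructed sample proxy log lines, not from any real environment.
SAMPLE_LOG = [
    "2026-01-10T02:15:00 10.10.1.5 patches.example-vendor.test GET",     # approved: patch window
    "2026-01-10T22:30:00 10.10.1.9 vault.example-backup.test PUT",       # approved: backup window
    "2026-01-10T13:05:00 10.10.1.5 patches.example-vendor.test GET",     # right destination, outside window
    "2026-01-10T03:40:00 10.20.3.17 patches.example-vendor.test GET",    # guest VM using a mgmt-only destination
    "2026-01-10T09:12:00 10.20.3.17 files.unrelated-service.test POST",  # no approval at all
]
```

Only the last three sample lines survive triage; the suffix check is anchored on a dot, so a lookalike host such as `evilvault.example-backup.test` is not treated as the approved backup destination.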
Mitigation priorities
- Inventory ESXi assets, guest VMs, management agents, and their approved external communication requirements.
- Document and periodically review patch management and backup destinations, schedules, and owners.
- Apply least-privilege egress controls for virtualization management networks and require exceptions to be justified.
- Ensure firewall, proxy, DNS, and network-flow logging covers ESXi-related management paths.
- Integrate approved maintenance windows and change records into SOC triage to reduce noise and improve response speed.
Analyst notes and limits
This is a detection analytic for ESXi platforms focused on HTTP(S) traffic from guest VMs or management agents to external services without a valid patch-management or backup justification. The decision value depends heavily on local environment knowledge: approved destinations, agent inventory, backup design, patch tooling, and network segmentation.
The supplied ATT&CK fields do not include formal detection logic, tactics, related techniques, procedures, mitigations, or relationship context. This analysis therefore avoids claims about attacker behavior, active exploitation, attribution, or guaranteed coverage. Local telemetry and approved-business-process evidence are required to determine whether any observed traffic is suspicious.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 099586a7383f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1192 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.