Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1392: Analytic 1392

Detects unexpected encrypted egress traffic from management services (e.g., hostd) or guest VMs utilizing symmetric encryption without traditional protocols (e.g., FTP with embedded AES ciphertext).

EnterpriseAN1392AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because encrypted outbound traffic from ESXi management services or guest VMs can hide activity from normal content inspection, especially when the encryption is embedded inside otherwise familiar traffic rather than using expected secure protocols. For leaders, the practical question is whether ESXi environments have enough network visibility to distinguish approved management, backup, replication, and application flows from unusual encrypted egress that could affect incident response confidence and operational resilience.

Executive priority

Prioritize this as a visibility and assurance issue for virtual infrastructure. ESXi systems often support critical workloads, so unexpected encrypted egress from management services such as hostd or from guest VMs should be treated as a control-validation topic: confirm what outbound paths are allowed, what is logged, who reviews exceptions, and whether SOC teams can produce evidence for audit, incident response, and segmentation decisions. This object does not specify a tactic or known actor, so the value is in validating defensive coverage rather than assuming a specific threat campaign.

Technical view

For SOC, detection engineering, and IR teams, validate whether ESXi network monitoring can identify encrypted payload patterns or anomalous encrypted egress from management services and guest VM traffic when the traffic is not using traditional encrypted protocols. Because the official object provides no detection logic, teams should baseline normal ESXi management, storage, backup, replication, and guest workload egress, then investigate deviations such as unusual destinations, ports, volumes, timing, or encrypted-looking content embedded in protocols like FTP. Treat hostd-originating egress as especially important to separate from expected management behavior, but confirm locally how process-to-network attribution is collected on ESXi.

Likely telemetry

  • Network flow records for ESXi hosts and guest VM egress
  • Firewall, proxy, or gateway logs showing outbound destinations, ports, volumes, and allow/deny decisions
  • Packet metadata or inspection outputs capable of identifying encrypted-looking payloads in nontraditional protocols
  • ESXi management service telemetry where available, including hostd-related activity
  • Asset and workload inventory mapping ESXi hosts, guest VMs, approved services, and expected external communications

Detection direction

  • Establish baselines for approved ESXi management, backup, replication, update, and guest VM outbound traffic before alerting on encrypted egress.
  • Tune for unexpected encrypted payload characteristics in protocols that are not normally used for encryption, including the ATT&CK example of FTP carrying embedded AES ciphertext.
  • Correlate anomalous network egress with source role: ESXi management service versus guest VM, because response ownership and containment steps may differ.
  • Review blind spots where traffic bypasses proxies, east-west monitoring is limited, or ESXi host process attribution is unavailable.
  • Account for false positives from legitimate file transfer, backup, replication, or application traffic that may compress or encrypt payloads without using standard TLS-like protocols.

Mitigation priorities

  • Document and enforce approved outbound paths for ESXi hosts and guest VMs, with exceptions tied to business owners and reviewed periodically.
  • Segment ESXi management interfaces and restrict unnecessary egress from management services wherever operationally feasible.
  • Ensure network monitoring covers ESXi host and guest VM egress, including traffic that does not traverse standard web proxies.
  • Maintain accurate asset, service, and workload inventories so anomalous egress can be triaged quickly.
  • Include this analytic in IR readiness exercises for virtual infrastructure to confirm evidence collection, containment decision points, and escalation paths.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for ESXi and has no tactic, technique relationship, procedure example, or official detection logic beyond the description. Glexia’s interpretation therefore focuses on defensive validation: visibility, baselining, segmentation, and triage readiness for unexpected encrypted egress from ESXi-related sources.

No active exploitation, attribution, impact, or detection guarantee is stated in the supplied fields. Local environment evidence is required to define normal ESXi traffic, determine whether hostd-to-network attribution is available, and separate suspicious encrypted egress from legitimate encrypted, compressed, backup, replication, or file-transfer activity.

Official MITRE ATT&CK definition

Analytic 1392

Detects unexpected encrypted egress traffic from management services (e.g., hostd) or guest VMs utilizing symmetric encryption without traditional protocols (e.g., FTP with embedded AES ciphertext).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
dbfe5416f4b2edd9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle dbfe5416f4b2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1392
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use