AN1515: Analytic 1515
ESXi guest OS or management interface processes establishing unexpected external HTTPS connections. Defender perspective: monitor vmx or hostd processes making outbound web requests with significant data transfer.
Analyst context for executives and security teams
This analytic matters because ESXi hosts often sit underneath business-critical workloads. Unexpected outbound HTTPS activity from ESXi-related processes such as vmx or hostd can indicate that a virtualization layer is communicating externally in a way the organization did not intend. For leaders, the decision value is whether the SOC can see and explain external web traffic from the hypervisor layer, not only from guest servers or perimeter devices.
Executive priority
Prioritize this as a control-validation question for virtualization resilience: do security teams know which ESXi management and guest-related processes are allowed to reach the internet, and can they produce evidence when those processes transfer significant data externally? This supports incident response readiness, audit evidence for infrastructure monitoring, and business-continuity protection for workloads dependent on ESXi.
Technical view
The supplied ATT&CK object is a detection analytic for ESXi. It focuses on vmx or hostd processes establishing unexpected external HTTPS connections, especially where outbound web requests involve significant data transfer. SOC and detection engineering teams should validate whether telemetry can associate outbound HTTPS sessions with ESXi host processes, destination context, and transfer volume. IR teams should be prepared to triage whether observed connections are expected management, update, backup, monitoring, or support activity versus unexplained external communication.
Likely telemetry
- ESXi host process/network telemetry showing vmx or hostd outbound connections
- Firewall, proxy, or secure web gateway logs for HTTPS egress from ESXi management networks
- Network flow records with source host, destination, port/protocol, timing, and bytes transferred
- ESXi management interface logs where available
- Asset inventory identifying ESXi hosts and expected management network placement
Detection direction
- Baseline normal HTTPS destinations and data-transfer volumes for ESXi hosts and management interfaces before alerting on anomaly alone.
- Validate that network monitoring distinguishes ESXi host traffic from guest workload traffic; otherwise the analytic may be noisy or blind.
- Tune for vmx or hostd making unexpected external web requests, with priority on significant outbound data transfer.
- Suppress or document known-good management, backup, monitoring, update, or support destinations only after ownership and purpose are confirmed.
- Investigate events with missing asset context, unmanaged ESXi hosts, or internet egress from management networks as higher-priority triage candidates.
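A worked version of the baseline-then-tune approach above, as an added example (not code from the analytic or from Glexia): it assumes flow records already joined to ESXi process telemetry, a constructed inventory and approved-destination list, and a mean-plus-three-sigma rule for what counts as significant transfer.

```python
"""Added example, not code from the analytic or from Glexia: scores constructed
ESXi egress records against an approved-destination list and a per-host byte
baseline. Field names, hosts and destinations are assumptions."""
from statistics import mean, pstdev

WATCHED = {"vmx", "hostd"}                 # ESXi processes the analytic names
DEFAULT_SIGNIFICANT = 100 * 1024 * 1024    # constructed fallback when no baseline
# Constructed inventory (host -> management segment) and owner-confirmed
# approved HTTPS destinations; both are assumed sample values.
INVENTORY = {"esx01": "mgmt-vlan10", "esx02": "mgmt-vlan10"}
APPROVED = {("vcenter.corp.example", 443), ("updates.vendor.example", 443)}

def baseline_bytes(records):
    """Per-host threshold: mean + 3 sigma of bytes_out to approved destinations."""
    out = {}
    for host in {r["src"] for r in records}:
        vals = [r["bytes_out"] for r in records
                if r["src"] == host and (r["dst"], r["dport"]) in APPROVED]
        if len(vals) > 1:                  # need at least two samples to baseline
            out[host] = mean(vals) + 3 * pstdev(vals)
    return out

def score(records):
    """Return (host, process, destination, bytes_out, severity) per alert."""
    thresholds = baseline_bytes(records)
    alerts = []
    for r in records:
        if r["proc"] not in WATCHED or r["dport"] != 443:
            continue                       # not hypervisor-process HTTPS egress
        if (r["dst"], r["dport"]) in APPROVED:
            continue                       # documented, owner-confirmed destination
        limit = thresholds.get(r["src"], DEFAULT_SIGNIFICANT)
        sev = "medium"
        if r["bytes_out"] > limit or r["src"] not in INVENTORY:
            sev = "high"                   # significant transfer or missing asset context
        alerts.append((r["src"], r["proc"], r["dst"], r["bytes_out"], sev))
    return alerts

# Constructed flow records already joined to ESXi process telemetry.
SAMPLE = [
    {"src": "esx01", "proc": "hostd", "dst": "vcenter.corp.example", "dport": 443, "bytes_out": 5_000},
    {"src": "esx01", "proc": "hostd", "dst": "updates.vendor.example", "dport": 443, "bytes_out": 8_000},
    {"src": "esx01", "proc": "vmx", "dst": "203.0.113.7", "dport": 443, "bytes_out": 900_000_000},
    {"src": "esx02", "proc": "hostd", "dst": "198.51.100.9", "dport": 443, "bytes_out": 2_000},
    {"src": "esx99", "proc": "vmx", "dst": "198.51.100.9", "dport": 443, "bytes_out": 1_000},
    {"src": "esx02", "proc": "sshd", "dst": "198.51.100.9", "dport": 443, "bytes_out": 9_000_000},
]
if __name__ == "__main__":
    for alert in score(SAMPLE):
        print(alert)
```

The unmanaged host esx99 is raised to high on asset context alone, which is the triage ordering the list above asks for.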
Mitigation priorities
- Maintain an inventory of ESXi hosts, management interfaces, and expected external destinations.
- Restrict ESXi management network egress to approved destinations where operationally feasible.
- Ensure firewall/proxy/network flow logging covers ESXi management segments and retains sufficient byte-count and destination detail.
- Document approved management, monitoring, backup, and support traffic so SOC teams can separate expected activity from anomalies.
- Review incident response playbooks for virtualization-layer investigations, including evidence collection from ESXi hosts and network controls.
Analyst notes and limits
No tactics or relationships were supplied for this analytic, so this assessment is centered on the official description: unexpected external HTTPS connections from ESXi guest OS or management interface processes, specifically vmx or hostd, with significant data transfer. The most important validation is whether the organization can attribute outbound web traffic to the ESXi host layer and compare it against an approved baseline.
The official detection field is not provided, and no relationship context is supplied. This summary does not infer attacker intent, active exploitation, attribution, or guaranteed detection. Local ESXi architecture, logging configuration, network segmentation, and approved egress patterns are required to operationalize the analytic.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a51950787ee6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1515
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.