AN1541: Analytic 1541
Detect commands such as 'esxcli system shutdown' or 'vim-cmd vmsvc/power.shutdown' executed outside of maintenance windows or via unusual users. Reboot logs in hostd.log and shell logs should be correlated.
Analyst context for executives and security teams
This analytic matters because unauthorized or unexpected ESXi shutdown or VM power-off activity can directly affect business continuity. The supplied ATT&CK object focuses on detecting ESXi shutdown-related commands run outside approved maintenance windows or by unusual users, with validation through host and shell logs.
Executive priority
Treat this as an operational resilience and privileged-access assurance check for VMware ESXi environments. Leaders should ask whether ESXi administrative actions are logged, reviewed against maintenance schedules, and attributable to approved users. The business value is evidence that critical virtualization infrastructure cannot be quietly powered down without detection and incident review.
Technical view
For ESXi platforms, validate monitoring for shutdown and reboot activity involving commands such as `esxcli system shutdown` and `vim-cmd vmsvc/power.shutdown`, especially when executed outside expected maintenance windows or by unusual users. SOC and IR teams should correlate hostd.log reboot evidence with shell logs to confirm who initiated the action, when it occurred, and whether it aligns with authorized change activity.
Likely telemetry
- ESXi hostd.log entries related to reboot or shutdown activity
- ESXi shell logs showing administrative command execution
- User or administrative account context for ESXi command activity
- Approved maintenance window or change-management records for correlation
Detection direction
- Validate that ESXi host and shell logs are collected centrally and retained long enough for investigation.
- Tune detections around shutdown or VM power commands that occur outside maintenance windows.
- Compare executing users against expected ESXi administrative accounts and investigate unusual users.
- Correlate reboot evidence in hostd.log with shell command activity to reduce ambiguity.
- Account for legitimate maintenance and change activity to manage false positives.
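To make the correlation described above concrete, here is an added example (not part of the ATT&CK object or of Glexia's own tooling) that applies this analytic to constructed shell and hostd log lines; the log line formats, the approved admin set, the maintenance window and the five-minute correlation tolerance are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines; the layout only approximates ESXi shell.log / hostd.log
SHELL_LOG = """\
2024-03-10T02:14:33Z shell[2001]: [root]: esxcli system shutdown reboot -r "patching"
2024-03-12T13:40:00Z shell[2140]: [svc_backup]: vim-cmd vmsvc/power.shutdown 12
2024-03-12T14:09:51Z shell[2141]: [root]: esxcli system shutdown poweroff -r "bye"
"""
HOSTD_LOG = """\
2024-03-10T02:14:40Z info hostd[1001] [Originator@6876 sub=Hostsvc] Host reboot requested
2024-03-12T14:10:02Z info hostd[1002] [Originator@6876 sub=Hostsvc] Host shutdown requested
"""

SHUTDOWN_CMDS = ("esxcli system shutdown", "vim-cmd vmsvc/power.shutdown")
EXPECTED_ADMINS = {"root"}  # assumption: the approved ESXi admin accounts
MAINT_WINDOWS = [  # assumption: one approved maintenance window (UTC)
    (datetime(2024, 3, 10, 1, 0, tzinfo=timezone.utc),
     datetime(2024, 3, 10, 4, 0, tzinfo=timezone.utc)),
]
CORRELATION = timedelta(minutes=5)  # hostd entry expected shortly after the command

SHELL_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")
HOSTD_RE = re.compile(r"^(\S+) \S+ hostd\[\d+\].*(reboot|shutdown)", re.I)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_window(ts):
    return any(start <= ts <= end for start, end in MAINT_WINDOWS)

def find_shutdown_events(shell_log=SHELL_LOG, hostd_log=HOSTD_LOG):
    """Flag shutdown/power-off commands, tagging why they matter and whether hostd corroborates them."""
    hostd_times = [parse_ts(m.group(1)) for line in hostd_log.splitlines()
                   if (m := HOSTD_RE.match(line))]
    findings = []
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if not m or not any(cmd in m.group(3) for cmd in SHUTDOWN_CMDS):
            continue
        ts, user, cmd = parse_ts(m.group(1)), m.group(2), m.group(3)
        reasons = []
        if not in_window(ts):
            reasons.append("outside maintenance window")
        if user not in EXPECTED_ADMINS:
            reasons.append(f"unexpected user {user}")
        # A hostd reboot/shutdown entry within the tolerance confirms the host acted on the command
        confirmed = any(timedelta(0) <= (h - ts) <= CORRELATION for h in hostd_times)
        findings.append({"ts": ts.isoformat(), "user": user, "cmd": cmd,
                         "severity": "high" if reasons else "info",
                         "reasons": reasons, "hostd_confirmed": confirmed})
    return findings

if __name__ == "__main__":
    for f in find_shutdown_events():
        print(f["severity"].upper(), f["ts"], f["user"], f["reasons"], "hostd_confirmed:", f["hostd_confirmed"])
```

The in-window root reboot is reported as informational, while the two out-of-window commands are high severity; the VM power-off by svc_backup has no hostd corroboration in the sample, which is exactly the ambiguity the analyst must resolve from the host's own records.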
Mitigation priorities
- Define and enforce approved maintenance windows for ESXi shutdown and reboot activity.
- Restrict ESXi administrative command access to authorized users only.
- Ensure ESXi logging is enabled, centralized, and reviewable by SOC or IR teams.
- Maintain change records that can be correlated with detected shutdown or reboot events.
- Periodically test whether unexpected ESXi shutdown activity would generate actionable alerts.
Analyst notes and limits
This is a detection analytic rather than a technique object. The available ATT&CK content is narrow but operationally important: ESXi shutdown commands should be treated as high-signal when they occur outside authorized maintenance or under unexpected user context.
No official detection logic, tactics, relationships, adversary use, or broader procedure context were supplied. Local ESXi configuration, logging availability, account model, and maintenance processes are required to assess coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b10517f09b8d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1541
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.