MITRE ATT&CK® Analytic

AN1574: Analytic 1574

Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.

Domain: Enterprise | ID: AN1574 | Type: Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a high-value virtualization layer: ESXi datastore files can represent critical server workloads and business systems. The behavior described is unusual ESXi processes such as vmx or hostd reading datastore files and then making outbound HTTPS connections to external cloud storage services such as Dropbox or AWS S3. For leaders, the decision point is whether the organization can see and control unexpected data movement from hypervisor infrastructure, not just from ordinary endpoints.

Executive priority

Treat this as a resilience and data-protection validation item for environments using ESXi. Security leaders should confirm whether hypervisor hosts are included in logging, network egress governance, and incident response playbooks. If ESXi management or datastore activity is outside normal SOC visibility, a material blind spot may exist for detecting unauthorized transfer of sensitive virtual machine data or operational assets. This can also support audit discussions around privileged infrastructure monitoring and outbound data movement controls.

Technical view

For SOC, detection engineering, and IR teams, the key validation is correlation: ESXi process activity involving datastore file reads by vmx or hostd followed by outbound HTTPS traffic to external cloud storage endpoints. Because ATT&CK does not provide a full detection implementation for AN1574, teams should define local baselines for normal ESXi process behavior, expected datastore access, approved backup or replication workflows, and permitted external destinations. Tuning should account for legitimate backup, disaster recovery, administrative, or storage-integration activity that may resemble the described pattern.

Likely telemetry

  • ESXi host process execution or process activity records for vmx and hostd where available
  • Datastore file access or audit logs showing reads of virtual machine-related files
  • Network flow logs from ESXi hosts, including destination IP, port, protocol, volume, and timing
  • TLS/HTTPS proxy, firewall, or egress gateway logs identifying outbound connections from ESXi hosts
  • DNS logs resolving external cloud storage services such as Dropbox, AWS S3, or other storage endpoints

Detection direction

  • Validate whether ESXi hosts generate sufficient process, datastore, DNS, and network telemetry to correlate file access with outbound HTTPS activity.
  • Baseline normal datastore reads by vmx and hostd and compare them with timing, volume, and destination patterns for outbound transfers.
  • Flag ESXi hosts initiating HTTPS sessions to external cloud storage services that are not part of approved backup, replication, or administrative workflows.
  • Tune for known legitimate infrastructure operations to reduce false positives, especially backup, disaster recovery, cloud storage integration, and maintenance windows.
  • Prioritize detections that combine datastore access and external egress rather than relying only on destination category or network volume.
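As an added illustration of the correlation these steps describe (example code written for this page, not part of the ATT&CK object or the Glexia analysis), the following Python joins datastore-read records from vmx/hostd with outbound HTTPS flows from the same host inside a short window and suppresses destinations on a documented backup allowlist. The record fields, host names, destination names, allowlist and window size are all constructed assumptions, not a real ESXi log schema.

```python
"""Correlate ESXi datastore reads by vmx/hostd with outbound HTTPS egress.

Added example, not ATT&CK or Glexia code. All records below are constructed
for illustration; real deployments would map hostd/vmkernel audit records
and flow logs into these fields.
"""
from datetime import datetime, timedelta

# Constructed datastore file-access records (host, process, path, time).
FILE_EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "esx01", "proc": "vmx",
     "path": "/vmfs/volumes/ds1/app-db/app-db-flat.vmdk", "op": "read"},
    {"ts": "2024-05-01T02:11:30", "host": "esx01", "proc": "hostd",
     "path": "/vmfs/volumes/ds1/app-db/app-db.vmx", "op": "read"},
    {"ts": "2024-05-01T09:00:00", "host": "esx02", "proc": "vmx",
     "path": "/vmfs/volumes/ds2/web01/web01-flat.vmdk", "op": "read"},
]
# Constructed outbound flow records from ESXi hosts (destination names are
# placeholders, not real service hostnames).
FLOWS = [
    {"ts": "2024-05-01T02:14:00", "host": "esx01", "dst_name": "storage.dropbox.example",
     "dport": 443, "bytes": 8_400_000_000},
    {"ts": "2024-05-01T09:05:00", "host": "esx02", "dst_name": "backup.corp.example",
     "dport": 443, "bytes": 50_000_000_000},
    {"ts": "2024-05-01T12:00:00", "host": "esx03", "dst_name": "s3.cloud.example",
     "dport": 443, "bytes": 1_000},
]
# Assumed allowlist of documented backup/replication targets (tuning input).
APPROVED_DESTINATIONS = {"backup.corp.example"}
WATCHED_PROCS = {"vmx", "hostd"}
WINDOW = timedelta(minutes=15)  # assumed correlation window


def correlate(file_events, flows, approved=APPROVED_DESTINATIONS, window=WINDOW):
    """Return alerts only when a watched process read a datastore file and the
    same host then sent HTTPS traffic to an unapproved destination within
    `window`. Egress alone, or a datastore read alone, does not alert."""
    alerts = []
    for flow in flows:
        if flow["dport"] != 443 or flow["dst_name"] in approved:
            continue  # not HTTPS, or a documented backup/replication target
        flow_ts = datetime.fromisoformat(flow["ts"])
        reads = [
            e for e in file_events
            if e["host"] == flow["host"] and e["proc"] in WATCHED_PROCS
            and e["path"].startswith("/vmfs/volumes/")
            and timedelta(0) <= flow_ts - datetime.fromisoformat(e["ts"]) <= window
        ]
        if reads:  # both conditions present: datastore access then egress
            alerts.append({"host": flow["host"], "dst": flow["dst_name"],
                           "bytes": flow["bytes"], "reads": [r["path"] for r in reads]})
    return alerts
```

On the constructed data only esx01 alerts: esx02 reaches an approved backup target and esx03 has no preceding datastore reads, which is the point of requiring both signals rather than destination category alone.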

Mitigation priorities

  • Inventory ESXi hosts and confirm they are covered by logging, monitoring, and incident response procedures.
  • Restrict outbound internet access from ESXi hosts to only documented and approved destinations required for operations.
  • Review and document legitimate backup, replication, and cloud storage workflows so detection teams can distinguish expected from unusual activity.
  • Centralize ESXi, DNS, firewall, proxy, and network flow telemetry where technically feasible.
  • Apply least-privilege administration and change-control practices around hypervisor management and datastore access.

Analyst notes and limits

AN1574 is a detection analytic for the ESXi platform. The official description identifies anomalous datastore activity followed by outbound HTTPS transfers to external cloud storage endpoints, with examples including Dropbox and AWS S3. No ATT&CK tactics, relationships, aliases, or detailed detection logic were supplied, so this take emphasizes validation questions and telemetry requirements rather than a specific rule.

The supplied ATT&CK object does not include official detection logic, tactic mapping, related techniques, threat actor context, or evidence of active exploitation. Local ESXi architecture, logging configuration, backup design, and egress controls are required to determine practical coverage and tuning.

Official MITRE ATT&CK definition

Analytic 1574

Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3aeaae40414d2a8b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3aeaae40414d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1574 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.