
DET0232 Detection Strategy for ESXi Administration Command

ID: DET0232
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1675 (ESXi Administration Command)

Analytics

ESXi

AN0646

Detects anomalous usage of ESXi Guest Operations APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, or InitiateFileTransferFromGuest. From the defender's perspective, the analytic focuses on an unusual frequency of guest API calls, invocation from unexpected management accounts, or execution outside of business hours. Taken together, these correlated signals indicate adversarial abuse of ESXi administrative services to run commands on guest VMs.

Log Sources
Data Component: Application Log Content (DC0038)
Name: esxi:hostd
Channel: Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest
Mutable Elements
ExpectedAdminUsers: Whitelist of management accounts authorized to use ESXi Guest Ops APIs.
TimeWindow: Business hours during which Guest Ops API usage is expected; activity outside may be suspicious.
OperationThreshold: Number of Guest Ops API calls considered anomalous if exceeded in a given timeframe.
AuthorizedVMs: List of VMs where Guest Ops usage is permitted; usage on other VMs may indicate malicious activity.
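The following is an added example, not part of the ATT&CK page, showing how the four mutable elements above can be applied to Guest Operations events from esxi:hostd. The account names, VM names, threshold values and log lines are constructed, and the lines use a simplified key=value layout rather than the native hostd log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GUEST_OPS = {"StartProgramInGuest", "ListProcessesInGuest",
             "ListFileInGuest", "InitiateFileTransferFromGuest"}

# Mutable elements from DET0232; the values here are hypothetical
EXPECTED_ADMIN_USERS = {"svc-backup", "vsphere-admin"}  # ExpectedAdminUsers
TIME_WINDOW = (8, 18)           # TimeWindow: business hours 08:00-18:00 UTC
OPERATION_THRESHOLD = 3         # OperationThreshold: >3 calls per 10 min
AUTHORIZED_VMS = {"backup-proxy-01"}                    # AuthorizedVMs

# Constructed sample events (simplified key=value layout, not hostd's format)
SAMPLE_LOG = [
    "ts=2025-10-21T10:05:00 user=svc-backup vm=backup-proxy-01 op=ListFileInGuest",
    "ts=2025-10-21T02:15:03 user=jdoe vm=db-prod-02 op=StartProgramInGuest",
    "ts=2025-10-21T02:15:10 user=jdoe vm=db-prod-02 op=ListProcessesInGuest",
    "ts=2025-10-21T02:15:40 user=jdoe vm=db-prod-02 op=InitiateFileTransferFromGuest",
    "ts=2025-10-21T02:16:02 user=jdoe vm=db-prod-02 op=StartProgramInGuest",
    "ts=2025-10-21T10:06:00 user=svc-backup vm=backup-proxy-01 op=PowerOnVM_Task",
]

def parse_line(line):
    """Return a dict for a Guest Operations event, or None for any other event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("op") not in GUEST_OPS:
        return None
    return {**fields, "ts": datetime.fromisoformat(fields["ts"])}

def evaluate(lines):
    """Return de-duplicated (user, vm, reason) findings for the mutable elements."""
    findings, per_user = [], defaultdict(list)
    def flag(user, vm, reason):
        if (user, vm, reason) not in findings:
            findings.append((user, vm, reason))
    for e in filter(None, map(parse_line, lines)):
        if e["user"] not in EXPECTED_ADMIN_USERS:
            flag(e["user"], e["vm"], "unexpected account")
        if not TIME_WINDOW[0] <= e["ts"].hour < TIME_WINDOW[1]:
            flag(e["user"], e["vm"], "outside business hours")
        if e["vm"] not in AUTHORIZED_VMS:
            flag(e["user"], e["vm"], "unauthorized VM")
        per_user[e["user"]].append(e["ts"])
    # Frequency check: sliding 10-minute window over each user's call timestamps
    for user, stamps in per_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(s - start <= timedelta(minutes=10) for s in stamps[i:]) > OPERATION_THRESHOLD:
                flag(user, "*", "operation threshold exceeded")
                break
    return findings
```

Running `evaluate(SAMPLE_LOG)` flags the jdoe activity on all four elements while the in-hours backup job on its authorized VM produces nothing, and the PowerOnVM_Task line is ignored because it is not a Guest Operations call.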