Detection Strategy for ESXi Administration Command

ID: DET0232
Domains: Enterprise
Analytics: AN0646
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0646

Detects anomalous use of the vSphere Guest Operations API on ESXi hosts, in particular the methods StartProgramInGuest, ListProcessesInGuest, ListFilesInGuest, and InitiateFileTransferFromGuest. From the defender's perspective the signals are an unusual volume of guest API calls, invocation by a management account that is not expected to use them, calls against VMs where guest operations are not normally performed, or execution outside business hours. Each of these on its own has benign explanations (backup agents, configuration-management tooling, and administrators all use the same calls), so the analytic correlates them; taken together they indicate adversarial abuse of ESXi administrative services to run commands on guest VMs. Two points affect attribution: every Guest Operations call also authenticates to the guest OS with guest credentials, so where the log records the guest account it should be kept alongside the vSphere principal, and calls relayed through vCenter reach hostd under the vpxuser proxy account, so vCenter's own events and vpxd logs are needed to identify the originating user.

Log Sources

Data Component: Application Log Content (DC0038)
Name: esxi:hostd
Channel: Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFilesInGuest, InitiateFileTransferFromGuest

Mutable Elements

ExpectedAdminUsers: Whitelist of management accounts authorized to use ESXi Guest Ops APIs.
TimeWindow: Business hours during which Guest Ops API usage is expected; activity outside this window may be suspicious.
OperationThreshold: Number of Guest Ops API calls per account and VM considered anomalous if exceeded in a given timeframe.
AuthorizedVMs: List of VMs where Guest Ops usage is permitted; usage on other VMs may indicate malicious activity.
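The following is an added example, not part of the ATT&CK page or of any vendor tooling, showing how the four mutable elements above combine into one rule run over hostd-style log lines. The line format, the account names, the VM names, and the tunable values are all assumptions for illustration; real hostd.log entries do not use this syntax, so the regular expression would need to be adapted to the actual records.

```python
"""Added example: evaluate ExpectedAdminUsers, TimeWindow, OperationThreshold
and AuthorizedVMs against constructed hostd-style Guest Operations log lines.
The log line syntax is an assumption, not real hostd.log format."""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

GUEST_OPS = {
    "StartProgramInGuest", "ListProcessesInGuest",
    "ListFilesInGuest", "InitiateFileTransferFromGuest",
}

# Mutable Elements (values are assumptions for this example)
EXPECTED_ADMIN_USERS = {"svc-backup"}           # ExpectedAdminUsers
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # TimeWindow, in the log's timezone (UTC here)
OPERATION_THRESHOLD = 5                         # OperationThreshold: more than this many calls...
THRESHOLD_WINDOW = timedelta(seconds=60)        # ...per (user, VM) pair inside this sliding window
AUTHORIZED_VMS = {"app01"}                      # AuthorizedVMs

# Constructed line format (assumption):
#   "<ISO-8601 ts>Z hostd: GuestOperation <method> vm=<name> user=<principal>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z hostd: GuestOperation "
    r"(?P<op>\w+) vm=(?P<vm>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for a Guest Operations call, or None for any other record."""
    m = LINE_RE.match(line.strip())
    if not m or m["op"] not in GUEST_OPS:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect(lines):
    """Return one alert per Guest Operations call that violates any tunable.

    Events are processed in time order; the sliding window per (user, vm)
    pair implements OperationThreshold, the other three checks are per event.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(list)   # (user, vm) -> timestamps still inside the window
    alerts = []
    for ev in events:
        reasons = []
        if ev["user"] not in EXPECTED_ADMIN_USERS:
            reasons.append("unexpected_user")
        if not (BUSINESS_HOURS[0] <= ev["ts"].time() < BUSINESS_HOURS[1]):
            reasons.append("outside_business_hours")
        if ev["vm"] not in AUTHORIZED_VMS:
            reasons.append("unauthorized_vm")
        key = (ev["user"], ev["vm"])
        window = [t for t in recent[key] if ev["ts"] - t <= THRESHOLD_WINDOW]
        window.append(ev["ts"])
        recent[key] = window
        if len(window) > OPERATION_THRESHOLD:
            reasons.append("operation_threshold_exceeded")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "vm": ev["vm"], "op": ev["op"], "reasons": reasons})
    return alerts


# Constructed sample input (not captured from a real host). Covers: a non-guest-op
# line that must be ignored, benign use, an unexpected user at 02:13, an
# unauthorized VM, and a six-call burst that crosses OperationThreshold.
SAMPLE_LOG = """\
2025-10-21T09:00:00Z hostd: PowerOnVM vm=app01 user=svc-backup
2025-10-21T09:05:12Z hostd: GuestOperation ListFilesInGuest vm=app01 user=svc-backup
2025-10-21T09:05:13Z hostd: GuestOperation InitiateFileTransferFromGuest vm=app01 user=svc-backup
2025-10-21T02:13:40Z hostd: GuestOperation ListProcessesInGuest vm=app01 user=jdoe
2025-10-21T02:13:41Z hostd: GuestOperation StartProgramInGuest vm=app01 user=jdoe
2025-10-21T11:20:00Z hostd: GuestOperation StartProgramInGuest vm=db01 user=svc-backup
""" + "".join(
    f"2025-10-21T14:00:0{i}Z hostd: GuestOperation ListFilesInGuest vm=app01 user=svc-backup\n"
    for i in range(6)
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the call that crosses the threshold is flagged for the burst, so a single alert marks the point at which the count became anomalous rather than one alert per call; the two jdoe calls each produce an alert because the user and time-of-day checks are per event.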