In a landmark update, MITRE ATT&CK v17 introduces a dedicated ESXi platform to its framework, bringing hypervisor threats into the spotlight. This move validates what security teams have been seeing for years: attackers are targeting hypervisors directly, and traditional defenses are falling short. 


Framework Overview 

Because ESXi is Linux-based, the new ESXi matrix carries over 30 Linux Tactics, Techniques, and Procedures (TTPs), adapts 34 existing TTPs to ESXi, and adds 4 new ESXi-specific TTPs. The matrix spans 12 ATT&CK tactics covering the steps that may be taken during an attack chain: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. 


What MITRE ATT&CK v17 Means for Your ESXi Environment 

With the ESXi matrix live, defenders finally have the framework support to: 

  • Build detections for ESXi-specific TTPs 
  • Align security controls to MITRE ATT&CK compliance expectations 
  • Prioritize risk at the virtual infrastructure layer, not just the endpoint 
  • Elevate hypervisor security to CISO-level attention 


How will this impact compliance? 

While MITRE ATT&CK isn’t a compliance standard, many organizations use the framework to align their departments and map their operations to compliance standards such as ISO, HIPAA, and NIST. With an ESXi matrix now part of the framework, leaving the hypervisor layer unsecured could show up as an auditable gap in security for which companies could be held liable. The addition of ESXi to MITRE ATT&CK validates the attack risk many ESXi users have faced and the need for runtime ESXi security. 


ZeroLock: Closing the ESXi Security Gap 

ESXi-focused TTPs in MITRE ATT&CK v17 already addressed by ZeroLock

As MITRE shines a spotlight on ESXi, many teams are realizing traditional tools weren’t built to secure the hypervisor layer. ZeroLock® fills that gap. Purpose-built for ESXi, it delivers the runtime controls, visibility, and enforcement legacy tools miss: 

  • SSH Multi-Factor Authentication to secure access points 
  • Lockdown Rules to reduce manual hardening efforts 
  • Application Filtering to block command-line tools like esxcli and vim-cmd 
  • AI Detection to prevent unauthorized changes 
  • SIEM/SOAR Integration for streamlined response 

ZeroLock enables teams to enforce ATT&CK-aligned defenses—without retrofitting endpoint solutions for the hypervisor. 


Highlighting the new TTPs & ZeroLock’s capabilities

The ESXi techniques in ATT&CK v17 expose critical blind spots that most traditional endpoint security tools don’t cover. Here are four high-impact TTPs that stand out, and why they matter for organizations looking to improve ESXi ransomware protection, align more closely with MITRE ATT&CK, and meet stricter compliance standards. 

T1675: ESXi Administration Command 

Adversaries can abuse native ESXi services—such as VMware Tools and Guest Operations APIs—to remotely execute commands on VMs without logging into the guest OS. This allows attackers to transfer files, run scripts, and perform reconnaissance across multiple virtual machines—all while mimicking legitimate administrative behavior. These actions often go undetected and can lead to downstream attacks like data exfiltration or credential harvesting. 

ZeroLock protects against ESXi Administration Commands through a combination of SSH MFA and advanced lockdown rules: 

  • SSH-MFA enforces strong authentication for shell access to the ESXi host, reducing the risk of unauthorized command execution.
  • Lockdown Rules restrict access, helping prevent unauthorized command execution or file manipulation via native ESXi mechanisms.
  • Prevents malicious activity before it reaches your guest VMs. 

T1059.012: Command and Scripting Interpreter – Hypervisor CLI 

Attackers abuse native ESXi command-line tools to control the hypervisor—shutting down VMs, adjusting firewall settings, forwarding logs, and more. These tools are powerful, built-in, and often overlooked as a threat vector. Used in real attacks (e.g., Cheerscrypt, Royal ransomware), this technique allows adversaries to quietly execute commands that lead to disruption, lateral movement, or impact operations—all without triggering traditional security tools. To mitigate this, ZeroLock applies a layered approach that restricts usage, filters unauthorized tools, and surfaces suspicious behavior in real time.

ZeroLock protects against abuse of hypervisor CLIs through a combination of Lockdown Rules, Application Filtering, and real-time monitoring: 

  • Lockdown Rules enforce strict controls on which command-line tools and functions can be executed at runtime.
  • Application Filtering blocks execution of unauthorized binaries and scripting interpreters. 
  • Real-time Monitoring flags and alerts on suspicious command behavior that may signal ransomware activity or lateral movement.

T1505.006: Server Software Component – vSphere Installation Bundles (VIBs) 

Adversaries may use vSphere Installation Bundles (VIBs) to establish persistent access to an ESXi host—surviving reboots and reactivating malicious behavior. These bundles can be used to load unauthorized drivers, install startup scripts, modify firewall configurations, or plant backdoors. When installed with specific flags, malicious VIBs can bypass normal validation checks. To evade detection, attackers may also tamper with metadata, disguising their payloads as “Partner Supported.”

Whether the attacker is attempting to slip in a backdoor or modify startup behavior, ZeroLock detects and denies the activity before it can persist: 

  • Application Filtering prevents installation and execution of unauthorized or altered VIBs. 
  • Stops persistence before it takes root. 
  • Ensures only approved components can run on boot.

T1673: Virtual Machine Discovery 

Once an attacker gains access to an ESXi host, one of their first moves is often to enumerate running virtual machines. Commands like “esxcli vm process list” or “vim-cmd vmsvc/getallvms” reveal valuable information, helping adversaries identify high-value targets for encryption, disruption, or further lateral movement. This discovery phase is critical to ransomware operations: by mapping out the virtual infrastructure, attackers can plan high-impact actions across the environment and coordinate them across multiple systems quickly and quietly. 

This early-stage discovery activity gives attackers the blueprint they need to move fast and maximize damage. ZeroLock stops it before it starts: 

  • Lockdown Rules restrict access to hypervisor-level discovery commands, preventing unauthorized users from enumerating virtual machines. 
  • AI Detection analyzes command behavior in real time to identify and flag anomalous patterns. 
  • Stops reconnaissance before attackers escalate. 
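As an added illustration of the three technique families above (T1059.012, T1505.006 and T1673), and not code from the original post or from ZeroLock, the following Python maps commands recorded in an ESXi shell history to their ATT&CK IDs and flags sessions where VM discovery is followed by a control or VIB action. The shell.log line layout, the sample lines and the regex rule set are assumptions constructed for this example.

```python
import re

# Constructed sample in the ESXi /var/log/shell.log layout (timestamp, shell[pid], [user], cmd); format assumed.
SAMPLE_SHELL_LOG = """\
2025-05-01T10:00:01Z shell[2099585]: [root]: esxcli system version get
2025-05-01T10:00:14Z shell[2099585]: [root]: esxcli vm process list
2025-05-01T10:00:20Z shell[2099585]: [root]: vim-cmd vmsvc/getallvms
2025-05-01T10:00:41Z shell[2099585]: [root]: esxcli network firewall set --enabled false
2025-05-01T10:00:55Z shell[2099585]: [root]: esxcli software vib install -d /tmp/update.zip
2025-05-01T10:01:02Z shell[2099585]: [root]: vim-cmd vmsvc/power.off 12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Regex -> (ATT&CK ID, label), built from the commands the post names; not exhaustive.
RULES = [
    (re.compile(r"^(esxcli vm process list|vim-cmd vmsvc/getallvms)\b"), "T1673", "VM discovery"),
    (re.compile(r"^esxcli network firewall "), "T1059.012", "firewall change via hypervisor CLI"),
    (re.compile(r"^(vim-cmd vmsvc/power\.off|esxcli vm process kill)\b"), "T1059.012", "VM shutdown via hypervisor CLI"),
    (re.compile(r"^esxcli software vib (install|update)\b"), "T1505.006", "VIB installation"),
]

def classify(text):
    """Return [(ts, pid, technique_id, label, cmd)] for shell.log commands matching a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a shell.log command line
        for pattern, tid, label in RULES:
            if pattern.search(m["cmd"]):
                hits.append((m["ts"], m["pid"], tid, label, m["cmd"]))
                break  # first matching rule wins
    return hits

def escalated_sessions(hits):
    """PIDs where VM discovery (T1673) is later followed, in the same shell session,
    by a CLI control or VIB action: the discovery-then-impact sequence the post describes."""
    discovered, escalated = set(), set()
    for _ts, pid, tid, _label, _cmd in hits:
        if tid == "T1673":
            discovered.add(pid)
        elif pid in discovered:
            escalated.add(pid)
    return escalated

if __name__ == "__main__":
    hits = classify(SAMPLE_SHELL_LOG)
    print(*hits, sep="\n")
    print("escalated sessions:", sorted(escalated_sessions(hits)))
```

Feeding the real shell.log (or its syslog-forwarded copy) into classify() gives per-command ATT&CK tags that a SIEM rule can key on; escalated_sessions() is the higher-signal alert.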


Final Thoughts: What’s Next 

With MITRE ATT&CK v17 out, defenders finally have the guidance needed to confront ESXi threats head-on. But you need the right tools to act on that guidance. 

ZeroLock is leading the way as the first solution dedicated to ransomware protection at the hypervisor layer. Built with VMware ESXi in mind, ZeroLock enables faster response, real-time defense, and full visibility into your hypervisor. 

👉 Schedule your personalized demo or download our MITRE ATT&CK one-sheet to see how ZeroLock helps teams detect, respond, and recover at the hypervisor level.

For an easy snapshot of the matrix, quickly scan our MITRE ATT&CK Quick Map or check out our in-depth MITRE ATT&CK product mapping for more insights!