Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group

Detects execution of the "net.exe" command (or, in the rule's second branch, the PowerShell New-ADGroup cmdlet) in order to add a group named "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.

Sigma rule

```yaml
title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
id: c408acfe-2870-41df-8d2f-9f4daa4555ed
status: experimental
description: |
    Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
    This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
author: frack113
date: 2024-07-29
tags:
    - attack.execution
    - cve.2024-37085
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_net_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_net_cmd:
        CommandLine|contains|all:
            - '/add'
            - '/domain'
            - 'ESX Admins'
            - 'group'
    selection_powershell_img:
        - Image|endswith:
              - '\PowerShell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.exe'
              - 'pwsh.dll'
    selection_powershell_cli:
        CommandLine|contains|all:
            - 'New-ADGroup'
            - 'ESX Admins'
    condition: all of selection_net_* or all of selection_powershell_*
falsepositives:
    - Unknown
level: high
```
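The rule's detection logic as a small Python matcher, an added example that is not part of the Sigma rule or the Sigma project. It assumes events are dicts keyed by the rule's field names (Image, OriginalFileName, CommandLine) and that string matching is case-insensitive, as Sigma's default modifiers are; the sample events are constructed.

```python
"""Reference matcher for the rule above (added example, not Sigma project code).
Events are constructed Windows process-creation records using the rule's field names."""

NET_IMAGES = ("\\net.exe", "\\net1.exe")
NET_ORIGINAL = ("net.exe", "net1.exe")
PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
PS_ORIGINAL = ("powershell.exe", "pwsh.dll")


def _lower(event, field):
    # Sigma string matching is case-insensitive; a missing field never matches.
    return str(event.get(field, "")).lower()


def _image_matches(event, image_suffixes, original_names):
    # The rule lists Image|endswith and OriginalFileName as two list items, i.e. OR:
    # a renamed net.exe is still caught through its PE OriginalFileName.
    return (_lower(event, "Image").endswith(image_suffixes)
            or _lower(event, "OriginalFileName") in original_names)


def _cmdline_contains_all(event, needles):
    # CommandLine|contains|all: every needle must appear, in any order.
    cmd = _lower(event, "CommandLine")
    return all(n.lower() in cmd for n in needles)


def matches_rule(event):
    """True when 'all of selection_net_* or all of selection_powershell_*' holds."""
    net_hit = (_image_matches(event, NET_IMAGES, NET_ORIGINAL)
               and _cmdline_contains_all(event, ("/add", "/domain", "ESX Admins", "group")))
    ps_hit = (_image_matches(event, PS_IMAGES, PS_ORIGINAL)
              and _cmdline_contains_all(event, ("New-ADGroup", "ESX Admins")))
    return net_hit or ps_hit


# Constructed sample events (hypothetical paths and command lines) for a self-check.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'net group "ESX Admins" /domain /add'},                 # hit
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "net1.exe",
     "CommandLine": 'svc.exe group "esx admins" /add /domain'},             # renamed binary: hit
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh -c New-ADGroup -Name 'ESX Admins' -GroupScope Global"},  # hit
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'net group "ESX Admins" /domain'},                      # query only: no hit
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'net group "Domain Admins" /domain /add'},              # other group: no hit
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches_rule(ev), ev["CommandLine"])
```

The fourth event shows why the rule requires '/add' alongside 'group' and '/domain': a plain group-membership query for "ESX Admins" is not an alert.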
