Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Sigma rule (View on GitHub)
1title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
2id: c408acfe-2870-41df-8d2f-9f4daa4555ed
3status: experimental
4description: |
5 Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
6 This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
7 VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
8references:
9 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
10author: frack113
11date: 2024-07-29
12tags:
13 - attack.execution
14 - cve.2024-37085
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_net_img:
21 - Image|endswith:
22 - '\net.exe'
23 - '\net1.exe'
24 - OriginalFileName:
25 - 'net.exe'
26 - 'net1.exe'
27 selection_net_cmd:
28 CommandLine|contains|all:
29 - '/add'
30 - '/domain'
31 - 'ESX Admins'
32 - 'group'
33 selection_powershell_img:
34 - Image|endswith:
35 - '\PowerShell.exe'
36 - '\pwsh.exe'
37 - OriginalFileName:
38 - 'PowerShell.exe'
39 - 'pwsh.dll'
40 selection_powershell_cli:
41 CommandLine|contains|all:
42 - 'New-ADGroup'
43 - 'ESX Admins'
44 condition: all of selection_net_* or all of selection_powershell_*
45falsepositives:
46 - Unknown
47level: high
References
Related rules
- Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation