Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Sigma rule (View on GitHub)
1title: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
2id: 47a1658b-67a4-48e2-8ab1-c10437fc0148
3status: experimental
4description: |
5 Detects any creation or modification to a windows domain group with the name "ESX Admins".
6 This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor.
7 VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
8references:
9 - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024-07-30
12tags:
13 - attack.execution
14 - cve.2024-37085
15 - detection.emerging-threats
16logsource:
17 product: windows
18 service: security
19detection:
20 selection:
21 EventID:
22 - 4727
23 - 4728
24 - 4731
25 - 4737
26 - 4754
27 - 4755
28 - 4756
29 keyword_group:
30 - 'ESX Admins'
31 condition: selection and keyword_group
32falsepositives:
33 - Unknown
34level: high
References
Related rules
- Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation