Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity

Detects the creation of, or a change to, a Windows domain group named "ESX Admins", using Security log events for group creation (4727, 4731, 4754), member addition (4728, 4756) and group modification such as a rename (4737, 4755). This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.

Sigma rule

title: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
id: 47a1658b-67a4-48e2-8ab1-c10437fc0148
status: experimental
description: |
    Detects any creation or modification to a Windows domain group with the name "ESX Admins".
    This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-30
tags:
    - attack.execution
    - cve.2024-37085
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4727  # security-enabled global group created
            - 4728  # member added to security-enabled global group
            - 4731  # security-enabled local group created
            - 4737  # security-enabled global group changed (e.g. renamed)
            - 4754  # security-enabled universal group created
            - 4755  # security-enabled universal group changed (e.g. renamed)
            - 4756  # member added to security-enabled universal group
    keyword_group:
        - 'ESX Admins'
    condition: selection and keyword_group
falsepositives:
    - Unknown
level: high
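The rule's logic, re-implemented in plain Python and run over a handful of constructed Windows Security events, as an added example that is not part of the SigmaHQ rule or the original page. It mirrors the two Sigma building blocks: the `selection` on EventID, and the `keyword_group` list, which Sigma matches as a case-insensitive substring anywhere in the event rather than in one named field. The sample events, their field names (Sigma's Windows naming such as TargetUserName, MemberName, SubjectUserName) and the user names in them are assumptions made for this example, not captured log data.

```python
"""Added example: the Sigma rule's 'selection and keyword_group' condition for
the "ESX Admins" group, evaluated over constructed Security events."""
from typing import Any, Dict, Iterable, List

# Event IDs from the rule's 'selection': creation, change and member-add events
# for security-enabled global, local and universal groups.
SELECTION_EVENT_IDS = {4727, 4728, 4731, 4737, 4754, 4755, 4756}

# The rule's 'keyword_group' list. Sigma keyword lists are matched against the
# whole event, case-insensitively, so the check is not tied to one field.
KEYWORDS = ("esx admins",)


def event_matches(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies 'selection and keyword_group'."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False  # malformed EventID: never a match
    if event_id not in SELECTION_EVENT_IDS:
        return False
    # Keyword search over every field value, lower-cased, mirroring how a
    # SIEM backend evaluates a Sigma keyword list.
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(keyword in haystack for keyword in KEYWORDS)


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule to a stream of events and return the ones that fire."""
    return [event for event in events if event_matches(event)]


# Constructed sample events (assumed field names and values, not real logs).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # 4727: a global group named "ESX Admins" is created -> match
    {"EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    # 4728: a member is added; group name written in lower case -> still a match,
    # because Sigma keyword matching is case-insensitive
    {"EventID": 4728, "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup,OU=Users,DC=corp,DC=local",
     "TargetUserName": "esx admins", "TargetDomainName": "CORP"},
    # 4737: an existing group is changed; the new SAM account name carries the
    # magic string -> match (covers the rename technique)
    {"EventID": 4737, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "SamAccountName": "ESX Admins",
     "TargetDomainName": "CORP"},
    # 4727: creation of an unrelated group -> no match
    {"EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "Finance", "TargetDomainName": "CORP"},
    # 4624: a logon that happens to mention the name -> no match, because the
    # EventID is outside the rule's selection
    {"EventID": 4624, "TargetUserName": "ESX Admins", "LogonType": 3},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit['EventID']} subject={hit.get('SubjectUserName')} "
              f"group={hit.get('TargetUserName')}")
```

Two points worth keeping in mind when porting this to a SIEM: the keyword match is deliberately field-agnostic, so a group renamed to "ESX Admins" (4737/4755) fires even though the name sits in a changed-attribute field rather than in the group-name field, and the rule only sees security-enabled groups, so the equivalent distribution-group events (for example 4744 and 4749) are not covered. On a domain controller the same events can be pulled for a manual check with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727,4728,4731,4737,4754,4755,4756}` and filtered on the message text.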
