Emerging Threathightest

Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity

Detects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jul 3047a1658b-67a4-48e2-8ab1-c10437fc01482024

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID:
            - 4727
            - 4728
            - 4731
            - 4737
            - 4754
            - 4755
            - 4756
    keyword_group:
        - 'ESX Admins'
    condition: selection and keyword_group

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

microsoft.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Other

cve.2024-37085detection.emerging-threats

Rule Metadata

Rule ID

47a1658b-67a4-48e2-8ab1-c10437fc0148

Status

test

Level

high

Type

Emerging Threat

Created

Tue Jul 30

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml

Raw Tags

attack.executioncve.2024-37085detection.emerging-threats

View on GitHub