Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_net_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_net_cmd:
CommandLine|contains|all:
- '/add'
- '/domain'
- 'ESX Admins'
- 'group'
selection_powershell_img:
- Image|endswith:
- '\PowerShell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.exe'
- 'pwsh.dll'
selection_powershell_cli:
CommandLine|contains|all:
- 'New-ADGroup'
- 'ESX Admins'
condition: all of selection_net_* or all of selection_powershell_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Other