Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity

Rule Info

Name: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects any creation of, or modification to, a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Date: 2024-07-30 00:00:00
Modified: None
Id: 47a1658b-67a4-48e2-8ab1-c10437fc0148
Tags: attack.execution cve.2024-37085 detection.emerging-threats DEMO
Type: Community Rule

Rule History

Author                  | Title                                                               | Date       | Commit
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes          | 2024-08-12 |
frack113                | Merge PR #4938 from @frack113 - Add CVE-2024-37085 detection rules   | 2024-07-30 |