Rule Info
Name
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects any creation or modification of a Windows domain group named "ESX Admins".
This could indicate an exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain treat any member of a domain group named "ESX Admins" as having full administrative access by default, so creating or renaming a group to that name is the first step an attacker needs.
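The following is an added example, not the Sigma rule body (which this page does not reproduce) and not code from the rule author. It re-implements the detection described above in Python and runs it over constructed Windows Security events. It assumes the rule keys on the security-enabled group lifecycle event IDs listed in GROUP_EVENTS and on the group name field, which the Sigma Windows taxonomy exposes as TargetUserName; matching is case-insensitive, as Sigma's string modifiers are. The member-addition pivot goes beyond the rule as described and is marked as such.

```python
# Added example: minimal re-implementation of the "ESX Admins" group activity
# detection over constructed Windows Security events. Event IDs and field names
# are assumptions about the rule, since the page does not show its body.

# Windows Security event IDs for security-enabled group lifecycle changes.
# Creation and modification (a rename surfaces as a "changed" event) are what the
# rule description covers; deletions are included because the same group-management
# events log them and an attacker cleaning up is still worth seeing.
GROUP_EVENTS = {
    4727: "security-enabled global group created",
    4730: "security-enabled global group deleted",
    4731: "security-enabled local group created",
    4734: "security-enabled local group deleted",
    4735: "security-enabled local group changed",
    4737: "security-enabled global group changed",
    4754: "security-enabled universal group created",
    4755: "security-enabled universal group changed",
    4758: "security-enabled universal group deleted",
    4764: "group type changed",
}

# Member additions are NOT part of the rule as described, but an attacker must
# also populate the group, so an analyst will usually pivot to these next.
MEMBER_ADD_EVENTS = {4728, 4732, 4756}

SUSPICIOUS_GROUP = "esx admins"


def matches(event: dict) -> bool:
    """True when the event is a group lifecycle change naming 'ESX Admins'.

    Sigma's |contains modifier is case-insensitive, so compare in lower case;
    an attacker can create "esx admins" and ESXi still honours it.
    """
    if event.get("EventID") not in GROUP_EVENTS:
        return False
    return SUSPICIOUS_GROUP in event.get("TargetUserName", "").lower()


def run_detection(events):
    """Apply the rule to a list of events.

    Returns (alerts, related_member_adds): alerts are the rule hits; the second
    list is the follow-up pivot (who was added to the group), not part of the rule.
    """
    alerts = [e for e in events if matches(e)]
    related = [
        e for e in events
        if e.get("EventID") in MEMBER_ADD_EVENTS
        and SUSPICIOUS_GROUP in e.get("TargetUserName", "").lower()
    ]
    return alerts, related


# Constructed sample events; field names follow Sigma's Windows Security taxonomy.
SAMPLE_EVENTS = [
    # Group created with the magic name: should alert.
    {"EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "ESX Admins", "TargetDomainName": "CORP"},
    # Existing group renamed to the magic name in different case: should alert.
    {"EventID": 4737, "SubjectUserName": "jdoe",
     "TargetUserName": "esx admins", "TargetDomainName": "CORP"},
    # Member added to the group: not a rule hit, but the pivot an analyst wants.
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local"},
    # Unrelated group creation: must not alert.
    {"EventID": 4727, "SubjectUserName": "svc-it",
     "TargetUserName": "Print Operators Backup", "TargetDomainName": "CORP"},
    # Logon event that happens to carry the string: wrong event class, must not alert.
    {"EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
]


if __name__ == "__main__":
    hits, pivots = run_detection(SAMPLE_EVENTS)
    for e in hits:
        print(f"ALERT  {e['EventID']} {GROUP_EVENTS[e['EventID']]}: "
              f"{e['SubjectUserName']} -> {e['TargetUserName']}")
    for e in pivots:
        print(f"PIVOT  {e['EventID']} member added: {e['MemberName']}")
```

On a live domain controller the equivalent check is a query of the Security log for the same event IDs (for example with Get-WinEvent and a FilterHashtable on LogName and Id) followed by a filter on the group name; note that legitimate administrators who deliberately create "ESX Admins" to manage ESXi will trigger this too, so the alert needs a baseline of who is expected to touch that group.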
Date
2024-07-30 00:00:00
Modified
None
Id
47a1658b-67a4-48e2-8ab1-c10437fc0148
Tags
attack.execution cve.2024-37085 detection.emerging-threats DEMO
Type
Community Rule
Link to Public Repo