Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity

    Date: 07/31/2024

    Severity: Medium

    Summary

    CVE-2024-37085 is an authentication bypass in VMware ESXi (Broadcom advisory VMSA-2024-0013). An ESXi host joined to Active Directory grants full administrative access to members of a domain group named "ESX Admins". The group is not a built-in AD group, the host does not check that it existed when the domain join was performed, and the check is by name rather than by SID. An attacker who already holds enough AD privilege to create a group, rename an existing group, or add members to one can therefore become an administrator on every domain-joined ESXi host without touching the hypervisor itself. Microsoft reported ransomware operators exploiting this in late July 2024, which is why the detections below key on Windows Security group-management events on the domain controller rather than on ESXi logs. Patch affected hosts promptly and, in the meantime, monitor group creation, rename and membership changes involving this group name.

    Indicators of Compromise (IOC) List

    EventID (Windows Security log, group-management events recorded on the domain controller)

    4727  A security-enabled global group was created
    4728  A member was added to a security-enabled global group
    4731  A security-enabled local group was created
    4737  A security-enabled global group was changed (covers renaming an existing group to "ESX Admins")
    4754  A security-enabled universal group was created
    4755  A security-enabled universal group was changed (covers renames)
    4756  A member was added to a security-enabled universal group

    keyword

    ESX Admins (the domain group name ESXi honours by default; matched against the target group name in the events above)

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourceName = "Windows Security"  AND  eventtype in ("4727","4728","4731","4737","4754","4755","4756" )  AND groupname = "ESX Admins"

    Query 1 keys on the domain controller's Security log: any creation, rename or membership change of a group whose name is "ESX Admins". Two caveats. The match is on the literal default name; if your ESXi hosts were reconfigured to honour a different group through the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, add that name to the query. And the Event ID list covers creation of domain local groups (4731) but not membership additions to them (4732) or changes to them (4735); extend the list if you want those covered as well.

    Detection Query 2

    technologygroup = "EDR"   AND groupname = "ESX Admins"

    Query 2 pivots to EDR telemetry that carries the same group name field, so the activity remains visible when domain controller logs are not being collected. A legitimate change window will match both queries; verify the acting account and the change record before escalating.
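    The following is an added example, not Gurucul's query language or the SigmaHQ rule's code: a small detector that applies the same logic as Detection Query 1 (the seven group-management Event IDs, target group name containing "ESX Admins") to Windows Security events. The field names EventID, TargetUserName, SubjectUserName and MemberName are the Security log's own; the sample events are constructed, and the assumption that a renamed group's new name appears in TargetUserName for 4737 is marked in the code.

```python
# Added example, not the page's or SigmaHQ's code. Mirrors Detection Query 1:
# group-management Event IDs from the IOC list whose target group name contains
# "ESX Admins" (case-insensitive substring, as Sigma's |contains behaves).
from dataclasses import dataclass
from typing import Iterable, Optional

# Event IDs from the IOC list, with their Windows Security log meanings.
GROUP_EVENT_IDS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4731: "security-enabled local group created",
    4737: "security-enabled global group changed (incl. rename)",
    4754: "security-enabled universal group created",
    4755: "security-enabled universal group changed (incl. rename)",
    4756: "member added to security-enabled universal group",
}

# Group name ESXi honours by default. Assumption: if hosts were reconfigured
# with a different name via Config.HostAgent.plugins.hostsvc.esxAdminsGroup,
# that name must be added here or the detection is blind to it.
WATCHED_GROUP_NAMES = ("esx admins",)


@dataclass(frozen=True)
class Alert:
    event_id: int
    description: str
    group: str
    actor: str             # SubjectUserName: the account that made the change
    member: Optional[str]  # MemberName for 4728/4756, otherwise None


def is_esx_admins_event(event: dict) -> bool:
    """True when EventID is in the watched set and TargetUserName contains
    one of the watched group names (case-insensitive)."""
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return False
    if event_id not in GROUP_EVENT_IDS:
        return False
    target = str(event.get("TargetUserName", "")).lower()
    return any(name in target for name in WATCHED_GROUP_NAMES)


def detect(events: Iterable[dict]) -> list:
    """Return one Alert per matching event, preserving log order."""
    alerts = []
    for e in events:
        if is_esx_admins_event(e):
            eid = int(e["EventID"])
            alerts.append(Alert(eid, GROUP_EVENT_IDS[eid], e["TargetUserName"],
                                e.get("SubjectUserName", "<unknown>"),
                                e.get("MemberName")))
    return alerts


# Constructed sample log: "jdoe" creates the group and adds a member, "mallory"
# renames an existing group to it (assumed to surface the new name in
# TargetUserName of the 4737 event); a logon and a benign group change are mixed in.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "itops",
     "MemberName": "CN=alice,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4737, "TargetUserName": "esx admins", "SubjectUserName": "mallory"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        extra = f" member={a.member}" if a.member else ""
        print(f"{a.event_id} {a.description}: group={a.group!r} by {a.actor}{extra}")
```

    Running it on the constructed sample yields three alerts (4727, 4728, 4737) and ignores the logon and the Domain Admins change. The actor field is what an analyst triages first: the group being created or renamed by an account that does not normally manage AD groups is the signal, while the same events from a change-management account during a maintenance window are the expected false-positive source.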

    Category: Sigma

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml
