Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group

    Date: 07/31/2024

    Severity: Medium

    Summary

    This entry covers CVE-2024-37085, a vulnerability in VMware ESX/ESXi. Exploitation involves creating a domain group named "ESX Admins"; membership in that group gives an attacker elevated privileges and control over the virtual environment. Recent instances of such suspicious group creation have been observed, so monitoring for the group's creation and securing ESX configurations are the key steps in preventing exploitation and maintaining system integrity.

    Indicators of Compromise (IOC) List

    Image: net.exe, net1.exe, PowerShell.exe, pwsh.exe

    Filename: net.exe, net1.exe, PowerShell.exe, pwsh.dll

    Commandline (net.exe / net1.exe): add, domain, ESX Admins, group

    Commandline (PowerShell.exe / pwsh.exe): New-ADGroup, ESX Admins

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename = "Windows security" and eventtype = "1" and (((Image like "net.exe" or Image like "net1.exe") and (Filename like "net.exe" or Filename like "net1.exe")) and (Commandline like "add" or Commandline like "domain" or Commandline like "ESX Admins" or Commandline like "group"))

    Detection Query 2

    technologygroup = "EDR" and (((Image like "net.exe" or Image like "net1.exe") and (Filename like "net.exe" or Filename like "net1.exe")) and (Commandline like "add" or Commandline like "domain" or Commandline like "ESX Admins" or Commandline like "group"))

    Detection Query 3

    resourcename = "Windows security" and eventtype = "1" and (((Image like "PowerShell.exe" or Image like "pwsh.exe") and (Filename like "PowerShell.exe" or Filename like "pwsh.dll")) and (Commandline like "New-ADGroup" or Commandline like "ESX Admins"))

    Detection Query 4

    technologygroup = "EDR" and (((Image like "PowerShell.exe" or Image like "pwsh.exe") and (Filename like "PowerShell.exe" or Filename like "pwsh.dll")) and (Commandline like "New-ADGroup" or Commandline like "ESX Admins"))
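
The four queries above, re-implemented as plain Python so the logic can be exercised against sample process-creation events offline. This is an added example, not Gurucul's query engine or the referenced SigmaHQ rule. It keeps the page's field names (Image, Filename, Commandline) and IOC values, and the events it runs over are constructed, not real telemetry. One deliberate difference is noted in the comments: the example requires every command-line fragment of a pattern to appear together, because matching on any single fragment such as "add" or "group" alone would fire on routine net.exe usage.

```python
"""Process-creation checks for suspicious 'ESX Admins' group creation
(CVE-2024-37085). Added example: not Gurucul's code and not the SigmaHQ rule.
Field names follow the page; all sample events below are constructed.
"""
import os
from typing import Iterable, List, Optional, Tuple

# Process images and original file names taken from the page's IOC list.
NET_IMAGES = {"net.exe", "net1.exe"}
PWSH_IMAGES = {"powershell.exe", "pwsh.exe"}
PWSH_FILENAMES = {"powershell.exe", "pwsh.dll"}  # pwsh.exe carries pwsh.dll as its original file name

# Command-line fragments from the page. Design choice for this example: all
# fragments of a pattern must co-occur, otherwise "add" or "group" on their own
# would match ordinary local account administration.
NET_TOKENS = ("group", "add", "domain", "esx admins")
PWSH_TOKENS = ("new-adgroup", "esx admins")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _contains_all(commandline: str, tokens: Iterable[str]) -> bool:
    lowered = commandline.lower()
    return all(token in lowered for token in tokens)


def classify(event: dict) -> Optional[str]:
    """Return the name of the matching pattern, or None if the event is benign."""
    image = _basename(event.get("Image", ""))
    filename = event.get("Filename", "").lower()
    commandline = event.get("Commandline", "")

    # Queries 1 and 2: net.exe / net1.exe adding a domain group named ESX Admins.
    if image in NET_IMAGES and filename in NET_IMAGES and _contains_all(commandline, NET_TOKENS):
        return "net_esx_admins_group_add"
    # Queries 3 and 4: PowerShell creating the group through New-ADGroup.
    if image in PWSH_IMAGES and filename in PWSH_FILENAMES and _contains_all(commandline, PWSH_TOKENS):
        return "powershell_new_adgroup_esx_admins"
    return None


def detect(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Run classify() over an event stream; return (index, pattern) for each hit."""
    hits = []
    for index, event in enumerate(events):
        pattern = classify(event)
        if pattern:
            hits.append((index, pattern))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "Filename": "net.exe",
     "Commandline": 'net group "ESX Admins" /domain /add'},
    {"Image": r"C:\Windows\System32\net1.exe", "Filename": "net1.exe",
     "Commandline": 'C:\\Windows\\system32\\net1 group "ESX Admins" /domain /add'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Filename": "PowerShell.EXE",
     "Commandline": 'powershell.exe -NoProfile -Command "New-ADGroup -Name \'ESX Admins\' -GroupScope Global"'},
    # Benign: local group change with no domain scope and no ESX Admins group.
    {"Image": r"C:\Windows\System32\net.exe", "Filename": "net.exe",
     "Commandline": "net localgroup Administrators svc_backup /add"},
    # Benign: PowerShell 7 querying groups rather than creating one.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "Filename": "pwsh.dll",
     "Commandline": "pwsh.exe -Command Get-ADGroup -Filter *"},
    # Benign: unrelated process that merely mentions the group name.
    {"Image": r"C:\Windows\explorer.exe", "Filename": "EXPLORER.EXE",
     "Commandline": "explorer.exe ESX Admins"},
]


if __name__ == "__main__":
    for index, pattern in detect(SAMPLE_EVENTS):
        print(f"event {index}: {pattern} :: {SAMPLE_EVENTS[index]['Commandline']}")
```

Run stand-alone, the script reports the first three constructed events and stays silent on the last three. Both the Image and the Filename (original file name) checks are kept, as in the page's queries, so a renamed binary that still reports its original file name is handled the same way the queries handle it; matching is case-insensitive because Windows paths and PowerShell arguments are.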

    Category: Sigma

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml

     
