Analytics Story: VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Description

This analytic story addresses the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). It detects attempts to exploit this flaw, which allows attackers with sufficient AD permissions to gain full access to ESXi hosts by recreating the 'ESX Admins' group after deletion.

Why it matters

VMware ESXi contains an authentication bypass vulnerability (CVE-2024-37085) that allows attackers to gain unauthorized access to ESXi hosts. Ransomware groups have been observed exploiting this flaw to deploy malware and encrypt virtual machines. This story focuses on detecting potential exploitation attempts, including suspicious Active Directory group modifications. It aims to help defenders identify and respond to attacks leveraging this vulnerability in their virtualized environments.

Detections

Name | Technique | Type
Windows ESX Admins Group Creation Security Event | Local Account, Domain Account | TTP
Windows ESX Admins Group Creation via Net | Domain Account, Local Account | TTP
Windows ESX Admins Group Creation via PowerShell | Domain Account, Local Account | TTP
Windows Privileged Group Modification | Local Account, Domain Account | TTP

Data Sources

Name | Platform | Sourcetype | Source
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
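As an added illustration, not part of this analytic story or its Splunk searches, the following Python applies the "via Net" and "via PowerShell" detections above to constructed Sysmon EventID 1 and PowerShell 4104 events. The field names, regular expressions and sample events are assumptions made here, not the story's own search logic.

```python
import re

# Assumed matching rules for two of the story's detections: a net/net1 command that
# adds a group named "ESX Admins", and a PowerShell script block creating that group.
# Matching is case-insensitive and tolerant of quoting/whitespace variants (a choice
# made here for robustness, not something the story specifies).
NET_GROUP_CREATE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:local)?group\s+[\"']?esx\s*admins[\"']?\s+.*?/add", re.I)
PS_GROUP_CREATE = re.compile(
    r"\bNew-(?:AD|Local)Group\b[^\n]*?-Name\s+[\"']?esx\s*admins[\"']?", re.I)

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
PWSH = "XmlWinEventLog:Microsoft-Windows-PowerShell/Operational"

# Constructed sample events (not real telemetry): a net-based group creation,
# a benign net command, a PowerShell group creation and an unrelated script block.
SAMPLE_EVENTS = [
    {"source": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "ESX Admins" /add /domain'},
    {"source": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user"},
    {"source": PWSH, "EventID": 4104,
     "ScriptBlockText": 'New-ADGroup -Name "ESX Admins" -GroupScope Global -GroupCategory Security'},
    {"source": PWSH, "EventID": 4104,
     "ScriptBlockText": "Get-ADGroup -Filter *"},
]


def classify(event):
    """Return the name of the story detection the event matches, or None."""
    if event["source"] == SYSMON and event.get("EventID") == 1:
        if NET_GROUP_CREATE.search(event.get("CommandLine", "")):
            return "Windows ESX Admins Group Creation via Net"
    elif event["source"] == PWSH and event.get("EventID") == 4104:
        if PS_GROUP_CREATE.search(event.get("ScriptBlockText", "")):
            return "Windows ESX Admins Group Creation via PowerShell"
    return None


def run_detections(events):
    """Return (detection_name, event) pairs for every event that triggers a detection."""
    hits = []
    for event in events:
        name = classify(event)
        if name:
            hits.append((name, event))
    return hits


if __name__ == "__main__":
    for name, event in run_detections(SAMPLE_EVENTS):
        print(name, "->", event.get("CommandLine") or event.get("ScriptBlockText"))
```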

Source: GitHub | Version: 1