CVE 2024 37085 Suspicious Creation Of Esx Admins Group
Query
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName has "net.exe" or FileName has "net1.exe"
| where ProcessCommandLine has_all (@"group", @"esx admins", @"/domain", @"/add")
| where InitiatingProcessCommandLine has_any (@"powershell.exe", @"pwsh.exe")
| project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessCreationTime, AccountNameAbout this query
CVE-2024-37085 Suspicious Creation Of ESX Admins Group
Description
The following query will help detect the execution of "net.exe" command to add a group "ESX Admins" which would indicate a potential exploitation attempt of CVE-2024-37085.
References
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
Microsoft XDR & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1136.002
- Create Account: Domain Account
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 30/07/2024 | Initial publish |
Explanation
This query is designed to detect suspicious activity related to the exploitation of a known vulnerability (CVE-2024-37085). Specifically, it looks for instances where the "net.exe" or "net1.exe" command is used to create a group called "ESX Admins," which could indicate an attempt to exploit this vulnerability.
Key Points:
- Purpose: Identify potential exploitation of CVE-2024-37085 by detecting the creation of the "ESX Admins" group.
- Detection Method: Monitors for the creation of processes involving "net.exe" or "net1.exe" with specific command-line arguments that suggest the addition of the "ESX Admins" group.
- Additional Context: The query also checks if these commands were initiated by PowerShell (
powershell.exeorpwsh.exe), which is often used in such attacks. - Output: The query returns details like the timestamp, device ID, device name, command line used, process creation time, and account name involved in the suspicious activity.
MITRE ATT&CK Mapping:
- Tactic: Persistence
- Technique ID: T1136.002 (Create Account: Domain Account)
Usage:
- Tools: Microsoft XDR & Microsoft Sentinel
- Version: 1.0, published on 30/07/2024
This query helps security teams quickly identify and respond to potential exploitation attempts, enhancing their ability to maintain system integrity and security.
