Query Details

CVE-2024-37085 Suspicious Creation Of ESX Admins Group

Query

# CVE-2024-37085 Suspicious Creation Of ESX Admins Group

### Description

The following query detects execution of the "net.exe" (or "net1.exe") command with arguments that create a domain group named "ESX Admins", which would indicate a potential exploitation attempt of CVE-2024-37085. An Active Directory-joined ESXi host affected by this vulnerability grants full administrative access to every member of a domain group with that name, and the group does not exist by default, so its creation is a high-signal event.

### References
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml
  
### Microsoft XDR & Microsoft Sentinel
```
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where FileName has "net.exe" or FileName has "net1.exe"
| where ProcessCommandLine has_all (@"group", @"esx admins", @"/domain", @"/add")
| where InitiatingProcessCommandLine has_any (@"powershell.exe", @"pwsh.exe")
| project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessCreationTime, AccountName
```

### MITRE ATT&CK Mapping
- Tactic: Persistence
- Technique ID: T1136.002
- [Create Account: Domain Account](https://attack.mitre.org/techniques/T1136/002/)

### Source

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 30/07/2024    | Initial publish                   |

Explanation

This query is designed to detect suspicious activity related to the exploitation of a known vulnerability (CVE-2024-37085). Specifically, it looks for instances where the "net.exe" or "net1.exe" command is used to create a group called "ESX Admins," which could indicate an attempt to exploit this vulnerability.

Key Points:

  • Purpose: Identify potential exploitation of CVE-2024-37085 by detecting creation of a domain group named "ESX Admins". On an affected Active Directory-joined ESXi host every member of a domain group with that name is treated as a full administrator, and the group does not exist by default, so its creation is high-signal.
  • Detection Method: Monitors process-creation events for "net.exe" or "net1.exe" whose command line contains all of `group`, `esx admins`, `/domain` and `/add`. The `has_all` match is case-insensitive and order-independent, so `net group "esx admins" /add /domain` fires as well.
  • Additional Context: The query only returns commands whose initiating process is PowerShell (powershell.exe or pwsh.exe), a parent commonly seen in these intrusions. This lowers noise but is also a blind spot: the same command launched from cmd.exe or a remote management tool, a group created with `New-ADGroup`, or an existing group renamed to "ESX Admins" (another method described in the Microsoft write-up) will not match. Pair the query with Active Directory group-management auditing (for example Security event ID 4727, a security-enabled global group was created) and, if the extra noise is acceptable, consider dropping the parent-process filter.
  • Output: The query returns the timestamp, device ID, device name, command line used, process creation time, and account name involved in the suspicious activity.
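As an added example that is not part of the original page or the author's query: the Python below re-implements the query's filter terms over constructed DeviceProcessEvents-style rows (all sample rows are made up) so you can see which command variants match and which known CVE-2024-37085 paths fall into the blind spot described above. KQL's `has` family is approximated with whole-term, case-insensitive matching; Kusto's real tokenizer can differ in edge cases.

```python
"""Added example: replay of the KQL filter over constructed process events.

This is not the page's query; it mirrors its four filters in Python so the
match/miss behaviour can be inspected offline.
"""
import re

_TERM_RE = re.compile(r"[a-z0-9]+")

# Filter terms copied from the KQL query.
IMAGE_TERMS = ("net.exe", "net1.exe")
CMDLINE_TERMS = ("group", "esx admins", "/domain", "/add")
PARENT_TERMS = ("powershell.exe", "pwsh.exe")


def _terms(text: str) -> list[str]:
    """Lower-case alphanumeric terms, e.g. 'net.exe /add' -> ['net', 'exe', 'add']."""
    return _TERM_RE.findall(text.lower())


def kql_has(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: the phrase's terms must occur as a consecutive run
    of whole terms in text. Whole-term matching is why 'localgroup' does not
    satisfy has "group". (Approximation of Kusto's tokenizer, not a port.)"""
    needle, hay = _terms(phrase), _terms(text)
    n = len(needle)
    return n > 0 and any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def kql_has_all(text: str, phrases) -> bool:
    return all(kql_has(text, p) for p in phrases)


def kql_has_any(text: str, phrases) -> bool:
    return any(kql_has(text, p) for p in phrases)


def matches_query(event: dict) -> bool:
    """Same four conditions as the KQL query, in the same order."""
    return (
        event["ActionType"] == "ProcessCreated"
        and kql_has_any(event["FileName"], IMAGE_TERMS)
        and kql_has_all(event["ProcessCommandLine"], CMDLINE_TERMS)
        and kql_has_any(event["InitiatingProcessCommandLine"], PARENT_TERMS)
    )


def run_query(events: list[dict]) -> list[dict]:
    """Rows the query would return (the `project` step keeps the listed columns)."""
    keep = ("Id", "Timestamp", "DeviceName", "ProcessCommandLine", "AccountName")
    return [{k: e[k] for k in keep} for e in events if matches_query(e)]


def blind_spots(events: list[dict]) -> list[str]:
    """Ids of rows that represent an attacker path yet do not match the query."""
    return [e["Id"] for e in events if e["AttackerPath"] and not matches_query(e)]


def _row(id_, file_name, cmdline, parent, attacker):
    # Constructed sample data; hostnames and accounts are fictitious.
    return {"Id": id_, "ActionType": "ProcessCreated", "FileName": file_name,
            "ProcessCommandLine": cmdline, "InitiatingProcessCommandLine": parent,
            "Timestamp": "2024-07-30T09:12:44Z", "DeviceName": "dc01.corp.example",
            "AccountName": "svc_backup", "AttackerPath": attacker}


SAMPLE_EVENTS = [
    # Textbook case from the write-up: net.exe spawned by PowerShell.
    _row("ps-net-group", "net.exe", 'net group "ESX Admins" /domain /add',
         "powershell.exe -NoProfile -Command \"net group 'ESX Admins' /domain /add\"", True),
    # Direct net1.exe call, mixed case, reordered switches: still matches.
    _row("pwsh-net1-mixed-case", "net1.exe",
         'C:\\Windows\\system32\\net1 GROUP "esx admins" /ADD /DOMAIN',
         "pwsh.exe -c \"& net1 GROUP 'esx admins' /ADD /DOMAIN\"", True),
    # Same command, but launched from cmd.exe: parent filter drops it.
    _row("cmd-parent", "net.exe", 'net group "ESX Admins" /domain /add',
         'cmd.exe /c net group "ESX Admins" /domain /add', True),
    # Group created via the AD module instead of net.exe: image filter drops it.
    _row("new-adgroup", "powershell.exe",
         'powershell.exe -Command New-ADGroup -Name "ESX Admins" -GroupScope Global',
         "cmd.exe", True),
    # Benign enumeration of another group: no "esx admins", no /add.
    _row("benign-list", "net.exe", 'net group "Domain Admins" /domain',
         "powershell.exe", False),
    # Local group, not a domain group: 'localgroup' is one term, and /domain is absent.
    _row("localgroup", "net.exe", 'net localgroup "ESX Admins" /add',
         "powershell.exe", False),
]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print("HIT ", hit["Id"], "|", hit["ProcessCommandLine"])
    for missed in blind_spots(SAMPLE_EVENTS):
        print("MISS", missed)
```

Running it shows two hits (`ps-net-group`, `pwsh-net1-mixed-case`) and two attacker paths the query cannot see (`cmd-parent`, `new-adgroup`), which is the argument for pairing this process-based rule with Active Directory group-creation auditing.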

MITRE ATT&CK Mapping:

  • Tactic: Persistence
  • Technique ID: T1136.002 (Create Account: Domain Account)

Usage:

  • Tools: Microsoft XDR & Microsoft Sentinel
  • Version: 1.0, published on 30/07/2024

This query helps security teams quickly identify and respond to potential exploitation attempts, enhancing their ability to maintain system integrity and security.

Details

Michalis Michalos

Released: July 30, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, DeviceId, DeviceName, ProcessCommandLine, ProcessCreationTime, AccountName

Operators

==, has, or, has_all, has_any, project