Language: SPL. License: Apache-2.0. Source: splunk/security_content

Windows ESX Admins Group Creation Security Event

This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).

Rule source: detections/endpoint/windows_esx_admins_group_creation_security_event.yml
`wineventlog_security` EventCode IN (4727, 4730, 4737) (TargetUserName="ESX Admins" OR TargetUserName="*ESX Admins*")
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY EventCode TargetUserName TargetDomainName
       SubjectUserName SubjectDomainName Computer
  | rename Computer as dest
  | eval EventCodeDescription=case( EventCode=4727, "Security Enabled Global Group Created", EventCode=4730, "Security Enabled Global Group Deleted", EventCode=4737, "Security Enabled Global Group Modified" )
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_esx_admins_group_creation_security_event_filter`
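The same filter-and-aggregate logic as the SPL above, as an added Python example that is not part of splunk/security_content: it runs over constructed Windows Security event records (field names follow the rule; the values are made up) and assumes Splunk's case-insensitive field matching, approximated here with a case-insensitive substring match, so the negative cases show what the rule does not fire on.

```python
import re

# Event IDs the rule watches, mapped to the descriptions the SPL eval/case() assigns.
EVENT_DESCRIPTIONS = {
    4727: "Security Enabled Global Group Created",
    4730: "Security Enabled Global Group Deleted",
    4737: "Security Enabled Global Group Modified",
}
# Assumption: Splunk field matching is case-insensitive, so "*ESX Admins*" is
# approximated as a case-insensitive substring match (it also covers the exact form).
TARGET_PATTERN = re.compile(r"ESX Admins", re.IGNORECASE)
GROUP_BY = ("EventCode", "TargetUserName", "TargetDomainName",
            "SubjectUserName", "SubjectDomainName", "Computer")

def detect_esx_admins_group_events(events):
    """Filter like the search clause, then emulate stats/rename/eval; one row per BY key."""
    buckets = {}
    for ev in events:
        if ev.get("EventCode") not in EVENT_DESCRIPTIONS:
            continue  # e.g. 4728 (member added) is out of scope for this rule
        if not TARGET_PATTERN.search(ev.get("TargetUserName", "")):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        b = buckets.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        b["count"] += 1
        b["firstTime"] = min(b["firstTime"], ev["_time"])
        b["lastTime"] = max(b["lastTime"], ev["_time"])
    rows = []
    for key, b in buckets.items():
        row = dict(zip(GROUP_BY, key))
        row["dest"] = row.pop("Computer")  # | rename Computer as dest
        row["EventCodeDescription"] = EVENT_DESCRIPTIONS[row["EventCode"]]
        row.update(b)
        rows.append(row)
    return rows

def _event(t, code, target):  # constructed sample record, not real telemetry
    return {"_time": t, "EventCode": code, "TargetUserName": target, "TargetDomainName": "CORP",
            "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "Computer": "dc01.corp.example"}

SAMPLE_EVENTS = [
    _event(1700000000, 4727, "ESX Admins"),   # group created
    _event(1700000060, 4737, "esx admins"),   # modified (case differs, still matched)
    _event(1700000120, 4727, "ESX Admins"),   # created again: same BY key, count becomes 2
    _event(1700000180, 4727, "Finance"),      # different group: ignored
    _event(1700000240, 4728, "ESX Admins"),   # member added: not one of the rule's event codes
]

if __name__ == "__main__":
    for row in detect_esx_admins_group_events(SAMPLE_EVENTS):
        print(row["EventCodeDescription"], row["TargetUserName"], row["count"], row["dest"])
```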