← Library
splApache-2.0from splunk/security_content

Windows ESX Admins Group Creation via PowerShell

This analytic detects attempts to create an "ESX Admins" group using PowerShell commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the 'ESX Admins' group after its deletion from Active Directory.

Quality
43
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
`powershell` EventCode=4104 (ScriptBlockText="*New-ADGroup*" OR ScriptBlockText="*New-LocalGroup*") ScriptBlockText="*ESX Admins*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_esx_admins_group_creation_via_powershell_filter`