Analytics Story: VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Description
This analytic story addresses the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). It detects attempts to exploit this flaw, which allows attackers with sufficient AD permissions to gain full access to ESXi hosts by recreating the 'ESX Admins' group after deletion.
Why it matters
VMware ESXi contains an authentication bypass vulnerability (CVE-2024-37085) that allows attackers to gain unauthorized access to ESXi hosts. Ransomware groups have been observed exploiting this flaw to deploy malware and encrypt virtual machines. This story focuses on detecting potential exploitation attempts, in particular suspicious Active Directory group modifications. It aims to help defenders identify and respond to attacks leveraging this vulnerability in their virtualized environments.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
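The group recreation the story describes shows up in the two data sources above as a script block or process command line that creates or renames a group called "ESX Admins". The following Python is an added example, not part of the analytic story or its Splunk searches: it runs that detection logic over constructed 4104 and Sysmon EventID 1 events; the indicator patterns, the sample events and the helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events (not real telemetry) in the two formats the story lists:
# PowerShell 4104 script block logging and Sysmon EventID 1 process creation.
NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE_EVENTS = [
    f'<Event {NS}><System><EventID>4104</EventID></System><EventData>'
    '<Data Name="ScriptBlockText">New-ADGroup -Name "ESX Admins" -GroupScope Global</Data></EventData></Event>',
    f'<Event {NS}><System><EventID>1</EventID></System><EventData>'
    '<Data Name="CommandLine">net group "ESX Admins" /add /domain</Data></EventData></Event>',
    f'<Event {NS}><System><EventID>4104</EventID></System><EventData>'
    '<Data Name="ScriptBlockText">Rename-ADObject -Identity $g -NewName \'ESX Admins\'</Data></EventData></Event>',
    f'<Event {NS}><System><EventID>1</EventID></System><EventData>'
    '<Data Name="CommandLine">powershell.exe Get-ADGroup -Filter *</Data></EventData></Event>',
]

# Assumed indicator patterns: creation or renaming of a group named "ESX Admins"
# (case-insensitive, quotes optional), the group the story says attackers recreate.
GROUP = r'["\']?esx\s+admins["\']?'
PATTERNS = {
    "group_created": re.compile(r'new-adgroup\b.*' + GROUP + r'|net(?:\.exe)?\s+group\s+' + GROUP + r'.*/add', re.I),
    "group_renamed": re.compile(r'rename-adobject\b.*-newname\s+' + GROUP, re.I),
}

def extract_command(event_xml):
    """Return (event_id, text): ScriptBlockText for 4104, CommandLine for Sysmon 1."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext(".//{*}EventID") or ""
    field = "ScriptBlockText" if event_id == "4104" else "CommandLine"
    for data in root.findall(".//{*}Data"):  # {*} matches the Windows event namespace
        if data.get("Name") == field:
            return event_id, data.text or ""
    return event_id, ""

def detect(events):
    """Return (event_id, indicator, text) for each event matching an indicator pattern."""
    findings = []
    for event_xml in events:
        event_id, text = extract_command(event_xml)
        for label, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((event_id, label, text))
                break
    return findings

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

In a Splunk deployment the same two fields (ScriptBlockText from the PowerShell sourcetype, CommandLine from the Sysmon sourcetype) are what a search over these data sources would filter on.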
References
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/
Source: GitHub | Version: 1