LoFP

Legitimate administrators might create, delete, or modify an "ESX Admins" group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities (for example, whether an "ESX Admins" group already existed and which accounts were added to it afterwards).

Techniques

Sample rules

Windows ESX Admins Group Creation Security Event

Description

This analytic detects the creation, deletion, or modification of a group named "ESX Admins" in Active Directory, using Security event IDs 4727, 4730 and 4737. Such events may indicate an attempt to exploit the VMware ESXi Active Directory integration authentication bypass (CVE-2024-37085), in which an attacker with sufficient AD privileges creates or renames a group to "ESX Admins" so that its members are granted full administrative access to domain-joined ESXi hosts. Note that these three event IDs cover security-enabled global groups only; if your environment also uses universal or domain-local groups, extend the search with the corresponding IDs (4754/4755/4758 for universal, 4731/4735/4734 for domain-local), and pair this rule with membership-change events (4728/4756/4732) to see who was added to the group.

Detection logic

`wineventlog_security` EventCode IN (4727, 4730, 4737) (TargetUserName="ESX Admins" OR TargetUserName="*ESX Admins*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode TargetUserName TargetDomainName SubjectUserName SubjectDomainName Computer 
| rename Computer as dest 
| eval EventCodeDescription=case( EventCode=4727, "Security Enabled Global Group Created", EventCode=4730, "Security Enabled Global Group Deleted", EventCode=4737, "Security Enabled Global Group Modified" ) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_esx_admins_group_creation_security_event_filter`
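The detection logic above, re-implemented as an added, self-contained Python example (not part of the original rule or of the Splunk security content project) and run over constructed sample Security events, so the matching, grouping and case-insensitivity semantics of the SPL can be checked without a Splunk instance. It also models the LoFP note at the top of the page: the `allowlisted_subjects` parameter stands in for the `windows_esx_admins_group_creation_security_event_filter` tuning macro and is an assumption of this example, as are the hostnames, accounts and timestamps in the sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Event IDs the rule keys on, with the descriptions the SPL assigns in eval/case().
EVENT_DESCRIPTIONS = {
    4727: "Security Enabled Global Group Created",
    4730: "Security Enabled Global Group Deleted",
    4737: "Security Enabled Global Group Modified",
}

# The "stats ... by" fields of the SPL, in order.
GROUP_BY = ("EventCode", "TargetUserName", "TargetDomainName",
            "SubjectUserName", "SubjectDomainName", "Computer")


def _t(hour, minute, second):
    """Epoch seconds for a constructed 2024-07-29 UTC timestamp (sample data only)."""
    return datetime(2024, 7, 29, hour, minute, second, tzinfo=timezone.utc).timestamp()


def _event(ts, code, target, subject, computer="DC01.corp.example", domain="CORP"):
    """Build one event with the wineventlog_security field names the SPL relies on."""
    return {"_time": ts, "EventCode": code, "TargetUserName": target,
            "TargetDomainName": domain, "SubjectUserName": subject,
            "SubjectDomainName": domain, "Computer": computer}


# Constructed sample events, not real telemetry (hosts/accounts are hypothetical).
SAMPLE_EVENTS = [
    _event(_t(10, 15, 2), 4727, "ESX Admins", "svc-backup"),    # group created
    _event(_t(10, 15, 30), 4727, "ESX Admins", "svc-backup"),   # created again: same key, count 2
    _event(_t(10, 15, 40), 4728, "ESX Admins", "svc-backup"),   # member added: 4728 is NOT in the rule
    _event(_t(10, 16, 10), 4737, "esx admins", "svc-backup"),   # case variant still matches
    _event(_t(10, 20, 0), 4727, "Domain Admins", "jdoe"),       # unrelated group: no match
    _event(_t(10, 30, 0), 4727, "ESX Admins Backup", "jdoe"),   # matched via the *ESX Admins* wildcard
    _event(_t(11, 0, 0), 4730, "ESX Admins", "jdoe"),           # group deleted
]


def matches(event):
    """Base search: EventCode IN (4727,4730,4737) and TargetUserName matching *ESX Admins*.
    Splunk's search-time field comparison is case-insensitive, so casefold here as well."""
    return (event["EventCode"] in EVENT_DESCRIPTIONS
            and "esx admins" in event["TargetUserName"].casefold())


def ctime(ts):
    """Stand-in for the `security_content_ctime` macro: epoch -> readable UTC string."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events, allowlisted_subjects=()):
    """Mirror the stats / rename / eval stages: one row per distinct GROUP_BY tuple.
    allowlisted_subjects models the rule's *_filter macro (hypothetical tuning knob):
    rows whose SubjectUserName is confirmed as an authorized change are dropped."""
    buckets = defaultdict(list)
    for ev in events:
        if matches(ev):
            buckets[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in buckets.items():
        row = dict(zip(GROUP_BY, key))
        row["dest"] = row.pop("Computer")            # | rename Computer as dest
        row["count"] = len(times)
        row["firstTime"] = ctime(min(times))
        row["lastTime"] = ctime(max(times))
        row["EventCodeDescription"] = EVENT_DESCRIPTIONS[row["EventCode"]]
        if row["SubjectUserName"] not in allowlisted_subjects:
            rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for r in run_detection(SAMPLE_EVENTS):
        print(r)
```

Two things the sample data makes visible: the rule does not see membership additions (4728), so the account that was placed in the group must be pulled from a separate search, and the trailing wildcard means any group whose name merely contains "ESX Admins" will also alert, which is usually what you want for this CVE but is worth knowing when tuning.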