Query Details

CVE 2024 37085 Suspicious Creation Of Esx Admins Group Through Securityevent

Query

SecurityEvent
| where tostring(EventID) has_any (dynamic(["4727", "4728", "4737"]))
| where TargetUserName contains @"esx admins"
| project TimeGenerated, EventID, SubjectDomainName, SubjectUserName, TargetDomainName, TargetUserName

About this query

CVE-2024-37085 Suspicious Creation Of ESX Admins Group through SecurityEvent

Description

The following query will help detect any creation or modification to a windows domain group with the name "ESX Admins" which would potentially indicate exploitation attempt of CVE-2024-37085.

References

Microsoft Sentinel

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.030/07/2024Initial publish

Explanation

Summary of the Query

This query is designed to detect any suspicious creation or modification of a Windows domain group named "ESX Admins." Such activity could indicate an attempt to exploit the vulnerability CVE-2024-37085.

How the Query Works

  1. Source of Data: The query looks at SecurityEvent logs.
  2. Event Filtering: It filters events with specific Event IDs (4727, 4728, 4737), which are associated with group creation and modification activities.
  3. Group Name Check: It specifically checks if the TargetUserName (the name of the group being created or modified) contains "esx admins".
  4. Data Projection: It then selects and displays relevant information such as the time the event was generated, the Event ID, and details about the user and domain involved.

Output Fields

  • TimeGenerated: When the event occurred.
  • EventID: The ID of the event.
  • SubjectDomainName: The domain of the user who performed the action.
  • SubjectUserName: The username of the person who performed the action.
  • TargetDomainName: The domain of the group being created or modified.
  • TargetUserName: The name of the group being created or modified.

Purpose

The query helps security teams identify potential exploitation attempts of the CVE-2024-37085 vulnerability by monitoring for the creation or modification of a specific domain group, "ESX Admins," which could be a target for attackers.

Additional Information

  • References: Links to detailed articles and resources about the vulnerability and its exploitation.
  • MITRE ATT&CK Mapping: The activity is mapped to the MITRE ATT&CK framework under the tactic of Persistence and the technique of creating domain accounts (Technique ID: T1136.002).

Versioning

  • Version 1.0: Initial version published on 30/07/2024.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: July 30, 2024

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

wheretostringhas_anydynamiccontainsproject

MITRE Techniques

Actions

GitHub