Windows ESX Admins Group Creation via Net

Name:Windows ESX Admins Group Creation via Net
id:3d7df60b-3332-4667-8090-afe03e08dce0
version:3
date:2024-11-26
author:Michael Haag, Splunk
status:production
type:TTP
Description:This analytic detects attempts to create an "ESX Admins" group using the Windows net.exe or net1.exe commands. This activity may indicate an attempt to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085). Attackers can use this method to gain unauthorized access to ESXi hosts by recreating the "ESX Admins" group after its deletion from Active Directory.
Data_source:

• -Sysmon EventID 1

search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` AND (Processes.process="*group \"ESX Admins\"*" OR Processes.process="*group ESX Admins*") AND Processes.process="*/add*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_esx_admins_group_creation_via_net_filter`

how_to_implement:To successfully implement this search, you need to be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
known_false_positives:Legitimate administrators might create an "ESX Admins" group for valid reasons. Verify that the group creation is authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.
References:
  -https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
  -https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
  -https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/
drilldown_searches:
 name:'View the detection results for - "$user$" and "$dest$"'
 search:'%original_detection_search% | search user = "$user$" dest = "$dest$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$" and "$dest$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'VMware ESXi AD Integration Authentication Bypass CVE-2024-37085'
  asset_type:Endpoint
  confidence:70
  impact:80
  message:An attempt to create an "ESX Admins" group was detected on $dest$ by user $user$.
  mitre_attack_id:
    - 'T1136.002'
    - 'T1136.001'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Processes.dest'
    - 'Processes.user'
    - 'Processes.parent_process_name'
    - 'Processes.parent_process'
    - 'Processes.process_name'
    - 'Processes.process'
    - 'Processes.process_id'
    - 'Processes.original_file_name'
  risk_score:56
  security_domain:endpoint
  cve:
    - 'CVE-2024-37085'

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon-esxadmins.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
manual_test:None