detection.wiki

Detection rules › Splunk

Windows ESX Admins Group Creation Security Event

Author
Michael Haag, Splunk
Source
upstream

This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1136.001 Create Account: Local Account, T1136.002 Create Account: Domain Account

Event coverage

ProviderEvent IDTitle
Security-Auditing4727A security-enabled global group was created.
Security-Auditing4730A security-enabled global group was deleted.
Security-Auditing4737A security-enabled global group was changed.

Stages and Predicates

Stage 1: search

search (TargetUserName="*ESX Admins*" OR TargetUserName="ESX Admins") EventCode IN (4727, 4730, 4737)

Stage 2: stats

stats BY EventCode, TargetUserName, TargetDomainName, SubjectUserName, SubjectDomainName, Computer

Stage 3: rename

rename

Stage 4: eval

eval ... using (EventCode)

Stage 5: search

search

Stage 6: search

search

Stage 7: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodein
  • 4727 corpus 3 (splunk 3)
  • 4730
  • 4737
TargetUserNameeq
  • "*ESX Admins*"
  • "ESX Admins"

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.