
Summary
This detection rule identifies attempts to create a group named "ESX Admins" using PowerShell on Windows systems. Such group creation may indicate an attempt to exploit the VMware ESXi Active Directory integration authentication bypass vulnerability (CVE-2024-37085). Specifically, it targets the scenario in which an attacker recreates the "ESX Admins" group after it has been deleted from Active Directory, potentially gaining unauthorized access to ESXi hosts. The detection relies on PowerShell Script Block Logging and looks for script blocks that contain "New-ADGroup" or "New-LocalGroup" together with "ESX Admins". The rule is designed to alert security teams to suspicious group creation so that it can be validated against legitimate administrative activity.
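The rule logic above, applied to constructed Script Block Logging records as an added example (not code from the rule page itself): the event field names follow the Windows 4104 event schema, the sample events are made up, and the per-cmdlet mapping to the listed ATT&CK sub-techniques is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample PowerShell Script Block Logging records (Event ID 4104).
# Field names mirror the Windows event schema; the values are made up.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4104, "Computer": "dc01.example.local",
     "ScriptBlockText": 'New-ADGroup -Name "ESX Admins" -GroupScope Global -Path "CN=Users,DC=example,DC=local"'},
    {"EventID": 4104, "Computer": "ws07.example.local",
     "ScriptBlockText": "new-localgroup -name 'esx admins' -Description 'host access'"},
    {"EventID": 4104, "Computer": "dc01.example.local",
     "ScriptBlockText": 'New-ADGroup -Name "Helpdesk" -GroupScope Global'},
    {"EventID": 4104, "Computer": "ws03.example.local",
     "ScriptBlockText": 'Get-ADGroup -Filter {Name -eq "ESX Admins"}'},
    {"EventID": 4103, "Computer": "dc01.example.local",
     "ScriptBlockText": 'New-ADGroup -Name "ESX Admins"'},
]

# Group-creation cmdlets the rule looks for, and the technique each maps to
# (assumed mapping: domain group -> T1136.002, local group -> T1136.001).
TECHNIQUE_BY_CMDLET = {"new-adgroup": "T1136.002", "new-localgroup": "T1136.001"}
CMDLET_RE = re.compile(r"\b(New-ADGroup|New-LocalGroup)\b", re.IGNORECASE)
# Tolerate case and whitespace variants of the group name inside any quoting.
GROUP_RE = re.compile(r"ESX\s+Admins", re.IGNORECASE)


def evaluate(event: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return an alert dict if the event matches the rule, else None."""
    if event.get("EventID") != 4104:          # only script block log entries
        return None
    text = str(event.get("ScriptBlockText", ""))
    cmdlet = CMDLET_RE.search(text)
    if cmdlet is None or GROUP_RE.search(text) is None:
        return None                            # lookups like Get-ADGroup stay quiet
    name = cmdlet.group(1).lower()
    return {
        "rule": "ESX Admins group creation via PowerShell",
        "computer": str(event.get("Computer", "")),
        "cmdlet": cmdlet.group(1),
        "technique": TECHNIQUE_BY_CMDLET[name],
        "script": text,
    }


def run_rule(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events and return the alerts raised."""
    return [alert for alert in map(evaluate, events) if alert is not None]
```

Running `run_rule(SAMPLE_EVENTS)` raises two alerts (the domain and the local group creation) and ignores the Helpdesk group, the read-only Get-ADGroup query, and the record with the wrong event ID.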
Categories
- Windows
- Endpoint
Data Sources
- Pod
- Script
ATT&CK Techniques
- T1136.002
- T1136.001
Created: 2024-11-13