Detection rules › Splunk
Windows ESX Admins Group Creation Security Event
This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136.001 Create Account: Local Account, T1136.002 Create Account: Domain Account |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4727 | A security-enabled global group was created. |
| Security-Auditing | Event ID 4730 | A security-enabled global group was deleted. |
| Security-Auditing | Event ID 4737 | A security-enabled global group was changed. |
Rule body splunk
name: Windows ESX Admins Group Creation Security Event
id: 53b4c927-5ec4-47cd-8aed-d4b303304f87
version: 9
creation_date: '2024-07-30'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: This analytic detects creation, deletion, or modification of the "ESX Admins" group in Active Directory. These events may indicate attempts to exploit the VMware ESXi Active Directory Integration Authentication Bypass vulnerability (CVE-2024-37085).
data_source:
- Windows Event Log Security 4727
- Windows Event Log Security 4730
- Windows Event Log Security 4737
search: |-
`wineventlog_security` EventCode IN (4727, 4730, 4737) (TargetUserName="ESX Admins" OR TargetUserName="*ESX Admins*")
| stats count min(_time) as firstTime max(_time) as lastTime
BY EventCode TargetUserName TargetDomainName
SubjectUserName SubjectDomainName Computer
| rename Computer as dest
| eval EventCodeDescription=case( EventCode=4727, "Security Enabled Global Group Created", EventCode=4730, "Security Enabled Global Group Deleted", EventCode=4737, "Security Enabled Global Group Modified" )
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_esx_admins_group_creation_security_event_filter`
how_to_implement: To successfully implement this search, ensure that Windows Security Event logging is enabled and being ingested into Splunk, particularly for event codes 4727, 4730, and 4737. Configure Group Policy settings to audit these specific events.
known_false_positives: Legitimate administrators might create, delete, or modify an "ESX Admins" group for valid reasons. Verify that the group changes are authorized and part of normal administrative tasks. Consider the context of the action, such as the user performing it and any related activities.
references:
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- https://www.securityweek.com/microsoft-says-ransomware-gangs-exploiting-just-patched-vmware-esxi-flaw/
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: ESX Admins group $EventCodeDescription$ on $dest$ by user $SubjectUserName$.
entity:
field: SubjectUserName
type: user
score: 50
intermediate_findings:
entities:
- field: dest
type: system
score: 50
message: ESX Admins group $EventCodeDescription$ on $dest$ by user $SubjectUserName$.
analytic_story:
- VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
asset_type: Endpoint
cve:
- CVE-2024-37085
mitre_attack_id:
- T1136.001
- T1136.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security-esxadmins.log
sourcetype: XmlWinEventLog
source: Security
test_type: unit
Stages and Predicates
Stage 1: search
`wineventlog_security` EventCode IN (4727, 4730, 4737) (TargetUserName="ESX Admins" OR TargetUserName="*ESX Admins*")
Stage 2: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY EventCode TargetUserName TargetDomainName
SubjectUserName SubjectDomainName Computer
Stage 3: rename
| rename Computer as dest
Stage 4: eval
| eval EventCodeDescription=case( EventCode=4727, "Security Enabled Global Group Created", EventCode=4730, "Security Enabled Global Group Deleted", EventCode=4737, "Security Enabled Global Group Modified" )
EventCodeDescription =if
EventCode = 4727"Security Enabled Global Group Created"elif
EventCode = 4730"Security Enabled Global Group Deleted"else
"Security Enabled Global Group Modified"Stage 5: search
| `security_content_ctime(firstTime)`
Stage 6: search
| `security_content_ctime(lastTime)`
Stage 7: search
| `windows_esx_admins_group_creation_security_event_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | in |
|
TargetUserName | eq |
|