Directory Insights in 10 Minutes
In this episode, Craig Birch breaks down how Scattered Spider, also known as Octo Tempest, is exploiting a built-in trust relationship between Active Directory and VMware ESXi to escalate privileges and deploy ransomware — all without triggering traditional security tools. Learn how the ESX Admins group becomes an unintentional backdoor to root access on every ESXi host in your environment, and why this attack path — warned about in CVE-2024-37085 — is being actively exploited in the wild. You’ll also get a quick PowerShell walkthrough to detect the ESX Admins group and hear how Cayosoft Guardian can proactively detect and block this behavior before it causes damage. * Who is Scattered Spider and what makes their attacks unique * How Active Directory and VMware vSphere integration can expose your hypervisors * The role of the ESX Admins AD group in privilege escalation * Live PowerShell examples to detect group presence and abuse * How Cayosoft Guardian detects and stops unauthorized privilege paths * CVE-2024-37085 and its relevance to real-world breaches Check if the ESX Admins group exists: List group members: Search for changes to group membership: * Real-time detection of suspicious AD group membership changes * Custom Change Roles to block group creation like ESX Admins * 200+ identity misconfigurations covered across AD, Entra ID, Microsoft 365, and Intune * Rollback and audit features for fast response and recovery “If you’ve got domain-joined ESXi hosts and an ESX Admins group in AD — you’ve got a direct path to root. And attackers like Scattered Spider know it.” Until next time stay guarded, stay informed, and be the guardian of your directory.
11 episodes
Comments
0Be the first to comment
Sign up now and become a member of the Directory Insights in 10 Minutes community!