Which SIEM platforms have a CVE-2024-37079 detection rule?

df00tech provides CVE-2024-37079 (VMware vCenter Server Out-of-bounds Write (CVE-2024-37079)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect VMware vCenter Server Out-of-bounds Write (CVE-2024-37079) (CVE-2024-37079)?

Detecting VMware vCenter Server Out-of-bounds Write (CVE-2024-37079) requires the following data sources: CommonSecurityLog, Syslog, AzureActivity.

What severity and confidence is the CVE-2024-37079 detection?

The CVE-2024-37079 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2024-37079?

Common false positives for CVE-2024-37079 include: Legitimate vCenter upgrades or patches that cause transient service restarts may trigger process crash signals; Misconfigured third-party backup agents polling vCenter management APIs on non-standard schedules; Internal vulnerability scanners (Tenable, Qualys) probing vCenter management ports during authorized assessments.

CVE-2024-37079 Detection: VMware vCenter Server Out-of-bounds Write (CVE-2024-37079) (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let vcenter_ips = dynamic([]);
union
(
    CommonSecurityLog
    | where DeviceProduct has_any ("vCenter", "VMware vCenter")
    | where Message has_any ("out-of-bounds", "heap corruption", "DCERPC", "vmdir", "vpxd crash", "core dump", "segfault")
    | project TimeGenerated, DeviceAddress, SourceIP, DestinationIP, Message, Activity, DeviceProduct
),
(
    Syslog
    | where ProcessName in ("vpxd", "vmdir", "vmdird", "vmafdd")
    | where SyslogMessage has_any ("segfault", "core dumped", "heap-buffer-overflow", "stack smashing", "SIGABRT", "SIGSEGV")
    | project TimeGenerated, HostName, HostIP, ProcessName, SyslogMessage
),
(
    AzureActivity
    | where ResourceProviderValue =~ "Microsoft.AVS"
    | where OperationNameValue has_any ("write", "update") and ActivityStatusValue =~ "Failed"
    | project TimeGenerated, CallerIpAddress, ResourceGroup, OperationNameValue, ActivityStatusValue
),
(
    CommonSecurityLog
    | where DestinationPort in (443, 902, 5480, 9443)
    | where DeviceVendor has_any ("VMware", "Broadcom")
    | where Activity has_any ("exploit", "attack", "CVE-2024-37079")
    | project TimeGenerated, SourceIP, DestinationIP, DestinationPort, Activity, Message
)
| sort by TimeGenerated desc

Detects indicators of CVE-2024-37079 exploitation against VMware vCenter Server by correlating vCenter process crashes, out-of-bounds memory errors, and anomalous DCERPC/management-port activity sourced from CommonSecurityLog and Syslog tables in Microsoft Sentinel.

critical severity medium confidence

Data Sources

CommonSecurityLog Syslog AzureActivity

Required Tables

CommonSecurityLog Syslog AzureActivity

False Positives

Legitimate vCenter upgrades or patches that cause transient service restarts may trigger process crash signals
Misconfigured third-party backup agents polling vCenter management APIs on non-standard schedules
Internal vulnerability scanners (Tenable, Qualys) probing vCenter management ports during authorized assessments
Hardware failures or resource exhaustion causing vCenter daemon crashes unrelated to exploitation

Splunk

spl

index=* sourcetype IN ("vmware:vcenter:log", "vmware:esxi:syslog", "linux_secure", "syslog", "cisco:asa", "pan:traffic")
(host=*vcenter* OR host=*vcs* OR host=*vc[0-9]*)
(
  (
    (source="/var/log/vmware/vpxd/vpxd.log" OR source="/var/log/vmware/vmdird/vmdird.log")
    ("segfault" OR "core dump" OR "heap-buffer-overflow" OR "SIGABRT" OR "SIGSEGV" OR "out of bounds" OR "stack smashing detected")
  )
  OR
  (
    sourcetype IN ("cisco:asa", "pan:traffic", "juniper:junos:firewall")
    dest_port IN (443, 902, 5480, 9443)
    ("CVE-2024-37079" OR "exploit" OR "scanner")
  )
  OR
  (
    sourcetype="vmware:vcenter:log"
    ("DCERPC" OR "RPC fault" OR "malformed request" OR "unexpected token" OR "parse error")
  )
)
| eval severity=case(
    match(_raw, "segfault|SIGSEGV|heap-buffer-overflow|core dump"), "critical",
    match(_raw, "DCERPC|RPC fault|malformed request"), "high",
    true(), "medium"
  )
| stats count AS event_count, values(severity) AS severities, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(src_ip) AS source_ips BY host, source, sourcetype
| where event_count > 0
| sort - last_seen

Splunk query correlating VMware vCenter daemon crash signals, out-of-bounds memory errors in vCenter logs, and suspicious inbound traffic to vCenter management ports to surface CVE-2024-37079 exploitation attempts.

critical severity medium confidence

Data Sources

VMware vCenter logs Syslog Firewall/Network logs

Required Sourcetypes

vmware:vcenter:log vmware:esxi:syslog linux_secure syslog

False Positives

Authorized vulnerability scans against vCenter management interfaces generating parse-error log entries
vCenter service restarts during patch windows producing crash-like log signatures
Misconfigured monitoring agents sending malformed health-check requests to vCenter APIs
Third-party integrations (backup, orchestration) with incompatible API versions producing RPC fault entries

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.name in ("vpxd", "vmdir", "vmdird", "vmafdd", "vmcad") and
   host.os.type == "linux"]
  [process where event.type == "end" and
   process.name in ("vpxd", "vmdir", "vmdird", "vmafdd") and
   process.exit_code != 0]

OR

any where
  (
    (event.dataset == "system.syslog" and
     host.name : ("*vcenter*", "*vcs*") and
     message : ("segfault", "heap-buffer-overflow", "SIGSEGV", "SIGABRT", "core dumped", "stack smashing"))
    OR
    (event.category == "network" and
     destination.port in (443, 902, 5480, 9443) and
     destination.ip : ("*vcenter*") and
     network.protocol == "tcp" and
     event.action == "connection_attempted")
  )

Elastic EQL sequence detection correlating abnormal vCenter process terminations with memory corruption signals and anomalous inbound connections to vCenter management ports as indicators of CVE-2024-37079 exploitation.

critical severity medium confidence

Data Sources

Elastic Endpoint System syslog Network packet logs

Required Tables

logs-system.syslog-* logs-endpoint.events.process-* logs-network_traffic.*

False Positives

Planned vCenter maintenance or upgrades causing daemon restarts with non-zero exit codes
Resource exhaustion (OOM) events killing vCenter processes mimicking crash signatures
Automated integration tests in non-production vCenter environments
VMware Tools updates causing transient process churn across managed hosts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  logsourcename(logsourceid) AS log_source,
  category,
  QIDNAME(qid) AS event_name,
  "username",
  magnitude,
  UTF8(payload) AS raw_payload
FROM events
WHERE
  (
    (
      logsourcetypename(devicetype) ILIKE '%VMware%'
      AND (
        UTF8(payload) ILIKE '%segfault%'
        OR UTF8(payload) ILIKE '%heap-buffer-overflow%'
        OR UTF8(payload) ILIKE '%SIGSEGV%'
        OR UTF8(payload) ILIKE '%core dump%'
        OR UTF8(payload) ILIKE '%out of bounds%'
        OR UTF8(payload) ILIKE '%DCERPC%'
        OR UTF8(payload) ILIKE '%vpxd%crash%'
        OR UTF8(payload) ILIKE '%CVE-2024-37079%'
      )
    )
    OR
    (
      destinationport IN (443, 902, 5480, 9443)
      AND destinationip INCIDR '0.0.0.0/0'
      AND category = 'Application'
      AND magnitude >= 6
    )
  )
  AND LOGSOURCETIME(starttime) > NOW() - 1 HOURS
ORDER BY starttime DESC
LIMIT 1000

QRadar AQL query identifying CVE-2024-37079 exploitation indicators via VMware log source payload analysis for memory corruption signals and high-magnitude events targeting vCenter management ports.

critical severity medium confidence

Data Sources

VMware vCenter log source Network activity events

Required Tables

events

False Positives

VMware log sources generating high-magnitude events during scheduled maintenance windows
Legitimate administrative RPC calls to vCenter that match DCERPC payload patterns
Automated monitoring tools connecting to vCenter management ports triggering network activity rules
Old or misconfigured integrations sending deprecated API calls that generate parse-error payloads

Sumo Logic CSE

sql

_sourceCategory=*vmware* OR _sourceCategory=*vcenter*
| parse "*" as raw_message
| where raw_message matches /segfault|heap-buffer-overflow|SIGSEGV|SIGABRT|core dump(ed)?|stack smashing|out.of.bounds|DCERPC|RPC fault|malformed request|CVE-2024-37079/ OR
  (_sourceCategory matches /firewall|network|palo_alto|cisco_asa/ and (raw_message matches /:(443|902|5480|9443)/ and raw_message matches /vcenter|vcs/))
| extract "(?P<process>vpxd|vmdir|vmdird|vmafdd|vmcad)" from raw_message nodrop
| extract "(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" from raw_message nodrop
| eval crash_indicator = if(raw_message matches /segfault|SIGSEGV|core dump|heap-buffer-overflow/, "true", "false")
| eval rpc_indicator = if(raw_message matches /DCERPC|RPC fault|malformed request/, "true", "false")
| timeslice 5m
| stats count as event_count, count_distinct(src_ip) as unique_sources, values(process) as affected_processes, sum(if(crash_indicator="true",1,0)) as crash_events, sum(if(rpc_indicator="true",1,0)) as rpc_events by _timeslice, _sourceHost
| where event_count > 0
| sort by _timeslice desc

Sumo Logic query aggregating vCenter memory corruption crash signals and anomalous DCERPC/RPC fault entries across 5-minute windows to detect CVE-2024-37079 exploitation patterns.

critical severity medium confidence

Data Sources

VMware vCenter logs Syslog Network/Firewall logs

Required Tables

_sourceCategory=*vmware* _sourceCategory=*vcenter*

False Positives

Scheduled vCenter backup agents triggering process activity that resembles crash patterns
vCenter API version mismatches with older integrations generating malformed request log entries
Burst network activity from authorized vSphere client pools scanning management interfaces
Log forwarding delays causing time-windowed aggregation to overcount single events

Google Chronicle / SecOps

yaral

rule cve_2024_37079_vcenter_oob_write {
  meta:
    author = "df00tech"
    description = "Detects CVE-2024-37079 exploitation: VMware vCenter Server out-of-bounds write via memory corruption signals and anomalous management port activity"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453"
    cve = "CVE-2024-37079"
    mitre_attack = "T1190"

  events:
    (
      (
        $e1.metadata.event_type = "PROCESS_UNCAUGHT_EXCEPTION"
        and $e1.principal.hostname = /vcenter|vcs/
        and $e1.target.process.file.full_path = /vpxd|vmdir|vmdird|vmafdd/
      )
      or
      (
        $e1.metadata.event_type = "NETWORK_CONNECTION"
        and (
          $e1.target.port = 443
          or $e1.target.port = 902
          or $e1.target.port = 5480
          or $e1.target.port = 9443
        )
        and $e1.target.hostname = /vcenter|vcs/
        and not $e1.principal.ip in %authorized_management_cidrs
      )
      or
      (
        $e1.metadata.event_type = "GENERIC_EVENT"
        and $e1.principal.hostname = /vcenter|vcs/
        and $e1.metadata.description = /segfault|heap-buffer-overflow|SIGSEGV|core dump|DCERPC|out.of.bounds|CVE-2024-37079/
      )
    )

  condition:
    $e1
}

Chronicle YARA-L rule detecting CVE-2024-37079 exploitation through process crash events on vCenter hosts, anomalous inbound connections to vCenter management ports from unauthorized sources, and memory corruption log entries.

critical severity medium confidence

Data Sources

Chronicle UDM events Endpoint telemetry Network telemetry

Required Tables

Process events Network connection events Generic/log events

False Positives

vCenter processes restarted by VMware lifecycle manager during patching generating PROCESS_UNCAUGHT_EXCEPTION events
Authorized monitoring platforms connecting to vCenter management ports from IPs outside documented management CIDRs
Penetration testing engagements with authorized scope covering vCenter infrastructure
High-availability failover events triggering abnormal vCenter process termination signals

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2, NetworkConnectIP4, NetworkConnectIP6, CriticalEnvironmentBreachDetectionEvent)
| $falcon.ProcessImageFileName = /vpxd|vmdir|vmdird|vmafdd|vmcad/
  OR ($falcon.RemotePort IN (443, 902, 5480, 9443) AND $falcon.LocalAddressIP4 = /vcenter/)
  OR ($falcon.event_simpleName = "CriticalEnvironmentBreachDetectionEvent")
| eval vcenter_process = if(match($falcon.ProcessImageFileName, /vpxd|vmdir|vmdird|vmafdd/), "true", "false")
| eval mgmt_port_hit = if($falcon.RemotePort IN (443, 902, 5480, 9443), "true", "false")
| eval indicator_type = case(
    vcenter_process = "true" AND $falcon.event_simpleName = "CriticalEnvironmentBreachDetectionEvent", "crash_exploit",
    mgmt_port_hit = "true", "management_port_probe",
    true(), "generic"
  )
| stats count() AS event_count, dc($falcon.aip) AS unique_ips, values($falcon.ComputerName) AS hosts, values($falcon.ProcessImageFileName) AS processes, values($falcon.RemotePort) AS ports, earliest($falcon.timestamp) AS first_seen, latest($falcon.timestamp) AS last_seen BY indicator_type, $falcon.aid
| where event_count > 0
| sort last_seen desc

CrowdStrike Falcon CQL query correlating vCenter daemon process crash events, critical environment breach detections, and management port connection events to identify CVE-2024-37079 exploitation activity on protected vCenter hosts.

critical severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon network telemetry

Required Tables

ProcessRollup2 NetworkConnectIP4 CriticalEnvironmentBreachDetectionEvent

False Positives

CrowdStrike sensor updates or policy changes triggering process re-scans on vCenter hosts
VMware vSphere Lifecycle Manager initiating planned vCenter process restarts flagged as crashes
Authorized red team operations against vCenter within approved engagement windows
Backup software establishing connections to vCenter management ports from unregistered IPs

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2024-37079 VMware vCenter Server Out-of-bounds Write (CVE-2024-37079)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2024-37079

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox