
VMWare-LPE-2022-22960

Language: KQL · Severity: Medium · Source: Azure-Sentinel
Techniques: T1204, T1548
Table: DeviceProcessEvents
Tags: exploit, hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-21T23:00:01Z · Confidence: medium

Hunt Hypothesis

The query looks for process command lines that reference the affected support scripts; CVE-2022-22960 allows a local user to write to these scripts and have them executed as root. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain this privilege escalation vulnerability because of improper permissions on the support scripts.

KQL Query

DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("/opt/vmware/certproxy/bing/certproxyService.sh", "/horizon/scripts/exportCustomGroupUsers.sh", "/horizon/scripts/extractUserIdFromDatabase.sh")
    or FileName has_any ("certproxyService.sh", "exportCustomGroupUsers.sh", "extractUserIdFromDatabase.sh")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
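The two match conditions of the hunt, replayed locally so the logic can be checked before the KQL is scheduled. This is an added example, not the Azure-Sentinel rule's own code: KQL `has_any` on a string column is approximated as a case-insensitive containment test (adequate for paths and file names without spaces), the sample rows are constructed, and the script terms are copied from the query above exactly as the rule spells them.

```python
"""Local re-implementation of the VMWare-LPE-2022-22960 hunt logic.

Added example, not the Azure-Sentinel rule itself: it replays the query's
two conditions over constructed DeviceProcessEvents rows so the matching
can be verified offline.
"""
from dataclasses import dataclass, asdict

# Terms copied from the hunt query on this page (the certproxy path is kept
# exactly as the rule spells it).
INITIATING_CMDLINE_TERMS = [
    "/opt/vmware/certproxy/bing/certproxyService.sh",
    "/horizon/scripts/exportCustomGroupUsers.sh",
    "/horizon/scripts/extractUserIdFromDatabase.sh",
]
FILENAME_TERMS = [
    "certproxyService.sh",
    "exportCustomGroupUsers.sh",
    "extractUserIdFromDatabase.sh",
]


@dataclass
class ProcessEvent:
    """The DeviceProcessEvents columns the query projects."""
    Timestamp: str
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessCommandLine: str


def normalize_terms(terms):
    """Lower-case and strip each term; drop empties.

    A term with stray whitespace ("foo.sh ") can never equal a real file
    name, so normalizing keeps a copy-paste slip from silently disabling it.
    """
    return [t.strip().lower() for t in terms if t.strip()]


def has_any(value, terms):
    """Approximation of KQL has_any for string columns: case-insensitive
    containment of any term (terms are assumed already normalized)."""
    v = value.lower()
    return any(t in v for t in terms)


def hunt(events):
    """Return the projected rows for every event matching either condition."""
    cmd_terms = normalize_terms(INITIATING_CMDLINE_TERMS)
    name_terms = normalize_terms(FILENAME_TERMS)
    return [
        asdict(e) for e in events
        if has_any(e.InitiatingProcessCommandLine, cmd_terms)
        or has_any(e.FileName, name_terms)
    ]


def hits_per_device(hits):
    """Triage helper: number of matching rows per DeviceName."""
    counts = {}
    for row in hits:
        counts[row["DeviceName"]] = counts.get(row["DeviceName"], 0) + 1
    return counts


def sample_events():
    """Constructed telemetry for a dry run (not real data)."""
    return [
        # Unrelated shell activity: no match on either condition.
        ProcessEvent("2022-05-01T10:00:00Z", "ws1-access-01", "bash",
                     "bash -c 'ls /tmp'", "/usr/sbin/sshd -D"),
        # Matches on FileName only.
        ProcessEvent("2022-05-01T10:01:00Z", "ws1-access-01",
                     "extractUserIdFromDatabase.sh",
                     "/bin/sh /horizon/scripts/extractUserIdFromDatabase.sh",
                     "/usr/sbin/cron"),
        # Matches on InitiatingProcessCommandLine only.
        ProcessEvent("2022-05-01T10:02:00Z", "ws1-access-02", "sh",
                     "sh -c 'id'",
                     "/bin/sh /horizon/scripts/exportCustomGroupUsers.sh"),
        # Application process on another appliance: no match.
        ProcessEvent("2022-05-01T10:03:00Z", "vra-01", "java",
                     "java -jar horizon.jar", "/usr/bin/java -jar horizon.jar"),
    ]


if __name__ == "__main__":
    rows = hunt(sample_events())
    for row in rows:
        print(row["Timestamp"], row["DeviceName"], row["FileName"],
              "<-", row["InitiatingProcessCommandLine"])
    print(hits_per_device(rows))
```

Running the block prints the two matching rows (one per condition) and a per-device count; in production the same `InitiatingProcessCommandLine` and `FileName` columns should be reviewed against the appliance's expected scheduled and administrative use of these scripts before a hit is escalated.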

Analytic Rule Definition

id: 1d468d49-ffea-4daf-ba6b-72525ec17b61
name: VMWare-LPE-2022-22960
description: |
  The query looks for process command lines that reference the affected support scripts; CVE-2022-22960 allows a local user to write to these scripts and have them executed as root.
  VMware Workspace ONE Access, Identity Manager and vRealize Automation contain this privilege escalation vulnerability because of improper permissions on the support scripts.
  CVE: CVE-2022-22960.
  Read more here:
  https://www.cisa.gov/uscert/ncas/alerts/aa22-138b
  https://www.vmware.com/security/advisories/VMSA-2022-0011.html
  Tags: #exploit #CVE-2022-22960
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
  - Execution
  - Privilege Escalation
relevantTechniques:
  - T1204
  - T1548
query: |
  DeviceProcessEvents
  | where InitiatingProcessCommandLine has_any ("/opt/vmware/certproxy/bing/certproxyService.sh", "/horizon/scripts/exportCustomGroupUsers.sh", "/horizon/scripts/extractUserIdFromDatabase.sh")
      or FileName has_any ("certproxyService.sh", "exportCustomGroupUsers.sh", "extractUserIdFromDatabase.sh")
  | project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine

Required Data Sources

Sentinel Table: DeviceProcessEvents
Notes: Ensure this data connector (MicrosoftThreatProtection) is enabled

False Positive Guidance

MITRE ATT&CK Context

T1204: User Execution (tactic: Execution)
T1548: Abuse Elevation Control Mechanism (tactic: Privilege Escalation)

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Exploits/VMWare-LPE-2022-22960.yaml