OMIGOD HTTP No Authentication RCE - CVE-2021-38647
Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Sigma rule (View on GitHub)
1title: OMIGOD HTTP No Authentication RCE - CVE-2021-38647
2id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
3status: stable
4description: |
5 Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
6 Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
7 Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
8references:
9 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
10 - https://twitter.com/neu5ron/status/1438987292971053057?s=20
11author: Nate Guagenti (neu5ron)
12date: 2021-09-20
13modified: 2025-11-03
14tags:
15 - attack.privilege-escalation
16 - attack.initial-access
17 - attack.execution
18 - attack.lateral-movement
19 - attack.t1068
20 - attack.t1190
21 - attack.t1203
22 - attack.t1021.006
23 - attack.t1210
24 - detection.emerging-threats
25 - cve.2021-38647
26logsource:
27 product: zeek
28 service: http
29 definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek
30detection:
31 selection:
32 status_code: 200
33 uri: /wsman
34 method: POST
35 auth_header:
36 client_header_names|contains: 'AUTHORIZATION'
37 too_small_http_client_body:
38 request_body_len: 0
39 # winrm_ports:
40 # id.resp_p:
41 # - 5985
42 # - 5986
43 # - 1270
44 condition: selection and not auth_header and not too_small_http_client_body
45 # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
46falsepositives:
47 - Exploits that were attempted but unsuccessful.
48 - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
49level: high
References
-
Wiz Research recently found 4 critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure.
Read More -
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More
Related rules
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Audit CVE Event
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- Exploitation Activity of CVE-2025-59287 - WSUS Deserialization