OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
Sigma rule (View on GitHub)
1title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
2id: 045b5f9c-49f7-4419-a236-9854fb3c827a
3status: test
4description: |
5 Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
6 SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.
7 Microsoft Azure, and Microsoft Operations Management Suite.
8references:
9 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
10 - https://github.com/Azure/Azure-Sentinel/pull/3059
11author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
12date: 2021/09/17
13modified: 2022/11/26
14tags:
15 - attack.privilege_escalation
16 - attack.initial_access
17 - attack.execution
18 - attack.t1068
19 - attack.t1190
20 - attack.t1203
21logsource:
22 product: linux
23 service: auditd
24detection:
25 selection:
26 type: 'SYSCALL'
27 syscall: 'execve'
28 uid: 0
29 cwd: '/var/opt/microsoft/scx/tmp'
30 comm: 'sh'
31 condition: selection
32falsepositives:
33 - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
34level: high
References
Related rules
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- OMIGOD SCX RunAsProvider ExecuteScript
- Audit CVE Event
- Atlassian Confluence CVE-2022-26134