OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Sigma rule

title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
id: 045b5f9c-49f7-4419-a236-9854fb3c827a
status: test
description: |
    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
    SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager,
    Microsoft Azure, and Microsoft Operations Management Suite.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/09/17
modified: 2022/11/26
tags:
    - attack.privilege_escalation
    - attack.initial_access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        syscall: 'execve'
        uid: 0
        cwd: '/var/opt/microsoft/scx/tmp'
        comm: 'sh'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
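To show how the selection above applies to raw auditd output, here is an added Python example (not part of the rule or the Sigma project). It matters because the fields the rule uses live in different records: cwd sits in a CWD record and syscall is a number in the SYSCALL record, so a detector must join records by audit event id and map the number to a name before the selection can match. The log lines and the partial x86_64 syscall table are constructed and assumed for this example.

```python
import re
from collections import defaultdict

# Constructed auditd records (not captured from a real host): event 501 is a
# root "sh" execve from the SCX tmp directory, event 502 an unrelated user shell.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1631900000.100:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1200 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/usr/bin/dash" key=(null)
type=EXECVE msg=audit(1631900000.100:501): argc=3 a0="sh" a1="-c" a2="id"
type=CWD msg=audit(1631900000.100:501): cwd="/var/opt/microsoft/scx/tmp"
type=SYSCALL msg=audit(1631900000.200:502): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="sh" exe="/usr/bin/dash" key=(null)
type=CWD msg=audit(1631900000.200:502): cwd="/home/alice"
"""

# Raw auditd lines carry syscall numbers; the Sigma field holds the name.
# Partial x86_64 (arch=c000003e) table, enough for this rule (assumed mapping).
SYSCALL_NAMES = {"c000003e": {"59": "execve", "322": "execveat"}}

# The rule's selection block as field/value equality (uid compared as a string).
SELECTION = {"type": "SYSCALL", "syscall": "execve", "uid": "0",
             "cwd": "/var/opt/microsoft/scx/tmp", "comm": "sh"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+:\d+)\):")

def merge_events(raw_log):
    """Flatten SYSCALL/CWD/EXECVE records sharing one audit event id into one dict."""
    events = defaultdict(dict)
    for line in raw_log.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        event = events[m.group(1)]
        fields = {k: q or u for k, q, u in FIELD_RE.findall(line)}
        rtype = fields.pop("type", "")
        fields.pop("msg", None)
        event.update(fields)
        # The SYSCALL record defines the event type, whatever the line order.
        if rtype == "SYSCALL" or "type" not in event:
            event["type"] = rtype
    for event in events.values():  # number -> name, as the rule expects
        names = SYSCALL_NAMES.get(event.get("arch"), {})
        event["syscall"] = names.get(event.get("syscall"), event.get("syscall"))
    return events

def matches(event):
    """True when every selection field equals the merged event's value."""
    return all(event.get(k) == v for k, v in SELECTION.items())

def find_hits(raw_log):
    """Audit event ids in raw_log whose merged fields match the rule."""
    return sorted(eid for eid, ev in merge_events(raw_log).items() if matches(ev))
```

Running `find_hits(SAMPLE_LOG)` returns only event 501; event 502 fails on uid and cwd, which is the kind of benign root-less shell the rule is built to ignore.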
