OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temporary file in the /tmp folder with an scx* prefix; it is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Sigma rule

```yaml
title: OMIGOD SCX RunAsProvider ExecuteScript
id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
status: test
description: |
    Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
    Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
    Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
    The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider ExecuteScript.
level: high
```
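A way to exercise the rule's selection logic offline, as an added example that is not the rule's or the Sigma project's own code: the field names are taken from the rule, the event records are constructed samples, and only the plain-equality and `|contains` matching this rule uses is implemented.

```python
"""Added example, not code from the Sigma rule or its project: applies the
rule's selection block to constructed Linux process_creation events. Field
names are the rule's own; all event records below are constructed samples."""

# The selection as written in the rule; every entry must match (AND).
SELECTION = {
    "User": "root",
    "LogonId": 0,
    "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
    "CommandLine|contains": "/etc/opt/microsoft/scx/conf/tmpdir/scx",
}

def field_matches(event, key, expected):
    """Apply one selection entry. Only plain equality and the |contains
    modifier are implemented, which is all this rule uses."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    if modifier == "contains":
        return expected in str(value)
    if modifier:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    # Compare as strings so LogonId "0" from a text log equals the rule's 0.
    return str(value) == str(expected)

def matches_rule(event):
    """condition: selection -> true when every selection entry matches."""
    return all(field_matches(event, k, v) for k, v in SELECTION.items())

# Constructed events: the first mirrors the behaviour the rule describes,
# the others each differ in one field and must not fire.
SAMPLE_EVENTS = [
    {"User": "root", "LogonId": "0",
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxA1b2C3"},
    {"User": "omi", "LogonId": "0",  # not root
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxA1b2C3"},
    {"User": "root", "LogonId": "0",  # a script outside the SCX tmpdir
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh /usr/local/bin/backup.sh"},
]

def alerts(events=SAMPLE_EVENTS):
    """Return indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```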
Related rules
- OMIGOD HTTP No Authentication RCE
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- Audit CVE Event
- OMIGOD SCX RunAsProvider ExecuteScript
- Atlassian Confluence CVE-2022-26134