OMIGOD SCX RunAsProvider ExecuteShellCommand

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Sigma rule (View on GitHub)

 1title: OMIGOD SCX RunAsProvider ExecuteShellCommand
 2id: 21541900-27a9-4454-9c4c-3f0a4240344a
 3status: test
 4description: |
 5    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
 6    SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
 7    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.    
 8references:
 9    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
10    - https://github.com/Azure/Azure-Sentinel/pull/3059
11author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
12date: 2021/10/15
13modified: 2022/10/05
14tags:
15    - attack.privilege_escalation
16    - attack.initial_access
17    - attack.execution
18    - attack.t1068
19    - attack.t1190
20    - attack.t1203
21logsource:
22    product: linux
23    category: process_creation
24detection:
25    selection:
26        User: root
27        LogonId: 0
28        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
29        CommandLine|contains: '/bin/sh'
30    condition: selection
31falsepositives:
32    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
33level: high

References

Related rules

to-top