OMIGOD HTTP No Authentication RCE
Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body in a PCAP to see what was passed to the server; the client body is where the code to be executed is carried. Additionally, check the endpoint logs for suspicious commands or activity within the timeframe of this HTTP request.
Sigma rule (View on GitHub)
title: OMIGOD HTTP No Authentication RCE
id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
status: stable
description: |
    Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request.
    Verify successful exploitation by viewing the HTTP client (request) body in a PCAP to see what was passed to the server; the client body is where the code to be executed is carried.
    Additionally, check the endpoint logs for suspicious commands or activity within the timeframe of this HTTP request.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://twitter.com/neu5ron/status/1438987292971053057?s=20
author: Nate Guagenti (neu5ron)
date: 2021-09-20
modified: 2019-09-20
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.lateral-movement
    - attack.t1068
    - attack.t1190
    - attack.t1203
    - attack.t1021.006
    - attack.t1210
logsource:
    product: zeek
    service: http
    definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek
detection:
    selection:
        status_code: 200
        uri: /wsman
        method: POST
    auth_header:
        client_header_names|contains: 'AUTHORIZATION'
    too_small_http_client_body:
        request_body_len: 0
    # winrm_ports:
    #     id.resp_p:
    #         - 5985
    #         - 5986
    #         - 1270
    condition: selection and not auth_header and not too_small_http_client_body
    # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only search the default WinRM ports; those ports are sometimes changed, so this is disabled by default to give the rule broader coverage
fields:
    - id.orig_h
    - id.resp_h
    - id.resp_p
    - status_code
    - method
    - uri
    - request_body_len
    - response_body_len
    - user_agent
falsepositives:
    - Exploits that were attempted but unsuccessful.
    - Scanning attempts with the abnormal use of the HTTP POST method and no indication of code execution within the HTTP client (request) body. An example would be vulnerability scanners trying to identify unpatched versions without actually exploiting the vulnerability. See the description for investigation tips.
level: high
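The following Python is an added example, not part of the rule above or of the Sigma or Zeek projects. It applies the rule's `condition` (and, optionally, the commented-out `winrm_ports` restriction) to a handful of constructed Zeek http.log records in JSON format, the shape Zeek produces when `policy/tuning/json-logs.zeek` is loaded together with the `header-names` script named in `logsource.definition`. The record values, hosts and UIDs are made up; the `|contains` match on `client_header_names` is implemented as a case-insensitive substring test over each element of the vector, which is an assumption about how a given Sigma backend translates `contains` on a list-valued field.

```python
import json

# Constructed Zeek http.log records (JSON lines); every value is made up for
# this example. C1 and C5 are unauthenticated POSTs to /wsman with a body,
# C2 carries an Authorization header, C3 has an empty body (scanner-like),
# C4 was rejected with 401, and C5 targets a non-default port.
SAMPLE_HTTP_LOG = r"""
{"ts":1632100000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","host":"10.0.0.9","uri":"/wsman","status_code":200,"request_body_len":1834,"response_body_len":1210,"user_agent":"python-requests/2.26.0","client_header_names":["HOST","USER-AGENT","ACCEPT-ENCODING","ACCEPT","CONNECTION","CONTENT-TYPE","CONTENT-LENGTH"]}
{"ts":1632100001.2,"uid":"C2","id.orig_h":"10.0.0.7","id.orig_p":51235,"id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","host":"10.0.0.9","uri":"/wsman","status_code":200,"request_body_len":1834,"response_body_len":1210,"user_agent":"Microsoft WinRM Client","client_header_names":["HOST","AUTHORIZATION","CONTENT-TYPE","CONTENT-LENGTH"]}
{"ts":1632100002.3,"uid":"C3","id.orig_h":"10.0.0.8","id.orig_p":51236,"id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","host":"10.0.0.9","uri":"/wsman","status_code":200,"request_body_len":0,"response_body_len":0,"user_agent":"scanner/1.0","client_header_names":["HOST","USER-AGENT"]}
{"ts":1632100003.4,"uid":"C4","id.orig_h":"10.0.0.5","id.orig_p":51237,"id.resp_h":"10.0.0.9","id.resp_p":5986,"method":"POST","host":"10.0.0.9","uri":"/wsman","status_code":401,"request_body_len":1834,"response_body_len":0,"user_agent":"python-requests/2.26.0","client_header_names":["HOST","USER-AGENT","CONTENT-TYPE","CONTENT-LENGTH"]}
{"ts":1632100004.5,"uid":"C5","id.orig_h":"10.0.0.5","id.orig_p":51238,"id.resp_h":"10.0.0.9","id.resp_p":8080,"method":"POST","host":"10.0.0.9","uri":"/wsman","status_code":200,"request_body_len":900,"response_body_len":400,"user_agent":"curl/7.68.0","client_header_names":["HOST","USER-AGENT","ACCEPT"]}
"""

# Ports from the rule's commented-out winrm_ports selection.
DEFAULT_WINRM_PORTS = frozenset({5985, 5986, 1270})

# The rule's `fields:` list, plus uid so a hit can be tied back to conn.log
# and to the PCAP for the request-body review the description asks for.
OUTPUT_FIELDS = ("uid", "id.orig_h", "id.resp_h", "id.resp_p", "status_code",
                 "method", "uri", "request_body_len", "response_body_len",
                 "user_agent")


def selection(rec):
    """`selection`: a POST to /wsman that the server answered with 200."""
    return (rec.get("status_code") == 200
            and rec.get("uri") == "/wsman"
            and rec.get("method") == "POST")


def auth_header(rec):
    """`auth_header`: some logged client header name contains AUTHORIZATION.
    Zeek upper-cases header names; the comparison is made case-insensitive
    here anyway (assumed Sigma `contains` semantics on a vector field)."""
    names = rec.get("client_header_names") or []
    return any("AUTHORIZATION" in str(n).upper() for n in names)


def too_small_http_client_body(rec):
    """`too_small_http_client_body`: the request carried no body at all."""
    return rec.get("request_body_len") == 0


def winrm_ports(rec, ports=DEFAULT_WINRM_PORTS):
    """The optional `winrm_ports` selection (commented out in the rule)."""
    return rec.get("id.resp_p") in ports


def matches(rec, restrict_ports=None):
    """The rule's `condition`. Passing a port set switches to the alternative
    condition that additionally requires `winrm_ports`."""
    if not selection(rec):
        return False
    if restrict_ports is not None and not winrm_ports(rec, restrict_ports):
        return False
    return not auth_header(rec) and not too_small_http_client_body(rec)


def run_rule(log_text, restrict_ports=None):
    """Apply the rule to JSON-lines http.log text; return the projected hits."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if matches(rec, restrict_ports):
            hits.append({k: rec.get(k) for k in OUTPUT_FIELDS})
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_HTTP_LOG):
        print(hit)
```

Against the constructed records the default condition fires on C1 and C5, and only on C1 once the port restriction is enabled; C2 (Authorization header present), C3 (empty body) and C4 (401) are excluded. A hit is still only a candidate: as the rule's false-positive notes say, a non-empty body does not prove execution, so use the uid to pull the request body from the PCAP and confirm what was passed to the server. The example assumes JSON logs; with Zeek's default TSV output, `client_header_names` is a single comma-separated vector field that must be split before matching.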
Related rules
- Audit CVE Event
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- Apache Threading Error
- Terminal Service Process Spawn