OMIGOD HTTP No Authentication RCE
Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Sigma rule (View on GitHub)
1title: OMIGOD HTTP No Authentication RCE
2id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
3status: stable
4description: |
5 Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
6 Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
7 Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
8references:
9 - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
10 - https://twitter.com/neu5ron/status/1438987292971053057?s=20
11author: Nate Guagenti (neu5ron)
12date: 2021/09/20
13modified: 2019/09/20
14tags:
15 - attack.privilege_escalation
16 - attack.initial_access
17 - attack.execution
18 - attack.lateral_movement
19 - attack.t1068
20 - attack.t1190
21 - attack.t1203
22 - attack.t1021.006
23 - attack.t1210
24logsource:
25 product: zeek
26 service: http
27 definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek
28detection:
29 selection:
30 status_code: 200
31 uri: /wsman
32 method: POST
33 auth_header:
34 client_header_names|contains: 'AUTHORIZATION'
35 too_small_http_client_body:
36 request_body_len: 0
37 # winrm_ports:
38 # id.resp_p:
39 # - 5985
40 # - 5986
41 # - 1270
42 condition: selection and not auth_header and not too_small_http_client_body
43 # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
44fields:
45 - id.orig_h
46 - id.resp_h
47 - id.resp_p
48 - status_code
49 - method
50 - uri
51 - request_body_len
52 - response_body_len
53 - user_agent
54falsepositives:
55 - Exploits that were attempted but unsuccessful.
56 - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
57level: high
References
-
Wiz Research recently found 4 critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure.
Read More -
Related rules
- Audit CVE Event
- OMIGOD SCX RunAsProvider ExecuteScript
- OMIGOD SCX RunAsProvider ExecuteShellCommand
- OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
- OMIGOD SCX RunAsProvider ExecuteScript