OMIGOD SCX RunAsProvider ExecuteScript

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Sigma rule

title: OMIGOD SCX RunAsProvider ExecuteScript
id: 865c10a6-9541-4d11-9f45-9a3484e23b0a
description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/18
modified: 2021/11/11
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.privilege_escalation
    - attack.initial_access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/
    - https://github.com/Azure/Azure-Sentinel/pull/3071/files
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        syscall: 'execve'
        uid: '0'
        cwd: '/var/opt/microsoft/scx/tmp'
        cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx
        comm: 'sh'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider ExecuteScript.
level: high
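Worked example (added here; not code from the rule's author or the Sigma project): the selection above assumes `syscall`, `uid`, `comm`, `cwd` and `cmdline` already sit in one normalized event, whereas raw auditd spreads them over SYSCALL, EXECVE and CWD records that share one `audit(timestamp:serial)` id. The Python below merges those records from constructed sample lines, resolves syscall number 59 to `execve` (x86_64 only, an assumption of this example), decodes the hex form auditd uses for arguments containing spaces or quotes, and applies the rule's conditions.

```python
import re
from collections import defaultdict

# Constructed auditd records (not taken from the page): one event shaped like the
# SCX RunAsProvider execution the rule describes, and one benign non-root shell run.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1631952000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 uid=0 gid=0 euid=0 comm="sh" exe="/usr/bin/dash" key=(null)
type=EXECVE msg=audit(1631952000.123:4242): argc=2 a0="/bin/sh" a1="/etc/opt/microsoft/scx/conf/tmpdir/scxAbC123"
type=CWD msg=audit(1631952000.123:4242): cwd="/var/opt/microsoft/scx/tmp"
type=SYSCALL msg=audit(1631952001.456:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 uid=1000 gid=1000 euid=1000 comm="sh" exe="/usr/bin/dash" key=(null)
type=EXECVE msg=audit(1631952001.456:4243): argc=2 a0="/bin/sh" a1="/home/alice/backup.sh"
type=CWD msg=audit(1631952001.456:4243): cwd="/home/alice"
"""

SYSCALL_NAMES = {"59": "execve", "322": "execveat"}  # x86_64 numbers; arch-dependent
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'msg=audit\(([^)]+)\)')

def decode_arg(raw):
    """auditd hex-encodes (unquoted) any EXECVE argument containing spaces or quotes."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_events(text):
    """Merge the SYSCALL, EXECVE and CWD records of each audit(ts:serial) id into one
    event carrying the fields the Sigma selection names: type, syscall, uid, comm, cmdline, cwd."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        ev = events[m.group(1)]
        rtype = fields.get("type")
        if rtype == "SYSCALL":
            ev.update(type="SYSCALL", uid=fields.get("uid"), comm=fields.get("comm", "").strip('"'),
                      syscall=SYSCALL_NAMES.get(fields.get("syscall"), fields.get("syscall")))
        elif rtype == "EXECVE":  # rebuild the command line from a0..a(argc-1)
            ev["cmdline"] = " ".join(decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"])))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "").strip('"')
    return list(events.values())

def matches_rule(ev):
    """The rule's selection: every field condition must hold (Sigma ANDs the keys of a selection)."""
    return (ev.get("type") == "SYSCALL" and ev.get("syscall") == "execve" and ev.get("uid") == "0"
            and ev.get("cwd") == "/var/opt/microsoft/scx/tmp"
            and "/etc/opt/microsoft/scx/conf/tmpdir/scx" in ev.get("cmdline", "")
            and ev.get("comm") == "sh")

def alerts(text):
    return [ev for ev in parse_events(text) if matches_rule(ev)]
```

Only the first constructed event fires; the second fails on uid, cwd and cmdline alone, which is the point of ANDing all five fields before raising a high-level alert.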
