security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix auditd field name

Browse Source
This commit is contained in:
frack113
2021-11-11 10:13:48 +01:00
parent 735e5eade9
commit bd3358d33c
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml → rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml
+2 -1
View File
@@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a
description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/18
modified: 2021/11/11
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
@@ -21,7 +22,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
uid: '0'
cwd: '/var/opt/microsoft/scx/tmp'
cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx
rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+2 -2
View File
@@ -3,6 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a
description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/17
modified: 2021/11/11
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
@@ -20,7 +21,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
uid: '0'
cwd: '/var/opt/microsoft/scx/tmp'
comm: 'sh'
@@ -28,4 +29,3 @@ detection:
falsepositives:
- Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
rules/linux/auditd/lnx_auditd_web_rce.yml
+2 -3
View File
@@ -4,17 +4,16 @@ status: experimental
description: Detects possible command execution by web application/web shell
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
modified: 2021/11/11
references:
- personal experience
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
key: 'detect_execve_www'
condition: selection
falsepositives: