frack113
30 lines
1.5 KiB
YAML
30 lines
1.5 KiB
YAML
title: OMIGOD SCX RunAsProvider ExecuteScript
|
|
id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
|
|
status: experimental
|
|
description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
|
|
date: 2021/10/15
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.initial_access
|
|
- attack.execution
|
|
- attack.t1068
|
|
- attack.t1190
|
|
- attack.t1203
|
|
references:
|
|
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
|
|
- https://github.com/Azure/Azure-Sentinel/pull/3059
|
|
- https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml
|
|
logsource:
|
|
product: linux
|
|
category: process_creation
|
|
detection:
|
|
selection:
|
|
User: root
|
|
LogonId: '0'
|
|
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
|
|
CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
|
|
condition: selection
|
|
falsepositives:
|
|
- Legitimate use of SCX RunAsProvider ExecuteScript.
|
|
level: high |