Adversaries may exploit OMI vulnerabilities to escalate privileges or execute remote code, leveraging known CVEs to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential elevation of privilege or remote code execution attacks before they cause widespread damage.
KQL Query
```kusto
let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
Heartbeat
| where Category == "Direct Agent"
| summarize arg_max(TimeGenerated, *) by Computer
| parse strcat("Version:", Version) with * "Version:" Major:long "." Minor:long "." Patch:long "-" *
| parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:" OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
| where Major < OMIVersionMajor or (Major == OMIVersionMajor and Minor < OMIVersionMinor) or (Major == OMIVersionMajor and Minor == OMIVersionMinor and Patch < OMIVersionPatch)
| project Version, Major, Minor, Patch, Computer, ComputerIP, OSType, OSName, ResourceId
```
```yaml
id: 3cc5ccd8-b416-4141-bb2d-4eba370e37a5
name: OMI Vulnerability Exploitation
description: |
  Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework,
  this detection validates that every OMS agent reporting to the Microsoft Sentinel workspace has the patch installed. It goes over the heartbeats received from all agents over the last day and raises an alert for each agent that is not updated.
requiredDataConnectors: []
severity: Medium
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
tags:
  - OMIGOD
  - CVE-2021-38647
query: |
  let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
  Heartbeat
  | where Category == "Direct Agent"
  | summarize arg_max(TimeGenerated, *) by Computer
  | parse strcat("Version:", Version) with * "Version:" Major:long "." Minor:long "." Patch:long "-" *
  | parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:" OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
  | where Major < OMIVersionMajor or (Major == OMIVersionMajor and Minor < OMIVersionMinor) or (Major == OMIVersionMajor and Minor == OMIVersionMinor and Patch < OMIVersionPatch)
  | project Version, Major, Minor, Patch, Computer, ComputerIP, OSType, OSName, ResourceId
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Computer
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: ResourceId
customDetails:
  HostIp: ComputerIP
  OSType: OSType
  OSName: OSName
kind: Scheduled
version: 1.1.5
metadata:
  source:
    kind: Community
  author:
    name: Ron Marsiano
  support:
    tier: Community
  categories:
    domains: [ "Security - Vulnerability Management" ]
```
| Sentinel Table | Notes |
|---|---|
| Heartbeat | Ensure this data connector is enabled |
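The rule's logic is a three-way version comparison over the newest heartbeat per computer, and it has one quiet failure mode: when an agent's `Version` string does not fit the `Major.Minor.Patch-suffix` shape, the KQL `parse` leaves the numeric columns null, the `where` clause evaluates to null, and that agent silently disappears from the results even if it is unpatched. The Python below is an added example (not the rule's code and not from Microsoft) that mirrors the query step by step on constructed heartbeat rows and additionally surfaces those unparseable agents as a separate bucket so an analyst can follow up on them. The `Heartbeat` records, timestamps and host names are constructed; the `Category` values and the `1.13.40-0` baseline are taken from the rule.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Baseline from the rule: direct agents reporting an OMI version below this are alerted on.
OMI_PATCH_VERSION = "1.13.40-0"

# Same token layout the KQL parse expects: Major "." Minor "." Patch "-" <rest>
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(.*)$")


@dataclass
class Heartbeat:
    """Subset of Heartbeat table columns the query uses (constructed records)."""
    time_generated: datetime
    computer: str
    category: str
    version: str


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (Major, Minor, Patch), or None when the string does not fit the pattern.
    In KQL a failed parse leaves the typed columns null, and a null comparison is never
    true, so such a row drops out of the query result without any signal."""
    m = _VERSION_RE.match(version or "")
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_below(version: str, baseline: str = OMI_PATCH_VERSION) -> bool:
    """The query's where clause: Major, then Minor, then Patch compared in order.
    Python tuple ordering is exactly the three-way or/and expression in the KQL."""
    v = parse_version(version)
    b = parse_version(baseline)
    if v is None or b is None:
        return False
    return v < b


def latest_per_computer(heartbeats: List[Heartbeat]) -> Dict[str, Heartbeat]:
    """where Category == "Direct Agent" | summarize arg_max(TimeGenerated, *) by Computer"""
    latest: Dict[str, Heartbeat] = {}
    for hb in heartbeats:
        if hb.category != "Direct Agent":
            continue
        current = latest.get(hb.computer)
        if current is None or hb.time_generated > current.time_generated:
            latest[hb.computer] = hb
    return latest


def classify(heartbeats: List[Heartbeat], baseline: str = OMI_PATCH_VERSION) -> Dict[str, str]:
    """Label each direct agent's newest heartbeat as patched, unpatched or unparseable.
    The third label is the bucket the Sentinel query cannot show."""
    labels: Dict[str, str] = {}
    for computer, hb in latest_per_computer(heartbeats).items():
        if parse_version(hb.version) is None:
            labels[computer] = "unparseable"
        elif is_below(hb.version, baseline):
            labels[computer] = "unpatched"
        else:
            labels[computer] = "patched"
    return labels


def unpatched_hosts(heartbeats: List[Heartbeat], baseline: str = OMI_PATCH_VERSION) -> List[str]:
    """Exactly the computers the rule would raise an alert for, sorted by name."""
    return sorted(c for c, label in classify(heartbeats, baseline).items() if label == "unpatched")


T0 = datetime(2021, 9, 15, 8, 0, 0)  # constructed timestamp
SAMPLE_HEARTBEATS = [  # constructed rows; Category values match the rule's filter
    Heartbeat(T0, "host-a", "Direct Agent", "1.13.35-0"),                        # older heartbeat
    Heartbeat(T0 + timedelta(hours=1), "host-a", "Direct Agent", "1.13.40-0"),   # newest wins: patched
    Heartbeat(T0, "host-b", "Direct Agent", "1.12.50-0"),  # lower minor: unpatched despite larger patch number
    Heartbeat(T0, "host-c", "Direct Agent", "1.14.1-0"),   # higher minor: patched
    Heartbeat(T0, "host-d", "Direct Agent", "1.13.40"),    # no "-" suffix: the KQL parse fails on this
    Heartbeat(T0, "host-e", "SCOM Agent", "1.10.0-0"),     # excluded by the Category filter
]

if __name__ == "__main__":
    for computer, label in sorted(classify(SAMPLE_HEARTBEATS).items()):
        print(f"{computer}: {label}")
    print("rule would alert on:", unpatched_hosts(SAMPLE_HEARTBEATS))
```

Run as a script it lists each direct agent with its label and the single host the rule would alert on; `host-d` shows up only in the `unparseable` bucket, which is the gap worth a second, looser query (or a `where isnull(Major)` check) in the workspace.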
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task (e.g., Task Scheduler or PowerShell script) is performing routine system maintenance, such as disk cleanup or log rotation, which may trigger the rule due to elevated privileges or suspicious process behavior.
Filter/Exclusion: Check for CommandLine containing known maintenance tools like cleanmgr.exe, logman.exe, or schtasks.exe, or filter by ProcessName matching taskhost.exe or powershell.exe with known maintenance scripts.
Scenario: Admin User Performing Privileged Actions
Description: An administrator is executing a legitimate administrative task, such as updating system settings or configuring services, which may be flagged due to the use of elevated privileges or suspicious process execution.
Filter/Exclusion: Filter by User field to exclude known admin accounts (e.g., Administrator, Domain Admins), or check for CommandLine containing known administrative tools like netsh.exe, reg.exe, or services.msc.
Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool (e.g., Windows Defender, Malwarebytes, or Kaspersky) is performing a full system scan, which may trigger the rule due to the execution of scanning processes or the use of elevated privileges.
Filter/Exclusion: Filter by ProcessName such as MsMpEng.exe, mbam.exe, or kavsvc.exe, or check for CommandLine containing known scanning commands or tools.
Scenario: Remote PowerShell Session for Troubleshooting
Description: A system administrator is using a remote PowerShell session (e.g., WinRM) to troubleshoot an issue, which may be flagged due to the use of remote execution or suspicious process behavior.
*Filter/