Adversaries may use the SCX RunAsProvider ExecuteScript to execute malicious UNIX/Linux scripts via /bin/sh, leveraging temporary files in /tmp to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control or persistence mechanisms.
Detection Rule
title: OMIGOD SCX RunAsProvider ExecuteScript
id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
status: test
description: |
    Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
    The script being executed is created as a temp file in the /tmp folder with an scx* prefix.
    It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/.
    The file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider ExecuteScript.
level: high
Sentinel Query (KQL, ASIM imProcessCreate)
imProcessCreate
| where TargetUsername =~ "root"
    and TargetUserSessionId == 0
    and TargetProcessCurrentDirectory =~ "/var/opt/microsoft/scx/tmp"
    and TargetProcessCommandLine contains "/etc/opt/microsoft/scx/conf/tmpdir/scx"
False Positive Scenarios

Scenario: System Update via SCX Provider
Description: A legitimate system update process uses the SCX RunAsProvider to execute a script that configures or updates software on Linux systems.
Filter/Exclusion: Check the script content for known update scripts (e.g., scx_update.sh) or filter by the script path /opt/update/scx_update.sh.

Scenario: Scheduled Job for Configuration Sync
Description: A scheduled job runs a script via SCX RunAsProvider to synchronize configuration files between servers, using /bin/sh to execute a script in /tmp.
Filter/Exclusion: Exclude scripts that match known sync scripts (e.g., sync_config.sh) or filter by the job name in the task scheduler (e.g., sync_config_job).

Scenario: Admin Task for Log Rotation
Description: An administrator uses SCX RunAsProvider to execute a log rotation script that runs via /bin/sh and creates a temporary script in /tmp.
Filter/Exclusion: Exclude scripts that match known log rotation scripts (e.g., rotate_logs.sh) or filter by the user account (e.g., root or admin).

Scenario: Custom Script for Monitoring Tool Integration
Description: A custom script is used to integrate with a monitoring tool (e.g., Nagios, Zabbix) and is executed via SCX RunAsProvider using /bin/sh.
Filter/Exclusion: Exclude scripts that match known monitoring integration scripts (e.g., monitor_integration.sh) or filter by the monitoring tool name in the script content.

Scenario: Temp Script for One-Time Administrative Task
Description: An admin creates a temporary script in /tmp using SCX RunAsProvider to perform a one-time administrative task, such as user account cleanup or file migration.
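The following is an added example, not code from the original page, the Sigma project or the Azure-Sentinel repository. It re-implements the rule's four-field selection over constructed Linux process_creation events and then applies the allow-list style tuning the false-positive scenarios above describe. The ScriptSha256 field is an assumption: it stands for an enrichment step that hashes the scx* temp file named in the command line, because the command line itself only carries the temporary scx* name, never the original script name or path. Matching is case-insensitive, as =~ and contains are in the Sentinel query.

```python
"""
Added example (not part of the original page or the Sigma / Azure-Sentinel projects):
evaluate the OMIGOD SCX RunAsProvider ExecuteScript selection over constructed
process_creation events and apply content-hash based allow-listing.
"""
from __future__ import annotations

from dataclasses import dataclass

# Values copied from the rule's selection block. Comparisons are case-insensitive
# to mirror the KQL rendering (=~ and contains ignore case).
RULE_USER = "root"
RULE_LOGON_ID = 0
RULE_CWD = "/var/opt/microsoft/scx/tmp"
RULE_CMDLINE_SUBSTRING = "/etc/opt/microsoft/scx/conf/tmpdir/scx"


def selection_matches(event: dict) -> bool:
    """All four selection fields must match (condition: selection)."""
    user = str(event.get("User", "")).lower()
    cwd = str(event.get("CurrentDirectory", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    return (
        user == RULE_USER
        and event.get("LogonId") == RULE_LOGON_ID
        and cwd == RULE_CWD
        and RULE_CMDLINE_SUBSTRING in cmdline
    )


@dataclass(frozen=True)
class Verdict:
    event_id: str
    matched: bool      # the rule selection fired
    suppressed: bool   # fired, but the script content is on the allow-list
    reason: str


def triage(event: dict, known_script_hashes: set[str]) -> Verdict:
    """
    Evaluate one event. 'ScriptSha256' is an assumed enrichment field: the SHA-256
    of the scx* temp file referenced in the command line. Keying the allow-list on
    content is how "check the script content" from the FP scenarios becomes a
    cheap comparison; the rule itself only looks at the four selection fields.
    """
    if not selection_matches(event):
        return Verdict(event["EventId"], False, False, "selection not met")
    digest = str(event.get("ScriptSha256", "")).lower()
    if digest and digest in known_script_hashes:
        return Verdict(event["EventId"], True, True, "known benign script content")
    return Verdict(event["EventId"], True, False, "SCX ExecuteScript as root, unknown script")


def hunt(events: list[dict], known_script_hashes: set[str]) -> list[Verdict]:
    """Return only the verdicts an analyst should review: matched and not suppressed."""
    verdicts = (triage(e, known_script_hashes) for e in events)
    return [v for v in verdicts if v.matched and not v.suppressed]


# Constructed sample events (not real telemetry). Hash values are placeholders.
KNOWN_UPDATE_SCRIPT = "a" * 64   # placeholder SHA-256 of an approved scx_update.sh
SAMPLE_EVENTS = [
    {   # unknown script run through the provider as root: should alert
        "EventId": "evt-1", "User": "root", "LogonId": 0,
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxAbC123",
        "ScriptSha256": "b" * 64,
    },
    {   # same shape, but content equals the approved update script: suppressed
        "EventId": "evt-2", "User": "ROOT", "LogonId": 0,
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxUpd001",
        "ScriptSha256": KNOWN_UPDATE_SCRIPT,
    },
    {   # unprivileged service account: User and LogonId do not match, no alert
        "EventId": "evt-3", "User": "omi", "LogonId": 998,
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxXyz789",
    },
    {   # ordinary root script from /tmp, not via the SCX tmpdir path: no alert
        "EventId": "evt-4", "User": "root", "LogonId": 0,
        "CurrentDirectory": "/tmp",
        "CommandLine": "/bin/sh /tmp/scx_cleanup.sh",
    },
]

if __name__ == "__main__":
    for verdict in hunt(SAMPLE_EVENTS, {KNOWN_UPDATE_SCRIPT}):
        print(verdict)
```

Two points the scenarios gloss over are visible in the sample events. First, the selection already requires User root and LogonId 0, so an exclusion "by the user account (e.g., root)" would suppress every hit; tune on what the script is, not on who ran it. Second, because the provider copies the script to a scx* temp name, exclusions on names such as scx_update.sh or paths such as /opt/update/scx_update.sh have nothing to match in the command line; they only work if the hunt is enriched with the temp file's content (here a hash) or the originating job.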