Adversaries may use the SCX RunAsProvider to execute arbitrary shell commands, leveraging it as a persistence mechanism or to exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control activities or lateral movement attempts.
Detection Rule
title: OMIGOD SCX RunAsProvider ExecuteShellCommand
id: 21541900-27a9-4454-9c4c-3f0a4240344a
status: test
description: |
    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
    SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.t1068
    - attack.t1190
    - attack.t1203
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/bin/sh'
    condition: selection
falsepositives:
    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
imProcessCreate
| where TargetUsername =~ "root" and TargetUserSessionId == 0 and TargetProcessCurrentDirectory =~ "/var/opt/microsoft/scx/tmp" and TargetProcessCommandLine contains "/bin/sh"
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a shell command via SCX to perform system updates or log rotation.
Filter/Exclusion: process.parent_process_name == "task scheduler" or process.command_line contains "systemd-sysv" or process.command_line contains "init.d"

Scenario: Configuration Management Tool Execution
Description: A configuration management tool such as Ansible or Puppet uses SCX to execute shell commands during a deployment.
Filter/Exclusion: process.command_line contains "ansible" or process.command_line contains "puppet" or process.command_line contains "chef" or process.command_line contains "salt"

Scenario: Admin Task via SCX for Script Execution
Description: An administrator uses SCX to run a custom script for system monitoring or reporting.
Filter/Exclusion: process.command_line contains "custom_script.sh" or process.command_line contains "monitoring_script.sh" or process.command_line contains "reporting_script.sh"

Scenario: Service Restart via SCX
Description: A service restart is initiated via SCX to ensure a service is running correctly after a configuration change.
Filter/Exclusion: process.command_line contains "systemctl restart" or process.command_line contains "service restart" or process.command_line contains "init.d restart"

Scenario: Log File Rotation via SCX
Description: SCX is used to rotate log files as part of a standard log management process.
Filter/Exclusion: process.command_line contains "logrotate" or process.command_line contains "rsyslog" or process.command_line contains "logrotate.conf"
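The following is an added example, not code from the Sigma rule, the Azure Sentinel pull request, or the rule's authors. It re-implements the rule's `selection` block in Python so the matching logic can be exercised offline against constructed `process_creation` events, and then layers the command-line based false-positive exclusions listed above on top as a suppression pass. The field names (`User`, `LogonId`, `CurrentDirectory`, `CommandLine`) are taken from the Sigma rule; the event records, the scenario names, and the helper names `sigma_selection`, `fp_scenario` and `evaluate` are this example's own. The "task scheduler" parent-process exclusion is left out because it depends on a parent-process field the sample events do not carry.

```python
"""Added example: evaluate the OMIGOD SCX RunAsProvider Sigma selection and the
page's false-positive exclusions over constructed process_creation events.
Not part of the original rule or the Azure Sentinel content."""

SCX_TMP_DIR = "/var/opt/microsoft/scx/tmp"

# Constructed sample events using the Sigma process_creation field names.
SAMPLE_EVENTS = [
    # 1: every selection field matches -> alert
    {"User": "root", "LogonId": 0, "CurrentDirectory": SCX_TMP_DIR,
     "CommandLine": "/bin/sh -c 'id; uname -a'"},
    # 2: same directory and shell, but a non-root user -> no match
    {"User": "omi", "LogonId": 1001, "CurrentDirectory": SCX_TMP_DIR,
     "CommandLine": "/bin/sh -c 'ls'"},
    # 3: root shell outside the SCX temp directory -> no match
    {"User": "root", "LogonId": 0, "CurrentDirectory": "/root",
     "CommandLine": "/bin/sh -c 'apt-get update'"},
    # 4: selection matches, but the command line fits the log-rotation scenario -> suppressed
    {"User": "root", "LogonId": 0, "CurrentDirectory": SCX_TMP_DIR,
     "CommandLine": "/bin/sh -c 'logrotate /etc/logrotate.conf'"},
]


def sigma_selection(event):
    """Return True when the event satisfies the rule's 'selection' block.

    Sigma string comparisons are case-insensitive by default (as is KQL's
    'contains'), so values are lower-cased before comparing.
    """
    return (
        str(event.get("User", "")).lower() == "root"
        and event.get("LogonId") == 0
        and str(event.get("CurrentDirectory", "")).lower() == SCX_TMP_DIR
        and "/bin/sh" in str(event.get("CommandLine", "")).lower()
    )


# Command-line keywords from the false-positive scenarios on the page,
# grouped by scenario (scenario keys are this example's own labels).
FP_KEYWORDS = {
    "config_mgmt": ["ansible", "puppet", "chef", "salt"],
    "admin_scripts": ["custom_script.sh", "monitoring_script.sh", "reporting_script.sh"],
    "service_restart": ["systemctl restart", "service restart", "init.d restart"],
    "log_rotation": ["logrotate", "rsyslog", "logrotate.conf"],
}


def fp_scenario(event):
    """Return the first false-positive scenario whose keywords appear in the
    command line, or None when no exclusion applies."""
    cmd = str(event.get("CommandLine", "")).lower()
    for name, words in FP_KEYWORDS.items():
        if any(w in cmd for w in words):
            return name
    return None


def evaluate(events):
    """Classify each event as 'alert', 'suppressed:<scenario>' or 'no_match'."""
    results = []
    for ev in events:
        if not sigma_selection(ev):
            results.append("no_match")
            continue
        scenario = fp_scenario(ev)
        results.append("alert" if scenario is None else f"suppressed:{scenario}")
    return results


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{verdict:26} {ev['CommandLine']}")
```

Running the module prints one verdict per sample event: the first is an alert, the second and third fall outside the selection, and the fourth is suppressed by the log-rotation exclusion. Note that every exclusion on the page keys on substrings of the command line, which is a value the process itself chooses; when tuning the rule in production, exclusions pinned to the parent process, the invoking identity, or a specific script path are harder to satisfy accidentally than a bare keyword match.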