Machines surfaced by this rule carry a Microsoft Defender for Cloud (formerly Azure Defender) recommendation that references OMIGOD, CVE-2021-38647: an unauthenticated remote code execution flaw in the Open Management Infrastructure (OMI) agent, which runs as root on Azure Linux VMs and is installed silently alongside several Azure management extensions. A crafted request with the Authorization header omitted executes commands as root, remotely wherever the OMI management port (5985, 5986 or 1270) is reachable. Because the query reads vulnerability recommendations rather than runtime telemetry, it identifies exposure, not exploitation: SOC teams should run it in Microsoft Sentinel (formerly Azure Sentinel) to prioritise patching of the flagged hosts, and should note that it returns nothing unless Defender continuous export is delivering the SecurityNestedRecommendation table to the workspace.
KQL Query
// Recommendation rows exported by Defender for Cloud; the CVE appears in the remediation text.
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
// Pull the VM name out of the Azure resource ID embedded in the ResourceDetails JSON string.
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
// Keep the earliest occurrence per machine and recommendation so each host is reported once.
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
// Split an FQDN-style name into host and domain for the Host entity mapping.
| extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
// An undotted name falls back to the full name as the domain value.
| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
description: |
  'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.
  OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
  Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender (reference link below).
  Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
  Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
severity: High
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Execution
relevantTechniques:
  - T1190
  - T1203
tags:
  - OMIGOD
  - CVE-2021-38647
query: |
  SecurityNestedRecommendation
  | where RemediationDescription has 'CVE-2021-38647'
  | parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
  | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
  | extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: VirtualMAchine
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
The exclusions below reference process and user fields. SecurityNestedRecommendation carries no such columns (it records the recommendation, the resource ID and the remediation text), so these filters cannot be applied to this query directly; they describe conditions to check against a process-telemetry source (Syslog, auditd or an EDR table) for the hosts the rule returns. The field names in the example filters are illustrative and are not columns of this rule's table.
Scenario: Scheduled system updates using yum or apt
Filter/Exclusion: Exclude machines where an automated update run (e.g., a cron job executing yum update or apt upgrade) completed within the last 24 hours and the recommendation has not yet been re-evaluated. Confirm that the omi package itself was upgraded to a fixed version (1.6.8-1 or later); an update run that left omi untouched does not remediate the finding.
Example Filter: process.name IN ('yum', 'apt') AND process.start_time > ago(24h)
Scenario: Admin task using omiutil for configuration management
Filter/Exclusion: Exclude machines where the process is initiated by a known administrator and the command is related to OMI configuration (e.g., omiutil config). Running as root is not by itself evidence of legitimate activity: successful exploitation of CVE-2021-38647 executes as root, so tie this exclusion to a named administrative account or a change record rather than to the root user alone.
Example Filter: user.name IN ('root', 'admin') AND process.name = 'omiutil' AND process.command_line LIKE '%config%'
Scenario: Regular system health checks using omi CLI tools
Filter/Exclusion: Exclude machines where the process is initiated by a monitoring tool (e.g., Zabbix, Nagios or Prometheus) and the command is related to health checks (e.g., omi health check).
Example Filter: process.name = 'omi' AND process.command_line LIKE '%health check%' AND source = 'Zabbix'
Scenario: Automated backup scripts using omi for configuration export
Filter/Exclusion: Exclude machines where the process is part of a known backup script (e.g., /opt/backup/backup.sh) and the command includes omi export.
Example Filter: process.name = 'omi' AND process.command_line LIKE '%export%' AND process.parent_process = '/opt/backup/backup.sh'
Scenario: Development environment with OMI used for testing
Filter/Exclusion: Exclude
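The following query is an added example, not part of the original rule or of Microsoft's content. It serves the two passages above: it extends the base query with an exposure-age view (first and last time each machine carried the recommendation) and it shows how host-scope exclusions of the kind listed in the scenarios can be applied to this data source, which has no process or user columns, by joining to a Sentinel watchlist. Two edge cases are handled that the base query does not: resources whose ResourceDetails does not contain 'virtualMachines/' (Azure Arc-enabled servers appear under 'Microsoft.HybridCompute/machines/') parse to an empty name in the original and are picked up here, and an undotted machine name yields an empty domain instead of repeating the host name into the NTDomain entity. The watchlist name 'OMI_Exclusions' and its Environment and Reason columns are assumptions; the standard SecurityNestedRecommendation schema is assumed otherwise.

```kql
// Added example (not the original rule). Assumes the default SecurityNestedRecommendation
// schema and a hypothetical Sentinel watchlist 'OMI_Exclusions' whose SearchKey is the
// short host name, with Environment and Reason columns maintained by the SOC.
let lookback = 30d;
let exclusions = _GetWatchlist('OMI_Exclusions')
    | project ExclHost = tolower(tostring(SearchKey)),
              ExclEnvironment = tostring(Environment),
              ExclReason = tostring(Reason);
SecurityNestedRecommendation
| where TimeGenerated > ago(lookback)
| where RemediationDescription has 'CVE-2021-38647' or VulnerabilityId has 'CVE-2021-38647'
// Capture both classic VMs and Arc-enabled servers; capture group 2 is the resource name.
| extend MachineName = extract(@'/(virtualMachines|machines)/([^"/]+)', 2, ResourceDetails),
         ResourceKind = iff(ResourceDetails contains 'HybridCompute', 'ArcServer', 'VirtualMachine')
| where isnotempty(MachineName)
// One row per machine: how long the recommendation has been open and where it was seen.
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Subscriptions = make_set(RecommendationSubscriptionId),
            Recommendations = make_set(RecommendationName)
    by TenantId, MachineName, ResourceKind
| extend DaysExposed = datetime_diff('day', LastSeen, FirstSeen)
// Host/domain split as in the rule, but an undotted name gives an empty domain.
| extend DotIdx = indexof(MachineName, '.')
| extend HostName = tostring(split(MachineName, '.')[0]),
         HostNameDomain = iff(DotIdx >= 0, substring(MachineName, DotIdx + 1), '')
| extend HostKey = tolower(HostName)
| join kind=leftouter exclusions on $left.HostKey == $right.ExclHost
// Excluded hosts are kept and downgraded rather than dropped: the machine is still
// vulnerable, only the alert handling changes.
| extend Environment = iff(isempty(ExclEnvironment), 'unclassified', ExclEnvironment),
         AlertSeverity = iff(isempty(ExclReason), 'High', 'Informational')
| project-rename Reason = ExclReason
| project-away DotIdx, HostKey, ExclHost, ExclEnvironment
| order by AlertSeverity asc, DaysExposed desc
```

Hosts listed in the watchlist (dev/test machines, monitoring or backup hosts with a documented reason) come back as Informational instead of High, so they can be routed to a low-priority queue while remaining visible; DaysExposed orders the rest so that the longest-standing unpatched machines surface first.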