
SCX RunAsProvider ExecuteShellCommand #3059

Merged
merged 4 commits into from Sep 17, 2021

Conversation


@Cyb3rWard0g Cyb3rWard0g commented Sep 17, 2021

This hunting query uses Auditd security events collected via the Syslog data connector to explore the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.

SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

SCX has a support provider named RunAsProvider. This provider has a few classes:

Based on OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers by Wiz, ExecuteShellCommand was used in the HTTP request to test CVE-2021-38647.

<s:Body>
   <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
      <p:command>id</p:command>
      <p:timeout>0</p:timeout>
   </p:ExecuteShellCommand_INPUT>
</s:Body>

This was derived from initial testing while executing commands via /opt/omi/bin/omicli and exploring responses.

/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 }

Using the same template provided in the blog post by Wiz, we prepared a quick test:

<s:Body>
   <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
      <p:command>echo 'Hola MSTIC'</p:command>
      <p:timeout>0</p:timeout>
   </p:ExecuteShellCommand_INPUT>
</s:Body>

We set the SCX logging to verbose:

/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose

and we were able to capture the activity on the OMI server side in the scx.log:

tail -f /var/opt/microsoft/scx/log/scx.log

[screenshots: scx.log entries for the ExecuteShellCommand request]

Next, we checked our Sysmon for Linux and auditd logs in our lab environment and identified where the commands were being executed from:

[screenshots: Sysmon for Linux and auditd process-creation events]

We then put together the following query to validate our testing. The query is part of this PR.

[screenshot: hunting query and results]

References:
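The auditd records the PR description says were used to find where the commands run from can be correlated outside Sentinel as well. The following is an added example, not the PR's own query or any Azure code: it joins SYSCALL and EXECVE records on the audit serial and reports every `/bin/sh -c <command>` execution, optionally narrowed to a set of parent pids (the omiagent pid being an assumption here). The log lines, pids and serials are constructed for the example; the `scx_exec` audit key is likewise assumed.

```python
import re

# Constructed auditd records as forwarded by audisp-syslog (not real captures):
# two "/bin/sh -c" executions whose parent is an assumed omiagent pid 1201, plus a benign ls.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1631900000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1240 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="scx_exec"
type=EXECVE msg=audit(1631900000.123:4567): argc=3 a0="/bin/sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1631900010.456:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1255 auid=4294967295 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="scx_exec"
type=EXECVE msg=audit(1631900010.456:4570): argc=3 a0="/bin/sh" a1="-c" a2=6563686F2027486F6C61204D5354494327
type=SYSCALL msg=audit(1631900020.789:4580): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/bin/ls" key="scx_exec"
type=EXECVE msg=audit(1631900020.789:4580): argc=2 a0="ls" a1="-la"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')  # auditd hex-encodes argv that contain spaces or quotes

def parse_record(line):
    """Parse one auditd record into a dict; decode hex-encoded EXECVE argv values."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw.strip('"')
        elif fields.get('type') == 'EXECVE' and key[:1] == 'a' and key[1:].isdigit() and HEX_RE.match(raw):
            fields[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            fields[key] = raw
    m = AUDIT_ID_RE.search(fields.get('msg', ''))
    fields['serial'] = int(m.group(2)) if m else None
    return fields

def find_shell_commands(log_text, parent_pids=None):
    """Join SYSCALL and EXECVE records on the audit serial; return each /bin/sh -c execution,
    optionally only those whose parent pid is in parent_pids (e.g. the omiagent pid)."""
    by_serial = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec['serial'] is not None:
            by_serial.setdefault(rec['serial'], {})[rec.get('type')] = rec
    hits = []
    for serial, recs in sorted(by_serial.items()):
        sc, ex = recs.get('SYSCALL', {}), recs.get('EXECVE', {})
        if sc.get('exe') != '/bin/sh' or ex.get('a1') != '-c':
            continue
        if parent_pids is not None and sc.get('ppid') not in parent_pids:
            continue
        hits.append({'serial': serial, 'uid': sc.get('uid'), 'ppid': sc.get('ppid'),
                     'pid': sc.get('pid'), 'command': ex.get('a2')})
    return hits
```

On a live host the same records arrive through the Syslog connector, so the `exe="/bin/sh"` plus `a1="-c"` condition is the part to carry into the KQL, with the parent-pid filter replaced by whatever identifies omiagent in your data.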


@shainw shainw left a comment


1 recommended change and 1 potential change depending on what is in the user fields, otherwise good.

@shainw shainw merged commit 840bdb9 into Azure:master Sep 17, 2021