SCX RunAsProvider ExecuteShellCommand #3059
Merged
+43
−0
This hunting query uses Auditd security events collected via the Syslog data connector to explore the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.

SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

SCX has a support provider named RunAsProvider. This provider has a few classes:

Based on "OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers" by Wiz, ExecuteShellCommand was used in the HTTP request to test CVE-2021-38647. This was derived from initial testing while executing commands via /opt/omi/bin/omicli and exploring responses. Using the same template provided in the blog post by Wiz, we prepared a quick test:

We set the SCX logging to verbose and we were able to capture the activity on the OMI server side in the scx.log:

Next, we checked our Sysmon for Linux and auditd logs in our lab environment and identified where the commands were being executed from:

We then put together the following query to validate our testing. The query is part of this PR.
References:
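The detection idea behind this PR, shown as a stand-alone added example (not the PR's own KQL query): correlate auditd SYSCALL and EXECVE records by audit event id, resolve each /bin/sh -c execve to its parent's binary, and flag those whose parent lives under the OMI install path. The sample records are constructed; the /opt/omi/ prefix follows the /opt/omi/bin/omicli path mentioned above, and the omiagent process name is an assumption about which OMI binary hosts the provider.

```python
import re
from collections import defaultdict

# Constructed auditd records (as forwarded via syslog), not captured from a real host.
# Event 4500: assumed OMI provider host process. Event 4501: /bin/sh -c spawned by it.
# Event 4499/4502: an interactive bash session spawning /bin/sh -c (benign control).
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1631700000.100:4500): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1201 uid=0 comm="omiagent" exe="/opt/omi/bin/omiagent" key="exec"
type=EXECVE msg=audit(1631700000.100:4500): argc=1 a0="/opt/omi/bin/omiagent"
type=SYSCALL msg=audit(1631700000.123:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1345 uid=0 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1631700000.123:4501): argc=3 a0="/bin/sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1631700000.050:4499): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2200 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1631700000.200:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 uid=1000 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1631700000.200:4502): argc=3 a0="/bin/sh" a1="-c" a2="ls"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')     # the event id shared by SYSCALL/EXECVE

def parse_auditd(text):
    """Group records by audit event id -> {record type: {field: value}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = ID_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        events[m.group(1)][fields["type"]] = fields
    return events

def find_shell_via_omi(text, omi_prefix="/opt/omi/"):
    """Return /bin/sh -c executions whose parent process binary is under omi_prefix."""
    events = parse_auditd(text)
    # Every successful execve tells us which binary a pid became; use it to resolve ppid -> exe.
    exe_by_pid = {ev["SYSCALL"]["pid"]: ev["SYSCALL"]["exe"]
                  for ev in events.values() if "SYSCALL" in ev}
    hits = []
    for eid, ev in events.items():
        sc, ex = ev.get("SYSCALL"), ev.get("EXECVE")
        if not sc or not ex or sc.get("syscall") != "59":   # 59 = execve on x86_64 (arch=c000003e)
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        parent_exe = exe_by_pid.get(sc["ppid"], "")
        if argv[:2] == ["/bin/sh", "-c"] and parent_exe.startswith(omi_prefix):
            hits.append({"event": eid, "pid": sc["pid"], "parent_exe": parent_exe,
                         "command": " ".join(argv[2:])})
    return hits

if __name__ == "__main__":
    for hit in find_shell_via_omi(SAMPLE_AUDITD):
        print(hit)
```

On the constructed input only event 4501 is reported; the shell spawned from the interactive bash session is ignored because its parent binary is outside the OMI path.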