
OMIGOD SCX RunAsProvider ExecuteShellCommand

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Author
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Created
Fri Oct 15
Updated
Wed Oct 05
Rule ID
21541900-27a9-4454-9c4c-3f0a4240344a
Product
linux
Log Source
Product
Linux (raw: linux)
Category
Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/bin/sh'
    condition: selection
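The detection block above, evaluated against a handful of constructed Linux process-creation events, as an added example that is not part of the Sigma rule or the Sigma repository. It assumes events already normalised to the Sigma process_creation field names the rule uses (User, LogonId, CurrentDirectory, CommandLine) and implements only what this rule needs: exact-match fields, the contains modifier, the implicit AND of a selection map, and Sigma's case-insensitive string comparison (which is why LogonId: 0 still matches when a log pipeline delivers "0" as a string).

```python
"""Evaluate the OMIGOD SCX RunAsProvider Sigma selection against constructed
Linux process-creation events (added example, not the rule's own code)."""
from __future__ import annotations

from typing import Any

# The rule's detection block, transcribed from the page.
SELECTION = {
    "User": "root",
    "LogonId": 0,
    "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
    "CommandLine|contains": "/bin/sh",
}

# Constructed sample events (not real telemetry). Only the first should fire.
SAMPLE_EVENTS = [
    # root, logon session 0, SCX tmp directory, command run through /bin/sh
    {"User": "root", "LogonId": 0,
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh -c id", "Image": "/bin/sh"},
    # same directory, but an ordinary user in a normal logon session
    {"User": "alice", "LogonId": 1001,
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh -c ls", "Image": "/bin/sh"},
    # root with LogonId delivered as a string, but cwd is the SCX log dir
    {"User": "root", "LogonId": "0",
     "CurrentDirectory": "/var/opt/microsoft/scx/log",
     "CommandLine": "/bin/sh -c uptime", "Image": "/bin/sh"},
    # root in the SCX tmp dir, but a binary launched directly, no /bin/sh
    {"User": "root", "LogonId": 0,
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/usr/bin/uptime", "Image": "/usr/bin/uptime"},
]


def _field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Check one selection entry. Sigma compares values as case-insensitive
    strings, so an integer such as LogonId: 0 is normalised with str()."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    want = str(expected).lower()
    if modifier == "":
        return actual == want
    if modifier == "contains":
        return want in actual
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict[str, Any],
                      selection: dict[str, Any] = SELECTION) -> bool:
    """A Sigma selection map is an implicit AND of all its entries."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matching_indices(events: list[dict[str, Any]],
                     selection: dict[str, Any] = SELECTION) -> list[int]:
    """Indices of events that satisfy 'condition: selection'."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The three non-matching events show why the rule ANDs all four fields: a /bin/sh spawn by a non-root user, a root shell started from a different SCX directory, and a binary the agent launches directly without a shell all stay silent. The remaining false positive listed on the page, legitimate use of Invoke_ExecuteShellCommand, produces an event with exactly the same four field values, so triage of a hit has to look at what the /bin/sh command line actually ran.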

False Positives

Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.

Rule Metadata
Rule ID
21541900-27a9-4454-9c4c-3f0a4240344a
Status
test
Level
high
Type
Detection
Created
Fri Oct 15
Modified
Wed Oct 05
Path
rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
Raw Tags
attack.privilege-escalation
attack.initial-access
attack.execution
attack.t1068
attack.t1190
attack.t1203