
OMIGOD SCX RunAsProvider ExecuteScript

Rule to detect use of the SCX RunAsProvider ExecuteScript method to run an arbitrary UNIX/Linux script through the /bin/sh shell. The script being executed is first written as a temporary file in the /tmp folder with an scx* prefix; it is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, which started life as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a range of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Created: Fri Oct 15
Updated: Wed Oct 05
Rule ID: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
Product: linux
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (1 selector)
detection:
    selection:
        User: root
        LogonId: 0
        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
        CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
    condition: selection
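The selection above ANDs four field tests: two equality checks (User, LogonId), one on the working directory, and a substring check on the command line. As an added example (not part of the Sigma project or this rule's source), the following Python evaluates that selection against a few constructed process-creation events; the event dictionaries, their `id` values and the `find_matches` helper are assumptions made for the demonstration, and field names mirror the rule's own (User, LogonId, CurrentDirectory, CommandLine).

```python
# Added example: apply the Sigma selection of the OMIGOD SCX RunAsProvider
# ExecuteScript rule to constructed process-creation events.
# Not project code; the sample events below are constructed for illustration.

from typing import Any, Dict, List, Optional

# The selection map copied from the rule. Sigma ANDs every key/value pair
# inside one selection; a "|contains" suffix switches the test from
# equality to substring matching.
SELECTION: Dict[str, Any] = {
    "User": "root",
    "LogonId": 0,
    "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
    "CommandLine|contains": "/etc/opt/microsoft/scx/conf/tmpdir/scx",
}


def field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one Sigma field test against an event.

    Sigma treats values as case-insensitive strings by default, so both
    sides are normalised with casefold() before comparison. A missing
    field never matches.
    """
    field, modifier = (key.split("|", 1) + [None])[:2]  # type: ignore[list-item]
    if field not in event:
        return False
    actual = str(event[field]).casefold()
    wanted = str(expected).casefold()
    if modifier is None:
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event: Dict[str, Any],
                      selection: Optional[Dict[str, Any]] = None) -> bool:
    """True when every field test in the selection holds (logical AND)."""
    sel = SELECTION if selection is None else selection
    return all(field_matches(event, k, v) for k, v in sel.items())


# Constructed sample events (hypothetical values, not captured telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # Matches: root, logon 0, SCX temp dir, scx-prefixed script in tmpdir
        "id": "evt-1", "User": "root", "LogonId": 0,
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxAbC123",
    },
    {   # Does not match: same command but not executed as root
        "id": "evt-2", "User": "omi", "LogonId": 0,
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxAbC123",
    },
    {   # Does not match: working directory differs from the SCX temp dir
        "id": "evt-3", "User": "root", "LogonId": 0,
        "CurrentDirectory": "/root",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxXyZ",
    },
    {   # Does not match: script path lacks the tmpdir/scx prefix
        "id": "evt-4", "User": "root", "LogonId": "0",
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "CommandLine": "/bin/sh /tmp/scx-report.sh",
    },
]


def find_matches(events: List[Dict[str, Any]]) -> List[str]:
    """Return the ids of events that satisfy the rule's selection."""
    return [e["id"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "MATCH" if matches_selection(event) else "no match")
```

Running the block prints one verdict per sample event; only `evt-1` matches. Note that `evt-4` carries `LogonId` as the string `"0"` rather than the integer 0 and still passes that particular test, which mirrors Sigma's string-based comparison; it is rejected only because its command line lacks the `/etc/opt/microsoft/scx/conf/tmpdir/scx` prefix.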
False Positives

Legitimate use of SCX RunAsProvider ExecuteScript.

Rule Metadata
Rule ID
6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
Status
test
Level
high
Type
Detection
Created
Fri Oct 15
Modified
Wed Oct 05
Path
rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml
Raw Tags
attack.privilege-escalation, attack.initial-access, attack.execution, attack.t1068, attack.t1190, attack.t1203