
OMIGOD HTTP No Authentication RCE - CVE-2021-38647

Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see whether suspicious commands or activity occurred within the timeframe of this HTTP request.

Author: Nate Guagenti (neu5ron)
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: Zeek (Bro) (logsource product: zeek)
Service: http (logsource service: http)

Definition

Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek

Detection Logic (3 selectors)
detection:
    selection:
        status_code: 200
        uri: /wsman
        method: POST
    auth_header:
        client_header_names|contains: 'AUTHORIZATION'
    too_small_http_client_body:
        request_body_len: 0
    # winrm_ports:
    #    id.resp_p:
    #        -  5985
    #        -  5986
    #        -  1270
    condition: selection and not auth_header and not too_small_http_client_body
    # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
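The same condition applied in code, as an added example that is not part of the rule or of SigmaHQ: it evaluates each selector against JSON-formatted Zeek http.log records (field names as Zeek emits them, `client_header_names` coming from the header-names script above) and also supports the optional WinRM-port restriction. The log records are constructed samples, not captured traffic.

```python
import json
from typing import Iterable, List

# Default WinRM/OMI listener ports from the rule's commented-out winrm_ports selector.
WINRM_PORTS = {5985, 5986, 1270}


def matches_omigod_rule(rec: dict, winrm_ports_only: bool = False) -> bool:
    """Evaluate 'selection and not auth_header and not too_small_http_client_body'
    against one JSON-formatted Zeek http.log record."""
    # selection: HTTP POST to /wsman that the OMI server answered with 200
    selection = (rec.get("method") == "POST" and rec.get("uri") == "/wsman"
                 and rec.get("status_code") == 200)
    # auth_header: any logged client header name contains AUTHORIZATION
    # (Sigma matching is case-insensitive; Zeek's header-names script logs names uppercased)
    names = rec.get("client_header_names") or []
    auth_header = any("AUTHORIZATION" in str(n).upper() for n in names)
    # too_small_http_client_body: an empty body carries no payload to execute
    too_small_body = rec.get("request_body_len") == 0
    # optional winrm_ports selector, disabled by default in the rule for broader coverage
    if winrm_ports_only and rec.get("id.resp_p") not in WINRM_PORTS:
        return False
    return selection and not auth_header and not too_small_body


def find_hits(log_lines: Iterable[str], winrm_ports_only: bool = False) -> List[str]:
    """Return the Zeek connection uids of records that match the rule."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)  # one JSON object per line (Zeek JSON log format)
        if matches_omigod_rule(rec, winrm_ports_only):
            hits.append(rec["uid"])
    return hits


# Constructed sample records (not real traffic); fields follow Zeek's http.log naming.
# C1: match. C2: Authorization header present. C3: empty body. C4: match on a
# non-default port. C5: server answered 401.
SAMPLE_HTTP_LOG = """
{"uid":"C1","id.resp_p":5986,"method":"POST","uri":"/wsman","status_code":200,"request_body_len":742,"client_header_names":["HOST","CONTENT-TYPE","CONTENT-LENGTH"]}
{"uid":"C2","id.resp_p":5985,"method":"POST","uri":"/wsman","status_code":200,"request_body_len":742,"client_header_names":["HOST","AUTHORIZATION","CONTENT-TYPE"]}
{"uid":"C3","id.resp_p":5985,"method":"POST","uri":"/wsman","status_code":200,"request_body_len":0,"client_header_names":["HOST","CONTENT-TYPE"]}
{"uid":"C4","id.resp_p":8443,"method":"POST","uri":"/wsman","status_code":200,"request_body_len":512,"client_header_names":["HOST","CONTENT-TYPE"]}
{"uid":"C5","id.resp_p":5986,"method":"POST","uri":"/wsman","status_code":401,"request_body_len":512,"client_header_names":["HOST","CONTENT-TYPE"]}
"""

if __name__ == "__main__":
    print(find_hits(SAMPLE_HTTP_LOG.splitlines()))                        # ['C1', 'C4']
    print(find_hits(SAMPLE_HTTP_LOG.splitlines(), winrm_ports_only=True))  # ['C1']
```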
False Positives

Exploits that were attempted but unsuccessful.

Scanning attempts with the abnormal use of the HTTP POST method and no indication of code execution within the HTTP client (request) body. An example would be vulnerability scanners trying to identify unpatched versions without actually exploiting the vulnerability. See the description for investigation tips.

Rule Metadata
Rule ID
ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
Status
stable
Level
high
Type
Emerging Threat
Created
Mon Sep 20
Modified
Mon Nov 03
Path
rules-emerging-threats/2021/Exploits/CVE-2021-38647/zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml
Raw Tags
attack.privilege-escalation, attack.initial-access, attack.execution, attack.lateral-movement, attack.t1068, attack.t1190, attack.t1203, attack.t1021.006, attack.t1210, detection.emerging-threats, cve.2021-38647