LoFP / legitimate use of SCX RunAsProvider ExecuteScript

Techniques

Sample rules

OMIGOD SCX RunAsProvider ExecuteScript

Description

Rule to detect use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script with the /bin/sh shell. The script being executed is created as a temporary file in the /tmp folder with an scx* prefix, and is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Detection logic

condition: selection
selection:
  CommandLine|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx
  CurrentDirectory: /var/opt/microsoft/scx/tmp
  LogonId: 0
  User: root
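As an added example (not part of this LoFP page or the Sigma project), the selection above evaluated in Python over constructed process-creation events, including a non-root run through the same tmpdir path that the rule does not flag; field names come from the rule, the event values are invented.

```python
# Selection copied from the rule: `|contains` is a substring match, plain
# fields are exact matches, and every field must match (Sigma AND semantics).
SELECTION = {
    "CommandLine|contains": "/etc/opt/microsoft/scx/conf/tmpdir/scx",
    "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
    "LogonId": "0",
    "User": "root",
}

def field_matches(spec: str, expected: str, event: dict) -> bool:
    """Apply one Sigma field condition (plain or |contains) to an event."""
    field, _, modifier = spec.partition("|")
    if field not in event:
        return False
    value = str(event[field])  # LogonId may be logged as an integer
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def selection_matches(event: dict) -> bool:
    """True when every field in SELECTION matches (condition: selection)."""
    return all(field_matches(s, e, event) for s, e in SELECTION.items())

def matching_events(events: list) -> list:
    """Return the CommandLine of each event that would trigger the rule."""
    return [ev["CommandLine"] for ev in events if selection_matches(ev)]

# Constructed sample events (values are invented for this example).
SAMPLE_EVENTS = [
    {  # script executed via SCX RunAsProvider as root: triggers the rule
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxAb12Cd",
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "LogonId": 0,
        "User": "root",
    },
    {  # same tmpdir path, but not root and not LogonId 0: no alert
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxEf34Gh",
        "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
        "LogonId": 1001,
        "User": "omsagent",
    },
    {  # ordinary root shell script outside the SCX tmpdir: no alert
        "CommandLine": "/bin/sh /usr/local/bin/backup.sh",
        "CurrentDirectory": "/root",
        "LogonId": 0,
        "User": "root",
    },
]
```

Because the rule matches on a path substring and root context only, a legitimate administrator-driven ExecuteScript run produces the same event shape as the OMIGOD abuse, so tuning should come from correlating with the originating OMI request rather than loosening the selection.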