Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.

Techniques

Sample rules

OMIGOD SCX RunAsProvider ExecuteShellCommand

Description

Rule to detect use of the SCX RunAsProvider Invoke_ExecuteShellCommand method, which runs an arbitrary UNIX/Linux command through the /bin/sh shell. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux agent, is now used in a range of products including Microsoft Operations Manager, Microsoft Azure and Microsoft Operations Management Suite. Because the same provider is what legitimate management tooling uses to run commands on the host, a match is not by itself evidence of exploitation.

Detection logic

condition: selection
selection:
  CommandLine|contains: /bin/sh
  CurrentDirectory: /var/opt/microsoft/scx/tmp
  LogonId: 0
  User: root
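The selection above, evaluated over a handful of constructed process-creation events, as an added example that is not code from the Sigma project or from this page. It shows that the rule keys on four fields ANDed together (one substring test, three exact matches), that a legitimate SCX management command fires it exactly like the shape the rule was written for (which is the false positive noted above), and that a command line without the literal string /bin/sh slips past. The `is_known_scx_tooling` tuning hook, the event field names and the sample commands are assumptions made for the example.

```python
# Added example, not the Sigma project's or the LoFP page's code: evaluate the
# rule's `selection` over constructed Linux process_creation events and mark the
# legitimate-use case that the false-positive note refers to.

SCX_TMP = "/var/opt/microsoft/scx/tmp"   # CurrentDirectory the rule keys on


def matches(event: dict) -> bool:
    """All four selection fields must hold (Sigma ANDs the keys of a map).
    `CommandLine|contains` is a substring test; the other three are exact matches."""
    return (
        "/bin/sh" in event.get("CommandLine", "")
        and event.get("CurrentDirectory") == SCX_TMP
        and str(event.get("LogonId", "")) == "0"   # compare loosely: sources emit str or int
        and event.get("User") == "root"
    )


def is_known_scx_tooling(event: dict) -> bool:
    """Hypothetical tuning hook (an assumption, not part of the rule): treat
    commands that invoke SCX's own tools under /opt/microsoft/scx/ as legitimate use."""
    return "/opt/microsoft/scx/" in event.get("CommandLine", "")


def triage(events) -> dict:
    """Return {event_id: verdict} for every event that fires the rule."""
    verdicts = {}
    for e in events:
        if matches(e):
            verdicts[e["id"]] = "legitimate-scx-use" if is_known_scx_tooling(e) else "investigate"
    return verdicts


# Constructed sample events (not real logs); field names follow the rule's selection.
EVENTS = [
    # Shape the rule was written for: root, session 0, SCX tmp dir, /bin/sh -c <cmd>.
    {"id": "E1", "User": "root", "LogonId": 0, "CurrentDirectory": SCX_TMP,
     "CommandLine": "/bin/sh -c id"},
    # Legitimate management use through the same provider: fires identically.
    {"id": "E2", "User": "root", "LogonId": "0", "CurrentDirectory": SCX_TMP,
     "CommandLine": "/bin/sh -c /opt/microsoft/scx/bin/tools/scxadmin -status"},
    # Wrong working directory: no match.
    {"id": "E3", "User": "root", "LogonId": 0, "CurrentDirectory": "/root",
     "CommandLine": "/bin/sh -c ls"},
    # Non-root user and non-zero session: no match.
    {"id": "E4", "User": "omi", "LogonId": 1000, "CurrentDirectory": SCX_TMP,
     "CommandLine": "/bin/sh -c id"},
    # Same context but the command line lacks the literal "/bin/sh": no match (coverage gap).
    {"id": "E5", "User": "root", "LogonId": 0, "CurrentDirectory": SCX_TMP,
     "CommandLine": "bash -c id"},
]


if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS).items():
        print(event_id, verdict)
```

E1 and E2 both fire; only the hypothetical allowlist separates them, which is why the false-positive entry exists. E5 shows that the `contains: /bin/sh` clause is the fragile part of the selection: anything that reaches the shell by another path or name is not covered.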