Techniques
Sample rules
OMIGOD SCX RunAsProvider ExecuteShellCommand
- source: sigma
- techniques:
- t1068
- t1190
- t1203
Description
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Detection logic
condition: selection
selection:
CommandLine|contains: /bin/sh
CurrentDirectory: /var/opt/microsoft/scx/tmp
LogonId: 0
User: root
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
- source: sigma
- techniques:
- t1068
- t1190
- t1203
Description
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Detection logic
condition: selection
selection:
comm: sh
cwd: /var/opt/microsoft/scx/tmp
syscall: execve
type: SYSCALL
uid: 0
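The two selections above are easy to misread as "any root /bin/sh": every field in a Sigma selection map is ANDed, so a root shell from any directory other than the SCX scratch directory does not fire, and the auditd variant only works once the collector has merged the SYSCALL and CWD records and resolved the syscall number to a name. The following added example (mine, not code from the Sigma project or the rule authors) runs both selections over constructed events to show exactly that. It assumes process-creation events arrive as flat dicts with Sysmon-for-Linux field names, that auditd records are merged per audit id the way auditbeat or ausearch -i would, and an x86_64 syscall table; the sample events and log lines are constructed, not real telemetry.

```python
import re

# Selections copied from the two rules above. A Sigma selection map ANDs all
# its entries; '|contains' is the only modifier either rule uses.
PROCESS_CREATION_SELECTION = {
    "CommandLine|contains": "/bin/sh",
    "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
    "LogonId": 0,
    "User": "root",
}
AUDITD_SELECTION = {
    "comm": "sh", "cwd": "/var/opt/microsoft/scx/tmp",
    "syscall": "execve", "type": "SYSCALL", "uid": 0,
}


def matches(event: dict, selection: dict) -> bool:
    """AND every selection entry against one flat event. Handles the bare
    (equals) form and '|contains'; comparison is case-insensitive on the
    string form, as Sigma specifies. An unknown modifier raises instead of
    silently never matching."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        have, want = str(event[field]).lower(), str(expected).lower()
        if modifier == "":
            ok = have == want
        elif modifier == "contains":
            ok = want in have
        else:
            raise ValueError(f"unsupported Sigma modifier {modifier!r} in {key!r}")
        if not ok:
            return False
    return True


def hits(events: list, selection: dict) -> list:
    return [e for e in events if matches(e, selection)]


# auditd: raw records sharing one audit id -> one flat event with the rule's field names
AUDIT_HEADER = re.compile(r"^type=(?P<rec>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SYSCALL_NAMES_X86_64 = {"59": "execve", "322": "execveat"}  # assumption: arch=c000003e only


def parse_auditd(lines: list) -> list:
    """Merge SYSCALL, CWD and EXECVE records into one dict per audit id, which
    is what a collector does before the rule is evaluated; on raw lines the
    'syscall=59' number would never equal 'execve' and cwd is a separate record."""
    events: dict = {}
    for line in lines:
        m = AUDIT_HEADER.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m["id"], {})
        fields = {k: v.strip('"') for k, v in KV.findall(m["body"])}
        if m["rec"] == "SYSCALL":
            ev.update(fields)
            ev["type"] = "SYSCALL"
            ev["uid"] = int(fields["uid"])
            if fields.get("arch") == "c000003e":
                ev["syscall"] = SYSCALL_NAMES_X86_64.get(fields["syscall"], fields["syscall"])
        elif m["rec"] == "CWD":
            ev["cwd"] = fields["cwd"]
        elif m["rec"] == "EXECVE":
            ev["cmdline"] = " ".join(fields[f"a{i}"] for i in range(int(fields["argc"])))
    return list(events.values())


# Constructed sample input (not real telemetry).
PROCESS_EVENTS = [
    # OMI agent spawning a shell from the SCX scratch directory as root: should match
    {"ParentImage": "/opt/omi/bin/omiagent", "CommandLine": "/bin/sh -c id",
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp", "LogonId": 0, "User": "root"},
    # Root cron job using /bin/sh elsewhere: must not match (CurrentDirectory differs)
    {"ParentImage": "/usr/sbin/cron", "CommandLine": "/bin/sh -c /usr/local/bin/backup.sh",
     "CurrentDirectory": "/root", "LogonId": 0, "User": "root"},
    # Right directory, unprivileged user: must not match (LogonId/User differ)
    {"ParentImage": "/bin/bash", "CommandLine": "/bin/sh -c ls",
     "CurrentDirectory": "/var/opt/microsoft/scx/tmp", "LogonId": 1000, "User": "omi"},
]
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1631700000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1345 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="omi_exec"',
    'type=EXECVE msg=audit(1631700000.123:4567): argc=3 a0="/bin/sh" a1="-c" a2="id"',
    'type=CWD msg=audit(1631700000.123:4567): cwd="/var/opt/microsoft/scx/tmp"',
    # Second event arrives CWD-first: interactive root shell in a home directory, must not match
    'type=CWD msg=audit(1631700000.456:4570): cwd="/home/admin"',
    'type=EXECVE msg=audit(1631700000.456:4570): argc=2 a0="/bin/sh" a1="-i"',
    'type=SYSCALL msg=audit(1631700000.456:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1400 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="omi_exec"',
]

if __name__ == "__main__":
    for e in hits(PROCESS_EVENTS, PROCESS_CREATION_SELECTION):
        print("process_creation hit:", e["ParentImage"], "->", e["CommandLine"])
    for e in hits(parse_auditd(AUDITD_LINES), AUDITD_SELECTION):
        print("auditd hit:", e["cmdline"], "in", e["cwd"])
```

Only the first event in each set fires. Two points carry over to a real deployment: the auditd rule depends on the collector's normalization (merged CWD record, syscall name rather than number), so check what your pipeline emits before assuming coverage; and because the selection keys purely on directory, user and shell, any administrator or monitoring script that legitimately invokes the provider produces the same event, so the hit needs triage on parent process and command line rather than being treated as confirmed exploitation.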