LoFP / legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand

Techniques

Sample rules

OMIGOD SCX RunAsProvider ExecuteShellCommand

Description

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Detection logic

condition: selection
selection:
  CommandLine|contains: /bin/sh
  CurrentDirectory: /var/opt/microsoft/scx/tmp
  LogonId: 0
  User: root

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

Description

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Detection logic

condition: selection
selection:
  comm: sh
  cwd: /var/opt/microsoft/scx/tmp
  syscall: execve
  type: SYSCALL
  uid: 0
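The two selections above (process creation and auditd), implemented as plain predicates and run over constructed sample events, as an added example that is not part of the LoFP page or the Sigma rules themselves. The event dictionaries, their field names and the sample values are assumptions made for illustration; `CommandLine|contains` is modelled as a substring test.

```python
# Added example: the two Sigma selections from this page as Python predicates.
# Event shapes and sample values are constructed assumptions, not real telemetry.

SCX_TMP = "/var/opt/microsoft/scx/tmp"


def match_process_creation(event: dict) -> bool:
    """Process-creation selection: /bin/sh run as root (LogonId 0)
    with the SCX temp directory as the working directory."""
    return (
        "/bin/sh" in str(event.get("CommandLine", ""))  # CommandLine|contains
        and event.get("CurrentDirectory") == SCX_TMP
        and str(event.get("LogonId")) == "0"
        and event.get("User") == "root"
    )


def match_auditd(event: dict) -> bool:
    """Auditd selection: a SYSCALL execve record for comm=sh, uid 0,
    with cwd set to the SCX temp directory."""
    return (
        event.get("type") == "SYSCALL"
        and event.get("syscall") == "execve"
        and event.get("comm") == "sh"
        and event.get("cwd") == SCX_TMP
        and str(event.get("uid")) == "0"
    )


# Constructed sample events: one true positive per rule plus near misses.
PROCESS_EVENTS = [
    {"CommandLine": "/bin/sh -c id", "CurrentDirectory": SCX_TMP, "LogonId": 0, "User": "root"},
    {"CommandLine": "/bin/sh -c ls", "CurrentDirectory": "/root", "LogonId": 0, "User": "root"},
    {"CommandLine": "/bin/sh -c id", "CurrentDirectory": SCX_TMP, "LogonId": 1000, "User": "omi"},
]
AUDITD_EVENTS = [
    {"type": "SYSCALL", "syscall": "execve", "comm": "sh", "cwd": SCX_TMP, "uid": 0},
    {"type": "SYSCALL", "syscall": "execve", "comm": "bash", "cwd": SCX_TMP, "uid": 0},
    {"type": "CWD", "syscall": "execve", "comm": "sh", "cwd": SCX_TMP, "uid": 0},
]


def run() -> tuple:
    """Return how many sample events each rule flags: (process_creation, auditd)."""
    return (
        sum(1 for e in PROCESS_EVENTS if match_process_creation(e)),
        sum(1 for e in AUDITD_EVENTS if match_auditd(e)),
    )


if __name__ == "__main__":
    print(run())  # (1, 1)
```

Raw auditd records carry the syscall as a number and the uid as a raw value; the auditd rule assumes the log has been interpreted (for example with `ausearch -i`) or normalised by the log pipeline so that `syscall` reads `execve`.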