Techniques
Sample rules
OMIGOD HTTP No Authentication RCE
- source: sigma
- techniques:
  - t1021
  - t1021.006
  - t1068
  - t1190
  - t1203
  - t1210
Description
Detects exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Detection logic
auth_header:
  client_header_names|contains: AUTHORIZATION
condition: selection and not auth_header and not too_small_http_client_body
selection:
  method: POST
  status_code: 200
  uri: /wsman
too_small_http_client_body:
  request_body_len: 0
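To show how the condition above evaluates, here is an added Python example (not part of the original rule or of the Sigma project) that applies the same selection and the two exclusions to a few constructed Zeek-style http.log records. The field names are those used by the rule; the records, their uids and body lengths are constructed sample data.

```python
from typing import Any, Dict, List

# Constructed Zeek-style http.log records (not real traffic). Field names
# follow the rule: method, uri, status_code, client_header_names, request_body_len.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"uid": "c1", "method": "POST", "uri": "/wsman", "status_code": 200,
     "client_header_names": ["HOST", "CONTENT-TYPE"], "request_body_len": 412},
    {"uid": "c2", "method": "POST", "uri": "/wsman", "status_code": 200,
     "client_header_names": ["HOST", "AUTHORIZATION"], "request_body_len": 412},
    {"uid": "c3", "method": "POST", "uri": "/wsman", "status_code": 200,
     "client_header_names": ["HOST"], "request_body_len": 0},
    {"uid": "c4", "method": "GET", "uri": "/wsman", "status_code": 200,
     "client_header_names": ["HOST"], "request_body_len": 0},
    {"uid": "c5", "method": "POST", "uri": "/wsman", "status_code": "401",
     "client_header_names": ["HOST"], "request_body_len": 300},
]


def selection(rec: Dict[str, Any]) -> bool:
    # Sigma 'selection': all listed field/value pairs must match.
    # status_code is normalised because some pipelines emit it as a string.
    return (rec.get("method") == "POST"
            and int(rec.get("status_code", 0)) == 200
            and rec.get("uri") == "/wsman")


def auth_header(rec: Dict[str, Any]) -> bool:
    # '|contains' on a list-valued field is true if any element contains the
    # substring; Sigma string matching is case-insensitive by default.
    return any("AUTHORIZATION" in str(h).upper()
               for h in rec.get("client_header_names", []))


def too_small_http_client_body(rec: Dict[str, Any]) -> bool:
    # An empty request body cannot carry anything for the server to execute.
    return int(rec.get("request_body_len", 0)) == 0


def matches_rule(rec: Dict[str, Any]) -> bool:
    # condition: selection and not auth_header and not too_small_http_client_body
    return (selection(rec) and not auth_header(rec)
            and not too_small_http_client_body(rec))


def find_matches(records: List[Dict[str, Any]]) -> List[str]:
    # Return the uids of matching connections; each is a lead to pull from PCAP.
    return [r["uid"] for r in records if matches_rule(r)]


if __name__ == "__main__":
    print(find_matches(SAMPLE_RECORDS))  # prints ['c1']
```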