Fix auditd field name
frack113 committed Nov 11, 2021
1 parent 735e5ea commit bd3358d
Showing 3 changed files with 6 additions and 6 deletions.
Expand Up @@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a
description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/18
modified: 2021/11/11
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
Expand All @@ -21,7 +22,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
uid: '0'
cwd: '/var/opt/microsoft/scx/tmp'
cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx
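Review bot: the rename of the selection key from `SYSCALL` to `syscall` makes it consistent with the other keys in this selection (`uid`, `cwd`, `cmdline`), which are already lowercase, while the `type: 'SYSCALL'` value correctly stays uppercase because that is the record type string itself, not a field name. One check before merging: the value is kept as the name `'execve'`, but a raw auditd record carries the syscall as a number unless the log has been interpreted (for example with `ausearch -i`) or the backend's field mapping resolves syscall names, so this rule only fires if the collection pipeline normalises that field. If other auditd rules in the repository still use the uppercase key, apply the same change there so the field name is uniform across the rule set.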
Expand Up @@ -3,6 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a
description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/17
modified: 2021/11/11
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
Expand All @@ -20,12 +21,11 @@ logsource:
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
uid: '0'
cwd: '/var/opt/microsoft/scx/tmp'
comm: 'sh'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
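Review bot: with the key renamed, the only remaining difference between this selection and the ExecuteScript rule changed earlier in this commit is that this one pins `comm: 'sh'` while the other matches on `cmdline|contains`; since the description says the command is run through `/bin/sh`, matching `comm` exactly is intentional, but a short note in the rule (or in the description) on why `comm` rather than the command line is used here would help maintainers who try to align the two rules later. The `modified: 2021/11/11` bump in the first hunk of this file is consistent with the other two files in the commit.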

5 changes: 2 additions & 3 deletions rules/linux/auditd/lnx_auditd_web_rce.yml
Expand Up @@ -4,17 +4,16 @@ status: experimental
description: Detects possible command execution by web application/web shell
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
modified: 2021/11/11
references:
- personal experience

logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
key: 'detect_execve_www'
condition: selection
falsepositives:
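Review bot: the field rename is consistent with the other two files, but `key: 'detect_execve_www'` only matches if an audit rule tagged with that key has actually been loaded on the host, and the `references` list gives only `personal experience`, so the prerequisite is invisible to anyone deploying the rule. Consider adding the required auditctl rule (or at least a sentence stating that the `detect_execve_www` key must be configured) to the description or references, so users know why the rule is silent on a host without that audit configuration.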