From bd3358d33c03c84dcc532b007d385168e7b63757 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 11 Nov 2021 10:13:48 +0100
Subject: [PATCH] Fix auditd field name
---
 .../lnx_auditd_omigod_scx_runasprovider_executescript.yml | 3 ++-
 ...x_auditd_omigod_scx_runasprovider_executeshellcommand.yml | 4 ++--
 rules/linux/auditd/lnx_auditd_web_rce.yml | 5 ++---
 3 files changed, 6 insertions(+), 6 deletions(-)
 rename {rules/linux/auditd => rules-unsupported}/lnx_auditd_omigod_scx_runasprovider_executescript.yml (96%)
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml b/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml
similarity index 96%
rename from rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml
rename to rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml
index a760be6da2a..8571eee417e 100644
--- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml
+++ b/rules-unsupported/lnx_auditd_omigod_scx_runasprovider_executescript.yml
@@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a
 description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
 status: experimental
 date: 2021/09/18
+modified: 2021/11/11
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.privilege_escalation
@@ -21,7 +22,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- SYSCALL: 'execve'
+ syscall: 'execve'
 uid: '0'
 cwd: '/var/opt/microsoft/scx/tmp'
 cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx
diff --git a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
index d98c1a541c4..0cd7848208c 100644
--- a/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
@@ -3,6 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a
 description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
 status: experimental
 date: 2021/09/17
+modified: 2021/11/11
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.privilege_escalation
@@ -20,7 +21,7 @@ logsource:
 detection:
 selection:
 type: 'SYSCALL'
- SYSCALL: 'execve'
+ syscall: 'execve'
 uid: '0'
 cwd: '/var/opt/microsoft/scx/tmp'
 comm: 'sh'
@@ -28,4 +29,3 @@ detection:
 falsepositives:
 - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
 level: high
-
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index 32b3c16f55d..69a36bdc080 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
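Review bot: `syscall: 'execve'` matches the syscall by name, but an auditd SYSCALL record in RAW log format carries it as an architecture-dependent number (`syscall=59` for execve on x86_64), and if I read auditd's ENRICHED format correctly the resolved name is appended under an uppercase `SYSCALL="execve"` key — the spelling the old rule used — so the rename only matches where the collector or backend field mapping normalizes the interpreted name into `syscall`. That assumption is worth recording above the field, `# assumes the backend maps the interpreted syscall name into 'syscall'; raw auditd records carry the number`, and the same applies to the identical change at `@@ -20,7 +21,7 @@` in lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml and in lnx_auditd_web_rce.yml. The file header moves this rule to `rules-unsupported/` without the commit message saying why; if the reason is the `cmdline|contains` field at the end of this hunk, a sentence in the message or in the rule would spare the next reader the guess.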
@@ -4,17 +4,16 @@ status: experimental
 description: Detects possible command execution by web application/web shell
 author: Ilyas Ochkov, Beyu Denis, oscd.community
 date: 2019/10/12
-modified: 2019/11/04
+modified: 2021/11/11
 references:
 - personal experience
-
 logsource:
 product: linux
 service: auditd
 detection:
 selection:
 type: 'SYSCALL'
- SYSCALL: 'execve'
+ syscall: 'execve'
 key: 'detect_execve_www'
 condition: selection
 falsepositives:
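Review bot: The selection keys on `key: 'detect_execve_www'`, which only exists on hosts whose audit rules tag execve with that `-k` key; nothing in the rule says so, so where that audit rule is missing the detection silently never fires. A comment above the field would make the prerequisite explicit, `# requires an audit rule tagging execve with -k detect_execve_www`, and the description could state it as well. The `syscall` rename carries the same name-versus-number caveat as the corresponding hunks in the two SCX rules. The `falsepositives` list continues past the end of the hunk.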