
Summary
This detection rule identifies use of the SCX RunAsProvider's Invoke_ExecuteShellCommand on Linux, which executes UNIX/Linux commands through the /bin/sh shell. SCXcore began as the Microsoft Operations Manager agent for UNIX/Linux and has since been incorporated into various Microsoft products, including Azure services. The rule matches process executions where the user is 'root', the working directory is '/var/opt/microsoft/scx/tmp', and the command line contains '/bin/sh'. Because root access implies privileged operations, a command executed this way can indicate a potential security threat such as privilege escalation or unauthorized access. Detecting such commands matters particularly in light of the OMIGOD exploit, which can allow attackers to gain elevated privileges through flaws in the Open Management Infrastructure (OMI) service. The rule therefore helps maintain the integrity of Linux systems running these agents by enabling timely detection of potentially malicious actions that could compromise system security.
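The three match conditions above, applied to constructed process-creation events (added example, not code from the rule itself; the field names User, CurrentDirectory and CommandLine are assumed to follow the Sigma process_creation convention):

```python
# Added example (not part of the original rule page): evaluate the rule's
# three conditions against process-creation events and return the hits.
# Field names (User, CurrentDirectory, CommandLine) are an assumption based on
# the Sigma process_creation convention; map them to your own log source.
from typing import Iterable

SCX_TMP_DIR = "/var/opt/microsoft/scx/tmp"
SHELL = "/bin/sh"


def matches_scx_shell_rule(event: dict) -> bool:
    """Return True only when all three rule conditions hold for the event."""
    user_is_root = event.get("User") == "root"
    # The rule keys on the directory the command was started in, not on the
    # image path, so an exact comparison of the working directory is used.
    cwd_is_scx_tmp = event.get("CurrentDirectory") == SCX_TMP_DIR
    shell_in_cmdline = SHELL in event.get("CommandLine", "")
    return user_is_root and cwd_is_scx_tmp and shell_in_cmdline


def scan_events(events: Iterable[dict]) -> list:
    """Return the subset of events that trigger the rule, for analyst triage.

    Matches include legitimate administrative use of the provider, so hits
    should be correlated with change records before being treated as hostile.
    """
    return [e for e in events if matches_scx_shell_rule(e)]


# Constructed sample events: one that should fire and three that must not.
SAMPLE_EVENTS = [
    {"User": "root", "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh -c 'id'"},                          # fires
    {"User": "omi", "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/bin/sh -c 'uptime'"},                      # not root
    {"User": "root", "CurrentDirectory": "/root",
     "CommandLine": "/bin/sh -c 'apt-get update'"},              # other directory
    {"User": "root", "CurrentDirectory": "/var/opt/microsoft/scx/tmp",
     "CommandLine": "/usr/bin/python3 collect.py"},              # no /bin/sh
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT OMIGOD SCX RunAsProvider shell execution:", hit["CommandLine"])
```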
Categories
- Linux
- Cloud
- Infrastructure
Data Sources
- Process
Created: 2021-10-15