Adding more images to the rule.
Milad Cheraghi committed Nov 2, 2024
1 parent e584cf7 commit 28c7a89
Showing 1 changed file with 9 additions and 2 deletions.
@@ -10,7 +10,7 @@ references:
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
modified: 2024-11-02
tags:
- attack.privilege-escalation
- attack.initial-access
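Review bot: the `modified:` bump to 2024-11-02 is the right thing to do when the detection block changes, but the commit message ("Adding more images to the rule.") does not describe what this commit actually does, which is extending the `CommandLine|contains` list with additional shell interpreters; consider amending the message so the rule history stays searchable (e.g. "Add more shell interpreter paths to SCX RunAsProvider rule").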
@@ -26,7 +26,14 @@ detection:
User: root
LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/bin/sh'
CommandLine|contains:
- '/bin/sh'
- '/bin/dash'
- '/bin/csh'
- '/bin/tcsh'
- '/bin/ksh'
- '/bin/ksh93'
- '/bin/bash'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
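Review bot: the `- '/bin/ksh93'` entry is redundant under `contains` semantics, because any command line containing `/bin/ksh93` already contains `/bin/ksh`, so the list can drop it without loss of coverage. The rest of the list is fine: a list under `CommandLine|contains` is OR'ed in Sigma, so the selection now fires when the `CurrentDirectory` is `/var/opt/microsoft/scx/tmp` and the command line contains any one of the listed interpreters, which is a strict superset of the previous single-string match. Since the selection is anchored on `User: root`, `LogonId: 0` and the SCX temp directory rather than on the interpreter alone, the broader list should not materially change the false-positive profile already documented under `falsepositives`.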
