From 4d23dd2244e2ddd5ecf7d72b0f37509c1ef7753a Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sat, 2 Nov 2024 17:01:33 +0330
Subject: [PATCH] Adding more images to the rule.
---
 ...x_omigod_scx_runasprovider_executeshellcommand.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
index b985e82b4b8..55fc3cdfb04 100644
--- a/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml
@@ -10,7 +10,7 @@ references:
 - https://github.com/Azure/Azure-Sentinel/pull/3059
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
 date: 2021-10-15
-modified: 2022-10-05
+modified: 2024-11-02
 tags:
 - attack.privilege-escalation
 - attack.initial-access
@@ -26,7 +26,14 @@ detection:
 User: root
 LogonId: 0
 CurrentDirectory: '/var/opt/microsoft/scx/tmp'
-CommandLine|contains: '/bin/sh'
+CommandLine|contains:
+ - '/bin/sh'
+ - '/bin/dash'
+ - '/bin/csh'
+ - '/bin/tcsh'
+ - '/bin/ksh'
+ - '/bin/ksh93'
+ - '/bin/bash'
 condition: selection
 falsepositives:
 - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
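Review bot: The new `'/bin/ksh93'` entry in the `CommandLine|contains` list is redundant, because any command line that contains `/bin/ksh93` already contains `/bin/ksh`, so the list can drop that line without changing what the rule matches. Since the modifier is a substring match, these values also already cover `/usr/bin/...` and other prefixed paths, which is worth stating in a short comment next to the list (for example `# contains-match: also covers /usr/bin/<shell> and similar prefixes`) so a later editor does not add those as separate entries. The commit subject speaks of adding "images", but the selection is on `CommandLine` rather than `Image`; if the intent is to key on the interpreter binary itself, an `Image|endswith` selector would be the more precise field and could be considered in a follow-up. The `selection:` block these lines belong to begins above the hunk.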