OMI Vulnerability Exploitation
| Field | Value |
| --- | --- |
| Id | 3cc5ccd8-b416-4141-bb2d-4eba370e37a5 |
| Rulename | OMI Vulnerability Exploitation |
| Description | Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework, this detection validates that every OMS agent reporting to the Microsoft Sentinel workspace has been updated with the patch. The detection goes over the heartbeats received from all agents over the last day and creates an alert for each agent that is not updated. |
| Severity | Medium |
| Tactics | InitialAccess |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml |
| Version | 1.1.3 |
| Arm template | 3cc5ccd8-b416-4141-bb2d-4eba370e37a5.json |
```kusto
let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
Heartbeat
| where Category == "Direct Agent"
// keep only the most recent heartbeat per host
| summarize arg_max(TimeGenerated, *) by Computer
// split the agent version into numeric parts so the compare is numeric, not lexicographic
| parse strcat("Version:", Version) with * "Version:" Major:long "." Minor:long "." Patch:long "-" *
| parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:" OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
| where Major < OMIVersionMajor
    or (Major == OMIVersionMajor and Minor < OMIVersionMinor)
    or (Major == OMIVersionMajor and Minor == OMIVersionMinor and Patch < OMIVersionPatch)
| project Version, Major, Minor, Patch, Computer, ComputerIP, OSType, OSName, ResourceId
```
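To check the rule's version comparison against known inputs before enabling it, here is an added KQL example (not part of the Azure-Sentinel rule) that runs the same pipeline over a constructed `datatable` standing in for `Heartbeat`; the host names, timestamps and version strings are made up, and only the columns the comparison needs are included.

```kusto
// Added example: the rule's comparison over constructed heartbeats, no workspace data read.
let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
let SampleHeartbeat = datatable(TimeGenerated:datetime, Computer:string, Category:string, Version:string)
[
    // vm-old reports twice; arg_max keeps only the latest heartbeat (still below the fix)
    datetime(2021-09-15 01:00:00), "vm-old",     "Direct Agent", "1.13.9-0",
    datetime(2021-09-15 09:00:00), "vm-old",     "Direct Agent", "1.13.33-0",
    // exactly the fix version: must not alert
    datetime(2021-09-15 09:00:00), "vm-patched", "Direct Agent", "1.13.40-0",
    // newer than the fix: must not alert
    datetime(2021-09-15 09:00:00), "vm-newer",   "Direct Agent", "1.14.1-0",
    // "1.9" sorts after "1.13" as a string but is older numerically;
    // the long-typed parse makes the compare numeric, so this one alerts
    datetime(2021-09-15 09:00:00), "vm-legacy",  "Direct Agent", "1.9.0-0",
    // constructed version without the "-build" suffix: parse yields nulls,
    // every comparison is null, and the row drops out silently
    datetime(2021-09-15 09:00:00), "vm-nodash",  "Direct Agent", "10.20.18053.0",
    // not a direct agent: filtered out before parsing
    datetime(2021-09-15 09:00:00), "vm-gateway", "SCOM Agent",   "1.13.1-0"
];
SampleHeartbeat
| where Category == "Direct Agent"
| summarize arg_max(TimeGenerated, *) by Computer
| parse strcat("Version:", Version) with * "Version:" Major:long "." Minor:long "." Patch:long "-" *
| parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:" OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
| where Major < OMIVersionMajor
    or (Major == OMIVersionMajor and Minor < OMIVersionMinor)
    or (Major == OMIVersionMajor and Minor == OMIVersionMinor and Patch < OMIVersionPatch)
| project Computer, Version, Major, Minor, Patch
```

The silently dropped row is the caveat worth knowing: the rule reports agents it can parse as below 1.13.40-0, not agents it cannot parse, so a host whose `Version` does not match the `major.minor.patch-build` shape is neither flagged nor confirmed patched.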
```yaml
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml
severity: Medium
tags:
  - OMIGOD
  - CVE-2021-38647
name: OMI Vulnerability Exploitation
entityMappings:
  - entityType: Host
    fieldMappings:
      - columnName: Computer
        identifier: HostName
  - entityType: AzureResource
    fieldMappings:
      - columnName: ResourceId
        identifier: ResourceId
metadata:
  support:
    tier: Community
  categories:
    domains:
      - Security - Vulnerability Management
  source:
    kind: Community
  author:
    name: Ron Marsiano
queryFrequency: 1d
triggerThreshold: 0
queryPeriod: 1d
description: |
  Following the September 14th, 2021 release of three Elevation of Privilege
  (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one
  unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in
  the Open Management Infrastructure (OMI) Framework.
  This detection validates that any OMS-agent that is reporting to the Microsoft
  Sentinel workspace is updated with the patch. The detection will go over the
  heartbeats received from all agents over the last day and will create alert
  for those agents who are not updated.
id: 3cc5ccd8-b416-4141-bb2d-4eba370e37a5
customDetails:
  OSType: OSType
  HostIp: ComputerIP
  OSName: OSName
version: 1.1.3
tactics:
  - InitialAccess
query: |
  let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
  Heartbeat
  | where Category == "Direct Agent"
  | summarize arg_max(TimeGenerated,*) by Computer
  | parse strcat("Version:" , Version) with * "Version:" Major:long "."
  Minor:long "." Patch:long "-" *
  | parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:"
  OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
  | where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor
  <OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and
  Patch<OMIVersionPatch)
  | project Version, Major,Minor,Patch,
  Computer,ComputerIP,OSType,OSName,ResourceId
requiredDataConnectors: []
triggerOperator: gt
```
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3cc5ccd8-b416-4141-bb2d-4eba370e37a5')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3cc5ccd8-b416-4141-bb2d-4eba370e37a5')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "OMI Vulnerability Exploitation",
        "description": "Following the September 14th, 2021 release of three Elevation of Privilege\n(EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one\nunauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in\nthe Open Management Infrastructure (OMI) Framework.\nThis detection validates that any OMS-agent that is reporting to the Microsoft\nSentinel workspace is updated with the patch. The detection will go over the\nheartbeats received from all agents over the last day and will create alert\nfor those agents who are not updated.\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let OMIVulnerabilityPatchVersion = \"OMIVulnerabilityPatchVersion:1.13.40-0\";\nHeartbeat\n| where Category == \"Direct Agent\"\n| summarize arg_max(TimeGenerated,*) by Computer\n| parse strcat(\"Version:\" , Version) with * \"Version:\" Major:long \".\"\nMinor:long \".\" Patch:long \"-\" *\n| parse OMIVulnerabilityPatchVersion with * \"OMIVulnerabilityPatchVersion:\"\nOMIVersionMajor:long \".\" OMIVersionMinor:long \".\" OMIVersionPatch:long \"-\" *\n| where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor\n<OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and\nPatch<OMIVersionPatch) \n| project Version, Major,Minor,Patch,\nComputer,ComputerIP,OSType,OSName,ResourceId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "alertRuleTemplateName": "3cc5ccd8-b416-4141-bb2d-4eba370e37a5",
        "customDetails": {
          "OSType": "OSType",
          "HostIp": "ComputerIP",
          "OSName": "OSName"
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "Computer"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "identifier": "ResourceId",
                "columnName": "ResourceId"
              }
            ]
          }
        ],
        "templateVersion": "1.1.3",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml",
        "tags": [
          "OMIGOD",
          "CVE-2021-38647"
        ]
      }
    }
  ]
}
```