OMI Vulnerability Exploitation
| Id | 3cc5ccd8-b416-4141-bb2d-4eba370e37a5 |
| Rulename | OMI Vulnerability Exploitation |
| Description | Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework. This detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1190 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml |
| Version | 1.1.5 |
| Arm template | 3cc5ccd8-b416-4141-bb2d-4eba370e37a5.json |
let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
Heartbeat
| where Category == "Direct Agent"
| summarize arg_max(TimeGenerated,*) by Computer
| parse strcat("Version:" , Version) with * "Version:" Major:long "."
Minor:long "." Patch:long "-" *
| parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:"
OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
| where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor
<OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and
Patch<OMIVersionPatch)
| project Version, Major,Minor,Patch,
Computer,ComputerIP,OSType,OSName,ResourceId
id: 3cc5ccd8-b416-4141-bb2d-4eba370e37a5
tags:
- OMIGOD
- CVE-2021-38647
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Heartbeat/OMI_vulnerability_detection.yaml
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: Computer
entityType: Host
- fieldMappings:
- identifier: ResourceId
columnName: ResourceId
entityType: AzureResource
requiredDataConnectors: []
queryFrequency: 1d
metadata:
categories:
domains:
- Security - Vulnerability Management
support:
tier: Community
source:
kind: Community
author:
name: Ron Marsiano
queryPeriod: 1d
triggerThreshold: 0
query: |
let OMIVulnerabilityPatchVersion = "OMIVulnerabilityPatchVersion:1.13.40-0";
Heartbeat
| where Category == "Direct Agent"
| summarize arg_max(TimeGenerated,*) by Computer
| parse strcat("Version:" , Version) with * "Version:" Major:long "."
Minor:long "." Patch:long "-" *
| parse OMIVulnerabilityPatchVersion with * "OMIVulnerabilityPatchVersion:"
OMIVersionMajor:long "." OMIVersionMinor:long "." OMIVersionPatch:long "-" *
| where Major <OMIVersionMajor or (Major==OMIVersionMajor and Minor
<OMIVersionMinor) or (Major==OMIVersionMajor and Minor==OMIVersionMinor and
Patch<OMIVersionPatch)
| project Version, Major,Minor,Patch,
Computer,ComputerIP,OSType,OSName,ResourceId
name: OMI Vulnerability Exploitation
kind: Scheduled
tactics:
- InitialAccess
severity: Medium
relevantTechniques:
- T1190
version: 1.1.5
description: |
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the Open Management Infrastructure (OMI) Framework.
This detection validates that any OMS-agent that is reporting to the Microsoft Sentinel workspace is updated with the patch. The detection will go over the heartbeats received from all agents over the last day and will create alert for those agents who are not updated.
customDetails:
HostIp: ComputerIP
OSName: OSName
OSType: OSType