Vulnerable Machines related to OMIGOD CVE-2021-38647
| Id | 4d94d4a9-dc96-450a-9dea-4d4d4594199b |
| Rulename | Vulnerable Machines related to OMIGOD CVE-2021-38647 |
| Description | This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647). Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below). Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal |
| Severity | High |
| Tactics | InitialAccess Execution |
| Techniques | T1190 T1203 |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml |
| Version | 1.0.5 |
| Arm template | 4d94d4a9-dc96-450a-9dea-4d4d4594199b.json |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
relevantTechniques:
- T1190
- T1203
name: Vulnerable Machines related to OMIGOD CVE-2021-38647
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: VirtualMAchine
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
entityType: Host
triggerThreshold: 0
id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
tactics:
- InitialAccess
- Execution
version: 1.0.5
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
queryPeriod: 1d
kind: Scheduled
tags:
- OMIGOD
- CVE-2021-38647
metadata:
categories:
domains:
- Security - Threat Protection
author:
name: Microsoft Security Research
support:
tier: Community
source:
kind: Community
queryFrequency: 1d
severity: High
description: |
'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.
OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).
Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
query: |
SecurityNestedRecommendation
| where RemediationDescription has 'CVE-2021-38647'
| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
| extend HostName = tostring(split(VirtualMAchine, ".")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d94d4a9-dc96-450a-9dea-4d4d4594199b')]",
"properties": {
"alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b",
"customDetails": null,
"description": "'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647.\nOMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'\n",
"displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "VirtualMAchine",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "NTDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml",
"query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend HostName = tostring(split(VirtualMAchine, \".\")[0]), DomainIndex = toint(indexof(VirtualMAchine, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(VirtualMAchine, DomainIndex + 1), VirtualMAchine)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution",
"InitialAccess"
],
"tags": [
"OMIGOD",
"CVE-2021-38647"
],
"techniques": [
"T1190",
"T1203"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}