Blog Post

Microsoft Sentinel Blog
11 MIN READ

Azure Sentinel To-Go! A Linux 🐧 Lab with AUOMS Set Up to Learn About the OMI Vulnerability 💥

Cyb3rWard0g's avatar
Cyb3rWard0g
Icon for Microsoft rankMicrosoft
Sep 22, 2021

 

Last week, on September 14th, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities CVE-2021-38645CVE-2021-38649CVE-2021-38648and one unauthenticated Remote Code Execution (RCE) vulnerability CVE-2021-38647 .  

These vulnerabilities affect the Open Management Infrastructure (OMI), an open-source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI Common Information Model Object Manager (CIMOM) is also designed to be portable and highly modular. It is written in C and the code is available in GitHub.

 

Great Resources to Read First 

The following resources have already been shared by Microsoft to provide guidance on updating vulnerable extensions for Cloud and On-Premises deployments, and indicators to detect the exploitation of the vulnerability: 

 

What is this about? 

In this post, I will show you how to automatically deploy a research lab environment with Azure Sentinel , a few Linux virtual machines and the Microsoft Audit Collection Tool (AUOMS) set up to understand the underlying behavior of the exploitation of the OMI vulnerability.

 

This is an extension of the amazing work shared by MSTIC through the following resources: 

 

Before going through a few concepts and the deployment process, remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

 

Microsoft Audit Collection Tool (AUOMS) 

AUOMS is a Microsoft audit collection tool that can collect events generated by the Linux kernel’s audit subsystem, kaudit, and the optional user-space daemon, auditd. This allows, for example, the collection of syscalls events such as process creations, file access, and other valuable telemetry for research.

 

AUOMS is part of the installation of the Log Analytics Agent for Linux, also known as the  Operations Management Suite (OMS) Agent for Linux, which allows the streaming of events from Linux-based, syslog supporting devices into Azure Sentinel. However, AUOMS is not set up by default as shown below: 

 

 

My colleague Kevin Sheldrake documented everything that is required to set it up in this blog post Hunting Threats on Linux with Azure Sentinel.

 

The question is “How do we automate the whole setup?

 

Enter Azure Sentinel To-go! 

Azure Sentinel2Go is an open-source project developed to expedite the deployment of an Azure Sentinel lab along with other Azure resources and a data ingestion pipeline to consume pre-recorded datasets for research purposes.

 

Azure Sentinel + Linux Environment 

Currently, we have a Linux environment ready to go and deploy everything needed for a small research lab with AUOMS configured and sending logs to Azure Sentinel:

 

Azure-Sentinel2Go/grocery-list/Linux at master · OTRF/Azure-Sentinel2Go (github.com) 

 

We were able to use Azure Resource Manager (ARM) templates and a few bash scripts to automate the whole setup. These are all the resources used for each component of the lab: 

 

What about the OMI Vulnerability? 

As we know, older versions of the OMI agent (< 1.6.8.1) are vulnerable. Therefore, we created the following script to install version 1.6.8.0, and open port 5986.

 

Blacksmith/Install-OMI.sh at master · OTRF/Blacksmith (github.com)

 

We added that script to the Linux lab templates, and we now have a demo environment that you can also use to learn more about the exploitation of the OMI vulnerability. 

 

Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (github.com) 

 

Deploying the Lab Environment 

Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

  • Click on the “Deploy to Azure” Button 

 

 

  • Fill out the following parameters: 
    • Subscription (selected by default) 
    • Resource group 
    • Region (selected by default) 
    • Admin Username 
    • Admin Password 
    • Remote Access Mode (AllowPublicIP selected by default. You can also use Azure Bastion Host. You would just need to set the Allowed IP Addresses parameter to *) 
    • Allowed IP Addresses (If you use the default access mode AllowPublicIP, use your home or office public IP address to only allow access from secure places. Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.) 

 

 

  • Click the Review > Create buttons to start the deployment 

 

 

  • You can go to your resource group and explore all the resources being deployed

 

 

  • Wait around 5-10 minutes! You should be good to go! 

 

Validate Deployment 

It is very important to validate if everything was deployed properly before doing research. 

 

OMI Server 

SSH to your virtual machines and check the OMI version to confirm it is 1.6.8-0 

 

/opt/omi/bin/omiserver -v 

 

 

Check if the OMI service is running 

 

systemctl status omid 

 

 

Check if port 5986 is open (You might have to update your package manager and install net-tools) 

 

netstat -na | grep :5986 

 

 

AUOMS Setup 

Check if the AUOMS service is running with the following two commands: 

 

sudo /opt/microsoft/auoms/bin/auomsctl status 

 

 

systemctl status auoms 

 

 

Check if events are being sent to the OMS Agent: 

  • Open another SSH session to your virtual machine and in one run the following command:

 

sudo /opt/microsoft/auoms/bin/auomsctl monitor 

 

  • Then, in the other session run whoami. If everything is connected properly, you will be able to see events flowing through your first session as shown below: 

 

 

You can continue using `sudo /opt/microsoft/auoms/bin/auomsctl monitor` if you want to do research locally. You can have it running while you test the exploitation of the OMI vulnerability. 

 

Azure Sentinel 

Check if logs are being sent to your Azure Sentinel instance. 

 

 

  • Click on `logs` and explore the `Syslog` table 

 

 

Learning About the OMI vulnerability 

After validating that everything was deployed properly, you should be ready to run a few public proofs of concepts to test the OMI vulnerability.

 

One thing to remember is that there are three ways to execute arbitrary code via OMI. They are all part of the SCX RunAsProvider and their execution context varies a little bit. 

 

Run Public POC (ExecuteShellCommand) 

  1. SSH to machine A 
  2. SSH to machine B
  3. On machine A, prepare the data that you want to send to machine B 
    1. Request without authorization header
    2. Set the command you want to execute. For this example we execute “id”.
    3. Use the ExecuteShellCommand method in data.
  4. Send HTTP request 

 

 

Explore data in Azure Sentinel (ExecuteShellCommand) 

You can run the following hunting query to explore the execution context:

 

Syslog 
  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData 
  | where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp' 
  | project TimeGenerated, EventType, Computer, EventData 
  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" *
" 
ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group "
gid=" gid "
effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid
" 
filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid 
" 
set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty 
" 
ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\"" *
 
  | where uid == '0' 
  | where cwd == '/var/opt/microsoft/scx/tmp' 
  | where comm == 'sh' 
  | extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user 

 

 

We observed that the execution was happening from the `current working directory (cwd): /var/opt/microsoft/scx/tmp`. This is an indicator that repeats across the other two methods to execute arbitrary code abusing the OMI vulnerability. Group the results by the command line values to identify initial outliers.

 

Run Public POC (ExecuteScript) 

  1. SSH to machine A 
  2. SSH to machine B
  3. On machine A, prepare the data that you want to send to machine B 
    1. Request without authorization header 
    2. Set the script you want to execute: 
      1. Pick a command. Let's say whoami 
      2. Base64 encode the command: d2hvYW1p 
    3. Use the ExecuteScript method in data. 
  4. Send HTTP request

 

 

Explore data in Azure Sentinel (ExecuteScript) 

You can run the previous hunting query again and explore the results. You will see that the current working directory (cwd) is the same, but the command line or in this case the script is now being hosted at the following directory:  /etc/opt/microsoft/scx/conf/tmpdir/.  The name of the scripts in that directory has the string “scx” as a prefix. For example: scxzEPOS4. 

 

Syslog 
  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData 
  | where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp' 
  | project TimeGeneratedEventType, Computer, EventData 
  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " 
ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group
" gid=" gid "
effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid
filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid 
set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty 
ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\"" *
 
  | where uid == '0' 
  | where cwd == '/var/opt/microsoft/scx/tmp' 
  | where comm == 'sh' 
  | extend Timestamp = TimeGeneratedHostCustomEntity = Computer, AccountCustomEntity = user 

 

 

 

I was wondering what process had created that file in that directory. I ran the following query to answer that question:

 

let syscallsList = dynamic(["unlink","openat","chmod"]); 
Syslog 
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData 
| where EventType =~ "AUOMS_SYSCALL" and EventData contains "/etc/opt/microsoft/scx/conf/tmpdir/" 
| project TimeGenerated, EventType, Computer, EventData 
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" *
" 
ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group
" gid=" gid "
effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid
" 
filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid 
" 
set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty 
" 
ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" *
" 
path_name=" path_name " path_nametype=" path_nametype " path_mode=" * " proctitle=" cmdline " redactors=" *
 
| where syscall in (syscallsList) 
| extend fileAction = (parse_json(path_nametype))[1] 
| where fileAction in ("CREATE","DELETE") 

 

 

It seems that the omiagent creates and deletes the file. The file is available only during the execution of the script. Once the execution is done, the file gets deleted. After doing some more research and reading some of the SCXCore code in GitHub, this the behavior of the ExecuteScript method: 

 

 

How can we cover both methods (ExecuteShellCommand and ExecuteScript) and show what the script executed?

As mentioned before, both methods execute from the /var/opt/microsoft/scx/tmp directory. Therefore, all we have to do is create a JOIN query to show the process parent-child relationship to get to the commands executed via the script method:

 

let scx_execve=(){
Syslog
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp'
| project TimeGenerated, EventType, Computer, EventData
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid 
" pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid 
"effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user 
" fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid 
" filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * 
"cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=" cmdline " redactors=" *
| where uid == '0'
| where cwd == '/var/opt/microsoft/scx/tmp'
| where success == 'yes'
};
scx_execve
| where comm == 'sh' // ExecuteScript cmdline would trigger on /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx_
| join kind=leftouter ( scx_execve ) on $left.Computer == $right.Computer, $left.pid == $right.ppid
| project-rename parentEventData=EventData,parentppid=ppid,parentpid=pid,parentcomm=comm,parentexe=exe,
parentname=name,parentcmdline=cmdline,childEventData=EventData1,childppid=ppid1,childpid=pid1,childcomm=comm1
,childexe=exe1,childname=name1,childcmdline=cmdline1
| project TimeGenerated, Computer, user, parentEventData,parentppid,parentpid,parentcomm,parentexe,parentname,parentcmdline,
childEventData,childppid,childpid,childcomm,childexe,childname,childcmdline
| extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user

 

 

This is now the hunting query we share via our Azure Sentinel GitHub repo!

 

Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com)

 

That’s it! I am sure there is more to explore! I hope this lab environment can help you to test a few things in a safer way and experience what it might look like if it happens in your environment.

 

Once again, we highly recommend upgrading the OMI agent to version 1.6.8-1+, and if possible, controlling access to ports 5986,5985 and 1270.  Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

 

In addition, remember that the behavior documented in this post is not malicious. The lab was created to help us understand how the execution of commands or a script was being handled by OMI from a data perspective. You must then go through the results of those queries and validate what is legitimate behavior or not depending on your organization’s baseline. 

 

Also, use this knowledge to map data you collect to every single action documented 😉 You might be collecting data from other sources that provide the same or similar visibility.  

 

Resources

 

References 

 

Updated Sep 24, 2021
Version 4.0