Merge pull request #3054 from Azure/OMI_Vuln_Query

Queries related to OMIGOD Vuln.
2021-09-16 23:10:25 -07:00 · 2021-09-16 23:10:25 -07:00 · 051427d1fe
--- a/.script/tests/KqlvalidationsTests/CustomTables/SecurityNestedRecommendation.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SecurityNestedRecommendation.json
@ -0,0 +1,101 @@
+{
+  "Name": "SecurityNestedRecommendation",
+  "Properties": [
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "RecommendationSubscriptionId",
+      "Type": "string"
+    },
+    {
+      "Name": "ResourceGroup",
+      "Type": "String"
+    },
+    {
+      "Name": "AssessedResourceId",
+      "Type": "String"
+    },
+    {
+      "Name": "ParentRecommendationId",
+      "Type": "String"
+    },
+    {
+      "Name": "Id",
+      "Type": "String"
+    },
+    {
+      "Name": "RecommendationName",
+      "Type": "String"
+    },
+    {
+      "Name": "NestedRecommendationId",
+      "Type": "String"
+    },
+    {
+      "Name": "VulnerabilityId",
+      "Type": "String"
+    },
+    {
+      "Name": "Description",
+      "Type": "String"
+    },
+    {
+      "Name": "RecommendationSeverity",
+      "Type": "String"
+    },
+    {
+      "Name": "RecommendationState",
+      "Type": "String"
+    },
+    {
+      "Name": "RemediationDescription",
+      "Type": "String"
+    },
+    {
+      "Name": "AdditionalData",
+      "Type": "dynamic"
+    },
+    {
+      "Name": "ResourceProviderType",
+      "Type": "String"
+    },
+    {
+      "Name": "Category",
+      "Type": "String"
+    },
+    {
+      "Name": "ResourceDetails",
+      "Type": "dynamic"
+    },
+    {
+      "Name": "Impact",
+      "Type": "String"
+    },
+    {
+      "Name": "Cause",
+      "Type": "String"
+    },
+    {
+      "Name": "IsSnapshot",
+      "Type": "String"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "String"
+    },
+    {
+      "Name": "Type",
+      "Type": "String"
+    },
+    {
+      "Name": "_ResourceId",
+      "Type": "String"
+    }
+  ]
+}
--- a/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
+++ b/Detections/SecurityNestedRecommendation/OMIGODVulnerableMachines.yaml
@ -0,0 +1,32 @@
+id: 4d94d4a9-dc96-450a-9dea-4d4d4594199b
+name: Vulnerable Machines related to OMIGOD CVE-2021-38647
+description: |
+  'This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and 
+   helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).
+   Security Nested Recommendations data is sent to Azure Sentinel using the continuous export feature of Azure Defender(refrence link below).
+   Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+   Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal'
+severity: High
+requiredDataConnectors: []
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+  - Execution
+relevantTechniques:
+  - T1190
+  - T1203
+query: |
+  SecurityNestedRecommendation
+  | where RemediationDescription has 'CVE-2021-38647'
+  | parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *
+  | summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId
+  | extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine
+entityMappings: 
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+version: 1.0.0
--- a/Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml
+++ b/Queries/MultipleDataSources/NetworkConnectiontoOMIPorts.yaml
@ -0,0 +1,53 @@
+id: 06c52a66-fffe-4d3b-a05a-646ff65b7ec2
+name: Connection from external IP to OMI related Ports
+description: |
+  'This query identifies connection attempts from the external IP addresses to the management ports(5985,5986,1270) related to Open Management Infrastructure(OMI). 
+   OMI is the Linux equivalent of Windows WMI and helps users manage configurations across remote and local environments. 
+   The query aims to find attacks targeting OMI vulnerability (CVE-2021-38647). The query primarily leverages the Network Session normalization schema(imNetworkSession) 
+   as well as a few other logs to look for this activity. The Network normalizing parsers can be deployed in a click using an ARM Template shared in the link below:
+   Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+   Reference: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimNetworkSession
+requiredDataConnectors:
+  - connectorId: AzureNetworkWatcher
+    dataTypes:
+      - AzureNetworkAnalytics_CL
+  - connectorId: AzureMonitor(VMInsights)
+    dataTypes:
+      - VMConnection
+tactics:
+  - Reconnaissance
+  - Initial Access	
+relevantTechniques:
+  - T1595
+  - T1190
+query: |
+  let Port = dynamic(["5985","5986","1270"]); 
+  let PrivateIPregex = @'^127\.|^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\.';
+  (union isfuzzy=true
+  (imNetworkSession
+  | extend SourceIPType = iff(SrcIpAddr matches regex PrivateIPregex,"private" ,"public" )
+  | where SourceIPType =="public"
+  | where DstPortNumber in(Port)
+  | where EventResult != 'Failure'
+  | project TimeGenerated, EventProduct, EventResourceId, EventResult, SourceIp = SrcIpAddr, DestinationIp = DstIpAddr,Type, Computer, DestinationPort= DstPortNumber, SrcPortNumber, Protocol = NetworkProtocol, RemoteCountry = SrcGeoCountry, SrcGeoCity, RemoteLatitude = SrcGeoLatitude, RemoteLongitude = SrcGeoLongitude
+  | extend Timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = SourceIp 
+  ),
+  (VMConnection
+  | where Direction == "inbound"
+  | extend SourceIPType = iff(SourceIp matches regex PrivateIPregex,"private" ,"public" )
+  | where SourceIPType =="public"
+  | where ProcessName == 'omiengine'
+  | where DestinationPort in (Port)
+  | project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteCountry, RemoteLatitude, RemoteLongitude, Type
+  | extend Timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = SourceIp
+  ),
+  (AzureNetworkAnalytics_CL
+  | extend SourceIPType = iff(SrcIP_s matches regex PrivateIPregex,"private" ,"public" )
+  | where SourceIPType =="public"
+  | where L7Protocol_s has 'wsman'
+  | where DestPort_d  in(Port)
+  | parse VM_s with * '/' VM 
+  | project TimeGenerated, SourceIp = SrcIP_s, DestinationIp = DestIP_s, DestinationPort = DestPort_d, Protocol = L7Protocol_s, NSGRule_s, VM, Type
+  | extend Timestamp = TimeGenerated, HostCustomEntity = VM, IPCustomEntity = SourceIp
+  )
+  )