
OMIGOD HTTP No Authentication RCE (ab6b1a39-a9ee-4ab4-b075-e83acf6e346b)

Detects exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) of commands as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code to be executed would appear. Additionally, check the endpoint logs to see whether suspicious commands or activity occurred within the timeframe of this HTTP request.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) | Attack Pattern | OMIGOD HTTP No Authentication RCE (ab6b1a39-a9ee-4ab4-b075-e83acf6e346b) | Sigma-Rules | 1 |
| Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) | Attack Pattern | OMIGOD HTTP No Authentication RCE (ab6b1a39-a9ee-4ab4-b075-e83acf6e346b) | Sigma-Rules | 1 |
| Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | OMIGOD HTTP No Authentication RCE (ab6b1a39-a9ee-4ab4-b075-e83acf6e346b) | Sigma-Rules | 1 |
| Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) | Attack Pattern | OMIGOD HTTP No Authentication RCE (ab6b1a39-a9ee-4ab4-b075-e83acf6e346b) | Sigma-Rules | 1 |
| Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) | Attack Pattern | OMIGOD HTTP No Authentication RCE (ab6b1a39-a9ee-4ab4-b075-e83acf6e346b) | Sigma-Rules | 1 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | 2 |