OMIGOD HTTP No Authentication RCE - CVE-2021-38647

Status: stable
Severity: high
Log source: product zeek, service http
Author: Nate Guagenti (neu5ron)
Source: github.com/SigmaHQ/sigma

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1190` Exploit Public-Facing Application
Execution	`T1203` Exploitation for Client Execution
Privilege Escalation	`T1068` Exploitation for Privilege Escalation
Lateral Movement	`T1021.006` Remote Services: Windows Remote Management, `T1210` Exploitation of Remote Services

Rule body yaml

title: OMIGOD HTTP No Authentication RCE - CVE-2021-38647
id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
status: stable
description: |
    Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
    Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
    Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
references:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://twitter.com/neu5ron/status/1438987292971053057?s=20
author: Nate Guagenti (neu5ron)
date: 2021-09-20
modified: 2025-11-03
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.execution
    - attack.lateral-movement
    - attack.t1068
    - attack.t1190
    - attack.t1203
    - attack.t1021.006
    - attack.t1210
    - detection.emerging-threats
    - cve.2021-38647
logsource:
    product: zeek
    service: http
    definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek
detection:
    selection:
        status_code: 200
        uri: /wsman
        method: POST
    auth_header:
        client_header_names|contains: 'AUTHORIZATION'
    too_small_http_client_body:
        request_body_len: 0
    # winrm_ports:
    #    id.resp_p:
    #        -  5985
    #        -  5986
    #        -  1270
    condition: selection and not auth_header and not too_small_http_client_body
    # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
falsepositives:
    - Exploits that were attempted but unsuccessful.
    - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
level: high

Stages and Predicates

Stage 0: `condition`

selection and not auth_header and not too_small_http_client_body

Stage 1: `selection`

selection:
    status_code: 200
    uri: /wsman
    method: POST

Stage 2: `not auth_header`

auth_header:
    client_header_names|contains: 'AUTHORIZATION'

Stage 3: `not too_small_http_client_body`

too_small_http_client_body:
    request_body_len: 0

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`client_header_names`	match	`AUTHORIZATION`
`request_body_len`	eq	`0`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`method`	eq	`POST`
`status_code`	eq	`200`
`uri`	eq	`/wsman`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

OMIGOD HTTP No Authentication RCE - CVE-2021-38647

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection`

Stage 2: `not auth_header`

Stage 3: `not too_small_http_client_body`

Exclusions

Indicators

Keyboard shortcuts

Search operators

OMIGOD HTTP No Authentication RCE - CVE-2021-38647

MITRE ATT&CK coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection

Stage 2: not auth_header

Stage 3: not too_small_http_client_body

Exclusions

Indicators

Stage 0: `condition`

Stage 1: `selection`

Stage 2: `not auth_header`

Stage 3: `not too_small_http_client_body`