Azure Sentinel To-Go! A Linux 🐧 Lab with AUOMS Set Up to Learn About the OMI Vulnerability 💥

Published Sep 22 2021 08:25 AM 8,168 Views
Microsoft

main_image.PNG

 

Last week, on September 14th, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities, CVE-2021-38645, CVE-2021-38649 and CVE-2021-38648, and one unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2021-38647.

These vulnerabilities affect the Open Management Infrastructure (OMI), an open-source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI Common Information Model Object Manager (CIMOM) is also designed to be portable and highly modular. It is written in C and the code is available in GitHub.

 

Great Resources to Read First 

The following resources have already been shared by Microsoft to provide guidance on updating vulnerable extensions for Cloud and On-Premises deployments, and indicators to detect the exploitation of the vulnerability: 

  • MSRC: Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions 
  • MSTIC: Hunting for OMI Vulnerability Exploitation with Azure Sentinel 
  • Azure Security Center: Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions 

 

What is this about? 

In this post, I will show you how to automatically deploy a research lab environment with Azure Sentinel, a few Linux virtual machines and the Microsoft Audit Collection Tool (AUOMS) set up to understand the underlying behavior of the exploitation of the OMI vulnerability.

 

This is an extension of the amazing work shared by MSTIC through the following resources: 

  • Kevin Sheldrake - Hunting Threats on Linux with Azure Sentinel 
  • Jannie Li - Guided Hunting Notebook: Base64-Encoded Linux Commands 

 

Before going through a few concepts and the deployment process, remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

 

Microsoft Audit Collection Tool (AUOMS) 

AUOMS is a Microsoft audit collection tool that can collect events generated by the Linux kernel’s audit subsystem, kaudit, and the optional user-space daemon, auditd. This allows, for example, the collection of syscalls events such as process creations, file access, and other valuable telemetry for research.

 

AUOMS is part of the installation of the Log Analytics Agent for Linux, also known as the Operations Management Suite (OMS) Agent for Linux, which allows the streaming of events from Linux-based, syslog supporting devices into Azure Sentinel. However, AUOMS is not set up by default, as shown below: 

 

auoms_not_enabled.png

 

My colleague Kevin Sheldrake documented everything that is required to set it up in this blog post Hunting Threats on Linux with Azure Sentinel.

 

The question is “How do we automate the whole setup?”

 

Enter Azure Sentinel To-go! 

Azure Sentinel2Go is an open-source project developed to expedite the deployment of an Azure Sentinel lab along with other Azure resources and a data ingestion pipeline to consume pre-recorded datasets for research purposes.

 

Azure Sentinel + Linux Environment 

Currently, we have a Linux environment ready to go and deploy everything needed for a small research lab with AUOMS configured and sending logs to Azure Sentinel:

 

Azure-Sentinel2Go/grocery-list/Linux at master · OTRF/Azure-Sentinel2Go (github.com) 

 

We were able to use Azure Resource Manager (ARM) templates and a few bash scripts to automate the whole setup. These are all the resources used for each component of the lab: 

 

What about the OMI Vulnerability? 

As we know, older versions of the OMI agent (< 1.6.8.1) are vulnerable. Therefore, we created the following script to install version 1.6.8.0, and open port 5986.

 

Blacksmith/Install-OMI.sh at master · OTRF/Blacksmith (github.com)

 

We added that script to the Linux lab templates, and we now have a demo environment that you can also use to learn more about the exploitation of the OMI vulnerability. 

 

Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (gi... 

 

Deploying the Lab Environment 

Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

  • Click on the “Deploy to Azure” Button 

 

linux_lab_deploy_button.png

 

  • Fill out the following parameters: 
    • Subscription (selected by default) 
    • Resource group 
    • Region (selected by default) 
    • Admin Username 
    • Admin Password 
    • Remote Access Mode (AllowPublicIP selected by default. You can also use Azure Bastion Host. You would just need to set the Allowed IP Addresses parameter to *) 
    • Allowed IP Addresses (If you use the default access mode AllowPublicIP, use your home or office public IP address to only allow access from secure places. Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.) 

 

deploy_environment_parameters.png

 

  • Click the Review > Create buttons to start the deployment 

 

deployment_in_progress.png

 

  • You can go to your resource group and explore all the resources being deployed

 

resources_being_created.png

 

  • Wait around 5-10 minutes! You should be good to go! 

 

Validate Deployment 

It is very important to validate if everything was deployed properly before doing research. 

 

OMI Server 

SSH to your virtual machines and check the OMI version to confirm it is 1.6.8-0: 

 

/opt/omi/bin/omiserver -v 

 

validate_omi_server_version.png

 

Check if the OMI service is running: 

 

systemctl status omid 

 

validate_omid_server_is_running.png

 

Check if port 5986 is open (You might have to update your package manager and install net-tools) 

 

netstat -na | grep :5986 

 

validate_omi_5986_port.png

 

AUOMS Setup 

Check if the AUOMS service is running with the following two commands: 

 

sudo /opt/microsoft/auoms/bin/auomsctl status 

 

validate_auoms_server_is_running.png

 

systemctl status auoms 

 

validate_auoms_server_is_running_2.png

 

Check if events are being sent to the OMS Agent: 

  • Open a second SSH session to your virtual machine and, in one of the two sessions, run the following command:

 

sudo /opt/microsoft/auoms/bin/auomsctl monitor 

 

  • Then, in the other session run whoami. If everything is connected properly, you will be able to see events flowing through your first session as shown below: 

 

validate_auoms_can_send_events.png

 

You can continue using `sudo /opt/microsoft/auoms/bin/auomsctl monitor` if you want to do research locally. You can have it running while you test the exploitation of the OMI vulnerability. 

 

Azure Sentinel 

Check if logs are being sent to your Azure Sentinel instance. 

 

validate_azure_sentinel.png

 

  • Click on `logs` and explore the `Syslog` table 

 

validate_syslog_events_are_flowing.png

 

Learning About the OMI vulnerability 

After validating that everything was deployed properly, you should be ready to run a few public proofs of concepts to test the OMI vulnerability.

 

One thing to remember is that there are three ways to execute arbitrary code via OMI. They are all part of the SCX RunAsProvider and their execution context varies a little bit. 

 

Run Public POC (ExecuteShellCommand) 

  1. SSH to machine A 
  2. SSH to machine B
  3. On machine A, prepare the data that you want to send to machine B 
    1. Request without authorization header
    2. Set the command you want to execute. For this example we execute “id”.
    3. Use the ExecuteShellCommand method in data.
  4. Send HTTP request 

 

execute_poc_executeshellcommand.png

 

Explore data in Azure Sentinel (ExecuteShellCommand) 

You can run the following hunting query to explore the execution context:

 

Syslog 
  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData 
  | where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp' 
  | project TimeGenerated, EventType, Computer, EventData 
  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid 
    " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid 
    " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid 
    " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid 
    " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty 
    " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\"" * 
  | where uid == '0' 
  | where cwd == '/var/opt/microsoft/scx/tmp' 
  | where comm == 'sh' 
  | extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user 

 

executeshellcommand_kql_query.png

 

We observed that the execution was happening from the current working directory (cwd) `/var/opt/microsoft/scx/tmp`. This indicator repeats across the other two methods of executing arbitrary code by abusing the OMI vulnerability. Group the results by the command line values to identify initial outliers.

 

Run Public POC (ExecuteScript) 

  1. SSH to machine A 
  2. SSH to machine B
  3. On machine A, prepare the data that you want to send to machine B 
    1. Request without authorization header 
    2. Set the script you want to execute: 
      1. Pick a command. Let's say whoami 
      2. Base64 encode the command: d2hvYW1p 
    3. Use the ExecuteScript method in data. 
  4. Send HTTP request

 

execute_poc_executescript.png

 

Explore data in Azure Sentinel (ExecuteScript) 

You can run the previous hunting query again and explore the results. You will see that the current working directory (cwd) is the same, but the command line, or in this case the script, is now hosted in the following directory: /etc/opt/microsoft/scx/conf/tmpdir/. The names of the scripts in that directory have the string “scx” as a prefix. For example: scxzEPOS4. 

 

Syslog 
  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData 
  | where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp' 
  | project TimeGenerated, EventType, Computer, EventData 
  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid 
    " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid 
    " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid 
    " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid 
    " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty 
    " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\"" * 
  | where uid == '0' 
  | where cwd == '/var/opt/microsoft/scx/tmp' 
  | where comm == 'sh' 
  | extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user 

 

executescript_kql_query_execution.png

 

 

I was wondering what process had created that file in that directory. I ran the following query to answer that question:

 

let syscallsList = dynamic(["unlink","openat","chmod"]); 
Syslog 
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData 
| where EventType =~ "AUOMS_SYSCALL" and EventData contains "/etc/opt/microsoft/scx/conf/tmpdir/" 
| project TimeGenerated, EventType, Computer, EventData 
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid 
  " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid 
  " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid 
  " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid 
  " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty 
  " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * 
  " path_name=" path_name " path_nametype=" path_nametype " path_mode=" * " proctitle=" cmdline " redactors=" * 
| where syscall in (syscallsList) 
| extend fileAction = (parse_json(path_nametype))[1] 
| where fileAction in ("CREATE","DELETE") 

 

executescript_kql_query_file_creation_deletion.png

 

It seems that the omiagent creates and deletes the file. The file exists only during the execution of the script; once the execution is done, the file gets deleted. After doing some more research and reading some of the SCXCore code in GitHub, this is the behavior of the ExecuteScript method: 

 

executescript_behavior.png

 

How can we cover both methods (ExecuteShellCommand and ExecuteScript) and show what the script executed?

As mentioned before, both methods execute from the /var/opt/microsoft/scx/tmp directory. Therefore, all we have to do is create a JOIN query to show the process parent-child relationship to get to the commands executed via the script method:

 

let scx_execve=(){
Syslog
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp'
| project TimeGenerated, EventType, Computer, EventData
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid 
  " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid 
  " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user 
  " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid 
  " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * 
  "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=" cmdline " redactors=" *
| where uid == '0'
| where cwd == '/var/opt/microsoft/scx/tmp'
| where success == 'yes'
};
scx_execve
| where comm == 'sh' // ExecuteScript cmdline would trigger on /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx_
| join kind=leftouter ( scx_execve ) on $left.Computer == $right.Computer, $left.pid == $right.ppid
| project-rename parentEventData=EventData, parentppid=ppid, parentpid=pid, parentcomm=comm, parentexe=exe,
  parentname=name, parentcmdline=cmdline, childEventData=EventData1, childppid=ppid1, childpid=pid1, childcomm=comm1,
  childexe=exe1, childname=name1, childcmdline=cmdline1
| project TimeGenerated, Computer, user, parentEventData, parentppid, parentpid, parentcomm, parentexe, parentname, parentcmdline,
  childEventData, childppid, childpid, childcomm, childexe, childname, childcmdline
| extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user

 

Final_Query.PNG

 

This is now the hunting query we share via our Azure Sentinel GitHub repo!

 

Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com)
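The final join query and the tmpdir file creation/deletion query, re-implemented as an added Python example over constructed AUOMS records so the EventData parsing and the pid/ppid join can be followed offline. This is not code from the original post or from the Azure-Sentinel2Go/Azure-Sentinel repositories; the host name linux-lab-1, the pids, the audit ids and the sample messages are all made up.

```python
import json
import re

SCX_TMP = "/var/opt/microsoft/scx/tmp"
SCX_TMPDIR = "/etc/opt/microsoft/scx/conf/tmpdir/"
ROOT = ("audit_user=unset auid=4294967295 user=root uid=0 group=root gid=0 "
        "effective_user=root euid=0 tty=(none) ses=4294967295")
EXECVE = "syscall=execve syscall_r=59 success=yes exit=0 a0=0x1"

# Constructed (Computer, SyslogMessage) rows in the shape the page's KQL parses; NOT real captures.
SAMPLE_SYSLOG = [
    # ExecuteShellCommand: a root sh started in the SCX tmp directory runs "id"
    ("linux-lab-1", f'type=AUOMS_EXECVE audit(1632300001.100:501): {EXECVE} ppid=1900 pid=2001 {ROOT} '
     f'comm="sh" exe="/usr/bin/dash" cwd="{SCX_TMP}" name="/bin/sh" cmdline="sh -c id"'),
    ("linux-lab-1", f'type=AUOMS_EXECVE audit(1632300001.200:502): {EXECVE} ppid=2001 pid=2002 {ROOT} '
     f'comm="id" exe="/usr/bin/id" cwd="{SCX_TMP}" name="/usr/bin/id" cmdline="id"'),
    # ExecuteScript: omiagent creates the script in tmpdir, sh runs it (it runs whoami), omiagent deletes it
    ("linux-lab-1", f'type=AUOMS_SYSCALL audit(1632300002.000:601): syscall=openat syscall_r=257 success=yes '
     f'exit=3 a0=0xffffff9c ppid=1 pid=1900 {ROOT} comm="omiagent" exe="/opt/omi/bin/omiagent" '
     f'cwd="{SCX_TMP}" name="scxzEPOS4" path_name=["{SCX_TMPDIR}","{SCX_TMPDIR}scxzEPOS4"] '
     f'path_nametype=["PARENT","CREATE"] path_mode=["0o40755","0o100600"] proctitle="omiagent" redactors=none'),
    ("linux-lab-1", f'type=AUOMS_EXECVE audit(1632300002.100:602): {EXECVE} ppid=1900 pid=2101 {ROOT} '
     f'comm="sh" exe="/usr/bin/dash" cwd="{SCX_TMP}" name="/bin/sh" cmdline="/bin/sh {SCX_TMPDIR}scxzEPOS4"'),
    ("linux-lab-1", f'type=AUOMS_EXECVE audit(1632300002.200:603): {EXECVE} ppid=2101 pid=2102 {ROOT} '
     f'comm="whoami" exe="/usr/bin/whoami" cwd="{SCX_TMP}" name="/usr/bin/whoami" cmdline="whoami"'),
    ("linux-lab-1", f'type=AUOMS_SYSCALL audit(1632300002.300:604): syscall=unlink syscall_r=87 success=yes '
     f'exit=0 a0=0x1 ppid=1 pid=1900 {ROOT} comm="omiagent" exe="/opt/omi/bin/omiagent" '
     f'cwd="{SCX_TMP}" name="scxzEPOS4" path_name=["{SCX_TMPDIR}","{SCX_TMPDIR}scxzEPOS4"] '
     f'path_nametype=["PARENT","DELETE"] path_mode=["0o40755","0o100600"] proctitle="omiagent" redactors=none'),
    # Noise: an interactive user listing a home directory; must not match any filter
    ("linux-lab-1", f'type=AUOMS_EXECVE audit(1632300003.000:701): {EXECVE} ppid=3000 pid=3001 '
     'audit_user=alice auid=1000 user=alice uid=1000 group=alice gid=1000 effective_user=alice euid=1000 '
     'tty=pts0 ses=7 comm="ls" exe="/bin/ls" cwd="/home/alice" name="/bin/ls" cmdline="ls -la"'),
]

HEADER_RE = re.compile(r'^type=(?P<type>\S+) audit\((?P<audit>[^)]*)\): (?P<data>.*)$')
# key=value pairs: the value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_auoms(computer, message):
    """Mirror of the KQL `parse` operators: split the AUOMS header from EventData and turn
    EventData into a dict keyed by field name (quotes stripped from quoted values)."""
    m = HEADER_RE.match(message)
    if not m:
        return None
    event = {"Computer": computer, "EventType": m["type"], "AuditId": m["audit"]}
    for key, value in KV_RE.findall(m["data"]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        event[key] = value
    return event


def scx_execve(events):
    """Same filters as the page's scx_execve() function: successful execve, uid 0, cwd = SCX tmp."""
    return [e for e in events if e["EventType"] == "AUOMS_EXECVE" and e.get("uid") == "0"
            and e.get("success") == "yes" and e.get("cwd") == SCX_TMP]


def runas_provider_executions(events):
    """Equivalent of the page's final leftouter join: every root 'sh' started in the SCX tmp
    directory, paired with the processes it spawned there (parent pid == child ppid)."""
    candidates = scx_execve(events)
    rows = []
    for parent in candidates:
        if parent.get("comm") != "sh":
            continue
        children = [c for c in candidates
                    if c["Computer"] == parent["Computer"] and c.get("ppid") == parent.get("pid")]
        for child in children or [None]:  # leftouter: keep the parent even when no child matched
            rows.append({"Computer": parent["Computer"], "user": parent.get("user"),
                         "parentcmdline": parent.get("cmdline"),
                         "childcomm": child.get("comm") if child else None,
                         "childcmdline": child.get("cmdline") if child else None})
    return rows


def scx_tmpdir_file_actions(events):
    """Equivalent of the AUOMS_SYSCALL query: which process creates or deletes script files under
    the SCX conf tmpdir. path_nametype is a JSON array; index 1 is the action on the file itself."""
    rows = []
    for e in events:
        if e["EventType"] != "AUOMS_SYSCALL" or e.get("syscall") not in ("unlink", "openat", "chmod"):
            continue
        if SCX_TMPDIR not in e.get("path_name", ""):
            continue
        nametype = json.loads(e.get("path_nametype", "[]"))
        action = nametype[1] if len(nametype) > 1 else None
        if action in ("CREATE", "DELETE"):
            rows.append((e["Computer"], e.get("comm"), e.get("syscall"), action))
    return rows


def analyse(rows=SAMPLE_SYSLOG):
    """Parse every row, then run both hunts; returns (execution rows, file action rows)."""
    events = [ev for ev in (parse_auoms(c, m) for c, m in rows) if ev]
    return runas_provider_executions(events), scx_tmpdir_file_actions(events)


if __name__ == "__main__":
    print(*analyse(), sep="\n")
```

On the constructed input the join yields two parent/child rows (`sh -c id` -> `id`, and `/bin/sh .../scxzEPOS4` -> `whoami`) and the file hunt attributes both the CREATE and the DELETE of scxzEPOS4 to omiagent, which is the picture the two KQL queries above produce in the lab.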

 

That’s it! I am sure there is more to explore! I hope this lab environment can help you to test a few things in a safer way and experience what it might look like if it happens in your environment.

 

Once again, we highly recommend upgrading the OMI agent to version 1.6.8-1+, and if possible, controlling access to ports 5986, 5985 and 1270. Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

 

In addition, remember that the behavior documented in this post is not malicious. The lab was created to help us understand how the execution of commands or a script was being handled by OMI from a data perspective. You must then go through the results of those queries and validate what is legitimate behavior or not depending on your organization’s baseline. 

 

Also, use this knowledge to map data you collect to every single action documented ;) You might be collecting data from other sources that provide the same or similar visibility.  

 

none%22%3EAzure%20Sentinel%26nbsp%3Binstance%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Fdata-connectors%2FsyslogCollection.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESyslog%26nbsp%3Bdata%20connector%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Fblob%2Fmaster%2Fazure-sentinel%2Flinkedtemplates%2Flog-analytics%2FsyslogDataSources.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESyslog%20data%20collection%20from%20specific%20facilities%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%2
2%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELinux%20Virtual%20Machines%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Ftemplates%2Fazure%2FLinux%2Fazuredeploy.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ELinux%20virtual%20machines%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Fresources%2Fscripts%2Fbash%2FInstall-OMS-Linux-Agent.sh%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EOMS%20Agent%20for%20Linux%20installer%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Fresources%2Fscripts%2Fbash%2FInstall-OMS-Audi
td-Plugin.sh%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EOMS%26nbsp%3BAuditd%26nbsp%3BPlugin%20setup%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Fresources%2Fconfigs%2Fauoms-outconf%2Fsyslog.conf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAUOMS%20Syslog%20config%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Fresources%2Fconfigs%2Fauoms-rules%2Fmstic-research.rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAUOMS%20rules%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId-1689516596%22%20id%3D%22toc-hId-1689577109%22%3E%3CFONT%20size%3D%226%22%3E%3
CSPAN%20data-contrast%3D%22none%22%3EWhat%20about%20the%20OMI%20Vulnerability%3F%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20we%20know%2C%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fomi%2Freleases%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eolder%20versions%20of%26nbsp%3Bthe%20OMI%20agent%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B(%26lt%3B%26nbsp%3B1.6.8.1)%20are%20vulnerable.%20Therefore%2C%20we%20created%20the%20following%20script%20to%20install%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fomi%2Freleases%2Ftag%2Fv1.6.8-0%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eversion%201.6.8.0%3C%2FA%3E%2C%20and%20open%20port%205986.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FBlacksmith%2Fblob%2Fmaster%2Fresources%2Fscripts%2Fbash%2FInstall-OMI.sh%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EBlacksmith%2FInstall-OMI.sh%20at%20master%20%C2%B7%20OTRF%2FBlacksmith%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20added%20that%20script%20to%20the%20Linux%20lab%20templates%2C%20and%20we%20now%20have%20a%20demo%20environment%20that%20you%20can%20also%20use%20to%20learn%20more%20about%20the%20exploitation%20of%20the%20OMI%20vulnerability.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B
%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FCVE-2021-38647-OMI%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure-Sentinel2Go%2Fgrocery-list%2FLinux%2Fdemos%2FCVE-2021-38647-OMI%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--117937867%22%20id%3D%22toc-hId--117877354%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDeploying%26nbsp%3Bthe%20Lab%20Environment%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSTRONG%3ERemember%20that%20this%20vulnerability%20is%20actively%20being%20exploited.%20Therefore%2C%20make%20sure%20you%20do%20not%20expose%20your%20lab%20environment%20to%20the%20Internet.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EGo%20to%26nbsp%3Bthe%20following%20link%3A%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FOTRF%2FAzure-Sentinel2Go%2Ftree%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FCVE-2021-38647-OMI%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure-Se
ntinel2Go%2Fgrocery-list%2FLinux%2Fdemos%2FCVE-2021-38647-OMI%20at%20master%20%C2%B7%20OTRF%2FAzure-Sentinel2Go%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EClick%20on%20the%20%E2%80%9C%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EDeploy%20to%20Azure%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%9D%20Button%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22linux_lab_deploy_button.png%22%20style%3D%22width%3A%20855px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311931i16B6B1518B668E5A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22linux_lab_deploy_button.png%22%20alt%3D%22linux_lab_deploy_button.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%
3EFill%20out%20the%20following%20parameters%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESubscription%20(selected%20by%20default)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EResource%20group%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERegion%20(selected%20by%20default)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdmin%20Username%3C%2FSPAN%3E%3CSPA
N%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdmin%20Password%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERemote%20Access%20Mode%20(%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAllowPublicIP%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bselected%20by%20default.%20You%20can%20also%20use%20Azure%20Bastion%20Host.%26nbsp%3BYou%26nbsp%3Bwould%20just%26nbsp%3Bneed%20to%20set%20the%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAllowed%20IP%20Addresses%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bparameter%20to%20*)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAllowed%20IP%20Addresses%20(If%20you%20use%20the%20default%20access%20mode%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22a
uto%22%3EAllowPublicIP%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20use%20your%20home%20or%20office%20public%20IP%20address%26nbsp%3Bto%20only%20allow%20access%20from%20secure%20places.%20%3CSTRONG%3ERemember%20that%20this%20vulnerability%20is%20actively%20being%20exploited.%20Therefore%2C%20make%20sure%20you%20do%20not%20expose%20your%20lab%20environment%20to%20the%20Internet.%3C%2FSTRONG%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22deploy_environment_parameters.png%22%20style%3D%22width%3A%20916px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311932i6486F9ACA5DF66CC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22deploy_environment_parameters.png%22%20alt%3D%22deploy_environment_parameters.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%20class%3D%22TextRun%20SCXW100673580%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW100673580%20BCX8%22%3EClick%20the%20Review%20%26gt%3B%20Create%20buttons%20to%20start%20the%20deployment%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW100673580%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp
%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22deployment_in_progress.png%22%20style%3D%22width%3A%20502px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311933i1AAFBB48EC98F6C6%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22deployment_in_progress.png%22%20alt%3D%22deployment_in_progress.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%20class%3D%22TextRun%20SCXW14026402%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW14026402%20BCX8%22%3EYou%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW14026402%20BCX8%22%3Ecan%20go%20to%20your%20resource%20group%20and%20explore%20all%20the%20resources%20being%20deployed%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22resources_being_created.png%22%20style%3D%22width%3A%20760px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311934i3BC4C9CDFAB7AE40%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22resources_being_created.png%22%20alt%3D%22resources_being_created.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22
%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%226%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWait%20around%205-10%20minutes!%26nbsp%3BYou%20should%20be%20good%20to%20go!%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%221%22%20id%3D%22toc-hId--1925392330%22%20id%3D%22toc-hId--1925331817%22%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EValidate%20Deployment%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIt%20is%20very%20important%20to%20validate%20if%20everything%20was%20deployed%20properly%20before%26nbsp%3Bdoing%20research.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1234830856%22%20id%3D%22toc-hId--1234770343%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EOMI%20Server%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESSH%20to%20your%20virtual%20machines%26nbsp%3Band%20check%20the%20OMI%20version%20to%20confirm%20it%20is%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fomi%2Freleases%2Ftag%2Fv1.
6.8-0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E1.6.8-0%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2Fopt%2Fomi%2Fbin%2Fomiserver%26nbsp%3B-v%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22validate_omi_server_version.png%22%20style%3D%22width%3A%20742px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311939iA31C642B149B6E0A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22validate_omi_server_version.png%22%20alt%3D%22validate_omi_server_version.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECheck%20if%20the%20OMI%20service%20is%20running%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esystemctl%26nbsp%3Bstatus%26nbsp%3Bomid%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbs
p%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22validate_omid_server_is_running.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311940i75C039806DED7E93%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22validate_omid_server_is_running.png%22%20alt%3D%22validate_omid_server_is_running.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECheck%26nbsp%3Bif%20port%205986%20is%20open%26nbsp%3B(You%20might%20have%20to%20update%20your%20package%20manager%20and%20install%20net-tools)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3Enetstat%20-na%26nbsp%3B%7C%20grep%20%3A5986%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22validate_omi_5986_port.png%22%20style%3D%22width%3A%20836px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311941i82E8345DF5CD987D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22v
alidate_omi_5986_port.png%22%20alt%3D%22validate_omi_5986_port.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-557518498%22%20id%3D%22toc-hId-557579011%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAUOMS%20Setup%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECheck%20if%20the%20AUOMS%20service%20is%20running%20with%20the%20following%20two%20commands%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esudo%26nbsp%3B%2Fopt%2Fmicrosoft%2Fauoms%2Fbin%2Fauomsctl%26nbsp%3Bstatus%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22validate_auoms_server_is_running.png%22%20style%3D%22width%3A%20703px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311942iB4C73CCF37824EE4%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22validate_auoms_server_is_running.png%22%20alt%3D%22validate_auoms_server_is_running.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%
systemctl status auoms

validate_auoms_server_is_running_2.png

Check if events are being sent to the OMS Agent:

- Open another SSH session to your virtual machine and, in one of the two sessions, run the following command:

sudo /opt/microsoft/auoms/bin/auomsctl monitor

- Then, in the other session, run whoami. If everything is connected properly, you will see events flowing through your first session as shown below:

validate_auoms_can_send_events.png

You can keep `sudo /opt/microsoft/auoms/bin/auomsctl monitor` running if you want to do research locally, for example while you test the exploitation of the OMI vulnerability.

Azure Sentinel

Check if logs are being sent to your Azure Sentinel instance:

- Open https://portal.azure.com/
- Go to Azure Sentinel

validate_azure_sentinel.png

- Click on `Logs` and explore the `Syslog` table

validate_syslog_events_are_flowing.png

Learning About the OMI Vulnerability

After validating that everything was deployed properly, you should be ready to run a few public proofs of concept to test the OMI vulnerability.

One thing to remember is that there are three ways to execute arbitrary code via OMI. They are all part of the SCX RunAsProvider (https://github.com/microsoft/SCXcore/blob/master/source/code/providers/support/runasprovider.cpp), and their execution context varies slightly:

- ExecuteCommand (https://github.com/microsoft/SCXcore#runas-provider-executecommand)
- ExecuteShellCommand (https://github.com/microsoft/SCXcore#runas-provider-executeshellcommand)
- ExecuteScript (https://github.com/microsoft/SCXcore#runas-provider-executescript)

Run Public POC (ExecuteShellCommand)

1. SSH to machine A
2. SSH to machine B
3. On machine A, prepare the data that you want to send to machine B:
   a. Request without an authorization header
   b. Set the command you want to execute. For this example we execute "id".
   c. Use the ExecuteShellCommand method in the data.
4. Send the HTTP request

execute_poc_executeshellcommand.png

Explore Data in Azure Sentinel (ExecuteShellCommand)

You can run the following hunting query to explore the execution context:

Syslog
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp'
| project TimeGenerated, EventType, Computer, EventData
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\"" *
| where uid == '0'
| where cwd == '/var/opt/microsoft/scx/tmp'
| where comm == 'sh'
| extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user
3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22executeshellcommand_kql_query.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311948i6E82A05388A19212%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22executeshellcommand_kql_query.png%22%20alt%3D%22executeshellcommand_kql_query.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20observed%20that%20the%20execution%20was%20happening%20from%20the%26nbsp%3B%60%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecurrent%20working%20directory%20(cwd)%3A%20%2Fvar%2Fopt%2Fmicrosoft%2Fscx%2Ftmp%60.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20an%20indicator%20that%20repeats%20across%20the%20other%20two%20methods%20to%20execute%20arbitrary%26nbsp%3Bcode%26nbsp%3Babusing%20the%20OMI%20vulnerability.%20Group%20the%20results%20by%20the%20command%20line%20values%20to%20identify%20initial%20outliers.%3C%2FSPAN%3E%3CSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId-110180775%22%20id%3D%22toc-hId-110241288%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERun%20Public%20POC%26nbsp%3B(ExecuteScript)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESSH%20to%20machine%20A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B3355597
40%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESSH%20to%20machine%20B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOn%20machine%20A%2C%20prepare%20the%20data%20that%20you%20want%20to%20send%20to%20machine%20B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3COL%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERequest%20without%20authorization%20header%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESet%20the%20script%20you%20want%20to%20execute%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3COL%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-ar
ia-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EPick%20a%20command.%20Let's%20say%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewhoami%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBase64%20encode%20the%20command%3A%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ed2hvYW1p%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUse%20the%26nbsp%3BExecuteScript%20method%20in%20data.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%22%20data-listid%3D%2216%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESend%20HTTP%20request%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%
26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22execute_poc_executescript.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311958i543F243D2FF89FD5%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22execute_poc_executescript.png%22%20alt%3D%22execute_poc_executescript.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20aria-level%3D%222%22%20id%3D%22toc-hId--1697273688%22%20id%3D%22toc-hId--1697213175%22%3E%3CFONT%20size%3D%225%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EExplore%20data%20in%20Azure%20Sentinel%26nbsp%3B(ExecuteScript)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EYou%20can%20run%20the%20previous%20hunting%20query%20again%20and%20explore%20the%20results.%20You%20will%20see%20that%20the%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ecurrent%20working%20directory%20(cwd)%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bis%20the%20same%2C%20but%20the%20command%20line%20or%26nbsp%3Bin%20this%20case%20the%26nbsp%3Bscript%20is%20now%20being%20hosted%20at%20the%20following%20directory%3A%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2Fetc%2Fopt%2Fmicrosoft%2Fscx%2Fconf%2Ftmpdir%2F.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BThe%20name%20of%20the%20scripts%20in%20that%20directory%20has%20the%20string%20%E2%80%9C%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-cont
rast%3D%22auto%22%3Escx%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%E2%80%9D%20as%20a%20prefix.%20For%20example%3A%26nbsp%3Bscx%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EzEPOS4.%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3ESyslog%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20parse%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3ESyslogMessage%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3Bwith%20%22type%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventType%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW267943799%20BCX8%22%3Eaudit(%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%22%20*%20%22)%3A%20%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventData%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPA
N%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20where%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventType%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%3D~%20%22AUOMS_EXECVE%22%20and%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventData%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3Bhas%20'%2Fvar%2Fopt%2F%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%20DefaultHighlightTransition%22%3Emicrosoft%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2F%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Escx%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2F%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Etmp%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E'%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20project%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%20DefaultHighlightTransition%22%3ETimeGenerated%3C%2FSPAN%3E%3CSPAN%20class%3D%
22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventType%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2C%20Computer%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventData%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20parse%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EEventData%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3Bwith%20*%20%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Esyscall%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Esyscall%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Esyscall_r%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%20*%20%22%20success%3D%22%20success%20%22%20exit%3D%22%20exit%20%22%20a0%22%20*%20%22%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eppid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eppid%3C%2FSPAN%3E%3CSPAN%20cl
ass%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Epid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Epid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eaudit_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eaudit_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eauid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eauid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%20user%3D%22%20user%20%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Euid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Euid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%20group%3D%22%20group%20%3CBR%20%2F%3E%22%20gid%3D%22%20gid%20%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eeffective_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8
%22%3Eeffective_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eeuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eeuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eset_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eset_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%20suid%3D%22%20suid%20%3CBR%20%2F%3E%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efilesystem_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efilesystem_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efsuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efsuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eeffective_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingEr
rorV2%20SCXW267943799%20BCX8%22%3Eeffective_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eegid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eegid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%3CBR%20%2F%3E%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eset_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eset_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Esgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Esgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efilesystem_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efilesystem_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Efsgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2
%20SCXW267943799%20BCX8%22%3Efsgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Etty%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Etty%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%3CBR%20%2F%3E%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eses%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Eses%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%20comm%3D%5C%22%22%20comm%20%22%5C%22%20exe%3D%5C%22%22%20exe%20%22%5C%22%22%20*%20%22cwd%3D%5C%22%22%20cwd%20%22%5C%22%22%20*%20%22name%3D%5C%22%22%20name%20%22%5C%22%22%20*%20%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Ecmdline%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%3D%5C%22%22%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Ecmdline%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%22%5C%22%22%20*%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20where%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW26794379
9%20BCX8%22%3Euid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%3D%3D%20'0'%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20where%20cwd%20%3D%3D%20'%2Fvar%2Fopt%2F%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Emicrosoft%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2F%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Escx%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2F%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3Etmp%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E'%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20where%20comm%20%3D%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3E'sh%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E'%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267943799%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267943799%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267943799%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20S
CXW267943799%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%20%7C%20extend%20Timestamp%20%3D%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3ETimeGenerated%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EHostCustomEntity%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%3D%20Computer%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW267943799%20BCX8%22%3EAccountCustomEntity%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267943799%20BCX8%22%3E%26nbsp%3B%3D%20user%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW267943799%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22executescript_kql_query_execution.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311949iC704AAECED655314%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22executescript_kql_query_execution.png%22%20alt%3D%22executescript_kql_query_execution.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW42733508%22%3EI%20was%20wondering%20what%20process%20had%20created%20that%20file%20in%20that%20dire
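The hunting query above, reimplemented as an added Python example (not code from the original post) so the same filter can be tested offline against constructed AUOMS lines: it splits the "type=... audit(...): ..." message the way the parse statement does, keeps root sh executions whose cwd is /var/opt/microsoft/scx/tmp, and labels a hit as ExecuteScript when the command line references an scx-prefixed file under /etc/opt/microsoft/scx/conf/tmpdir/. The sample records, host name and field values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the hunting queries on this page.
SCX_TMP_CWD = "/var/opt/microsoft/scx/tmp"             # cwd of the spawned shell
SCX_SCRIPT_DIR = "/etc/opt/microsoft/scx/conf/tmpdir/"  # where ExecuteScript stages scx* files

# Sentinel splits "type=<EventType> audit(<id>): <EventData>" with a parse statement;
# this regex does the same on one SyslogMessage value.
AUDIT_RE = re.compile(r"^type=(?P<type>\w+) audit\((?P<id>[^)]*)\): (?P<data>.*)$")
# key=value tokens; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


@dataclass
class AuditEvent:
    event_type: str
    audit_id: str
    fields: Dict[str, str]


def parse_auoms_message(message: str) -> Optional[AuditEvent]:
    """Split an AUOMS syslog line into its event type and key=value fields."""
    m = AUDIT_RE.match(message)
    if m is None:
        return None  # not an AUOMS audit record (e.g. an sshd syslog line)
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(m.group("data")):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')  # strip quotes, unescape inner quotes
        fields[key] = raw
    return AuditEvent(m.group("type"), m.group("id"), fields)


def classify_omi_execution(event: AuditEvent) -> Optional[str]:
    """Apply the page's filter (uid 0, cwd scx/tmp, comm sh) and name the OMI method used."""
    if event.event_type != "AUOMS_EXECVE":
        return None
    f = event.fields
    if f.get("uid") != "0" or f.get("cwd") != SCX_TMP_CWD or f.get("comm") != "sh":
        return None
    # ExecuteScript runs a staged file named /etc/opt/microsoft/scx/conf/tmpdir/scx<...>
    if SCX_SCRIPT_DIR + "scx" in f.get("cmdline", ""):
        return "ExecuteScript"
    return "ExecuteShellCommand"


def hunt_omi_executions(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detector over Syslog-table-like records and emit Sentinel-style entities."""
    findings = []
    for rec in records:
        event = parse_auoms_message(rec["SyslogMessage"])
        if event is None:
            continue
        method = classify_omi_execution(event)
        if method is None:
            continue
        findings.append({
            "Timestamp": rec["TimeGenerated"],
            "HostCustomEntity": rec["Computer"],
            "AccountCustomEntity": event.fields.get("user", ""),
            "method": method,
            "cmdline": event.fields.get("cmdline", ""),
        })
    return findings


def _execve_line(comm: str, exe: str, cwd: str, cmdline: str,
                 uid: str = "0", user: str = "root") -> str:
    """Build a constructed AUOMS_EXECVE message in the field order the page's parse expects."""
    ids = (f"ppid=1342 pid=2210 audit_user=unset auid=4294967295 user={user} uid={uid} "
           f"group={user} gid={uid} effective_user={user} euid={uid} set_user={user} suid={uid} "
           f"filesystem_user={user} fsuid={uid} effective_group={user} egid={uid} "
           f"set_group={user} sgid={uid} filesystem_group={user} fsgid={uid} "
           f"tty=(none) ses=4294967295")
    return (f"type=AUOMS_EXECVE audit(1631900000.100:1001): syscall=execve syscall_r=59 "
            f"success=yes exit=0 a0=0x55d0c0 a1=0x55d1a0 a2=0x55d2b0 {ids} "
            f'comm="{comm}" exe="{exe}" cwd="{cwd}" name="{exe}" cmdline="{cmdline}"')


# Constructed sample records shaped like rows of the Sentinel Syslog table.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2021-09-20T10:00:01Z", "Computer": "omi-lab-b",
     "SyslogMessage": _execve_line("sh", "/bin/dash", SCX_TMP_CWD, "sh -c whoami")},
    {"TimeGenerated": "2021-09-20T10:00:02Z", "Computer": "omi-lab-b",
     "SyslogMessage": _execve_line("sh", "/bin/dash", SCX_TMP_CWD,
                                   "/bin/sh " + SCX_SCRIPT_DIR + "scxzEPOS4")},
    # Benign: a non-root shell, and a root shell started outside the SCX temp directory.
    {"TimeGenerated": "2021-09-20T10:00:03Z", "Computer": "omi-lab-b",
     "SyslogMessage": _execve_line("sh", "/bin/dash", "/home/azureuser", "sh -c ls",
                                   uid="1000", user="azureuser")},
    {"TimeGenerated": "2021-09-20T10:00:04Z", "Computer": "omi-lab-b",
     "SyslogMessage": _execve_line("sh", "/bin/dash", "/", "sh -c uptime")},
    # A non-EXECVE AUOMS record is ignored by this detector.
    {"TimeGenerated": "2021-09-20T10:00:05Z", "Computer": "omi-lab-b",
     "SyslogMessage": "type=AUOMS_SYSCALL audit(1631900000.200:1002): syscall=openat "
                      "success=yes exit=3 uid=0 user=root "
                      'name="' + SCX_SCRIPT_DIR + 'scxzEPOS4"'},
]

if __name__ == "__main__":
    for hit in hunt_omi_executions(SAMPLE_RECORDS):
        print(hit)
```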
let syscallsList = dynamic(["unlink","openat","chmod"]);
Syslog
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| where EventType =~ "AUOMS_SYSCALL" and EventData contains "/etc/opt/microsoft/scx/conf/tmpdir/"
| project TimeGenerated, EventType, Computer, EventData
2%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%7C%20parse%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3EEventData%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ewith%20*%20%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Esyscall%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Esyscall%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Esyscall_r%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%20*%20%22%20success%3D%22%20success%20%22%20exit%3D%22%20exit%20%22%20a0%22%20*%20%3CBR%20%2F%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eppid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eppid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26
nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eaudit_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eaudit_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eauid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eauid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%20user%3D%22%20user%20%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Euid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Euid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%20group%3D%22%20group%20%3CBR%20%2F%3E%22%20gid%3D%22%20gid%20%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eeffective_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eeffective_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D
%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eeuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eeuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eset_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eset_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%20suid%3D%22%20suid%20%3CBR%20%2F%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efilesystem_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efilesystem_user%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efsuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efsuid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eeffective_group%3C%2FSPAN%3E%3CSPAN%20cla
ss%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eeffective_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eegid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eegid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eset_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eset_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Esgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Esgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efilesystem_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22Normal
TextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efilesystem_group%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efsgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Efsgid%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Etty%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Etty%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eses%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eses%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%20comm%3D%5C%22%22%20comm%20%22%5C%22%20exe%3D%5C%22%22%20exe%20%22%5C%22%22%20*%20%22cwd%3D%5C%22%22%20cwd%20%22%5C%22%22%20*%20%22name%3D%5C%22%22%20name%20%22%5C%22%22%20*%3CBR%20%2F%3E%20%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epath_name%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2
FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epath_name%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epath_nametype%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epath_nametype%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epath_mode%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%20*%20%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eproctitle%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3D%22%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Ecmdline%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%22%20redactors%3D%22%20*%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW164422095%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW164422095%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW164422095%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW164422095%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%7C%20where%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Esyscall%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%
20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ein%20(%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3EsyscallsList%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E)%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW164422095%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW164422095%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW164422095%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW164422095%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%7C%20extend%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3EfileAction%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3D%20(%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Eparse_json%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E(%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3Epath_nametype%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E))%5B1%5D%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW164422095%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW164422095%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW164422095%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW164422095%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%7C%20where%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW164422095%20BCX8%22%3EfileAction%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW164422095%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ein%20(%22CREATE%22%2C%22DELETE%22)%3C%2FSPAN%3E%3C%2FSPAN%3E%3C
SPAN%20class%3D%22EOP%20SCXW164422095%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22executescript_kql_query_file_creation_deletion.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311951iC7B4DD01AF96E6A3%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22executescript_kql_query_file_creation_deletion.png%22%20alt%3D%22executescript_kql_query_file_creation_deletion.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3EIt%20seems%20that%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW138185179%20BCX8%22%3Eomiagent%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%26nbsp%3Bcreates%20and%20deletes%20the%20file.%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%26nbsp%3BThe%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3Ef%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW1381851
79%20BCX8%22%3Eile%20is%20available%20only%20during%20the%20execution%20of%20the%20script.%20Once%20the%20execution%20is%20done%2C%20the%20file%20gets%20deleted.%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%26nbsp%3BAfter%20doing%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Esome%20more%20research%20and%20reading%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3Esome%20of%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3Ethe%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW138185179%20BCX8%22%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FSCXcore%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW138185179%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3ESCXCore%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ecode%20in%20GitHub%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%2C%20this%20the%20behavior%20of%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW138185179%20BCX8%22%3EExecuteScript%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW138185179%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%26nbsp%3Bmethod%3C%2FSPAN%3E%3CSPAN%20
class%3D%22NormalTextRun%20SCXW138185179%20BCX8%22%3E%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW138185179%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22executescript_behavior.png%22%20style%3D%22width%3A%20572px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F311952i8FAAABB5CC39FEEA%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22executescript_behavior.png%22%20alt%3D%22executescript_behavior.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-790239145%22%20id%3D%22toc-hId-790299658%22%3E%3CFONT%20size%3D%225%22%3EHow%20can%20we%20cover%20both%20methods%20(ExecuteShellCommand%20and%20ExecuteScript)%20and%20show%20what%20the%20script%20executed%3F%3C%2FFONT%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAs%20mentioned%20before%2C%20both%20methods%20execute%20from%20the%26nbsp%3B%3CSTRONG%3E%2Fvar%2Fopt%2Fmicrosoft%2Fscx%2Ftmp%3C%2FSTRONG%3E%26nbsp%3Bdirectory.%20Therefore%2C%20all%20we%20have%20to%20do%20is%20create%20a%26nbsp%3BJOIN%20query%20to%20show%20the%20process%20parent-child%20relationship%20to%20get%20to%20the%20commands%20executed%20via%20the%20script%20method%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3E%0A%3CPRE%3E%3CSPAN%3Elet%26nbsp%3Bscx_execve%3D()%7B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3ESyslog%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bparse%26nbsp%3BSyslogMessage%26nbsp%3Bwith%26nbsp%3B%22type%3D%22%26nbsp%3BEventType%
26nbsp%3B%22%26nbsp%3Baudit(%22%26nbsp%3B*%26nbsp%3B%22)%3A%26nbsp%3B%22%26nbsp%3BEventData%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bwhere%26nbsp%3BEventType%26nbsp%3B%3D~%26nbsp%3B%22AUOMS_EXECVE%22%26nbsp%3Band%26nbsp%3BEventData%26nbsp%3Bhas%26nbsp%3B'%2Fvar%2Fopt%2Fmicrosoft%2Fscx%2Ftmp'%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bproject%26nbsp%3BTimeGenerated%2C%26nbsp%3BEventType%2C%26nbsp%3BComputer%2C%26nbsp%3BEventData%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bparse%26nbsp%3BEventData%26nbsp%3Bwith%26nbsp%3B*%26nbsp%3B%22syscall%3D%22%26nbsp%3Bsyscall%26nbsp%3B%22%26nbsp%3Bsyscall_r%3D%22%26nbsp%3B*%26nbsp%3B%22%26nbsp%3Bsuccess%3D%22%26nbsp%3Bsuccess%26nbsp%3B%22%26nbsp%3Bexit%3D%22%26nbsp%3Bexit%26nbsp%3B%22%26nbsp%3Ba0%22%26nbsp%3B*%26nbsp%3B%22%26nbsp%3Bppid%3D%22%26nbsp%3Bppid%26nbsp%3B%3CBR%20%2F%3E%22%26nbsp%3Bpid%3D%22%26nbsp%3Bpid%26nbsp%3B%22%26nbsp%3Baudit_user%3D%22%26nbsp%3Baudit_user%26nbsp%3B%22%26nbsp%3Bauid%3D%22%26nbsp%3Bauid%26nbsp%3B%22%26nbsp%3Buser%3D%22%26nbsp%3Buser%26nbsp%3B%22%26nbsp%3Buid%3D%22%26nbsp%3Buid%26nbsp%3B%22%26nbsp%3Bgroup%3D%22%26nbsp%3Bgroup%26nbsp%3B%22%26nbsp%3Bgid%3D%22%26nbsp%3Bgid%26nbsp%3B%3CBR%20%2F%3E%22effective_user%3D%22%26nbsp%3Beffective_user%26nbsp%3B%22%26nbsp%3Beuid%3D%22%26nbsp%3Beuid%26nbsp%3B%22%26nbsp%3Bset_user%3D%22%26nbsp%3Bset_user%26nbsp%3B%22%26nbsp%3Bsuid%3D%22%26nbsp%3Bsuid%26nbsp%3B%22%26nbsp%3Bfilesystem_user%3D%22%26nbsp%3Bfilesystem_user%26nbsp%3B%3CBR%20%2F%3E%22%26nbsp%3Bfsuid%3D%22%26nbsp%3Bfsuid%26nbsp%3B%22%26nbsp%3Beffective_group%3D%22%26nbsp%3Beffective_group%26nbsp%3B%22%26nbsp%3Begid%3D%22%26nbsp%3Begid%26nbsp%3B%22%26nbsp%3Bset_group%3D%22%26nbsp%3Bset_group%26nbsp%3B%22%26nbsp%3Bsgid%3D%22%26nbsp%3Bsgid%26nbsp%3B%3CBR%20%2F%3E%22%26nbsp%3Bfilesystem_group%3D%22%26nbsp%3Bfilesystem_group%26nbsp%3B%22%26nbsp%3Bfsgid%3D%22%26nbsp%3Bfsgid%26nbsp%3B%22%26nbsp%3Btty%3D%22%26nbsp%3Btty%26nbsp%3B%22%26nbsp%3Bses%3D%22%26nbsp%3Bses%26nbsp%3B%22%26nbsp%3Bcomm%3D%
5C%22%22%26nbsp%3Bcomm%26nbsp%3B%22%5C%22%26nbsp%3Bexe%3D%5C%22%22%26nbsp%3Bexe%26nbsp%3B%22%5C%22%22%26nbsp%3B*%26nbsp%3B%3CBR%20%2F%3E%22cwd%3D%5C%22%22%26nbsp%3Bcwd%26nbsp%3B%22%5C%22%22%26nbsp%3B*%26nbsp%3B%22name%3D%5C%22%22%26nbsp%3Bname%26nbsp%3B%22%5C%22%22%26nbsp%3B*%26nbsp%3B%22cmdline%3D%22%26nbsp%3Bcmdline%26nbsp%3B%22%26nbsp%3Bredactors%3D%22%26nbsp%3B*%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bwhere%26nbsp%3Buid%26nbsp%3B%3D%3D%26nbsp%3B'0'%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bwhere%26nbsp%3Bcwd%26nbsp%3B%3D%3D%26nbsp%3B'%2Fvar%2Fopt%2Fmicrosoft%2Fscx%2Ftmp'%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bwhere%26nbsp%3Bsuccess%26nbsp%3B%3D%3D%26nbsp%3B'yes'%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7D%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3Escx_execve%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bwhere%26nbsp%3Bcomm%26nbsp%3B%3D%3D%26nbsp%3B'sh'%26nbsp%3B%2F%2F%26nbsp%3BExecuteScript%26nbsp%3Bcmdline%26nbsp%3Bwould%26nbsp%3Btrigger%26nbsp%3Bon%26nbsp%3B%2Fbin%2Fsh%26nbsp%3B%2Fetc%2Fopt%2Fmicrosoft%2Fscx%2Fconf%2Ftmpdir%2Fscx_%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bjoin%26nbsp%3Bkind%3Dleftouter%26nbsp%3B(%26nbsp%3Bscx_execve%26nbsp%3B)%26nbsp%3Bon%26nbsp%3B%24left.Computer%26nbsp%3B%3D%3D%26nbsp%3B%24right.Computer%2C%26nbsp%3B%24left.pid%26nbsp%3B%3D%3D%26nbsp%3B%24right.ppid%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bproject-rename%26nbsp%3BparentEventData%3DEventData%2Cparentppid%3Dppid%2Cparentpid%3Dpid%2Cparentcomm%3Dcomm%2Cparentexe%3Dexe%2C%3CBR%20%2F%3Eparentname%3Dname%2Cparentcmdline%3Dcmdline%2CchildEventData%3DEventData1%2Cchildppid%3Dppid1%2Cchildpid%3Dpid1%2Cchildcomm%3Dcomm1%3CBR%20%2F%3E%2Cchildexe%3Dexe1%2Cchildname%3Dname1%2Cchildcmdline%3Dcmdline1%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bproject%26nbsp%3BTimeGenerated%2C%26nbsp%3BComputer%2C%26nbsp%3Buser%2C%26nbsp%3BparentEventData%2Cparentppid%2Cparentpid%2Cparentcomm%2Cparentexe%2Cparentname%2Cparentcmdline%2C%3CBR%20%2F%3EchildEventData%2
Cchildppid%2Cchildpid%2Cchildcomm%2Cchildexe%2Cchildname%2Cchildcmdline%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%3E%7C%26nbsp%3Bextend%26nbsp%3BTimestamp%26nbsp%3B%3D%26nbsp%3BTimeGenerated%2C%26nbsp%3BHostCustomEntity%26nbsp%3B%3D%26nbsp%3BComputer%2C%26nbsp%3BAccountCustomEntity%26nbsp%3B%3D%26nbsp%3Buser%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Final_Query.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F312507i6564DFF9C8850EA7%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Final_Query.PNG%22%20alt%3D%22Final_Query.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThis%20is%20now%20the%20hunting%20query%20we%20share%20via%20our%20Azure%20Sentinel%20GitHub%20repo!%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FHunting%2520Queries%2FSyslog%2FSCXExecuteRunAsProviders.yml%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel%2FSCXExecuteRunAsProviders.yml%20at%20master%20%C2%B7%20Azure%2FAzure-Sentinel%20(github.com)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThat%E2%80%99s%20it!%20I%20am%20sure%20there%20is%20more%20to%20explore!%20I%20hope%20this%20lab%20environment%20can%20help%20you%20to%20test%20a%20few%20things%20in%20a%20safer%20way%20and%20experience%20what%20it%20might%20look%20like%20if%20it%20happens%20in%20your%20environment.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSTRONG%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW238013921%22%3EO
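To make the parent-child join above concrete outside of Log Analytics, here is the same logic as a small Python program. This is an added example, not code from the post or from the Azure Sentinel repository: it splits an AUOMS message into fields the way the `parse` statements do, applies the same filters as `scx_execve` (AUOMS_EXECVE, root, cwd /var/opt/microsoft/scx/tmp, success=yes), and then performs the leftouter self-join on Computer and pid == ppid, keeping an sh parent even when no child was captured. The sample messages are constructed to follow the field order the post's parse pattern expects and are not captured from a real host; the host names, pids, audit ids and the scx_LABTEST file name are made up.

```python
import re

# Directory both OMI run-as providers execute from, as the post explains
SCX_TMP = "/var/opt/microsoft/scx/tmp"

# Splits "type=<EventType> audit(<id>): <EventData>" the way the KQL `parse SyslogMessage` does
HEADER_RE = re.compile(r"^type=(?P<type>\S+) audit\((?P<audit>[^)]*)\): (?P<data>.*)$")
# One key=value token; quoted values may contain spaces, unquoted ones run to the next space
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_auoms(message):
    """Turn one AUOMS syslog message into a dict of its fields (None if it is not one)."""
    m = HEADER_RE.match(message)
    if not m:
        return None
    fields = {"EventType": m.group("type")}
    data = m.group("data")
    # cmdline is unquoted and contains spaces, so, like the KQL pattern, it runs until " redactors="
    cm = re.search(r" cmdline=(.*?) redactors=", data)
    if cm:
        fields["cmdline"] = cm.group(1)
        data = data[: cm.start()]
    for key, value in KV_RE.findall(data):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def scx_execve(events):
    """Mirror of the scx_execve() function in the post's KQL.

    events is an iterable of (Computer, SyslogMessage) pairs. Keeps successful
    root execve events whose working directory is the SCX tmp directory.
    """
    rows = []
    for computer, message in events:
        f = parse_auoms(message)
        if f is None or f["EventType"] != "AUOMS_EXECVE":
            continue
        if SCX_TMP not in message:  # EventData has '/var/opt/microsoft/scx/tmp'
            continue
        if f.get("uid") != "0" or f.get("cwd") != SCX_TMP or f.get("success") != "yes":
            continue
        f["Computer"] = computer
        rows.append(f)
    return rows


def script_children(events):
    """The leftouter self-join: sh parents matched to children on Computer and pid == ppid.

    Returns (Computer, parent cmdline, child cmdline) tuples; the child cmdline is
    None when an sh parent spawned nothing we captured (the leftouter side).
    """
    rows = scx_execve(events)
    results = []
    for parent in (r for r in rows if r.get("comm") == "sh"):
        kids = [c for c in rows
                if c["Computer"] == parent["Computer"] and c.get("ppid") == parent.get("pid")]
        if not kids:
            results.append((parent["Computer"], parent.get("cmdline"), None))
        for child in kids:
            results.append((parent["Computer"], parent.get("cmdline"), child.get("cmdline")))
    return results


def _msg(ppid, pid, comm, exe, cwd, cmdline, uid="0", user="root", success="yes", aid="2001"):
    """Constructed AUOMS_EXECVE message laid out in the field order the post's parse pattern expects."""
    return (f"type=AUOMS_EXECVE audit(1632300000.101:{aid}): syscall=execve syscall_r=59 "
            f"success={success} exit=0 a0=\"{exe}\" ppid={ppid} pid={pid} audit_user=unset "
            f"auid=4294967295 user={user} uid={uid} group={user} gid={uid} effective_user={user} "
            f"euid={uid} set_user={user} suid={uid} filesystem_user={user} fsuid={uid} "
            f"effective_group={user} egid={uid} set_group={user} sgid={uid} filesystem_group={user} "
            f"fsgid={uid} tty=(none) ses=4294967295 comm=\"{comm}\" exe=\"{exe}\" cwd=\"{cwd}\" "
            f"name=\"{exe}\" cmdline={cmdline} redactors=")


# Constructed sample telemetry: one ExecuteScript-style sh parent with two children, one failed
# execve (dropped by success == 'yes'), and one unrelated user shell outside the SCX tmp directory.
SAMPLE_EVENTS = [
    ("omi-lab-01", _msg(1500, 1601, "sh", "/bin/dash", SCX_TMP,
                        "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx_LABTEST", aid="2001")),
    ("omi-lab-01", _msg(1601, 1602, "id", "/usr/bin/id", SCX_TMP, "id", aid="2002")),
    ("omi-lab-01", _msg(1601, 1603, "uname", "/bin/uname", SCX_TMP, "uname -a", aid="2003")),
    ("omi-lab-01", _msg(1601, 1604, "cat", "/bin/cat", SCX_TMP, "cat /etc/hostname",
                        success="no", aid="2004")),
    ("omi-lab-02", _msg(2200, 2201, "sh", "/bin/dash", "/home/alice", "/bin/sh ./build.sh",
                        uid="1000", user="alice", aid="3001")),
]

if __name__ == "__main__":
    for computer, parent, child in script_children(SAMPLE_EVENTS):
        print(f"{computer}: {parent!r} -> {child!r}")
```

Running it prints one row per child of the sh parent, which is exactly what the `childcmdline` column of the hunting query surfaces. Because the join is leftouter, an sh parent that ran the script but spawned no further process still appears, with an empty child; that row is worth keeping in the KQL version too, since a script can do its work with shell built-ins only.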
Once again, we highly recommend upgrading the OMI agent to version 1.6.8-1+, and if possible, controlling access to ports 5986, 5985 and 1270. Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.

In addition, remember that the behavior documented in this post is not malicious. The lab was created to help us understand how the execution of commands or a script was being handled by OMI from a data perspective. You must then go through the results of those queries and validate what is legitimate behavior or not depending on your organization’s baseline.

Also, use this knowledge to map data you collect to every single action documented ;) You might be collecting data from other sources that provide the same or similar visibility.

Resources

- Linux Lab Environment - OMI Vulnerability: https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-38647-OMI
- Install OMS Agent bash script: https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/bash/Install-OMS-Linux-Agent.sh
- Install OMS Auditd Plugin bash script: https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/bash/Install-OMS-Auditd-Plugin.sh
- Install OMI bash script: https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/bash/Install-OMI.sh
- Hunting query: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Syslog/SCXExecuteRunAsProviders.yml

References
ria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fhunting-for-omi-vulnerability-exploitation-with-azure-sentinel%2Fba-p%2F2764093%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EHunting%20for%20OMI%20Vulnerability%20Exploitation%20with%20Azure%20Sentinel%20-%20Microsoft%20Tech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fhunting-threats-on-linux-with-azure-sentinel%2Fba-p%2F1344431%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EHunting%20Threats%20on%20Linux%20with%20Azure%20Sentinel%20-%20Microsoft%20Tech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fguided-hunting-notebook-base64-encoded-linux-commands%2Fba-p%2F1579484%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EGuided%20Hunting%20Notebook%3A%20Base64-Encoded%20Linux%20Commands%20-%20Microsoft%20Tech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3
Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2F%2Fagents%2Fdata-sources-syslog%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECollect%20Syslog%20data%20sources%20with%20Log%20Analytics%20agent%20in%20Azure%20Monitor%20-%20Azure%20Monitor%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FSCXcore%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Emicrosoft%2FSCXcore%3A%20System%20Center%20Cross%20Platform%20Provider%20for%20Operations%20Manager%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FOMS-Agent-for-Linux%2Ftree%2Fmaster%2Ftools%2FOMIcheck%22%20target%3D%22_blank%22%20rel%3D%22noopener%2
0noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EOMS-Agent-for-Linux%2Ftools%2FOMIcheck%20at%20master%20%C2%B7%20microsoft%2FOMS-Agent-for-Linux%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_enterprise_linux%2F7%2Fhtml%2Fsecurity_guide%2Fsec-understanding_audit_log_files%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E7.6.%26nbsp%3BUnderstanding%20Audit%20Log%20Files%20Red%20Hat%20Enterprise%20Linux%207%20%7C%20Red%20Hat%20Customer%20Portal%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fomi%2Freleases%2Ftag%2Fv1.6.8-0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ERelease%20v1.6.8-0%20%C2%B7%20microsoft%2Fomi%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%2
0data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FOMS-Auditd-Plugin%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Emicrosoft%2FOMS-Auditd-Plugin%3A%20Auditd%20plugin%20that%20forwards%20audit%20events%20to%20OMS%20Agent%20for%20Linux%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%2217%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Fblob%2Fmaster%2FHunting%2520Queries%2FSyslog%2FSCXRunAsProviderExecuteShellCommand.yml%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure-Sentinel%2FSCXRunAsProviderExecuteShellCommand.yml%20at%20master%20%C2%B7%20Azure%2FAzure-Sentinel%20(github.com)%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2772581%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW2037460%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3EIn%20this%20post%2C%20I%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Ewill%20show%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%3CSPAN%3E%26nbsp%
3B%3C%2FSPAN%3Eyou%20how%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Eautomatically%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Edeploy%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%26nbsp%3Ba%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Eresearch%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Elab%20environment%20with%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW2037460%20BCX8%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsentinel%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW2037460%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EAzure%20Sentinel%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW2037460%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%2C%20a%20few%3CSPAN%3E%26nbsp%3BLinux%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Evirtual%20machines%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eand%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%26nbsp%3Bthe%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3EMicrosoft%20Audit%20Collection%20Tool%20(AUOMS)%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20
BCX8%22%3Eset%20up%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3Eto%20understand%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ethe%20underlying%20behavior%20of%20the%20exploitation%20of%20the%20OMI%20vulnerability%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW2037460%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Last update: Sep 24 2021 09:26 AM