Virtual Machine Fingerprinting via Grep

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/09/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
RAT and other malware.
"""
false_positives = [
    """
    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
    process arguments to eliminate potential noise.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Machine Fingerprinting via Grep"
references = ["https://objective-see.com/blog/blog_0x4F.html"]
risk_score = 47
rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
 process.name in ("grep", "egrep") and user.id != "0" and
 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
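To see exactly which process-start events the query above fires on, here is a small Python re-implementation of its predicate run over constructed sample events. This is an added example, not code or test data from the Elastic rule; it approximates EQL's `:` operator with case-insensitive wildcard matching and assumes the events are ECS-shaped dictionaries.

```python
import fnmatch

# Predicate constants taken from the rule's EQL query.
GREP_NAMES = {"grep", "egrep"}
VENDOR_PATTERNS = ("parallels*", "vmware*", "virtualbox*")
MANUFACTURER_PATTERNS = ("Manufacturer*",)
EXCLUDED_PARENTS = {
    "/Applications/Docker.app/Contents/MacOS/Docker",
    "/usr/libexec/kcare/virt-what",
}

def eql_match(values, patterns):
    """EQL ':' on an array field: case-insensitive wildcard, any element matches."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower())
               for v in values for p in patterns)

def matches_rule(event):
    """Return True when a process-start event satisfies the rule's query."""
    proc = event.get("process", {})
    uid = event.get("user", {}).get("id")
    # In EQL a comparison against a missing field is null (falsy), so an
    # event without user.id never fires; uid "0" (root) is excluded explicitly.
    if (event.get("event", {}).get("type") != "start" or uid in (None, "0")
            or proc.get("name") not in GREP_NAMES):
        return False
    args = proc.get("args", [])
    if not (eql_match(args, VENDOR_PATTERNS)
            and eql_match(args, MANUFACTURER_PATTERNS)):
        return False
    return proc.get("parent", {}).get("executable") not in EXCLUDED_PARENTS

def alerts(events):
    return [i for i, e in enumerate(events) if matches_rule(e)]

# Constructed sample telemetry (not real events) exercising each clause.
SAMPLE_EVENTS = [
    {"event": {"type": "start"}, "user": {"id": "501"},  # fires
     "process": {"name": "grep", "args": ["grep", "-i", "VMware", "Manufacturer"],
                 "parent": {"executable": "/bin/zsh"}}},
    {"event": {"type": "start"}, "user": {"id": "0"},  # root: rule ignores uid 0
     "process": {"name": "grep", "args": ["grep", "-i", "VMware", "Manufacturer"],
                 "parent": {"executable": "/bin/zsh"}}},
    {"event": {"type": "start"}, "user": {"id": "501"},  # allow-listed parent
     "process": {"name": "grep", "args": ["grep", "Parallels", "Manufacturer:"],
                 "parent": {"executable": "/Applications/Docker.app/Contents/MacOS/Docker"}}},
    {"event": {"type": "start"}, "user": {"id": "501"},  # no Manufacturer token
     "process": {"name": "egrep", "args": ["egrep", "virtualbox", "/var/log/install.log"],
                 "parent": {"executable": "/bin/bash"}}},
]
```

Only the first sample event alerts; the other three show the root, allow-listed-parent and missing-token paths the query deliberately leaves out, which is useful when tuning the `false_positives` exemptions the rule mentions.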
