Virtual Machine Fingerprinting via Grep

calendar Sep 5, 2023 ยท Domain: Endpoint OS: macOS OS: Linux Use Case: Threat Detection Tactic: Discovery Data Source: Elastic Defend  ยท
Share on: linkedin copy

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/09/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
13common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
14RAT and other malware.
15"""
16false_positives = [
17    """
18    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
19    process arguments to eliminate potential noise.
20    """,
21]
22from = "now-9m"
23index = ["auditbeat-*", "logs-endpoint.events.*"]
24language = "eql"
25license = "Elastic License v2"
26name = "Virtual Machine Fingerprinting via Grep"
27note = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
30"""
31references = ["https://objective-see.com/blog/blog_0x4F.html"]
32risk_score = 47
33rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
34severity = "medium"
35tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where event.type == "start" and
41 process.name in ("grep", "egrep") and user.id != "0" and
42 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
43 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1082"
51name = "System Information Discovery"
52reference = "https://attack.mitre.org/techniques/T1082/"
53
54
55[rule.threat.tactic]
56id = "TA0007"
57name = "Discovery"
58reference = "https://attack.mitre.org/tactics/TA0007/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

References

  • FinFisher Filleted ๐ŸŸ

    FinFisher Filleted ๐ŸŸ a triage of the FinSpy (macOS) malware by: Patrick Wardle / September 26, 2020 Love these blog posts and/or want to support my research and tools? You can support them via my P...


    Read More

Related rules

to-top