Virtual Machine Fingerprinting via Grep
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.
Elastic rule

```toml
[metadata]
creation_date = "2021/09/29"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
RAT and other malware.
"""
false_positives = [
    """
    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
    process arguments to eliminate potential noise.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Machine Fingerprinting via Grep"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = ["https://objective-see.com/blog/blog_0x4F.html"]
risk_score = 47
rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
  process.name in ("grep", "egrep") and user.id != "0" and
  process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
  not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
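To show how the query's four conditions combine (non-root user, `grep`/`egrep`, a VM vendor string plus a `Manufacturer*` argument, and the parent-process exclusions), here is the same logic re-implemented in Python and run over constructed sample events. This is an added illustration, not code from the Elastic rule or its repository; the flattened ECS field names are assumed, and EQL's case-insensitive wildcard `:` operator is approximated with `fnmatch`.

```python
from fnmatch import fnmatchcase

# Conditions taken from the rule's EQL query; EQL's ":" operator is a
# case-insensitive wildcard comparison, approximated here with fnmatch.
GREP_NAMES = {"grep", "egrep"}
VM_VENDOR_PATTERNS = ("parallels*", "vmware*", "virtualbox*")
MANUFACTURER_PATTERN = "Manufacturer*"
EXCLUDED_PARENTS = {"/Applications/Docker.app/Contents/MacOS/Docker",
                    "/usr/libexec/kcare/virt-what"}

def eql_like(value, pattern):
    """Approximate EQL ':' for one string: case-insensitive, '*' wildcard."""
    return fnmatchcase(value.lower(), pattern.lower())

def any_arg_matches(args, patterns):
    # True if any process argument matches any of the patterns.
    return any(eql_like(arg, pat) for arg in args for pat in patterns)

def matches_vm_fingerprint_rule(event):
    """Evaluate one flattened ECS process event against the rule's query."""
    if event.get("event.type") != "start" or event.get("process.name") not in GREP_NAMES:
        return False
    uid = event.get("user.id")
    if uid is None or uid == "0":  # root excluded; a missing uid is treated as no match
        return False
    args = event.get("process.args", [])
    if not (any_arg_matches(args, VM_VENDOR_PATTERNS)
            and any_arg_matches(args, (MANUFACTURER_PATTERN,))):
        return False
    return event.get("process.parent.executable") not in EXCLUDED_PARENTS

def _event(name, uid, args, parent="/bin/zsh"):
    # Constructed sample event in flattened ECS form (not real telemetry).
    return {"event.type": "start", "process.name": name, "user.id": uid,
            "process.args": args, "process.parent.executable": parent}

SAMPLE_EVENTS = [
    _event("grep", "501", ["grep", "-i", "vmware", "Manufacturer"]),  # hit
    _event("grep", "0", ["grep", "-i", "vmware", "Manufacturer"]),    # root: excluded
    _event("grep", "501", ["grep", "Parallels", "Manufacturer:"],
           parent="/Applications/Docker.app/Contents/MacOS/Docker"),  # excluded parent
    _event("egrep", "502", ["egrep", "VirtualBox", "manufacturer"]),  # case-insensitive hit
    _event("grep", "501", ["grep", "vmware", "/tmp/out.txt"]),        # no Manufacturer arg
    _event("rg", "501", ["rg", "vmware", "Manufacturer"]),            # not grep/egrep
]

def evaluate(events=SAMPLE_EVENTS):
    return [matches_vm_fingerprint_rule(e) for e in events]
```

Run `evaluate()` to see which of the six constructed events the rule would fire on; the second and third show the root and parent-executable exclusions that keep the false-positive sources named in the rule out of the alert stream.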
Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
References

- https://objective-see.com/blog/blog_0x4F.html
Related rules
- Security Software Discovery via Grep
- Bash Shell Profile Modification
- ESXI Discovery via Find
- ESXI Discovery via Grep
- EggShell Backdoor Execution