Virtual Machine Fingerprinting via Grep
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.
Elastic rule
```toml
[metadata]
creation_date = "2021/09/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
RAT and other malware.
"""
false_positives = [
    """
    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
    process arguments to eliminate potential noise.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Machine Fingerprinting via Grep"
references = ["https://objective-see.com/blog/blog_0x4F.html"]
risk_score = 47
rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
    process.name in ("grep", "egrep") and user.id != "0" and
    process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
    not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Virtual Machine Fingerprinting via Grep

Virtual machine fingerprinting involves identifying virtualized environments by querying system details. Adversaries exploit tools like `grep` to extract information about virtual machine hardware, aiding in evasion or targeting. The detection rule identifies non-root users executing `grep` with arguments linked to virtual machine identifiers, flagging potential reconnaissance activities while excluding benign processes.

### Possible investigation steps

- Review the process execution details to confirm the non-root user who initiated the `grep` or `egrep` command and assess their typical behavior and access rights.
- Examine the command-line arguments used with `grep` to identify specific virtual machine identifiers such as "parallels", "vmware", or "virtualbox" and determine if these align with known reconnaissance patterns.
- Investigate the parent process of the `grep` command to understand the context in which it was executed, ensuring it is not a benign process like Docker or kcare.
- Check for any additional suspicious activities or commands executed by the same user around the same time to identify potential lateral movement or further reconnaissance.
- Correlate this event with other security alerts or logs to determine if it is part of a broader attack pattern or campaign, particularly looking for connections to known malware like Pupy RAT.

### False positive analysis

- Non-root users running legitimate scripts or applications that query virtual machine identifiers for system management or inventory purposes may trigger the rule. To handle this, identify and whitelist these specific scripts or applications by excluding their parent executable paths.
- Developers or IT personnel using grep to troubleshoot or gather system information on virtual machines might be flagged. Create exceptions for known user accounts or specific directories where these activities are expected.
- Automated monitoring tools that check virtual machine environments for compliance or performance metrics could cause false positives. Exclude these tools by adding their process names or parent executables to the exception list.
- Some virtualization management software might use grep internally to gather system information. Identify these applications and exclude their processes to prevent unnecessary alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further reconnaissance or data exfiltration by the adversary.
- Terminate any suspicious processes identified by the alert, specifically those involving `grep` or `egrep` with arguments related to virtual machine identifiers.
- Conduct a thorough review of the affected system's user accounts and permissions, focusing on non-root users, to identify any unauthorized access or privilege escalation.
- Analyze system logs and network traffic for any signs of lateral movement or additional compromise, paying close attention to connections initiated by the affected system.
- Restore the system from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.
- Implement stricter access controls and monitoring for systems running virtual machines, including enhanced logging and alerting for similar reconnaissance activities.
- Escalate the incident to the security operations team for further investigation and to determine if the activity is part of a larger attack campaign."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
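To make the query's clauses concrete, the following is an added Python re-implementation of the rule's matching logic run over a handful of constructed process-start events; it is not code from Elastic or the detection-rules repository. It assumes the EQL semantics described in Elastic's documentation: the `:` operator is a case-insensitive, wildcard-aware string match, an array field such as `process.args` matches when any element matches, and `in` is an exact membership test. The optional `exempt_users` parameter is an illustration of the user-name exemption the rule's `false_positives` text suggests, not a field of the rule itself.

```python
"""Added example: evaluate the 'Virtual Machine Fingerprinting via Grep' EQL
query against constructed process events. Not part of the original rule."""
import fnmatch

# Literal values copied from the rule's query.
PROCESS_NAMES = {"grep", "egrep"}
VM_ARG_PATTERNS = ("parallels*", "vmware*", "virtualbox*")
MANUFACTURER_PATTERN = "Manufacturer*"
EXCLUDED_PARENTS = {
    "/Applications/Docker.app/Contents/MacOS/Docker",
    "/usr/libexec/kcare/virt-what",
}


def eql_wildcard_match(value: str, pattern: str) -> bool:
    """Approximation of EQL `:` on one string: case-insensitive, `*` wildcard.
    (Assumed semantics; fnmatchcase avoids OS-dependent case folding.)"""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def any_arg_matches(args, patterns) -> bool:
    """Array-field semantics: match if any element matches any pattern."""
    return any(eql_wildcard_match(a, p) for a in args for p in patterns)


def rule_matches(event: dict, exempt_users=frozenset()) -> bool:
    """True if the event satisfies every clause of the rule's EQL query.
    `exempt_users` is a hypothetical tuning knob: user.id values to ignore."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") not in PROCESS_NAMES:
        return False
    uid = event.get("user.id")
    if uid == "0":                      # root is out of scope for this rule
        return False
    if uid in exempt_users:             # analyst-added exception (assumed)
        return False
    args = event.get("process.args", [])
    if not any_arg_matches(args, VM_ARG_PATTERNS):
        return False
    if not any_arg_matches(args, (MANUFACTURER_PATTERN,)):
        return False
    if event.get("process.parent.executable") in EXCLUDED_PARENTS:
        return False
    return True


def evaluate(events, exempt_users=frozenset()):
    """Return the 1-based indices of events the rule would alert on."""
    return [i for i, e in enumerate(events, 1) if rule_matches(e, exempt_users)]


def _event(name, uid, args, parent, etype="start"):
    return {"event.type": etype, "process.name": name, "user.id": uid,
            "process.args": args, "process.parent.executable": parent}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: non-root grep naming a VM vendor and "Manufacturer" -> alert
    _event("grep", "501", ["grep", "-i", "VMware", "Manufacturer"], "/bin/sh"),
    # 2: identical command as root -> out of scope (user.id != "0")
    _event("grep", "0", ["grep", "-i", "VMware", "Manufacturer"], "/bin/sh"),
    # 3: identical command spawned by Docker -> excluded parent
    _event("grep", "501", ["grep", "-i", "VMware", "Manufacturer"],
           "/Applications/Docker.app/Contents/MacOS/Docker"),
    # 4: VM vendor term without the Manufacturer term -> no alert
    _event("grep", "501", ["grep", "-i", "virtualbox", "/proc/cpuinfo"], "/bin/sh"),
    # 5: egrep with mixed case -> alert, because `:` is case-insensitive
    _event("egrep", "1000", ["egrep", "PARALLELS", "manufacturer"], "/bin/bash"),
    # 6: same arguments but not a process-start event -> no alert
    _event("grep", "501", ["grep", "VMware", "Manufacturer"], "/bin/sh", etype="end"),
]

if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))
    print("with user 501 exempted:", evaluate(SAMPLE_EVENTS, exempt_users={"501"}))
```

Events 1 and 5 alert; 2, 3, 4 and 6 fall out on the root check, the parent-executable exclusion, the missing `Manufacturer*` argument and the event type respectively. The `exempt_users` set is one way to express the user-based exception the rule's false-positive guidance mentions; in production the equivalent would be a rule exception in Kibana rather than code.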
Related rules
- Security Software Discovery via Grep
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Bash Shell Profile Modification
- ESXI Discovery via Find
- ESXI Discovery via Grep