Virtual Machine Fingerprinting via Grep

calendar May 22, 2024 ยท Domain: Endpoint OS: macOS OS: Linux Use Case: Threat Detection Tactic: Discovery Data Source: Elastic Defend  ยท
Share on: linkedin copy

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/09/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
11common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
12RAT and other malware.
13"""
14false_positives = [
15    """
16    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
17    process arguments to eliminate potential noise.
18    """,
19]
20from = "now-9m"
21index = ["auditbeat-*", "logs-endpoint.events.*"]
22language = "eql"
23license = "Elastic License v2"
24name = "Virtual Machine Fingerprinting via Grep"
25references = ["https://objective-see.com/blog/blog_0x4F.html"]
26risk_score = 47
27rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
28setup = """## Setup
29
30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
33`event.ingested` to @timestamp.
34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
35"""
36severity = "medium"
37tags = [
38    "Domain: Endpoint",
39    "OS: macOS",
40    "OS: Linux",
41    "Use Case: Threat Detection",
42    "Tactic: Discovery",
43    "Data Source: Elastic Defend",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49process where event.type == "start" and
50 process.name in ("grep", "egrep") and user.id != "0" and
51 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
52 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1082"
60name = "System Information Discovery"
61reference = "https://attack.mitre.org/techniques/T1082/"
62
63
64[rule.threat.tactic]
65id = "TA0007"
66name = "Discovery"
67reference = "https://attack.mitre.org/tactics/TA0007/"

References

  • FinFisher Filleted ๐ŸŸ

    FinFisher Filleted ๐ŸŸ a triage of the FinSpy (macOS) malware by: Patrick Wardle / September 26, 2020 Love these blog posts and/or want to support my research and tools? You can support them via my P...


    Read More

Related rules

to-top