Virtual Machine Fingerprinting via Grep

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/09/29"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"

[rule]
author = ["Elastic"]
description = """
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
RAT and other malware.
"""
false_positives = [
    """
    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
    process arguments to eliminate potential noise.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Machine Fingerprinting via Grep"
references = ["https://objective-see.com/blog/blog_0x4F.html"]
risk_score = 47
rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
 process.name in ("grep", "egrep") and user.id != "0" and
 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
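To see exactly which process-start events the query above fires on, here is an added example (not part of the Elastic rule or its repository) that re-implements the query's matching logic in plain Python and runs it over constructed events. The event contents are made up for illustration; only the field semantics follow the rule: `in` is an exact, case-sensitive membership test, `:` is a case-insensitive match in which `*` is a wildcard, and a `:` test against the `process.args` array succeeds if any element matches.

```python
import re
from dataclasses import dataclass

# Constants lifted straight from the EQL query.
GREP_NAMES = ("grep", "egrep")                          # process.name in (...), case-sensitive
VM_VENDOR_PATTERNS = ("parallels*", "vmware*", "virtualbox*")
MANUFACTURER_PATTERNS = ("Manufacturer*",)
EXCLUDED_PARENTS = (
    "/Applications/Docker.app/Contents/MacOS/Docker",
    "/usr/libexec/kcare/virt-what",
)


@dataclass
class ProcessEvent:
    label: str                  # tag for the constructed sample, not an ECS field
    event_type: str             # event.type
    name: str                   # process.name
    args: tuple                 # process.args (array field)
    user_id: str                # user.id (a string in ECS, hence the "0" comparison)
    parent_executable: str      # process.parent.executable


def eql_wildcard(pattern: str, value: str) -> bool:
    """EQL ':' operator: case-insensitive whole-string match, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def any_arg_matches(args, patterns) -> bool:
    """'process.args : (p1, p2, ...)' is true when any array element matches any pattern."""
    return any(eql_wildcard(p, a) for a in args for p in patterns)


def rule_matches(ev: ProcessEvent) -> bool:
    """Direct translation of the rule's 'process where ...' predicate."""
    return (
        ev.event_type == "start"
        and ev.name in GREP_NAMES
        and ev.user_id != "0"
        and any_arg_matches(ev.args, VM_VENDOR_PATTERNS)
        and any_arg_matches(ev.args, MANUFACTURER_PATTERNS)
        and ev.parent_executable not in EXCLUDED_PARENTS
    )


# Constructed sample events; command lines and uids are invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent("vendor and Manufacturer in one grep, uid 501", "start", "grep",
                 ("grep", "-i", "-e", "Manufacturer", "-e", "vmware", "-e", "parallels", "-e", "virtualbox"),
                 "501", "/bin/sh"),
    ProcessEvent("same command run as root", "start", "grep",
                 ("grep", "-i", "-e", "Manufacturer", "-e", "vmware"), "0", "/bin/sh"),
    ProcessEvent("same command spawned by Docker Desktop", "start", "grep",
                 ("grep", "-i", "-e", "Manufacturer", "-e", "vmware"), "501",
                 "/Applications/Docker.app/Contents/MacOS/Docker"),
    ProcessEvent("same command spawned by KernelCare virt-what", "start", "grep",
                 ("grep", "-i", "-e", "Manufacturer", "-e", "vmware"), "1001",
                 "/usr/libexec/kcare/virt-what"),
    ProcessEvent("Manufacturer only, no vendor string", "start", "grep",
                 ("grep", "-i", "Manufacturer"), "501", "/bin/bash"),
    ProcessEvent("lowercase vendor and manufacturer via egrep", "start", "egrep",
                 ("egrep", "-i", "manufacturer", "-e", "VirtualBox"), "501", "/bin/zsh"),
    ProcessEvent("fgrep is not in the process.name list", "start", "fgrep",
                 ("fgrep", "-e", "Manufacturer", "-e", "vmware"), "501", "/bin/sh"),
    ProcessEvent("vendor string not at start of the argument", "start", "grep",
                 ("grep", "-e", "Manufacturer", "-e", "Vendor: VMware"), "501", "/bin/sh"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the labels of the events the rule would alert on."""
    return [ev.label for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for label in run_detection():
        print("ALERT:", label)
```

Two properties of the query stand out when it is read this way. The wildcard patterns are anchored at the start of each argument, so `vmware` appearing in the middle of a single argument (for example inside one combined regex) does not satisfy `process.args : "vmware*"`; if you tune the rule, consider whether a leading `*` is worth the extra noise. And the two `process.args :` clauses are evaluated independently, so the vendor name and the `Manufacturer` string may sit in different arguments of the same grep invocation, which is what the rule expects from a `grep -e ... -e ...` style command.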

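The Setup section says that pre-8.2 beats data lacks `event.ingested`, which this rule uses as its `timestamp_override`, and that a custom ingest pipeline must copy `@timestamp` into it. As an added example (not from the Elastic rule or its documentation), the block below holds the pipeline body that does this with a single `set` processor, together with a small local stand-in for that processor so the effect can be checked offline. The pipeline name and the two sample documents are assumptions; the real processor runs inside Elasticsearch, not in this code.

```python
import copy

PIPELINE_NAME = "beats-populate-event-ingested"   # assumed name for the example

# Pipeline body as you would send it with PUT _ingest/pipeline/<PIPELINE_NAME>.
# override=False keeps a value the shipper already set (Elastic Agent data), so the
# same pipeline is safe to attach to mixed indices.
PIPELINE_BODY = {
    "description": "Copy @timestamp into event.ingested when the shipper did not set it",
    "processors": [
        {"set": {"field": "event.ingested", "copy_from": "@timestamp", "override": False}}
    ],
}


def _get(doc, path):
    """Read a dotted field path from a nested dict; None when absent."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _set(doc, path, value):
    """Write a dotted field path into a nested dict, creating objects as needed."""
    keys = path.split(".")
    node = doc
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def apply_set_processor(doc, params):
    """Local approximation of the Elasticsearch 'set' processor (copy_from, override)."""
    out = copy.deepcopy(doc)
    if not params.get("override", True) and _get(out, params["field"]) is not None:
        return out                                   # existing value wins
    value = _get(out, params["copy_from"]) if "copy_from" in params else params["value"]
    if value is None:
        raise ValueError(f"source field {params.get('copy_from')} is missing")
    _set(out, params["field"], value)
    return out


def run_pipeline(doc, pipeline=PIPELINE_BODY):
    """Run every processor in the pipeline body over one document."""
    for processor in pipeline["processors"]:
        (kind, params), = processor.items()
        if kind != "set":
            raise NotImplementedError(kind)          # only 'set' is modelled here
        doc = apply_set_processor(doc, params)
    return doc


# Constructed sample documents: one from an old beats shipper, one from Elastic Agent.
BEATS_DOC = {"@timestamp": "2023-10-19T10:00:00.000Z", "event": {"type": "start"}}
AGENT_DOC = {"@timestamp": "2023-10-19T10:00:00.000Z",
             "event": {"type": "start", "ingested": "2023-10-19T10:00:02.000Z"}}


def ingested_after_pipeline(doc):
    """Convenience wrapper: the event.ingested value the rule would see."""
    return _get(run_pipeline(doc), "event.ingested")


if __name__ == "__main__":
    print("beats :", ingested_after_pipeline(BEATS_DOC))
    print("agent :", ingested_after_pipeline(AGENT_DOC))
```

Once registered, attach the pipeline to the beats index (for example through `index.default_pipeline` in the index template) so every document passes through it before the rule's `timestamp_override` is evaluated; the Fleet tutorial linked in the Setup section covers the equivalent wiring for Agent data streams.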