Virtual Machine Fingerprinting via Grep

  1[metadata]
  2creation_date = "2021/09/29"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
 11common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
 12RAT and other malware.
 13"""
 14false_positives = [
 15    """
 16    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
 17    process arguments to eliminate potential noise.
 18    """,
 19]
 20from = "now-9m"
 21index = ["auditbeat-*", "logs-endpoint.events.*"]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Virtual Machine Fingerprinting via Grep"
 25references = ["https://objective-see.com/blog/blog_0x4F.html"]
 26risk_score = 47
 27rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
 28setup = """## Setup
 29
 30If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 31events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 32Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 33`event.ingested` to @timestamp.
 34For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 35"""
 36severity = "medium"
 37tags = [
 38    "Domain: Endpoint",
 39    "OS: macOS",
 40    "OS: Linux",
 41    "Use Case: Threat Detection",
 42    "Tactic: Discovery",
 43    "Data Source: Elastic Defend",
 44    "Resources: Investigation Guide",
 45]
 46timestamp_override = "event.ingested"
 47type = "eql"
 48
 49query = '''
 50process where event.type == "start" and
 51 process.name in ("grep", "egrep") and user.id != "0" and
 52 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
 53 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
 54'''
 55note = """## Triage and analysis
 56
 57> **Disclaimer**:
 58> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 59
 60### Investigating Virtual Machine Fingerprinting via Grep
 61
 62Virtual machine fingerprinting involves identifying virtualized environments by querying system details. Adversaries exploit tools like `grep` to extract information about virtual machine hardware, aiding in evasion or targeting. The detection rule identifies non-root users executing `grep` with arguments linked to virtual machine identifiers, flagging potential reconnaissance activities while excluding benign processes.
 63
 64### Possible investigation steps
 65
 66- Review the process execution details to confirm the non-root user who initiated the `grep` or `egrep` command and assess their typical behavior and access rights.
 67- Examine the command-line arguments used with `grep` to identify specific virtual machine identifiers such as "parallels", "vmware", or "virtualbox" and determine if these align with known reconnaissance patterns.
 68- Investigate the parent process of the `grep` command to understand the context in which it was executed, ensuring it is not a benign process like Docker or kcare.
 69- Check for any additional suspicious activities or commands executed by the same user around the same time to identify potential lateral movement or further reconnaissance.
 70- Correlate this event with other security alerts or logs to determine if it is part of a broader attack pattern or campaign, particularly looking for connections to known malware like Pupy RAT.
 71
 72### False positive analysis
 73
 74- Non-root users running legitimate scripts or applications that query virtual machine identifiers for system management or inventory purposes may trigger the rule. To handle this, identify and whitelist these specific scripts or applications by excluding their parent executable paths.
 75- Developers or IT personnel using grep to troubleshoot or gather system information on virtual machines might be flagged. Create exceptions for known user accounts or specific directories where these activities are expected.
 76- Automated monitoring tools that check virtual machine environments for compliance or performance metrics could cause false positives. Exclude these tools by adding their process names or parent executables to the exception list.
 77- Some virtualization management software might use grep internally to gather system information. Identify these applications and exclude their processes to prevent unnecessary alerts.
 78
 79### Response and remediation
 80
 81- Immediately isolate the affected system from the network to prevent further reconnaissance or data exfiltration by the adversary.
 82- Terminate any suspicious processes identified by the alert, specifically those involving `grep` or `egrep` with arguments related to virtual machine identifiers.
 83- Conduct a thorough review of the affected system's user accounts and permissions, focusing on non-root users, to identify any unauthorized access or privilege escalation.
 84- Analyze system logs and network traffic for any signs of lateral movement or additional compromise, paying close attention to connections initiated by the affected system.
 85- Restore the system from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup is free from compromise.
 86- Implement stricter access controls and monitoring for systems running virtual machines, including enhanced logging and alerting for similar reconnaissance activities.
 87- Escalate the incident to the security operations team for further investigation and to determine if the activity is part of a larger attack campaign."""
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1082"
 94name = "System Information Discovery"
 95reference = "https://attack.mitre.org/techniques/T1082/"
 96
 97
 98[rule.threat.tactic]
 99id = "TA0007"
100name = "Discovery"
101reference = "https://attack.mitre.org/tactics/TA0007/"