Virtual Machine Fingerprinting

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Elastic rule

[metadata]
creation_date = "2020/04/27"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies
common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy
RAT and other malware.
"""
false_positives = [
    """
    Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or
    process arguments to eliminate potential noise.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Virtual Machine Fingerprinting"
risk_score = 73
rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and
  process.args:("/sys/class/dmi/id/bios_version" or
                "/sys/class/dmi/id/product_name" or
                "/sys/class/dmi/id/chassis_vendor" or
                "/proc/scsi/scsi" or
                "/proc/ide/hd0/model") and
  not user.name:root
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
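The rule's KQL query expressed as standalone detection logic, written as an added example for this page rather than Elastic's own code: it applies the same five conditions to ECS-style process events and runs them over constructed sample lines (the field layout follows ECS as used in the query; the events and user names are made up).

```python
import json

# Paths the rule above watches; copied from its KQL query.
VM_FINGERPRINT_PATHS = {
    "/sys/class/dmi/id/bios_version",
    "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/chassis_vendor",
    "/proc/scsi/scsi",
    "/proc/ide/hd0/model",
}

def _terms(value):
    # ECS fields such as event.category may be a string or a list of strings.
    return {value} if isinstance(value, str) else set(value or [])

def matches_vm_fingerprinting(event):
    """Apply the rule's conditions to one ECS process event given as a dict."""
    ev = event.get("event", {})
    if "process" not in _terms(ev.get("category")):
        return False
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if not _terms(ev.get("type")) & {"start", "process_started"}:
        return False
    # KQL keyword matching is an exact term match on each argv element, so the
    # literal path must appear as its own argument (a shell-expanded glob would not).
    if not any(a in VM_FINGERPRINT_PATHS for a in event.get("process", {}).get("args", [])):
        return False
    # "not user.name:root" is also true when the field is absent.
    return event.get("user", {}).get("name") != "root"

def detect(jsonl):
    """Return (line number, user, argv) for each JSON-lines event the rule fires on."""
    hits = []
    for lineno, line in enumerate(jsonl.splitlines(), start=1):
        event = json.loads(line)
        if matches_vm_fingerprinting(event):
            hits.append((lineno, event["user"]["name"], " ".join(event["process"]["args"])))
    return hits

# Constructed sample events (not real telemetry); only the first should fire:
# the second runs as root and the third is a process-end event, not a start.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event": {"category": ["process"], "type": ["start"]}, "host": {"os": {"type": "linux"}},
     "process": {"args": ["cat", "/sys/class/dmi/id/product_name"]}, "user": {"name": "www-data"}},
    {"event": {"category": ["process"], "type": ["start"]}, "host": {"os": {"type": "linux"}},
     "process": {"args": ["cat", "/sys/class/dmi/id/product_name"]}, "user": {"name": "root"}},
    {"event": {"category": ["process"], "type": ["end"]}, "host": {"os": {"type": "linux"}},
     "process": {"args": ["cat", "/proc/scsi/scsi"]}, "user": {"name": "www-data"}},
])
```

Running `detect(SAMPLE_EVENTS)` returns a single hit for line 1; exemptions for known inventory tooling, as the rule's false-positive note suggests, would be an extra check on `user.name` or `process.args` in front of `matches_vm_fingerprinting`.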
