IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Virtual Machine Fingerprinting Virtual Private Network Connection Attempt »

› › ›

Virtual Machine Fingerprinting via Grep

edit

Virtual Machine Fingerprinting via Grep

edit

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Rule type: eql

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://objective-see.com/blog/blog_0x4F.html

Tags:

Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend

Version: 104

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where event.type == "start" and
 process.name in ("grep", "egrep") and user.id != "0" and
 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
 not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: System Information Discovery
- ID: T1082
- Reference URL: https://attack.mitre.org/techniques/T1082/

« Virtual Machine Fingerprinting Virtual Private Network Connection Attempt »