IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Virtual Machine Fingerprinting via Grep
editVirtual Machine Fingerprinting via Grep
editAn adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- OS: Linux
- Use Case: Threat Detection
- Tactic: Discovery
- Data Source: Elastic Defend
Version: 104
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.type == "start" and process.name in ("grep", "egrep") and user.id != "0" and process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: System Information Discovery
- ID: T1082
- Reference URL: https://attack.mitre.org/techniques/T1082/