Techniques
Sample rules
Virtual Machine Fingerprinting via Grep
- source: elastic
- techniques:
- T1082
Description
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies grep or egrep, run by a non-root user, searching hardware information for a "Manufacturer" string together with a hypervisor vendor name (Parallels, VMware or VirtualBox), a common way to check whether the host is a virtual machine. This technique has been used by the Pupy RAT and other malware.
Detection logic
process where event.type == "start" and
process.name in ("grep", "egrep") and user.id != "0" and
process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
Virtual Machine Fingerprinting
- source: elastic
- techniques:
- T1082
Description
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies a non-root user on Linux reading common locations (the DMI, SCSI and IDE pseudo-files under /sys and /proc) used to discover virtual machine hardware, excluding known inventory and monitoring agents. This technique has been used by the Pupy RAT and other malware.
Detection logic
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "process_started") and
process.args in (
"/sys/class/dmi/id/bios_version", "/sys/class/dmi/id/product_name", "/sys/class/dmi/id/chassis_vendor",
"/proc/scsi/scsi", "/proc/ide/hd0/model"
) and not (
user.name == "root" or
?process.parent.name in ("LinkManager.exe", "saposcol", "svc_snow_discovery") or
?process.working_directory == "/home/qualys" or
?process.parent.executable in (
"/usr/sara/sbin/sys2prometheus", "/usr/sara/sbin/sys2ganglia", "/usr/libexec/valgrind/memcheck-amd64-linux",
"/var/lib/cfengine3/modules/init_node", "/opt/emby-server/system/EmbyServer"
)
)