Virtual Machine Fingerprinting via Grepedit

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Rule type: eql

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Discovery

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

process where event.type == "start" and in ("grep", "egrep") and != "0" and
 process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and
 not process.parent.executable in ("/Applications/", "/usr/libexec/kcare/virt-what")