Virtual Machine Fingerprinting via Grepedit

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.

Rule type: eql

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Discovery

Version: 1

Added (Elastic Stack release): 7.16.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise.

Rule queryedit

process where event.type == "start" and in ("grep",
"egrep") and != "0" and process.args : ("parallels*",
"vmware*", "virtualbox*") and process.args : "Manufacturer*" and not
process.parent.executable in

Threat mappingedit