The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« VNC (Virtual Network Computing) to the Internet Volume Shadow Copy Deletion via VssAdmin »

› › ›

Virtual Machine Fingerprinting

edit

Virtual Machine Fingerprinting

edit

An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware.

Rule type: query

Rule indices:

auditbeat-*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

Elastic
Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Potential false positives

edit

Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise.

Rule query

edit

event.action:executed and
process.args:("/sys/class/dmi/id/bios_version" or
"/sys/class/dmi/id/product_name" or "/sys/class/dmi/id/chassis_vendor"
or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: System Information Discovery
- ID: T1082
- Reference URL: https://attack.mitre.org/techniques/T1082/

« VNC (Virtual Network Computing) to the Internet Volume Shadow Copy Deletion via VssAdmin »