The SIEM app is now a part of the Elastic Security solution.
Click
here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Virtual Machine Fingerprintingedit
An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by Pupy RAT and other malware.
Rule type: query
Rule indices:
- auditbeat-*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Linux
Version: 1
Added (Elastic Stack release): 7.8.0
Potential false positivesedit
Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise.
Rule queryedit
event.action:executed and process.args:("/sys/class/dmi/id/bios_version" or "/sys/class/dmi/id/product_name" or "/sys/class/dmi/id/chassis_vendor" or "/proc/scsi/scsi" or "/proc/ide/hd0/model") and not user.name:root
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: System Information Discovery
- ID: T1082
- Reference URL: https://attack.mitre.org/techniques/T1082/