
Potential Virtual Machine Fingerprinting via Grep

Detects the use of grep to identify virtual machine environments by searching for VMware, Parallels, and VirtualBox indicators. Malware commonly performs this check to detect sandbox or analysis environments before executing malicious payloads.

Rule type: eql
Rule indices:

  • logs-endpoint.events.process-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

process where host.os.type == "macos" and event.type == "start" and
  process.name in ("grep", "egrep") and
  process.command_line like "*parallels*" and
  process.command_line like "*virtualbox*" and
  process.command_line like "*vmware*" and
  not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what")
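As an added example, not part of the rule or of Elastic's own code, the Python below evaluates the rule's predicate over constructed sample process-start events: it shows that all three `like` clauses must match the same command line, that the parent-executable exclusion suppresses the Docker case, and that EQL `like` (unlike `like~`) is case-sensitive, so a mixed-case command line does not fire. The event ids, command lines and the non-Docker parent paths are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample process-start events (not page data); only the fields the
# rule reads are present. Parent paths other than the Docker one are hypothetical.
SAMPLE_EVENTS = [
    {"id": "A", "host.os.type": "macos", "event.type": "start", "process.name": "grep",
     "process.command_line": 'grep -i "parallels|virtualbox|vmware" /tmp/hw.txt',
     "process.parent.executable": "/bin/zsh"},
    {"id": "B", "host.os.type": "macos", "event.type": "start", "process.name": "egrep",
     "process.command_line": 'egrep "parallels|virtualbox|vmware" /tmp/hw.txt',
     "process.parent.executable": "/Applications/Docker.app/Contents/MacOS/Docker"},
    {"id": "C", "host.os.type": "macos", "event.type": "start", "process.name": "grep",
     "process.command_line": 'grep -E "VMware|VirtualBox|Parallels" /tmp/hw.txt',
     "process.parent.executable": "/bin/bash"},
    {"id": "D", "host.os.type": "macos", "event.type": "start", "process.name": "grep",
     "process.command_line": "grep vmware /tmp/hw.txt",
     "process.parent.executable": "/bin/zsh"},
    {"id": "E", "host.os.type": "linux", "event.type": "start", "process.name": "grep",
     "process.command_line": 'grep -i "parallels|virtualbox|vmware" /tmp/hw.txt',
     "process.parent.executable": "/bin/zsh"},
]

# The rule's three wildcard clauses are ANDed: one command line must contain all three.
VM_PATTERNS = ("*parallels*", "*virtualbox*", "*vmware*")
EXCLUDED_PARENTS = {
    "/Applications/Docker.app/Contents/MacOS/Docker",
    "/usr/libexec/kcare/virt-what",
}


def matches_rule(ev: dict) -> bool:
    """Evaluate the EQL rule's predicate against one event.
    EQL `like` is case-sensitive (`like~` is not), so fnmatchcase keeps the same
    semantics; `*` is the only wildcard used in these patterns.
    """
    if ev.get("host.os.type") != "macos" or ev.get("event.type") != "start":
        return False
    if ev.get("process.name") not in ("grep", "egrep"):
        return False
    cmd = ev.get("process.command_line", "")
    if not all(fnmatchcase(cmd, pat) for pat in VM_PATTERNS):
        return False
    return ev.get("process.parent.executable") not in EXCLUDED_PARENTS


def alerts(events: list) -> list:
    """Return the ids of the events the rule would alert on."""
    return [ev["id"] for ev in events if matches_rule(ev)]
```

Running `alerts(SAMPLE_EVENTS)` returns `['A']`: B is suppressed by the parent exclusion, C fails on case, D names only one vendor, and E is not a macOS host.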

Framework: MITRE ATT&CK