From 2ddd610a6143a9f2a92cb3739caa63281f3ebd3a Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Tue, 30 Apr 2019 13:22:04 -0500
Subject: [PATCH] Add T1082 vm check from Pupy (#481)
* initial commit
* modified output style
* final url changes
* Update rocke-and-roll-stage-01.sh
* Add Linux guest vm checks
* case insensitivity
---
atomics/T1082/T1082.yaml | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml
index 7bac7828..f5d6a8ee 100644
--- a/atomics/T1082/T1082.yaml
+++ b/atomics/T1082/T1082.yaml
@@ -46,3 +46,39 @@ atomic_tests:
 cat /etc/lsb-release >> /tmp/loot.txt
 cat /etc/redhat-release >> /tmp/loot.txt
 uptime >> /tmp/loot.txt
+ cat /etc/issue >> /tmp/loot.txt
+
+- name: Linux VM Check via Hardware
+ description: |
+ Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
+
+ supported_platforms:
+ - linux
+
+ executor:
+ name: bash
+ command: |
+ cat /sys/class/dmi/id/bios_version | grep -i amazon
+ cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
+ cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
+ sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
+ cat /proc/scsi/scsi | grep -i "vmware\|vbox"
+ cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
+ sudo lspci | grep -i "vmware\|virtualbox"
+ sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
+
+- name: Linux VM Check via Kernel Modules
+ description: |
+ Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
+
+ supported_platforms:
+ - linux
+
+ executor:
+ name: bash
+ command: |
+ sudo lsmod | grep -i "vboxsf\|vboxguest"
+ sudo lsmod | grep -i "vmw_baloon\|vmxnet"
+ sudo lsmod | grep -i "xen-vbd\|xen-vnif"
+ sudo lsmod | grep -i "virtio_pci\|virtio_net"
+ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
\ No newline at end of file
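Review bot: Two of the new grep patterns are misspelled, so the test never exercises the matches it claims to: the dmidecode line in "Linux VM Check via Hardware" greps for `quemu` instead of `qemu`, and the second lsmod line in "Linux VM Check via Kernel Modules" greps for `vmw_baloon` where the VMware balloon module is named `vmw_balloon`. Since these atomics exist to generate telemetry that detection content is validated against, a pattern that cannot match silently under-tests the QEMU and VMware cases; the fix is `sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"` and `sudo lsmod | grep -i "vmw_balloon\|vmxnet"`. Separately, `lsmod` and `lscpu` read world-readable /proc and /sys data and do not need `sudo`, so dropping it there keeps the privileged-command footprint of the test limited to dmidecode and lspci, which is worth stating in the description. The trailing `\ No newline at end of file` suggests the file should end with a newline. The enclosing `atomic_tests:` list begins above the hunk.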