Virtual Machine Discovery

let VMDiscoveryPatterns = dynamic(["vm process list", "vmsvc/getallvms", "vmsvc/power.getstate", "vmsvc/getallvms", "esxcli vm", "esxcli storage", "esxcli network vm"]);
let HyperVCmdlets = dynamic(["Get-VM", "Get-VHD", "Get-VMHost", "Get-VMSwitch", "Get-VMNetworkAdapter", "Get-VMSnapshot", "Get-VMReplication"]);
let VBoxCommands = dynamic(["list vms", "list runningvms", "list hdds"]);
DeviceProcessEvents
| where Timestamp > ago(1d)
| where (
    // VMware ESXi enumeration via esxcli or vim-cmd
    (ProcessCommandLine has_any ("esxcli", "vim-cmd") and ProcessCommandLine has_any (VMDiscoveryPatterns))
    // Hyper-V enumeration via PowerShell
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (HyperVCmdlets))
    // VirtualBox management enumeration
    or (FileName =~ "VBoxManage.exe" and ProcessCommandLine has_any (VBoxCommands))
    // VMware Workstation/Fusion vmrun list
    or (FileName =~ "vmrun.exe" and ProcessCommandLine has "list")
    // virsh enumeration on Windows Subsystem or cross-platform tools
    or (FileName =~ "virsh.exe" and ProcessCommandLine has_any ("list", "dominfo", "nodeinfo"))
    // prlctl (Parallels) enumeration
    or (FileName =~ "prlctl" and ProcessCommandLine has "list")
)
| extend CommandType = case(
    ProcessCommandLine has_any ("esxcli", "vim-cmd"), "ESXi-CLI",
    FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (HyperVCmdlets), "HyperV-PowerShell",
    FileName =~ "VBoxManage.exe", "VirtualBox-CLI",
    FileName =~ "vmrun.exe", "VMware-Workstation",
    FileName =~ "virsh.exe", "KVM-virsh",
    "Other"
)
| project
    Timestamp,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    CommandType,
    FolderPath,
    ProcessId
| order by Timestamp desc

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| eval Image=coalesce(Image, New_Process_Name)
| where (
    (match(CommandLine, "(?i)(esxcli|vim-cmd)") AND match(CommandLine, "(?i)(vm\s+process\s+list|vmsvc/getallvms|vmsvc/power\.getstate|vmsvc/get)"))
    OR (match(Image, "(?i)(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(?i)(Get-VM\b|Get-VMHost\b|Get-VHD\b|Get-VMSwitch\b|Get-VMNetworkAdapter\b|Get-VMSnapshot\b)"))
    OR (match(Image, "(?i)VBoxManage\.exe") AND match(CommandLine, "(?i)(list\s+(vms|runningvms|hdds|snapshots))"))
    OR (match(Image, "(?i)vmrun\.exe") AND match(CommandLine, "(?i)list"))
    OR (match(Image, "(?i)virsh") AND match(CommandLine, "(?i)(\blist\b|dominfo|nodeinfo|domstate)"))
)
| eval CommandType=case(
    match(CommandLine, "(?i)(esxcli|vim-cmd)"), "ESXi-CLI",
    match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)Get-VM"), "HyperV-PowerShell",
    match(Image, "(?i)VBoxManage"), "VirtualBox-CLI",
    match(Image, "(?i)vmrun"), "VMware-Workstation",
    match(Image, "(?i)virsh"), "KVM-virsh",
    true(), "Other"
)
| eval RiskScore=case(
    CommandType="ESXi-CLI", 90,
    CommandType="HyperV-PowerShell", 70,
    CommandType="VirtualBox-CLI", 60,
    CommandType="KVM-virsh", 65,
    true(), 50
)
| stats count as ExecutionCount, values(CommandLine) as CommandLines, values(CommandType) as CommandTypes, max(RiskScore) as MaxRiskScore by host, User, Image
| where ExecutionCount >= 1
| sort - MaxRiskScore
| table _time, host, User, Image, CommandLines, CommandTypes, MaxRiskScore, ExecutionCount

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1673*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

rule detection_t1673 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Virtual Machine Discovery - T1673"
    severity = "HIGH"
    mitre_attack = "T1673"
    reference = "https://attack.mitre.org/techniques/T1673/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)