Adversaries may use grep to discover the operating system architecture to tailor subsequent exploitation efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance activities that could lead to more advanced persistent threats.
Detection Rule
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
    Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo".
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection_process:
        Image|endswith: '/grep'
    selection_architecture:
        CommandLine|endswith:
            - 'aarch64'
            - 'arm'
            - 'i386'
            - 'i686'
            - 'mips'
            - 'x86_64'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
imProcessCreate
| where TargetProcessName endswith "/grep"
    and (TargetProcessCommandLine endswith "aarch64"
        or TargetProcessCommandLine endswith "arm"
        or TargetProcessCommandLine endswith "i386"
        or TargetProcessCommandLine endswith "i686"
        or TargetProcessCommandLine endswith "mips"
        or TargetProcessCommandLine endswith "x86_64")
Scenario: System Information Gathering via uname -a
Description: A system administrator runs uname -a to gather system information, which may be piped into grep to extract the architecture.
Filter/Exclusion: Exclude processes where the command line includes uname -a or uname with a regex pattern that matches typical architecture identifiers (e.g., x86_64, aarch64).
Example Filter: process.command_line contains "uname -a" or (process.command_line contains "uname" and process.command_line contains "x86_64")
Scenario: Scheduled Job for OS Inventory
Description: A scheduled job runs a script that uses grep to parse OS architecture information from system files like /proc/cpuinfo or /etc/os-release.
Filter/Exclusion: Exclude processes associated with known inventory tools (e.g., systemd, os-prober, initscripts) or scripts with specific paths like /etc/cron.daily/os_inventory.sh.
Example Filter: process.name contains "systemd" or process.path contains "/etc/cron.daily/os_inventory.sh"
Scenario: Admin Task to Verify System Compatibility
Description: An admin runs a command like grep 'x86_64' /proc/cpuinfo to verify if the system is running on a 64-bit architecture.
Filter/Exclusion: Exclude commands that match known admin tasks, such as grep 'x86_64' /proc/cpuinfo or grep 'aarch64' /proc/cpuinfo.
Example Filter: process.command_line contains "grep 'x86_64' /proc/cpuinfo"
Scenario: Log Analysis Using grep for Architecture Info
Description:
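The following is an added example, not part of the Sigma rule, the Sentinel query or the scenarios above: a small Python re-implementation of the rule's matching logic, with the exclusions from the scenarios layered on top, run over constructed process-creation events. The ParentCommandLine field, the /tmp script path and the sample events are assumptions made for illustration; the exclusion values themselves are the ones the scenarios list.

```python
import re

ARCH_SUFFIXES = ("aarch64", "arm", "i386", "i686", "mips", "x86_64")

# Exclusions lifted from the false-positive scenarios above; the command strings
# and the cron path are the page's illustrative values, tune them locally.
KNOWN_ADMIN_CMDS = {"grep 'x86_64' /proc/cpuinfo", "grep 'aarch64' /proc/cpuinfo"}
KNOWN_SCRIPT_PATHS = ("/etc/cron.daily/os_inventory.sh",)

def matches_rule(event):
    """Sigma logic: Image endswith '/grep' AND CommandLine endswith an arch string."""
    cmd = event.get("CommandLine", "").rstrip()
    return event.get("Image", "").endswith("/grep") and cmd.endswith(ARCH_SUFFIXES)

def is_excluded(event):
    """Allow-list from the scenarios. ParentCommandLine is an assumed field: in
    'uname -m | grep x86_64' the uname call is in the parent shell's command line."""
    cmd = event.get("CommandLine", "").strip()
    parent = event.get("ParentCommandLine", "")
    if cmd in KNOWN_ADMIN_CMDS or re.search(r"\buname\b", parent):
        return True
    return any(path in parent for path in KNOWN_SCRIPT_PATHS)

def triage(events):
    """Command lines that match the rule and survive the exclusions."""
    return [e["CommandLine"] for e in events if matches_rule(e) and not is_excluded(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Unknown script checking the CPU type before choosing a payload: alerts.
    {"Image": "/usr/bin/grep", "CommandLine": "grep x86_64",
     "ParentCommandLine": "sh /tmp/.x/setup.sh"},
    # Scenario 1: admin pipeline, excluded via the parent's uname call.
    {"Image": "/bin/grep", "CommandLine": "grep x86_64",
     "ParentCommandLine": "bash -c \"uname -a | grep x86_64\""},
    # Scenario 3: the rule never fires here, the command line ends in the file path.
    {"Image": "/bin/grep", "CommandLine": "grep 'x86_64' /proc/cpuinfo",
     "ParentCommandLine": "bash"},
    # Scenario 2: inventory cron job, excluded by the script path.
    {"Image": "/bin/grep", "CommandLine": "grep -o aarch64",
     "ParentCommandLine": "/bin/sh /etc/cron.daily/os_inventory.sh"},
    # Caveat: 'endswith arm' also matches 'alarm', 'farm', 'warm'; this alerts too.
    {"Image": "/usr/bin/grep", "CommandLine": "grep -i alarm",
     "ParentCommandLine": "bash"},
    # Ordinary grep with no architecture token at the end: no match.
    {"Image": "/usr/bin/grep", "CommandLine": "grep root /etc/passwd",
     "ParentCommandLine": "bash"},
]
```

Running `triage(SAMPLE_EVENTS)` leaves two hits, the dropper-style check and the `alarm` search, which shows why the short `arm` suffix deserves extra tuning in a noisy environment.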