Linux System Information Discovery via Getconf

This rule identifies Linux system information discovery via the getconf command. The getconf command is used to query system configuration variables and system limits. Adversaries may use this command to gather information about the system, such as the page size, maximum number of open files, and other system limits, to aid in further exploration and exploitation of the system.

Rule type: eql
Rule indices:

• logs-endpoint.events.process*
• endgame-*
• auditbeat-*
• logs-auditd_manager.auditd-*

Rule Severity: low
Risk Score: 21
Runs every: 60m
Searches indices from: now-119m
Maximum alerts per execution: ?
References:

• https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/

Tags:

• Domain: Endpoint
• OS: Linux
• Use Case: Threat Detection
• Tactic: Discovery
• Rule Type: BBR
• Data Source: Elastic Defend
• Data Source: Elastic Endgame
• Data Source: Auditd Manager

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
process.name == "getconf"

Framework: MITRE ATT&CK

• Tactic:

  • Name: Discovery
  • Id: TA0007
  • Reference URL: https://attack.mitre.org/tactics/TA0007/

• Technique:

  • Name: System Information Discovery
  • Id: T1082
  • Reference URL: https://attack.mitre.org/techniques/T1082/