IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Linux System Information Discovery Linux User Account Creation »

› › ›

Linux System Information Discovery via Getconf

edit

Linux System Information Discovery via Getconf

edit

This rule identifies Linux system information discovery via the getconf command. The getconf command is used to query system configuration variables and system limits. Adversaries may use this command to gather information about the system, such as the page size, maximum number of open files, and other system limits, to aid in further exploration and exploitation of the system.

Rule type: eql

Rule indices:

logs-endpoint.events.process*
endgame-*
auditbeat-*
logs-auditd_manager.auditd-*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Rule Type: BBR
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Auditd Manager

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
process.name == "getconf"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: System Information Discovery
- ID: T1082
- Reference URL: https://attack.mitre.org/techniques/T1082/

« Linux System Information Discovery Linux User Account Creation »