
Summary
This detection rule monitors for excessive executions of the 'id' command on Linux systems, specifically 20 executions within a 1-second window by the same parent process. Such behavior is anomalous and may indicate the execution of enumeration scripts such as LinPEAS or LinEnum, which call 'id' repeatedly to enumerate user privileges across the system. By flagging this pattern, the rule aims to identify attempts at privilege escalation or lateral movement by adversaries using scripted methods to gather sensitive user and group information. The rule runs on the Elastic Defend platform and requires the Elastic Agent to be set up to collect host process events. Its detection logic is a sequence query that identifies rapid executions of the 'id' command while filtering out known legitimate parent processes and patterns to reduce false positives. This proactive detection helps organizations mitigate the risk of unauthorized privilege enumeration and subsequent exploitation.
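The burst condition described above (20 'id' executions within one second from the same parent, with an allowlist of excluded parents) can be reproduced over process events in a few lines. The following is an added example written for this page, not Elastic's rule query; the event tuple layout, the `EXCLUDED_PARENTS` allowlist and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Each event: (timestamp, parent_pid, parent_name, process_name)  -- assumed layout
THRESHOLD = 20                  # 'id' executions needed to fire
WINDOW = timedelta(seconds=1)   # sliding window per parent process
# Hypothetical allowlist; the real rule's exclusions are not listed on this page.
EXCLUDED_PARENTS = frozenset({"cron", "systemd"})

def detect_id_bursts(events, threshold=THRESHOLD, window=WINDOW, excluded=EXCLUDED_PARENTS):
    """Return one alert per burst of `threshold` 'id' executions within `window`
    spawned by the same parent process, ignoring allowlisted parents."""
    recent = defaultdict(deque)   # parent_pid -> timestamps of recent 'id' executions
    alerts = []
    for ts, ppid, pname, proc in sorted(events, key=lambda e: e[0]):
        if proc != "id" or pname in excluded:
            continue
        q = recent[ppid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop executions older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"parent_pid": ppid, "parent_name": pname,
                           "start": q[0], "end": ts, "count": len(q)})
            q.clear()                      # one alert per burst, not one per extra event
    return alerts

def sample_events():
    """Constructed sample telemetry for demonstration only (not real host data)."""
    t0 = datetime(2023, 8, 29, 12, 0, 0)
    events = []
    # Enumeration-script-like burst: bash (pid 4242) runs 'id' 25 times in ~0.5 s
    for i in range(25):
        events.append((t0 + timedelta(milliseconds=20 * i), 4242, "bash", "id"))
    # Benign: an interactive shell (pid 100) runs 'id' five times over ten seconds
    for i in range(5):
        events.append((t0 + timedelta(seconds=2 * i), 100, "bash", "id"))
    # Allowlisted parent: rapid 'id' calls under cron are filtered out
    for i in range(30):
        events.append((t0 + timedelta(milliseconds=10 * i), 777, "cron", "id"))
    return events

if __name__ == "__main__":
    for a in detect_id_bursts(sample_events()):
        print(f"ALERT parent {a['parent_name']}[{a['parent_pid']}]: "
              f"{a['count']} 'id' executions between {a['start']} and {a['end']}")
```

Only the bash burst from pid 4242 fires; the slow interactive usage and the allowlisted cron parent are ignored.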
Categories
- Linux
- Endpoint
- Cloud
- Infrastructure
Data Sources
- Process
- Application Log
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1033
Created: 2023-08-29