Unusual User Privilege Enumeration via id

This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Data Source: Elastic Defend

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id, process.parent.entity_id with maxspan=1s
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name == "id" and process.args_count == 2 and
   not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
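To make the sequence semantics concrete, the following is an added example (not Elastic's rule code or its EQL engine) that re-implements the query offline in Python: the same per-event filter, the same grouping by host.id and process.parent.entity_id, and a sliding 1-second window that raises an alert once 20 matching "id" executions from one parent fall inside it. The sample events are constructed; field names follow the ECS fields used in the query, and the helper names are assumptions of this example.

```python
"""
Offline re-implementation of the rule's detection logic (added example,
not Elastic's code). Events are flat dicts keyed by ECS field name, with
"@timestamp" as seconds since epoch, and must be supplied in time order.
"""
from collections import defaultdict, deque
from fnmatch import fnmatch

RUNS = 20       # "with runs=20"
MAXSPAN = 1.0   # "maxspan=1s", expressed in seconds


def matches_filter(ev: dict) -> bool:
    """The 'process where ...' clause of the rule, field by field."""
    if ev.get("host.os.type") != "linux":
        return False
    if ev.get("event.action") != "exec" or ev.get("event.type") != "start":
        return False
    if ev.get("process.name") != "id" or ev.get("process.args_count") != 2:
        return False
    # Exclusion: rpm scriptlets legitimately call "id" in bursts.
    if ev.get("process.parent.name") == "rpm":
        return False
    # EQL ':' is a case-insensitive wildcard match, so lower-case both sides.
    for arg in ev.get("process.parent.args", []):
        if fnmatch(arg.lower(), "/var/tmp/rpm-tmp*"):
            return False
    return True


def detect(events: list) -> list:
    """
    Sliding-window equivalent of 'sequence by host.id,
    process.parent.entity_id with maxspan=1s [...] with runs=20'.
    Returns one alert per completed run; the window is cleared after an
    alert so the same 20 events are not reported twice.
    """
    windows = defaultdict(deque)   # (host.id, parent entity_id) -> timestamps
    alerts = []
    for ev in events:
        if not matches_filter(ev):
            continue
        key = (ev["host.id"], ev["process.parent.entity_id"])
        win = windows[key]
        win.append(ev["@timestamp"])
        # Evict timestamps that no longer fit inside the 1-second span.
        while win and win[-1] - win[0] > MAXSPAN:
            win.popleft()
        if len(win) >= RUNS:
            alerts.append({
                "host.id": key[0],
                "process.parent.entity_id": key[1],
                "first_seen": win[0],
                "last_seen": win[-1],
                "count": len(win),
            })
            win.clear()
    return alerts


def make_event(ts, parent_name, parent_id, parent_args=None, host="host-1"):
    """Constructed sample event (assumed helper, not from the rule)."""
    return {
        "@timestamp": ts,
        "host.id": host,
        "host.os.type": "linux",
        "event.action": "exec",
        "event.type": "start",
        "process.name": "id",
        "process.args_count": 2,
        "process.parent.name": parent_name,
        "process.parent.entity_id": parent_id,
        "process.parent.args": parent_args or [parent_name],
    }


# Constructed sample: a shell script running "id <user>" for 25 users within
# half a second (should alert), rpm doing the same (excluded), and an
# interactive user running "id" every 0.5 s (never 20 inside one second).
SAMPLE_EVENTS = sorted(
    [make_event(100.0 + i * 0.02, "bash", "bash-42") for i in range(25)]
    + [make_event(200.0 + i * 0.02, "rpm", "rpm-7") for i in range(25)]
    + [make_event(300.0 + i * 0.5, "bash", "bash-99") for i in range(25)],
    key=lambda e: e["@timestamp"],
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single alert for the bash-42 parent; the rpm burst is dropped by the parent-name exclusion and the slow interactive session never accumulates 20 events inside the span. Tuning the rule's exclusions maps directly onto matches_filter, which is the place to add further known-good parents observed in your own environment.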

Framework: MITRE ATT&CK™