Unusual User Privilege Enumeration via id
This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/24"

[rule]
author = ["Elastic"]
description = """
This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This
behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These
scripts leverage the "id" command to enumerate the privileges of all users present on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual User Privilege Enumeration via id"
risk_score = 21
rule_id = "afa135c0-a365-43ab-aa35-fd86df314a47"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "Use Case: Threat Detection",
  "Tactic: Discovery",
  "Data Source: Elastic Defend",
  "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name == "id" and process.args_count == 2 and
   not (
     process.parent.name in ("rpm", "snarftmp", "quota_copy", "java") or
     process.parent.args : "/var/tmp/rpm-tmp*"
   )] with runs=20
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual User Privilege Enumeration via id

The `id` command in Linux environments is used to display user identity information, including user and group IDs. Adversaries may exploit this command in enumeration scripts to gather extensive user privilege data rapidly, which can aid in lateral movement or privilege escalation. The detection rule identifies suspicious activity by flagging rapid, repeated executions of the `id` command, suggesting potential misuse by scripts like LinPEAS or LinEnum.

### Possible investigation steps

- Review the alert details to identify the specific host.id and process.parent.entity_id associated with the suspicious activity.
- Examine the parent process of the 'id' command executions to determine if it is a known or legitimate process, and check for any unusual or unexpected parent process names or arguments.
- Investigate the timeline of events on the affected host around the time of the alert to identify any other suspicious activities or related processes that may indicate a broader attack or script execution.
- Check the user account associated with the process executions to verify if it has legitimate access and if there are any signs of compromise or misuse.
- Look for any additional indicators of compromise on the host, such as unauthorized file modifications, network connections, or other unusual command executions, to assess the scope of potential malicious activity.

### False positive analysis

- System management scripts or automated tasks may execute the id command frequently for legitimate purposes. Review the parent process to determine if it is a known management tool or script.
- Software installation or update processes might trigger the rule if they use the id command to verify user permissions. Consider excluding processes with parent names like rpm or similar package managers.
- Custom scripts developed in-house for system monitoring or auditing could inadvertently match the rule's criteria. Identify these scripts and add exceptions for their parent process entity IDs.
- Security tools or compliance checks that perform regular user enumeration might cause false positives. Verify the source of these tools and exclude them if they are part of a trusted security suite.
- In environments with high user account turnover, scripts that manage user accounts might execute the id command in rapid succession. Evaluate these scripts and exclude them if they are part of routine account management.

### Response and remediation

- Immediately isolate the affected host from the network to prevent potential lateral movement by the adversary.
- Terminate any suspicious processes associated with the parent process identified in the alert to halt further enumeration activities.
- Conduct a thorough review of the parent process and its associated scripts to determine if they are legitimate or malicious.
- If malicious activity is confirmed, perform a comprehensive scan of the system for additional indicators of compromise, such as unauthorized user accounts or altered system files.
- Reset credentials for any user accounts that may have been exposed or compromised during the enumeration activity.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.
- Implement enhanced monitoring and logging for similar enumeration activities to improve detection and response capabilities for future incidents."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
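To make the rule's sequence semantics concrete, the following Python reproduces its logic outside Elasticsearch: the per-event filter (Linux `exec` of `id` with two arguments, minus the excluded parents and the `/var/tmp/rpm-tmp*` parent-args glob), grouping by `host.id` and `process.parent.entity_id`, and a 1-second sliding window that fires once 20 matching runs land inside it. This is an added illustration, not code from the Elastic rule repository; the sample events, host IDs, parent names and entity IDs are constructed, and the reset after a completed sequence approximates EQL's behaviour rather than reproducing its engine.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Thresholds and exclusions copied from the rule's EQL query.
RUNS, MAXSPAN = 20, timedelta(seconds=1)
EXCLUDED_PARENTS = {"rpm", "snarftmp", "quota_copy", "java"}
EXCLUDED_PARENT_ARG_GLOB = "/var/tmp/rpm-tmp*"

def matches_filter(ev):
    """Per-event filter equivalent to the rule's [process where ...] clause."""
    if ev["host.os.type"] != "linux" or ev["event.type"] != "start" or ev["event.action"] != "exec":
        return False
    if ev["process.name"] != "id" or ev["process.args_count"] != 2:  # args_count 2 == "id <user>"
        return False
    if ev["process.parent.name"] in EXCLUDED_PARENTS:
        return False
    return not any(fnmatch(a, EXCLUDED_PARENT_ARG_GLOB) for a in ev.get("process.parent.args", []))

def detect(events):
    """One alert per (host.id, parent entity_id) that runs `id` RUNS times within MAXSPAN."""
    windows, alerts = defaultdict(deque), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_filter(ev):
            continue
        key = (ev["host.id"], ev["process.parent.entity_id"])
        q = windows[key]
        q.append(ev["@timestamp"])
        while ev["@timestamp"] - q[0] > MAXSPAN:  # slide the 1 s window forward
            q.popleft()
        if len(q) >= RUNS:
            alerts.append({"host.id": key[0], "parent": key[1], "first": q[0], "last": q[-1]})
            q.clear()  # a completed sequence does not feed the next one
    return alerts

def make_events(host, parent_name, parent_id, n, gap_ms):
    """Constructed sample exec events: n runs of `id <user>` spaced gap_ms apart."""
    start = datetime(2025, 1, 24, 12, 0, 0)
    return [{"@timestamp": start + timedelta(milliseconds=i * gap_ms), "host.id": host,
             "host.os.type": "linux", "event.type": "start", "event.action": "exec",
             "process.name": "id", "process.args_count": 2, "process.parent.name": parent_name,
             "process.parent.entity_id": parent_id, "process.parent.args": [parent_name, "enum.sh"]}
            for i in range(n)]

def sample_alerts():
    events = (make_events("host-a", "bash", "p-enum", 25, 20)     # 25 runs in 0.5 s: script-like burst
              + make_events("host-a", "rpm", "p-rpm", 25, 20)     # same burst, but excluded parent
              + make_events("host-b", "bash", "p-slow", 25, 100)) # 25 runs over 2.4 s: never 20 in 1 s
    return detect(events)
```

Only the `bash` parent on `host-a` produces an alert; the `rpm` burst is filtered out by the exclusion list and the slower loop never fits 20 runs into one second, which is the same reason the rule's false-positive section points at package managers and slow account-management scripts.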
Related rules
- Enumeration of Kernel Modules
- Pluggable Authentication Module (PAM) Version Discovery
- Security File Access via Common Utilities
- Unusual Instance Metadata Service (IMDS) API Request
- Polkit Version Discovery