Linpeas is a popular tool used to search for possible paths to escalate privileges on Linux, Unix, and macOS hosts. It provides users with possible exploits available for the target host based on system, service, and library information, as well as version levels. Tools like Linpeas frequently use the strings and grep system utilities to extensively and recursively check important system files such as /etc/shadow and /etc/passwd and directories such as /usr/bin or /tmp.
You can use this search to identify some common hallmarks of Linpeas checks on hosts in your environment.
Sysmon for Linux
- Install the Add-on for Linux Sysmon.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="sysmon_linux" CommandLine!=null (parent_process_exec=sudo OR parent_process_exec=bash OR CommandLine=*cve-list*) | stats count BY Computer CommandLine user process_path
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|Splunk search|Explanation|
|---|---|
|sourcetype="sysmon_linux" CommandLine!=null (parent_process_exec=sudo OR parent_process_exec=bash OR CommandLine=*cve-list*)|Search the sysmon_linux sourcetype for events that have a command line and whose parent process is sudo or bash, or whose command line references cve-list, all of which are associated with Linpeas usage. The parentheses keep the OR terms grouped so that the sourcetype and CommandLine filters apply to every alternative, because AND binds more tightly than OR in SPL.|
|\| stats count BY Computer CommandLine user process_path|Count the matching events grouped by Computer, CommandLine, user, and process_path.|
Linpeas is a verbose tool, so positive results from this search should show extensive use of the grep utility that it relies on to perform its checks.
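As an added illustration that is not part of this page or of the Linpeas project, the following Python applies the same filter and grouping as the search above to constructed Sysmon-for-Linux-style records, then performs the triage step the text describes: flagging hosts whose matching results are dominated by grep and strings runs against sensitive paths. Field names follow the search; the sample events, the helper names, and the burst threshold of four are assumptions.

```python
from collections import Counter
# Constructed process-creation records in the field shape the Splunk search above keys on.
# They are sample data for this example, not real Sysmon for Linux telemetry.
def _ev(host, user, parent, cmd):
    return {"Computer": host, "user": user, "parent_process_exec": parent,
            "CommandLine": cmd, "process_path": "/usr/bin/" + cmd.split()[0]}

ENUM_BURST = [  # one host, one user, a rapid run of grep/strings over sensitive paths
    "grep -rn password /etc/passwd",
    "grep -E root /etc/shadow",
    "strings /usr/bin/sudo",
    "grep -r PRIVATE /tmp",
    "grep -i cve-list /tmp/peas.txt",
]
EVENTS = [_ev("web01", "www-data", "bash", c) for c in ENUM_BURST] + [
    _ev("web01", "www-data", "bash", "ls -la /var/www"),                 # matches search, not enumeration
    _ev("db01", "postgres", "cron", "grep -c processor /proc/cpuinfo"),  # parent is neither sudo nor bash
    _ev("admin01", "ops", "sudo", "grep -n ssh /etc/passwd"),            # single hit, below burst threshold
    {"Computer": "admin01", "user": "ops", "parent_process_exec": "bash",
     "process_path": "/usr/bin/vim"},                                    # no CommandLine field at all
]

SENSITIVE = ("/etc/shadow", "/etc/passwd", "/usr/bin", "/tmp", "cve-list")
ENUM_TOOLS = {"grep", "strings"}

def matches_search(ev):
    """Mirror the SPL filter: CommandLine present, and parent sudo/bash or a cve-list marker."""
    cmd = ev.get("CommandLine")
    if not cmd:
        return False
    return ev.get("parent_process_exec") in ("sudo", "bash") or "cve-list" in cmd

def stats_count_by(events):
    """Equivalent of '| stats count BY Computer CommandLine user process_path'."""
    return Counter((e["Computer"], e["CommandLine"], e["user"], e["process_path"])
                   for e in events if matches_search(e))

def flag_enumeration_bursts(events, threshold=4):
    """Triage step from the text: flag (Computer, user) pairs whose matching results are
    dominated by grep/strings invocations against sensitive files or directories."""
    per_pair = Counter()
    for e in events:
        if not matches_search(e):
            continue
        exe = e["process_path"].rsplit("/", 1)[-1]
        if exe in ENUM_TOOLS and any(h in e["CommandLine"] for h in SENSITIVE):
            per_pair[(e["Computer"], e["user"])] += 1
    return {pair: n for pair, n in per_pair.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_enumeration_bursts(EVENTS))  # {('web01', 'www-data'): 5}
```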
You might also be interested in other processes associated with the Detecting usage of popular Linux post-exploitation tools use case.