This note documents detection patterns related to Linux Privilege Escalation Enumeration on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
Shell history	`sudo -l`	Enumerate sudo rights	Critical	Highest-value privilege recon command.
Shell history	`find / -perm -4000`	SUID binary hunt	Critical	Classic escalation enumeration.
Shell history	`find / -perm -2000`	SGID binary hunt	High	Secondary privilege surface discovery.
Shell history	`getcap -r /`	Capability enumeration	Critical	Mature privilege escalation recon.
Shell history	`ls -la /etc/sudoers.d`	Sudo policy inspection	Critical	Precise privilege mapping.
Shell history	`cat /etc/sudoers`	Sudo policy review	Critical	Strong escalation intent.
Shell history	`uname -a`	Kernel version discovery	Critical	Exploit path selection.
Shell history	`cat /etc/os-release`	Distribution discovery	High	Exploit compatibility check.
Shell history	`ps aux`	Privileged process review	High	Service escalation target search.
Shell history	`env`	Environment leak review	High	Path / variable abuse opportunities.
Shell history	`linpeas`	Automated privilege audit	Critical	Strong operator indicator.
Shell history	`linux-exploit-suggester`	Exploit recommendation	Critical	Strong escalation preparation.
`auditd`	privilege recon commands	Process attribution	Critical	Best attribution if enabled.
File reads	sudoers / capability files	High	Strong escalation context.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Enumeration immediately after foothold	Escalation preparation	Critical	Common attacker progression.
`uname -a` then exploit download	Kernel exploit chain	Critical	Strong hostile sequence.
SUID hunt plus GTFOBins abuse	Escalation chain	Critical	Strong evidence.
Capability review plus interpreter abuse	Mature operator behavior	Critical	Higher technical skill.
`linpeas` under temp path	Automated host audit	Critical	Very strong intrusion signal.
Sudoers read under service account	Suspicious context	Critical	Exploitation shell likely.
Process review before service abuse	Privileged target selection	High	Common escalation prep.
Env review before PATH hijack	Precise escalation path	High	Skilled operator clue.
Enumeration plus cleanup	Mature intrusion behavior	High	Strong operational discipline.
Minimal commands but exact checks	Mature hands-on-keyboard	High	Strong operator signal.

Common Tools

Tool	Usage
`sudo -l`	Sudo privilege discovery.
`find / -perm -4000`	SUID hunting.
`getcap -r /`	Capability enumeration.
`uname -a`	Kernel identification.
`linpeas`	Automated privilege enumeration.
`linux-exploit-suggester`	Kernel exploit suggestions.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Sudo policy	`/etc/sudoers`, `/etc/sudoers.d/`	Critical	Escalation surface.
Capability metadata	`getcap` output	Critical	Modern privilege surface.
SUID binaries	file system	Critical	Escalation surface.
Kernel version	`uname -a`	Critical	Exploit context.
Shell history	`.bash_history`, `.zsh_history`	Critical	Enumeration evidence.
Audit logs	`/var/log/audit/audit.log`	Critical	Process attribution.
Temp tools	`/tmp`, `/var/tmp`, `/dev/shm`	High	linpeas / helper tools often staged here.

MITRE ATT&CK References

T1068 Exploitation for Privilege Escalation
T1548 Abuse Elevation Control Mechanism
T1082 System Information Discovery

Decision Tree

Was privilege recon performed?
- Search shell history and audit logs.
Which privilege surface?
- Sudo, SUID, capabilities, kernel.
Was automation used?
- linpeas, exploit suggesters.
Did recon lead to escalation?
- sudo abuse, GTFOBins, kernel exploit.
Is context suspicious?
- Service account, web shell, fresh foothold.
Pivot
- SUID list → abused binary.
- Kernel version → exploit path.
- Sudo policy → exact abuse route.
Confirm escalation reconnaissance
- Privilege checks + suspicious context + follow-on abuse = strong escalation finding.

Example Detection Templates

Grep

grep -R "sudo -l\|find / -perm -4000\|find / -perm -2000\|getcap -r /\|cat /etc/sudoers\|uname -a\|cat /etc/os-release\|linpeas\|linux-exploit-suggester" /home/*/.bash_history /root/.bash_history 2>/dev/null

grep -R "ls -la /etc/sudoers.d\|ps aux\|env" /home/*/.bash_history /root/.bash_history 2>/dev/null

Journalctl

journalctl | grep sudo

File Inspection

find / -perm -4000 2>/dev/null

getcap -r / 2>/dev/null

Sigma

title: Linux Privilege Escalation Enumeration
id: linux-privilege-escalation-enumeration
status: experimental
description: Detects suspicious Linux privilege escalation reconnaissance activity
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'sudo -l'
      - 'find / -perm -4000'
      - 'getcap -r /'
      - 'linpeas'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate administration
level: high
tags:
  - attack.discovery
  - attack.privilege_escalation

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Sudo minimization	Restrict dangerous sudo entries	Critical	Major escalation reduction.
Capability review	Remove unnecessary caps	High	Shrinks modern privilege surface.
SUID review	Baseline and minimize SUID binaries	Critical	Core prevention.
Auditd	Track privilege recon commands	High	Strong attribution.
Temp monitoring	Detect linpeas / helper tools	High	Strong intrusion clue.

Fast Triage Checks

Question	Command / Artifact	Why It Matters
Was sudo checked?	grep sudo -l	Immediate escalation intent.
Were SUID binaries hunted?	grep find perms	Classic escalation clue.
Were capabilities reviewed?	grep getcap	Mature operator signal.
Was kernel checked?	grep uname -a	Exploit prep clue.
Did recon lead to abuse?	correlate next commands	Escalation chain.

High Value Grep Strings

Pattern	Why It Matters
`sudo -l`	Highest-value privilege check.
`find / -perm -4000`	SUID hunt.
`getcap -r /`	Capability hunt.
`uname -a`	Kernel exploit prep.
`linpeas`	Automated privilege audit.
`linux-exploit-suggester`	Exploit prep.

Analyst Notes

Scenario	Interpretation
`sudo -l` immediately after foothold	Strong escalation intent.
SUID hunt plus GTFOBins	Direct escalation chain.
`linpeas` in temp	Very strong intrusion evidence.
Capability review under www-data	Mature operator behavior.
Kernel check then payload download	Exploit preparation likely.
Minimal exact checks	Skilled hands-on-keyboard signal.