Suspicious which Enumeration

Last updated 5 months ago on 2025-03-20

Created 2 years ago on 2023-08-30

About

This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: DiscoveryData Source: Elastic DefendData Source: Elastic EndgameData Source: SentinelOneLanguage: eql

Severity

low

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ System Information Discovery (T1082)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

endgame-*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*

Related Integrations

endpoint(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query

process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start") and
  process.name == "which" and process.args_count >= 10 and not (
    process.parent.name == "jem" or
    process.parent.executable like ("/vz/root/*", "/var/lib/docker/*") or
    process.args == "--tty-only"
  )

/* potential tuning if rule would turn out to be noisy
and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
*/

Install detection rules in Elastic Security

Detect Suspicious which Enumeration in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).