
pspy

by DominicBreuker

5.8K stars
565 forks
56 watchers
Updated 2 months ago
About

pspy is a command line tool that monitors Linux processes and file system events without requiring root permissions. It reads process command lines and UIDs from procfs (/proc) and places inotify watchers on selected directories; a file system event triggers an immediate procfs rescan, so short-lived processes are caught that a fixed polling interval would miss.

Monitor Linux processes without root permissions

Primary Use Case

pspy is primarily used for real-time monitoring and enumeration of Linux processes, including commands run by other users and cron jobs, without needing elevated privileges. It is aimed at security professionals conducting system audits, penetration testers in CTF environments, and administrators who want to detect suspicious activity or demonstrate security risks such as passing secrets via command line arguments. It works because /proc is world-readable on most default installs, so any local user can read other users' command lines, arguments included; mounting procfs with hidepid=2 (or an equivalent hardening) hides other users' processes and restricts pspy to the invoking user's own.

Key Features
  • Monitors processes and commands run by other users without root permissions, by reading /proc/<pid>/cmdline and /proc/<pid>/status
  • Uses inotify watchers on selected file system paths as triggers for an immediate procfs scan, which catches short-lived processes (cron children, shell one-liners) that polling alone would miss
  • Also scans procfs on a fixed interval so processes are found even when no inotify event fires
  • Supports recursive (-r) and non-recursive (-d) directory watching with inotify
  • Color-codes command output by process UID for easier analysis
  • Provides verbose debug output for troubleshooting
  • Precompiled static binaries available for easy deployment on various Linux systems
  • Lightweight and easy to build using Go or Docker
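The procfs side of this is small enough to show end to end. The following is an added example written for this page, not pspy's own source: it snapshots /proc, parses each process's NUL-separated cmdline and the real UID from its status file, and diffs two snapshots to report newcomers in a pspy-like CMD line. The 100 ms poll interval mirrors pspy's default; the mysql and cron values used in the accompanying checks are constructed.

```go
// Minimal procfs scanner in the spirit of pspy. Example code written for this
// page, not pspy's own source. Linux only: it expects a /proc layout.
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Proc is one observed process.
type Proc struct {
	PID int
	UID int
	Cmd string
}

// ParseCmdline turns the NUL-separated /proc/<pid>/cmdline contents into one
// space-joined command string: exactly what any local user sees, secrets included.
func ParseCmdline(raw []byte) string {
	raw = bytes.TrimRight(raw, "\x00")
	if len(raw) == 0 {
		return "" // kernel threads and zombies have an empty cmdline
	}
	return strings.ReplaceAll(string(raw), "\x00", " ")
}

// ParseUID extracts the real UID from the "Uid:" line of /proc/<pid>/status.
// That line carries real, effective, saved and filesystem UIDs; we take the first.
func ParseUID(status []byte) (int, error) {
	for _, line := range strings.Split(string(status), "\n") {
		if strings.HasPrefix(line, "Uid:") {
			if f := strings.Fields(line); len(f) >= 2 {
				return strconv.Atoi(f[1])
			}
		}
	}
	return -1, fmt.Errorf("no Uid line in status")
}

// Snapshot reads every numeric entry under procRoot. Processes that exit between
// readdir and open are skipped. Which PIDs are visible at all depends on how
// procfs is mounted: hidepid=2 hides other users' processes from this scan.
func Snapshot(procRoot string) map[int]Proc {
	seen := make(map[int]Proc)
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return seen
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue
		}
		cmd, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "cmdline"))
		if err != nil {
			continue
		}
		status, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "status"))
		if err != nil {
			continue
		}
		uid, err := ParseUID(status)
		if err != nil {
			continue
		}
		seen[pid] = Proc{PID: pid, UID: uid, Cmd: ParseCmdline(cmd)}
	}
	return seen
}

// NewProcs returns processes present in cur but absent from prev, sorted by PID.
func NewProcs(prev, cur map[int]Proc) []Proc {
	var out []Proc
	for pid, p := range cur {
		if _, ok := prev[pid]; !ok {
			out = append(out, p)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].PID < out[j].PID })
	return out
}

func main() {
	// Poll /proc every 100 ms (pspy's default interval) and print newcomers.
	prev := Snapshot("/proc")
	for {
		time.Sleep(100 * time.Millisecond)
		cur := Snapshot("/proc")
		for _, p := range NewProcs(prev, cur) {
			fmt.Printf("CMD: UID=%-5d PID=%-6d | %s\n", p.UID, p.PID, p.Cmd)
		}
		prev = cur
	}
}
```

What this loop lacks compared to pspy is the inotify trigger: a process that starts and exits between two polls is invisible here, which is exactly the gap the file system watchers close.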

Installation

  • Download the appropriate binary for your system from the releases page (pspy32, pspy64, pspy32s, or pspy64s).
  • For static binaries (~4MB), use pspy32 or pspy64; for smaller binaries (~1MB), use pspy32s or pspy64s which depend on libc and are compressed with UPX.
  • Make the binary executable (e.g., chmod +x pspy64).
  • Alternatively, clone the repository and build the tool using Go if installed: run `make build` or use Docker by running `make build-build-image` followed by `make build`.
  • Run `./pspy64 --help` to view available options and usage instructions.

Usage

$ ./pspy64 -pf -i 1000

Print both commands (-p, on by default) and file system events (-f, off by default), scanning procfs every 1000 milliseconds (1 second). The default interval is 100 ms; a longer interval lowers CPU use but leaves more room for short-lived processes to slip between scans unless an inotify event triggers a rescan.

$ ./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir

Place inotify watchers recursively on two directories and non-recursively on a third. Without -r, pspy watches /usr, /tmp, /etc, /home, /var and /opt recursively. Very large trees can exhaust the per-user inotify watch limit (/proc/sys/fs/inotify/max_user_watches), which pspy reports at startup; directories beyond the limit are simply not watched.

$ ./pspy64 -p=false -f

Disable printing of discovered commands and print only file system events. Boolean flags that default to true must be turned off with the -flag=false form.

Security Frameworks
Discovery
Collection
Defense Evasion
Credential Access
Execution
Usage Insights
  • Red team: run pspy as the low-privileged user you land as and watch for root-run cron jobs and other scheduled tasks; a root process executing a script or binary from a directory you can write to is a privilege escalation path, and no root access is needed to find it.
  • Blue team: pspy shows what an unprivileged attacker can see on your hosts. Use it to confirm that no service passes secrets on the command line and that procfs hardening (hidepid) actually hides other users' processes.
  • Purple team: run pspy while the offensive side executes its payloads, then compare its list of short-lived processes with what your detection stack recorded to find gaps in process-creation telemetry.
  • Containers and CI: run pspy inside a test container alongside the application under test to catch entrypoints, build steps or sidecars that expose credentials as command line arguments before they ship.
  • Log handling: pspy is an audit tool rather than a production monitor; its output is plain text on stdout, so redirect it to a file or pipe it to a log shipper if you want the events next to other telemetry during an investigation.
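To ship pspy output anywhere, it first has to be parsed. The following is an added example written for this page, not part of the pspy project: it parses pspy's CMD and FS record lines into a struct, renders each as one JSON object per line for a log shipper or SIEM, and flags two privesc review findings described above, a root-run command referencing a user-writable directory and a credential passed on the command line. The sample lines are constructed to follow pspy's CMD/FS line layout and are not a real capture; the writable-directory list and the credential regex are heuristics to tune per host.

```go
// Parse pspy CMD/FS output into structured events, emit NDJSON, and flag
// findings. Example code written for this page, not the pspy project's.
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one parsed pspy record. UID and PID are -1 for FS events.
type Event struct {
	Time   string `json:"time"`
	Kind   string `json:"kind"` // "CMD" or "FS"
	UID    int    `json:"uid"`
	PID    int    `json:"pid"`
	FSOp   string `json:"fs_op,omitempty"` // FS only, e.g. OPEN, CLOSE_WRITE
	Detail string `json:"detail"`          // command line (CMD) or path (FS)
}

var (
	// "<date> <time> CMD: UID=0    PID=9      | <cmd>" or "<date> <time> FS: <OP> | <path>"
	lineRe = regexp.MustCompile(`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (CMD|FS):\s+(.*?)\s*\| ?(.*)$`)
	cmdRe  = regexp.MustCompile(`^UID=(\d+)\s+PID=(\d+)$`)
	// Heuristic: mysql-style -pSECRET, --password SECRET, password=SECRET.
	credRe = regexp.MustCompile(`(?i)(?:^|\s)(?:-p\S+|--password[= ]\S+|password=\S+)`)
)

// ParseLine returns ok=false for startup chatter and anything that is not a
// CMD or FS record.
func ParseLine(line string) (Event, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimRight(line, "\r\n"))
	if m == nil {
		return Event{}, false
	}
	ev := Event{Time: m[1], Kind: m[2], Detail: m[4], UID: -1, PID: -1}
	switch ev.Kind {
	case "CMD":
		c := cmdRe.FindStringSubmatch(m[3])
		if c == nil {
			return Event{}, false
		}
		ev.UID, _ = strconv.Atoi(c[1])
		ev.PID, _ = strconv.Atoi(c[2])
	case "FS":
		ev.FSOp = m[3]
	}
	return ev, true
}

// Flag explains why a CMD event deserves a look, or returns "" for noise.
// writable holds directory prefixes the observing user can write to; root
// executing something under them is the classic cron privesc path.
func Flag(ev Event, writable []string) string {
	if ev.Kind != "CMD" {
		return ""
	}
	if credRe.MatchString(ev.Detail) {
		return "credential passed on command line (visible to any local user)"
	}
	if ev.UID == 0 {
		for _, dir := range writable {
			if strings.Contains(ev.Detail, dir) {
				return "root executes a path under writable " + dir
			}
		}
	}
	return ""
}

// ToJSON renders one event as a single NDJSON line.
func ToJSON(ev Event) string {
	b, _ := json.Marshal(ev)
	return string(b)
}

func main() {
	// Constructed sample in pspy's output layout, not a real capture.
	sample := `2024/03/01 10:00:00 Inotify watcher limit: 524288 (/proc/sys/fs/inotify/max_user_watches)
2024/03/01 10:00:01 CMD: UID=0    PID=4212   | /usr/sbin/CRON -f
2024/03/01 10:00:01 CMD: UID=0    PID=4213   | /bin/sh -c /tmp/backup.sh
2024/03/01 10:00:02 CMD: UID=1000 PID=4215   | mysql -u app -pS3cret! appdb
2024/03/01 10:00:02 FS:                 OPEN | /etc/passwd`
	writable := []string{"/tmp/", "/home/dev/"} // assumed writable for this host
	for _, line := range strings.Split(sample, "\n") {
		ev, ok := ParseLine(line)
		if !ok {
			continue
		}
		fmt.Println(ToJSON(ev))
		if why := Flag(ev, writable); why != "" {
			fmt.Printf("  ALERT: %s\n", why)
		}
	}
}
```

Feed real output with something like `./pspy64 -pf | go run parse.go` (reading stdin instead of the embedded sample); the credential pattern will also match unrelated `-p` flags, so treat it as a triage hint rather than a verdict.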


Security Profile
Red Team: 80%
Blue Team: 40%
Purple Team: 60%
Details
License: GNU General Public License v3.0
Language: Go
Open Issues: 12
Topics
ctf
pentesting
privesc
enumeration
golang
security