Below is our command line compromise detection for Linux cheat sheet and presentation given at Purplecon 2018:
The presentation and cheat sheet give quick methods for assessing a Linux host for signs of compromise. It focuses on what we call The Big Five areas of Linux forensics:
Processes– Suspicious processes and network activity.
Directories – Suspicious directories holding malicious payloads, data, or tools to allow lateral movement into a network.
Files – Files that are malicious, likely tampered with, or otherwise out of place on a Linux host.
Users – Areas to check for suspicious user activity.
Logs – Log file tampering detection and common areas to check for signs someone has been covering their tracks.
The cheat sheet helps give quick assessment of a Linux host to find many common problems. Even advanced attackers may do things that can be spotted with these techniques if they aren’t careful.
Sandfly Security produces an agentless threat hunting system for Linux that checks for the above plus many other signs of compromise on Linux systems constantly throughout the day. The techniques in this cheat sheet are just a small portion of what you can investigate on a Linux system for signs of compromise from common attacks up to advanced persistent threat activity.
We thank the organizers of Purplecon for inviting us to speak.