Linux Command Line Forensics and Intrusion Detection Cheat Sheet
May 20, 2021
Below is our Linux command line forensics and intrusion detection cheat sheet along with a presentation given at Purplecon 2018. These resources can help you investigate a Linux host for compromise without loading any special tools.
You can also get a free license of our product to automatically investigate Linux systems for compromise instantly.
The presentation and cheat sheet give quick methods for assessing a Linux host for signs of compromise. It focuses on what we call The Big Five areas of Linux forensics:
Processes – Suspicious processes and network activity.
Directories – Suspicious directories holding malicious payloads, data, or tools to allow lateral movement into a network.
Files – Files that are malicious, likely tampered with, or otherwise out of place on a Linux host.
Users – Areas to check for suspicious user activity.
Logs – Log file tampering detection and common areas to check for signs someone has been covering their tracks.
The cheat sheet helps give quick assessment of a Linux host to find many common problems. Even advanced attackers may do things that can be spotted with these techniques if they aren’t careful.
Sandfly Security works by using an agentless threat hunting system that checks for the above plus many other signs of compromise on Linux systems constantly throughout the day. The techniques in this cheat sheet are just a small portion of what you can investigate on a Linux system for signs of compromise from common attacks up to advanced persistent threat activity.
We thank the organizers of Purplecon for inviting us to speak.
Sandfly is a linux threat hunting tool to aid in intrusion detection and removal of malware and ransomware from your Linux systems. It supports many of the most popular distributions including Debian, Ubuntu, Redhat, Suse, Fedora, Arch Linux, CentOS and even Rasberry Pi. Talk to one of our experts and see how Sandly can help you with your Linux forensics.