If your organization is experiencing a Linux breach you can contact us and we can help you with a trial license of Sandfly to help identify and contain the incident quickly. The manual steps below are extremely effective, however our full product hunts for many more signs of compromise, is fully automated and is agentless so it can be deployed quickly across your systems to find intruders. We are happy to help you.
Linux Compromise and Incident Response Cheat Sheet
Below is our command line compromise detection for Linux cheat sheet and presentation given at Purplecon 2018:
Big Five Areas for Linux Forensics
The presentation and cheat sheet give quick methods for assessing a Linux host for signs of compromise. It focuses on what we call The Big Five areas of Linux forensics:
Processes– Suspicious processes and network activity.
Directories – Suspicious directories holding malicious payloads, data, or tools to allow lateral movement into a network.
Files – Files that are malicious, likely tampered with, or otherwise out of place on a Linux host.
Users – Areas to check for suspicious user activity.
Logs – Log file tampering detection and common areas to check for signs someone has been covering their tracks.
The cheat sheet helps give quick assessment of a Linux host to find many common problems. Even advanced attackers may do things that can be spotted with these techniques if they aren’t careful.
Sandfly Security produces an agentless threat hunting system for Linux that checks for the above plus many other signs of compromise on Linux systems constantly throughout the day. The techniques in this cheat sheet are just a small portion of what you can investigate on a Linux system for signs of compromise from common attacks up to advanced persistent threat activity.
We thank the organizers of Purplecon for inviting us to speak.