Below is our Linux command-line forensics and intrusion-detection cheat sheet, along with the presentation we gave at Purplecon 2018. These resources can help you investigate a Linux host for compromise using only the commands already on the system, without loading any special tools.
Big Five Areas for Linux Forensics
The presentation and cheat sheet give quick methods for assessing a Linux host for signs of compromise. They focus on what we call The Big Five areas of Linux forensics:
Processes – Suspicious processes and network activity.
Directories – Suspicious directories holding malicious payloads, data, or tools to allow lateral movement into a network.
Files – Files that are malicious, likely tampered with, or otherwise out of place on a Linux host.
Users – Areas to check for suspicious user activity.
Logs – Log file tampering detection and common areas to check for signs someone has been covering their tracks.
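The Big Five above map directly onto a handful of checks that need nothing beyond the POSIX tools already on the host. The script below is an added example written for this page, not the cheat sheet itself or Sandfly's product; it implements one representative check per area (the cheat sheet covers many more). Every function takes the path to inspect as its first argument, so the same helpers run against a live host (`/etc/passwd`, `/tmp`, `/proc`, `/var/log`) or a mounted disk image. The `build_fixture` function creates invented data (a `toor` UID 0 account, a SUID shell in a hidden directory, a process whose binary has been unlinked, a zeroed `wtmp`) purely so the checks can be exercised offline; none of it comes from a real host.

```shell
#!/bin/sh
# Added example, not part of the Sandfly cheat sheet: one small helper per
# Big Five area, built only from POSIX tools present on any Linux host so it
# can be run without loading anything onto a suspect system. Every function
# takes the path to inspect as $1, so the same helpers work against a live
# host (/etc/passwd, /tmp, /proc, /var/log) or a mounted disk image.

# Users: accounts other than root that carry UID 0 (a classic backdoor entry).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Directories: hidden or whitespace-named directories in a staging area such
# as /tmp, /var/tmp or /dev/shm, where attackers commonly park tools.
suspicious_dirs() {
    find "$1" -mindepth 1 -type d \( -name '.*' -o -name '* *' \) 2>/dev/null
}

# Files: SUID/SGID executables under a path where none belong (e.g. /tmp).
suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Processes: running programs whose binary was deleted from disk after start.
# $1 is the proc root (/proc on a live host). Output: "<pid dir>: <exe target>".
deleted_exes() {
    for exe in "$1"/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *"(deleted)"*) printf '%s: %s\n' "${exe%/exe}" "$target" ;;
        esac
    done
}

# Logs: zero-length login/auth logs, the usual trace of "> /var/log/wtmp"
# style track covering. Check logrotate timing before drawing conclusions.
empty_logs() {
    find "$1" -maxdepth 1 -type f -size 0 \
        \( -name wtmp -o -name btmp -o -name lastlog -o -name auth.log -o -name secure \) \
        2>/dev/null
}

# Constructed fixture (invented data, not from any real host) so the helpers
# can be exercised offline. Prints the fixture root; the caller removes it.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc" "$fx/tmp/.hidden" "$fx/tmp/ " "$fx/tmp/normal" \
             "$fx/proc/1" "$fx/proc/4242" "$fx/var/log"
    cat > "$fx/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    : > "$fx/tmp/.hidden/sh"; chmod 4755 "$fx/tmp/.hidden/sh"     # SUID copy of a shell
    : > "$fx/tmp/normal/notes.txt"; chmod 644 "$fx/tmp/normal/notes.txt"
    ln -s /usr/bin/sleep "$fx/proc/1/exe"                          # legitimate process
    ln -s "/tmp/.hidden/kworkerds (deleted)" "$fx/proc/4242/exe"   # binary unlinked after start
    : > "$fx/var/log/wtmp"                                         # wiped login history
    printf 'Accepted publickey for alice\n' > "$fx/var/log/auth.log"
    printf '%s\n' "$fx"
}

# Run all five checks against the fixture, then clean up.
demo() {
    fx=$(build_fixture)
    echo "== users";  uid0_accounts "$fx/etc/passwd"
    echo "== dirs";   suspicious_dirs "$fx/tmp"
    echo "== files";  suid_files "$fx/tmp"
    echo "== procs";  deleted_exes "$fx/proc"
    echo "== logs";   empty_logs "$fx/var/log"
    rm -rf "$fx"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh triage.sh demo` to see the fixture results, or call the individual functions against real paths (`deleted_exes /proc`, `suspicious_dirs /dev/shm`, and so on). One caveat a practitioner should keep in mind: these checks trust the host's own `find`, `awk` and `readlink` and the view of `/proc` the kernel presents, which is exactly what an LD_PRELOAD or kernel rootkit subverts. Treat a clean result as provisional, and when a rootkit is suspected, repeat the checks from a known-good static binary or against an offline image of the disk.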
The cheat sheet helps you make a quick assessment of a Linux host and find many common problems. Even advanced attackers may leave traces that can be spotted with these techniques if they aren't careful.
Sandfly Security produces an agentless threat hunting system for Linux that checks for the above plus many other signs of compromise on Linux systems constantly throughout the day. The techniques in this cheat sheet are just a small portion of what you can investigate on a Linux system for signs of compromise from common attacks up to advanced persistent threat activity.
We thank the organizers of Purplecon for inviting us to speak.