@actus10
Forked from mihalyr/forensics-cheatsheet.md
Created March 11, 2022 02:54
Linux Compromise Assessment Command Cheat Sheet

Source: https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/

Processes

Large amounts of RAM:

top

Process tree:

ps -auxwf

Open network ports or raw sockets:

netstat -nalpn
netstat -plant
ss -a -e -i
lsof [many options]

Deleted binaries still running:

ls -alR /proc/*/exe 2> /dev/null | grep deleted

Process command name/cmdline:

strings /proc/<PID>/comm
strings /proc/<PID>/cmdline

Real process path:

ls -al /proc/<PID>/exe

Process environment:

strings /proc/<PID>/environ

Process working directory:

ls -alR /proc/*/cwd

Process running from tmp, dev dirs:

ls -alR /proc/*/cwd 2> /dev/null | grep tmp
ls -alR /proc/*/cwd 2> /dev/null | grep dev
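As an added example (not part of the original cheat sheet or the Sandfly page it cites), here is a POSIX sh function that runs the /proc checks above in a single pass: exe links marked deleted, working directories under tmp or dev, and a comm name that does not match the on-disk binary. The proc-root argument is a hypothetical parameter added so the function can be pointed at a constructed tree; with no argument it reads the real /proc.

```shell
#!/bin/sh
# Added example, not from the original gist. Walk a /proc-style tree and print
# one line per finding: "<pid> <TAG> <detail>", where TAG is DELETED_EXE,
# TMP_CWD, DEV_CWD or NAME_MISMATCH. $1 is a hypothetical proc root for testing.
scan_procs() {
  proc_root="${1:-/proc}"
  for d in "$proc_root"/[0-9]*; do
    [ -d "$d" ] || continue
    pid="${d##*/}"
    # exe is a symlink to the running binary; kernel threads have none, skip them
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    cwd=$(readlink "$d/cwd" 2>/dev/null)
    comm=$(cat "$d/comm" 2>/dev/null)

    # Binary unlinked after exec: the link target carries a "(deleted)" suffix
    case "$exe" in
      *' (deleted)') printf '%s DELETED_EXE %s\n' "$pid" "$exe" ;;
    esac

    # Working directory inside the commonly abused locations listed above
    case "$cwd" in
      /tmp|/tmp/*|/var/tmp|/var/tmp/*) printf '%s TMP_CWD %s\n' "$pid" "$cwd" ;;
      /dev|/dev/*)                      printf '%s DEV_CWD %s\n' "$pid" "$cwd" ;;
    esac

    # comm is the name ps/top display and can be set freely by the process;
    # compare it with the basename of exe. The kernel truncates comm to 15
    # characters, so compare on that prefix. A mismatch is a lead, not proof:
    # interpreters and legitimately renamed processes also trigger it.
    real="${exe% (deleted)}"
    base="${real##*/}"
    short=$(printf '%s' "$base" | cut -c1-15)
    if [ -n "$comm" ] && [ "$comm" != "$short" ]; then
      printf '%s NAME_MISMATCH comm=%s exe=%s\n' "$pid" "$comm" "$base"
    fi
  done
}
```

Run as root for full coverage: unprivileged users cannot read exe or cwd links of other users' processes, so those are silently skipped.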

Directories

Commonly targeted directories:

/tmp, /var/tmp, /dev/shm, /var/run,/var/spool, user home directories

List and delimit spaces, etc. in names:

ls -lap

List all hidden directories:

find / -type d -name ".*"

Files

Immutable files and directories:

lsattr / -R 2> /dev/null | grep "\----i"

Find SUID/SGID files:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Files/dirs with no user/group name:

find / \( -nouser -o -nogroup \) -exec ls -lg  {} \;

List all file types in current dir:

file * -p

Find executables anywhere, /tmp, etc.:

find / -type f -exec file -p '{}' \; | grep ELF
find /tmp -type f -exec file -p '{}' \; | grep ELF

Find files modified/created within last day:

find / -mtime -1

Persistence areas:

/etc/rc.local, /etc/init.d, /etc/rc*.d, /etc/modules, /etc/cron*, /var/spool/cron/*

Package commands to find changed files:

rpm -Va | grep ^..5.
debsums -c

Users

Find all ssh authorized_keys files:

find / -name authorized_keys

History files for users:

find / -name '.*history'

History files linked to /dev/null:

ls -alR / 2> /dev/null | grep '\.[a-z_]*history' | grep null

Look for UID 0/GID 0:

grep ":0:" /etc/passwd

Check sudoers file:

cat /etc/sudoers /etc/sudoers.d/*
cat /etc/group

Check scheduled tasks:

crontab -l
atq
systemctl list-timers --all

Logs

Check for zero size logs:

ls -al /var/log/*

Dump audit logs:

utmpdump /var/log/wtmp
utmpdump /var/run/utmp
utmpdump /var/log/btmp
last
lastb

Find logs with binary in them:

grep '[[:cntrl:]]' /var/log/*.log