@hiddenillusion
Last active August 23, 2017 15:28

Log/File Analysis

| What | Where | Notes |
| --- | --- | --- |
| review shell history files | .*_history | |
| temp. editor files | .vi/.vim/.lesshst/sqlite* | |

Look for suspicious files

| What | Where | Notes |
| --- | --- | --- |
| hidden files | | |
| temp. files | /tmp, /dev/shm | look in /etc/fstab for tmpfs |
| incorrect permissions | | |
| file owners | | e.g., incorrect within web root |
| symlinks/aliases | | |
| SUID/SGID | | |

Exfiltration / Lateral Movement

| What | Where | Notes |
| --- | --- | --- |
| scan for webshells | web root | limit to known file extensions & file size |
| upload/download activity | ftp, curl, wget, perl/python, scp, sftp, browser history, web logs | |

General

| What | Where | Notes |
| --- | --- | --- |
| suspicious software installed | via package manager (yum.log, dpkg.log...) | nmap, openssh... |
| sources within package managers | | |
| pre/post scripts/commands from dependencies with package managers | | e.g. stealing env. variables or executing something malicious after install with npm |
| application specific logs | database etc. | |
| kernel modules | | |
| suspicious accounts | /etc/passwd | look for users with UID 0:0 (root) & default shells |
| suspicious accounts | /etc/sudoers | |
| suspicious accounts | /etc/shadow | look for accounts with no password set |
| env variables | | echo out env variables & also look for scripts/tools which do the same, as sensitive information may be contained within them |

Weak/Default Configurations

| What | Where | Notes |
| --- | --- | --- |
| SSH password authentication permitted | | |
| SSH root login permitted | | |
| SSH max failed logons | | |
| 3rd party within web root | | outdated CMS, file upload functionality, incorrect permissions and file validation on uploads |
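The "suspicious accounts" rows above and the SSH rows in this table are easy to script. The following is an added example, not part of the original gist: each helper takes a file path, so the same check runs against a mounted image (the /mnt/evidence path is an assumption) or the live host; the sample passwd, shadow and sshd_config contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the gist): triage helpers for the "suspicious
# accounts" and "Weak/Default Configurations" rows. Each function takes a
# file path, so it runs on a mounted image (/mnt/evidence/etc/passwd,
# an assumed path) as well as on the live host (/etc/passwd).

# Accounts with UID 0: anything besides root is a classic backdoor account.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shell allows interactive login; service accounts with a
# real shell (e.g. www-data with /bin/bash) deserve a second look.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $7 }' "$1"
}

# /etc/shadow entries with an empty password field: no password required.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Effective (uncommented) sshd_config directives matching the weak settings
# listed under Weak/Default Configurations (Match blocks are not handled).
weak_sshd_settings() {
    awk 'tolower($1) == "permitrootlogin" && tolower($2) == "yes" { print $1, $2 }
         tolower($1) == "passwordauthentication" && tolower($2) == "yes" { print $1, $2 }' "$1"
}

# Constructed sample evidence (not from any real host) so the block runs offline.
make_sample_evidence() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0::/root:/bin/sh
EOF
    cat > "$sample_dir/shadow" <<'EOF'
root:$6$fakesalt$fakehash:17400:0:99999:7:::
www-data:*:17400:0:99999:7:::
toor::17400:0:99999:7:::
EOF
    printf '# PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\nMaxAuthTries 6\n' > "$sample_dir/sshd_config"
    echo "$sample_dir"
}
d=$(make_sample_evidence)
uid0_accounts "$d/passwd"; login_shell_accounts "$d/passwd"
empty_password_accounts "$d/shadow"; weak_sshd_settings "$d/sshd_config"
rm -rf "$d"
```

Against the sample data the checks surface the extra UID 0 account (toor), the service account with a real shell (www-data), the passwordless account, and both weak sshd directives; sshd applies the first occurrence of a directive, so review the whole file when several appear.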

Authentication

| What | Where | Notes |
| --- | --- | --- |
| numerous failed attempts | | single user |
| numerous failed logons | /var/log/(b u | |
| SSH | ssh -T | |
| SSH | *known_hosts | |
| priv. escalation | sudo/su (/var/log/auth*.log*, /var/log/sudo*.log*) | |
| correlation of source IP/hostname for users logging on | | easy to see shared accounts/logging in from places that aren't normal |
| from suspicious processes | web server processes | e.g., explicit creds to auth. and logon process is C:\Windows\System32\inetsrv\InetMgr.exe |

Persistence

| What | Where | Notes |
| --- | --- | --- |
| cron jobs | | |
| init.d scripts | | |
| symlinks | | |
| trojanized binaries | | |
| added to .bashrc/.profile/.bash_aliases | | |
| web browser plugins/extensions/addons | | |
| LD_PRELOAD | | |
| LD_LIBRARY_PATH | | |
| Upstart | | |
| SysVinit | | |
| webshells | | |

Processes

| What | Where | Notes |
| --- | --- | --- |
| processes with no file on disk | | |
| reverse shells/tunnelers/listeners | CLI args. via Auditd | |
| parent/child relationships | | |

Network

| What | Where | Notes |
| --- | --- | --- |
| sockets | | |
| DNS cache | | |
| hosts file | /etc/hosts | |

TTPs

| What | Where | Notes |
| --- | --- | --- |
| tampering with shell history | | UNSET, HISTSIZE, > /dev/null |
| gaps within logs | /var/log/ files and/or web logs | e.g., attacker using something like white cat log cleaner |

Dead

| What | Where | Notes |
| --- | --- | --- |
| Distro info. | /etc/*-release | |
| Install date | /etc/ssh/ssh_host_*_key | files usually created during install |
| System name | /etc/hostname | |
| IP address(es) | /etc/hosts | static |
| IP address(es) | /var/lib/dhclient | DHCP |
| Timezone | /etc/localtime | needs to be decoded, strings or zdump |

Log Standards/Pipeline/Recommendations

| What | Description | Notes |
| --- | --- | --- |
| AuditD | exec & connect, file integrity, priv. escalation | epoch in () is key to track/correlate additional event entries |

Typical Analysis Workflow for LR data

  1. Review shell history
  2. Review tmpfs (/tmp, /dev/shm, tmpfs in /etc/fstab etc.)
  3. Review history files of edit applications for files accessed/changed (.lesshst, .viminfo etc.)
  4. Look for hidden files/directories
  5. Review hits for webshell and A/V scans
  6. Look at listening ports
  7. Look at process listing (CLI, working directories, parent/child relationships, uptime etc.)
  8. Review SSH related files (authorized_keys, known_hosts, sshd_config etc.)
  9. Stack privileges of files/directories to spot excessive privileges
  10. Stack owner/group of files/directories to spot anomalies
  11. Review crontab
  12. Query IPs/file hashes (known trojanized binaries, C2s etc.)
  13. Review installed applications from package managers
  14. Consolidate file listings into timeline view -> filter/grep/time slice
  15. Look at shells for users (/etc/passwd)