Linux Host Threat Hunting
Find Command Line Execution T1059.004
Look within the user home directories for `.bash_history`.
Look for aliasing within `.bashrc` in the user home directory.
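Added example (not part of the original page): walk every account that has a home directory, show the tail of its `.bash_history`, and list the aliases defined in its `.bashrc`, flagging any alias that shadows a command on a watch list. `WATCHED_CMDS`, the helper names and the fixture built by `make_demo_home` are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Hunts .bash_history and .bashrc
# aliases per home directory. WATCHED_CMDS is a hypothetical starting list.

WATCHED_CMDS="sudo ssh ls cat ps ss netstat"   # aliases for these deserve a second look

# Print "name=value" for every `alias name='value'` line in an rc file.
extract_aliases() {
  grep -E '^[[:space:]]*alias[[:space:]]+' "$1" 2>/dev/null \
    | sed -E "s/^[[:space:]]*alias[[:space:]]+//; s/=['\"]/=/; s/['\"][[:space:]]*$//"
}

# Read "name=value" lines on stdin; report those that shadow a watched command.
flag_aliases() {
  while IFS='=' read -r name value; do
    for w in $WATCHED_CMDS; do
      [ "$name" = "$w" ] && printf 'SHADOWED %s -> %s\n' "$name" "$value"
    done
  done
  return 0
}

# Last N lines of a history file (default 20); silent when the file is absent.
history_tail() {
  [ -r "$1" ] && tail -n "${2:-20}" "$1"
  return 0
}

# Live hunt over /etc/passwd (or the passwd-format file given as $1).
hunt_homes() {
  while IFS=: read -r user _ _ _ _ home _; do
    [ -d "$home" ] || continue
    printf '== %s (%s)\n' "$user" "$home"
    history_tail "$home/.bash_history" 10
    extract_aliases "$home/.bashrc" | flag_aliases
  done < "${1:-/etc/passwd}"
}

# Constructed fixture (not real data) so the functions can be exercised offline:
# one benign alias, one that hijacks sudo, one commented out, and a history
# that ends with the user wiping it.
make_demo_home() {
  local d; d=$(mktemp -d)
  printf '%s\n' "alias ll='ls -la'" "alias sudo='/tmp/.x/sudo'" "# alias cat='cat'" > "$d/.bashrc"
  printf '%s\n' "ls -la /root" "id" "history -c" > "$d/.bash_history"
  printf '%s' "$d"
}

if [ "${1:-}" = "--live" ]; then hunt_homes; fi
```

Run with `--live` as root to cover every home directory; the demo fixture shows the `SHADOWED sudo -> /tmp/.x/sudo` line the alias check produces.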
Find USB Devices T1025
Look at `usb` strings within `/var/log/syslog`.
Look at `dmesg` strings within `/var/log/syslog`.
Find Hidden Files T1564.001
Use `osqueryi` with `SELECT filename, path, directory, size, type FROM file WHERE path LIKE '/.%';`.
On the command line, use `lsof` to examine process calls and possible network connections.
On the command line, use `osqueryi` to examine processes with `SELECT pid, fd, socket, local_address, remote_address FROM process_open_sockets WHERE pid = [PID];`.
View process execution with pspy.
Find all running processes using `osqueryi` with `SELECT pid, name, path, state FROM processes;`.
Find the open files associated with a running process using `osqueryi` with the `process_open_files` table.
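Added example (not from the original page): the data behind osquery's `process_open_sockets` columns (pid, local_address, remote_address, state) rebuilt from `/proc`, for a host where neither `osqueryi` nor `lsof` is available. `/proc/net/tcp` stores IPv4 addresses as little-endian hex and names the socket inode; `/proc/<pid>/fd/*` symlinks read `socket:[<inode>]`, which is how the inode maps back to a pid. Function names and the sample table are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: process_open_sockets from /proc.

# "0100007F:0016" -> "127.0.0.1:22" (little-endian hex IPv4, hex port)
decode_addr4() {
  local hex=${1%%:*} port=${1##*:}
  printf '%d.%d.%d.%d:%d' \
    "0x${hex:6:2}" "0x${hex:4:2}" "0x${hex:2:2}" "0x${hex:0:2}" "0x$port"
}

# Kernel TCP state codes (subset) -> names
tcp_state() {
  case $1 in
    01) echo ESTABLISHED ;; 02) echo SYN_SENT ;; 03) echo SYN_RECV ;;
    06) echo TIME_WAIT   ;; 08) echo CLOSE_WAIT ;; 0A) echo LISTEN ;;
    *)  echo "STATE_$1" ;;
  esac
}

# stdin: /proc/net/tcp text. Prints "local remote state inode" per socket.
# Field 10 of each row is the socket inode.
parse_proc_net_tcp() {
  awk 'NR > 1 { print $2, $3, $4, $10 }' | while read -r l r st ino; do
    printf '%s %s %s %s\n' "$(decode_addr4 "$l")" "$(decode_addr4 "$r")" \
      "$(tcp_state "$st")" "$ino"
  done
}

# Which pid owns socket inode $1? Walks /proc/*/fd; prints nothing if unknown.
pid_for_inode() {
  local fd
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    fd=${fd#/proc/}; printf '%s\n' "${fd%%/*}"; return 0
  done
  return 1
}

# Live view: the rows osquery would return for every IPv4 TCP socket.
list_sockets_live() {
  parse_proc_net_tcp < /proc/net/tcp | while read -r l r st ino; do
    pid=$(pid_for_inode "$ino" || echo '?')
    name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    printf '%-6s %-15s %-21s %-21s %s\n' "$pid" "$name" "$l" "$r" "$st"
  done
}

# Constructed /proc/net/tcp sample (not captured from a real host): an sshd
# listener and an outbound connection from uid 1000 to 203.0.113.5:443.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B5A2 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1'

if [ "${1:-}" = "--live" ]; then list_sockets_live; else
  printf '%s\n' "$SAMPLE_PROC_NET_TCP" | parse_proc_net_tcp
fi
```

Walking `/proc/*/fd` needs root to see other users' processes; a socket whose inode maps to no pid is itself worth a look, since that is what a hidden or exited process leaves behind.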
User Creation T1136
Look within auth.log for `useradd` events.
Look within `/etc/passwd` for another user creation.
If service based, look within `journalctl` output for the specific service.
Use osqueryi with `Select username, uid, description from users;` to find all users.
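Added example (not from the original page): extract account creations and admin-group additions from auth.log, and cross-check `/etc/passwd` for a second UID-0 account. The log and passwd lines are constructed for the example; their layout matches what shadow-utils' `useradd`/`usermod` write via syslog. Helper names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: user-creation hunting.

# stdin: auth.log. Prints "date time user uid home shell" per created account.
parse_useradd() {
  sed -nE 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]+) .* useradd\[[0-9]+\]: new user: name=([^,]+), UID=([0-9]+), GID=[0-9]+, home=([^,]+), shell=([^,]+).*/\1 \2 \3 \4 \5/p'
}

# stdin: auth.log. Prints "user -> group" when an account joins an admin group.
parse_admin_group_adds() {
  sed -nE "s/^.* (usermod|gpasswd)\[[0-9]+\]: add '?([^' ]+)'? to group '?(sudo|wheel|admin|root)'?.*/\2 -> \3/p"
}

# stdin: /etc/passwd content. Prints any UID-0 account other than root.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# stdin: /etc/passwd content. Prints human accounts (UID >= 1000, real shell).
login_accounts() {
  awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1, $3, $7 }'
}

# Constructed samples (not real events).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar 10 14:02:11 host useradd[2310]: new group: name=backup2, GID=1002
Mar 10 14:02:11 host useradd[2310]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash, from=/dev/pts/1
Mar 10 14:05:40 host usermod[2355]: add 'backup2' to group 'sudo'
Mar 10 14:05:40 host usermod[2355]: add 'backup2' to shadow group 'sudo'
EOF
)
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:1002:1002::/home/backup2:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
)

if [ "${1:-}" = "--live" ]; then
  parse_useradd < /var/log/auth.log
  parse_admin_group_adds < /var/log/auth.log
  extra_uid0 < /etc/passwd
  login_accounts < /etc/passwd
fi
```

On the sample this yields the `backup2` creation, its addition to `sudo`, and the extra UID-0 account `toor`, which `/etc/passwd` alone would not make obvious among system accounts.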
Look within `/var/spool/crontab` to find each cronjob associated with each user.
Look at the system level crontabs with `/etc/crontab`.
A helpful resource can be found here.
Use the `crontab` command to view the user crontabs.
Loop through each of the users and find the crontabs with `sudo bash -c 'for user in $(cut -f1 -d: /etc/passwd); do entries=$(crontab -u $user -l 2>/dev/null | grep -v "^#"); if [ -n "$entries" ]; then echo "$user: Crontab entry found!"; echo "$entries"; echo; fi; done'`.
Look for cron execution within `/var/log/syslog`.
View process execution and focus on cronjobs using pspy.
Find the system level cronjobs within `/etc/`.
Look within `/etc/systemd/service` to find anomalous services.
Look within the logs at `/var/log/syslog`.
Find using `journalctl` on the command line.
Run the command `systemctl list-units --type=service --state=running` to find all running services.
Find information about the service within `/etc/systemd/system`.
Find Installed Packages T1072
Use the command `dpkg -l` on the system.
Search for package installs within `/var/log/dpkg.log`.
Use the command `apt list --installed`.
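Added example (not from the original page): query `/var/log/dpkg.log` for installs after a cutoff date, installs outside a maintenance window, and a per-day action count. The log lines are constructed; their `date time action package old-version new-version` layout is dpkg's. The window bounds and helper names are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: dpkg.log hunting.

# stdin: dpkg.log. $1 = YYYY-MM-DD cutoff (inclusive). Prints "date time package version".
dpkg_installs_since() {
  awk -v since="$1" '$3 == "install" && $1 >= since { print $1, $2, $4, $6 }'
}

# stdin: dpkg.log. Installs whose hour falls outside [$1,$2) (default 08..18, host local time).
dpkg_installs_off_hours() {
  awk -v lo="${1:-8}" -v hi="${2:-18}" '
    $3 == "install" { h = substr($2, 1, 2) + 0; if (h < lo || h >= hi) print $1, $2, $4, $6 }'
}

# stdin: dpkg.log. Count of install/upgrade/remove/purge actions per day.
dpkg_actions_per_day() {
  awk '$3 ~ /^(install|upgrade|remove|purge)$/ { c[$1 " " $3]++ } END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample (placeholder versions, not a real log).
SAMPLE_DPKG_LOG=$(cat <<'EOF'
2024-03-01 10:00:00 startup packages configure
2024-03-01 10:00:00 install vim:amd64 <none> 1.0-1
2024-03-01 10:00:01 status installed vim:amd64 1.0-1
2024-03-01 10:00:02 upgrade openssl:amd64 1.0-1 1.0-2
2024-03-12 03:14:07 install netcat-openbsd:amd64 <none> 1.0-1
2024-03-12 03:14:08 status installed netcat-openbsd:amd64 1.0-1
2024-03-12 03:15:30 install socat:amd64 <none> 1.0-1
EOF
)

if [ "${1:-}" = "--live" ]; then
  dpkg_installs_since "${2:-1970-01-01}" < /var/log/dpkg.log
  dpkg_installs_off_hours < /var/log/dpkg.log
fi
```

Rotated logs (`/var/log/dpkg.log.1`, `dpkg.log.*.gz`) need to be concatenated in front of the live file for the per-day counts to be complete.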
View User Authentications T1078
Look at the `/var/log/auth.log` file and focus on authentications with `Accepted Password` or `Sessions opened`.
View login and logout activity with `/var/log/btmp` and `/var/log/wtmp`.
Look for `gdm-password` within `auth.log`.
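Added example (not from the original page): parse auth.log for accepted SSH logins, PAM session opens (sshd, gdm-password, sudo), and the pattern of repeated failures from one source followed by a success. The log lines are constructed; the sshd and pam_unix message layouts are the ones those components write. Helper names and the failure threshold are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: auth.log authentication hunting.

# stdin: auth.log. Prints "user method source" for every successful sshd login.
accepted_logins() {
  sed -nE 's/^.* sshd\[[0-9]+\]: Accepted (password|publickey|keyboard-interactive\/pam) for ([^ ]+) from ([^ ]+) port [0-9]+.*/\2 \1 \3/p'
}

# stdin: auth.log. Prints "service user" for each pam session-open event
# (sshd, gdm-password, sudo, cron, login ...).
session_opens() {
  sed -nE 's/^.* pam_unix\(([^:]+):session\): session opened for user ([^ ]+).*/\1 \2/p'
}

# stdin: auth.log. $1 = minimum failures (default 2). Reports a source that failed
# password auth at least that many times and then got an accepted login.
failed_then_success() {
  awk -v min="${1:-2}" '
    function field_after(key,   i) { for (i = 1; i < NF; i++) if ($i == key) return $(i + 1); return "" }
    / sshd\[[0-9]+\]: Failed password for / { fail[field_after("from")]++ }
    / sshd\[[0-9]+\]: Accepted / {
      src = field_after("from"); user = field_after("for")
      if (fail[src] >= min) print src " failed " fail[src] " times then succeeded as " user
    }'
}

# Constructed sample (not real events; documentation-range addresses).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar 11 09:14:02 host sshd[4021]: Accepted publickey for alice from 203.0.113.9 port 51422 ssh2: ED25519 SHA256:PLACEHOLDER
Mar 11 09:14:02 host sshd[4021]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 11 09:20:17 host sshd[4100]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar 11 09:20:19 host sshd[4100]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar 11 09:21:03 host sshd[4118]: Accepted password for root from 198.51.100.23 port 40100 ssh2
Mar 11 10:02:44 host gdm-password]: pam_unix(gdm-password:session): session opened for user bob by (uid=0)
Mar 11 10:05:00 host sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1001)
EOF
)

if [ "${1:-}" = "--live" ]; then
  accepted_logins < /var/log/auth.log
  session_opens < /var/log/auth.log
  failed_then_success 3 < /var/log/auth.log
fi
```

`session_opens` is the same check as grepping for `gdm-password` but keyed by service, so console, SSH and sudo sessions come out in one list; `last -f /var/log/wtmp` and `lastb -f /var/log/btmp` cover the binary login records the parsers above do not read.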
Find Autostarts T1547
Look for files within `/etc/init.d`, `/etc/rc.d`, and `/etc/systemd/system`.
User specific autostart scripts can be found in `~/.config/autostart` and `~/.config`.
Find Vim Use T1059.004
Look within the user `.viminfo` file saved in their home directory.
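Added example (not from the original page): read the machine-readable `|`-prefixed lines Vim writes into `.viminfo`, which give the files a user recently edited and the Ex commands they ran, each with a Unix timestamp. The sample is constructed; the `|4` (file mark) and `|2` (command history) layouts follow Vim's viminfo format as this example understands it. The sensitive-path list and helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: .viminfo hunting.

# stdin: .viminfo. Prints "<epoch> <path>" per file mark, newest first (Vim's order).
viminfo_files() {
  sed -nE 's/^\|4,[0-9]+,[0-9]+,[0-9]+,([0-9]+),"(.*)"$/\1 \2/p'
}

# stdin: .viminfo. Prints "<epoch> <command>" per command-line history entry.
viminfo_commands() {
  sed -nE 's/^\|2,0,([0-9]+),,"(.*)"$/\1 \2/p'
}

# Edits under paths an attacker tends to touch (hypothetical list).
viminfo_sensitive_edits() {
  viminfo_files | grep -E ' (/etc/|/root/|/home/[^/]+/\.ssh/|/var/spool/cron/)' || true
}

# Hunt every home directory's .viminfo (passwd-format file as $1, default /etc/passwd).
hunt_viminfo() {
  while IFS=: read -r user _ _ _ _ home _; do
    [ -r "$home/.viminfo" ] || continue
    printf '== %s\n' "$user"
    viminfo_sensitive_edits < "$home/.viminfo"
    viminfo_commands < "$home/.viminfo"
  done < "${1:-/etc/passwd}"
}

# Constructed sample: sshd_config edited to allow root login, plus a benign file.
SAMPLE_VIMINFO=$(cat <<'EOF'
# This viminfo file was generated by Vim 9.0.
# Command Line History (newest to oldest):
:wq
|2,0,1710000100,,"wq"
:%s/PermitRootLogin no/PermitRootLogin yes/
|2,0,1710000090,,"%s/PermitRootLogin no/PermitRootLogin yes/"

# File marks:
'0  3  0  /etc/ssh/sshd_config
|4,48,3,0,1710000100,"/etc/ssh/sshd_config"
'1  1  0  /home/bob/notes.txt
|4,49,1,0,1709999000,"/home/bob/notes.txt"
EOF
)

if [ "${1:-}" = "--live" ]; then hunt_viminfo; fi
```

Timestamps are left as epoch seconds so the output sorts and diffs cleanly; convert with `date -d @<epoch>` on GNU systems when reading by eye.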
Look within the user home directory for `.mozilla/firefox` or `.config/google-chrome` files.
Use dumpzilla.
Look for Kernel Exploits T1014
View log entries within `/var/log/kern.log` and `/var/log/dmesg`.
Use the `dmesg` command to find recent kernel events.
Look for log files with kernel in `/var/log/syslog`.
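Added example (not from the original page) serving this section and the USB section above: parse kernel messages from syslog, kern.log or `dmesg` output to reconstruct USB device attachments (bus id, vendor:product, serial, product name, and the disk node a mass-storage device got) and to surface module-taint and crash messages. The log lines are constructed; the `usb N-N: ...`, `loading out-of-tree module taints kernel` and `segfault at` message shapes are the kernel's. Helper names and the alert keyword list are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: kernel-log hunting (USB and taint/crash).

# stdin: syslog/kern.log/dmesg text. One line per attached USB device:
# "bus vendor:product serial product-name" ("-" where a field never appeared).
usb_devices() {
  awk '
    function bus_of(s) { sub(/.*usb /, "", s); sub(/:.*/, "", s); return s }
    /New USB device found/ {
      b = bus_of($0)
      v = $0; sub(/.*idVendor=/, "", v);  sub(/,.*/, "", v)
      p = $0; sub(/.*idProduct=/, "", p); sub(/,.*/, "", p)
      id[b] = v ":" p; order[++n] = b
    }
    /usb .*: SerialNumber: / { b = bus_of($0); ser[b] = $NF }
    /usb .*: Product: /      { b = bus_of($0); s = $0; sub(/.*Product: /, "", s); prod[b] = s }
    END {
      for (i = 1; i <= n; i++) {
        b = order[i]
        print b, id[b], (b in ser ? ser[b] : "-"), (b in prod ? prod[b] : "-")
      }
    }'
}

# stdin: kernel text. Prints the block device each removable disk was attached as.
usb_storage_disks() {
  sed -nE 's/^.*\[(sd[a-z]+)\] Attached SCSI removable disk.*/\1/p'
}

# stdin: kernel text. Surfaces module taint/signature failures and crashes, with the
# syslog prefix and "[ seconds ]" uptime stamp stripped so lines read like dmesg.
kernel_alerts() {
  grep -E 'taints kernel|tainting kernel|module verification failed|segfault at|general protection|Oops|BUG:' \
    | sed -E 's/^.*kernel: (\[ *[0-9.]+\] )?//'
}

# Constructed sample (placeholder vendor/product/serial, not a real device).
SAMPLE_KERN_LOG=$(cat <<'EOF'
Mar 12 08:01:22 host kernel: [ 1203.551] usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Mar 12 08:01:22 host kernel: [ 1203.702] usb 1-1.2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
Mar 12 08:01:22 host kernel: [ 1203.702] usb 1-1.2: Product: Example Flash Drive
Mar 12 08:01:22 host kernel: [ 1203.702] usb 1-1.2: Manufacturer: Example Corp
Mar 12 08:01:22 host kernel: [ 1203.702] usb 1-1.2: SerialNumber: 4C5300PLACEHOLDER
Mar 12 08:01:23 host kernel: [ 1204.100] usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar 12 08:01:24 host kernel: [ 1205.003] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 12 09:30:01 host kernel: [ 6521.411] sample_mod: loading out-of-tree module taints kernel.
Mar 12 09:30:01 host kernel: [ 6521.412] sample_mod: module verification failed: signature and/or required key missing - tainting kernel
Mar 12 09:31:15 host kernel: [ 6595.220] crashy[4412]: segfault at 0 ip 0000555555555131 sp 00007ffd12345678 error 4 in crashy[555555554000+1000]
EOF
)

if [ "${1:-}" = "--live" ]; then
  cat /var/log/syslog /var/log/kern.log 2>/dev/null | usb_devices
  dmesg 2>/dev/null | kernel_alerts
fi
```

`dmesg` only covers the current boot's ring buffer, so the file-based logs are what give history across reboots; `cat /proc/sys/kernel/tainted` is the quick live check that an unsigned or out-of-tree module has been loaded since boot.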