Linux Host Compromise Assessment involves systematically evaluating a Linux system to determine if it has been compromised and to identify the scope of any potential breach. This process typically includes analysing key system logs, such as /var/log/auth.log or /var/log/secure, to detect unauthorised access attempts, suspicious logins, or privilege escalation activities. Analysts also inspect running processes and services for unusual activity, such as unknown or malicious binaries, rogue processes, or unexpected network connections. File integrity checks are performed to detect changes to critical system files or configurations, while cron jobs and startup scripts are examined for persistence mechanisms.
Advanced assessments incorporate memory forensics and network traffic analysis to identify malware, rootkits, or data exfiltration attempts. Tools like chkrootkit, rkhunter, and forensic utilities such as Volatility can be employed to detect signs of stealthy threats. Security frameworks like MITRE ATT&CK provide a structured approach for mapping observed behaviours to adversarial tactics and techniques. The goal of a Linux Host Compromise Assessment is to identify indicators of compromise (IOCs), assess the extent of the intrusion, and develop remediation strategies to secure the host and prevent future incidents.
The following is a set of commands that can be used to triage and help determine the state of a potentially compromised host. The commands are designed to quickly grab the relevant information that will allow the investigator to determine whether the activity warrants deeper analysis or escalation.
Note: Depending on the distribution of the system being investigated, some of the commands below may not return the desired information; in that case, adapt the queries to the distribution at hand.
Collect General Information
Description: Display the current date and time. Verify the timezone.
Command: date
Example: date #Displaying the Current Date and Time
date +"%Y-%m-%d %H:%M:%S" #Displaying the Date in a Specific Format
sudo date -s "2025-01-14 13:53:00" #Setting the System Date and Time
date -u #Displaying the Date in UTC
Description: Timezone information
Command: cat
Example: cat /etc/timezone
Description: System information
Command: uname
Example: uname -a
Description: Network information (interfaces, addresses and the static interface configuration)
Command: ifconfig, cat
Example: ifconfig -a
cat /etc/network/interfaces
Description: Approximate date the OS was installed; check the directory's timestamp
Command: ls -ld
Example: ls -ld /var/log/installer
Description: Display distro version
Command: cat
Example: cat /etc/*-release
Investigating the executed commands of a user could give some context about an incident.
Description: Check command history
Command: history
Example: history
Description: Check all hidden files ending in "_history" in the user's home directory
Command: cat
Example: cat /home/$USER/.*_history
Description: Check the command history (specific to bash shell)
Command: cat
Example: cat /home/$USER/.bash_history
Description: Check the command history for the root user (specific to bash shell)
Command: cat
Example: cat /root/.bash_history
Description: Check the MySQL command history for the root user
Command: cat
Example: cat /root/.mysql_history
Description: Check the FTP command history
Command: cat
Example: cat /home/$USER/.ftp_history
Description: Check the SFTP command history
Command: cat
Example: cat /home/$USER/.sftp_history
Description: Check the VIM editor history
Command: cat
Example: cat /home/$USER/.viminfo
Description: Check the history of commands entered in the 'less' pager
Command: cat
Example: cat /home/$USER/.lesshst
Description: Check the Git configuration
Command: cat
Example: cat /home/$USER/.gitconfig
Description: List recent Git activity logs
Command: cat
Example: ls /home/$USER/.git/logs
Description: List Mozilla Firefox profiles, check history and downloads
Command: ls
Example: ls /home/$USER/.mozilla/firefox
Description: List Google Chrome profiles, check history and downloads
Command: ls
Example: ls /home/$USER/.config/google-chrome
Description: Search for relevant commands in the authentication logs excluding cron jobs
Command: grep
Example: grep -v cron /var/log/auth.log* | grep -i -e "command=" -e "su:" -e "groupadd" -e "useradd" -e "passwd"
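The auth.log filter above, run over constructed sample lines so its matching behaviour can be checked offline. This is an added example, not part of the original cheat sheet; hosts, users, PIDs and addresses in the sample are made up.

```shell
# Added example: exercise the page's auth.log filter on constructed log lines.
LC_ALL=C; export LC_ALL

# Constructed sample of /var/log/auth.log (not real data).
SAMPLE_AUTH_LOG='Jan 14 13:50:01 host CRON[2001]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 13:51:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan 14 13:52:30 host sshd[2042]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jan 14 13:53:05 host useradd[2077]: new user: name=svc_backup, UID=1002, GID=1002, home=/home/svc_backup, shell=/bin/bash
Jan 14 13:53:40 host passwd[2080]: pam_unix(passwd:chpasswd): password changed for svc_backup
Jan 14 13:54:02 host su: (to root) alice on pts/0
Jan 14 13:55:01 host CRON[2101]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)'

# The page's filter, reading stdin: drop cron noise, keep sudo commands, su and account changes.
# "grep -v cron" is case-sensitive: the uppercase CRON line above survives it and is only
# dropped because it matches none of the second grep's patterns; "grep -vi cron" is stricter.
triage_auth_log() {
    grep -v cron | grep -i -e "command=" -e "su:" -e "groupadd" -e "useradd" -e "passwd"
}

# Number of lines the filter keeps from the sample.
sample_hit_count() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | triage_auth_log | wc -l | tr -d ' '
}

# Quick summary of which programs produced the hits (field 5, with "[pid]:" stripped).
hit_programs() {
    triage_auth_log | awk '{ p = $5; sub(/\[[0-9]+\]/, "", p); sub(/:$/, "", p); print p }' | xargs
}
```

On a live host the same functions read the real log, e.g. `triage_auth_log < /var/log/auth.log`.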
Hunting Unusual Files
Description: Search for files modified within the last 5 days and review them for further inspection; change 5 as needed
Command: find
Example: find / -type f -mtime -5 | less
Description: Search for files modified within the last 5 days with "php" in their path and review them for further inspection
Command: find
Example: find / -type f -mtime -5 | grep "php"
Description: Find files modified in the last 10 days in the specified directories and review them
Command: find
Example: find /lib /usr/bin /usr/sbin -type f -newermt "$(date -d '10 days ago' +'%Y-%m-%d')"
Description: Find files modified within the last day and print their paths
Command: find
Example: find / -type f -mtime -1 -print
Description: Search for files larger than 10,000 kilobytes and print their paths
Command: find
Example: find / -size +10000k -print
Description: List files in /usr/bin directory with their inode numbers and sort them numerically
Command: ls
Example: ls -lai /usr/bin | sort -n
Description: List files in /bin directory recursively, sorted by modification time
Command: ls
Example: ls -laR --sort=time /bin
Description: Find files owned by root with the setuid or setgid bit set and print their paths
Command: find
Example: find / -user root \( -perm -04000 -o -perm -02000 \) -print
Description: List all devices in the /dev directory
Command: ls
Example: ls /dev
Logon activities
Review the logon activities of the compromised host.
Description: Check users who are currently logged in
Command: w
Example: w
Description: Last login information for all users; reads the binary /var/log/lastlog file
Command: lastlog
Example: lastlog
Description: List of last logged-in users and their login times
Command: last
Example: last -f /var/log/wtmp
Description: Failed login attempts
Command: last
Example: last -f /var/log/btmp
Description: CentOS and Red Hat Enterprise Linux (RHEL) equivalent of auth.log
Command: cat
Example: cat /var/log/secure
Review Processes
Review all running processes; the following commands can help identify potentially malicious processes.
Description: Interactive process viewer
Command: htop
Example: htop
Description: Currently running processes and their command lines
Command: ps
Example: ps aux
Description: List all open files associated with a specific process
Command: lsof
Example: lsof -p <PID>
Description: Directory under /proc that describes a specific process (status, command line, executable and working directory)
Command: ls, cat
Example: ls -la /proc/<PID>
cat /proc/<PID>/status
ls -l /proc/<PID>/exe /proc/<PID>/cwd
Description: Show process in tree view
Command: pstree
Example: pstree -a
Installed Programs
Description: Examine commands used for package installations from the APT history log for tracking software changes
Command: cat, grep
Example: cat /var/log/apt/history.log | grep "Commandline"
Description: Retrieve package names and their statuses from the dpkg status file for software inventory analysis
Command: cat, grep
Example: cat /var/lib/dpkg/status | grep -E "Package:|Status:"
Description: Review entries from the dpkg log file indicating installed packages for change analysis
Command: cat
Example: cat /var/log/dpkg.log | grep installed
Description: Identify executables in the /sbin directory that no installed package claims (dpkg -S reports "no path found" for them), for attribution
Command: find
Example: find /sbin/ -exec dpkg -S {} \; | grep "no path found"
Description: List executables in standard system directories for anomaly detection
Command: ls
Example: ls /usr/sbin /usr/bin /bin /sbin
Description: List files in the APT package cache directory for investigating downloaded packages
Command: ls
Example: ls /var/cache/apt/archives
Description: Find files modified within a specific date range (here, on 1 December 2020)
Command: find
Example: find / -type f \( -newermt "2020-12-01" -and ! -newermt "2020-12-02" \)
File Investigation
Description: Collect detailed metadata about the file for forensic analysis
Command: stat
Example: stat <filename>
Description: Identify the file type and format to understand its nature
Command: file
Example: file <filename>
Description: Extract human-readable strings from the file for potential clues or analysis
Command: strings
Example: strings <filename>
Description: Generate an MD5 checksum of the file to verify integrity and check against known malware signatures
Command: md5sum
Example: md5sum <filename> # submit to VT
Persistent Mechanisms
A persistent mechanism is a method used by attackers to maintain access to a compromised system across reboots or to ensure their malicious activities persist over time. Below is a potential list of the places attackers might add or modify to deploy their persistent access.
Review Accounts
Review user account information and activity on the system to identify potentially active user accounts, detect anomalies in user account configurations, find files belonging to non-existent users, extract password hashes for analysis, examine group information for privilege analysis, review sudo configurations for potential privilege escalation, investigate SSH authentication keys and known hosts for unauthorized access, and analyze recently used files for user activity.
Description: Identify potentially active user accounts
Command: cat
Example: cat /etc/passwd | grep bash
cat /etc/passwd | grep sh
cat /etc/passwd | grep dash
Description: Sort user accounts by their UID to detect anomalies
Command: sort
Example: sort -nk3 -t: /etc/passwd
Description: Find files belonging to non-existent users (indicators of unauthorized ac
Command: find
Example: find / -nouser -print
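The account checks above, done in one pass over a constructed /etc/passwd. This is an added example, not from the original cheat sheet; the account names and UIDs are made up. On a real host, feed the actual file, e.g. `extra_uid0_accounts < /etc/passwd`.

```shell
# Added example: account anomaly checks over a constructed /etc/passwd.
LC_ALL=C; export LC_ALL

# Constructed sample (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1002:1002::/home/svc_backup:/bin/sh
toor:x:0:0::/root:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin'

# Accounts that can actually log in: the shell field is not nologin/false. Unlike
# "grep sh", which also hits the name "sshd", this looks only at the shell field.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# UID 0 accounts other than root: a second superuser is a classic backdoor indicator.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs shared by more than one account, after sorting numerically on the UID field.
duplicate_uids() {
    sort -t: -k3,3n | awk -F: 'NR > 1 && $3 == prev { print $3 } { prev = $3 }' | sort -un
}
```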
Identify any scheduled tasks or suspicious activities that may have been configured to execute at specific times.
Description: View the configuration of the cron service managed by systemd
Command: cat
Example: cat /lib/systemd/system/cron.service
Description: View the cron tasks scheduled for a specific user
Command: crontab
Example: crontab -u <user> -l
Description: View the system-wide crontab file containing system cron tasks
Command: cat
Example: cat /etc/crontab
Description: Print all files in the /etc/cron.* directories, each preceded by its file name
Command: tail
Example: tail -n +1 /etc/cron.*/*
Description: List all user-specific cron files in the cron spool directory
Command: ls
Example: ls /var/spool/cron/crontabs/*
Description: List and view the jobs scheduled with the at command in the atjobs spool directory (requires root; /var/spool/at on RHEL-based systems)
Command: ls, cat
Example: ls -la /var/spool/cron/atjobs/
cat /var/spool/cron/atjobs/*
Services and Systemd
Examine systemd configurations and unit files to identify any modifications or suspicious configurations that may have been made to services or startup processes.
Description: List enabled services (matching the state column exactly, so "disabled" is not picked up) and check their associated start commands
Command: systemctl
Example: for service in $(systemctl list-unit-files --type=service | awk '$2 == "enabled" {print $1}'); do echo "Service: $service"; systemctl cat --no-pager "$service" | grep ExecStart= | sed 's/^/Command: /'; echo "--------------------------------------------------"; done
Description: List custom systemd unit files in /etc/systemd/system/
Command: ls
Example: ls /etc/systemd/system/
Description: List systemd unit files in /lib/systemd/system/
Command: ls
Example: ls /lib/systemd/system/
Description: List systemd system generators
Command: ls
Example: ls /lib/systemd/system-generators/*
Description: View the contents of the init.d scripts
Command: more
Example: more /etc/init.d/*
Description: List systemd user units in /lib/systemd/user/
Command: ls
Example: ls /lib/systemd/user/*
Description: List custom systemd user units in /etc/systemd/user/
Command: ls
Example: ls /etc/systemd/user/*
Description: List user systemd generators in /etc/systemd/user-generators/
Command: ls
Example: ls /etc/systemd/user-generators/*
Description: List user systemd generators in /usr/local/lib/systemd/user-generators/
Command: ls
Example: ls /usr/local/lib/systemd/user-generators/*
Description: List user systemd generators in /usr/lib/systemd/user-generators/
Command: ls
Example: ls /usr/lib/systemd/user-generators/*
SSH Daemon
Examine the configuration of the SSH daemon and related resource files
Description: View the SSH service configuration managed by systemd
Command: cat
Example: cat /lib/systemd/system/ssh.service
Uncover recently modified files that may indicate unauthorised activity or compromise.
Description: Find binaries modified within the last 10 days in the specified directories
Command: find
Example: find /lib /usr/bin /usr/sbin -type f -newermt "$(date -d '10 days ago' +'%Y-%m-%d')"
Description: List Python 3 related libraries and modules in /usr/lib directory
Command: ls
Example: ls /usr/lib/python3*
Pluggable Authentication Modules (PAM)
Description: Display contents of the PAM configuration file
Command: cat
Example: cat /etc/pam.conf
Description: List the PAM directory and review the per-service configuration files
Command: ls, cat
Example: ls /etc/pam.d/
cat /etc/pam.d/*
cat /etc/pam.d/sudo
Message of the Day (MOTD)
“motd” stands for “message of the day”. These scripts may contain important system status updates, notifications, or potentially malicious content inserted by attackers.
Description: Examine the scripts responsible for generating dynamic messages displayed to users upon login
Command: cat
Example: cat /etc/update-motd.d/*
Unusual System Resources
These commands provide information about system uptime, memory usage, and disk space usage, which can help identify abnormal behaviour such as high resource consumption, potential denial of service attacks, or disk space exhaustion.
Description: Display system uptime and load average
Command: uptime
Example: uptime
Description: Display disk space usage statistics
Command: df
Example: df
Hunting Rootkit
Hunting with third-party tools
Description: Detect rootkits on Linux systems
Command: chkrootkit
Example: chkrootkit
Description: Detect rootkits on Linux systems
Command: rkhunter
Example: rkhunter --check
Description: Comprehensive security auditing tool that includes checks for rootkits among other security issues
Command: lynis
Example: lynis audit system
Description: Compute file hashes so they can be compared against known good values (directories in the globs are skipped and their errors discarded)
Command: sha256sum
Example: sha256sum /bin/* /sbin/* /usr/bin/* /usr/sbin/* /lib/* /lib64/* /etc/* 2>/dev/null | sort > current_checksums.txt
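Turning the one-off hash listing above into a baseline-and-verify workflow. This is an added example, not from the original cheat sheet; the baseline must come from a known good system or the distro's package data, never from the suspect host itself, or the compromise gets baselined. The directory and files in the demonstration are constructed.

```shell
# Added example: baseline file hashes, then detect changed, missing and unlisted files.
LC_ALL=C; export LC_ALL

# Record a SHA-256 line for every regular file under directory $1 into baseline file $2.
make_baseline() {
    find "$1" -type f | sort | xargs sha256sum > "$2"
}

# Re-check baseline $1 and print the path of every file that changed or is now missing.
# sha256sum -c reports those as "path: FAILED" or "path: FAILED open or read".
verify_baseline() {
    sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Print files under $1 that have no entry in baseline $2 (dropped-in binaries, hidden files).
# A sha256sum line is 64 hex chars and two spaces before the path, so the path starts at column 67.
unlisted_files() {
    cut -c67- "$2" | sort > "$2.paths"
    find "$1" -type f | sort | comm -13 "$2.paths" -
}

# Self-contained demonstration on a constructed directory; prints "changed|added" basenames.
demo_integrity_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin"
    printf 'genuine ls\n' > "$tmp/bin/ls"
    printf 'genuine ps\n' > "$tmp/bin/ps"
    make_baseline "$tmp/bin" "$tmp/baseline.txt"
    printf 'trojaned ps\n' > "$tmp/bin/ps"     # simulated replaced binary
    rm "$tmp/bin/ls"                             # simulated deleted binary
    printf 'payload\n' > "$tmp/bin/.cache"       # simulated dropped-in hidden file
    changed=$(verify_baseline "$tmp/baseline.txt" | sed 's#.*/##' | xargs)
    added=$(unlisted_files "$tmp/bin" "$tmp/baseline.txt" | sed 's#.*/##' | xargs)
    rm -rf "$tmp"
    printf '%s|%s\n' "$changed" "$added"
}

case "${1:-}" in demo) demo_integrity_check ;; esac
```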
Disk imaging using dd
Collecting a disk image of the Linux system is essential for performing disk analysis offline. The image is used to find suspicious files and folders, recover deleted files and extract artifacts (triage) from the disk.
Description: List all devices to identify the disk device for disk imaging
Command: lsblk
Example: lsblk
Description: List partition tables for disk devices
Command: fdisk
Example: fdisk -l
Description: Perform disk imaging to an external disk or shared folder; replace "sdb" with the appropriate disk device identifier. conv=noerror,sync continues past unreadable blocks instead of aborting
Command: dd
Example: dd if=/dev/sdb of=/media/sf_tmp/linux_forensic.img bs=4M conv=noerror,sync status=progress
Description: Alternatively, use dcfldd to perform hashing while imaging
Command: dcfldd
Example: dcfldd if=/dev/sdb of=/media/sf_tmp/linux_forensic.img hash=sha256 hashwindow=1M hashlog=/media/sf_tmp/linux_forensic.hash
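Imaging with dd and then proving the copy is faithful by hashing source and image, which is roughly what dcfldd's hash= option provides when dcfldd is not installed. This is an added example, not from the original page; a constructed zero-filled 4 MiB file stands in for /dev/sdb so it runs without real hardware.

```shell
# Added example: dd imaging with size and hash verification on a constructed source.
LC_ALL=C; export LC_ALL

# Image $1 to $2. conv=noerror,sync carries on past unreadable blocks (writing zeros for them)
# instead of aborting. Because sync pads the final block to a full bs, choose a bs that divides
# the device size (512 always does) if the source and image hashes must match exactly.
image_device() {
    dd if="$1" of="$2" bs=1M conv=noerror,sync
}

# Hash a file. Hash the source device before it is unplugged; later sha256sum runs on the
# image file are compared against that value.
hash_file() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Compare sizes and hashes of source $1 and image $2; prints MATCH or MISMATCH.
verify_image() {
    src_size=$(wc -c < "$1"); img_size=$(wc -c < "$2")
    if [ "$src_size" -eq "$img_size" ] && [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then
        echo MATCH
    else
        echo MISMATCH
    fi
}

# Build the constructed 4 MiB "device", image it and keep the hash alongside the image.
setup_pair() {
    WORK=$(mktemp -d); SRC="$WORK/fake_sdb"; IMG="$WORK/linux_forensic.img"
    dd if=/dev/zero of="$SRC" bs=1M count=4 2>/dev/null
    image_device "$SRC" "$IMG" 2>/dev/null
    hash_file "$IMG" > "$IMG.sha256"
}

# Faithful copy: source and image agree.
demo_imaging() {
    setup_pair; verdict=$(verify_image "$SRC" "$IMG"); rm -rf "$WORK"; echo "$verdict"
}

# Tampered copy: a single changed byte in the image is caught.
demo_tamper_detected() {
    setup_pair
    printf 'X' | dd of="$IMG" bs=1 seek=100 conv=notrunc 2>/dev/null
    verdict=$(verify_image "$SRC" "$IMG"); rm -rf "$WORK"; echo "$verdict"
}
```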