Last login

$ lastlog
$ last

Users with login shells

$ cat /etc/passwd | grep sh$

List users’ cron

$ for user in $(cat /etc/passwd | cut -f1 -d: ); do echo $user; crontab -u $user -l; done

# users with shells only
$ for user in $(cat /etc/passwd | grep sh$ | cut -f1 -d: ); do echo $user; crontab -u $user -l; done

SSH authorized keys

$ find / -type f -name authorized_keys

Processes and Networking

Show process tree with username, TTY, and wide output.

$ ps auxfww

Process details

$ lsof -p [pid]

Show all connections don’t resolve names (IP only)

$ lsof -i -n
$ netstat -anp

# Look for tcp only
$ netstat -antp
$ ss -antp

List all services

$ service --status-all

List firewall rules

$ iptables --list-rules

List all timers

$ systemctl list-timers --all

Look to these file to see if the DNS has been poisoned.

/etc/hosts
/etc/resolv.conf

Files and Folders

Show list files and folder with nano timestamp, sort by modification time (newest).

$ ls --full-time -lt 

List all files that were modified on a specific date/time.

# List files which were modified on 2021-06-16 (YYYY-MM-DD)
$ find / -newermt "2021-06-16" -ls 2>/dev/null

# List files which were modified on 2021-05-01 until 2021-05-09 (9 days ago)
$ find / -newermt "2021-05-01" ! -newermt "2021-05-10" -ls 2>/dev/null

# List files which were modified on 2021-05-01 until 2021-05-09 (9 days ago) + add filter
$ find / -newermt "2021-05-01" ! -newermt "2021-05-10" -ls 2>/dev/null | grep -v 'filterone\|filtertwo'

# List files modified between 01:00 and 07:00 on June 16 2021.
$ find / -newermt "2021-06-16 01:00:00" ! -newermt "2021-06-16 07:00:00" -ls 2>/dev/null

# List files that were accessed exactly 2 days ago.
$ find / -atime 2 -ls 2>/dev/null

# List files that were modified in the last 2 days.
$ find / -mtime -2 -ls 2>/dev/null

File inspection

$ stat [file]
$ exiftool [file]

Observe changes in files

$ find . -type f -exec md5sum {} \; | awk '{print $1}' | sort | uniq -c | grep ' 1 ' | awk '{print $2	}'

Look for cap_setuid+ep in binary capabilities

$ getcap -r /usr/bin/
$ getcap -r /bin/
$ getcap -r / 2>/dev/null

SUID

$ find / -type f -perm -u=s 2>/dev/null

Log auditing

# 3rd party
$ aureport --tty

Persistence areas

Directories:

/etc/cron*/
/etc/incron.d/*
/etc/init.d/*
/etc/rc*.d/*
/etc/systemd/system/*
/etc/update.d/*
/var/spool/cron/*
/var/spool/incron/*
/var/run/motd.d/*

Files:

/etc/passwd
/etc/sudoers
/home/<user>/.ssh/authorized_keys
/home/<user>/.bashrc

References