mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
mukul975
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
333 lines
14 KiB
Markdown
333 lines
14 KiB
Markdown
---
|
|
name: analyzing-linux-system-artifacts
|
|
description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
|
|
evidence of compromise or unauthorized activity.
|
|
domain: cybersecurity
|
|
subdomain: digital-forensics
|
|
tags:
|
|
- forensics
|
|
- linux-forensics
|
|
- system-artifacts
|
|
- log-analysis
|
|
- persistence-detection
|
|
- incident-investigation
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- RS.AN-01
|
|
- RS.AN-03
|
|
- DE.AE-02
|
|
- RS.MA-01
|
|
---
|
|
|
|
# Analyzing Linux System Artifacts
|
|
|
|
## When to Use
|
|
- When investigating a compromised Linux server or workstation
|
|
- For identifying persistence mechanisms (cron, systemd, SSH keys)
|
|
- When tracing user activity through shell history and authentication logs
|
|
- During incident response to determine the scope of a Linux-based breach
|
|
- For detecting rootkits, backdoors, and unauthorized modifications
|
|
|
|
## Prerequisites
|
|
- Forensic image or live access to the Linux system (read-only)
|
|
- Understanding of Linux file system hierarchy (FHS)
|
|
- Knowledge of common Linux logging locations (/var/log/)
|
|
- Tools: chkrootkit, rkhunter, AIDE, auditd logs
|
|
- Familiarity with systemd, cron, and PAM configurations
|
|
- Root access for complete artifact collection
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Mount and Collect System Artifacts
|
|
|
|
```bash
|
|
# Mount forensic image read-only
|
|
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/linux_evidence.dd /mnt/evidence
|
|
|
|
# Create collection directories
|
|
mkdir -p /cases/case-2024-001/linux/{logs,config,users,persistence,network}
|
|
|
|
# Collect authentication logs
|
|
cp /mnt/evidence/var/log/auth.log* /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/secure* /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/syslog* /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/kern.log* /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/audit/audit.log* /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/wtmp /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/btmp /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/lastlog /cases/case-2024-001/linux/logs/
|
|
cp /mnt/evidence/var/log/faillog /cases/case-2024-001/linux/logs/
|
|
|
|
# Collect user artifacts
|
|
for user_dir in /mnt/evidence/home/*/; do
|
|
username=$(basename "$user_dir")
|
|
mkdir -p /cases/case-2024-001/linux/users/$username
|
|
cp "$user_dir"/.bash_history /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp "$user_dir"/.zsh_history /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp -r "$user_dir"/.ssh/ /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp "$user_dir"/.bashrc /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp "$user_dir"/.profile /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp "$user_dir"/.viminfo /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp "$user_dir"/.wget-hsts /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
cp "$user_dir"/.python_history /cases/case-2024-001/linux/users/$username/ 2>/dev/null
|
|
done
|
|
|
|
# Collect root user artifacts
|
|
cp /mnt/evidence/root/.bash_history /cases/case-2024-001/linux/users/root/ 2>/dev/null
|
|
cp -r /mnt/evidence/root/.ssh/ /cases/case-2024-001/linux/users/root/ 2>/dev/null
|
|
|
|
# Collect system configuration
|
|
cp /mnt/evidence/etc/passwd /cases/case-2024-001/linux/config/
|
|
cp /mnt/evidence/etc/shadow /cases/case-2024-001/linux/config/
|
|
cp /mnt/evidence/etc/group /cases/case-2024-001/linux/config/
|
|
cp /mnt/evidence/etc/sudoers /cases/case-2024-001/linux/config/
|
|
cp -r /mnt/evidence/etc/sudoers.d/ /cases/case-2024-001/linux/config/
|
|
cp /mnt/evidence/etc/hosts /cases/case-2024-001/linux/config/
|
|
cp /mnt/evidence/etc/resolv.conf /cases/case-2024-001/linux/config/
|
|
cp -r /mnt/evidence/etc/ssh/ /cases/case-2024-001/linux/config/
|
|
```
|
|
|
|
### Step 2: Analyze User Accounts and Authentication
|
|
|
|
```bash
|
|
# Analyze user accounts for anomalies
|
|
python3 << 'PYEOF'
|
|
print("=== USER ACCOUNT ANALYSIS ===\n")
|
|
|
|
# Parse /etc/passwd
|
|
with open('/cases/case-2024-001/linux/config/passwd') as f:
|
|
for line in f:
|
|
parts = line.strip().split(':')
|
|
if len(parts) >= 7:
|
|
username, _, uid, gid, comment, home, shell = parts[0], parts[1], int(parts[2]), int(parts[3]), parts[4], parts[5], parts[6]
|
|
|
|
# Flag accounts with UID 0 (root equivalent)
|
|
if uid == 0 and username != 'root':
|
|
print(f" ALERT: UID 0 account: {username} (shell: {shell})")
|
|
|
|
# Flag accounts with login shells that shouldn't have them
|
|
if shell not in ('/bin/false', '/usr/sbin/nologin', '/bin/sync') and uid >= 1000:
|
|
print(f" User: {username} (UID:{uid}, Shell:{shell}, Home:{home})")
|
|
|
|
# Flag system accounts with login shells
|
|
if uid < 1000 and uid > 0 and shell in ('/bin/bash', '/bin/sh', '/bin/zsh'):
|
|
print(f" WARNING: System account with shell: {username} (UID:{uid}, Shell:{shell})")
|
|
|
|
# Parse /etc/shadow for account status
|
|
print("\n=== PASSWORD STATUS ===")
|
|
with open('/cases/case-2024-001/linux/config/shadow') as f:
|
|
for line in f:
|
|
parts = line.strip().split(':')
|
|
if len(parts) >= 3:
|
|
username = parts[0]
|
|
pwd_hash = parts[1]
|
|
last_change = parts[2]
|
|
|
|
if pwd_hash and pwd_hash not in ('*', '!', '!!', ''):
|
|
hash_type = 'Unknown'
|
|
if pwd_hash.startswith('$6$'): hash_type = 'SHA-512'
|
|
elif pwd_hash.startswith('$5$'): hash_type = 'SHA-256'
|
|
elif pwd_hash.startswith('$y$'): hash_type = 'yescrypt'
|
|
elif pwd_hash.startswith('$1$'): hash_type = 'MD5 (WEAK)'
|
|
print(f" {username}: {hash_type} hash, last changed: day {last_change}")
|
|
PYEOF
|
|
|
|
# Analyze login history
|
|
last -f /cases/case-2024-001/linux/logs/wtmp > /cases/case-2024-001/linux/analysis/login_history.txt
|
|
lastb -f /cases/case-2024-001/linux/logs/btmp > /cases/case-2024-001/linux/analysis/failed_logins.txt 2>/dev/null
|
|
```
|
|
|
|
### Step 3: Examine Persistence Mechanisms
|
|
|
|
```bash
|
|
# Check cron jobs for all users
|
|
echo "=== CRON JOBS ===" > /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
|
|
# System cron
|
|
for cronfile in /mnt/evidence/etc/crontab /mnt/evidence/etc/cron.d/*; do
|
|
echo "--- $cronfile ---" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
cat "$cronfile" 2>/dev/null >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
echo "" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
done
|
|
|
|
# User cron tabs
|
|
for cronfile in /mnt/evidence/var/spool/cron/crontabs/*; do
|
|
echo "--- User crontab: $(basename $cronfile) ---" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
cat "$cronfile" 2>/dev/null >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
echo "" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
|
|
done
|
|
|
|
# Check systemd services for persistence
|
|
echo "=== SYSTEMD SERVICES ===" > /cases/case-2024-001/linux/persistence/systemd_analysis.txt
|
|
find /mnt/evidence/etc/systemd/system/ -name "*.service" -newer /mnt/evidence/etc/os-release \
|
|
>> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
|
|
|
|
for svc in /mnt/evidence/etc/systemd/system/*.service; do
|
|
echo "--- $(basename $svc) ---" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
|
|
cat "$svc" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
|
|
echo "" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
|
|
done
|
|
|
|
# Check authorized SSH keys (backdoor detection)
|
|
echo "=== SSH AUTHORIZED KEYS ===" > /cases/case-2024-001/linux/persistence/ssh_keys.txt
|
|
find /mnt/evidence/home/ /mnt/evidence/root/ -name "authorized_keys" -exec sh -c \
|
|
'echo "--- {} ---"; cat {}; echo ""' \; >> /cases/case-2024-001/linux/persistence/ssh_keys.txt
|
|
|
|
# Check rc.local and init scripts
|
|
cat /mnt/evidence/etc/rc.local 2>/dev/null > /cases/case-2024-001/linux/persistence/rc_local.txt
|
|
|
|
# Check /etc/profile.d/ for login-triggered scripts
|
|
ls -la /mnt/evidence/etc/profile.d/ > /cases/case-2024-001/linux/persistence/profile_scripts.txt
|
|
|
|
# Check for LD_PRELOAD hijacking
|
|
grep -r "LD_PRELOAD" /mnt/evidence/etc/ 2>/dev/null > /cases/case-2024-001/linux/persistence/ld_preload.txt
|
|
cat /mnt/evidence/etc/ld.so.preload 2>/dev/null >> /cases/case-2024-001/linux/persistence/ld_preload.txt
|
|
```
|
|
|
|
### Step 4: Analyze Shell History and Command Execution
|
|
|
|
```bash
|
|
# Analyze bash history for each user
|
|
python3 << 'PYEOF'
|
|
import os, glob
|
|
|
|
print("=== SHELL HISTORY ANALYSIS ===\n")
|
|
|
|
suspicious_commands = [
|
|
'wget', 'curl', 'nc ', 'ncat', 'netcat', 'python -c', 'python3 -c',
|
|
'perl -e', 'base64', 'chmod 777', 'chmod +s', '/dev/tcp', '/dev/udp',
|
|
'nmap', 'masscan', 'hydra', 'john', 'hashcat', 'passwd', 'useradd',
|
|
'iptables -F', 'ufw disable', 'history -c', 'rm -rf /', 'dd if=',
|
|
'crontab', 'at ', 'systemctl enable', 'ssh-keygen', 'scp ', 'rsync',
|
|
'tar czf', 'zip -r', 'openssl enc', 'gpg --encrypt', 'shred',
|
|
'chattr', 'setfacl', 'awk', '/tmp/', '/dev/shm/'
|
|
]
|
|
|
|
for hist_file in glob.glob('/cases/case-2024-001/linux/users/*/.bash_history'):
|
|
username = hist_file.split('/')[-2]
|
|
print(f"User: {username}")
|
|
|
|
with open(hist_file, 'r', errors='ignore') as f:
|
|
lines = f.readlines()
|
|
|
|
print(f" Total commands: {len(lines)}")
|
|
flagged = []
|
|
for i, line in enumerate(lines):
|
|
line = line.strip()
|
|
for cmd in suspicious_commands:
|
|
if cmd in line.lower():
|
|
flagged.append((i+1, line))
|
|
break
|
|
|
|
if flagged:
|
|
print(f" Suspicious commands: {len(flagged)}")
|
|
for lineno, cmd in flagged:
|
|
print(f" Line {lineno}: {cmd[:120]}")
|
|
print()
|
|
PYEOF
|
|
```
|
|
|
|
### Step 5: Check for Rootkits and Modified Binaries
|
|
|
|
```bash
|
|
# Check for known rootkit indicators
|
|
# Compare system binary hashes against known-good
|
|
find /mnt/evidence/usr/bin/ /mnt/evidence/usr/sbin/ /mnt/evidence/bin/ /mnt/evidence/sbin/ \
|
|
-type f -executable -exec sha256sum {} \; > /cases/case-2024-001/linux/analysis/binary_hashes.txt
|
|
|
|
# Check for SUID/SGID binaries (potential privilege escalation)
|
|
find /mnt/evidence/ -perm -4000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/suid_files.txt
|
|
find /mnt/evidence/ -perm -2000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/sgid_files.txt
|
|
|
|
# Check for suspicious files in /tmp and /dev/shm
|
|
find /mnt/evidence/tmp/ /mnt/evidence/dev/shm/ -type f 2>/dev/null \
|
|
-exec file {} \; > /cases/case-2024-001/linux/analysis/tmp_files.txt
|
|
|
|
# Check for hidden files and directories
|
|
find /mnt/evidence/ -name ".*" -not -path "*/\." -type f 2>/dev/null | \
|
|
head -100 > /cases/case-2024-001/linux/analysis/hidden_files.txt
|
|
|
|
# Check kernel modules
|
|
ls -la /mnt/evidence/lib/modules/$(ls /mnt/evidence/lib/modules/ | head -1)/extra/ 2>/dev/null \
|
|
> /cases/case-2024-001/linux/analysis/extra_modules.txt
|
|
|
|
# Check for modified PAM configuration (authentication backdoors)
|
|
diff /mnt/evidence/etc/pam.d/ /cases/baseline/pam.d/ 2>/dev/null \
|
|
> /cases/case-2024-001/linux/analysis/pam_changes.txt
|
|
```
|
|
|
|
## Key Concepts
|
|
|
|
| Concept | Description |
|
|
|---------|-------------|
|
|
| /var/log/auth.log | Primary authentication log on Debian/Ubuntu systems |
|
|
| /var/log/secure | Primary authentication log on RHEL/CentOS systems |
|
|
| wtmp/btmp | Binary logs recording successful and failed login sessions |
|
|
| .bash_history | User command history file (can be cleared by attackers) |
|
|
| crontab | Scheduled task system commonly used for persistence |
|
|
| authorized_keys | SSH public keys granting passwordless access to an account |
|
|
| SUID bit | File permission allowing execution as the file owner (privilege escalation vector) |
|
|
| LD_PRELOAD | Environment variable that loads a shared library before all others (hooking technique) |
|
|
|
|
## Tools & Systems
|
|
|
|
| Tool | Purpose |
|
|
|------|---------|
|
|
| chkrootkit | Rootkit detection scanner for Linux systems |
|
|
| rkhunter | Rootkit Hunter - checks for rootkits, backdoors, and local exploits |
|
|
| AIDE | Advanced Intrusion Detection Environment - file integrity monitor |
|
|
| auditd | Linux audit framework for system call and file access monitoring |
|
|
| last/lastb | Parse wtmp/btmp for login and failed login history |
|
|
| Plaso/log2timeline | Super-timeline creation including Linux artifacts |
|
|
| osquery | SQL-based system querying for live forensic investigation |
|
|
| Velociraptor | Endpoint agent with Linux artifact collection capabilities |
|
|
|
|
## Common Scenarios
|
|
|
|
**Scenario 1: SSH Brute Force Followed by Compromise**
|
|
Analyze auth.log for failed SSH attempts followed by success, identify the attacking IP, check .bash_history for post-compromise commands, examine authorized_keys for added backdoor keys, check crontab for persistence, review network connections.
|
|
|
|
**Scenario 2: Web Server Compromise via Application Vulnerability**
|
|
Examine web server access and error logs for exploitation attempts, check /tmp and /dev/shm for webshells, analyze the web server user's activity (www-data), check for privilege escalation via SUID binaries or kernel exploits, review outbound connections.
|
|
|
|
**Scenario 3: Insider Threat on Database Server**
|
|
Analyze the suspect user's bash_history for database dump commands, check for large tar/zip files in home directory or /tmp, examine scp/rsync commands for data transfer, review cron jobs for automated exfiltration, check USB device logs.
|
|
|
|
**Scenario 4: Crypto-Miner on Cloud Instance**
|
|
Check for high-CPU processes in /proc (live) or systemd service files, examine crontab entries for miner restart scripts, check /tmp for mining binaries, analyze network connections for mining pool communications, review authorized_keys for attacker access.
|
|
|
|
## Output Format
|
|
|
|
```
|
|
Linux Forensics Summary:
|
|
System: webserver01 (Ubuntu 22.04 LTS)
|
|
Hostname: webserver01.corp.local
|
|
Kernel: 5.15.0-91-generic
|
|
|
|
User Accounts:
|
|
Total: 25 (3 with UID 0 - 1 ANOMALOUS)
|
|
Interactive shells: 8 users
|
|
Recently created: admin2 (created 2024-01-15)
|
|
|
|
Authentication Events:
|
|
Successful SSH logins: 456
|
|
Failed SSH attempts: 12,345 (from 23 unique IPs)
|
|
Sudo executions: 89
|
|
|
|
Persistence Mechanisms Found:
|
|
Cron jobs: 3 suspicious (reverse shell, miner restart)
|
|
Systemd services: 1 unknown (update-checker.service)
|
|
SSH keys: 2 unauthorized keys in root authorized_keys
|
|
rc.local: Modified with download cradle
|
|
|
|
Suspicious Activity:
|
|
- bash_history contains wget to pastebin URL
|
|
- SUID binary /tmp/.hidden/escalate found
|
|
- /dev/shm/ contains compiled ELF binary
|
|
- LD_PRELOAD in /etc/ld.so.preload pointing to /lib/.hidden.so
|
|
|
|
Report: /cases/case-2024-001/linux/analysis/
|
|
```
|