gettinganattackeripaddressfromamaliciousatjob-rowland2019
2025-04-01
Getting an Attacker IP Address from a Malicious Linux At Job
July 25, 2019
https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
| Notes |
|---|
| Linux |
| persistence |
| cron |
| at job |
| atd |
| at command |
| atq command |
| scheduled job |
| incident response |
| checking for at jobs, cron jobs during incident response is mandatory |
| at jobs tend to include the adding user’s environment, including SSH_CLIENT, SSH_CONNECTION |
| SSH_CLIENT |
| SSH_CONNECTION |
| Sandfly |
Linux Persistence: Modular Software
2025-04-17 DFIR CTF persistence linux persistence apache asterisk
Linux Persistence: Web Shells
2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP
Linux Persistence: Rootkits
2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking
Defanging Linux LKM Rootkits With cleanup_module()
2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit