Hal Pomeranz (@hal_pomeranz): "Interesting question: will auditd log the leading spaces if the attacker tries to put space at the beginning of a command-line to avoid history?" | nitter

Jake Williams @MalwareJake

11 Sep 2020

A client just asked for info on *nix commands that are most often run by attackers vs. legitimate users that we can find with auditd. Some things I thought of: ssh tunneling params stunnel nc cat/head/tail/more/less <critical config files> What else? Any cheat sheets out there?

50

32

3

180

Hal Pomeranz @hal_pomeranz

11 Sep 2020

Replying to @MalwareJake

Interesting question: will auditd log the leading spaces if the attacker tries to put space at the beginning of a command-line to avoid history?

Sep 11, 2020 · 11:19 PM UTC

2

10

Jake Williams @MalwareJake

11 Sep 2020

Replying to @hal_pomeranz

Ooh, I don't know.

1

3

Dak @d_a_keldsen

12 Sep 2020

Replying to @hal_pomeranz @MalwareJake

No. You’d have to instrument the leader in the shell to get that. But an instrumented shell isn’t a bad idea anyhow.