Another fun Linux command line: "sudo ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / && !/\/usr\/(lib(exec)?|s?bin)\// {print $9, $10, $11}' | sed 's,/proc/\([0-9]*\)/exe,\1,'" Display PIDs with non-standard EXE paths

Dec 13, 2021 · 4:13 PM UTC

Or just try: "ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / {print $NF}' | sort" Shows all EXE paths in sorted order, making it easier to spot outliers #log4j

FYI recent malware uses LD_PRELOAD to hide behind legit exe paths. sansec.io/research/nginrat
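
The LD_PRELOAD point in the last reply means an EXE-path listing alone can look clean. As an added example (not part of the thread), this shell function lists processes that have LD_PRELOAD in their environment or that map shared objects from outside the standard library directories; the function name, the ROOT argument and the directory list are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag processes with LD_PRELOAD set, or with shared objects
# mapped from outside the usual library directories.
# scan_preload ROOT -- ROOT is a procfs mount (normally /proc). Taking it as
# an argument is an assumption of this example so it can run on a test tree.
scan_preload() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # Kernel threads and inaccessible processes have no readable exe link.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        # environ is NUL-separated and reflects the environment at exec time.
        if [ -r "$dir/environ" ]; then
            tr '\0' '\n' 2>/dev/null < "$dir/environ" |
                while IFS= read -r kv; do
                    case $kv in
                        LD_PRELOAD=?*)
                            printf '%s %s env:%s\n' "$pid" "$exe" "${kv#LD_PRELOAD=}" ;;
                    esac
                done
        fi
        # Column 6 of maps is the backing file. Report each .so that is not
        # under a standard library path (list is an assumption; adjust it).
        if [ -r "$dir/maps" ]; then
            awk -v pid="$pid" -v exe="$exe" '
                $6 ~ /\.so(\.[0-9]+)*$/ &&
                $6 !~ /^\/(usr\/)?(lib|lib32|lib64|libexec)\// &&
                !seen[$6]++ { print pid, exe, "map:" $6 }
            ' "$dir/maps" 2>/dev/null
        fi
    done
}

# Scan the live system only when asked: sudo sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_preload /proc
fi
```

Run it as root so every process's environ and maps are readable. A library loaded through /etc/ld.so.preload does not appear in environ but still shows up in the maps check.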