Hal Pomeranz · Dec 13, 2021 · 4:13 PM UTC

Hal Pomeranz · Dec 13, 2021 · 4:13 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

13 Dec 2021

Another fun Linux command line: "sudo ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / && !/\/usr\/(lib(exec)?|s?bin)\// {print $9, $10, $11}' | sed 's,/proc/$[0-9]*$/exe,\1,'" Display PIDs with non-standard EXE paths

Dec 13, 2021 · 4:13 PM UTC

284

Hal Pomeranz · Dec 13, 2021 · 4:22 PM UTC

Hal Pomeranz @hal_pomeranz

13 Dec 2021

Or just try: "ls -l /proc/[0-9]*/exe 2>/dev/null | awk '/ -> / {print $NF}' | sort" Shows all EXE paths in sorted order making it easier to spot outliers #log4j

gwillem · Dec 13, 2021 · 7:16 PM UTC

gwillem @gwillem

13 Dec 2021

Replying to @hal_pomeranz @CraigHRowland

FYI recent malware uses LD_PRELOAD to hide behind legit exe paths. sansec.io/research/nginrat

NginRAT parasite targets Nginx

sansec.io