Linux Threat Hunting — Know your Penguins

Penguin awareness :)
  1. Auditd — This module establishes a subscription to the kernel to receive the events as they occur. To capture these events, the specific rules can be written based on the requirements. Well-extracted rulesets can be referred from here [ Florian Roth’s rules :) ]
  2. File Integrity — It checks integrity of the file systems.
  3. System — This module is specific for collecting the 5 types of data sets i.e., host, login, process, socket, user. The detailed information can be read here.


lazagne executed on endpoint for password dumping
python utility is used to dump password from memory
systemctl utility is used to “initialize” auditbeat service
nano editor is used to create cron jobs
chmod utility is used to set those two flags
mkdir utility is used to create hidden directories
touch utility is used for timestomping




Incident Handler, Security Operations

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Restoring your address from coinbase wallet to metamask

User Identities Exposed in Asia

Encrypting Viruses And Other Malicious Software

WebRTC Browser Security: Real-Time Communications for B2B

Online Age Verification: How to Prevent Sales to Minors Without Alienating Legitimate Customers

GSoC with OpenMRS — Week 6 Update

{UPDATE} Firefighter Truck Simulator 3D Hack Free Resources Generator

DeFiner 2.0 Milestones Revealed

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abhijith Rao

Abhijith Rao

Incident Handler, Security Operations

More from Medium

Transform your security operations with Cetas Autonomous Incident Responder, the futuristic…

Advisory and Exploitation: The MELAG FTP Server

The 5 W’s of Threat Modeling

How To Establish Messaging & Mentoring During The Selection Of A Cyber Security Platform