Linux find-based artifact triage across planted filenames
Foundations Linux engagement: SSH as new-user; find/grep/sha1sum/wc/ls -ln located planted files by group, IP content, hash, line count, UID, and world-execute bit.
- Case files
- Linux find-based artifact triage across planted filenames
Twelve opaque filenames were scattered on disk. Scripted find pipelines attributed ownership, content, hashes, and permissions without manual path guessing.
find -group, grep -lE for IPv4, and sha1sum identified D8B3/v2Vb, oiMO, and c4ZX.
wc -l outlier bny0; ls -ln UID 502 → X1Uy; rwxrwxr-x → 8V2L.
Engagement summary
Twelve opaque filenames were scattered on disk. Scripted find pipelines attributed ownership, content, hashes, and permissions without manual path guessing.
NINJA SKILLS provided SSH (new-user:new-user) and a list of artifact names (8V2L, bny0, c4ZX, D8B3, …). find from / with OR’d -name predicates answered each investigative question: -group best-group → D8B3 and v2Vb; grep IPv4 → oiMO; sha1sum match → c4ZX; wc -l anomaly → bny0; UID 502 → X1Uy; world-executable → 8V2L. This is the same pattern SOC/IR uses when hunting known IOCs by name across a filesystem.
Business impact
Operators who cannot script filesystem triage waste hours on host compromise. Standardize find/grep/hash playbooks for IR; ensure least-privilege so analysts can read artifacts without full root when possible.
Group, IP content, and SHA1 match
find -group, grep -lE for IPv4, and sha1sum identified D8B3/v2Vb, oiMO, and c4ZX.
OPERATOR · FIND
savvy@lab:~$ ssh new-user@10.10.10.50
savvy@lab:~$
savvy@lab:~$ find / -type f \( -name "8V2L" -o -name "bny0" -o -name "c4ZX" -o -name "D8B3" -o -name "FHl1" -o -name "oiMO" -o -name "PFbD" -o -name "rmfX" -o -name "SRSq" -o -name "uqyw" -o -name "v2Vb" -o -name "X1Uy" \) -group best-group 2>/dev/null
/mnt/D8B3 /home/v2Vb
savvy@lab:~$ find / -type f \( ... \) -exec grep -lE '([0-9]{1,3}\.){3}[0-9]{1,3}' {} \; 2>/dev/null
/opt/oiMO
savvy@lab:~$ find / -type f \( ... \) -exec sha1sum {} \; 2>/dev/null | grep 9d54da7584015647
9d54da7584015647ba052173b84d45e8007eba94 /mnt/c4ZX
Line count, UID 502, and world-execute
wc -l outlier bny0; ls -ln UID 502 → X1Uy; rwxrwxr-x → 8V2L.
OPERATOR · META
savvy@lab:~$ find / \( -name ... \) -exec wc -l {} \; 2>/dev/null
# most files 209 lines; bny0 absent → 230-line target
savvy@lab:~$ find / -type f \( ... \) -exec ls -ln {} \; 2>/dev/null | grep ' 502 '
-rw-rw-r-- 1 502 501 ... /X1Uy
-rwxrwxr-x 1 501 501 ... /etc/8V2L
Remediation
Keep IR runbooks with canned find predicates. Restrict world-execute on system paths; monitor unexpected UID ownership on sensitive mounts.