Execution / User activities

A set of locations where proofs of execution and user activities can be searched for.

Shell history

Commands issued in Bash or similar shells (zsh, ksh, etc.) are by default logged into their respective history files. The name of the file depends on the interpreter used. By default, Bash records no timestamps in its history, but zsh does.

While it is easily bypassed, it is still a surprisingly valuable place to look.

Location

<user_profile>/.bash_history

User profiles are not always in /home/<user>. A search in /etc/passwd gives a quick overview of each user's home directory and login shell.

Shell history can easily be disabled and re-enabled, bypassed or altered without leaving much evidence.
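The two checks described above (find every user's real home directory from /etc/passwd, then read the history file that matches the user's shell), as an added example that is not part of the original page. The /etc/passwd and history contents below are constructed samples; the mapping of shell name to history file name, the zsh EXTENDED_HISTORY line layout (": <epoch>:<duration>;<command>") and the Bash HISTTIMEFORMAT layout ("#<epoch>" on the line before each command) are what the parser assumes. Entries without a timestamp are kept with None so that gaps in the timeline remain visible.

```python
import os
import re

# Constructed sample of /etc/passwd: "svc" lives outside /home and uses zsh
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:Service:/opt/svc:/bin/zsh
"""

# Constructed Bash history written with HISTTIMEFORMAT set ("#<epoch>" precedes a command)
BASH_SAMPLE = """ls -la
#1700000000
cat /etc/hosts
#1700000060
history -c
"""

# Constructed zsh history written with EXTENDED_HISTORY (": <epoch>:<duration>;<command>")
ZSH_SAMPLE = """: 1700000100:0;whoami
: 1700000105:2;export HISTSIZE=0
ls
"""

# Assumed default history file name per interpreter; adjust to the host's HISTFILE settings
HISTORY_FILES = {"bash": ".bash_history", "zsh": ".zsh_history", "ksh": ".sh_history"}

# Commands that commonly indicate history was cleared or disabled (detection hint only)
TAMPER_PATTERNS = re.compile(r"(history\s+-c|unset\s+HISTFILE|HISTSIZE=0|HISTFILESIZE=0)")

ZSH_EXTENDED = re.compile(r"^: (\d+):(\d+);(.*)$")


def interactive_users(passwd_text):
    """Map each login-capable user to (home, shell); skip nologin/false shells."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _uid, _gid, _gecos, home, shell = line.split(":", 6)
        if shell.endswith(("nologin", "false")):
            continue
        users[name] = (home, shell)
    return users


def history_path(home, shell):
    """Expected history file for a user, chosen from the shell's basename."""
    name = HISTORY_FILES.get(os.path.basename(shell), ".sh_history")
    return os.path.join(home, name)


def history_status(path):
    """'missing', 'devnull' (symlinked to /dev/null), 'empty' or 'present'."""
    if not os.path.lexists(path):
        return "missing"
    if os.path.islink(path) and os.path.realpath(path) == "/dev/null":
        return "devnull"
    return "empty" if os.path.getsize(path) == 0 else "present"


def parse_history(text, shell):
    """Return [(epoch_or_None, command)] for Bash or zsh history text."""
    entries = []
    pending_ts = None
    for line in text.splitlines():
        if os.path.basename(shell) == "zsh":
            m = ZSH_EXTENDED.match(line)
            entries.append((int(m.group(1)), m.group(3)) if m else (None, line))
            continue
        if line.startswith("#") and line[1:].isdigit():
            pending_ts = int(line[1:])  # timestamp applies to the next command line
            continue
        entries.append((pending_ts, line))
        pending_ts = None
    return entries


def tamper_indicators(entries):
    """Commands in a history that suggest the history itself was cleared or disabled."""
    return [cmd for _ts, cmd in entries if TAMPER_PATTERNS.search(cmd)]


if __name__ == "__main__":
    for user, (home, shell) in interactive_users(PASSWD_SAMPLE).items():
        path = history_path(home, shell)
        print(f"{user:8} {path:32} {history_status(path)}")
    print(tamper_indicators(parse_history(BASH_SAMPLE, "/bin/bash")))
```

On a live system you would replace the samples with the real /etc/passwd and the file returned by history_path; a history that is "missing", "empty" or linked to /dev/null for an otherwise active user is itself a finding worth noting alongside the auditd and sudo sources listed below.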

Vim

By default, vim keeps track of the files opened or edited with it.

Location

<user_profile>/.viminfo
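A small parser for the file-tracking part of .viminfo, added here as an example and not taken from the original page. It reads the Vim 8 text layout as this example assumes it: a "> <path>" line opens a per-file block whose tab-indented "*" line carries the epoch of the last visit, and command-line history is stored as '|2,0,<epoch>,"<command>"' bar lines. The .viminfo excerpt is a constructed sample; the timeline merges both artifact types so that a file visit can be read next to the commands run at the same time.

```python
import re
from datetime import datetime, timezone

# Constructed .viminfo excerpt (Vim 8 layout as assumed above)
VIMINFO_SAMPLE = """# This viminfo file was generated by Vim 8.2.
# Command Line History (newest to oldest):
:wq
|2,0,1700000200,"wq"
:%s/old/new/g
|2,0,1700000190,"%s/old/new/g"

# History of marks within files (newest to oldest):

> /etc/ssh/sshd_config
\t*\t1700000200\t0
\t"\t12\t0
\t.\t12\t0

> /etc/shadow
\t*\t1699990000\t0
\t"\t1\t0
"""

FILE_LINE = re.compile(r"^> (.+)$")              # start of a per-file mark block
VISIT_LINE = re.compile(r"^\t\*\t(\d+)\t")       # last-visit epoch inside that block
CMD_BAR = re.compile(r'^\|2,0,(\d+),"(.*)"$')    # command-line history with epoch


def parse_viminfo(text):
    """Return (files, commands): [(epoch, path)] and [(epoch, ':command')]."""
    files, commands = [], []
    current = None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VISIT_LINE.match(line)
        if m and current is not None:
            files.append((int(m.group(1)), current))
            current = None
            continue
        m = CMD_BAR.match(line)
        if m:
            commands.append((int(m.group(1)), ":" + m.group(2)))
    return files, commands


def timeline(text):
    """Chronological list of (iso_utc, kind, detail) from files and commands."""
    files, commands = parse_viminfo(text)
    events = [(ts, "file", p) for ts, p in files] + [(ts, "cmd", c) for ts, c in commands]
    events.sort()
    return [(datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), kind, d)
            for ts, kind, d in events]


if __name__ == "__main__":
    for when, kind, detail in timeline(VIMINFO_SAMPLE):
        print(when, kind, detail)
```

Because the "*" line is the last visit only, a file edited several times shows a single entry; correlate with file modification times and the shell history of the same user when the order of edits matters.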

Auditd

An excellent place to look if you are lucky enough to have audit logs as well as enough retention.

Location

/var/audit

/etc/security

Sudo

Commands issued with sudo are logged into the auth file. This does not apply to commands issued after a sudo su, though the su itself will be logged.

Location

/var/log/auth.log
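A parser for the sudo and su lines in auth.log, added as an example rather than code from the original page. The log excerpt is constructed in the syslog layout that sudo and su produce. Besides listing each sudo command with its user, target account and TTY, it flags the "pivot" events the text describes: a sudo whose command is su or a shell is the last line sudo writes for that session, so everything after it must be reconstructed from auditd or the root shell history. Denied attempts ("command not allowed") are also surfaced, since they are logged in the same place.

```python
import os
import re

# Constructed /var/log/auth.log excerpt (syslog layout written by sudo and su)
AUTH_LOG_SAMPLE = """Nov 14 10:21:33 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Nov 14 10:22:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su
Nov 14 10:22:01 host1 su: (to root) alice on pts/0
Nov 14 10:22:01 host1 su: pam_unix(su:session): session opened for user root(uid=0) by alice(uid=1000)
Nov 14 10:30:45 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Nov 14 10:35:12 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
# sudo writes "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_LINE = re.compile(
    TS + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<reason>.*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# su writes "(to <target>) <user> on <tty>"
SU_LINE = re.compile(TS + r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")

# Commands that hand the caller an interactive shell; sudo logs this line and nothing after it
SHELL_BINARIES = {"su", "bash", "sh", "zsh", "dash"}


def parse_auth_log(text):
    """Return one dict per sudo or su event; other lines (sshd, pam) are ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = "sudo"
            e["denied"] = e["reason"] is not None   # e.g. "command not allowed"
            events.append(e)
            continue
        m = SU_LINE.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = "su"
            events.append(e)
    return events


def shell_pivots(events):
    """Successful sudo events whose command is su or a shell: the logging gap starts here."""
    out = []
    for e in events:
        if e["kind"] != "sudo" or e["denied"]:
            continue
        binary = os.path.basename(e["cmd"].split()[0])
        if binary in SHELL_BINARIES:
            out.append((e["ts"], e["user"], e["target"], e["cmd"]))
    return out


def denied_attempts(events):
    """sudo invocations that were refused, with the reason sudo logged."""
    return [(e["ts"], e["user"], e["reason"], e["cmd"])
            for e in events if e["kind"] == "sudo" and e["denied"]]


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG_SAMPLE)
    for e in evs:
        print(e["ts"], e["kind"], e["user"], "->", e["target"], e.get("cmd", ""))
    print("pivots:", shell_pivots(evs))
    print("denied:", denied_attempts(evs))
```

The timestamps in this log format carry no year and no timezone, so when building a timeline across sources, resolve them against the file's modification time and the host's configured zone before comparing with epoch values from history or viminfo.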
