SOC alert on Linux host

SOC alert on a Linux host? 5 Linux detection basics to check before you react

1. Who is in the house?
Unexpected users, service accounts used interactively, or odd login times = early compromise indicators.

Look for –
Active sessions and login behaviours (commands – who, w)
Login history and odd access patterns (commands – last)

2. Logs tell the story
High-level log sources worth validating early.

📜 Authentication logs – /var/log/auth.log or /var/log/secure

Look for –
Unauthorized access, SSH abuse, failed/successful login patterns
Account creation or privilege-related activity
(e.g., filtering for user/group creation or sudo usage events)
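A small POSIX shell triage script for the auth-log checks above, added here as an example (it is not part of the original post). It runs over a constructed auth.log sample: failed SSH logins grouped by source, a source that gets accepted after repeated failures, account/group changes, and sudo invocations that became root. The function names and the sample log lines are this example's own; on a real host, point the functions at /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the original post. Works on syslog-style
# /var/log/auth.log or /var/log/secure lines. The sample below is
# constructed for demonstration; point the functions at the real file instead.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:11:07 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar  3 02:11:09 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51012 ssh2
Mar  3 02:11:15 web01 sshd[2214]: Failed password for root from 198.51.100.23 port 51020 ssh2
Mar  3 02:12:40 web01 sshd[2231]: Accepted password for root from 198.51.100.23 port 51044 ssh2
Mar  3 02:13:02 web01 useradd[2250]: new user: name=svc-backup, UID=1007, GID=1007, home=/home/svc-backup, shell=/bin/bash
Mar  3 02:13:02 web01 usermod[2255]: add 'svc-backup' to group 'sudo'
Mar  3 02:14:10 web01 sudo:  svc-backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  3 08:30:12 web01 sshd[3001]: Accepted publickey for deploy from 10.0.0.20 port 50210 ssh2
Mar  3 09:00:01 web01 CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF

# Failed logins per source address, busiest first ("count ip").
failed_logins_by_source() {
  awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1" \
    | sort | uniq -c | sort -rn
}

# Sources that were accepted after at least $2 (default 3) failures:
# the brute-force-then-success pattern worth pulling a full timeline for.
accepted_after_failures() {
  awk -v min="${2:-3}" '
    /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++ }
    /Accepted (password|publickey)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (fails[ip] >= min && !seen[ip]++) print ip
    }' "$1"
}

# Account and group changes (useradd/usermod/userdel/groupadd/groupmod).
account_changes() {
  grep -E ' (useradd|usermod|userdel|groupadd|groupmod)\[' "$1" || true
}

# sudo invocations that became root: prints "user command".
sudo_to_root() {
  awk '/ sudo: / && /USER=root/ {
    cmd = "(unknown)"
    if (match($0, /COMMAND=.*/)) cmd = substr($0, RSTART + 8)
    print $6, cmd
  }' "$1"
}

echo "== failed logins by source";     failed_logins_by_source "$SAMPLE_LOG"
echo "== accepted after >=3 failures"; accepted_after_failures "$SAMPLE_LOG" 3
echo "== account/group changes";       account_changes "$SAMPLE_LOG"
echo "== sudo to root";                sudo_to_root "$SAMPLE_LOG"
```

The "accepted after failures" check is the one that usually matters most in the first five minutes: a source that hammers a login and then succeeds is a different conversation from a source that only fails.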

3. Process & resource awareness

Look for –
Unusual running processes (commands – ps, top, htop)
High CPU / memory with no business justification
Legit-looking names running from unusual paths

4. Network activity
If there’s a SOC alert, the host is already talking.

Look for –
Active outbound connections (ss, netstat)
Listening ports (ss -tulpn)
Processes owning network sockets

Red flags
Non-standard outbound ports
Connections to unfamiliar IP ranges or regions
User-level processes initiating external traffic
Binaries running from /tmp, hidden paths, or /dev making connections
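The red flags above turned into shell, as an added example that is not from the original post. It applies two of them to `ss -tunp` output: established connections where neither end is an expected service port, and socket owners whose executable lives in /tmp, /dev or a hidden path. The `ss` lines below are constructed, the allowed-port list is an assumption for the host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the red-flag list above
# to `ss -tunp` output: connections on ports that are not expected service
# ports, and socket owners whose executable lives in /tmp, /dev or a hidden
# path. The ss output below is constructed; on a live host use:
#   ss -tunp | unexpected_ports /dev/stdin
ALLOWED_PORTS="22 53 80 443"   # expected service ports on this host (assumed)

SAMPLE_SS=$(mktemp)
trap 'rm -f "$SAMPLE_SS"' EXIT
cat > "$SAMPLE_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
tcp   ESTAB  0      0      10.0.0.5:51234      203.0.113.7:443    users:(("curl",pid=2301,fd=5))
tcp   ESTAB  0      0      10.0.0.5:43210      198.51.100.9:4444  users:(("sh",pid=2410,fd=3))
tcp   ESTAB  0      0      10.0.0.5:22         10.0.0.20:55102    users:(("sshd",pid=2200,fd=4))
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*          users:(("dhclient",pid=611,fd=6))
EOF

# Established TCP connections where neither end is an allowed port.
# Prints "peer pid process". Using "neither end" as the rule keeps
# inbound SSH (local :22) and outbound HTTPS (peer :443) quiet.
unexpected_ports() {
  awk -v allow="$ALLOWED_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR > 1 && $1 == "tcp" && $2 == "ESTAB" {
      lport = $5; sub(/.*:/, "", lport)     # text after the last colon: works for IPv6 too
      pport = $6; sub(/.*:/, "", pport)
      if (!(lport in ok) && !(pport in ok)) {
        pid = "?";  if (match($7, /pid=[0-9]+/)) pid = substr($7, RSTART + 4, RLENGTH - 4)
        proc = "?"; if (match($7, /\("[^"]+"/)) proc = substr($7, RSTART + 2, RLENGTH - 3)
        print $6, pid, proc
      }
    }' "$1"
}

# Is this executable path one of the "unusual paths" from the list above?
# Pure string check so it can be unit tested; returns 0 (true) when suspicious.
suspicious_exe_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/*) return 0 ;;   # world-writable or device paths
    */.*) return 0 ;;                       # any hidden (.-prefixed) component
    *" (deleted)") return 0 ;;              # binary removed after launch
  esac
  return 1
}

# Live-host helper: resolve the socket owner's binary and classify it.
# Needs root to read other users' /proc/<pid>/exe.
check_socket_owner() {
  exe=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "pid $1: exe unreadable (exited, or need root)"; return 2; }
  if suspicious_exe_path "$exe"; then echo "pid $1: SUSPICIOUS $exe"; return 0; fi
  echo "pid $1: $exe"; return 1
}

echo "== established connections on unexpected ports"; unexpected_ports "$SAMPLE_SS"
```

The port rule is a heuristic, not a verdict: a flagged connection is the one to pivot on (`check_socket_owner <pid>`, then `ls -l /proc/<pid>/cwd` and the parent process), not the one to kill first.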

5. Persistence clues
SSH keys you didn’t add
Scheduled jobs or callbacks you didn’t create (cron)

Files worth checking

/etc/hosts → malicious routing or redirection
/etc/passwd → unexpected users (especially UID 0)
/etc/shadow → password tampering
/etc/sudoers → unauthorized privilege escalation
/etc/group → group membership abuse
~/.ssh/authorized_keys → SSH-based persistence
Init / startup configs → execution on reboot
Hidden directories (. prefixed) → tool & data storage
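The persistence checks above as a shell script, added here as an example (not part of the original post). It checks constructed copies of the files listed: extra UID 0 accounts and system accounts with a login shell in /etc/passwd, authorized_keys entries that are not in a known-good baseline, and hidden directories outside the usual dotfile locations. The sample files, placeholder key blobs, baseline and function names are all this example's own; on a live host, point the functions at the real files.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the persistence files
# listed above against constructed samples: extra UID 0 accounts and system
# accounts with a login shell in /etc/passwd, authorized_keys entries that are
# not in a known-good baseline, and hidden directories outside the usual
# dotfile locations. Point the functions at the real files on a live host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Constructed key material: the blobs are placeholders, not real keys.
cat > "$WORK/baseline_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 alice@laptop
EOF
cat > "$WORK/authorized_keys" <<'EOF'
# keys managed by config management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 alice@laptop
no-pty,from="203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2 ops@unknown-host
EOF

mkdir -p "$WORK/fs/home/alice/.ssh" "$WORK/fs/var/tmp/.cache-x" "$WORK/fs/usr/lib"

# Accounts other than root with UID 0: each one is a second root login.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# System accounts (0 < UID < 1000) that have been given a real shell.
system_accounts_with_shell() {
  awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Keys in $1 whose key blob is not in the (non-empty) baseline $2;
# prints "comment keytype". Scans fields so entries with leading options
# (no-pty, from=, ...) still match; options containing quoted spaces are not handled.
unknown_authorized_keys() {
  awk '
    function keyidx(   i) { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) return i; return 0 }
    NR == FNR { if ((k = keyidx()) > 0) known[$(k + 1)] = 1; next }
    /^#/ || NF == 0 { next }
    { k = keyidx()
      if (k > 0 && !($(k + 1) in known)) { c = $(k + 2); if (c == "") c = "(no comment)"; print c, $k } }
  ' "$2" "$1"
}

# Hidden directories under $1, ignoring the usual per-user dotdirs.
hidden_dirs() {
  find "$1" -type d -name '.*' ! -name '.ssh' ! -name '.cache' ! -name '.config' ! -name '.local' 2>/dev/null
}

echo "== extra UID 0";              extra_uid0 "$WORK/passwd"
echo "== system accounts w/ shell"; system_accounts_with_shell "$WORK/passwd"
echo "== keys not in baseline";     unknown_authorized_keys "$WORK/authorized_keys" "$WORK/baseline_keys"
echo "== hidden directories";       hidden_dirs "$WORK/fs"
```

The baseline comparison only works if you actually have a baseline: a copy of authorized_keys from config management or a golden image. Without one, fall back to `stat` on the file and the key comments, and treat every key you cannot attribute to a person or a deployment as unknown.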