Project Name: Linux threat hunting with CUT SORT UNIQ DIFF
Description: This article will help you to understand hands-on command execution of CUT, SORT, UNIQ and DIFF to perform log analysis. Linux commands help a threat hunter perform passive log analysis. Linux threat hunting lets the threat hunter dive deeper into logs without using any commercial hunting platform.
Author: Rohit D Sadgune
FAQ:
- Threat Hunting using Linux Commands
- UNIQ command for Log analysis
- CUT command for Log analysis
- DIFF command for Log analysis
- SORT command for Log analysis
# Threat hunting using CUT command
This section walks through hands-on execution of the CUT command to perform log analysis.
## Print columns and characters from file
RDS-HUNT# cut -c1-12 attack.log :- Prints characters 1 to 12 of each line.
RDS-HUNT# cut -c12 attack.log :- Prints only the 12th character of each line.
## Find all unique values of the 4th column in the file.
RDS-HUNT# cut -d ' ' -f4 attack.log | sort | uniq
RDS-HUNT# cut -s -d ' ' -f4 attack.log :- Does not print lines that do not contain the delimiter.
## Find all unique values of every column except columns 1-5.
RDS-HUNT# cut -s --complement -d ' ' -f1-5 attack.log | sort | uniq
# Threat hunting using UNIQ command
This section walks through hands-on execution of the UNIQ command to perform log analysis.
## Prefix each line with the number of times it is repeated (sort the input first: uniq only compares adjacent lines)
RDS-HUNT# cat Skeletonkey_Malware.log | uniq -c
## Hunt for duplicate lines (prints each duplicated line once per group).
RDS-HUNT# cat attack.log | uniq -d
## Print all duplicate lines (every repeated copy, not just one per group).
RDS-HUNT# cat attack.log | uniq -D
## UNIQ comparison options
RDS-HUNT# uniq -w 3 cookie_theft.log :- Compares only the first 3 characters of each line.
RDS-HUNT# uniq -i beaconing.log :- Ignores case when comparing lines.
## Display only duplicate rows, with their counts
RDS-HUNT# cat DNS_Shadowing.log | uniq -cd
# Threat hunting using DIFF command
This section walks through hands-on execution of the DIFF command to perform log analysis.
## DIFF in context format
RDS-HUNT# diff -c linux_hunt1551117.log linux_hunt14589217.log
## Print DIFF side by side.
RDS-HUNT# diff -y passive_threat.txt active_threat.txt
## Find a minimal set of changes, in unified format.
RDS-HUNT# diff -du threat_hunt.txt log_analysis.txt
# Threat hunting with SORT command
This section walks through hands-on execution of the SORT command to perform log analysis.
## Numeric data in reverse order
RDS-HUNT# sort -nr lateral_movement.log
## Sort based on a specific column (the 3rd field)
RDS-HUNT# sort -k 3 cryptomining.log
## Remove duplicate lines.
RDS-HUNT# sort -u infostealer.log
## Sort numerically on fields 3 to 5, using '-' as the field delimiter
RDS-HUNT# sort -t '-' -n -k3,5 RDP_Tunnel.log
## Sort on the 3rd column and remove lines with duplicate keys
RDS-HUNT# sort -u -t ' ' -k3 DNS_Amplification.log
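The four commands combined into one small hunt, as an added example that is not part of the original article: two constructed SSH-style logs (a baseline and a current file) are written to a temporary directory, then cut/sort/uniq count hits per source address, show the undercount that uniq produces on unsorted input, list users seen from more than one address, and diff reports source addresses absent from the baseline. The file names, field layout and every log line are constructed for this demonstration.

```shell
#!/bin/sh
# Constructed sample logs, not real data. Space-separated fields:
# 1=timestamp 2=process 3=result 4=user 5=source address 6=source port
export LC_ALL=C                      # deterministic sort order
WORK="${TMPDIR:-/tmp}/hunt_demo_$$"
mkdir -p "$WORK"
cat > "$WORK/baseline.log" <<'EOF'
2024-03-01T09:00:01 sshd ACCEPTED alice 10.0.0.7 50101
2024-03-01T09:00:05 sshd FAILED admin 10.0.0.5 51201
2024-03-01T09:00:09 sshd ACCEPTED bob 10.0.0.7 50102
EOF
cat > "$WORK/current.log" <<'EOF'
2024-03-01T10:01:02 sshd FAILED admin 10.0.0.5 51222
2024-03-01T10:01:04 sshd FAILED root 10.0.0.5 51223
2024-03-01T10:01:06 sshd ACCEPTED alice 10.0.0.7 50111
2024-03-01T10:01:08 sshd FAILED admin 10.0.0.9 51300
2024-03-01T10:01:09 sshd FAILED admin 10.0.0.5 51224
2024-03-01T10:01:11 sshd FAILED root 10.0.0.5 51225
2024-03-01T10:01:13 sshd ACCEPTED alice 10.0.0.9 50112
2024-03-01T10:01:15 sshd FAILED admin 10.0.0.5 51226
EOF

# Frequency of each value in field $1 of file $2, most frequent first.
# sort must precede uniq: uniq only merges *adjacent* identical lines.
top_values() {
    cut -d ' ' -f"$1" "$2" | sort | uniq -c | sort -nr | sed 's/^ *//'
}

# The same pipeline with the sort left out, to show the undercount it causes.
top_values_unsorted() {
    cut -d ' ' -f"$1" "$2" | uniq -c | sed 's/^ *//'
}

# Users seen from more than one source address: dedupe user/source pairs,
# then keep the users that still occur more than once.
multi_source_users() {
    cut -d ' ' -f4,5 "$1" | sort -u | cut -d ' ' -f1 | uniq -d
}

# Source addresses present in log $2 but absent from the baseline log $1.
new_sources() {
    cut -d ' ' -f5 "$1" | sort -u > "$WORK/base.ips"
    cut -d ' ' -f5 "$2" | sort -u > "$WORK/cur.ips"
    diff "$WORK/base.ips" "$WORK/cur.ips" | grep '^>' | cut -c3-
}
echo "== sources by hit count =="; top_values 5 "$WORK/current.log"
echo "== same, without sort (wrong) =="; top_values_unsorted 5 "$WORK/current.log"
echo "== users with several sources =="; multi_source_users "$WORK/current.log"
echo "== sources not in baseline =="; new_sources "$WORK/baseline.log" "$WORK/current.log"
```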