Dr. Maik Ro
Jan 5, 31 tweets, 9 min read
Linux Log Files and where to find them:
First up - are you ready to become a full-fledged cyber professional?

Maybe even a Security Analyst or Security Operations Center Analyst?

Good - I have just the thing for you - sign up now for the bootcamp waitlist at:
maikroservice.com/waitlist
*nix systems store logs in a variety of locations but most of them are aggregated in one central folder:

/var/log
GREAT! but umm… is this universal?

Do all unix systems store the same log files?

Is the content always the same across distributions?

NO.
If you compare e.g. Debian and Debian-based Ubuntu 22.04 you will see some differences:
But now comes the tricky part…

If you compare Ubuntu 22.04 and Ubuntu 23.04…

well… They also differ
WHAT THE FUDGE?!

Exactly - Apparently Ubuntu 23.04 added a new file called apport.log (it holds information about program crashes) which Ubuntu 22.04 does not have
Huh, interesting.

Well but it also makes sense - software evolves and changes - just like Operating Systems ;) (they are software)
Ok cool, but which files do I need to know when I want to become a Security/SOC Analyst?

There are at least 5 you should have heard of (probably more)
Wanna look at them?

OK HERE WE GO!
First candidate is auth.log, located in /var/log/auth.log and it is one of the important logs that every SOC Analyst needs to know
auth.log holds

logins
user changes
group changes
system reboot timestamps
sudo command history
… and more
Wanna look at an example?

Here we go! 🚀
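As an added example (not from the original thread), here is a small Python script that does what an analyst does with such an auth.log excerpt: it counts failed SSH passwords per source address and lists accepted logins, sudo commands and newly created users. The log lines are constructed for the demonstration and the threshold of 3 failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not captured from a real system).
SAMPLE_AUTH_LOG = """\
Jan  5 09:12:01 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  5 09:12:03 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan  5 09:12:05 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan  5 09:12:09 srv01 sshd[1201]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jan  5 09:15:44 srv01 sshd[1310]: Accepted publickey for maik from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan  5 09:15:44 srv01 sshd[1310]: pam_unix(sshd:session): session opened for user maik(uid=1000) by (uid=0)
Jan  5 09:16:02 srv01 sudo:     maik : TTY=pts/0 ; PWD=/home/maik ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo backup2
Jan  5 09:17:30 srv01 useradd[1402]: new user: name=backup2, UID=1001, GID=1001, home=/home/backup2, shell=/bin/bash
"""

# Patterns for the sshd, sudo and useradd lines that matter most in a first triage.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
NEWUSER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def analyse_auth_log(text, threshold=3):
    """Summarise security-relevant events from auth.log text."""
    failed_by_ip = Counter()
    accepted, sudo_cmds, new_users = [], [], []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failed_by_ip[m.group(2)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m.group(2), m.group(3), m.group(1)))  # user, source, method
        elif m := SUDO_RE.search(line):
            sudo_cmds.append((m.group(1), m.group(2), m.group(3)))  # who, as whom, command
        elif m := NEWUSER_RE.search(line):
            new_users.append(m.group(1))
    # Sources with >= threshold failures are brute-force candidates worth investigating.
    suspects = [ip for ip, n in failed_by_ip.items() if n >= threshold]
    return {"failed_by_ip": dict(failed_by_ip), "suspects": suspects,
            "accepted": accepted, "sudo": sudo_cmds, "new_users": new_users}


if __name__ == "__main__":
    for key, value in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real file with `analyse_auth_log(open("/var/log/auth.log").read())` (reading it needs root or adm group membership).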
Next up in our list is syslog

The ultimate log, cut directly from Yggdrasil and forged in hellfire protected by Kerberos (or something like that 🤣) - the holy grail of logs
The system log, or syslog, combines log information from many different sources - e.g. authentication events, kernel events and something called “locales” (the syslog facilities local0 to local7)
a local is basically a configurable channel that you can fill with almost any log of your choice

Have a webserver that you want to monitor closely? Put it on a local

Need to know when your Database throws up? Put it on a local

You get the idea 💡
Cool but what does syslog look like?

e.g. like this:
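Added example, not part of the original thread: a Python parser for BSD-style syslog lines that decodes the <PRI> prefix into facility and severity (so you can see where local0 to local7 sit) and applies a syslog.conf-style selector such as local0.* the way a daemon decides which file a line goes to. The sample lines are constructed.

```python
import re

# Syslog facility codes 0-23 (RFC 3164); local0-local7 are the free channels
# the thread calls "locales".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon DD HH:MM:SS host tag[pid]: message   (BSD-style line as rsyslog forwards it)
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity, e.g. 134 -> local0.info, 86 -> authpriv.info."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"invalid PRI {pri}")
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog_line(line):
    """Return the fields of one syslog line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, ts, host, tag, pid, msg = m.groups()
    facility, severity = decode_pri(int(pri))
    return {"facility": facility, "severity": severity, "timestamp": ts, "host": host,
            "tag": tag, "pid": int(pid) if pid else None, "message": msg}


def matches_selector(selector, rec):
    """Apply a syslog.conf selector like 'local0.*' or 'authpriv.warning'
    (a named level matches that severity and anything more severe)."""
    fac, sev = selector.split(".")
    if fac not in ("*", rec["facility"]):
        return False
    return sev == "*" or SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(sev)


# Constructed sample lines, not captured from a real host.
SAMPLES = [
    "<134>Jan  5 10:01:02 web01 nginx[812]: 203.0.113.7 GET /admin 404",  # local0.info
    "<86>Jan  5 10:01:05 web01 sshd[1201]: Accepted publickey for maik from 192.0.2.10 port 40022 ssh2",
    "<0>Jan  5 10:02:00 web01 kernel: Kernel panic - not syncing",  # kern.emerg
]
```

A webserver logging with `logger -p local0.info` and an rsyslog rule `local0.* /var/log/web.log` is exactly the "put it on a local" pattern the selector function mimics.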
Wonderful, but I want to know where I can look for brute-force attacks.

Smart!

You could find those in two specialized logs - wtmp and btmp
These two are a little special though, they are binary logs.

Binary what?

They hold 0s and 1s? Almost. They are stored in a format that is not plain text and needs a special command to be readable

PFFF I don't believe you.
You don't?

Well... that makes me sad, but luckily I can prove it!

try opening wtmp with a text editor:
WOAAAAAHHHHH IT'S TOOO BRIGHT - MY EYES

HEAAAAAAALP
MAKE IT STOP - ahh ok much better.

How would I open those to be readable in dark mode though?!

use the last and lastb commands:
last reads the wtmp file, which holds the login session records (who used the computer, and when)

while lastb needs sudo rights to execute and reads btmp, which holds the failed logon attempts

check it out:

sudo lastb

oh. It's empty.
ok ok ok - we can easily generate some failed logons - either use hydra for brute force or just type your password wrong at least 2x

Just like I do every time… … 😅🫠
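Added example (not from the original thread) showing why wtmp and btmp need last/lastb: a Python parser for the glibc utmp record layout on x86_64 Linux that reads btmp-format bytes and counts failed logins per host, which is what you look at for brute-force attempts. The records are constructed inside the script; the threshold of 3 failures is an assumption.

```python
import struct
from collections import Counter

# glibc struct utmp layout on x86_64 Linux: 384 bytes per record, little-endian.
# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit(h,h) ut_session(i) ut_tv.tv_sec(i) ut_tv.tv_usec(i) ut_addr_v6[16] unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type of a normal user login record


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per record from wtmp/btmp-format bytes (what last/lastb read)."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": f[9]}


def make_record(user, host, line="ssh:notty", ts=0, ut_type=USER_PROCESS):
    """Build one constructed record (used only for the sample data below)."""
    return struct.pack(UTMP_FMT, ut_type, 4242, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"")


def failed_logins_by_host(btmp_bytes, threshold=3):
    """Reduce what `sudo lastb` prints to brute-force suspects: hosts with >= threshold failures."""
    counts = Counter(r["host"] for r in parse_utmp(btmp_bytes) if r["user"])
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed btmp content: four failed root logins from one host, one typo at the console.
SAMPLE_BTMP = b"".join(
    [make_record("root", "203.0.113.7", ts=1704445921 + i) for i in range(4)]
    + [make_record("maik", "", line="tty1", ts=1704446000)])

if __name__ == "__main__":
    import sys
    # Pass /var/log/btmp (needs root) or /var/log/wtmp to parse a real file instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BTMP
    for rec in parse_utmp(data):
        print(rec)
    print("suspects:", failed_logins_by_host(data))
```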
Can we also see when users logged in the last time?

SURE! That is where lastlog comes in - it's a command that allows you to see who logged into the computer at which time.
if e.g. a hacker logged in as root because they escalated their privileges and then uploaded an ssh key into root's .ssh folder - you can see that

and start the investigation 🔬👀 🕵️
and then CATCH THE BAD GUYS MUHAHAHAHAH

CLICK CLACK IS THE SOUND OF THE HAND CUFFS (kinda)
The last one for today is called journalctl - it is a good starting point to check whether services/software had errors during their installation or at runtime
typically you would use

journalctl -xe

to jump to the end of the journal (-e), i.e. the most recent entries, and to add explanatory text and metadata to the entries where available (-x)
Just like MAGIC! 🪄✨

I hope you learned something today - if you did please follow me @maikroservice for more content like this