| Artifact | Data Stored | Exec | Create | Delete | Persist | User | Net | PrivEsc | Timestomp | MITRE | Tools | Location |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Bash History | User command history | ⚠ | ❌ | ❌ | ❌ | ✅ | ⚠ | ⚠ | ⚠ | T1059 | cat ~/.bash_history | /home/*/.bash_history |
| Auth Logs | SSH logins, sudo usage, failed auth | ⚠ | ❌ | ❌ | ❌ | ✅ | ⚠ | ⚠ | ❌ | T1021 | grep -i "ssh" /var/log/auth.log<br>grep -i "sudo" /var/log/auth.log | /var/log/auth.log |
| Secure Log (RHEL) | Authentication events | ⚠ | ❌ | ❌ | ❌ | ✅ | ⚠ | ⚠ | ❌ | T1021 | grep -i "failed" /var/log/secure | /var/log/secure |
| Syslog | System-wide events | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ❌ | Various | less /var/log/syslog | /var/log/syslog |
| Journalctl | Systemd logs | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ❌ | Various | journalctl -xe<br>journalctl --since "1 hour ago" | systemd journal |
| wtmp | Successful logins | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | T1033 | last | /var/log/wtmp |
| btmp | Failed logins | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | T1110 | lastb | /var/log/btmp |
| lastlog | Last login per user | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | T1033 | lastlog | /var/log/lastlog |
| Crontab (User) | Scheduled jobs | ⚠ | ❌ | ❌ | ✅ | ⚠ | ❌ | ⚠ | ❌ | T1053.003 | crontab -l | User crontabs |
| Crontab (System) | System scheduled jobs | ⚠ | ❌ | ❌ | ✅ | ❌ | ❌ | ⚠ | ❌ | T1053.003 | cat /etc/crontab | /etc/crontab |
| Systemd Services | Service persistence | ⚠ | ❌ | ❌ | ✅ | ❌ | ❌ | ⚠ | ❌ | T1543.002 | systemctl list-unit-files | /etc/systemd/system |
| rc.local | Startup commands | ⚠ | ❌ | ❌ | ✅ | ❌ | ❌ | ⚠ | ❌ | T1037 | cat /etc/rc.local | /etc/rc.local |
| SSH Authorized Keys | Backdoor access keys | ❌ | ⚠ | ❌ | ✅ | ⚠ | ⚠ | ⚠ | ❌ | T1098 | cat ~/.ssh/authorized_keys | ~/.ssh/authorized_keys |
| SSH Config | SSH settings | ❌ | ⚠ | ❌ | ⚠ | ❌ | ⚠ | ❌ | ❌ | T1021 | cat /etc/ssh/sshd_config | /etc/ssh/sshd_config |
| /etc/passwd | User accounts | ❌ | ⚠ | ❌ | ⚠ | ⚠ | ❌ | ⚠ | ❌ | T1136 | cat /etc/passwd | /etc/passwd |
| /etc/shadow | Password hashes | ❌ | ⚠ | ❌ | ❌ | ❌ | ❌ | ⚠ | ❌ | T1003 | sudo cat /etc/shadow | /etc/shadow |
| Sudoers | Privilege escalation rules | ❌ | ⚠ | ❌ | ⚠ | ❌ | ❌ | ⚠ | ❌ | T1548 | cat /etc/sudoers | /etc/sudoers |
| Auditd Logs | Detailed syscall logging | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | ❌ | Various | ausearch -ts recent | /var/log/audit/audit.log |
| File MAC Times | File timestamps | ⚠ | ✅ | ✅ | ❌ | ⚠ | ❌ | ❌ | ✅ | T1070 | stat filename | Any file |
| Inotify Logs | File monitoring | ⚠ | ⚠ | ⚠ | ❌ | ⚠ | ❌ | ❌ | ❌ | Various | inotifywatch -r /path | Monitored dirs |
| Network Connections | Active sockets | ⚠ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | T1105 | ss -tunap | /proc/net |
| iptables Rules | Firewall config | ❌ | ⚠ | ❌ | ⚠ | ❌ | ✅ | ❌ | ❌ | T1562 | iptables -L -n -v | Kernel firewall |
| Hosts File | DNS overrides | ❌ | ⚠ | ❌ | ⚠ | ❌ | ⚠ | ❌ | ❌ | T1565 | cat /etc/hosts | /etc/hosts |
| Docker Logs | Container logs | ⚠ | ❌ | ❌ | ⚠ | ⚠ | ⚠ | ⚠ | ❌ | T1610 | docker ps<br>docker logs &lt;id&gt; | Docker runtime |
| Kube Audit Logs | Kubernetes API activity | ⚠ | ❌ | ❌ | ⚠ | ⚠ | ⚠ | ⚠ | ❌ | T1610 | cat /var/log/kube-apiserver-audit.log | K8s control plane |
| /proc Artifacts | Running processes | ✅ | ❌ | ❌ | ❌ | ❌ | ⚠ | ⚠ | ❌ | T1057 | ps aux<br>ls /proc/&lt;pid&gt; | /proc |
| LD_PRELOAD | Library hijacking | ⚠ | ❌ | ❌ | ⚠ | ❌ | ❌ | ⚠ | ❌ | T1574 | cat /etc/ld.so.preload | /etc/ld.so.preload |
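The Timestomp column marks File MAC Times as the one artifact where the tampering itself leaves a trace: `touch -t` and `utime()` can rewrite atime and mtime, but the kernel sets ctime to "now" on that same call, so an mtime far older than ctime (or older than the birth time, where the kernel exposes it) is the classic indicator. The check below is an added example, not part of the original table; the 24-hour gap threshold and the constructed sample files are assumptions, and the same pattern also appears after `chmod`, `chown` or `cp -p`, so treat a hit as a lead to corroborate with the other rows, not as proof.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Gap between mtime and ctime above which a file is flagged
# (constructed threshold for this example; tune it per host).
SUSPICIOUS_GAP_SECONDS = 24 * 3600


@dataclass
class MacTimes:
    path: str
    atime: float
    mtime: float
    ctime: float
    birth: Optional[float]  # None when kernel/filesystem/Python does not expose it


def mac_times(path: str) -> MacTimes:
    """Collect the same values 'stat filename' prints, as floats."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)  # Python 3.12+ on Linux (statx)
    return MacTimes(path, st.st_atime, st.st_mtime, st.st_ctime, birth)


def timestomp_indicators(t: MacTimes, gap: float = SUSPICIOUS_GAP_SECONDS) -> List[str]:
    """Return the reasons (empty list if none) a file's timestamps look forged."""
    reasons = []
    # utime()/touch -t rewrite atime and mtime, but the kernel updates ctime
    # itself on that call, so mtime lagging far behind ctime is the indicator.
    if t.ctime - t.mtime > gap:
        reasons.append("mtime is %.0f s older than ctime" % (t.ctime - t.mtime))
    # A file cannot have been modified before it was created.
    if t.birth is not None and t.mtime < t.birth - 1:
        reasons.append("mtime predates birth time")
    return reasons


def build_demo_files() -> tuple:
    """Constructed sample: one file with mtime pushed back a year, one untouched."""
    d = tempfile.mkdtemp(prefix="macdemo_")
    stomped = os.path.join(d, "stomped.txt")
    clean = os.path.join(d, "clean.txt")
    for p in (stomped, clean):
        with open(p, "w") as fh:
            fh.write("sample\n")
    a_year_ago = time.time() - 365 * 24 * 3600
    os.utime(stomped, (a_year_ago, a_year_ago))  # what 'touch -t' does under the hood
    return stomped, clean
```

Run `timestomp_indicators(mac_times(path))` over the files a triage step turns up (for example every binary under `/tmp` or in the cron and systemd locations above); an empty list means no indicator, not a clean file.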