| Command | What it does | When to use |
|---|---|---|
| `ps` | List all processes | Get initial overview |
| `ps -u` | Show only user processes | Reduce noise (hide kernel threads) |
| `ps <name>` | Find process by name | Locate suspicious process quickly |
| `ps -p <pid>` | Show parent chain (walk UP) | Trace origin of a process |
| `ps -c <pid>` | Show children (walk DOWN) | Find spawned payloads |
| `ps -a <pid>` | Show arguments/env | See how process was executed |
| `ps -g <pid>` | Show thread group | Analyze multi-threaded processes |
| `set <pid>` | Switch to process context | Prepare for deeper inspection |
| `files` | Show open files of current process | See what the process accessed |
| `task <addr>` | Show task_struct | Low-level process inspection |
BLUE TEAM / MALWARE REVERSE / LINUX / CRASH