| Layer | Question | Primary Artifacts |
|---|---|---|
| Authentication | Who entered? | auth.log, secure, journalctl |
| Execution | What ran? | bash_history, auditd, process artifacts |
| Persistence | What survives reboot? | cron, systemd, rc.local |
| Privilege Escalation | How did they elevate? | sudo logs, auth logs |
| Lateral Movement | SSH / remote actions? | ssh logs, authorized_keys |
| File Activity | What changed? | mtime/ctime, package logs |
| Network | Who connected where? | ss, netstat remnants, journal |
| Malware / Payloads | What binaries/scripts exist? | /tmp, /dev/shm, hidden files |
BLUE TEAM / THREAT HUNT / LINUX
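As an added worked example (not part of the original reference card), a small Python triage walker that asks four of the table's questions against an evidence root: Authentication and Privilege Escalation from auth.log, Persistence from crontab and rc.local, and Malware / Payloads from tmp and dev/shm. The Debian-style auth.log path, the helper names and the sample log lines are assumptions constructed here; point `root` at a mounted image to run the same walkers on real data.

```python
import os
import re
import tempfile

# Constructed sample auth.log content (synthetic, RFC 5737 addresses; not from a real host).
SAMPLE_AUTH_LOG = """Mar  3 10:14:02 host sshd[1201]: Accepted publickey for deploy from 203.0.113.5 port 51234 ssh2
Mar  3 10:14:09 host sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/crontab -e
Mar  3 10:15:41 host sshd[1230]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  3 10:16:00 host sshd[1240]: Accepted password for alice from 192.0.2.9 port 3333 ssh2
"""
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")

def _lines(root, rel):
    """Read an artifact relative to the evidence root; a missing file yields nothing."""
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as fh:
        return [line.rstrip("\n") for line in fh]

def authentication(root):
    """Who entered? -> (method, user, source) per accepted SSH login in auth.log."""
    return [m.groups() for m in map(ACCEPTED.search, _lines(root, "var/log/auth.log")) if m]
def privilege_escalation(root):
    """How did they elevate? -> (user, command) per sudo record in auth.log."""
    return [m.groups() for m in map(SUDO.search, _lines(root, "var/log/auth.log")) if m]
def persistence(root):
    """What survives reboot? -> active (non-comment) lines in crontab and rc.local."""
    return [(rel, l) for rel in ("etc/crontab", "etc/rc.local")
            for l in _lines(root, rel) if l.strip() and not l.lstrip().startswith("#")]

def payloads(root):
    """What binaries/scripts exist? -> hidden or executable files under tmp and dev/shm."""
    hits = [os.path.relpath(os.path.join(d, f), root)
            for rel in ("tmp", "dev/shm") for d, _, fs in os.walk(os.path.join(root, rel))
            for f in fs if f.startswith(".") or os.access(os.path.join(d, f), os.X_OK)]
    return sorted(hits)

def build_sample_root():
    """Constructed mini evidence tree (hypothetical) so the walkers run offline."""
    root = tempfile.mkdtemp()
    files = {"var/log/auth.log": SAMPLE_AUTH_LOG, "dev/shm/.x": "#!/bin/sh\n",  # hidden script in tmpfs
             "etc/crontab": "# m h dom mon dow user command\n*/5 * * * * root /dev/shm/.x\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "dev/shm/.x"), 0o755)  # make the staged script executable
    return root
```

Each walker returns plain tuples so the results can be joined across layers (the sudo user here is also the SSH login, and the cron entry points at the hidden file found under dev/shm), which is the correlation the table is meant to prompt.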