Linux Incident
Uploaded by Hacker 6326
09/01/2024, 18:13 Users and Groups - LetsDefend


Incident Response on Linux


All Lessons Structure
How to Create Incident Response Plan?
Incident Response Procedure
3 Important Things
Users and Groups
Processes
Files and File System
Mounts
Network
Service
Crontab
SSH Authorized Keys
Bash_rc & Bash_profile
Useful Log Files
https://app.letsdefend.io/training/lesson_detail/users-and-groups 1/24
Users and Groups


User accounts exist in every operating system: they protect the system, tie data and actions to an identity, and provide a better user experience.
In this article, we will examine the user system of the Linux operating system.
When we examine APT attack reports, we can see that attackers aim to take over privileged accounts in order to compromise the whole domain. In ransomware attacks, which are very common today, attackers take over domain admin accounts and deploy ransomware to every device in the domain.

Most system administrators do not periodically audit the devices under their responsibility. Thus, when a user is taken over or a new user is added to the operating system, it is very rarely noticed. Since the chance of being noticed is so low, attackers frequently choose this method to maintain persistence.
In addition, since the default passwords set for users during installation are often left unchanged or forgotten, attackers can easily access the operating system.
If the general anatomy of a cyber attack is examined, attackers gain access by exploiting a vulnerability in a service that is exposed to the Internet. Because such services usually run as unprivileged service accounts, the attackers then compromise other users on the operating system in order to escalate their privileges.
As incident responders, we must be able to detect the users that have been taken over, added or removed from the operating system by the attackers.
“Everything is a file”
Everything is a file describes one of the defining features of Unix, and its derivatives—that a wide range of input/output resources
such as documents, directories, hard-drives, modems, keyboards, printers and even some inter-process and network
communications are simple streams of bytes exposed through the filesystem name space. (Wikipedia)
The UNIX file system contains critical files that hold information about users and groups. As an incident responder, you need to know that these files exist, understand their structure, and be able to spot anomalies in them.
The files containing user and group information are as follows:
/etc/passwd
Undoubtedly, one of the most crucial files in UNIX operating systems is /etc/passwd. It contains each user's username, password field (deprecated: on modern systems it holds an "x" and the real hash lives in /etc/shadow), UID and GID, home directory and login shell.

The file named passwd belongs to the root user and everyone has permission to read it. For this reason, even if the attacker compromises the least privileged user on the system, they can still collect information about the users on the device.
You can read the passwd file like any other file with the cat command.
cat /etc/passwd

At first glance, the /etc/passwd file may seem confusing. However, each line in this file has a specific format.

When we analyze the file format, we can see that:

The username is written at the beginning of each line, before the first colon,
The password field is written between the first and second colon (this is a legacy field; on modern systems it contains an "x" and the real hash is in /etc/shadow),
The UID is written between the second and third colon,
The GID of the user's primary group is written between the third and fourth colon,
The comment (GECOS) field is written between the fourth and fifth colon,
The user's home directory is written between the fifth and sixth colon,
The user's login shell is written after the sixth colon (each line has exactly six colons and seven fields)
If a user's shell is "/usr/sbin/nologin" in the passwd file, that user cannot log in to the operating system interactively.

The fact that a user cannot log in to the system does not mean that commands cannot be run as that user. For example, the shell of the www-data user is "/usr/sbin/nologin"; however, when a web application is compromised, attackers generally execute commands on the system as the www-data user.
/etc/shadow
The shadow file holds the hashed versions of user passwords, which makes it one of the files attackers are most interested in.

You may think that storing password hashes in a file poses a security risk. The shadow file is readable only by the root user and members of the shadow group, and the passwords are stored as salted hashes rather than in cleartext. A hash cannot be reversed directly: an attacker who wants a user's password must crack it offline with a dictionary or brute-force attack, so the hash algorithm and the strength of the passwords matter. Note that an attacker with write access to this file does not need to crack anything; they can simply replace a hash with one they generated themselves.

Let’s take a look at the shadow file format.

When we analyze the file format, we can see that:

The username is written at the beginning, before the first colon,
The hashed password is written between the first and second colon (an empty field means no password is required; a leading "!" or "*" means the password is locked or was never set),
The date of the last password change is written between the second and third colon, as the number of days since 1 January 1970,
The minimum number of days that must pass before the user may change the password again is written between the third and fourth colon,
The maximum number of days the password remains valid before it must be changed is written between the fourth and fifth colon,
The number of days before expiry on which the user starts to be warned is written between the fifth and sixth colon,
The number of days after the password expires during which the user can still change it before the account is disabled (the inactivity period) is written between the sixth and seventh colon,
The account expiry date is written between the seventh and eighth colon, again as days since 1 January 1970,
The field after the eighth colon is reserved for future use and is currently left empty
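The following script is an added example, not part of the LetsDefend lesson: it decodes the nine shadow fields described above, turning the day counts into dates and classifying the hash field, and then flags what a responder looks for here (empty password fields, weak hash algorithms, and passwords changed inside the incident window). The shadow content and the reference date of 9 January 2024 are constructed for the example; the hashes are placeholders.

```python
import sys
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Reference "today" for the example, matching the lesson's date; in a real case
# pass the date of the incident window you are investigating.
REFERENCE_DATE = date(2024, 1, 9)

# Constructed sample /etc/shadow. Hashes are placeholders, not real credentials.
SAMPLE_SHADOW = """\
root:$y$j9T$saltsalt$placeholderhash:19728:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19650:0:90:7:14::
bob:!$6$saltsalt$placeholderhash:19600:0:99999:7::19800:
support::19720:0:99999:7:::
legacy:$1$saltsalt$placeholderhash:16000:0:99999:7:::
"""

# crypt(3) hash identifiers as used by glibc / libxcrypt.
HASH_ALGOS = {
    "$1$": "md5crypt (weak)",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}


def days_to_date(field):
    """Shadow stores dates as days since 1970-01-01; an empty field means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None


def password_state(hash_field):
    """Classify the second field: empty, no password, locked, or a hash type."""
    if hash_field == "":
        return "empty"
    if hash_field in ("*", "!", "!!"):
        return "no-password"
    if hash_field.startswith("!"):
        return "locked"          # passwd -l / usermod -L prefix the hash with "!"
    for prefix, algo in HASH_ALGOS.items():
        if hash_field.startswith(prefix):
            return "hash:" + algo
    return "hash:unknown"


def parse_shadow(text):
    """Decode the nine colon-separated fields of each /etc/shadow line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields: {line!r}")
        rows.append({
            "name": f[0],
            "state": password_state(f[1]),
            "last_change": days_to_date(f[2]),
            "min_days": int(f[3]) if f[3] else None,
            "max_days": int(f[4]) if f[4] else None,
            "warn_days": int(f[5]) if f[5] else None,
            "inactive_days": int(f[6]) if f[6] else None,
            "expires": days_to_date(f[7]),
        })
    return rows


def find_shadow_anomalies(rows, today, recent_days=14):
    """Flag empty passwords, weak hashes, and changes inside the incident window."""
    findings = []
    for r in rows:
        if r["state"] == "empty":
            findings.append((r["name"], "empty password: login without a password is possible"))
        if r["state"].startswith("hash:") and "weak" in r["state"]:
            findings.append((r["name"], "weak hash algorithm " + r["state"][5:]))
        if r["last_change"]:
            age = (today - r["last_change"]).days
            if age < 0:
                findings.append((r["name"], "password change date in the future"))
            elif age <= recent_days:
                findings.append((r["name"], f"password changed {age} days ago (within incident window)"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. a copy of /etc/shadow from the suspect host) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for name, finding in find_shadow_anomalies(parse_shadow(text), REFERENCE_DATE):
        print(f"{name}: {finding}")
```

Run it against a copy of the suspect host's shadow file and pass the incident date as `today`; a root password changed three days before the incident was noticed, as in the sample, is exactly the kind of entry that deserves a second look.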
/etc/group
The /etc/group file contains the groups and which users are members of each group.
Identifying compromised users is not enough to understand the risk in a cybersecurity incident. User groups should also be checked.
Unless specially configured, www-data is a low-privilege user. However, when determining the risk of a cyber incident, it would be wrong to conclude "the www-data user has been compromised, but the risk is low since its privileges are low". If the attacker adds www-data to a high-privilege group (sudo, or a group such as shadow that grants access to sensitive files), the www-data user can end up with almost as much privilege as root.

The file named group belongs to the root user and everyone has read permission. For this reason, even if the attacker accesses the system through the least privileged user, they can still collect information about the groups on the device.

Let’s take a look at the file format.

When we analyze the file format, we can see that:

The group name is written at the beginning of each line, before the first colon,
The group password is written between the first and second colon (a legacy field, generally "x" or empty),
The GID is written between the second and third colon,
The usernames of the group's members are written after the third colon, separated by commas. Note that a user's primary group (the GID field in /etc/passwd) does not appear here, so a user whose primary GID is 0 is a member of the root group without being listed in this file.
/etc/sudoers
The sudoers file contains information about who can run the sudo command under which conditions.
Unlike other files, the sudoers file contains comments about the file format by default.

A rule in the sudoers file has the form <user list> <host list>=(<runas list>) <tag list> <command list>:

User List: Determines which users (or groups, written with a leading %) the rule applies to
Host List: Determines on which hosts the rule applies
Runas List: Determines which user (and optionally which group) the users in the user list may run commands as
Tag List: Can have values such as "PASSWD", "NOPASSWD" and "NOEXEC" and determines, for instance, whether a password is needed to run the command
Command List: Contains the commands that may be run; "ALL" allows any command

Other Important Files

Apart from these files, there are also different files that record user logon activity. They are binary files in utmp format and are read with dedicated tools rather than with cat:
/var/run/utmp: maintains the current status of the system, the system boot time (used by uptime), which users are logged in at which terminals, logouts, system events etc. (read with who or w)
/var/log/wtmp: acts as a historical utmp (read with last)
/var/log/btmp: records failed login attempts (read with lastb)

Incident Response
Analyze
Determining the Users on the System
Attackers add new users and modify existing users to ensure persistence. As an incident responder, it is necessary to identify these users and to remove or edit them in a way that does not pose a risk during the eradication step.
While reviewing the users on the system during the incident response process, it may be necessary to compare the compromised system with a clean one by obtaining the list of users that should be on the device from the application/server owner. It is more accurate to obtain this user list from a pre-incident snapshot.
In order to focus our analysis on the users on the system, we first need to identify them.
By reading the /etc/passwd file, the users defined on the system can be determined.
In order to make our analysis specific to the users on the system, we first need to identify the users on the system.
By reading the /etc/passwd file, users defined on the system can be determined.
cat /etc/passwd

Attackers prefer names such as support, service, dev, admin and sysadmin for the users they create, so that the accounts blend in and escape detection. We should pay attention to users with these names.
If the passwd file has incorrect permissions (writable by someone other than root), users can be compromised by editing it directly. Attackers can take over a user by replacing the "x" in the password field with a hash they generated themselves (login then uses that hash instead of the one in /etc/shadow), by emptying the field so that no password is required, or by adding a second account with UID 0. For this reason, the password and UID fields in the passwd file should be carefully checked during the incident response.
In addition, the shell field of each user should be checked. Service accounts that should not have a shell but have an interactive one should be double-checked.
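The checks just described, and the seven-field passwd format from the earlier section, can be scripted. The following Python script is an added example, not the lesson's own code: it parses /etc/passwd and flags a non-"x" or empty password field, extra UID 0 accounts, the names attackers favour, service accounts with interactive shells, and duplicate UIDs. The passwd content is constructed for the example, the hash on its last line is a placeholder, and the system-account UID limit of 999 is an assumption to adjust per host.

```python
import sys
from dataclasses import dataclass

# Constructed sample /etc/passwd for this example (not taken from a real host).
# The hash on the last line is a placeholder, not a real credential.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:1001:1001::/home/support:/bin/bash
sysadmin:$6$saltsalt$placeholderhash:0:0::/root:/bin/bash
"""

# Names the lesson says attackers favour for persistence accounts.
SUSPICIOUS_NAMES = {"support", "service", "dev", "admin", "sysadmin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumption: system accounts use UIDs up to 999 (the Debian/Ubuntu default;
# check SYS_UID_MAX in /etc/login.defs on the host you are examining).
SYSTEM_UID_MAX = 999


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split each line of /etc/passwd into its seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def find_passwd_anomalies(entries):
    """Return (username, finding) pairs for the checks the lesson describes."""
    findings = []
    seen_uids = {}
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 (root-equivalent) account that is not root"))
        if e.password == "":
            findings.append((e.name, "empty password field: login without a password"))
        elif e.password != "x":
            findings.append((e.name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if e.name in SUSPICIOUS_NAMES:
            findings.append((e.name, "name commonly used by attackers for persistence"))
        if 0 < e.uid <= SYSTEM_UID_MAX and e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, f"system account with interactive shell {e.shell}"))
        if e.uid in seen_uids:
            findings.append((e.name, f"duplicate UID {e.uid} shared with {seen_uids[e.uid]}"))
        else:
            seen_uids[e.uid] = e.name
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. a copy of /etc/passwd from the suspect host) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for name, finding in find_passwd_anomalies(parse_passwd(text)):
        print(f"{name}: {finding}")
```

The sample deliberately contains a "sysadmin" account that combines three of the tricks above (UID 0, a hash placed directly in passwd, and a plausible name); a real finding is usually subtler, which is why every check runs independently rather than stopping at the first hit.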
If the attacker has not cleaned the auth.log file, it is possible to detect newly created users via the auth.log file.
tail /var/log/auth.log

You can find newly created users by searching for the word “useradd” in the auth.log file.

grep useradd /var/log/auth.log


You can identify users whose passwords have been changed by searching for the word “passwd” in the auth.log file.
grep passwd /var/log/auth.log

Identifying User’s Permissions


As we mentioned earlier in our article, detecting compromised users is not enough to determine the risk. After identifying the
users, the groups that these users are included in, and the authorizations defined specifically for these users should also be
determined.
A good starting point is to examine the groups that the users belong to and check the permissions of the user.
We have to examine the groups and the users included in the groups through the /etc/group file. The contents of the group file
can be viewed using the cat command.
cat /etc/group

While conducting our examinations, we must pay attention to the critical groups and the users included in these groups. Users
who should not be included in these groups should be identified. For example, the www-data user being included in the sudo
group is certainly suspicious. Some of the critical groups are as stated below:
root
adm
shadow
sudo
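Added example, not the lesson's own code: it parses the four-field /etc/group format from the earlier section, reports the members of the critical groups listed above, compares them with a baseline obtained from the system owner, and separately catches users whose primary GID in /etc/passwd is 0, which /etc/group alone does not show. The group and passwd contents and the baseline are constructed; wheel, docker and disk are added to the lesson's list of critical groups as an assumption.

```python
# Constructed sample /etc/group (not from a real host).
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,alice
shadow:x:42:www-data
sudo:x:27:alice,support
www-data:x:33:
docker:x:998:bob
alice:x:1000:
"""

# Constructed /etc/passwd excerpt, used only to catch primary-group membership,
# which never appears in /etc/group.
SAMPLE_PASSWD_MIN = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:1002:0::/home/backup2:/bin/bash
"""

# The lesson names root, adm, shadow and sudo; wheel, docker and disk are added
# here as an assumption, since membership in them is also root-equivalent.
CRITICAL_GROUPS = {"root", "adm", "shadow", "sudo", "wheel", "docker", "disk"}

# Baseline from the system owner or a pre-incident snapshot (constructed here).
EXPECTED_MEMBERS = {"adm": {"syslog", "alice"}, "sudo": {"alice"}}


def parse_group(text):
    """Parse name:password:GID:member,member lines into a dict keyed by group."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _password, gid, members = line.split(":")   # exactly four fields
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def critical_membership(groups):
    """Non-empty member lists of the critical groups, for a quick review."""
    return {g: info["members"] for g, info in groups.items()
            if g in CRITICAL_GROUPS and info["members"]}


def unexpected_members(groups, baseline):
    """(user, group) pairs in critical groups that the baseline does not list."""
    findings = []
    for g, info in groups.items():
        if g not in CRITICAL_GROUPS:
            continue
        for member in info["members"]:
            if member not in baseline.get(g, set()):
                findings.append((member, g))
    return findings


def users_with_primary_gid(passwd_text, gid):
    """Users whose primary group (4th passwd field) is gid, e.g. GID 0 = root."""
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if line.strip() and int(line.split(":")[3]) == gid]


if __name__ == "__main__":
    groups = parse_group(SAMPLE_GROUP)
    print("critical group members:", critical_membership(groups))
    print("unexpected:", unexpected_members(groups, EXPECTED_MEMBERS))
    print("primary GID 0:", users_with_primary_gid(SAMPLE_PASSWD_MIN, groups["root"]["gid"]))
```

In the sample, www-data in the shadow group and support in sudo are the findings the lesson warns about; backup2 only shows up through its primary GID, which is why the passwd side is checked as well.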
Another file that needs to be checked in order to understand the authorizations of users or groups is “/etc/sudoers”. There is
information on which users and groups can use sudo authority to what extent on this file.
cat /etc/sudoers

In the sudoers file, users who should not have sudo rights, and authorizations that could lead to a system compromise (for example NOPASSWD: ALL, or permission to run programs such as editors that can spawn a shell), should not be defined. Also check the files included from /etc/sudoers.d, since a rule dropped there has the same effect as one in /etc/sudoers, and look for other incorrect configurations in this file.
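Added example, not from the lesson: it parses the sudoers rule syntax described in the earlier section and applies the checks above (NOPASSWD combined with ALL, unrestricted rules for principals other than root and the admin groups, and commands such as editors that can spawn a shell unless the NOEXEC tag is set). The sudoers content, the set of admin principals and the list of shell-escaping programs are assumptions constructed for the example; the parser handles the common one-line rule form and skips Defaults and alias lines rather than implementing the full grammar.

```python
import re
import sys

# Constructed sample /etc/sudoers (not from a real host).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
www-data ALL=(ALL) NOPASSWD: ALL
support ALL=(ALL) /usr/bin/vim
@includedir /etc/sudoers.d
"""

# user_list host_list=(runas_list) tag_list: command_list
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*"     # principal and host list
    r"(?:\((?P<runas>[^)]*)\)\s*)?"               # optional (runas_user:runas_group)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"                 # zero or more tags such as NOPASSWD:
    r"(?P<cmds>\S.*?)\s*$"                        # command list
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Principals expected to hold unrestricted sudo (assumption: adjust per host).
ADMIN_PRINCIPALS = {"root", "%sudo", "%admin", "%wheel"}
# Illustrative subset of programs that can spawn a shell from inside the program.
SHELL_ESCAPE_CMDS = {"vim", "vi", "less", "more", "man", "find", "awk", "perl", "python3", "bash", "sh"}


def parse_sudoers(text):
    """Return (rules, include paths); skips Defaults, alias and comment lines."""
    rules, includes = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("@include", "#include")):      # "#includedir" is the old spelling
            includes.append(line.split(None, 1)[1])
            continue
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({"who": m.group("who"), "hosts": m.group("hosts"),
                      "runas": m.group("runas") or "root", "tags": tags,
                      "cmds": m.group("cmds")})
    return rules, includes


def assess_rule(rule):
    """Issues the lesson warns about: passwordless or unrestricted sudo, shell escapes."""
    issues = []
    unrestricted = rule["cmds"] == "ALL"
    if unrestricted and "NOPASSWD" in rule["tags"]:
        issues.append("passwordless root: NOPASSWD with ALL")
    if unrestricted and rule["who"] not in ADMIN_PRINCIPALS:
        issues.append("unrestricted sudo for non-admin principal")
    if "NOEXEC" not in rule["tags"]:            # NOEXEC blocks the program from exec'ing a shell
        for cmd in rule["cmds"].split(","):
            parts = cmd.split()
            if not parts:
                continue
            prog = parts[0].rsplit("/", 1)[-1]
            if prog in SHELL_ESCAPE_CMDS:
                issues.append(f"shell escape possible via {cmd.strip()} (no NOEXEC)")
    return issues


def audit_sudoers(text):
    """(principal, issue) pairs for every rule in the file."""
    rules, _includes = parse_sudoers(text)
    return [(r["who"], issue) for r in rules for issue in assess_rule(r)]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for who, issue in audit_sudoers(text):
        print(f"{who}: {issue}")
    for path in parse_sudoers(text)[1]:
        print(f"also review rules under {path}")
```

The include path is reported rather than followed because the script works on a copied file; on the live host, every file under that directory must be read with the same checks.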
You can list group processes by searching for the words “groupadd” and “usermod” in the auth.log file. Listing the group changes
in the date range of the attack will make it easier to track the actions taken by the attacker.
grep groupadd /var/log/auth.log

grep usermod /var/log/auth.log


Identifying Users That Have Logged into the System


With the help of some tools that are installed by default on most Linux systems, users with an active session on the operating system can be listed. We recommend installing as few new tools as possible in order to preserve the integrity of the device during the incident response process. There are several different tools that we can use to detect logged-in users on GNU/Linux.
The w, who, users and last tools are included by default in GNU/Linux. With the help of these tools, you can identify users who have logged into the system.
These tools have their own advantages and disadvantages. However, choosing the "last" tool will speed up the incident response process, as it provides more information and historical data. If no parameter is given, it prints the login history of all users.
last


The last command obtains this information from the "/var/log/wtmp" file. This is a binary file, so reading it with cat will not produce readable output. Use last -f to point last at a copy of the file, or utmpdump to print the raw records, which is also useful for spotting records that an attacker has zeroed out.
utmpdump /var/log/wtmp

The /var/log/auth.log file can be examined to detect users who logged into the system via SSH. This file includes successful as well as unsuccessful logins, so brute-force attacks can also be detected from the auth.log file. (On Red Hat based systems the equivalent file is /var/log/secure.)
You can list the failed login attempts with the following command.
grep "Failed password" /var/log/auth.log

As an alternative, failed SSH logins can be determined with the journalctl command (the unit is ssh.service on Debian/Ubuntu and sshd.service on Red Hat based systems).
journalctl _SYSTEMD_UNIT=ssh.service | grep -E "Failed|Failure"
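The greps for useradd, passwd, groupadd, usermod and "Failed password" above can be combined into one timeline. The following script is an added example, not the lesson's own: it parses a constructed auth.log excerpt (hostname, addresses and PIDs are made up; the message formats are the ones useradd, usermod, groupadd, pam_unix and sshd write on Debian/Ubuntu), lists the account changes in order, counts failed SSH passwords per source, and reports logins accepted from a source that had already failed repeatedly, which is what a successful brute force looks like in the log.

```python
import re
import sys
from collections import Counter

# Constructed auth.log excerpt in the syslog layout rsyslog writes on Debian/Ubuntu.
# Hostname, addresses and PIDs are made up.
SAMPLE_AUTH_LOG = """\
Jan  9 17:58:01 web01 sshd[1301]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan  9 17:58:03 web01 sshd[1302]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jan  9 17:58:05 web01 sshd[1303]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jan  9 17:58:07 web01 sshd[1304]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jan  9 17:58:09 web01 sshd[1305]: Failed password for root from 203.0.113.5 port 51005 ssh2
Jan  9 17:58:12 web01 sshd[1306]: Accepted password for root from 203.0.113.5 port 51006 ssh2
Jan  9 18:01:10 web01 useradd[1320]: new user: name=support, UID=1001, GID=1001, home=/home/support, shell=/bin/bash
Jan  9 18:01:15 web01 passwd[1322]: pam_unix(passwd:chauthtok): password changed for support
Jan  9 18:01:20 web01 usermod[1325]: add 'support' to group 'sudo'
Jan  9 18:01:21 web01 usermod[1325]: add 'support' to shadow group 'sudo'
Jan  9 18:03:00 web01 groupadd[1330]: new group: name=backup2, GID=1002
Jan  9 18:05:30 web01 sshd[1340]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan  9 18:05:40 web01 sshd[1341]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2: RSA SHA256:placeholder
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# Message patterns for the events the lesson greps for (useradd, passwd, groupadd,
# usermod) plus sshd authentication results.
PATTERNS = {
    "user_added": re.compile(r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
                             r"home=(?P<home>[^,]+), shell=(?P<shell>[^,\s]+)"),
    "group_added": re.compile(r"new group: name=(?P<group>[^,]+), GID=(?P<gid>\d+)"),
    "group_member_added": re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'"),
    "password_changed": re.compile(r"password changed for (?P<user>\S+)"),
    "ssh_failed": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "ssh_accepted": re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
}


def parse_auth_log(text):
    """Turn recognised auth.log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pattern in PATTERNS.items():
            pm = pattern.search(m.group("msg"))
            if pm:
                events.append({"ts": m.group("ts"), "host": m.group("host"),
                               "prog": m.group("prog"), "kind": kind, **pm.groupdict()})
                break
    return events


def account_changes(events):
    """The trail an attacker leaves when adding users/groups or resetting passwords."""
    wanted = {"user_added", "group_added", "group_member_added", "password_changed"}
    return [e for e in events if e["kind"] in wanted]


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed password attempts."""
    fails = Counter(e["ip"] for e in events if e["kind"] == "ssh_failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def successes_after_failures(events, threshold=3):
    """(ip, user, method) for logins accepted from an IP that had already failed
    `threshold` or more times: the signature of a brute force that succeeded."""
    fails, hits = Counter(), []
    for e in events:
        if e["kind"] == "ssh_failed":
            fails[e["ip"]] += 1
        elif e["kind"] == "ssh_accepted" and fails[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"], e["method"]))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    events = parse_auth_log(text)
    for e in account_changes(events):
        print(e["ts"], e["kind"], {k: v for k, v in e.items() if k not in ("ts", "host", "prog", "kind")})
    print("brute-force sources:", brute_force_sources(events))
    print("successful logins after brute force:", successes_after_failures(events))
```

Read together, the sample tells the whole story the lesson describes: a password brute force against root succeeds, and a few minutes later a "support" user is created, given a password and added to sudo. The single failed attempt by alice followed by a key-based login is normal and stays below the threshold.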
Identification of Users That Can Conduct SSH
During the incident response it may be necessary to identify the users who can log in to the device remotely via SSH. On Windows you can learn which users can use RDP by listing the members of the "Remote Desktop Users" group. There is no equivalent group on Linux, so the following steps are needed to determine who can log in via SSH.
1. By reading the /etc/passwd file, the users on the system are listed.
2. Users who do not have a valid login shell (one listed in /etc/shells; nologin and false do not count) are removed from the list.
3. Users who do not have valid passwords (an empty, locked or never-set shadow field) are removed from the list.
4. Users with SSH permissions are determined from /etc/ssh/sshd_config (and the files it includes from /etc/ssh/sshd_config.d). If "AllowUsers" is specified, only the listed users can use the SSH service; "DenyUsers", "AllowGroups" and "DenyGroups" work the same way, and "PermitRootLogin" controls whether root may log in at all. The effective configuration can be printed with sshd -T.
Note that step 3 only holds for password authentication: a user whose password is locked can still log in with an SSH key if a matching entry exists in their authorized_keys file (see the SSH Authorized Keys lesson).
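The four steps above, as an added example (not the lesson's code) applied to constructed /etc/passwd, /etc/shadow, /etc/shells and sshd_config contents (hashes are placeholders). It treats a shell as valid when it is listed in /etc/shells, a password as usable when the shadow field is non-empty and not locked, and honours PasswordAuthentication, PermitRootLogin, DenyUsers and AllowUsers in that order of precedence; AllowGroups/DenyGroups and Match blocks are left out, and on hosts with Include directives the effective configuration should be taken from sshd -T instead. It covers password logins only: a user with a locked password can still log in with an SSH key.

```python
from fnmatch import fnmatch

# Constructed inputs (not from a real host). Hashes are placeholders.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/usr/bin/zsh
dave:x:1003:1003:Dave:/home/dave:/bin/bash
support:x:1004:1004::/home/support:/bin/bash
"""
SHADOW_TEXT = """\
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19700:0:99999:7:::
bob:!$6$saltsalt$placeholderhash:19700:0:99999:7:::
carol:$6$saltsalt$placeholderhash:19700:0:99999:7:::
dave:$6$saltsalt$placeholderhash:19700:0:99999:7:::
support:$6$saltsalt$placeholderhash:19729:0:99999:7:::
"""
SHELLS_TEXT = "/bin/sh\n/bin/bash\n/usr/bin/zsh\n"      # constructed /etc/shells
SSHD_CONFIG_TEXT = """\
# constructed /etc/ssh/sshd_config excerpt
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowUsers alice carol support
DenyUsers carol
"""


def parse_sshd_config(text):
    """Keyword -> list of values, keys lower-cased (sshd keywords are case-insensitive).
    Stops at the first Match block, whose directives apply only conditionally."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, []).extend(parts[1].split() if len(parts) > 1 else [])
    return cfg


def listed(user, patterns):
    """AllowUsers/DenyUsers entries may be USER or USER@HOST and may use * and ? wildcards."""
    return any(fnmatch(user, p.split("@", 1)[0]) for p in patterns)


def ssh_password_capable(passwd_text, shadow_text, shells_text, sshd_config_text):
    """Apply the lesson's four steps; returns (allowed users, {user: reason excluded})."""
    valid_shells = {s.strip() for s in shells_text.splitlines() if s.strip()}
    usable_hash = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, h = line.split(":")[:2]
            usable_hash[name] = bool(h) and h[0] not in "!*"   # not empty, not locked/unset
    cfg = parse_sshd_config(sshd_config_text)
    allowed, excluded = [], {}
    if cfg.get("passwordauthentication", ["yes"])[0].lower() == "no":
        return allowed, {"*": "PasswordAuthentication no"}
    root_login = cfg.get("permitrootlogin", ["prohibit-password"])[0]   # OpenSSH default
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, shell = fields[0], fields[6]
        if shell not in valid_shells:
            excluded[user] = f"shell {shell} not in /etc/shells"
        elif not usable_hash.get(user, False):
            excluded[user] = "password empty, locked or never set"
        elif user == "root" and root_login.lower() != "yes":
            excluded[user] = "PermitRootLogin " + root_login
        elif listed(user, cfg.get("denyusers", [])):
            excluded[user] = "listed in DenyUsers"
        elif "allowusers" in cfg and not listed(user, cfg["allowusers"]):
            excluded[user] = "not listed in AllowUsers"
        else:
            allowed.append(user)
    return allowed, excluded


if __name__ == "__main__":
    allowed, excluded = ssh_password_capable(PASSWD_TEXT, SHADOW_TEXT, SHELLS_TEXT, SSHD_CONFIG_TEXT)
    print("can log in via SSH with a password:", allowed)
    for user, reason in excluded.items():
        print(f"  excluded {user}: {reason}")
```

The reasons in the excluded map matter as much as the allowed list: "support" passing every check is the finding here, while carol being listed in both AllowUsers and DenyUsers is resolved the way sshd does it, with the deny winning.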

Eradication
At the end of the incident response, the system must be restored to its working condition in a way that has not been affected by
the cyber-attack.
Users added by the attacker should be deleted from the system. You can delete the user and the user's home directory with the
following command.
userdel -r USERNAME

Unauthorized users should be removed from groups with high authorizations. You can remove the user from the group with the
command below.
gpasswd -d USERNAME GROUP

The sudo authorization given to the user must be removed. You can edit sudo authorizations with the visudo command.
visudo

Passwords of users that should not be deleted should be changed and their SSH keys should be regenerated.
You can use the passwd command to change the user's password.
passwd USERNAME

In order to regenerate a user's SSH keys, the old key pair in the user's ~/.ssh directory must be deleted first and a new pair generated with ssh-keygen; any authorized_keys entries the attacker added must be removed as well (covered in the SSH Authorized Keys lesson).

Lab Environment

Questions

Examine the /etc/passwd file. What is the name of the compromised account?
Answer Format: ****