linux-cti

Live URL: https://aminbiography.github.io/linux-cti/


Linux for CTI

This repository documents essential Linux knowledge required for Cyber Threat Intelligence (CTI), SOC operations, threat hunting, and security automation. Each section includes commands, explanations, and expected outputs.


Linux Core Concepts

filesystem, permissions, users, processes, networking, logs, services,
bash scripting, package management, security, monitoring

1) Linux Distributions and Installation

Common Linux distributions used in CTI and security:

Check OS details:

cat /etc/os-release

Output (example):

NAME="Ubuntu"
VERSION="22.04.3 LTS (Jammy Jellyfish)"

2) Linux Shell Basics

Check current user:

whoami

Output:

amein

Check hostname:

hostname

Output:

cti-lab

3) Linux File System Structure

Key directories:

Directory   Purpose
/           Root filesystem
/etc        Configuration files
/var        Logs, spool files
/home       User home directories
/tmp        Temporary files
/usr        User binaries and libraries

List root directories:

ls /

Output (example):

bin  boot  dev  etc  home  lib  proc  tmp  usr  var

4) Working with Files and Directories

Create directories and files:

mkdir cti-labs
cd cti-labs
touch report.txt

List files:

ls -l

Output:

-rw-r--r-- 1 amein amein 0 report.txt

5) Viewing File Contents

echo "Threat report draft" > report.txt
cat report.txt

Output:

Threat report draft

Other useful commands:

less report.txt
head report.txt
tail report.txt

6) File Permissions and Ownership

Check permissions:

ls -l report.txt

Output:

-rw-r--r-- 1 amein amein report.txt

Change permissions:

chmod 600 report.txt

Change ownership (requires sudo):

sudo chown root:root report.txt

7) Users and Groups

View current user ID:

id

Output:

uid=1000(amein) gid=1000(amein) groups=1000(amein)

List users:

cat /etc/passwd

8) Process Management

List running processes:

ps aux

Output (sample):

root     1023  0.0  systemd
amein    2345  0.1  bash

Real-time monitoring:

top

Kill a process:

kill 2345

9) Disk Usage and Monitoring

Check disk usage:

df -h

Output:

Filesystem  Size  Used Avail Use%
/dev/sda1    50G   12G   36G  25%

Check directory size:

du -sh /var/log

10) Networking Basics

Check IP address:

ip a

Output (example):

inet 192.168.1.20/24

Check active connections:

ss -tulnp

11) DNS and Connectivity Testing

ping google.com

Output:

64 bytes from google.com: icmp_seq=1 ttl=117

DNS lookup:

nslookup google.com

12) Package Management (APT)

Update package list:

sudo apt update

Install a package:

sudo apt install curl

Verify installation:

curl --version

13) Log Analysis (Critical for CTI)

System logs:

ls /var/log

Authentication logs:

sudo cat /var/log/auth.log

Output (example):

Failed password for invalid user admin from 45.33.32.156

14) Searching Logs and Files (grep)

grep "Failed password" /var/log/auth.log

Output:

Failed password for root from 45.33.32.156

Recursive search:

grep -R "malware" /var/log

15) Bash Variables and Environment

export CTI_LEVEL=advanced
echo $CTI_LEVEL

Output:

advanced

16) Bash Scripting Basics

Create script:

nano scan.sh

Script content:

#!/bin/bash
echo "Starting CTI scan..."
date

Make executable:

chmod +x scan.sh
./scan.sh

Output:

Starting CTI scan...
Mon Dec 15 07:30:12 UTC 2025

17) Conditional Logic in Bash

if [ -f report.txt ]; then
  echo "Report exists"
else
  echo "Report missing"
fi

Output:

Report exists

18) Loops in Bash

for ip in 8.8.8.8 1.1.1.1; do
  ping -c 1 "$ip"
done

Output (example):

PING 8.8.8.8
PING 1.1.1.1
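The following script is an added example, not part of this repository, that ties sections 13, 14 and 16 to 18 together: it greps an auth.log-style file for "Failed password" events, counts them per source IP, flags IPs over a threshold, and uses a for loop with an if/else to check a watchlist. The log lines are constructed samples written to a temp file; hostnames, PIDs and the 10.0.0.9 watchlist entry are invented for the demo.

```bash
#!/bin/bash
# Added example: triage "Failed password" events from an auth.log-style file.
# Not part of the original repository; the log lines below are constructed samples.

set -eu

# Write a small constructed auth.log sample to a temp file and print its path.
make_sample_log() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
Dec 15 07:30:01 cti-lab sshd[2101]: Failed password for invalid user admin from 45.33.32.156 port 51000 ssh2
Dec 15 07:30:03 cti-lab sshd[2101]: Failed password for invalid user admin from 45.33.32.156 port 51002 ssh2
Dec 15 07:30:05 cti-lab sshd[2103]: Failed password for root from 45.33.32.156 port 51004 ssh2
Dec 15 07:31:10 cti-lab sshd[2107]: Failed password for amein from 192.168.1.50 port 40010 ssh2
Dec 15 07:32:00 cti-lab sshd[2110]: Accepted publickey for amein from 192.168.1.50 port 40012 ssh2
EOF
  printf '%s\n' "$f"
}

# Count failed password attempts per source IP, most frequent first.
# Output format: "<count> <ip>", one per line.
failed_by_ip() {
  grep 'Failed password' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Print IPs whose failure count meets a threshold (a simple brute-force signal).
ips_over_threshold() {
  local file="$1" threshold="$2"
  failed_by_ip "$file" | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Usernames tried that do not exist on the host ("invalid user"), deduplicated.
invalid_users() {
  grep 'Failed password for invalid user' "$1" \
    | sed -n 's/.*invalid user \([^ ]*\) from.*/\1/p' \
    | sort -u
}

# Loop over a watchlist of IPs and report whether each one appears in the log.
check_watchlist() {
  local file="$1"; shift
  local ip
  for ip in "$@"; do
    if grep -qF "from $ip port" "$file"; then
      echo "$ip seen"
    else
      echo "$ip not seen"
    fi
  done
}

# Demo run (the same calls the test below asserts on).
LOG="$(make_sample_log)"
echo "Failures per IP:";        failed_by_ip "$LOG"
echo "IPs with >= 3 failures:"; ips_over_threshold "$LOG" 3
echo "Invalid usernames:";      invalid_users "$LOG"
check_watchlist "$LOG" 45.33.32.156 10.0.0.9
rm -f "$LOG"
```

Run it on a real host by replacing the temp file with /var/log/auth.log (read with sudo); the threshold in ips_over_threshold is the knob to tune for your environment.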

19) Cron Jobs (Automation)

Edit cron jobs:

crontab -e

Example:

0 2 * * * /home/amein/scan.sh

Runs script daily at 02:00.


20) System Services (systemd)

Check service status:

systemctl status ssh

Restart a service:

sudo systemctl restart ssh

21) File Integrity and Hashing

sha256sum report.txt

Output:

a3f5c1e7f2d9... report.txt

Used in malware analysis and IOC validation.
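As an added example (not code from this repository), the script below uses sha256sum for the two CTI tasks just mentioned: matching a file's digest against an IOC list, and building and verifying an integrity baseline for a directory. The sample files and the IOC list are constructed; the digest used for the IOC entry is the well-known SHA-256 of the string "abc".

```bash
#!/bin/bash
# Added example: sha256sum for IOC matching and integrity baselines.
# Not from the original repository; files and IOC hashes below are constructed.

set -eu

# Print only the digest (sha256sum prints "<hash>  <name>").
file_sha256() {
  sha256sum "$1" | awk '{print $1}'
}

# Check a file's digest against an IOC list (one sha256 per line, any case).
# Prints MATCH or CLEAN; returns 0 on a match, 1 otherwise.
match_ioc() {
  local file="$1" ioc_list="$2" digest
  digest="$(file_sha256 "$file")"
  if grep -qix "$digest" "$ioc_list"; then
    echo "MATCH $digest $file"
    return 0
  fi
  echo "CLEAN $digest $file"
  return 1
}

# Record digests for every regular file under a directory (an integrity baseline).
# Store the baseline outside the directory it describes.
make_baseline() {
  (cd "$1" && find . -type f | sort | xargs -r sha256sum)
}

# Verify a directory against a baseline; sha256sum reports changed files.
# Returns 0 if everything matches, non-zero otherwise.
verify_baseline() {
  local dir="$1" baseline="$2"
  (cd "$dir" && sha256sum --quiet -c) < "$baseline"
}

# Demo run on a constructed working directory.
WORK="$(mktemp -d)"
printf 'abc' > "$WORK/sample.bin"
printf 'Threat report draft\n' > "$WORK/report.txt"
printf 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n' > "$WORK/iocs.txt"
match_ioc "$WORK/sample.bin" "$WORK/iocs.txt" || true
match_ioc "$WORK/report.txt" "$WORK/iocs.txt" || true
make_baseline "$WORK" > "$WORK.baseline"
verify_baseline "$WORK" "$WORK.baseline" && echo "baseline OK"
echo tampered >> "$WORK/report.txt"
verify_baseline "$WORK" "$WORK.baseline" || echo "baseline FAILED (expected after tampering)"
rm -rf "$WORK" "$WORK.baseline"
```

The baseline approach is the same idea as `sha256sum -c` on a vendor-provided checksum file: the digests are only useful if the baseline itself is stored somewhere an attacker on the host cannot rewrite.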


22) Archive and Compression

tar -czvf logs.tar.gz /var/log

Extract:

tar -xzvf logs.tar.gz

23) Permissions Abuse Detection

Find world-writable files:

find / -perm -002 -type f 2>/dev/null
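The script below is an added example, not part of this repository, that wraps the world-writable check above in reusable functions and adds the companion check for setuid/setgid files. It builds a small constructed directory tree (normal file, world-writable file, setuid script) so the checks can be exercised without scanning the real filesystem.

```bash
#!/bin/bash
# Added example: audit a directory tree for risky permission bits.
# Not part of the original repository; the demo tree is constructed at run time.

set -eu

# Regular files any user can modify (world-writable bit set).
find_world_writable() {
  find "$1" -type f -perm -002 2>/dev/null | sort
}

# Regular files carrying the setuid or setgid bit.
find_setuid_setgid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# One-line summary: "<world-writable count> <setuid/setgid count>".
audit_summary() {
  local ww su
  ww="$(find_world_writable "$1" | wc -l | tr -d ' ')"
  su="$(find_setuid_setgid "$1" | wc -l | tr -d ' ')"
  printf '%s %s\n' "$ww" "$su"
}

# Build a constructed demo tree and print its path.
make_demo_tree() {
  local d
  d="$(mktemp -d)"
  printf 'ok\n' > "$d/normal.conf";   chmod 644 "$d/normal.conf"   # expected: clean
  printf 'ok\n' > "$d/shared.log";    chmod 666 "$d/shared.log"    # world-writable
  printf '#!/bin/sh\n' > "$d/helper"; chmod 4755 "$d/helper"       # setuid
  printf '%s\n' "$d"
}

# Demo run.
DEMO="$(make_demo_tree)"
echo "World-writable:";  find_world_writable "$DEMO"
echo "Setuid/setgid:";   find_setuid_setgid "$DEMO"
echo "Summary (ww su):"; audit_summary "$DEMO"
rm -rf "$DEMO"
```

Point the functions at / for a host-wide sweep (as the original command does) and diff the output against a known-good run; new entries are what warrant a look.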

24) Network Capture (tcpdump)

sudo tcpdump -i eth0

Save capture:

sudo tcpdump -i eth0 -w traffic.pcap

25) Linux Security Basics

Check open ports (netstat comes from the net-tools package; ss -tulnp from section 10 is the modern equivalent):

sudo netstat -tulnp

Check firewall:

sudo ufw status

26) SSH and Remote Access

ssh user@192.168.1.10

Generate SSH key:

ssh-keygen

27) Sudo and Privilege Escalation Awareness

sudo -l

Output:

User amein may run the following commands

Critical for privilege escalation assessments.


28) Malware Analysis Utilities

Install tools (the strings command is part of binutils, there is no separate strings package):

sudo apt install binutils

Extract strings:

strings suspicious.bin
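As an added example (not from this repository), the script below shows what a CTI analyst usually does right after running strings: pull IPv4 addresses and URLs out of the printable strings of a binary. It includes a small tr/awk stand-in for "strings -n 4" so it also runs on a host without binutils. The sample binary is constructed inline and uses a documentation IP (198.51.100.23) and the reserved .invalid domain.

```bash
#!/bin/bash
# Added example: extract printable strings and simple network IOCs from a binary.
# Not part of the original repository; the sample binary is constructed below.

set -eu

# Minimal stand-in for "strings -n 4": keep runs of printable bytes >= 4 long.
printable_strings() {
  tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# IPv4-looking tokens found in the printable strings, deduplicated.
extract_ipv4() {
  printable_strings "$1" | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort -u
}

# http(s) URLs found in the printable strings, deduplicated.
extract_urls() {
  printable_strings "$1" | grep -oE 'https?://[^ "<>]+' | sort -u
}

# Write a constructed "binary" (ELF magic, junk bytes, embedded strings) and print its path.
make_sample_binary() {
  local f
  f="$(mktemp)"
  printf '\177ELF\001\002\000\000http://example.invalid/update\000\000\001\003198.51.100.23\000\377\376GET /beacon\000' > "$f"
  printf '%s\n' "$f"
}

# Demo run.
BIN="$(make_sample_binary)"
echo "Printable strings:"; printable_strings "$BIN"
echo "IPv4 candidates:";   extract_ipv4 "$BIN"
echo "URL candidates:";    extract_urls "$BIN"
rm -f "$BIN"
```

On a real sample, replace printable_strings with `strings -n 4 "$1"` once binutils is installed; the grep patterns are deliberately loose, so treat the output as candidates to validate, not confirmed indicators.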

29) File System Monitoring

inotifywait -m /var/log

Detects file changes in real time (inotifywait is provided by the inotify-tools package).


30) Linux for CTI Use Cases


Final Notes

This repository is designed to be:

