Evidence Category · 9 Questions
Linux Auth Logs
Measures correlation of Linux authentication logs.
Questions in This Category
Q048: Attacker's true source IP in AUTH.LOG? (correlation)
Q049: Compromised SSH account?
Q050: Which persistence method did the attacker use?
Q051: How many failed attempts before the attacker succeeded?
Q124: Which command did the compromised account run?
Q125: Date of the forged log entry (time inconsistent)?
Q126: State of the AUTH.LOG file?
Q158: At what time did the attacker first succeed?
Q173: Which service do the AUTH.LOG records belong to?