SLeek is an interactive Linux threat-hunting script that guides an analyst through a structured, command-line examination of a system for signs of malware and compromise.
SLeek covers the basics of manual triage of a system for signs of malware.
The script is intended for users who are familiar with Linux. SLeek runs a set of investigative checks and relies on the analyst to interpret results and perform follow-up analysis where required.
SLeek can be run in Explanation Mode (enabled by default), which prints an explanation alongside each check describing its purpose and giving examples of how the results can indicate the presence of malware.
Many included checks are based on SandflySecurity's Linux Compromise Assessment Command Cheat Sheet, see here and here. SLeek also includes options to run Rootkit Hunter (rkhunter) and Chkrootkit, which scan for known rootkits and malware.
Run SLeek:
sudo ./SLeek.sh
It will present you with options to run a "quick check" or a "full check".
Quick check includes:
- process listing
- network connections listing
- a check for deleted binaries
- user checks (details below)
Full check includes:
- process checks
- file & directory checks
- user checks
- log checks
- rootkit checks
Full check will also prompt for the number of days back to examine; this value is used in various checks (e.g. a check may search only for files modified in the last N days).
More details on what each check includes are given below. Running the script with Explanation Mode enabled displays further details about each check as it runs. Modify the script to turn Explanation Mode off.
Note: SLeek is written for Debian-based systems, so some checks will not be effective on other systems.
Process checks include:
- process listing
- examination of any selected process, which includes:
  - examination of the process's /proc entries
  - network connections
  - binary capabilities
  - package information
  - SHA256 hash
  - resource usage checks
- network connections listing
- raw sockets listing
- deleted binaries check
- check for processes with a suspicious current working directory
- display mismatches between comm / cmdline / exe values
File & directory checks include:
- check for locations commonly used for malware persistence
  - includes: scheduled tasks, services, kernel modules, rc files and autostart files
- tamper checks for dpkg-installed binaries
- check for executables in locations frequently used by malware
- check for files with no user/group name
- search for immutable files/directories
- check files used by LD_PRELOAD
- check for binaries with high-risk capabilities
- search for hidden directories
User checks include:
- check for suspicious users, elevated permissions and groups with special privileges
- check and display contents of any SSH authorized keys file found
- check any user history files linked to /dev/null
- check user logins
Log checks include:
- check for size 0 log files
- check for log files containing control characters
Rootkit checks include:
- runs Rootkit Hunter (rkhunter) and Chkrootkit (offering to install them if not currently installed) to scan for known rootkits
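The comm / cmdline / exe mismatch check listed under the process checks above, as an added example in POSIX sh that is not SLeek's own code: it normalises the three names the way the kernel presents them (the 15-character comm limit, the " (deleted)" suffix on the exe link, the leading "-" of a login shell's argv[0]) before comparing them. The helper names norm_name, names_match and scan_procs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of SLeek: compare the three names the kernel
# keeps for a process and report those that disagree.

# Normalise a name for comparison (hypothetical helper):
#  - drop the " (deleted)" suffix the kernel appends to /proc/PID/exe
#    when the backing file has been unlinked
#  - take the basename and drop the leading "-" of a login shell's argv[0]
#  - keep 15 characters, the limit of /proc/PID/comm (TASK_COMM_LEN - 1)
norm_name() {
    n=${1%" (deleted)"}
    n=$(basename -- "$n")
    n=${n#-}
    printf '%.15s' "$n"
}

# names_match COMM ARGV0 EXE -> exit 0 if all three agree, 1 otherwise
names_match() {
    c=$(norm_name "$1"); a=$(norm_name "$2"); e=$(norm_name "$3")
    [ "$c" = "$a" ] && [ "$c" = "$e" ]
}

# Walk /proc on the live system and print one line per mismatch.
# Kernel threads (empty cmdline) are skipped; unreadable exe links
# (other users' processes when not running as root) are skipped as well.
scan_procs() {
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        argv0=$(tr '\0' '\n' 2>/dev/null < "$p/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        names_match "$comm" "$argv0" "$exe" && continue
        printf 'PID %s: comm=%s argv0=%s exe=%s\n' \
            "${p#/proc/}" "$comm" "$argv0" "$exe"
    done
}
```

Run scan_procs as root so every /proc/PID/exe is readable; interpreters reached through versioned symlinks (comm python3, exe python3.11) and daemons that rewrite their own argv[0] will show up as mismatches and need the analyst's judgement, which is the follow-up SLeek expects.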