BTLO Incident Response Case Study: Pranoid
Executive Summary

A forensic review of Linux auditd logs confirms that the host was compromised through an external SSH brute-force attack. The attacker authenticated as a low-privileged user, executed automated system enumeration, escalated privileges using a local sudo vulnerability, accessed sensitive credential material, and attempted basic anti-forensic cleanup. The entire intrusion lifecycle occurred within approximately six minutes.
Scope and Evidence

Primary artifact:
  audit.log (Linux auditd)

Tools used:
  aureport
  ausearch
  Manual timeline correlation

Observed timeframe:
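The correlation that aureport and ausearch support can also be reproduced offline when only a raw audit.log is available. The following is an added example, not the case study's own evidence or tooling: it parses auditd USER_AUTH / USER_LOGIN / USER_CMD / USER_END records, flags a source address whose burst of failed sshd authentications is followed by a success (the brute-force pattern in the summary), then pivots on the auditd session id (ses) from the matching USER_LOGIN to recover the attacker's session timeline and its duration. The log lines, the 203.0.113.5 / 198.51.100.7 addresses, the account names and the "5 failures in 60 seconds" threshold are all constructed assumptions for illustration.

```python
"""Correlate sshd authentication events in a Linux auditd log (added example)."""
import re
from collections import defaultdict

# Constructed sample records (not the case-study log): six failed sshd PAM
# authentications for "dev" from 203.0.113.5 within ~15 s, then a success,
# the resulting login (ses=7), one sudo command and the session close.
# A single benign failure/success from 198.51.100.7 is mixed in as a control.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1700000000.101:301): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000003.100:302): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000006.100:303): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000005.900:310): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000009.100:304): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000009.100:311): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1700000012.100:305): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000015.100:306): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000016.400:307): pid=2201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700000017.020:312): pid=2201 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/0 res=success'
type=USER_CMD msg=audit(1700000140.550:330): pid=2310 uid=1001 auid=1001 ses=7 msg='cwd="/home/dev" cmd=6964202D75 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_END msg=audit(1700000372.000:360): pid=2201 uid=0 auid=1001 ses=7 msg='op=PAM:session_close grantors=pam_unix acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
"""

AUDIT_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """Parse one auditd line into a flat dict; the nested msg='...' block is
    merged into the top-level fields. Returns None for non-audit lines."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    inner = re.search(r"msg='([^']*)'", body)
    if inner:
        body = body[: inner.start()] + inner.group(1)
    for key, raw in KV_RE.findall(body):
        val = raw.strip('"')
        # auditd hex-encodes an unquoted cmd= value when it contains spaces
        if key == "cmd" and not raw.startswith('"') and len(val) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def detect_ssh_bruteforce(records, threshold=5, window=60.0):
    """Per source address: >= threshold failed sshd auths inside `window`
    seconds followed by a success from the same address is one finding."""
    by_addr = defaultdict(list)
    for r in records:
        if r["type"] == "USER_AUTH" and r.get("exe") == "/usr/sbin/sshd" and "addr" in r:
            by_addr[r["addr"]].append(r)
    findings = []
    for addr, recs in by_addr.items():
        recent_fail = []  # timestamps of failures still inside the window
        for r in sorted(recs, key=lambda x: (x["ts"], x["serial"])):
            recent_fail = [t for t in recent_fail if r["ts"] - t <= window]
            if r.get("res") == "failed":
                recent_fail.append(r["ts"])
            elif r.get("res") == "success" and len(recent_fail) >= threshold:
                findings.append({"addr": addr, "acct": r.get("acct"), "failures": len(recent_fail),
                                 "first_failure": recent_fail[0], "success": r["ts"]})
                recent_fail = []
    return findings


def session_timeline(records, addr):
    """Pivot from the first successful USER_LOGIN from `addr` to its auditd
    session id, then return every record of that session as (ts, type, detail)."""
    logins = [r for r in records if r["type"] == "USER_LOGIN" and r.get("addr") == addr and r.get("res") == "success"]
    if not logins:
        return []
    ses = min(logins, key=lambda r: r["ts"])["ses"]
    events = sorted((r for r in records if r.get("ses") == ses), key=lambda r: (r["ts"], r["serial"]))
    return [(r["ts"], r["type"], r.get("cmd") or r.get("op", "")) for r in events]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in detect_ssh_bruteforce(recs):
        print(f"brute force from {f['addr']}: {f['failures']} failures, success as {f['acct']} at {f['success']:.3f}")
        tl = session_timeline(recs, f["addr"])
        for ts, typ, detail in tl:
            print(f"  {ts:.3f} {typ:<10} {detail}")
        print(f"  session duration: {tl[-1][0] - tl[0][0]:.1f} s")
```

The USER_AUTH records carry ses=4294967295 (unset) because no session exists yet, so the pivot has to go through USER_LOGIN, which is the first record that binds the source address to a session id; on a real log the same pivot is `ausearch --session <ses>` once the id is known.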