
Most SOC analysts scroll right past this command in their logs. That's a mistake.
pwd — print working directory — is taught on day one of every Linux course and dismissed as too basic to matter. But in real-world incident response, it's often the very first command an attacker runs after gaining shell access. Before privilege escalation. Before lateral movement. Before anything else.
Web application exploits routinely drop attackers into unpredictable directories depending on the vulnerable service (Apache, Tomcat, Node.js, a CMS plugin, etc.). pwd is how they instantly reorient — a low-noise, zero-footprint way to figure out whether they've landed in a web root, a home directory, or something far more valuable.
A typical post-exploitation sequence looks like this:
pwd
whoami
id
uname -a
This pattern maps directly to MITRE ATT&CK discovery techniques like System Owner/User Discovery and File and Directory Discovery — and for defenders, seeing pwd as the first command in a session is a strong signal you're looking at the true start of an intrusion.
In the full guide, I break down:
- Why attackers use
pwdduring post-exploitation - A real reverse shell attack walkthrough
- 10 practical
pwdcommand variations every analyst should know (pwd -L,pwd -P, and more) - How to detect discovery-phase behavior using SIEM correlation rules
- Field-tested incident response tips
Read the full breakdown here:
Top comments (0)