DEV Community

Shubham Chaudhary
Shubham Chaudhary

Posted on

The "Basic" Linux Command That Exposes Hackers Before They Attack


Most SOC analysts scroll right past this command in their logs. That's a mistake.

pwd — print working directory — is taught on day one of every Linux course and dismissed as too basic to matter. But in real-world incident response, it's often the very first command an attacker runs after gaining shell access. Before privilege escalation. Before lateral movement. Before anything else.

Web application exploits routinely drop attackers into unpredictable directories depending on the vulnerable service (Apache, Tomcat, Node.js, a CMS plugin, etc.). pwd is how they instantly reorient — a low-noise, zero-footprint way to figure out whether they've landed in a web root, a home directory, or something far more valuable.

A typical post-exploitation sequence looks like this:

pwd
whoami
id
uname -a
Enter fullscreen mode Exit fullscreen mode

This pattern maps directly to MITRE ATT&CK discovery techniques like System Owner/User Discovery and File and Directory Discovery — and for defenders, seeing pwd as the first command in a session is a strong signal you're looking at the true start of an intrusion.

In the full guide, I break down:

  • Why attackers use pwd during post-exploitation
  • A real reverse shell attack walkthrough
  • 10 practical pwd command variations every analyst should know (pwd -L, pwd -P, and more)
  • How to detect discovery-phase behavior using SIEM correlation rules
  • Field-tested incident response tips

Read the full breakdown here:

pwd Command in Cybersecurity: What SOC Analysts Must Know

Discover how the Linux pwd command reveals hacker activity. A SOC analyst's guide to detection, forensics & real-world attack scenarios.

favicon xpert4cyber.com

cybersecurity #linux #security #beginners

Top comments (0)