Review /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) for brute-force attempts or successful logins from unknown IPs.

C. Persistence Mechanisms

Identifying a .tar or .zip archive created by the attacker containing sensitive data (e.g., /etc/shadow or user documents).

4. Remediation Recommendations

Disconnect from the network to prevent further data exfiltration.
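One way to triage the auth.log / secure review step above, as an added example that is not part of the original page: it parses sshd "Failed password" and "Accepted" messages, counts failures per source IP, and flags successful logins from IPs outside an analyst-supplied allowlist. The allowlist, the failure threshold of 5 and the sample log lines are constructed assumptions, not values from the page.

```python
import re
import sys
from collections import Counter

# Constructed sample auth.log excerpt (sshd message format is the same in /var/log/secure).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51422 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Mar  3 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.7 port 51425 ssh2
Mar  3 10:01:08 host sshd[1207]: Failed password for root from 203.0.113.7 port 51426 ssh2
Mar  3 10:01:10 host sshd[1209]: Failed password for root from 203.0.113.7 port 51427 ssh2
Mar  3 10:01:12 host sshd[1211]: Accepted password for root from 203.0.113.7 port 51428 ssh2
Mar  3 10:05:30 host sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 10:06:00 host sshd[1310]: Failed password for bob from 192.0.2.10 port 40001 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist; make it optional.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze_auth_log(text, known_ips, threshold=5):
    """Return brute-force sources, logins from unknown IPs, and successes after brute force."""
    failures = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append({"user": user, "ip": ip, "method": method})
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    unknown_logins = [a for a in accepted if a["ip"] not in known_ips]
    # Highest priority: a successful login from an IP that was also brute-forcing.
    after_bruteforce = [a for a in accepted if a["ip"] in brute_force]
    return {"brute_force": brute_force, "unknown_logins": unknown_logins,
            "successes_after_bruteforce": after_bruteforce}


if __name__ == "__main__":
    # Usage: python triage.py [/var/log/auth.log]; falls back to the constructed sample.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for key, value in analyze_auth_log(log_text, known_ips={"192.0.2.10"}).items():
        print(key, value)
```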
Using , the following artifacts are typically prioritized: