3.3.11. Add Linux UAC Output

You can import the output of the Linux UAC tool into Cyber Triage. The files in the output will be parsed, and artifacts will be created and analyzed.

Watch the Cyber Triage Basics Course Linux UAC video on this technique.

You should use the “-p full” option when you run the collection tool. Otherwise, not enough data will exist for Cyber Triage to analyze.

./uac -p full /tmp

To import a Linux UAC collection:

  1. Extract the contents of the TAR collection to a folder.

mkdir host1_uac
cd host1_uac
tar -zxvf ..\uac-host1-20240426125735.tar.gz

  2. Choose the Linux - UAC button from the Add New Host screen.

  3. Enter a display name (it can be a host name or something more descriptive).

[Screenshot: import_add_uac.png]

  4. Choose the folder the UAC data was extracted to. It should contain subfolders named “[root]” or “bodyfile”.

[Screenshot: import_add_uac_folder.png]

  5. Press Continue to then configure which data types to collect (see Data Collection Types) and malware settings (see Ingest-Time Settings).
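Steps 1 and 4 above (extract the archive, then confirm the folder holds a “[root]” or “bodyfile” subfolder before pointing Cyber Triage at it) as a POSIX shell script. This is an added example, not code from the Cyber Triage documentation or the UAC project. It assumes only what the steps state: a collection taken with “-p full” has “[root]” and/or “bodyfile” directories at the top level of the extracted folder. The archive the script builds for the demonstration is constructed (two marker directories and a one-line bodyfile), not real UAC output.

```shell
#!/bin/sh
# Added example (not part of the Cyber Triage documentation): extract a UAC
# collection and check that the folder has what the import step expects.
# Assumption: a "-p full" UAC archive contains "[root]" and/or "bodyfile"
# directories at its top level, as the import instructions state.

# extract_uac <archive.tar.gz> <destination dir>
# Creates the destination, extracts the archive into it, and returns 0 only
# if a "[root]" or "bodyfile" subfolder exists afterwards (2 if neither does).
extract_uac() {
    archive="$1"
    dest="$2"
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    mkdir -p "$dest" || return 1
    tar -xzf "$archive" -C "$dest" || return 1
    # Quoting keeps the literal directory name "[root]" from being globbed.
    if [ -d "$dest/[root]" ] || [ -d "$dest/bodyfile" ]; then
        echo "OK: $dest looks like a full UAC collection"
        return 0
    fi
    echo "WARNING: neither [root] nor bodyfile found under $dest;" \
         "was UAC run with -p full?" >&2
    return 2
}

# make_sample_collection <out.tar.gz>
# Builds a constructed stand-in for a UAC archive so the check can be tried
# offline: empty "[root]/etc" and "bodyfile" directories plus a one-line
# bodyfile entry. It is not real UAC output.
make_sample_collection() {
    out="$1"
    work=$(mktemp -d) || return 1
    mkdir -p "$work/[root]/etc" "$work/bodyfile" || return 1
    printf '0|/etc/hostname|0|-rw-r--r--|0|0|7|0|0|0|0\n' > "$work/bodyfile/bodyfile.txt"
    tar -czf "$out" -C "$work" . || return 1
    rm -rf "$work"
}

# Stand-alone usage: build the constructed archive, then extract and check it.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    make_sample_collection "$demo/uac-sample.tar.gz"
    extract_uac "$demo/uac-sample.tar.gz" "$demo/host1_uac"
fi
```

Run it as `sh extract_uac.sh demo` to see the check pass on the constructed archive; for a real collection, call `extract_uac uac-host1-<timestamp>.tar.gz host1_uac` and use the resulting folder in step 4. A non-zero exit with the warning means the archive was probably not taken with “-p full”.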