Hacker-Tool Hump-Day – ps

I had less time to work with the new Bash Bunny than I anticipated.  I chewed on what to cover for today, but a team mate (my team lead) at work stumbled upon a new flag for “ps” that we either hadn’t seen before, or had forgotten completely existed, and it’s a pretty cool flag.

The “-T” flag takes a process ID (PID) and presents a “tree” view of it and all of its child processes similarly to how “htop” works.

Being able to see the children of a PID at a glance is nice when you’re trying to track down problems with complicated scripts that fork off lots of children.

To get the entire process view in tree format, just pass in PID 1.

ps -T 1

You can always pass the -o flag to narrow the view.  The example we came across used -o to show the PID, owner, and command.

ps -T 1 -o pid,user,command

This is also useful in an incident response situation to see if there are processes that are spinning off children that don’t make sense.  A long lasting “vi” session running a shell child would be very suspicious, for example.

I know this was short, but it’s a really nice tip to share, which was quick to write up with all the interruptions I’ve had today.

I really appreciate all of my readers.

I hope you’ve enjoyed!

Leave a Reply

Your email address will not be published. Required fields are marked *