The cd Command Every SOC Analyst Should Master: A Linux Navigation Guide for Incident Response
It's 2:55 AM. A SOC analyst at a mid-sized fintech company gets paged for a critical alert: unusual outbound traffic from a production web server. She SSHs into the box, and the next sixty seconds decide whether this is a false positive or a live breach. There's no fancy dashboard here — just a raw terminal. Her first move? cd /var/log. Her second? cd /tmp, because that's where attackers love to stage payloads.
This is the unglamorous truth about cybersecurity: before the SIEM dashboards, before the EDR alerts, before the forensic imaging tools — there's a terminal, and there's the cd command. It's the single most-used command in every incident responder's, penetration tester's, and system administrator's daily workflow. Yet most tutorials treat it like a beginner's toy. In this guide, we're flipping that script and looking at cd the way a real security professional does: as a navigation weapon used both by attackers to hide and by defenders to hunt.
Table of Contents
- What Is the cd Command and Why It Matters in Security
- Real-World Scenario: Tracing an Intrusion Directory by Directory
- Complete cd Command Reference for Security Professionals
- How Attackers Abuse Directory Navigation
- Detection Techniques: Spotting Suspicious Directory Activity
- Prevention and Hardening Strategies
- Expert Tips from the SOC Floor
- Related Articles
- FAQ
- Conclusion
What Is the cd Command and Why It Matters in Security?
cd (change directory) is a built-in shell command in Linux, macOS, and Unix-based systems that moves your working context from one directory to another. On the surface, it looks trivial. But in the context of digital forensics and incident response (DFIR), cd is how analysts physically walk through a compromised filesystem — following an attacker's footprints from an initial web shell drop, through privilege escalation artifacts, into log directories, and finally to persistence mechanisms.
Every enterprise Linux server — whether it's an AWS EC2 instance, a Kubernetes node, or an on-prem database — relies on the same filesystem hierarchy. Knowing it cold, and being fast with cd, is what separates an analyst who contains a breach in 20 minutes from one who's still lost in /usr/share an hour later while data is exfiltrating.
Real-World Scenario: Tracing an Intrusion Directory by Directory
Let's go back to that fintech SOC. The alert flagged a process spawning from /tmp — a classic red flag, since /tmp is world-writable and a favorite staging ground for malware. Here's roughly how the investigation unfolded:
- The analyst used
cd /tmp && ls -lato check for hidden files (dotfiles) dropped by the attacker. - She found a suspicious binary disguised as
.systemd-helper, then usedcd -to jump back to her previous working directory without losing her place. - Next,
cd /var/logto checkauth.logandsecurefor the SSH session that dropped the payload. - She then navigated to the web application root with
cd /var/www/htmlto check for a web shell — the actual entry point. - Finally,
cd ~attacker_service_accountrevealed a home directory that shouldn't have existed, confirming a rogue account had been created for persistence.
None of this required exotic tooling. It required speed, muscle memory, and a rock-solid grasp of directory navigation under pressure — which is exactly why this "basic" command deserves a serious treatment.
Complete cd Command Reference for Security Professionals
Below is a practitioner-focused breakdown of every essential cd variation, including where it fits into real investigative or administrative work.
Basic Navigation
cd /path/to/directory
What it does: Moves directly to the specified absolute path.
When to use it: When you already know the exact location of a suspicious file, log directory, or configuration path (e.g., jumping straight to /etc/cron.d to check for malicious scheduled tasks).
Expected output: No output on success; the shell prompt updates to reflect the new path.
cd ~
What it does: Returns to the current user's home directory.
When to use it: Resetting your position quickly during a long investigation, or checking a user's personal files for indicators of compromise (IOCs) like SSH keys or bash history.
cd ..
What it does: Moves up one directory level.
When to use it: Backing out of a deeply nested application directory during log review.
cd -
What it does: Switches to the last visited directory.
When to use it: This is a huge time-saver during forensic triage — toggle between two directories (e.g., a malware drop location and a log directory) without retyping full paths.
cd ../folder
What it does: Moves up one level, then into a sibling folder.
When to use it: Comparing configuration files across sibling application directories.
cd /
What it does: Jumps to the root directory.
When to use it: Starting a full filesystem sweep, especially when hunting for files planted outside standard directories.
cd ../..
What it does: Moves up two directory levels at once.
When to use it: Speeding up navigation in deeply nested application or container filesystems.
cd .
What it does: Stays in the current directory.
When to use it: Rarely used interactively, but critical in shell scripts (e.g., automated log-collection scripts) where an explicit "current directory" reference is needed.
User and Account Navigation
cd ~username
What it does: Moves to another user's home directory, permissions allowing.
When to use it: Investigating a compromised or suspicious user account, such as a newly created service account used for persistence.
cd ~-
What it does: Moves to the previous working directory (directory stack).
When to use it: Similar to cd -, useful for rapid back-and-forth movement during log correlation.
cd /root
What it does: Navigates to the root user's home directory (requires elevated permissions).
When to use it: Checking for root-level persistence mechanisms — a major red flag if unauthorized files appear here.
Variable and Environment-Based Navigation
cd "$PWD"
What it does: Changes to the current working directory as stored in the PWD environment variable.
When to use it: Common in automated scripts and CI/CD pipelines where directory context needs to be explicit and reliable.
cd "$HOME"
What it does: Moves to the home directory using the HOME environment variable.
When to use it: Portable scripting across different user environments and containers.
Common Directory Shortcuts
cd ~/Desktop
cd ~/Downloads
cd ~/Documents
What they do: Jump directly to common user folders.
Security relevance: The Downloads folder is a frequent landing zone for phishing payloads and drive-by downloads on endpoint machines — one of the first places an endpoint forensic analyst checks.
Absolute vs. Relative Path Navigation
cd /var/log
What it does: Absolute path navigation directly to the system log directory — arguably the single most important directory in any Linux investigation.
cd projects/linux
What it does: Relative path navigation from your current location.
When to use it: Efficient movement within a known project or application directory tree.
Handling Directories With Spaces
cd "My Folder"
cd My\ Folder
What they do: Both handle directory names containing spaces — one using quotes, the other using an escape character.
Security relevance: Attackers sometimes exploit inconsistent space-handling in scripts to hide payloads in oddly named directories that break naive parsing logic.
Returning Home and Verifying Location
cd
What it does: With no arguments, returns to the home directory — identical to cd ~.
cd /etc && pwd
What it does: Changes directory and immediately confirms the new path.
When to use it: Best practice during investigations — always verify your location before running destructive or sensitive commands.
Chained Commands for Investigation Efficiency
cd /var/log && ls
What it does: Navigates and immediately lists directory contents in one line.
When to use it: Standard first move when triaging a new log directory.
cd /etc && ls -la
What it does: Navigates and lists all files, including hidden dotfiles.
Security relevance: Hidden configuration files are a common hiding spot for malicious cron entries, SSH authorized_keys tampering, and rogue systemd units.
[ -d /opt ] && cd /opt
What it does: Conditionally changes directory only if it exists.
When to use it: Essential in automated incident-response scripts run across fleets of servers with inconsistent directory structures — prevents script failures.
How Attackers Abuse Directory Navigation?
Directory navigation isn't just a defender's tool — it's part of an attacker's living-off-the-land (LOTL) toolkit too. Understanding attacker tradecraft here directly improves detection.
- Staging in world-writable directories: Attackers gravitate toward
/tmp,/var/tmp, and/dev/shmbecause any user can write there without special permissions. - Hiding in plain sight: Malicious files are often named to blend in with legitimate system files (e.g.,
.systemd-private-xxxx) inside directories admins rarely inspect closely. - Abusing user home directories: Creating a hidden service account and populating its home directory with persistence scripts is a common technique in cloud compromise cases.
- Directory traversal in scripts: Poorly sanitized
cdor path operations in automation scripts can be exploited for path traversal if user input controls the target directory.
Detection Techniques: Spotting Suspicious Directory Activity
Shell history and auditd logs are your best friends here. A few practical detection angles used in real SOC environments:
- Auditd rules: Configure
auditdto logexecveand directory-change syscalls in sensitive paths like/tmp,/var/tmp, and/etc. - Bash history correlation: Reviewing
.bash_historyfiles across accounts can reveal an attacker's manual navigation pattern — repeatedcdcommands into unusual directories are a strong behavioral IOC. - File integrity monitoring (FIM): Tools like AIDE or OSSEC flag new files appearing in directories where activity should be rare, such as
/rootor/etc/cron.d. - EDR process-tree analysis: Look for shell processes spawning from web server or database service accounts navigating outside their expected working directories — a strong sign of a web shell or SQL injection pivot.
Prevention and Hardening Strategies
- Mount
/tmpand/var/tmpwithnoexecto prevent execution of binaries staged there. - Apply the principle of least privilege so compromised web or application accounts can't navigate into or write to sensitive system directories.
- Enable centralized shell logging (e.g., via
auditdor shell history forwarding to a SIEM) so directory navigation is visible across the entire fleet, not just on the box during a live investigation. - Regularly audit user home directories for unauthorized or orphaned accounts.
- Use configuration management (Ansible, Puppet) to enforce consistent directory permissions across servers, reducing the attack surface attackers rely on for staging.
Expert Tips from the SOC Floor
- Always run
pwdafter acdduring an active investigation — confirming your location prevents costly mistakes when running remediation commands. - Use
cd -aggressively; it's faster than retyping paths and keeps your investigation moving during time-sensitive incidents. - Build a personal "cheat list" of high-value directories (
/var/log,/etc/cron.d,/tmp,~/.ssh) so you can move through them without hesitation under pressure. - In scripts, always guard your
cdcommands with existence checks like[ -d /opt ] && cd /optto avoid silent failures that could break automated response playbooks.
Related Cybersecurity Topics You Should Explore
- pwd Command in Cybersecurity: What SOC Analysts Must Know
- ls Command in Cybersecurity: Full Guide for SOC Analysts
- Linux File & Directory Management Commands Explained (2026 Guide)
- Linux Filesystem Tree Explained: Critical Directories, Security Logs, and Threat Hunting Techniques
- What Is Linux? Why It Powers the Internet, Cybersecurity, and Modern Technology (2026)
- 120+ SOC & DFIR Tools Every Windows Server Incident Responder Needs in 2026
- ntopng: Best Network Traffic Monitoring and Threat Detection Tool for SOC Teams
Frequently Asked Questions
1. Is the cd command itself a security risk?
No, cd is a harmless navigation command. The risk comes from what attackers do once they've navigated into writable or sensitive directories, not from the command itself.
2. Why do attackers prefer /tmp for staging payloads?
Because it's world-writable by default on most Linux systems, requires no special permissions, and is often overlooked in routine monitoring — though modern SOC teams now treat it as a high-priority watch directory.
3. What's the difference between cd - and cd ~-?
cd - switches to your last visited directory and prints the path. cd ~- refers to the previous working directory in the shell's directory stack; in most common shells they behave similarly, though cd - is more universally used.
4. How can I monitor cd command usage across my servers?
Enable shell history logging with timestamps, forward auditd logs to your SIEM, and consider PAM-based session recording tools for privileged accounts.
5. Can a malicious script exploit cd to escape its intended directory?
Yes, if user-controlled input is passed unsanitized into a cd call within a script, it can lead to path traversal issues. Always validate and sanitize any dynamic path input in automation.
6. Should /tmp be mounted with noexec in production environments?
In most cases, yes. Mounting /tmp and /var/tmp with noexec is a widely recommended hardening step that blocks a large class of malware staging techniques.
7. What's the fastest way to verify my current directory during an investigation?
Chain your commands, like cd /etc && pwd, so you get instant path confirmation without an extra keystroke.
Conclusion
The cd command will never make headlines the way a zero-day exploit does. But talk to any experienced SOC analyst, and they'll tell you that mastering basic navigation under pressure is what separates a smooth incident response from a chaotic one. Every breach investigation, every log review, every forensic timeline starts the same way: moving through a filesystem, directory by directory, looking for the story the attacker left behind. Learn these commands until they're muscle memory — because the next time you're paged at 2:47 AM, you won't have time to look them up.







