Linux find Command Tutorial: 20 Real SOC Threat-Hunting Uses
It was 2 a.m. when the alert fired. A mid-size fintech company in Austin had just flagged unusual outbound traffic from a web server that had no business talking to an IP in Eastern Europe. The on-call SOC analyst didn't reach for an expensive EDR dashboard first. She SSH'd into the box and typed a single line into the terminal:
find / -type f -mtime -1 -mmin -60
In under ten seconds, she had a list of every file modified in the last hour, system-wide. Buried in that output was a freshly dropped web shell disguised as upload.php, sitting in a directory it had no reason to be in. No expensive tooling. No waiting on a vendor. Just find, muscle memory, and experience.
This is the reality most cybersecurity training skips: the humble find command is one of the most powerful, underrated incident response and threat-hunting tools available on any Linux system, from a $5 VPS to a Fortune 500 production server. This guide breaks down every core use of find, not as a textbook man-page recap, but as a working SOC analyst, penetration tester, and Linux system administrator would actually use it in the field — for forensics, malware hunting, compliance audits, and day-to-day system hygiene.
Table of Contents
- Why the find Command Still Matters in 2026
- Core find Commands Every Analyst Should Know
- Real-World Scenario: Hunting a Web Shell with find
- Detection & Prevention Techniques Using find
- Expert Tips from the Field
- Related Articles
- FAQ Section
- Conclusion
Why the find Command Still Matters in 2026?
Every enterprise SOC today runs SIEM platforms, EDR agents, and cloud-native detection tools. But when you're doing live incident response on a compromised Linux host — especially in early containment, before a full forensic image is pulled — you don't always have the luxury of waiting for a dashboard to populate. You need answers from the shell, right now.
This is exactly why find remains a staple in real-world digital forensics and incident response (DFIR), penetration testing engagements, and routine Linux server hardening across US enterprises, cloud providers, and government infrastructure. It's fast, it's native to virtually every Linux and Unix distribution, and it doesn't require installing anything that could tip off an attacker still active on the box.
Core find Commands Every Analyst Should Know
1. Find a file by exact name
find /path -name "file.txt"
What it does: Searches recursively through the specified path for a file matching the exact name.
When to use it: When you already have a known indicator of compromise (IOC) — for example, a filename shared in a threat intelligence feed — and need to confirm its presence on a host.
Expected output: The full path to the matching file, or nothing if it doesn't exist.
2. Find all files of a specific type
find /path -type f -name "*.txt"
What it does: Locates every text file under a directory tree.
When to use it: Useful during data discovery audits, e.g., checking whether sensitive configuration or credential files were left behind in plaintext.
Expected output: A list of all matching .txt file paths.
3. Find directories only
find /path -type d -name "foldername"
What it does: Restricts the search to directories with the matching name.
When to use it: Attackers often stage tools in oddly named folders like .tmp_x1 or backup_old. This helps you hunt for suspicious directory structures.
Expected output: Paths to matching directories only, ignoring regular files.
4. Find files larger than a size threshold
find /path -type f -size +10M
What it does: Lists files larger than 10 MB.
When to use it: Ideal for spotting data staging before exfiltration — attackers frequently compress stolen data into a single large archive before shipping it out.
Expected output: File paths exceeding the size threshold, which you can pipe into ls -lh for readable sizes.
5. Find and delete matching files (use with extreme caution)
find /path -type f -name "*.log" -delete
What it does: Permanently deletes every file matching the pattern.
When to use it: Legitimate use includes log rotation cleanup on non-production systems. In an active investigation, never run this — deleting logs destroys evidence and can violate chain-of-custody requirements in a forensic investigation. Always run a dry search first without -delete.
Expected output: No output on success; files are silently removed.
6. Case-insensitive search
find /path -iname "*.jpg"
What it does: Matches files regardless of uppercase or lowercase naming.
When to use it: Malware authors sometimes rename payloads with mismatched case (e.g., Update.EXE) to slip past weak detection rules. Case-insensitive search closes that gap.
Expected output: All matches regardless of letter case.
7. Find empty files
find /path -type f -empty
What it does: Lists zero-byte files.
When to use it: Empty files can indicate failed malware drops, broken persistence scripts, or placeholder files left by automated attack tooling.
Expected output: Paths of all files with zero content.
8. Find empty directories
find /path -type d -empty
What it does: Lists directories with no contents.
When to use it: Helpful during system cleanup audits and identifying leftover artifacts from uninstalled or partially removed software.
Expected output: Paths of empty directories.
9. Find executable files
find /path -type f -executable
What it does: Lists all files with the executable bit set.
When to use it: Critical for hunting in world-writable directories like /tmp or /dev/shm, where attackers commonly drop and execute payloads since these directories often lack strict monitoring.
Expected output: Paths of all executable files under the given directory.
10. Find recently modified files
find /path -type f -mtime -7
What it does: Lists files modified within the last 7 days.
When to use it: One of the fastest ways to spot recent tampering during an active incident. Narrow it further with -mmin -60 for the last hour.
Expected output: Paths of files modified within the time window.
11. Find old, stale files
find /path -type f -mtime +30
What it does: Lists files untouched for over 30 days.
When to use it: Useful for storage cleanup and identifying dormant backdoors that were planted long ago and left inactive to avoid detection.
Expected output: Paths of files older than the threshold.
12. Find files by owner
find /path -user username
What it does: Filters results to files owned by a specific user account.
When to use it: Essential when investigating a compromised or misused service account — you can quickly see everything that account touched.
Expected output: Paths of files owned by the specified user.
13. Find files by group
find /path -group groupname
What it does: Filters results by group ownership.
When to use it: Useful in multi-tenant server environments and privilege audits to confirm group-based access boundaries are respected.
Expected output: Paths of files belonging to the specified group.
14. Find files by permission
find /path -perm 644
What it does: Finds files with an exact permission set.
When to use it: A staple in compliance audits (PCI-DSS, HIPAA, SOC 2) to catch misconfigured permissions, and in penetration testing to find world-writable or overly permissive files that could be abused for privilege escalation.
Expected output: Paths of files matching the exact permission bits.
15. Find symbolic links
find /path -type l
What it does: Lists all symbolic links.
When to use it: Attackers sometimes use symlinks to redirect legitimate-looking paths to malicious binaries elsewhere on disk — a classic persistence and evasion trick worth checking during any host review.
Expected output: Paths of all symbolic links found.
16. Find and execute a command on results
find /path -name "*.tmp" -exec rm {} \;
What it does: Runs a command against every matched file, with {} substituted for the file path.
When to use it: Extremely powerful for batch remediation, such as quarantining or removing confirmed malicious files after validation. Always test with -exec echo {} \; first to preview what would be affected.
Expected output: Depends on the executed command; in this case, silent deletion of matched .tmp files.
17. Find files by extension
find /path -type f -name "*.pdf"
What it does: Searches for all PDF files.
When to use it: Common in data loss prevention (DLP) checks and e-discovery requests where specific document types need to be located quickly.
Expected output: Paths of all matching PDF files.
18. Find files with spaces in the name
find /path -name "* *"
What it does: Matches filenames containing at least one space.
When to use it: Filenames with spaces or unusual characters are sometimes used to hide payloads in plain sight or break naive parsing scripts — worth a periodic sweep.
Expected output: Paths of files whose names include spaces.
19. Find files and show detailed metadata
find /path -type f -exec ls -lh {} \;
What it does: Lists detailed file metadata (size, permissions, owner, timestamp) for every match.
When to use it: When you need context beyond just the filename during triage, this saves a second manual step of running ls yourself.
Expected output: A detailed listing for each matched file.
20. Count total matching files
find /path -type f | wc -l
What it does: Counts the total number of files found.
When to use it: Handy for quick baselining — comparing file counts across snapshots to detect unexpected mass file creation, which can signal ransomware activity or automated malware droppers.
Expected output: A single number representing the file count.
Real-World Scenario: Hunting a Web Shell with find
Let's return to that fintech incident. Once the analyst spotted upload.php in an unusual location, she didn't stop there. She pivoted immediately to confirm scope:
find /var/www -type f -name "*.php" -mtime -3
find /var/www -type f -perm -o+w
find / -type f -name "*.php" -exec grep -l "eval(" {} \;
The first command surfaced every PHP file modified in the last three days — narrowing the blast radius to recent changes only. The second flagged world-writable files in the web root, a classic sign of a misconfigured upload directory that let the attacker plant the shell in the first place. The third hunted for the tell-tale eval() function commonly used to obfuscate malicious PHP payloads.
Within 15 minutes, the team had isolated three additional backdoor files, confirmed the initial access vector (an unrestricted file upload vulnerability), and handed a clean, timestamped file list to the incident response lead for containment. No fancy tooling. Just disciplined use of find.
Detection & Prevention Techniques
- Baseline your file system. Run scheduled
findsweeps (e.g., via cron) to snapshot file counts, permissions, and modification times, then diff against historical baselines to catch anomalies early. - Monitor world-writable directories. Regularly audit
/tmp,/var/tmp, and/dev/shmusingfind /tmp -perm -o+w -type fsince these are prime real estate for dropped payloads. - Combine find with hashing. Pipe results into
sha256sumand compare against known-good hash sets or threat intel feeds to catch tampered binaries. - Watch for SUID/SGID abuse. Use
find / -perm -4000 -type fto list SUID binaries — a favorite target for privilege escalation attacks in penetration tests and real breaches alike. - Automate log-free forensics triage. When SIEM access is delayed,
findcombined with-mtime/-mminfilters gives immediate visibility into what changed and when, buying critical time during containment. - Harden before you hunt. Restrict write permissions on upload directories, enforce least privilege on service accounts, and disable execution on shared temp directories using
noexecmount options to reduce the attack surfacefindwould otherwise need to hunt through.
Expert Tips from the Field
- Always run destructive flags like
-deleteor-exec rmagainst a dry-run first using-printorechoto avoid accidental data loss during a live investigation. - Combine
findwithxargsinstead of-execwhen processing large result sets — it's faster and easier to control in scripts. - Use
-newer referencefileto find anything modified after a known-good file, which is a fast way to establish a timeline around a specific compromise event. - Redirect output to a timestamped file (
find / -mtime -1 > findings_$(date +%F).txt) so your evidence trail is preserved for reporting and chain-of-custody documentation. - Never trust
findresults alone on a system you suspect is rootkitted — a compromised system binary can lie. Cross-verify with a trusted live-boot or forensic image when in doubt.
Related Cybersecurity Topics You Should Explore
- mv Command Guide: How SOC Analysts Use It Safely (2026)
- I Found a Hacker Hiding in a Single Linux cp Command
- Kali Linux 2026.2 Released: 9 New Hacking Tools & Major Upgrades
- rm Command in Linux: The Tutorial (And the Mistake That Kills Servers)
- rmdir vs rm -r: The Linux Command Mistake That Costs Evidence
- How Attackers Abuse mkdir to Hide Malware on Linux Servers
- cd Command in Linux: Complete Guide for SOC & Incident Response
- pwd Command in Cybersecurity: What SOC Analysts Must Know
Frequently Asked Questions
Is the find command safe to use on a production server during an active incident?
Yes, as long as you avoid destructive flags like -delete or -exec rm. Read-only searches have minimal performance impact and are widely used in live forensic triage.
Can find detect malware directly?
Not on its own. find locates files based on metadata (name, size, time, permissions), but pairing it with grep, hashing tools, or antivirus scanners turns it into a genuine detection workflow.
What's the difference between -mtime and -mmin?
-mtime measures time in whole days, while -mmin measures time in minutes — critical when you need to narrow a search to the exact hour of a suspected breach.
Why do attackers favor directories like /tmp and /dev/shm?
These directories are typically world-writable and sometimes overlooked in monitoring, making them convenient staging grounds for payloads and temporary tooling.
Is find available on all Linux distributions?
Yes, find is part of the GNU findutils package and ships by default on virtually every major Linux distribution, along with most Unix-like systems including macOS.
How does find help with compliance audits like PCI-DSS or HIPAA?
Auditors frequently require evidence of proper file permissions, ownership, and data retention. Commands like find /path -perm 644 or -user filters make it straightforward to generate that evidence quickly.
Can find replace a full EDR or SIEM solution?
No. find is a lightweight, native utility best used for rapid triage, spot-checks, and manual investigation — it complements, but doesn't replace, enterprise-grade detection platforms.
Conclusion
The find command doesn't make headlines the way a new zero-day or ransomware strain does, but it's quietly one of the most relied-upon tools in a working cybersecurity professional's toolkit. Whether you're a SOC analyst triaging an alert at 2 a.m., a penetration tester hunting for misconfigured permissions, or a sysadmin doing routine hygiene, mastering find gives you speed and control that heavier tools simply can't match in the first critical minutes of an investigation.
Bookmark this guide, practice these commands in a lab environment, and build the muscle memory now — because when an incident actually happens, you won't have time to look it up.





