Inside a Real Hack: How Tree Found the Web Shell
It's 2:55 AM when the SOC phone rings. A mid-sized fintech company in Austin just got hit — ransomware note sitting on the desktop, and nobody knows how deep it went. The incident responder on call SSHs into the affected Linux server, and before touching a single log file, types one command that most people associate with basic file listing: tree.
Within seconds, she has a full visual map of the file system — every directory, every suspicious hidden folder, every oddly named executable buried three levels deep in /var/tmp. That single command just saved twenty minutes of blind cd and ls navigation during a window where every second matters.
This is the real value of tree in cybersecurity work. It's not just a developer convenience — in incident response, digital forensics, malware analysis, and penetration testing, it's a reconnaissance tool that gives you situational awareness of a file system in seconds. This guide breaks down every practical use of the tree command, but through the lens of how security professionals actually use it in the field.
Table of Contents
- What Is the Tree Command and Why Security Teams Use It
- Real-World Scenario: Mapping a Compromised Web Server
- Core Tree Commands Every Analyst Should Know
- Advanced Tree Commands for Forensics and Malware Hunting
- Detection Use Cases: Spotting Hidden Threats with Tree
- Prevention and Hardening Tips
- Expert Tips from the Field
- Related Reading
- FAQ
- Conclusion
What Is the Tree Command and Why Security Teams Use It?
At its core, tree is a command-line utility available on Linux, macOS (via Homebrew), and Windows (via WSL or standalone binaries) that recursively displays the contents of a directory in a visual, indented tree structure. Most people learn it as a way to document project folders. Security professionals learn it as a fast triage tool.
When you land on a potentially compromised host — whether during an incident response engagement, a penetration test, or a routine audit — one of your first questions is simple: what does this file system actually look like? Attackers don't always announce themselves with an obvious ransom note. Sometimes it's a single rogue script hidden four directories deep, disguised with a legitimate-looking name. tree gives you that bird's-eye view instantly, without needing a GUI file explorer or a forensic imaging tool spun up yet.
Real-World Scenario: Mapping a Compromised Web Server
Consider a common incident pattern seen across US enterprise environments: a web application server starts making unusual outbound connections. The SOC flags it through EDR telemetry, and a responder is dispatched to investigate.
Instead of manually navigating with repeated cd and ls commands — which is slow and easy to miss things with — the analyst runs a targeted tree scan of the web root and upload directories. Within seconds, they spot it: a file named images/logo_v2.php sitting inside what should be a static image folder. That's a classic web shell placement pattern, and tree surfaced it visually in a way that a flat file listing would have buried in noise.
This is the kind of pattern-spotting that experienced defenders develop over time — anomalies jump out visually once you can see file system structure laid out clearly, rather than scrolling through hundreds of lines of unstructured output.
Core Tree Commands Every Analyst Should Know
These are the foundational commands you'll use in nearly every investigation, sorted by how often they show up in real triage work.
tree
What it does: Displays the current directory and all its contents in a tree format.
When to use it: Your first command after landing in a suspicious directory during triage.
Expected output: A full nested listing of folders and files with connecting lines showing hierarchy.
tree -d
What it does: Shows only directories, no files.
When to use it: When you need to understand the overall folder architecture of an application before drilling into specific files — useful for quickly mapping an unfamiliar server layout.
Expected output: A clean hierarchy of folders only.
tree -L 2
What it does: Limits the display depth to 2 levels.
When to use it: On large enterprise file systems where a full recursive scan would flood your terminal. Great for getting oriented before going deeper.
Expected output: Only the first two levels of nesting are shown.
tree -a
What it does: Includes hidden files and directories (anything starting with a dot).
When to use it: Almost always during forensic work. Attackers frequently hide persistence mechanisms, cron jobs, and staging folders in dotfiles like .cache, .config, or custom hidden directories.
Expected output: Standard tree output plus all hidden entries.
tree -f
What it does: Displays the complete file path for each entry instead of just the file name.
When to use it: When you need to copy exact paths into your incident report or into a hash-checking script — no manual path reconstruction needed.
Expected output: Every line shows the full path from the root of the scan.
Advanced Tree Commands for Forensics and Malware Hunting
tree -p
What it does: Shows file and directory permissions alongside the structure.
When to use it: Hunting for privilege escalation vectors — world-writable directories, SUID binaries, or scripts with unusually permissive access.
Expected output: Standard Unix-style permission strings next to each entry.
tree -u
What it does: Displays the owner of each file and directory.
When to use it: Identifying files created by a compromised service account or a user who shouldn't have write access to that directory.
Expected output: Username shown next to each file/folder.
tree -g
What it does: Displays group ownership information.
When to use it: Paired with -u during access control audits, especially in multi-tenant or shared hosting environments.
Expected output: Group name shown next to each entry.
tree -D
What it does: Shows last modification date and time for every file.
When to use it: Building a rough timeline of activity — files modified around the time of the alert are your highest-priority leads.
Expected output: Timestamp column added to each line.
tree -s
What it does: Displays the size of each file.
When to use it: Spotting unusually large log files (possible data staging before exfiltration) or suspiciously small "image" files that are actually text-based payloads.
Expected output: File size in bytes next to each entry.
tree -i
What it does: Displays inode numbers.
When to use it: Advanced forensic correlation — matching files referenced in other forensic tools (like debugfs or file carving output) back to their tree location.
Expected output: Inode number prefixed to each file.
tree -F
What it does: Appends type indicators — a trailing / for directories, * for executables, and similar symbols for other special file types.
When to use it: Quickly spotting executables sitting in directories where they don't belong, like an uploads or media folder.
Expected output: Symbol appended to relevant entries.
tree -t
What it does: Sorts output by modification time instead of alphabetically.
When to use it: Fast timeline building — the most recently touched files appear grouped together, which is exactly what you want when hunting for recent attacker activity.
Expected output: Same tree structure, reordered by recency.
tree --dirsfirst
What it does: Lists all directories before files at each level.
When to use it: Improves readability when documenting findings for a report or client deliverable.
Expected output: Cleaner, grouped structure.
tree -I "node_modules"
What it does: Excludes directories or files matching the given pattern.
When to use it: Filtering out noisy, irrelevant directories (dependency folders, cache directories) so you can focus on what actually matters during an investigation.
Expected output: Full tree with the excluded pattern omitted.
tree -P "*.txt"
What it does: Displays only files matching the specified pattern.
When to use it: Hunting for specific file types tied to an attack — for example, -P "*.php" across an image directory to find planted web shells, or -P "*.exe" in a Documents folder that should never contain executables.
Expected output: Only matching files shown, folder structure preserved.
tree -H . -o tree.html
What it does: Generates an HTML representation of the directory tree.
When to use it: Producing shareable evidence for incident reports or client-facing documentation.
Expected output: An HTML file with a clickable, styled directory tree.
tree > tree.txt
What it does: Saves the directory tree output to a text file.
When to use it: Preserving a snapshot of the file system state as evidence before you start remediation — chain of custody matters in real investigations.
Expected output: A plain text file containing the full tree output.
tree -a -L 3
What it does: Shows hidden files and directories, limited to 3 levels deep.
When to use it: A balanced scan for large systems — deep enough to catch hidden persistence mechanisms without overwhelming output.
Expected output: Hidden files included, capped at three levels of nesting.
tree -a -L 5 --dirsfirst
What it does: Produces a complete, deeply nested project structure with hidden files included and directories listed first.
When to use it: Full documentation of a compromised application's structure for a formal incident report or forensic case file.
Expected output: A comprehensive, well-organized full tree snapshot.
Detection Use Cases: Spotting Hidden Threats with Tree
In real SOC and DFIR (Digital Forensics and Incident Response) work, tree pairs naturally with other investigation techniques:
- Web shell hunting: Combine
tree -P "*.php"or similar patterns with directories that shouldn't contain executable code, like/uploadsor/images. - Persistence mechanism discovery: Use
tree -aon home directories and/etc/cron.dequivalents to catch hidden autostart scripts. - Timeline reconstruction: Pair
tree -D -tto surface the most recently modified files first, narrowing your window around the suspected compromise time. - Privilege escalation review: Run
tree -p -uacross sensitive directories to flag misconfigured permissions before an attacker exploits them. - Data exfiltration staging: Look for unusually large archive files with
tree -sin temp directories, a common staging pattern before data is pushed out.
Detection & Prevention Techniques
While tree itself is an investigative tool rather than a defensive control, the patterns it helps you find point directly to prevention measures every organization should implement:
- Restrict write permissions on web-accessible upload directories to prevent web shell placement.
- Monitor file integrity on critical directories using tools like Tripwire, OSSEC, or a modern EDR agent, so unauthorized changes trigger alerts automatically rather than relying solely on manual review.
- Regularly audit hidden directories and dotfiles across production servers as part of scheduled hardening reviews.
- Enforce least-privilege file ownership so unexpected owner or group changes (visible via
tree -u -g) are immediately suspicious. - Bake a documented file-system baseline (a saved
treeoutput) into your asset management process, so any deviation is easy to spot during future incidents.
Expert Tips from the Field
- Always run
tree -abefore drawing conclusions — a huge number of real intrusions hide behind a leading dot in the filename. - Combine
-Ppattern matching with-Iexclusions to cut through noisy directories like dependency folders during large enterprise investigations. - Redirect output to a file immediately on arrival at a compromised host — this creates a timestamped forensic snapshot before you start making changes.
treeis read-only and low-impact, making it one of the safest first commands to run on a live production system without risking further compromise or evidence contamination.- If
treeisn't installed on a minimal server image (common in hardened production environments), don't install unfamiliar packages mid-incident — usefindwith similar flags as a fallback to preserve evidentiary integrity.
Related Cybersecurity Topics You Should Explore
- This One Linux Command Exposed a Hacker's Fake Timestamps
- locate Command in Linux: Small Tool, Big Security Implications
- The Linux find Command: A SOC Analyst's Guide to Hunting Hackers
- mv Command Guide: How SOC Analysts Use It Safely (2026)
- I Found a Hacker Hiding in a Single Linux cp Command
- Kali Linux 2026.2 Released: 9 New Hacking Tools & Major Upgrades
- rm Command in Linux: The Tutorial (And the Mistake That Kills Servers)
- rmdir vs rm -r: The Linux Command Mistake That Costs Evidence
FAQ
1. Is the tree command safe to run on a potentially compromised system?
Yes. tree is a read-only utility that doesn't modify files or metadata, making it one of the safest commands to run during initial triage.
2. Does tree work on Windows?
Windows has a built-in tree command with more limited options, but the full-featured version described here is available through WSL (Windows Subsystem for Linux) or third-party ports.
3. Can tree replace a proper forensic imaging tool?
No. Tree is a triage and visualization tool, not a forensic acquisition tool. Always follow proper chain-of-custody procedures with dedicated imaging tools like FTK Imager or dd for formal evidence collection.
4. Why would an attacker hide files in dotfiles or hidden directories?
Hidden files don't show up in default directory listings, making them a simple way to evade casual inspection. Security analysts counter this by always including -a in their scans.
5. How is tree different from ls -R?
ls -R produces a flat, harder-to-read recursive listing, while tree visually structures the hierarchy, making anomalies far easier to spot at a glance.
6. Can tree help during a penetration test?
Yes. After gaining access to a target system, penetration testers often use tree to quickly map the file system and identify configuration files, credentials, or sensitive data worth investigating further.
7. What should I do if tree isn't installed on the target system?
Avoid installing new packages on a live incident system, as this can alter the environment and complicate evidence handling. Use find . -print piped into simple formatting, or request approval through your incident response plan before installing tools.
Conclusion
The tree command doesn't get the spotlight that flashy EDR dashboards or SIEM correlation rules get, but in the hands of an experienced analyst, it's one of the fastest ways to build situational awareness on an unfamiliar or compromised system. From spotting a rogue web shell buried in an image folder to reconstructing a rough attack timeline with modification timestamps, this simple utility earns its place in every SOC analyst's, forensic investigator's, and penetration tester's toolkit.
Next time you're staring down a suspicious file system at 3 AM, skip the endless cd and ls cycle. Run tree -a -L 5 --dirsfirst, save the output, and let the structure tell you where to look first.







