Powerful Find Command Cheatsheet
Explore the versatility of the find command in Unix/Linux systems with this comprehensive cheatsheet. Discover various find commands to search for files based on modification time, access time, size, type, and more. Enhance your file searching skills and streamline your workflow efficiently.
Detecting Pipe-Based Command Execution in Shell Scripts
Use find and xargs -P to locate commands that are executed through pipes (|) in shell scripts, which may indicate potential vulnerabilities.
Basic Parallel Scan
#!/usr/bin/env bash
TARGET_DIR="${1:-.}"
JOBS="${JOBS:-4}"
export LC_ALL=C
find "$TARGET_DIR" -type f \( -name "*.sh" -o -perm -111 \) -print0 \
| xargs -0 -P "$JOBS" -I{} bash -c '
# The file name arrives as $1, so it is never parsed as shell code
file="$1"
grep -nE "\|[[:space:]]*[a-zA-Z0-9_./-]+" "$file" 2>/dev/null \
| grep -vE "^[0-9]+:[[:space:]]*#" \
| while IFS= read -r line; do
printf "[%s] %s\n" "$file" "$line"
done
' _ {}
Parallelized full-filesystem string search with pruning and size limits
time find / -xdev \
\( -path '/mnt/usb' -o -path '/mnt/usb/*' -o -path '/proc' -o -path '/sys' -o -path '/dev' -o -path '/run' -o -path '/tmp' \) -prune -o \
-type f \( -name '*.sh' -o -name '*.conf' -o -name '*.db' -o -name '*.txt' \) \
-size -2M -print0 2>/dev/null \
| xargs -0 -n 500 -P 4 grep -nH -I -F -- 'wuseman' 2>/dev/null
Excluding Common Safe Patterns
Filters out known safe constructs like || and |&.
find . -type f -name "*.sh" -print0 \
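| xargs -0 -P 4 -I{} bash -c '
# A pipe that is not part of || and is not |&; the file name is passed as $1
grep -nE "(^|[^|])\|[^|&]" "$1" 2>/dev/null \
| grep -vE "^[0-9]+:[[:space:]]*#" \
| while IFS= read -r line; do
printf "[%s] %s\n" "$1" "$line"
done
' _ {}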
Highlight Suspicious Dynamic Inputs
find . -type f -name "*.sh" -print0 \
| xargs -0 -P 4 -I{} bash -c '
# The bracket expression keeps $ literal; a bare $ in an ERE anchors end of line
grep -nE "\|.*[\$\`]" "$1" 2>/dev/null \
| grep -vE "^[0-9]+:[[:space:]]*#" \
| while IFS= read -r line; do
printf "[SUSPECT][%s] %s\n" "$1" "$line"
done
' _ {}
Strict POSIX-Compatible Version
find . -type f -name "*.sh" -exec grep -nE "\|" /dev/null {} +
Dry-Run Mode (Preview Files Only)
find . -type f -name "*.sh" -print0 \
| xargs -0 -P 4 -I{} echo "Scanning {}"
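The scans in this section combined into one script, as an added example that is not part of the original cheatsheet: it keeps the || and |& exclusion, skips comment lines after grep -n has prefixed the line numbers, tags a pipe followed by an expansion as SUSPECT, and hands file names to the worker shell as positional arguments. SCAN, scan_tree, make_samples and demo are names chosen here, and the sample scripts are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. SCAN, scan_tree, make_samples
# and demo are hypothetical names; the sample scripts are constructed.

# Per-file scanner, run by "sh -c" with file names as positional arguments,
# so a name containing quotes or spaces is data and never shell source.
SCAN='
for f in "$@"; do
  # A real pipe: not part of "||", not "|&"; it may also end the line.
  grep -nE -- "(^|[^|])\|([^|&]|\$)" "$f" 2>/dev/null |
  # grep -n prefixed "N:", so the comment filter has to skip that prefix.
  grep -vE "^[0-9]+:[[:space:]]*#" |
  while IFS= read -r hit; do
    tag=PIPE
    # An expansion after the pipe means the command is built at run time.
    case ${hit#*"|"} in *\$*|*\`*) tag=SUSPECT ;; esac
    printf "%s:%s:%s\n" "$tag" "$f" "$hit"
  done
done'

# scan_tree DIR: scan every *.sh file under DIR with $JOBS parallel workers.
scan_tree() {
  find "${1:-.}" -type f -name "*.sh" -print0 |
    xargs -0 -P "${JOBS:-4}" -n 16 sh -c "$SCAN" _
}

# make_samples DIR: write two constructed scripts, one with an awkward name.
make_samples() {
  cat > "$1/a.sh" <<'EOF'
#!/bin/sh
# ps aux | grep root
ls /tmp | wc -l
test -f x || echo missing
make |& tee build.log
cat "$1" | $FILTER
EOF
  printf 'id | cut -d= -f2\n' > "$1/odd \"name\".sh"
}

# demo: scan the constructed samples and print TAG:FILE:LINE:TEXT records.
demo() {
  d=$(mktemp -d) && make_samples "$d" && scan_tree "$d" | sort
  rm -rf "$d"
}

demo
```

Only lines 3 and 6 of a.sh and the single line of the oddly named file are reported; the comment, the || test and the |& line are skipped.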
Misc
Search for various URLs in files
find . -type f -print0 | xargs -0 -P $(nproc) -I {} bash -c '
for file in "$@"; do
strings "$file" | rg --pcre2 -o -i -e "(http|https|ftp|ftps|smtp|imap)://[a-zA-Z0-9./?=_-]+(?![a-zA-Z0-9./?=_-])" |
while read -r url; do
echo -e "Filename: $file \033[1;32m$url\033[0m"
done
done' bash {}
Search All .sh files while excluding /dev, /proc, and /sys
find / \( -path /dev -o -path /proc -o -path /sys \) -prune -o -type f -name '*.sh' -print0 2>/dev/null | xargs -0 grep -nH -F '<string_to_search_for>' 2>/dev/null
Recursively search /etc for a string in selected file types
find /etc/ -type f \( -name "*.sh" -o -name "*.conf" -o -name "*.db" -o -name "*.txt" \) -print0 2>/dev/null | xargs -0 grep -nH -F '<string_to_search_for>' 2>/dev/null
Find the most recently changed files (recursively)
find . -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort
Search entire filesystem for .sh files (skip virtual filesystems)
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f \( -name "*.sh" \) -print
Search entire filesystem for .sh and .lua files
find / -type f \( -name "*.sh" -o -name "*.lua" \)
Search entire filesystem for .sh and .lua files (skip virtual filesystems)
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f \( -name "*.sh" -o -name "*.lua" \) -print
Find large log files
find /var/log -name "*.log" -size +100M
Find configuration files
find /etc -name "*.conf" | head -10
Locate header files
find /usr/include -name "*.h" | grep pattern
Find all files and delete them all except win10ent64.z* files and autorun.inf
find . -type f ! -name 'win10ent64.z*' ! -name 'autorun.inf' -delete
Change permissions for all directories under the current dir in parallel (mode 777 makes them world-writable; substitute the mode you need)
find . -type d -print0 | xargs -0 -P$(($(nproc) + 1)) chmod 777
For a faster deletion when we have a lot of folders to delete
find . -type d -print0 | xargs -0 rm -rf
Delete .git folders when removal fails with "Directory not empty"
find . -name ".git" -type d -exec rm -rf {} +
Find files modified within the last 1 day
find / -mtime -1
Find files modified within the last 2 days
find / -mtime -2
Find files modified within the last 3 days
find / -mtime -3
Find files modified within the last 4 days
find / -mtime -4
Find files modified within the last 5 days
find / -mtime -5
Find files modified within the last 6 days
find / -mtime -6
Find files modified within the last 1 week
find / -mtime -7
Find files modified within the last 2 weeks
find / -mtime -14
Find files modified within the last 3 weeks
find / -mtime -21
Find files modified within the last 1 hour
find / -mmin -60
Find files modified within the last 30 minutes
find / -mmin -30
Find files modified within the last 10 minutes
find / -mmin -10
Find files accessed within the last 1 day
find / -amin -1440
Find files accessed within the last 2 days
find / -amin -2880
Find files accessed within the last 3 days
find / -amin -4320
Find files accessed within the last 1 hour
find / -amin -60
Find files accessed within the last 30 minutes
find / -amin -30
Find files accessed within the last 10 minutes
find / -amin -10
Find files that had their status changed within the last 1 day
find / -cmin -1440
Find files that had their status changed within the last 2 days
find / -cmin -2880
Find files that had their status changed within the last 3 days
find / -cmin -4320
Search for Files Only
find -type f
Search for Folders Only
find -type d
Search for Symlinks Only
find -type l
Search 3 Levels Deep (Starting Directory Plus 2 Levels Below It)
find -maxdepth 2
Search for Files via Regex
find -regex PATTERN
Exactly 8 512-byte Blocks
find -size 8
Smaller Than 128 Bytes
find -size -128c
Exactly 1440KiB
find -size 1440k
Larger Than 10MiB
find -size +10M
Larger Than 2GiB
find -size +2G
Search for All Files Larger Than 500MB
find / -type f -size +500M
Search for All Executable Files
find -type f -executable -printf '%p is executable\n'
Search for Foo Text Inside All Files in Current Folder Using Parallel
find . -type f | parallel -k -j150% -n 1000 -m grep -H -n 'foo' {}
Find Broken Symlinks and Delete Them
find -L /path/to/check -type l -delete
Find All the Links to a File
find -L / -samefile /path/to/file -exec ls -ld {} +
Remove 'Fucked' Dirnames from Microsoft Windows and Apple
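ls -li    # the first column is the inode number of each entry
find . -inum 4063242 -delete    # 4063242 is the example inode number read from the ls output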
Find All Gz Files and Extract Them
find . -type f -iname "*.gz" -print0 | xargs -0 -I {} atool -x "{}" -delete
Last Accessed Between Now and 24 Hours Ago
find -atime 0
Accessed More Than 24 Hours Ago
find -atime +0
Find With Invert Match - E.g., Find Every File That Is Not Mp3
find . -name '*' -type f -not -iname '*.mp3'
Find Files/Directories Modified Within a Given Period
find . -type d -newermt "2019-01-01" ! -newermt "2019-02-01" -exec ls -ld {} \;
Store the Output of Find in an Array
mapfile -d $'\0' arr < <(find /path/to -print0)
Find All Log Files Modified 24 Hours Ago and Zip Them
find . -type f -mtime +1 -name "*.log" -exec zip -m {}.zip {} \; >/dev/null
Search for AT (Attention) Commands
find . -type f -name "*.apk" -print0 | xargs -0 strings | grep -E 'AT[\+\*][A-Z]{2,10}([^A-Z]|$)'
Search for a pattern inside multiple tar.gz archives
find . -name '*.tar.gz' -print0 | xargs -0 -P $(nproc --all) -I {} tar -tzf {} | grep 'pattern'