Check if EDR/XDR is running

CrowdStrike

ps -e | grep falcon-sensor

Find interesting files by keyword

grep -rni --exclude-dir={proc,sys,dev,run} "password" </target/directory> 2>/dev/null

Find running processes and their associated listening ports

sudo lsof -nP -iTCP -sTCP:LISTEN

More advanced (reports full binary path, parameters, listening port, PID, and running user)

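sudo lsof -nP -iTCP -sTCP:LISTEN -iUDP | awk 'NR>1 {print $2, $3, $9}' | sort -u |
while read -r pid user port; do
    # /proc/<pid>/exe of another user's process can only be resolved as root
    exe=$(sudo readlink -f "/proc/$pid/exe" 2>/dev/null)
    # cmdline is NUL-separated; stderr is redirected first so a vanished PID stays quiet
    cmdline=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")
    echo "User $user | PID $pid | Port $port => $exe $cmdline"
done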