Incident Response Mastery: The Ultimate Windows & Linux Cheatsheet for DFIR Professionals + Video

Listen to this Post

Featured Image

Introduction:

Incident response (IR) is the structured process of detecting, investigating, and mitigating security breaches across endpoints and servers. Security professionals must rapidly collect volatile data—user accounts, processes, network connections, and logs—before it is lost or tampered with by adversaries. This article provides a cross-platform command reference and step-by-step investigation guide for Windows and Linux systems, derived from the latest Hacking Articles cheatsheets and real-world DFIR methodologies.

Learning Objectives:

  • Execute live response data collection commands on both Windows and Linux compromised systems.
  • Identify malicious persistence mechanisms, anomalous processes, and unauthorized network connections.
  • Apply forensic triage techniques to preserve evidence and accelerate root cause analysis.

You Should Know:

1. User Account & Session Triage

Start your investigation by enumerating logged-on users, recent logins, and privileged accounts. Attackers often create backdoor accounts or escalate privileges on compromised machines.

Windows commands (run in cmd or PowerShell as Administrator):

net user
net localgroup administrators
query user
whoami /all
wmic useraccount get name,sid,status
Get-LocalUser | Format-Table Name,Enabled,LastLogon

Linux commands:

cat /etc/passwd | grep -E "/bin/bash|/bin/sh"
cat /etc/shadow (requires root)
last -n 20
who
w
grep 'Accepted' /var/log/auth.log | tail -20 (Debian/Ubuntu)
grep 'Accepted' /var/log/secure | tail -20 (RHEL/CentOS)

Step‑by‑step guide:

  • Run `query user` or `w` to see currently active sessions.
  • Compare output with known employee lists – look for unknown usernames or suspicious login times.
  • For Windows, check `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` for unauthorized profiles.
  • On Linux, review `/etc/passwd` for users with UID 0 (except root) or accounts added recently using ls -la /etc/passwd.

2. Running Processes & Services Investigation

Malware often hides as legitimate process names or injects code into trusted executables. Capture process lists before terminating anything.

Windows PowerShell (elevated):

Get-Process | Format-Table -AutoSize
Get-Service | Where-Object {$_.Status -eq "Running"}
tasklist /svc /fo csv > running_processes.csv
wmic process get name,processid,parentprocessid,executablepath

Linux:

ps auxf --sort=-%cpu | head -20
ps -eo pid,ppid,cmd,user --sort=-pcpu
systemctl list-units --type=service --state=running
lsof -i -P -n | grep LISTEN

Step‑by‑step guide:

  • Export process lists to a write-protected external drive (e.g., `ps auxf > ps_export.txt` on Linux).
  • Cross-reference suspicious process names (e.g., `svchost.exe` running from a user temp folder) using VirusTotal or local hash database.
  • For Linux, check processes with no binary on disk ( `ls -l /proc/
    /exe` ) – common rootkit behavior.</li>
    <li>Use `sysinternals autoruns` on Windows to check auto-start services and drivers.</li>
    </ul>
    
    <h2 style="color: yellow;">3. Scheduled Tasks & Cron Jobs (Persistence Hunting)</h2>
    
    Attackers maintain access via scheduled tasks (Windows) or cron/systemd timers (Linux). Review these for malicious entries.
    
    <h2 style="color: yellow;">Windows:</h2>
    
    [bash]
    schtasks /query /fo LIST /v > scheduled_tasks.txt
    Get-ScheduledTask | Where-Object {$<em>.State -ne "Disabled"}
    Get-ScheduledTask | ForEach-Object { $</em>.Actions }
    

    Linux:

    crontab -l -u root
    ls -la /etc/cron /var/spool/cron/
    systemctl list-timers --all
    grep -r "wget|curl|bash -i" /etc/cron /var/spool/cron/ 2>/dev/null
    

    Step‑by‑step guide:

    • On Windows, pay attention to tasks with obfuscated names (e.g., `UpdateOrchestrator` misspelled) or those running from `%TEMP%` or AppData.
    • On Linux, examine user crontabs (/var/spool/cron/crontabs/) – attackers often drop a reverse shell via `@reboot` entries.
    • Use `auditd` to monitor cron modifications: auditctl -w /etc/crontab -p wa.

    4. Network Connections & Open Ports Analysis

    Identify command-and-control (C2) beacons, lateral movement, and data exfiltration channels.

    Windows (netstat + PowerShell):

    netstat -ano | findstr ESTABLISHED
    netstat -anob > netstat_connections.txt
    Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcess
    

    Linux:

    ss -tunap
    netstat -tunap
    lsof -i -P -n
    ip neigh show (ARP table for suspicious MACs)
    

    Step‑by‑step guide:

    • Map each established connection to its process ID (-o in netstat, `-p` in ss). Kill only after documenting.
    • Look for outbound connections on unusual ports (4444, 1337, 8080, 53 outside DNS) or to known bad IP ranges.
    • On Linux, use `tcpdump -i eth0 -c 1000 -w capture.pcap` for deeper inspection.
    • Check firewall exceptions: `netsh advfirewall show currentprofile` (Windows) or `iptables -L -n` (Linux).

    5. Log Analysis & Evidence Collection

    Logs are the cornerstone of incident reconstruction. Prioritize authentication, process creation, and PowerShell logs.

    Windows (Event Viewer command line):

    wevtutil qe Security /f:text /c:100 /rd:true /q:"[System[(EventID=4624 or EventID=4625)]]"
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddDays(-7)} | Format-List
    wevtutil epl System C:\IR\System_Logs.evtx (export binary logs)
    

    Linux:

    journalctl -xe -p err -b (errors since boot)
    grep "Failed password" /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | uniq -c
    ausearch -ts recent -m user_login,user_logout
    dmesg | tail -50 (kernel ring buffer)
    

    Step‑by‑step guide:

    • For Windows, enable PowerShell ScriptBlock logging (Event ID 4104) if not already – this captures deobfuscated malicious commands.
    • Use `log2timeline` (Plaso) to create a super timeline from multiple Linux log files.
    • Preserve logs by copying to a forensically sterile USB drive: dd if=/var/log/auth.log of=/mnt/evidence/auth.log.dd.

    6. File System & Permission Anomalies

    Attackers drop webshells, modified binaries, or alter file permissions to evade detection.

    Windows:

    Get-ChildItem -Path C:\Windows\Temp -Recurse -Include .exe,.ps1,.vbs | Select-Object FullName,LastWriteTime
    icacls C:\inetpub\wwwroot /grant "IUSR":F (check for overprivileged write access)
    Get-FileHash -Algorithm MD5 C:\Windows\System32\drivers\etc\hosts
    

    Linux:

    find / -type f -perm -4000 -ls 2>/dev/null (SUID binaries)
    find /home -name ".php" -mtime -7 (recently modified web files)
    ls -la /tmp /var/tmp (world-writable directories)
    stat /etc/passwd /etc/shadow (check modification timestamps)
    

    Step‑by‑step guide:

    • Use `sigcheck -h` (Sysinternals) on Windows to verify Microsoft-signed binaries.
    • On Linux, compare package manager file integrity: `rpm -Va` (RHEL) or `debsums -c` (Debian).
    • Search for alternate data streams (ADS) on NTFS: dir /r C:\path.

    7. Live Response & Memory Acquisition

    The most volatile data lives in RAM. Collect memory before shutting down.

    Windows (WinPmem / DumpIt):

    .\winpmem_mini_x64_rc2.exe memdump.raw
    .\DumpIt.exe (simpler tool)
    Get-Process lsass | select -ExpandProperty Id (for later Mimikatz if authorized)
    

    Linux (LiME / fmem):

    sudo insmod lime.ko "path=memdump.raw format=lime"
    dd if=/proc/kcore of=memdump.raw bs=1M (alternative)
    strings memdump.raw | grep -i "password|api_key"
    

    Step‑by‑step guide:

    • Acquire memory first, then disk image, then shutdown to prevent anti-forensic triggers.
    • Use `volatility3` or `Rekall` to analyze the memory dump – look for hidden processes (pslist vs psscan) and network artifacts.
    • On Linux, capture `history` files for each user before they exit: for u in $(ls /home); do cat /home/$u/.bash_history >> all_history.txt; done.

    What Undercode Say:

    • Speed and order matter – volatile data (processes, network connections, logged-in users) must be collected before any non-volatile evidence. Use a pre-validated IR script or toolkit to ensure consistency.
    • Automation is not a replacement for analysis – while tools like `velociraptor` or `GRR` accelerate triage, manual review of unexpected outbound connections or new scheduled tasks remains essential for detecting sophisticated threats.
    • Linux and Windows differ fundamentally – Windows relies heavily on event logs (ETW, Sysmon) and registry artifacts; Linux depends on syslog, auditd, and filesystem timestamps. A cross-platform responder must master both paradigms.

    Prediction:

    As attackers increasingly deploy living-off-the-land (LotL) binaries and fileless malware, traditional process and file-based detection will degrade. Future incident response cheatsheets will prioritize endpoint detection and response (EDR) telemetry feeds, YARA rule triage, and cloud-native IR (e.g., AWS GuardDuty + Lambda automation). By 2027, AI-assisted IR assistants will auto-correlate commands from this cheatsheet with MITRE ATT&CK techniques, reducing mean time to containment (MTTC) by 60%. However, the foundational commands listed here will remain the last line of defense when automation fails or adversaries disable EDR agents.

    ▶️ Related Video (84% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Incident Response – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky