Listen to this Post

Introduction:
Incident response (IR) is the structured process of detecting, investigating, and mitigating security breaches across endpoints and servers. Security professionals must rapidly collect volatile data—user accounts, processes, network connections, and logs—before it is lost or tampered with by adversaries. This article provides a cross-platform command reference and step-by-step investigation guide for Windows and Linux systems, derived from the latest Hacking Articles cheatsheets and real-world DFIR methodologies.
Learning Objectives:
- Execute live response data collection commands on both Windows and Linux compromised systems.
- Identify malicious persistence mechanisms, anomalous processes, and unauthorized network connections.
- Apply forensic triage techniques to preserve evidence and accelerate root cause analysis.
You Should Know:
1. User Account & Session Triage
Start your investigation by enumerating logged-on users, recent logins, and privileged accounts. Attackers often create backdoor accounts or escalate privileges on compromised machines.
Windows commands (run in cmd or PowerShell as Administrator):
net user net localgroup administrators query user whoami /all wmic useraccount get name,sid,status Get-LocalUser | Format-Table Name,Enabled,LastLogon
Linux commands:
cat /etc/passwd | grep -E "/bin/bash|/bin/sh" cat /etc/shadow (requires root) last -n 20 who w grep 'Accepted' /var/log/auth.log | tail -20 (Debian/Ubuntu) grep 'Accepted' /var/log/secure | tail -20 (RHEL/CentOS)
Step‑by‑step guide:
- Run `query user` or `w` to see currently active sessions.
- Compare output with known employee lists – look for unknown usernames or suspicious login times.
- For Windows, check `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList` for unauthorized profiles.
- On Linux, review `/etc/passwd` for users with UID 0 (except root) or accounts added recently using
ls -la /etc/passwd.
2. Running Processes & Services Investigation
Malware often hides as legitimate process names or injects code into trusted executables. Capture process lists before terminating anything.
Windows PowerShell (elevated):
Get-Process | Format-Table -AutoSize
Get-Service | Where-Object {$_.Status -eq "Running"}
tasklist /svc /fo csv > running_processes.csv
wmic process get name,processid,parentprocessid,executablepath
Linux:
ps auxf --sort=-%cpu | head -20 ps -eo pid,ppid,cmd,user --sort=-pcpu systemctl list-units --type=service --state=running lsof -i -P -n | grep LISTEN
Step‑by‑step guide:
- Export process lists to a write-protected external drive (e.g., `ps auxf > ps_export.txt` on Linux).
- Cross-reference suspicious process names (e.g., `svchost.exe` running from a user temp folder) using VirusTotal or local hash database.
- For Linux, check processes with no binary on disk ( `ls -l /proc/
/exe` ) – common rootkit behavior.</li> <li>Use `sysinternals autoruns` on Windows to check auto-start services and drivers.</li> </ul> <h2 style="color: yellow;">3. Scheduled Tasks & Cron Jobs (Persistence Hunting)</h2> Attackers maintain access via scheduled tasks (Windows) or cron/systemd timers (Linux). Review these for malicious entries. <h2 style="color: yellow;">Windows:</h2> [bash] schtasks /query /fo LIST /v > scheduled_tasks.txt Get-ScheduledTask | Where-Object {$<em>.State -ne "Disabled"} Get-ScheduledTask | ForEach-Object { $</em>.Actions }Linux:
crontab -l -u root ls -la /etc/cron /var/spool/cron/ systemctl list-timers --all grep -r "wget|curl|bash -i" /etc/cron /var/spool/cron/ 2>/dev/null
Step‑by‑step guide:
- On Windows, pay attention to tasks with obfuscated names (e.g., `UpdateOrchestrator` misspelled) or those running from `%TEMP%` or
AppData. - On Linux, examine user crontabs (
/var/spool/cron/crontabs/) – attackers often drop a reverse shell via `@reboot` entries. - Use `auditd` to monitor cron modifications:
auditctl -w /etc/crontab -p wa.
4. Network Connections & Open Ports Analysis
Identify command-and-control (C2) beacons, lateral movement, and data exfiltration channels.
Windows (netstat + PowerShell):
netstat -ano | findstr ESTABLISHED netstat -anob > netstat_connections.txt Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcessLinux:
ss -tunap netstat -tunap lsof -i -P -n ip neigh show (ARP table for suspicious MACs)
Step‑by‑step guide:
- Map each established connection to its process ID (
-oin netstat, `-p` in ss). Kill only after documenting. - Look for outbound connections on unusual ports (4444, 1337, 8080, 53 outside DNS) or to known bad IP ranges.
- On Linux, use `tcpdump -i eth0 -c 1000 -w capture.pcap` for deeper inspection.
- Check firewall exceptions: `netsh advfirewall show currentprofile` (Windows) or `iptables -L -n` (Linux).
5. Log Analysis & Evidence Collection
Logs are the cornerstone of incident reconstruction. Prioritize authentication, process creation, and PowerShell logs.
Windows (Event Viewer command line):
wevtutil qe Security /f:text /c:100 /rd:true /q:"[System[(EventID=4624 or EventID=4625)]]" Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddDays(-7)} | Format-List wevtutil epl System C:\IR\System_Logs.evtx (export binary logs)Linux:
journalctl -xe -p err -b (errors since boot) grep "Failed password" /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | uniq -c ausearch -ts recent -m user_login,user_logout dmesg | tail -50 (kernel ring buffer)Step‑by‑step guide:
- For Windows, enable PowerShell ScriptBlock logging (Event ID 4104) if not already – this captures deobfuscated malicious commands.
- Use `log2timeline` (Plaso) to create a super timeline from multiple Linux log files.
- Preserve logs by copying to a forensically sterile USB drive:
dd if=/var/log/auth.log of=/mnt/evidence/auth.log.dd.
6. File System & Permission Anomalies
Attackers drop webshells, modified binaries, or alter file permissions to evade detection.
Windows:
Get-ChildItem -Path C:\Windows\Temp -Recurse -Include .exe,.ps1,.vbs | Select-Object FullName,LastWriteTime icacls C:\inetpub\wwwroot /grant "IUSR":F (check for overprivileged write access) Get-FileHash -Algorithm MD5 C:\Windows\System32\drivers\etc\hosts
Linux:
find / -type f -perm -4000 -ls 2>/dev/null (SUID binaries) find /home -name ".php" -mtime -7 (recently modified web files) ls -la /tmp /var/tmp (world-writable directories) stat /etc/passwd /etc/shadow (check modification timestamps)
Step‑by‑step guide:
- Use `sigcheck -h` (Sysinternals) on Windows to verify Microsoft-signed binaries.
- On Linux, compare package manager file integrity: `rpm -Va` (RHEL) or `debsums -c` (Debian).
- Search for alternate data streams (ADS) on NTFS:
dir /r C:\path.
7. Live Response & Memory Acquisition
The most volatile data lives in RAM. Collect memory before shutting down.
Windows (WinPmem / DumpIt):
.\winpmem_mini_x64_rc2.exe memdump.raw .\DumpIt.exe (simpler tool) Get-Process lsass | select -ExpandProperty Id (for later Mimikatz if authorized)
Linux (LiME / fmem):
sudo insmod lime.ko "path=memdump.raw format=lime" dd if=/proc/kcore of=memdump.raw bs=1M (alternative) strings memdump.raw | grep -i "password|api_key"
Step‑by‑step guide:
- Acquire memory first, then disk image, then shutdown to prevent anti-forensic triggers.
- Use `volatility3` or `Rekall` to analyze the memory dump – look for hidden processes (pslist vs psscan) and network artifacts.
- On Linux, capture `history` files for each user before they exit:
for u in $(ls /home); do cat /home/$u/.bash_history >> all_history.txt; done.
What Undercode Say:
- Speed and order matter – volatile data (processes, network connections, logged-in users) must be collected before any non-volatile evidence. Use a pre-validated IR script or toolkit to ensure consistency.
- Automation is not a replacement for analysis – while tools like `velociraptor` or `GRR` accelerate triage, manual review of unexpected outbound connections or new scheduled tasks remains essential for detecting sophisticated threats.
- Linux and Windows differ fundamentally – Windows relies heavily on event logs (ETW, Sysmon) and registry artifacts; Linux depends on syslog, auditd, and filesystem timestamps. A cross-platform responder must master both paradigms.
Prediction:
As attackers increasingly deploy living-off-the-land (LotL) binaries and fileless malware, traditional process and file-based detection will degrade. Future incident response cheatsheets will prioritize endpoint detection and response (EDR) telemetry feeds, YARA rule triage, and cloud-native IR (e.g., AWS GuardDuty + Lambda automation). By 2027, AI-assisted IR assistants will auto-correlate commands from this cheatsheet with MITRE ATT&CK techniques, reducing mean time to containment (MTTC) by 60%. However, the foundational commands listed here will remain the last line of defense when automation fails or adversaries disable EDR agents.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Incident Response – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeTesting & Stay Tuned:
- On Windows, pay attention to tasks with obfuscated names (e.g., `UpdateOrchestrator` misspelled) or those running from `%TEMP%` or


