The Blue Team Bible: 25+ Commands to Fortify Your Defenses and Thwart the Modern Adversary


Introduction:

In the relentless cat-and-mouse game of cybersecurity, defenders require a deep, practical knowledge of their operating environment to identify and neutralize threats. This guide provides a critical toolkit of commands and procedures, transforming theoretical security concepts into actionable defense protocols for both Linux and Windows ecosystems, enabling you to proactively harden systems and investigate incidents.

Learning Objectives:

  • Master essential command-line tools for system hardening and real-time monitoring on Linux and Windows.
  • Develop the skills to conduct initial incident response and forensic data collection.
  • Understand and implement specific commands to mitigate common attack vectors.

You Should Know:

1. System Hardening and Baselining

A secure system begins with a hardened baseline. This involves configuring the OS to minimize its attack surface by disabling unnecessary services, enforcing strict permissions, and establishing a known-good state for critical files. On Linux, the `lynis` tool provides an excellent audit, but native commands are the first line of defense. On Windows, PowerShell is your powerhouse for configuration.

Linux: File Integrity and Service Auditing

Find world-writable files (common misconfiguration)
find / -xdev -type f -perm -0002 -print

List all running services
systemctl list-units --type=service --state=running

Check for setuid/setgid binaries (potential privilege escalation vectors); the -o must be grouped so both tests reach -print
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print

Audit package integrity (Debian/Ubuntu)
dpkg --verify

Step-by-step guide:

  1. Run the `find` command for world-writable files. Any unexpected results should have their permissions corrected with `chmod o-w <filename>`.
  2. Use `systemctl` to review running services. Disable any that are non-essential using `systemctl disable <service-name>` and `systemctl stop <service-name>`.
  3. The `find` command for setuid/setgid binaries helps identify potential privilege escalation paths. Research any unknown binaries.
  4. `dpkg --verify` will show discrepancies in installed packages. A “5” among the status flags at the start of a line indicates an MD5 checksum mismatch, a potential sign of tampering.
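As an added example that is not part of the original post, this bash script stores the output of the two `find` checks above as a known-good baseline (hashing each setuid/setgid binary) and reports drift on later scans; the root directory and baseline path are whatever the caller passes and are assumptions here.

```shell
#!/usr/bin/env bash
# Added example: baseline setuid/setgid binaries (with hashes) and
# world-writable files under ROOT, then diff later scans against it.
# ROOT and the baseline path are whatever the caller passes (assumed).
set -eu

# scan_privileged ROOT -> "sha256  path" lines for setuid/setgid files.
# The -o is parenthesised so both permission tests feed the same -exec.
scan_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sha256sum {} + | sort -k2
}

# scan_world_writable ROOT -> sorted list of world-writable regular files
scan_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# write_baseline ROOT FILE: capture both lists into FILE (mode 600,
# since the list itself tells a reader where the privileged binaries are)
write_baseline() {
    local root="$1" out="$2"
    {
        echo "# setuid/setgid binaries (sha256  path)"
        scan_privileged "$root"
        echo "# world-writable files"
        scan_world_writable "$root"
    } > "$out"
    chmod 600 "$out"
}

# check_baseline ROOT FILE: print drift as a unified diff.
# Returns 0 when nothing changed, 1 when a file was added, removed,
# or its hash differs (e.g. a replaced setuid binary).
check_baseline() {
    local root="$1" base="$2" cur rc=0
    cur="$(mktemp)"
    write_baseline "$root" "$cur"
    diff -u "$base" "$cur" || rc=1
    rm -f "$cur"
    return "$rc"
}
```

Run `write_baseline / /var/lib/baseline/privileged.txt` once on a freshly hardened host and `check_baseline` from cron; a non-zero exit is the signal to investigate.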

Windows: PowerShell Hardening Commands

Get a list of all installed software
Get-WmiObject -Class Win32_Product | Select-Object Name, Version

Check the status of the Windows Firewall
Get-NetFirewallProfile | Format-Table Name, Enabled

List all running processes
Get-Process | Format-Table Id, Name, CPU, WorkingSet

Check for weak network security settings (e.g., LLMNR)
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast

Step-by-step guide:

  1. Use `Get-WmiObject` to inventory software and uninstall any unauthorized applications. Note that querying `Win32_Product` triggers a consistency check (and possible repair) of every installed MSI package, so it is slow and noisy in the Application log.
  2. Ensure the Windows Firewall is enabled for all profiles (Domain, Private, Public) using the `Get-NetFirewallProfile` command.
  3. `Get-Process` provides a snapshot of all executing code; compare this against a known-good baseline to spot anomalies.
  4. Check the registry for LLMNR, a protocol often used in internal network attacks. A value of ‘0’ disables it.

2. Network Security and Monitoring

Visibility into network traffic is non-negotiable for detecting data exfiltration, command and control (C2) beacons, and unauthorized connections. Mastering native packet inspection and connection analysis tools is a fundamental blue team skill.

Linux: Netfilter and Socket Interrogation

Display iptables firewall rules
iptables -L -v -n

List all active network connections
netstat -tunlp

Monitor network traffic in real-time
tcpdump -i any -c 100

Check which process is using a specific port
lsof -i :443

Step-by-step guide:

1. `iptables -L -v -n` shows your current firewall ruleset. Ensure default policies are set to DROP and only necessary ports are open.
2. `netstat -tunlp` lists all listening (-l) and established TCP (-t) and UDP (-u) connections, showing the associated PID and program.
3. Use `tcpdump` to capture packets for protocol analysis or to verify if traffic is reaching the host. The `-c 100` flag captures 100 packets and exits.
4. If `netstat` shows an unknown service on port 443, use `lsof -i :443` to get detailed information about the process, including its binary path.
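Added example (not from the original post): the listening sockets that `netstat -tunlp` reports, compared against an allowlist of what the host should expose; the netstat output and the allowlist are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example: turn `netstat -tunlp` output into "proto:port:program"
# entries and report listeners missing from an allowlist. The netstat
# output and the allowlist below are constructed for the demonstration.
set -eu

# Constructed sample of `netstat -tunlp` (not a real capture)
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1020/mysqld
tcp6       0      0 :::443                  :::*                    LISTEN      1203/nginx
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2377/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# What this host is expected to expose (one proto:port:program per line)
EXPECTED_LISTENERS='tcp:22:sshd
tcp:3306:mysqld
tcp:443:nginx
udp:68:dhclient'

# listeners  <netstat output>  -> sorted unique "proto:port:program" lines
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, addr, ":"); port = addr[n]   # port follows the last colon, so IPv6 is safe
        split($NF, pp, "/"); prog = (pp[2] == "" ? "-" : pp[2])   # "PID/Program" is always last
        printf "%s:%s:%s\n", substr($1, 1, 3), port, prog
    }' | sort -u
}

# unexpected_listeners ALLOWLIST  <netstat output>  -> entries not allowlisted
unexpected_listeners() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok)'
}
```

In practice pipe the live command in: `netstat -tunlp | unexpected_listeners "$(cat /etc/expected_listeners)"`, and follow each hit with `lsof -i :<port>`.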

Windows: Netstat and PowerShell Equivalents

Show all listening ports and owning process ID
netstat -ano | findstr LISTENING

PowerShell equivalent for established connections
Get-NetTCPConnection -State Established

Check Windows Firewall rules
Get-NetFirewallRule -Enabled True | Format-Table Name, DisplayName, Direction, Action

Display DNS cache (can reveal C2 domains)
Get-DnsClientCache

Step-by-step guide:

1. `netstat -ano` is a classic. The `-a` shows all connections, `-n` prevents name resolution (faster), and `-o` shows the Process ID (PID).
2. Cross-reference the PID from `netstat` with the Task Manager or `Get-Process -Id <PID>` to identify the application.
3. Use `Get-NetFirewallRule` to audit which rules are active. Look for rules that allow traffic that should be blocked.
4. A poisoned DNS cache can be used for spoofing. Regularly check `Get-DnsClientCache` for suspicious or non-corporate domains.

3. Log Analysis and Auditing

Logs are the silent witnesses to all activity on a system. The ability to quickly parse, filter, and correlate log data is crucial for diagnosing security events, from failed logins to successful breaches.

Linux: Grep, Awk, and Journalctl

Search for failed SSH login attempts
grep "Failed password" /var/log/auth.log

Check the last 10 system reboots
last reboot | head -10

Use journalctl to follow systemd logs in real-time
journalctl -f

Count unique IPs attempting SSH access (the IP is the field after "from"; it is not a fixed column because "invalid user" lines have two extra words)
awk '/Failed password/ {for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' /var/log/auth.log | sort | uniq -c | sort -nr

Step-by-step guide:

  1. The `grep` command for “Failed password” immediately shows brute-force activity. The output can be piped to `wc -l` to get a count.
  2. `last reboot` helps establish a timeline of system stability or potential unauthorized restarts.
  3. `journalctl -f` is the equivalent of `tail -f` for the systemd journal, allowing you to watch logs as they are written, which is invaluable during live incident response.
  4. The `awk` one-liner extracts the IP addresses from failed login attempts, sorts them, and counts occurrences, quickly revealing the most aggressive attackers.
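Added example, not part of the original post, covering the `grep` and `awk` steps above: per-source failure counts, the usernames being tried, a threshold alarm, and the case that matters most, a success from a source that had been failing. The auth.log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH logins per source and flag probable
# brute force. The IP is taken from the field after "from" rather than a
# fixed column, so both "invalid user X" and known-user lines parse.
set -eu

# Constructed auth.log excerpt (not a real capture)
SAMPLE_AUTH_LOG='Mar  4 10:01:11 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  4 10:01:13 host sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 51040 ssh2
Mar  4 10:01:20 host sshd[2215]: Failed password for root from 203.0.113.5 port 51061 ssh2
Mar  4 10:02:02 host sshd[2230]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Mar  4 10:02:05 host sshd[2231]: Accepted password for alice from 198.51.100.7 port 40212 ssh2
Mar  4 10:03:44 host sshd[2240]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2'

# failed_by_ip  <log>  -> "count ip" lines, most failures first
failed_by_ip() {
    awk '/Failed password/ { for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# targeted_users  <log>  -> "count user" lines; "invalid user" means the
# name does not exist here, a sign of spraying rather than a known target
targeted_users() {
    awk '/Failed password/ {
        for (i = 1; i < NF; i++) if ($i == "for") {
            u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); print u; break
        }
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_bruteforce THRESHOLD  <log>  -> IPs with at least THRESHOLD failures
flag_bruteforce() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# successes_after_failures  <log>  -> IPs that logged in after failing
# (the case worth escalating: a guess may have landed)
successes_after_failures() {
    awk '
        /Failed password/   { for (i = 1; i < NF; i++) if ($i == "from") failed[$(i + 1)] = 1 }
        /Accepted password/ { for (i = 1; i < NF; i++) if ($i == "from" && failed[$(i + 1)]) print $(i + 1) }
    ' | sort -u
}
```

Feed the real file with `flag_bruteforce 20 < /var/log/auth.log`; the output is directly usable as input to the `fail2ban-client ... banip` step later in this guide.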

Windows: PowerShell Log Parsing

Get the last 100 System log events
Get-EventLog -LogName System -Newest 100

Query for specific Event ID (e.g., 4625: Failed logon)
Get-EventLog -LogName Security -InstanceId 4625 -Newest 20

Filter events using Get-WinEvent (more modern)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 10

Export logs for offline analysis
wevtutil epl Security C:\temp\security_backup.evtx

Step-by-step guide:

  1. Use `Get-EventLog` to get a quick overview of recent System or Application log events.
  2. To hunt for brute-force attacks, query the Security log for Event ID 4625 (failed logon). A high count from a single source IP is a red flag.
  3. `Get-WinEvent` is more powerful and is the preferred cmdlet for complex filtering and querying across multiple logs.
  4. `wevtutil` is essential for backing up log files before they roll over, preserving evidence for forensic analysis.

4. Incident Response & Forensic Data Collection

When a breach is suspected, speed and precision are critical. The initial commands you run can make the difference between containing the threat and a full-scale data breach. This phase is about collecting volatile data and creating a system snapshot.

Linux: Live Response Triage

Capture a timestamped timeline of changes under critical directories (requires inotify-tools; the log path is an example)
inotifywait -m -r --timefmt '%F %T' --format '%T %w%f %e' /etc /var/www 2>/dev/null >> /var/log/inotify_watch.log &

Create a memory dump (requires LiME or similar)
insmod lime.ko "path=/tmp/memdump.lime format=lime"

Create a bit-for-bit disk image of a suspicious USB device
dd if=/dev/sdb of=/evidence/usb_image.img bs=4M status=progress

Dump the process memory of a specific PID
gcore -o /tmp/dump <PID>

Step-by-step guide:

1. `inotifywait` can be set up to monitor critical directories like `/etc` (configs) and web roots for any changes, alerting you to real-time tampering.
2. Memory analysis is crucial, as malware resides in RAM. Loading a kernel module like LiME allows you to dump memory to a file for later analysis with Volatility.
3. The `dd` command is the gold standard for creating forensic images. The `if` is the input file (the device), and `of` is the output file (the image).
4. `gcore` generates a core dump of a running process, allowing you to analyze its memory space without killing the process, which is perfect for analyzing a potential malicious binary.
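Added example (not from the original post) around the `dd` step: acquire the image, hash source and image, and log both so the image can be re-verified later; the source in the test is a constructed file standing in for `/dev/sdb`, and the evidence log path is an assumption.

```shell
#!/usr/bin/env bash
# Added example: acquire an image with dd, hash source and image, and record
# both in an evidence log so the image can be re-verified later. The "device"
# in the test is a constructed file; real use would pass /dev/sdX.
set -eu

# image_device SRC DEST LOG: copy SRC to DEST, hash both, append a log line.
# Returns 0 only when the image hashes identically to the source.
# Caveat: conv=noerror,sync (used on failing media) pads unreadable blocks,
# so with it the image hash is expected to differ from the source hash.
image_device() {
    local src="$1" dest="$2" log="$3" src_hash img_hash
    dd if="$src" of="$dest" bs=4M status=none   # use status=progress interactively
    src_hash="$(sha256sum "$src" | cut -d' ' -f1)"
    img_hash="$(sha256sum "$dest" | cut -d' ' -f1)"
    chmod 444 "$dest"   # analyse working copies; the acquired image is never edited
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src" "$dest" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST LOG: recompute DEST's hash and compare it with the hash
# recorded at acquisition; fails if the image was altered afterwards.
verify_image() {
    local dest="$1" log="$2" recorded current
    recorded="$(awk -F'\t' -v d="$dest" '$3 == d { h = $5 } END { print h }' "$log")"
    current="$(sha256sum "$dest" | cut -d' ' -f1)"
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```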

Windows: Volatile Data Collection

Dump the memory of a single process with a built-in Windows DLL (comsvcs.dll MiniDump; run from an elevated shell)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\process.dmp full

Collect network information pre-disconnection
Get-NetTCPConnection | Export-Csv -Path C:\evidence\netconn.csv -NoTypeInformation

Get a list of all auto-start programs (persistence)
wmic startup get caption, command

Check for unsigned drivers (potential rootkits); /si adds the signature and manufacturer columns that the filter relies on
driverquery /si /fo table | findstr /v /i "Microsoft"

Step-by-step guide:

  1. The `rundll32` method is a well-known technique to dump the memory of a process for analysis. This is a live response essential.
  2. Immediately export all network connections to a CSV file. This provides a snapshot of what the machine was connected to at the time of investigation.
  3. Use WMIC to check startup locations, as malware often establishes persistence here. Compare the output against a known-clean baseline.
  4. The `driverquery` command piped through `findstr` to exclude Microsoft-signed drivers can help identify potentially malicious, unsigned kernel drivers.

5. Active Defense and Mitigation

Beyond detection, a blue team must be able to actively respond and mitigate threats. This involves blocking malicious IPs, isolating compromised hosts, and revoking unauthorized access.

Linux: Blocking and Isolation

 Block an attacker's IP address using iptables
iptables -A INPUT -s 192.168.1.100 -j DROP

Temporarily block an IP with fail2ban (more dynamic)
fail2ban-client set sshd banip 192.168.1.100

Kill a process by its PID
kill -9 <PID>

Change all user passwords in bulk (post-incident)
chpasswd < /tmp/new_passwords.txt

Step-by-step guide:

  1. The `iptables` command immediately blocks all traffic from the specified source IP. Use `-A INPUT` to append to the chain.
  2. Tools like `fail2ban` automate this by watching log files and dynamically updating firewall rules. The `banip` command allows for manual intervention.
  3. The `kill -9` signal (SIGKILL) force-terminates an unresponsive or malicious process. First, try `kill -15` (SIGTERM) for a graceful shutdown.
  4. After a breach, forcing a password reset is critical. Create a file with `username:newpassword` pairs and use `chpasswd` to update them in bulk.

Windows: Isolation and Access Revocation

 Block an IP using the Windows Firewall
New-NetFirewallRule -DisplayName "Block Attacker" -Direction Inbound -RemoteAddress 192.168.1.100 -Action Block

Disable a compromised user account
Disable-LocalUser -Name "compromised_user"

Force a group policy update to apply new security settings
gpupdate /force

Remove a scheduled task (common persistence mechanism)
Unregister-ScheduledTask -TaskName "SuspiciousTask" -Confirm:$false

Step-by-step guide:

  1. Use the `New-NetFirewallRule` PowerShell cmdlet to instantly create a new rule blocking the attacker’s IP address.
  2. Immediately disable any user account suspected of being compromised using `Disable-LocalUser`. This prevents further use of that credential.
  3. If new security policies (e.g., disabling SMBv1) have been pushed out, force an immediate update with `gpupdate /force`.
  4. Persistence is often achieved via scheduled tasks. Use `Unregister-ScheduledTask` to remove any malicious tasks you identify.

What Undercode Say:

  • A defender’s effectiveness is directly proportional to their fluency with the native tools of their operating system. Automation and scripting of these commands elevate a good blue team to a great one.
  • The line between offense and defense is blurring. The most successful defenders think like attackers, using the same tools for reconnaissance and vulnerability assessment to find and fix weaknesses first.

The modern security landscape demands a shift from passive monitoring to active defense. The commands outlined here are not just a reactionary checklist but the building blocks of a resilient security posture. Mastery of these tools allows defenders to move at the speed of the adversary, transforming a sprawling digital estate from a soft target into a hardened fortress. The future of defense is not just in sophisticated AI-driven platforms, but in the foundational, scriptable, and automatable power of the command line. The most critical prediction is that organizations which fail to cultivate these core technical skills within their blue teams will be consistently outpaced by threats, regardless of their security budget.

Prediction:

The increasing automation and commoditization of attack tools will be met by an equal and opposite rise in automated, command-line-driven defense playbooks. The future blue team operator will be less a console jockey and more an orchestrator of scripts and APIs, where the deep command-line knowledge showcased here will be the critical differentiator between a contained incident and a catastrophic breach. Organizations that embed this CLI-centric expertise into their SOC and IR workflows will achieve a faster Mean Time to Respond (MTTR), fundamentally lowering their risk profile.

Reported By: Mohamedshahat Shiky – Hackers Feeds