The Blue Teamer’s Arsenal: 25+ Essential Commands to Detect and Neutralize Cyber Threats

Listen to this Post

Featured Image

Introduction:

In the high-stakes world of cybersecurity, defenders require a formidable arsenal of verified commands and techniques to identify, analyze, and mitigate threats swiftly. This guide provides a critical toolkit for Security Operations Center (SOC) analysts and blue teamers, compiling essential procedures for incident response across Linux and Windows environments.

Learning Objectives:

  • Master fundamental command-line tools for threat hunting and digital forensics.
  • Learn to analyze network traffic, processes, and system logs for indicators of compromise.
  • Develop skills to isolate malicious activity and gather evidence for incident reporting.

You Should Know:

1. Network Connection Analysis

Understanding active network connections is the first step in identifying unauthorized communication.

Linux:

netstat -tulnp
ss -tulnp
lsof -i

Windows:

netstat -ano | findstr ESTABLISHED
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}

Step-by-step guide:

The `netstat -tulnp` command displays all listening (-l) and established TCP (-t) and UDP (-u) sockets, showing the process name (-n) and PID (-p) owning the port. On Windows, `netstat -ano` shows all connections and listening ports, with the -a (all), -n (numerical), and -o (process ID) flags. Cross-reference suspicious foreign IPs with threat intelligence feeds. The `ss` command is a faster modern replacement for `netstat` on Linux.

2. Process Investigation and Management

Malicious software often runs as a background process. Identifying these is crucial.

Linux:

ps aux | grep -i suspicious_string
pstree -p
kill -9 <PID>

Windows:

Get-Process | Where-Object {$_.CPU -gt 50}
tasklist /svc
Stop-Process -Id <PID> -Force

Step-by-step guide:

Use `ps aux` to list all running processes with detailed information like user, CPU, and memory usage. The `grep` command filters this list for known malicious names or unusual resource consumption. In Windows PowerShell, `Get-Process` retrieves all running processes. The `tasklist /svc` command is critical as it shows which services are hosted in each process, helping to identify disguised malware. To terminate a confirmed malicious process, use `kill -9 ` on Linux or `Stop-Process -Id -Force` on Windows.

3. File System Forensics and Integrity Checking

Detecting altered or suspicious files is a core defensive task.

Linux:

find / -name ".sh" -mtime -1
find / -perm -4000
md5sum /bin/bash
stat /path/to/suspicious_file

Windows:

Get-FileHash C:\Windows\System32\cmd.exe -Algorithm SHA256
Get-ChildItem -Path C:\ -Include .exe -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}

Step-by-step guide:

The Linux `find` command can locate files modified in the last day (-mtime -1) or with SUID permissions set (-perm -4000), which are common persistence mechanisms. Always hash critical system binaries like `cmd.exe` or `bash` and compare them to known-good hashes from a clean system. The `Get-FileHash` PowerShell cmdlet is indispensable for this. The `stat` command provides detailed file metadata including creation and modification times.

4. Log Analysis for Incident Response

System and security logs provide a timeline of attacker activity.

Linux:

journalctl -u ssh --since "1 hour ago"
grep "Failed password" /var/log/auth.log
tail -f /var/log/syslog

Windows:

Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddHours(-1)} | Where-Object {$_.Id -eq 4625}
Get-EventLog -LogName System -Newest 50

Step-by-step guide:

On Linux systems using journald, the `journalctl -u ssh –since “1 hour ago”` command filters logs for the SSH service from the last hour. Searching for “Failed password” entries in `/var/log/auth.log` can reveal brute-force attacks. In Windows, `Get-WinEvent` is a powerful cmdlet for querying the Security log; event ID 4625 specifically indicates failed logons. The `tail -f` command provides real-time monitoring of log files as new entries are written.

5. User and Account Management Auditing

Attackers often create or compromise user accounts for persistence.

Linux:

cat /etc/passwd | grep -E "/bin/(bash|sh)"
last
who -b

Windows:

Get-LocalUser | Where-Object {$_.Enabled -eq $True}
net user
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720}

Step-by-step guide:

Reviewing the `/etc/passwd` file for unexpected interactive shells (/bin/bash or /bin/sh) can reveal hidden user accounts. The `last` command shows a history of user logins, including source IP addresses, which is vital for tracking lateral movement. In Windows, `Get-LocalUser` lists all local accounts, while `net user ` provides detailed information about a specific account’s privileges and group memberships. Security event ID 4720 specifically logs the creation of a new user account.

6. Firewall and Network Security Interrogation

Ensuring host-based firewalls are properly configured blocks attacker exfiltration.

Linux:

iptables -L -n -v
ufw status verbose

Windows:

Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True'}
netsh advfirewall show allprofiles

Step-by-step guide:

The `iptables -L -n -v` command lists all active firewall rules with numerical addresses and verbose packet counters. On systems using Uncomplicated Firewall (UFW), `ufw status verbose` provides a clear overview of the default policies and active rules. In Windows, the PowerShell `Get-NetFirewallRule` cmdlet is the modern way to audit the Windows Firewall. The older `netsh advfirewall show allprofiles` command displays the state and settings for the Domain, Private, and Public firewall profiles.

7. Scheduled Task and Persistence Mechanism Hunting

Attackers use automated tasks to maintain access.

Linux:

crontab -l
ls -la /etc/cron./
systemctl list-timers

Windows:

Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'}
schtasks /query /fo LIST /v

Step-by-step guide:

Check the current user’s crontab with `crontab -l` and inspect system-wide cron directories (/etc/cron.hourly/, /etc/cron.daily/, etc.) for suspicious scripts. The `systemctl list-timers` command reveals all systemd timers, a modern persistence vector. In Windows, `Get-ScheduledTask` retrieves all tasks, and filtering out disabled ones helps focus the investigation. The classic `schtasks` command with verbose output provides a detailed, parseable list of all scheduled jobs, including their triggers and actions.

What Undercode Say:

  • A proactive defender is defined by the speed and efficiency of their command-line fluency. Manual verification beats over-reliance on automated tools.
  • The convergence of system administration and security commands means the modern analyst must be bilingual in both Linux and Windows ecosystems.
  • Analysis: The provided LinkedIn post, while light on technical detail, underscores a vital metaphor: cybersecurity is about “putting out digital fires.” The commands listed here are the fire extinguishers and hoses. In an incident, there is no time to search for syntax; muscle memory and a pre-established playbook are paramount. The most effective blue teamers are those who have internalized these fundamental procedures, allowing them to cut through the noise and identify the root cause of a breach without hesitation. This foundational knowledge forms the bedrock upon which more advanced Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) platforms are effectively utilized.

Prediction:

The increasing automation of attacks via AI will force defenders to rely less on slow, GUI-based tools and more on scriptable, command-line-driven investigations. The ability to rapidly execute and chain together the fundamental commands outlined above will become the differentiator between a contained incident and a full-scale breach. We will see a resurgence of focus on core digital forensics and incident response (DFIR) skills at the command line, even as the security stack evolves.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Joonpoore A – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky