Listen to this Post

Introduction:
In the high-stakes world of Security Operations Centers (SOC), efficiency and precision are paramount. While memes lighten the mood, the real work hinges on a responder’s ability to swiftly investigate and contain threats across diverse environments. This article provides a critical toolkit of verified commands for Linux, Windows, and security tools that every SOC analyst must master.
Learning Objectives:
- Master fundamental command-line investigations for both Linux and Windows systems.
- Learn to utilize EDR and log analysis tools for rapid threat hunting.
- Understand key commands for initial incident triage and evidence collection.
You Should Know:
1. Linux Process and Network Analysis
A primary step in any incident response is understanding what is running and communicating on a system.
ps auxfw | head -20 netstat -tulnp ss -tuln lsof -i -P
Step-by-step guide:
The `ps auxfw` command provides a snapshot of all running processes (a), with detailed information including the user (u) and a forest view (f) to show parent-child relationships. Piping to `head -20` shows the first 20 entries. `netstat -tulnp` and its modern equivalent `ss -tuln` list all listening (-l) TCP/UDP (-t/-u) ports and the associated process ID (-p). `lsof -i -P` lists all open internet connections and the files (processes) that opened them, showing port numbers numerically (-P).
2. Windows System Interrogation
Windows environments require a different set of tools for live response.
tasklist /svc netstat -ano | findstr LISTENING wmic process get Name,ProcessId,CommandLine Get-NetTCPConnection | Where-Object State -Eq Listen
Step-by-step guide:
`tasklist /svc` displays all running processes alongside their associated services, crucial for identifying malicious services. `netstat -ano` shows network connections and the owning Process ID (-o), which can be filtered for listening ports. For deeper insight, `wmic process` provides the full command line used to execute a process, often revealing hidden arguments. In PowerShell, `Get-NetTCPConnection` offers a more powerful and scriptable alternative.
3. File System Timeline and Persistence Hunting
Attackers leave traces; finding them quickly is key.
Linux: find / -name ".sh" -mtime -1 2>/dev/null Linux: ls -laht /etc/cron /var/spool/cron/ Windows: dir C:\Users\ /s /b /a:-D | findstr .exe | findstr /v Windows Windows: wmic startup get caption,command
Step-by-step guide:
On Linux, the `find` command searches for files (e.g., Shell scripts modified in the last day -mtime -1). Checking cron directories (/etc/cron, /var/spool/cron/) is essential for finding scheduled persistence. On Windows, the `dir` command can recursively (/s) search all user directories for executable files, excluding Windows system paths. `wmic startup` queries the Windows Management Instrumentation to list all applications configured to run at startup.
4. Log Analysis with Built-in Tools
Centralized SIEMs are ideal, but analysts must be able to work locally.
Linux: journalctl --since "1 hour ago" | grep -i "failed"
Linux: tail -f /var/log/auth.log | grep -i accepted
Windows: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-1)}
Windows: wevtutil qe Security /c:10 /f:text /q:"Event[System[(EventID=4624)]]"
Step-by-step guide:
On Linux, `journalctl` queries the systemd journal. The example filters for events in the last hour containing “failed”. `tail -f` follows a log file in real-time, useful for monitoring live authentication events. In Windows PowerShell, `Get-WinEvent` is a powerful cmdlet for querying event logs; this example fetches successful logon events (ID 4624) from the last hour. The legacy `wevtutil` command provides similar functionality from the classic command prompt.
5. EDR and Forensics Data Collection
Leveraging EDR tools and collecting volatile data is a cornerstone of IR.
Crowdstrike Falcon (via RTR)
cs.exe forensic package create
Generic Memory Capture (FTK Imager CLI)
ftkimager.exe --affexport \.\PhysicalMemory C:\Evidence\mem.aff4
Live Response Script Starter
Linux: for i in $(ps aux | awk '{print $2}'); do ls -la /proc/$i/exe; done
Step-by-step guide:
If Crowdstrike Falcon is installed, its Real-Time Response (RTR) console allows analysts to remotely execute commands like `cs.exe forensic` to create a data collection package. Tools like FTK Imager CLI can be used to capture physical memory to an analysis-friendly format like AFF4. The Linux one-liner iterates through all Process IDs and examines the executable file linked in the `/proc` filesystem, which can reveal processes running from temporary or suspicious locations.
6. Network Threat Hunting
Identifying anomalous network activity can reveal command-and-control channels.
tcpdump -i any -n -c 100 'tcp port 443 or 80' tshark -i eth0 -Y "dns.qry.type == 1" -c 50 Windows: Get-NetTCPConnection | Group-Object RemotePort | Sort-Count -Descending
Step-by-step guide:
`tcpdump` is the classic packet capture tool. This command listens on any interface (-i any), doesn’t resolve hostnames (-n), and captures 100 packets on common web ports. `tshark` (Wireshark’s CLI) can be more expressive; this example uses a display filter (-Y) to show only standard DNS queries. In PowerShell, `Get-NetTCPConnection` can be piped to `Group-Object` to quickly identify which remote ports a host is communicating with most frequently, potentially spotting beaconing activity.
7. Vulnerability and Configuration Assessment
Proactive checks are part of a robust security posture.
nmap -sV -sC -O <target_ip> Linux: grep PASS_MAX_DAYS /etc/login.defs Windows: auditpol /get /category: Windows: sc query windefend
Step-by-step guide:
`nmap` is the quintessential network scanner. The `-sV` probes service versions, `-sC` runs default scripts, and `-O` attempts OS detection. On Linux, checking password policies in `/etc/login.defs` is a basic hardening step. On Windows, `auditpol` displays the current audit policy, critical for ensuring log coverage, and `sc query` checks the status of essential services like Windows Defender.
What Undercode Say:
- The CLI is Your Single Source of Truth: Graphical interfaces can be manipulated or may not show low-level activity. The command line provides a more reliable view of system state during an investigation.
- Automation is Force Multiplication: While knowing these commands is vital, the ultimate goal for a Tier 2/3 analyst is to script these checks for rapid, consistent execution across thousands of endpoints.
The shift from manual, GUI-driven investigation to scripted, command-line-focused response is what separates mature SOCs from reactive ones. The commands listed are the foundational vocabulary for this language of response. Mastery allows an analyst to cut through the noise of false positives, validate alerts with precision, and gather irrefutable evidence for containment and eradication. The meme culture shared by professionals like Jenito Pankiras highlights a shared experience, but the technical proficiency demonstrated here is what ultimately defends the enterprise.
Prediction:
The future of SOC work will see a diminished role for manual command execution as AI-driven EDRs automate initial triage and response. However, the underlying principles these commands represent will become even more critical. Analysts will evolve from command-line operators to orchestrators of automated playbooks and interpreters of AI-generated findings. The ability to understand, validate, and fine-tune the automated systems will be the new benchmark for senior incident responders, making this foundational knowledge a permanent requirement.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Jenito Pankiras – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


