If this article is going to be useful, it should help you investigate real incidents fast. What follows is a practical command pack for Linux and Windows, with context on when to run each command and what to look for.
Use this pack for three common situations:
- Suspected credential abuse or brute force attempts
- Unexpected process/network activity on servers
- Post-change validation after hardening or patching
Linux command pack (high signal)
1) Who logged in and from where
last -ai | head -n 30
who
w
Look for unusual source IPs, logins at odd hours, unknown TTY/pts sessions, and "still logged in" entries nobody can account for. These commands read wtmp/utmp, which an attacker with root can edit, so a clean result is weak evidence on its own.
2) Failed SSH authentication spikes
# Debian/Ubuntu
grep "Failed password" /var/log/auth.log | tail -n 100
# RHEL/CentOS/Alma
grep "Failed password" /var/log/secure | tail -n 100
If one source repeatedly fails across many usernames (especially "invalid user" names the host does not have), treat it as brute force and block the source quickly, after confirming it is not a NAT gateway or jump host you depend on. Then search the same log for an "Accepted" line from that source: a success after a run of failures is the case that matters. The pattern above only matches password failures; also check for "Invalid user" pre-auth lines, and on hosts that log only to the systemd journal query the sshd unit with journalctl instead of grepping a file.
3) Privilege escalation trail (sudo)
grep "sudo" /var/log/auth.log | tail -n 100
Each sudo line records the invoking user, TTY, working directory, target user and the COMMAND= that ran, so you can reconstruct who escalated and what they did. Pay attention to "NOT in sudoers" and "incorrect password attempts" entries, and to commands that read credential material or edit sudoers, cron entries or systemd units.
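As an added example (not part of the original command pack), the Python below applies checks 2 and 3 to auth.log-format lines: it aggregates "Failed password" events per source address with the distinct usernames tried, records any later "Accepted" logon from a source that had failed, flags sources that meet the brute-force heuristic, and extracts the sudo COMMAND trail. The sample log lines, hostnames, PIDs and addresses are constructed, and the thresholds min_attempts and min_users are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample in auth.log format (hostnames, PIDs and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:03 web1 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  4 02:11:05 web1 sshd[2142]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Mar  4 02:11:07 web1 sshd[2144]: Failed password for root from 198.51.100.23 port 51044 ssh2
Mar  4 02:11:09 web1 sshd[2146]: Failed password for invalid user test from 198.51.100.23 port 51051 ssh2
Mar  4 02:11:12 web1 sshd[2148]: Failed password for root from 198.51.100.23 port 51060 ssh2
Mar  4 02:15:40 web1 sshd[2201]: Failed password for deploy from 203.0.113.8 port 40210 ssh2
Mar  4 02:15:48 web1 sshd[2201]: Accepted publickey for deploy from 203.0.113.8 port 40210 ssh2
Mar  4 02:16:02 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 02:16:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(invalid user) )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(
    r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")


def failed_logins_by_source(log_text):
    """Aggregate sshd 'Failed password' lines per source address.

    Returns {ip: {"attempts": int, "users": set, "invalid_users": int,
                  "accepted": set}}; "accepted" holds accounts that later
    succeeded from a source that had failed before (the follow-up check).
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "invalid_users": 0, "accepted": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, ip = m.groups()
            s = stats[ip]
            s["attempts"] += 1
            s["users"].add(user)
            if invalid:
                s["invalid_users"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if ip in stats:  # only interesting when the source failed earlier
                stats[ip]["accepted"].add(user)
    return dict(stats)


def brute_force_sources(stats, min_attempts=5, min_users=3):
    """Sources that fail often across several usernames.
    Thresholds are assumptions; tune them to the host's normal traffic."""
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["users"]) >= min_users)


def sudo_trail(log_text):
    """Extract the escalation trail: who ran what, as which user, from which TTY."""
    trail = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            user, tty, pwd, target, command = m.groups()
            trail.append({"user": user, "tty": tty, "pwd": pwd,
                          "target": target, "command": command})
    return trail


def triage(log_text):
    """Run both checks and return printable summary lines."""
    stats = failed_logins_by_source(log_text)
    lines = []
    for ip in brute_force_sources(stats):
        s = stats[ip]
        lines.append(f"BRUTE FORCE {ip}: {s['attempts']} failures, "
                     f"{len(s['users'])} usernames, {s['invalid_users']} invalid, "
                     f"accepted={sorted(s['accepted'])}")
    for e in sudo_trail(log_text):
        lines.append(f"SUDO {e['user']} -> {e['target']} on {e['tty']}: {e['command']}")
    return lines


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /var/log/auth.log or /var/log/secure) to scan a real file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    print("\n".join(triage(text)))
```

Run it against a real file with a path argument; the same regexes work on /var/log/secure, since the sshd and sudo message bodies are identical across distributions.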
4) Listening services and process owners
ss -tulpen
lsof -i -P -n | grep LISTEN
Flag unexpected listeners, especially on internet-exposed hosts; check the owning process and its binary path (a listener served from /tmp or a home directory is suspect) and compare against the host's documented role.
5) Active outbound connections (possible beaconing)
ss -tpn state established
Investigate persistent connections to unfamiliar external addresses, especially from processes that have no business talking outbound. Beacons are often short-lived connections on a fixed interval, so run the command several times a minute apart rather than once.
6) Persistence checks (cron/systemd)
crontab -l
ls -la /etc/cron*
systemctl list-timers --all
systemctl list-unit-files | grep enabled
Look for unknown scheduled tasks, timers and units created or modified recently. crontab -l only shows the invoking user's crontab: check every account's entries under /var/spool/cron (or /var/spool/cron/crontabs), /etc/cron.d, and the unit files under /etc/systemd/system, sorting by modification time.
7) World-writable file quick check
find / -xdev -type f -perm -0002 2>/dev/null | head -n 200
-xdev keeps find on the root filesystem; repeat for separate mounts such as /var or /tmp. Verify whether writable files are expected for the application role, and prioritise writable scripts, binaries and unit or cron files that root or a scheduler executes.
Windows command pack (PowerShell-first)
1) Failed logons (Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-6)} |
Select-Object TimeCreated, Message
A high failed-logon volume against many accounts from one source (typically Logon Type 3 with Status 0xC000006A, wrong password, or 0xC0000064, unknown account) indicates password spraying or credential stuffing; many failures against one account from many sources is a brute force. Either way, check for a 4624 from the same source afterwards.
2) Privileged logons (Event ID 4672)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=(Get-Date).AddHours(-6)} |
Select-Object TimeCreated, Message
Validate that privileged logons match known admin activity windows. 4672 fires for every logon that is granted sensitive privileges, including SYSTEM and service accounts, so expect noise; correlate its Logon ID with the matching 4624 to get the source address and logon type.
3) Process creation (Event ID 4688)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-4)} |
Select-Object TimeCreated, Message
Hunt for LOLBins (rundll32, mshta, regsvr32, certutil) and for PowerShell or cmd spawned by Office, browser or web-server processes. 4688 only exists if Audit Process Creation is enabled, and the command line is recorded only when the "Include command line in process creation events" policy is also on; without it you see just the image path.
4) New service installation (Event ID 4697)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697; StartTime=(Get-Date).AddDays(-1)} |
Select-Object TimeCreated, Message
Unexpected services can indicate persistence. 4697 requires the Audit Security System Extension subcategory; the System log records the same installs as Event ID 7045 (Service Control Manager), which is on by default, so check there too.
5) Listening ports and owning process
Get-NetTCPConnection -State Listen |
Sort-Object LocalPort |
Select-Object LocalAddress, LocalPort, OwningProcess
Map the OwningProcess to an image with Get-Process -Id <PID> and check its path and signature; a listener owned by a binary outside the Windows or Program Files directories deserves a closer look.
6) Local Administrators drift
Get-LocalGroupMember Administrators
Detect unauthorized membership changes quickly by diffing against a known baseline (the output includes domain users and groups nested into the local group). If local group auditing is on, Event ID 4732 records each addition and tells you who made it.
7) Recent updates (patch visibility)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
Use this during post-patch validation and incident containment windows. Get-HotFix reads Win32_QuickFixEngineering, which lists OS updates only, not feature upgrades or third-party patches, so treat it as a quick check rather than a full inventory.
Fast triage workflow (15 minutes)
- Check authentication anomalies (failed + privileged logons).
- Check suspicious process execution and service creation.
- Check listening ports and active outbound connections.
- Capture evidence (volatile data first: connections, processes, logged-in users, then logs) and isolate the affected host if compromise is likely.
What to avoid
- Do not run destructive cleanup before collecting evidence.
- Do not assume one alert = one host; pivot to related systems that share the same source IP, credential, or subnet.
- Do not skip timeline correlation between auth, process, and network events.
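As an added example, not from the original page, the Python below shows the correlation step the workflow calls for: it merges Security-log-style records (4625, 4624, 4688, 4697) and a network observation into one timeline, flags a successful logon that follows a burst of failures from the same source, and attaches the process creations, service installs and outbound connections that follow it. The event records, account names, paths, the failure threshold and the 15-minute window are all constructed assumptions; the field names are chosen to mirror what Get-WinEvent and Get-NetTCPConnection return.

```python
from datetime import datetime, timedelta

# Constructed events (not from a real host). Field names mirror what you would
# pull from Get-WinEvent (Security log) and Get-NetTCPConnection; times are UTC.
EVENTS = [
    # benign admin RDP session an hour earlier
    {"time": "2024-03-04T01:00:00", "id": 4624, "user": "adm.jsmith", "src": "10.0.0.5", "logon_type": 10},
    {"time": "2024-03-04T01:00:30", "id": 4688, "user": "adm.jsmith",
     "process": "C:\\Windows\\System32\\mmc.exe", "parent": "C:\\Windows\\explorer.exe"},
    # spray from one external source, then a hit on svc_backup
    {"time": "2024-03-04T02:11:03", "id": 4625, "user": "Administrator", "src": "198.51.100.23", "status": "0xC000006A"},
    {"time": "2024-03-04T02:11:05", "id": 4625, "user": "backup", "src": "198.51.100.23", "status": "0xC0000064"},
    {"time": "2024-03-04T02:11:08", "id": 4625, "user": "svc_backup", "src": "198.51.100.23", "status": "0xC000006A"},
    {"time": "2024-03-04T02:11:11", "id": 4625, "user": "jsmith", "src": "198.51.100.23", "status": "0xC000006A"},
    {"time": "2024-03-04T02:12:10", "id": 4624, "user": "svc_backup", "src": "198.51.100.23", "logon_type": 3},
    {"time": "2024-03-04T02:12:40", "id": 4688, "user": "svc_backup",
     "process": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"time": "2024-03-04T02:13:05", "id": 4697, "user": "svc_backup",
     "service": "WinUpdateSvc", "image": "C:\\Users\\Public\\svchost.exe"},
    {"time": "2024-03-04T02:13:20", "id": "net", "process": "C:\\Users\\Public\\svchost.exe",
     "remote": "198.51.100.23:443", "state": "Established"},
]


def ts(event):
    return datetime.fromisoformat(event["time"])


def build_timeline(events):
    """One chronologically ordered list, whatever log each record came from."""
    return sorted(events, key=ts)


def correlate(events, min_failures=3, window=timedelta(minutes=15)):
    """Flag a 4624 preceded by >= min_failures 4625s from the same source within
    `window`, and attach what that account did next (4688/4697) plus outbound
    connections made by the images it launched or installed."""
    timeline = build_timeline(events)
    findings = []
    for i, ev in enumerate(timeline):
        if ev["id"] != 4624:
            continue
        t = ts(ev)
        prior_fail = [e for e in timeline[:i]
                      if e["id"] == 4625 and e.get("src") == ev.get("src")
                      and t - ts(e) <= window]
        if len(prior_fail) < min_failures:
            continue
        follow_on = [e for e in timeline[i + 1:]
                     if e["id"] in (4688, 4697) and e.get("user") == ev["user"]
                     and ts(e) - t <= window]
        images = {e.get("process") or e.get("image") for e in follow_on}
        network = [e for e in timeline[i + 1:]
                   if e["id"] == "net" and e.get("process") in images
                   and ts(e) - t <= window]
        findings.append({
            "src": ev["src"], "user": ev["user"], "logon_time": ev["time"],
            "failed_before": len(prior_fail),
            "accounts_tried": sorted({e["user"] for e in prior_fail}),
            "follow_on": follow_on, "network": network,
        })
    return findings


def describe(finding):
    """Render one finding as the lines an analyst would paste into a ticket."""
    kind = "spray" if len(finding["accounts_tried"]) > 1 else "brute force"
    lines = [f"{finding['logon_time']} {finding['user']} logged on from {finding['src']} "
             f"after {finding['failed_before']} failures ({kind} across "
             f"{len(finding['accounts_tried'])} accounts)"]
    for e in finding["follow_on"]:
        what = e.get("process") or f"service {e['service']} -> {e['image']}"
        lines.append(f"  {e['time']} {e['id']} {what}")
    for e in finding["network"]:
        lines.append(f"  {e['time']} outbound {e['process']} -> {e['remote']}")
    return lines


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print("\n".join(describe(f)))
```

The benign adm.jsmith session produces no finding because no 4625 burst precedes it; the svc_backup logon is flagged because four failures across four accounts from the same source land inside the window, and the rundll32 launch, the service installed from C:\Users\Public and the outbound connection by that service image are tied to it.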
This command pack is built for operators who need signal fast, not generic theory.