Command Line Essentials for Security Analysts

1. File System Navigation & Basic Operations

Navigation Commands

ls (Linux) / dir (Windows) - List directory contents

• When to use: Initial reconnaissance of compromised systems, identifying suspicious files, checking file permissions and timestamps during investigations

• Why important: First step in understanding system state; helps identify anomalies, unusual files, or permission changes that indicate compromise

• Key options: ls -la (detailed with hidden files), ls -lrt (sorted by time), ls -lah (human-readable sizes)

• Security context: Look for recently modified files, unusual permissions (777), files with suspicious names or extensions

cd - Change directory

• When to use: Navigate to log directories (/var/log), system directories (/etc, /bin), user directories during investigations

• Why important: Essential for systematic investigation workflows, accessing different system areas for evidence collection

• Security context: Common paths include /var/log for logs, /tmp for temporary files that may contain malware, /home for user data

pwd - Print working directory

• When to use: Verify current location during complex investigations, confirm you're in the correct directory before executing commands

• Why important: Prevents mistakes during evidence collection, ensures proper documentation of file locations

• Security context: Critical for maintaining chain of custody and accurate incident documentation

find (Linux) / where (Windows) - Search for files and directories

• When to use: Locate suspicious files, find files modified within specific timeframes, search for files with unusual permissions or ownership

• Why important: Essential for comprehensive system searches during incident response and threat hunting

• Key options: find / -name "*.exe" -mtime -7 (executables modified in last 7 days), find /home -perm 777 (world-writable files)

• Security context: Hunt for malware, identify persistence mechanisms, locate configuration files, find evidence of data exfiltration

File Operations

cat (Linux) / type (Windows) - Display file contents

• When to use: Examine log files, configuration files, suspicious scripts, malware samples (with caution)

• Why important: Quick way to view file contents without opening editors, preserves file timestamps

• Security context: View system logs, examine malicious scripts, check configuration changes, analyze attack artifacts

head / tail - Display first/last lines of file

• When to use: head for file headers/beginning of logs; tail -f for real-time log monitoring during active incidents

• Why important: Efficient way to sample large log files without loading entire contents into memory

• Key options: tail -f /var/log/syslog (follow log in real-time), head -n 50 (first 50 lines), tail -n 100 (last 100 lines)

• Security context: Monitor live attack activity, check recent log entries, examine file structure without full content exposure

grep (Linux) / findstr (Windows) - Search text patterns in files

• When to use: Search logs for specific IP addresses, usernames, error messages, attack patterns, indicators of compromise (IOCs)

• Why important: Core tool for log analysis, pattern matching, and evidence discovery in large datasets

• Key options: grep -i (case-insensitive), grep -r (recursive), grep -v (invert match), grep -E (extended regex)

• Security context: Hunt for attack signatures, find evidence of specific threats, correlate events across multiple log files

• Examples: grep "Failed password" /var/log/auth.log, grep -i "malware" /var/log/syslog

less / more - Page through file contents

• When to use: Navigate through large log files, examine lengthy configuration files, review system output that exceeds screen size

• Why important: Allows controlled viewing of large files without loading everything into memory

• Security context: Systematic review of large log files, examination of system configurations during hardening assessments

File Permissions & Ownership (Linux)

chmod - Change file permissions

• When to use: Secure sensitive files during incident response, fix permission-based vulnerabilities, implement access controls

• Why important: Essential for system hardening and preventing privilege escalation attacks

• Security context: Remove world-writable permissions that attackers exploit, secure configuration files, implement least privilege

• Examples: chmod 600 /etc/shadow (secure password file), chmod +x script.sh (make executable)

chown - Change file ownership

• When to use: Fix ownership issues after compromise, secure files during system remediation, implement proper access controls

• Why important: Prevents unauthorized access through ownership manipulation

• Security context: Restore proper ownership after attacks, secure sensitive system files, implement role-based access

2. Process & System Monitoring

Process Management

ps (Linux) / tasklist (Windows) - Display running processes

• When to use: Identify suspicious processes during incident response, baseline system state, hunt for malware processes

• Why important: Core tool for identifying malicious activity, unauthorized processes, and system compromise indicators

• Key options: ps aux (all processes, detailed), ps -ef (full format), tasklist /svc (Windows with services)

• Security context: Look for processes with unusual names, high CPU/memory usage, processes running as wrong user, unknown executables

top / htop - Real-time process viewer

• When to use: Monitor system performance during attacks, identify resource-intensive malicious processes, track system behavior in real-time

• Why important: Provides dynamic view of system state, helps identify performance-impacting malware or attacks

• Security context: Detect cryptocurrency miners, DDoS attack processes, resource exhaustion attacks, unusual system behavior

kill / taskkill - Terminate processes

• When to use: Stop malicious processes during incident containment, terminate unresponsive security tools, halt suspicious activities

• Why important: Essential for immediate threat containment and system control during active incidents

• Key options: kill -9 (force kill), taskkill /f /pid (Windows force), killall process_name (kill by name)

• Security context: Stop malware execution, terminate unauthorized processes, halt data exfiltration attempts

System Information

uname (Linux) / systeminfo (Windows) - System information

• When to use: Gather system details for vulnerability assessment, understand target environment during investigations, document system specifications

• Why important: Essential for understanding attack surface, identifying system-specific vulnerabilities, contextualizing security findings

• Key options: uname -a (all system info), systeminfo | findstr /B "OS" (Windows OS details)

• Security context: Identify unpatched systems, understand attack vectors, assess system hardening status

whoami - Current user identity

• When to use: Verify current privilege level during investigations, confirm user context for commands, validate access during penetration testing

• Why important: Critical for understanding privilege escalation status and command context

• Security context: Confirm you're not running as root unnecessarily, understand attack privilege level, verify user impersonation

3. Network Analysis & Monitoring

Network Connectivity

ping - Test network connectivity

• When to use: Verify network connectivity during incident response, test if compromised systems can reach command-and-control servers, validate network isolation

• Why important: Basic network troubleshooting and verification of network-based containment measures

• Security context: Test if malware can communicate externally, verify network segmentation, confirm system isolation during containment

traceroute / tracert - Trace network path

• When to use: Investigate unusual network traffic routes, understand attack traffic paths, troubleshoot network-based security controls

• Why important: Helps understand network topology and identify routing anomalies that may indicate compromise

• Security context: Track malicious traffic paths, identify compromised network infrastructure, verify security appliance placement

nslookup / dig - DNS lookup

• When to use: Investigate suspicious domain names, analyze DNS-based attacks, verify domain reputation, investigate DNS tunneling

• Why important: DNS is commonly abused by attackers for command-and-control, data exfiltration, and malware distribution

• Key options: dig @8.8.8.8 example.com (specific DNS server), nslookup -type=MX (mail records)

• Security context: Check domain reputation, investigate DNS-based malware communication, analyze phishing domains

curl / wget - HTTP requests and file downloads

• When to use: Test web application security, download threat intelligence feeds, replicate attack techniques for analysis, verify web server responses

• Why important: Essential for web application testing and replicating HTTP-based attacks

• Security context: Test for web vulnerabilities, download malware samples safely, verify web-based IOCs, test HTTP security headers

Network Configuration

ifconfig / ipconfig - Network interface configuration

• When to use: Verify network configuration during investigations, identify network interface anomalies, gather system network information

• Why important: Understanding network configuration is essential for incident response and security assessment

• Key options: ipconfig /all (detailed Windows info), ifconfig -a (all interfaces)

• Security context: Identify unusual network interfaces, verify IP configurations, detect network-based persistence mechanisms

netstat - Network connections and statistics

• When to use: Identify active network connections during incident response, detect malware communication, find listening services

• Why important: Core tool for identifying unauthorized network activity and malware communication

• Key options: netstat -antp (all connections with processes), netstat -ln (listening ports)

• Security context: Find backdoors listening on ports, identify malware communication, detect unauthorized remote access

ss - Socket statistics (Linux)

• When to use: Modern replacement for netstat with better performance, identify network connections, monitor socket states

• Why important: More efficient and detailed than netstat for network connection analysis

• Key options: ss -tuln (TCP/UDP listening), ss -p (show processes)

• Security context: Faster identification of network-based threats, detailed socket analysis for forensics

4. Security-Specific Commands

Network Security Tools

nmap - Network discovery and security auditing

• When to use: Conduct network reconnaissance, verify firewall rules, identify open services, assess network security posture

• Why important: Essential tool for network security assessment and vulnerability discovery

• Key options: nmap -sS (stealth scan), nmap -sV (version detection), nmap -A (aggressive scan)

• Security context: Port scanning, service enumeration, vulnerability assessment, network mapping for penetration testing

netcat / nc - Network utility for reading/writing network connections

• When to use: Test port connectivity, create simple network listeners, transfer files, establish reverse shells for testing

• Why important: Swiss army knife of networking tools, useful for testing and exploitation

• Security context: Test firewall rules, establish communication channels, create backdoors for testing, port scanning

tcpdump - Packet capture and analysis

• When to use: Capture network traffic during active incidents, analyze malware communication, investigate network-based attacks

• Why important: Essential for deep packet inspection and network forensics

• Key options: tcpdump -i eth0 (specific interface), tcpdump host 192.168.1.1 (specific host), tcpdump -w file.pcap (save to file)

• Security context: Capture malware traffic, analyze attack patterns, collect network evidence, monitor command-and-control communication

Security Scanning & Analysis

openssl - SSL/TLS toolkit and cryptography

• When to use: Test SSL/TLS configurations, analyze certificate information, perform cryptographic operations, verify secure communications

• Why important: Essential for assessing encryption implementations and certificate security

• Key options: openssl s_client -connect host:443 (test SSL connection), openssl x509 -text (analyze certificate)

• Security context: Verify SSL implementations, check certificate validity, test for SSL vulnerabilities, analyze encryption strength

Log Analysis

journalctl - Query systemd logs (Linux)

• When to use: Analyze system logs on modern Linux systems, investigate service failures, track system events during incidents

• Why important: Central logging system for modern Linux distributions

• Key options: journalctl -u ssh.service (specific service), journalctl --since "2 hours ago" (time-based filtering)

• Security context: Investigate authentication failures, track service compromises, analyze system events during attacks

tail -f - Follow log files in real-time

• When to use: Monitor active attacks in real-time, watch for specific events during incident response, observe system behavior

• Why important: Provides live monitoring capabilities essential for active incident response

• Security context: Watch for continued malicious activity, monitor containment effectiveness, observe attacker behavior patterns

5. Windows-Specific Security Commands

PowerShell Security Commands

Get-Process - List running processes

• When to use: Identify suspicious processes on Windows systems, analyze process relationships, investigate malware execution

• Why important: Core Windows process analysis tool with rich filtering and formatting capabilities

• Key options: Get-Process | Sort-Object CPU -Descending (by CPU usage), Get-Process -IncludeUserName (show users)

• Security context: Identify malicious processes, analyze process behavior, investigate persistence mechanisms

Get-EventLog / Get-WinEvent - View Windows event logs

• When to use: Investigate Windows security events, analyze logon patterns, track system changes, investigate attacks

• Why important: Windows Event Logs contain crucial security information for incident response

• Key options: Get-EventLog -LogName Security -InstanceId 4625 (failed logons), Get-WinEvent -FilterHashtable @{LogName='System'; Level=2}

• Security context: Investigate authentication attacks, track privilege escalation, analyze system compromise indicators

Set-ExecutionPolicy - Configure script execution policy

• When to use: Secure PowerShell environments, prevent unauthorized script execution, investigate PowerShell-based attacks

• Why important: Critical security control for preventing malicious PowerShell script execution

• Security context: Harden PowerShell against malicious scripts, investigate policy bypass attempts, secure automation environments

Windows System Commands

wmic - Windows Management Instrumentation Command-line

• When to use: Gather detailed system information, investigate system configuration, analyze installed software, perform remote system queries

• Why important: Powerful tool for system investigation and remote management, commonly abused by attackers

• Key options: wmic process list full, wmic service list brief, wmic product list brief

• Security context: Investigate system compromise, gather forensic information, track software installations, analyze system configuration

net commands - Network and user management

• When to use: Investigate user accounts, check group memberships, analyze network shares, investigate lateral movement

• Why important: Core Windows networking and user management commands frequently used by attackers

• Key options: net user (list users), net localgroup administrators (admin users), net use (network connections)

• Security context: Investigate privilege escalation, track lateral movement, analyze user compromise, check unauthorized access

6. Text Processing & Analysis

Text Manipulation

awk - Pattern scanning and processing

• When to use: Extract specific fields from log files, perform calculations on log data, create custom log analysis scripts

• Why important: Powerful tool for structured text processing and log analysis

• Security context: Parse complex log formats, extract IOCs from logs, create custom security metrics from log data

• Example: awk '{print $1}' access.log | sort | uniq -c (count unique IP addresses)

sed - Stream editor

• When to use: Modify log files for analysis, clean up data formats, replace patterns in configuration files

• Why important: Essential for text manipulation and data cleanup in security workflows

• Security context: Clean sensitive data from logs, standardize log formats, modify configuration files during hardening

7. Incident Response Commands

Evidence Collection

dd - Create disk images

• When to use: Create forensic copies of hard drives, create bit-for-bit copies of storage devices, preserve evidence integrity

• Why important: Essential for digital forensics and evidence preservation

• Key options: dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M (copy entire disk), dd if=/dev/sda of=/mnt/evidence/mbr.img bs=512 count=1 (just MBR)

• Security context: Preserve evidence for legal proceedings, create analysis copies, maintain chain of custody

strings - Extract printable strings from files

• When to use: Analyze binary malware samples, extract readable text from unknown files, investigate compiled executables

• Why important: Reveals human-readable content in binary files that may contain IOCs or configuration data

• Security context: Extract malware configuration, find embedded URLs or IP addresses, analyze packed executables

Timeline Analysis

stat - File metadata and timestamps

• When to use: Investigate file modification times, verify file integrity, create timeline of file system changes

• Why important: Critical for establishing timeline of events during forensic analysis

• Security context: Determine when files were compromised, track attacker activity timeline, verify file authenticity

find with time options - Find files by modification time

• When to use: Identify files modified during specific timeframes, locate recently created files, track attacker activity

• Key options: find /var -mtime -1 (modified within 24 hours), find /home -atime +30 (not accessed in 30 days)

• Security context: Identify compromised files, track data exfiltration timing, locate persistence mechanisms by creation time

Usage Notes & Best Practices

Command Combinations and Workflows

Piping for Complex Analysis

• When to use: Chain multiple commands to create complex analysis workflows

• Examples: ps aux | grep -i suspicious | awk '{print $2}' | xargs kill (find and kill suspicious processes)

• Security context: Create automated threat hunting queries, build incident response workflows

Redirection for Evidence Preservation

• When to use: Save command output for documentation, preserve evidence, create audit trails

• Examples: netstat -antp > network_connections.txt, ps aux >> running_processes.log

• Security context: Document system state, preserve evidence, create incident reports

Security-Focused Command Usage

Log Analysis Workflows

• Combine tail -f, grep, and awk for real-time security monitoring

• Use find with time parameters to identify suspicious file activity

• Chain netstat, lsof, and ps to investigate network-based threats

Incident Response Procedures

• Document all commands used during investigation for report writing

• Use read-only operations when possible to preserve evidence integrity

• Verify system state before and after containment actions

Threat Hunting Patterns

• Regular expressions with grep for IOC searching across multiple log files

• Time-based analysis using find and grep to correlate events

• Network analysis combining netstat, ss, and packet capture tools

Critical Safety Considerations

Evidence Preservation

• Always work on copies when possible

• Document exact commands used and their output

• Maintain proper chain of custody for legal proceedings

• Use write-blockers when examining original media

System Impact Awareness

• Understand resource impact of commands (especially network scans)

• Use appropriate nice levels for resource-intensive operations

• Consider network impact of scanning operations

• Test commands in lab environments before production use