Incident Response Cheat Sheet

IR Lifecycle (NIST SP 800-61)

1. Preparation      → Policies, tools, training
2. Detection        → Identify potential incident
3. Analysis         → Confirm, scope, triage
4. Containment      → Stop the spread
5. Eradication      → Remove the threat
6. Recovery         → Restore normal operations
7. Post-Incident    → Lessons learned, reporting

Triage: First 15 Minutes

# Who is logged in?
who / w / last

# What processes are running?
ps aux --sort=-%cpu | head -20

# Active network connections
netstat -antp
ss -antp

# Recent file modifications
find / -mtime -1 -type f 2>/dev/null | head -50
find /tmp /var/tmp /dev/shm -type f 2>/dev/null

# Scheduled jobs
crontab -l
ls -la /etc/cron*
cat /etc/crontab

# SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Check bash history
cat ~/.bash_history
cat /home/*/.bash_history

Windows Triage

# Running processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20

# Network connections
Get-NetTCPConnection | Where-Object State -eq 'Established'

# Recent event logs (login failures)
Get-WinEvent -LogName Security -MaxEvents 50 | Where-Object {$_.Id -eq 4625}

# Recently modified files
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
  Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}

# Startup items
Get-CimInstance Win32_StartupCommand
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

# Scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'}

Log Locations

Linux

/var/log/auth.log          # Authentication (Debian/Ubuntu)
/var/log/secure            # Authentication (RHEL/CentOS)
/var/log/syslog            # General system
/var/log/messages          # General (RHEL)
/var/log/apache2/          # Apache web server
/var/log/nginx/            # Nginx web server
/var/log/cron              # Cron jobs
/var/log/lastlog           # Last logins
/home/*/.bash_history      # User history

Windows

Security    → 4624/4625 (logon), 4720 (user created)
System      → 7045 (new service), 7040 (service changed)
Application → Application errors
PowerShell  → Microsoft-Windows-PowerShell/Operational
Sysmon      → Detailed process, network, file events

Memory Forensics (Volatility)

# Identify profile
volatility -f memory.dmp imageinfo

# Running processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
volatility -f memory.dmp --profile=Win7SP1x64 pstree

# Network connections
volatility -f memory.dmp --profile=Win7SP1x64 netscan

# Command history
volatility -f memory.dmp --profile=Win7SP1x64 cmdscan
volatility -f memory.dmp --profile=Win7SP1x64 consoles

# Dump process
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p PID -D /output/

# Find injected code
volatility -f memory.dmp --profile=Win7SP1x64 malfind

Disk Forensics

# Create forensic image (Linux)
dd if=/dev/sda of=image.dd bs=4M status=progress
dcfldd if=/dev/sda of=image.dd hash=sha256 hashlog=hash.txt

# Mount read-only
mount -o ro,loop image.dd /mnt/evidence

# File carving
foremost -i image.dd -o /output/
photorec image.dd

# Hash verification
md5sum image.dd
sha256sum image.dd

Containment Actions

# Isolate Linux host
iptables -I INPUT -j DROP
iptables -I OUTPUT -j DROP
iptables -I INPUT -s SIEM_IP -j ACCEPT   # Keep SIEM connected

# Block malicious IP
iptables -A INPUT -s 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.4 -j DROP

# Kill malicious process
kill -9 PID

# Disable compromised user
passwd -l username
usermod -L username

IOC Types

Severity Classification