Incident Response Commands
Essential command-line commands for rapid incident response through UTMStack console across Windows, Linux, and macOS systems.
Introduction
UTMStack provides powerful incident response capabilities through its integrated console, allowing security teams to execute immediate containment and remediation actions across all managed endpoints. This guide covers the most critical commands for responding to security incidents in real-time.
⚠️ Warning: These commands can significantly impact system operations. Always verify the target system and parameters before execution. Actions may disrupt user workflows and should be executed with proper authorization.
Quick Actions Reference
1. Isolate Host (Disable Network)
Immediately disconnect a compromised system from the network to prevent lateral movement and data exfiltration.
Windows
PowerShell Command
Get-NetAdapter | Disable-NetAdapter -Confirm:$false
What it does:
Lists all network adapters on the system
Disables each adapter without confirmation prompts
Completely isolates the system from the network
Note: This command disables ALL network adapters, including the one the UTMStack agent itself uses, so no further remote command will reach the host. The system stays isolated until the adapters are re-enabled locally or through out-of-band management (Get-NetAdapter | Enable-NetAdapter -Confirm:$false).
Linux (All Distributions)
Bash Command
for iface in /sys/class/net/*; do
    iface="${iface##*/}"
    [ "$iface" = "lo" ] && continue   # keep loopback so local services keep working
    ip link set "$iface" down
done
What it does:
Lists every network interface registered with the kernel (reading /sys/class/net avoids parsing "ip link" output, which yields unusable names such as eth0.100@eth0 for VLAN interfaces)
Skips the loopback interface
Brings each remaining interface down
Note: The same command applies to RHEL/CentOS, Debian/Ubuntu and OpenSUSE. Like the Windows variant it also cuts the UTMStack agent's own connection, so the host has to be brought back with "ip link set [interface] up" from the console or out-of-band management. On NetworkManager hosts, "nmcli networking off" disables all managed interfaces in one step and keeps them down until "nmcli networking on".
macOS
Bash Command
networksetup -listallnetworkservices | tail -n +2 | grep -v '^\*' | while IFS= read -r service; do
    networksetup -setnetworkserviceenabled "$service" off
done
What it does:
Lists all network services; the first line of that output is a legend ("An asterisk (*) denotes that a network service is disabled"), which tail -n +2 drops
Skips services that are already disabled (those prefixed with *)
Disables each active service, reading one service per line so that names containing spaces (for example "Thunderbolt Bridge") are passed intact
Note: networksetup needs administrator rights. Re-enable a service with networksetup -setnetworkserviceenabled "[service]" on.
2. Disable User Account
Immediately disable a compromised or suspicious user account to prevent unauthorized access.
Windows
PowerShell Command
net user [username] /active:no
Example:
net user test_user /active:no
ℹ️ Info: Replace [username] with the actual username. UTMStack can automatically substitute variables from alert context.
Note: Without /domain, net user acts on the local account database only. For a domain account, run it on a domain controller with /domain appended, or use Disable-ADAccount -Identity [username] from the ActiveDirectory module. Disabling an account does not end sessions that are already open; see Kill Session and Logout User.
Linux (All Distributions)
Bash Command
usermod -L -s /sbin/nologin [username]
Example:
usermod -L -s /sbin/nologin test_user
What it does:
Locks the password (-L) so password authentication fails for every service, not only the login shell
Changes the login shell to nologin so no interactive session can be obtained, whatever the authentication method
Account remains in the system (files, UID and group memberships are untouched, which matters for forensics) but cannot authenticate
Note: The same command applies to RHEL/CentOS, Debian/Ubuntu and OpenSUSE; on Debian/Ubuntu the binary lives at /usr/sbin/nologin (the /sbin path also works on merged-/usr releases). Locking does not affect sessions that are already open; follow up with Kill Session and Logout User. Reverse with usermod -U -s /bin/bash [username].
macOS
Bash Command
chsh -s /usr/bin/false [username]
Example:
chsh -s /usr/bin/false test_user
Note: Changing the shell blocks terminal and SSH logins only. To also block GUI and password logins, disable the account with pwpolicy -u [username] -disableuser (re-enable with -enableuser).
3. Block Adversary IP Address
Block incoming traffic from a malicious IP address to prevent further attacks.
Windows
PowerShell Command
netsh advfirewall firewall add rule name="Block-Attack-[IP]" dir=in action=block remoteip="[IP]" enable=yes
Example:
netsh advfirewall firewall add rule name="Block-Attack-8.8.8.8" dir=in action=block remoteip="8.8.8.8" enable=yes
Note: This creates a persistent firewall rule that survives reboots. Block rules take precedence over allow rules in Windows Defender Firewall, so it applies even where an allow rule covers the same address. Remove it later with netsh advfirewall firewall delete rule name="Block-Attack-[IP]". The PowerShell equivalent is New-NetFirewallRule -DisplayName "Block-Attack-[IP]" -Direction Inbound -Action Block -RemoteAddress [IP].
Linux (RHEL/CentOS)
Bash Command
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="[IP]" drop' --permanent
firewall-cmd --reload
Example:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop' --permanent
firewall-cmd --reload
Note: The rule only covers interfaces bound to the public zone; check with firewall-cmd --get-active-zones and adjust --zone if the interface is elsewhere. A quicker alternative is firewall-cmd --zone=drop --add-source=[IP], run once without --permanent (takes effect immediately) and once with it (survives reboot).
Linux (Debian/Ubuntu)
Bash Command
iptables -I INPUT 1 -s [IP] -j DROP
Example:
iptables -I INPUT 1 -s "10.34.22.55" -j DROP
⚠️ Warning: This rule is not persistent by default. Use iptables-save (or the iptables-persistent package) to make it permanent.
Note: -I INPUT 1 inserts the rule at the top of the chain. Appending it with -A instead would place it after any earlier ACCEPT rule, typically "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", so an attacker's already-open connection would stay alive. On hosts managed by ufw, "ufw insert 1 deny from [IP]" does the same and persists automatically.
Linux (OpenSUSE)
Bash Command
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="[IP]" drop' --permanent
firewall-cmd --reload
Note: Same as RHEL/CentOS; check the active zone with firewall-cmd --get-active-zones.
macOS
Bash Command
echo "block drop in from [IP] to any" | pfctl -f - && pfctl -e
Example:
echo "block drop in from 192.168.1.100 to any" | pfctl -f - && pfctl -e
⚠️ Warning: pfctl -f replaces the whole active ruleset with what it reads, so this leaves pf with only this single rule and discards everything loaded from /etc/pf.conf, including Apple's own anchors. To add a rule rather than replace the ruleset, load it into an anchor that the main ruleset already references (the default /etc/pf.conf references anchor "com.apple/*"), for example echo "block drop in from [IP] to any" | pfctl -a "com.apple/ir-block" -f -, or append it to /etc/pf.conf and run pfctl -f /etc/pf.conf. pfctl -e exits non-zero when pf is already enabled; that is harmless.
4. Kill Malicious Process
Terminate a suspicious or malicious process immediately.
Windows
PowerShell Command
taskkill /F /IM [process-name.exe]
Example:
taskkill /F /IM notepad.exe
Options:
/F = Force termination
/IM = Identifies the process by image name; every process with that image name is terminated (use /PID [pid] to target a single process)
Note: The PowerShell equivalent is Stop-Process -Name [process-name] -Force (or -Id [pid]). Record the image path and hash before killing (Get-Process [process-name] | Select-Object Id, Path; Get-FileHash [path]) so the binary can still be identified once it is gone.
Linux (All Distributions)
Bash Command
pkill -9 [process-name]
Examples:
pkill -9 malware_process
pkill -9 suspicious_script
Note: Signal 9 (SIGKILL) force kills the process without allowing cleanup. Use with caution.
⚠️ Warning: pkill treats its argument as a regular expression matched anywhere in the process name, so pkill -9 sh would also kill bash, ssh and zsh; add -x for an exact match. It also compares only against the first 15 characters of the name (the kernel's comm field), so a pattern longer than that, such as suspicious_script, never matches unless -f is used to match the full command line. When the PID is known, prefer kill -9 [pid] after confirming it with ps -p [pid] -o pid,user,comm,args.
macOS
Bash Command
pkill -9 [process-name]
Note: The same matching caveats as on Linux apply; macOS pkill also supports -x (exact name) and -f (full command line).
5. Stop Malicious Service
Stop a compromised or suspicious system service.
Windows
PowerShell Command
Stop-Service -Name "[service-name]" -Force
Example:
Stop-Service -Name "Spooler" -Force
ℹ️ Info: The -Force parameter stops the service even if it has dependent services (they are stopped as well). Stopping does not prevent a restart at the next boot or through the service's recovery actions; add Set-Service -Name "[service-name]" -StartupType Disabled. Once evidence is collected, a service whose binary is malicious can be removed outright with sc.exe delete "[service-name]".
Linux (All Distributions)
Bash Command
systemctl stop [service-name]
Example:
systemctl stop suspicious_service
To prevent restart on reboot:
systemctl stop [service-name]
systemctl disable [service-name]
Note: systemctl disable --now [service-name] does both in one step. A unit's Restart= setting does not fire after an explicit stop, but a timer, socket or path unit can still start it; list them with systemctl list-dependencies --reverse [service-name] and mask the unit (systemctl mask [service-name]) when nothing may start it. Capture systemctl cat [service-name] and systemctl status [service-name] before stopping, as evidence.
macOS
Bash Command
launchctl stop [service-name]
Example:
launchctl stop com.example.service
Note: launchctl stop only ends the current instance; if the job's plist sets KeepAlive, launchd starts it again immediately. To stop it and keep it stopped, unload the job: launchctl bootout system/[service-name] for a LaunchDaemon, or launchctl unload -w /Library/LaunchDaemons/[service-name].plist on older releases (-w also marks it disabled across reboots).
6. Delete Malicious File
Permanently remove a malicious file from the system.
Windows
PowerShell Command
Remove-Item -LiteralPath "[file-path]" -Force
Example:
Remove-Item -LiteralPath "C:\Users\john\Documents\malware.exe" -Force
Alternative (CMD):
del /f "[file-path]"
Note: -LiteralPath stops wildcard characters in the path from being expanded. Add -Recurse only when the target is a directory. Preserve evidence first (Get-FileHash -LiteralPath "[file-path]", then Copy-Item to a quarantine location). Deletion fails with "being used by another process" while the file is executing; kill the process first (Quick Action 4).
Linux (All Distributions)
Bash Command
sudo rm -f [file-path]
Example:
sudo rm -f /tmp/malware-file.txt
⚠️ Warning: The -f flag forces deletion without confirmation. Verify the path before execution.
Note: Hash and copy the file first (sha256sum [file-path]; cp -p [file-path] /var/quarantine/). If rm reports "Operation not permitted" even as root, the file may carry the immutable attribute: inspect with lsattr [file-path] and clear it with chattr -i [file-path] (worth recording, since malware sets it to resist removal). Linux allows deleting a running binary; the process keeps running from its open copy, so kill it too (Quick Action 4).
macOS
Bash Command
sudo rm -f [file-path]
Example:
sudo rm -f /tmp/suspicious-file.sh
Note: On macOS a file can be protected by the uchg or schg flags (visible with ls -lO, cleared with chflags nouchg [file-path]), and files under SIP-protected paths cannot be removed even as root.
7. Block Server Outbound Network Access
Prevent a compromised server from communicating with external malicious infrastructure.
Windows
PowerShell Command
netsh advfirewall firewall add rule name="Block-Outbound-[IP]" dir=out action=block remoteip="[IP]"
Example:
netsh advfirewall firewall add rule name="Block-Outbound-203.0.113.45" dir=out action=block remoteip="203.0.113.45"
Note: Windows Defender Firewall allows outbound traffic by default, so an explicit block rule is needed per destination. remoteip also accepts a CIDR range (for example 203.0.113.0/24) when the command-and-control infrastructure spans a network.
Linux (All Distributions)
Bash Command
iptables -I OUTPUT 1 -d [IP] -j DROP
Example:
iptables -I OUTPUT 1 -d "10.23.33.44" -j DROP
Note: Insert at position 1 rather than append, so the rule precedes any earlier ACCEPT; it is not persistent until saved with iptables-save. On firewalld hosts use a rich rule with destination address="[IP]" drop in the active zone instead.
macOS
Bash Command
echo "block drop out from any to [IP]" | pfctl -f - && pfctl -e
⚠️ Warning: As described under Quick Action 3, pfctl -f - replaces the whole active ruleset with this single rule; load it into an anchor (pfctl -a "com.apple/ir-block" -f -) to add it instead. pf must be enabled (pfctl -e) for the rule to take effect.
8. Block Server Inbound Network Access
Block incoming connections from a specific malicious IP address.
Windows
PowerShell Command
netsh advfirewall firewall add rule name="Block-Inbound-[IP]" dir=in action=block remoteip="[IP]"
Note: Functionally the same rule as Quick Action 3; keep rule names distinct so each can be deleted individually later.
Linux (RHEL/CentOS)
Bash Command
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="[IP]" drop' --permanent
firewall-cmd --reload
Example:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="8.8.8.8" drop' --permanent
firewall-cmd --reload
Linux (Debian/Ubuntu)
Bash Command
iptables -I INPUT 1 -s [IP] -j DROP
Example:
iptables -I INPUT 1 -s "10.33.44.55" -j DROP
Note: Inserted at the top of the chain for the reason given under Quick Action 3; save with iptables-save to persist.
macOS
Bash Command
echo "block drop in from [IP] to any" | pfctl -f - && pfctl -e
⚠️ Warning: See Quick Action 3: pfctl -f - replaces the active ruleset; use an anchor to add the rule instead.
9. Uninstall Malicious Application
Remove a malicious or compromised application from the system.
Windows
PowerShell Command (searches the 64-bit and 32-bit uninstall keys and uninstalls silently)
$AppName = "[app-name]"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*$AppName*" -and $_.UninstallString } |
  ForEach-Object {
    if ($_.UninstallString -match '^"?MsiExec\.exe"?\s+/[IX]\s*(\{[0-9A-Fa-f-]+\})') {
      Start-Process msiexec.exe -ArgumentList "/x $($Matches[1]) /qn /norestart" -Wait   # MSI package: uninstall by product code
    } else {
      Start-Process cmd.exe -ArgumentList "/c `"$($_.UninstallString) /S`"" -Wait          # other installers: /S is the NSIS silent switch, Inno Setup uses /VERYSILENT
    }
  }
Example:
$AppName = "VLC"
Note: The registry UninstallString is a complete command line (often MsiExec.exe /X{product-code}), so passing it straight to Start-Process -FilePath fails whenever it carries arguments; the version above hands it to cmd.exe instead. A wildcard can match more than one entry, so list the candidates first with the same Get-ItemProperty pipeline piped to Select-Object DisplayName, UninstallString. Uninstalling runs the application's own uninstaller with the agent's privileges; if the application itself is the malware, prefer killing its processes and deleting its files over trusting that uninstaller.
Linux (RHEL/CentOS)
Bash Command
yum remove -y [package-name]
Example:
yum remove -y nano
Note: On RHEL/CentOS 8 and later, dnf remove -y [package-name] is the native command (yum remains as a compatibility alias). Removing a package does not kill its running processes; stop the service or process first.
Linux (Debian/Ubuntu)
Bash Command
apt-get remove -y [package-name]
Example:
apt-get remove -y wget
For complete removal including config files:
apt-get purge -y [package-name]
Note: Package managers only remove what they installed. Check with dpkg -S [file-path] (Debian/Ubuntu) or rpm -qf [file-path] (RHEL/CentOS/OpenSUSE) whether a suspicious file belongs to a package at all; loose files need Quick Action 6. Set DEBIAN_FRONTEND=noninteractive to avoid prompts during automated runs.
Linux (OpenSUSE)
Bash Command
zypper remove -y [package-name]
macOS
Bash Command
brew uninstall --force [app-name] 2>/dev/null || find /Applications -maxdepth 2 -type d -iname "[app-name].app" -exec rm -rf {} + 2>/dev/null
Note: Attempts Homebrew uninstall first, then falls back to direct removal from the Applications folder. -maxdepth must precede the other find tests, otherwise find warns and the depth limit is not guaranteed. brew acts on the invoking user's installation, so run it as the user who installed the cask. A malicious app's launch items (~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons) survive this step and need Quick Action 5.
10. Remove All User Permissions
Strip all elevated permissions from a compromised user account.
Windows
PowerShell Command
Get-LocalGroup | Where-Object { $_.Name -ne "Users" } | ForEach-Object { Remove-LocalGroupMember -Group $_.Name -Member "[username]" -ErrorAction SilentlyContinue }
Example:
Get-LocalGroup | Where-Object { $_.Name -ne "Users" } | ForEach-Object { Remove-LocalGroupMember -Group $_.Name -Member "TestUser" -ErrorAction SilentlyContinue }
Note: Removes the user from all local groups except the base Users group. Record the memberships first, both as evidence and for rollback: Get-LocalGroup | ForEach-Object { if (Get-LocalGroupMember -Group $_.Name -Member "[username]" -ErrorAction SilentlyContinue) { $_.Name } }. Domain group memberships are untouched; use Remove-ADGroupMember for those. A logon token that is already issued keeps its old groups, so the change only affects new logons; combine with Kill Session and Logout User.
Linux (All Distributions)
Bash Command
for grp in $(id -nG [username] | tr ' ' '\n' | grep -v "^[username]$"); do
    gpasswd -d [username] "$grp"
done
Example:
for grp in $(id -nG testuser | tr ' ' '\n' | grep -v "^testuser$"); do
    gpasswd -d testuser "$grp"
done
Note: Save the output of id [username] first for evidence and rollback. The grep keeps the user's own primary group, which gpasswd cannot remove anyway; if the primary group is something else, such as wheel, change it with usermod -g [username] [username] before the loop. Group membership is fixed at login, so processes already running keep their old groups, sudo or wheel included; also revoke per-user sudoers entries (grep -r [username] /etc/sudoers /etc/sudoers.d) and kill active sessions.
macOS
Bash Command
for grp in $(id -nG [username] | tr ' ' '\n' | grep -v -E "^([username]|staff|everyone)$"); do
    dseditgroup -o edit -d [username] -t user "$grp" 2>/dev/null
done
Note: Excludes standard system groups (staff, everyone) to prevent system instability. The group that matters most is admin, which grants sudo; confirm its removal with dseditgroup -o checkmember -m [username] admin, and review /etc/sudoers as on Linux.
11. Kill Session and Logout User
Forcefully terminate all active sessions of a compromised user account.
Windows
Command
logoff [session-id]
Example:
quser
logoff 2
ℹ️ Info: logoff takes a session ID or session name, not a username; list sessions with quser (or query user) and pass the value from the ID column. In PowerShell the lookup can be automated:
$User = "[username]"
quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '^\s*>?(?<user>\S+)\s+(?:\S+\s+)?(?<id>\d+)\s+\S+' -and $Matches.user -eq $User) { logoff $Matches.id }
}
This terminates interactive (console and RDP) sessions but does not prevent re-login and does not touch network logons such as SMB or WinRM. Combine with Disable User Account, and end the user's remaining processes with Get-Process -IncludeUserName | Where-Object { $_.UserName -like "*\$User" } | Stop-Process -Force.
Linux (All Distributions)
Bash Command
pkill -KILL -u [username]
Example:
pkill -KILL -u test_user
⚠️ Warning: SIGKILL immediately terminates all of the user's processes without allowing graceful shutdown. May cause data loss. Capture the session list first (who; ps -u [username] -o pid,ppid,tty,lstart,args) for the investigation. The user's cron jobs and new logins still work unless the account is also disabled (Quick Action 2).
macOS
Bash Command
pkill -KILL -u [username]
Note: Also ends the user's GUI session; the login window returns and the user can log back in until the account is disabled.
Variable Substitution in UTMStack
UTMStack automatically substitutes context variables from alerts and incidents when executing commands.
Common Variables
Target Variables (affected system/resource):
$(target.user) - Username of affected account
$(target.applicationname) - Name of target application
$(target.hostname) - Hostname of affected system
$(target.ip) - IP address of target system
Adversary Variables (threat actor):
$(adversary.ip) - Attacker IP address
$(adversary.user) - Compromised username
$(adversary.process) - Malicious process name/path
$(adversary.service) - Suspicious service name
$(adversary.windowsServiceDisplayName) - Windows service display name
Log Variables (from log data):
$(log.winlogEventDataProcessName) - Windows process path from event log
$(log.sourceIp) - Source IP from log entry
$(log.username) - Username from log entry
⚠️ Warning: Substituted values are copied from alert and log fields, and some of those originate in attacker-controlled input (a spoofed username or source address inside a log line). A command that interpolates them into a shell should only accept the shape it expects (a plain IP address, a plain account name) and refuse anything else, so that a crafted field cannot turn a containment action into command injection.
Best Practices
Command Impact Reference
| Action | Severity | User Impact | Reversibility | Requires Admin |
|---|---|---|---|---|
| Isolate Host | Critical | All users | Manual | Yes |
| Disable User | High | Target user | Easy | Yes |
| Block IP | High | Specific connections | Easy | Yes |
| Kill Process | Medium | App users | N/A | Sometimes |
| Stop Service | Medium | Service users | Easy | Yes |
| Uninstall App | High | App users | Difficult | Yes |
| Delete File | Critical | N/A | Impossible | Sometimes |
| Block Outbound | High | Specific connections | Easy | Yes |
| Block Inbound | Medium | External only | Easy | Yes |
| Remove Permissions | High | Target user | Manual | Yes |
| Kill Session | Medium | Target user | User can re-login | Yes |
Troubleshooting Common Issues
💡 Tip: Permission Denied Errors
Ensure the UTMStack agent is running with appropriate privileges:
Linux/macOS: Verify sudo permissions
Windows: Ensure administrative rights
Check if remote execution is enabled on target system
💡 Tip: Variable Substitution Not Working
Verify the alert context contains required fields
Check variable name spelling and case sensitivity
Ensure execution is from UTMStack console, not manual
Review alert data source configuration
💡 Tip: Firewall Rules Not Persisting
iptables: Save with iptables-save > /etc/iptables/rules.v4 (restored at boot by the iptables-persistent package)
firewall-cmd: Always use the --permanent flag followed by --reload
Windows: Rules created with netsh advfirewall persist automatically
macOS: Add rules to /etc/pf.conf for persistence and verify after a reboot that pf is enabled (pfctl -s info)
💡 Tip: Service Won't Stop
Check for service dependencies
Use force flags when available
Kill the process directly if service does not respond
Check service logs for errors
Consider disabling:
systemctl disable [service-name]
Security Considerations
⚠️ Warning: Critical Security Reminders
Authorization Required - All actions must be authorized by appropriate security personnel
Audit Trail - Every command execution is logged in UTMStack
Change Management - Follow organization procedures, even during incidents
Business Impact - Consider operations before isolating critical systems
Evidence Preservation - Ensure evidence preservation before destructive actions
Legal Compliance - Adhere to legal and regulatory requirements
ℹ️ Info: UTMStack Integration Benefits
All commands executed through UTMStack console are automatically logged
Execution results are recorded in the incident timeline
Failed commands trigger alerts for security team review
Commands can be integrated into automated response playbooks
Historical execution data available for compliance reporting