Introduction
UTMStack provides powerful incident response capabilities through its integrated console, allowing security teams to execute immediate containment and remediation actions across all managed endpoints. This guide covers the most critical commands for responding to security incidents in real-time.
These commands can significantly impact system operations. Always verify the target system and parameters before execution. Actions may disrupt user workflows and should be executed with proper authorization.
Quick Actions Reference
Network Isolation - Immediately isolate compromised hosts from the network
User Management - Disable compromised accounts and sessions
Threat Blocking - Block malicious IPs and prevent further attacks
Process Control - Terminate malicious processes and services
1. Isolate Host (Disable Network)
Immediately disconnect a compromised system from the network to prevent lateral movement and data exfiltration.
Windows
PowerShell Command: Get-NetAdapter | Disable-NetAdapter -Confirm:$false
What it does:
Lists all network adapters on the system
Disables each adapter without confirmation prompts
Completely isolates the system from the network
This command disables ALL network adapters. The system will be completely isolated until adapters are manually re-enabled.
Linux (RHEL/CentOS, Debian/Ubuntu, OpenSUSE)
Bash Command:
for interface in $(ip link show | grep -E '^[0-9]+:' | grep -v 'lo:' | awk -F: '{print $2}' | tr -d ' ' | cut -d@ -f1); do
    ip link set "$interface" down
done
What it does:
Lists all network interfaces
Filters out the loopback interface
Strips the "@peer" suffix that veth and VLAN interfaces carry in the listing, so that ip link receives a plain device name
Disables each remaining network interface
macOS
Bash Command:
networksetup -listallnetworkservices | grep -v "asterisk" | while IFS= read -r service; do
    networksetup -setnetworkserviceenabled "$service" off
done
What it does:
Lists all network services
Drops the legend line ("An asterisk (*) denotes that a network service is disabled.") from the list
Disables each listed network service, reading one name per line so that names containing spaces are passed intact
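As an added example (this is not UTMStack's own code), the script below performs the isolate-host step for Linux in a way that first records which interfaces it takes down, so the action can be rolled back, and keeps the interface-name parsing in functions that are exercised on constructed ip link show and networksetup -listallnetworkservices output. Taking every interface down also severs the UTMStack agent's own connection, so the recorded list (written to /var/tmp/utmstack-isolation.state, a path this example assumes) is what a responder at the console would use to restore connectivity afterwards.

```shell
#!/bin/sh
# Added example, not UTMStack code. Isolate a Linux host with a rollback record,
# plus testable parsers for the interface/service listings the page's loops use.
# Assumed: iproute2-style `ip link show` output, macOS `networksetup` output,
# and the state file path below.

STATE_FILE="${STATE_FILE:-/var/tmp/utmstack-isolation.state}"

# Interface names from `ip link show` text. Header lines look like
# "2: eth0: <BROADCAST,...>". Loopback is skipped, and the "@peer" suffix that
# veth and VLAN interfaces carry ("veth1@if5") is removed so that
# `ip link set` receives a real device name.
linux_interfaces() {
    printf '%s\n' "$1" | awk -F': ' '/^[0-9]+: / { sub(/@.*/, "", $2); if ($2 != "lo") print $2 }'
}

# Enabled service names from `networksetup -listallnetworkservices`. Line 1 is
# the legend ("An asterisk (*) denotes that a network service is disabled.")
# and a leading "*" marks a service that is already disabled.
macos_active_services() {
    printf '%s\n' "$1" | awk 'NR > 1 && substr($0, 1, 1) != "*"'
}

# Take every non-loopback interface down, writing the list to STATE_FILE first
# so restore_linux_host can bring exactly those interfaces back up.
isolate_linux_host() {
    ifaces=$(linux_interfaces "$(ip link show)")
    [ -n "$ifaces" ] || { echo "isolate: no interfaces found" >&2; return 1; }
    printf '%s\n' "$ifaces" > "$STATE_FILE" || return 1
    for i in $ifaces; do
        ip link set "$i" down || echo "isolate: failed on $i" >&2
    done
}

# Rollback: re-enable the interfaces recorded by isolate_linux_host.
restore_linux_host() {
    [ -r "$STATE_FILE" ] || { echo "restore: no state file at $STATE_FILE" >&2; return 1; }
    while IFS= read -r i; do
        ip link set "$i" up || echo "restore: failed on $i" >&2
    done < "$STATE_FILE"
}

# Disable each enabled macOS service, reading line by line so that names with
# spaces ("Thunderbolt Bridge") are passed as a single argument.
isolate_macos_host() {
    macos_active_services "$(networksetup -listallnetworkservices)" |
    while IFS= read -r svc; do
        networksetup -setnetworkserviceenabled "$svc" off
    done
}

# Constructed sample output used to exercise the parsers without touching the
# network (these strings were written for this example, not captured from a host).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: veth1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 0a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff link-netnsid 0'

SAMPLE_NETWORKSETUP='An asterisk (*) denotes that a network service is disabled.
Wi-Fi
*Bluetooth PAN
Thunderbolt Bridge'

echo "Linux interfaces that would be taken down:"
linux_interfaces "$SAMPLE_IP_LINK"
echo "macOS services that would be disabled:"
macos_active_services "$SAMPLE_NETWORKSETUP"
```

Run as root to isolate a live host with isolate_linux_host; the same shell later restores it with restore_linux_host, which only touches the interfaces named in the state file rather than every interface on the box.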
2. Disable User Account
Immediately disable a compromised or suspicious user account to prevent unauthorized access.
Windows
PowerShell Command: net user [username] /active:no
Example: net user test_user /active:no
Replace [username] with the actual username. UTMStack can automatically substitute variables from alert context.
Linux (RHEL/CentOS, Debian/Ubuntu, OpenSUSE)
Bash Command: usermod -s /sbin/nologin [username]
Example: usermod -s /sbin/nologin test_user
What it does:
Changes the user shell to nologin
Prevents interactive login
Account remains on the system but cannot start an interactive login session
macOS
Bash Command: chsh -s /usr/bin/false [username]
Example: chsh -s /usr/bin/false test_user
3. Block Adversary IP Address
Block incoming traffic from a malicious IP address to prevent further attacks.
Windows
PowerShell Command: netsh advfirewall firewall add rule name="Block-Attack-[IP]" dir=in action=block remoteip="[IP]" enable=yes
Example: netsh advfirewall firewall add rule name="Block-Attack-8.8.8.8" dir=in action=block remoteip="8.8.8.8" enable=yes
This creates a permanent firewall rule that persists across reboots.
Linux (RHEL/CentOS, OpenSUSE)
Bash Command:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="[IP]" drop' --permanent
firewall-cmd --reload
Example:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" drop' --permanent
firewall-cmd --reload
Linux (Debian/Ubuntu)
Bash Command: iptables -A INPUT -s [IP] -j DROP
Example: iptables -A INPUT -s "10.34.22.55" -j DROP
This rule is not persistent by default. Use iptables-save to make it permanent.
macOS
Bash Command: echo "block drop in from [IP] to any" | pfctl -f - && pfctl -e
Example: echo "block drop in from 192.168.1.100 to any" | pfctl -f - && pfctl -e
4. Kill Malicious Process
Terminate a suspicious or malicious process immediately.
PowerShell Command: taskkill /F /IM [process-name.exe]
Example: taskkill /F /IM notepad.exe
Options:
/F = Force termination
/IM = Identifies the process by image name
Bash Command Examples:
pkill -9 malware_process
pkill -9 suspicious_script
Signal 9 (SIGKILL) force kills the process without allowing cleanup. Use with caution.
5. Stop Malicious Service
Stop a compromised or suspicious system service.
PowerShell Command: Stop-Service -Name "[service-name]" -Force
Example: Stop-Service -Name "Spooler" -Force
The -Force parameter stops the service even if it has dependent services.
Bash Command: systemctl stop [service-name]
Example: systemctl stop suspicious_service
To prevent restart on reboot:
systemctl stop [service-name]
systemctl disable [service-name]
Bash Command: launchctl stop [service-name]
Example: launchctl stop com.example.service
6. Delete Malicious File
Permanently remove a malicious file from the system.
PowerShell Command: Remove-Item -LiteralPath "[file-path]" -Force -Recurse
Example: Remove-Item -LiteralPath "C:\Users\john\Documents\malware.exe" -Force
Alternative (CMD):
Bash Command Example: rm -f /tmp/malware-file.txt
The -f flag forces deletion without confirmation. Verify the path before execution.
Bash Command Example: sudo rm -f /tmp/suspicious-file.sh
7. Block Server Outbound Network Access
Prevent a compromised server from communicating with external malicious infrastructure.
PowerShell Command: netsh advfirewall firewall add rule name="Block-Outbound-[IP]" dir=out action=block remoteip="[IP]"
Example: netsh advfirewall firewall add rule name="Block-Outbound-203.0.113.45" dir=out action=block remoteip="203.0.113.45"
Bash Command: iptables -A OUTPUT -d [IP] -j DROP
Example: iptables -A OUTPUT -d "10.23.33.44" -j DROP
Bash Command: echo "block out from any to [IP]" | pfctl -f -
8. Block Server Inbound Network Access
Block incoming connections from a specific malicious IP address.
Windows
PowerShell Command: netsh advfirewall firewall add rule name="Block-Inbound-[IP]" dir=in action=block remoteip="[IP]"
Linux (RHEL/CentOS)
Bash Command:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="[IP]" drop' --permanent
firewall-cmd --reload
Example:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="8.8.8.8" drop' --permanent
firewall-cmd --reload
Linux (Debian/Ubuntu)
Bash Command: iptables -A INPUT -s [IP] -j DROP
Example: iptables -A INPUT -s "10.33.44.55" -j DROP
macOS
Bash Command: echo "block in from [IP] to any" | pfctl -f -
9. Uninstall Malicious Application
Remove a malicious or compromised application from the system.
Windows
PowerShell Command (searches and uninstalls silently):
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*[app-name]*" } | ForEach-Object { Start-Process -FilePath $_.UninstallString -ArgumentList "/S" -Wait }
Example:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*VLC*" } | ForEach-Object { Start-Process -FilePath $_.UninstallString -ArgumentList "/S" -Wait }
Linux (RHEL/CentOS)
Bash Command: yum remove -y [package-name]
Example:
Linux (Debian/Ubuntu)
Bash Command: apt-get remove -y [package-name]
Example:
For complete removal including config files: apt-get purge -y [package-name]
Linux (OpenSUSE)
Bash Command: zypper remove -y [package-name]
macOS
Bash Command: brew uninstall --force [app-name] 2>/dev/null || find /Applications -iname "[app-name].app" -maxdepth 2 -type d -exec rm -rf {} + 2>/dev/null
Attempts a Homebrew uninstall first, then falls back to direct removal from the Applications folder.
10. Remove All User Permissions
Strip all elevated permissions from a compromised user account.
PowerShell Command: Get-LocalGroup | Where-Object { $_.Name -ne "Users" } | ForEach-Object { Remove-LocalGroupMember -Group $_.Name -Member "[username]" -ErrorAction SilentlyContinue }
Example: Get-LocalGroup | Where-Object { $_.Name -ne "Users" } | ForEach-Object { Remove-LocalGroupMember -Group $_.Name -Member "TestUser" -ErrorAction SilentlyContinue }
Removes the user from all groups except the base Users group.
Bash Command:
for grp in $(id -nG [username] | tr ' ' '\n' | grep -v "^[username]$"); do
    gpasswd -d [username] "$grp"
done
Example:
for grp in $(id -nG testuser | tr ' ' '\n' | grep -v "^testuser$"); do
    gpasswd -d testuser "$grp"
done
Bash Command (macOS):
for grp in $(id -nG [username] | tr ' ' '\n' | grep -v -E "^([username]|staff|everyone)$"); do
    dseditgroup -o edit -d [username] -t user "$grp" 2>/dev/null
done
Excludes the standard system groups (staff, everyone) to prevent system instability.
11. Kill Session and Logout User
Forcefully terminate all active sessions of a compromised user account.
Command Example:
Terminates active sessions but does not prevent re-login. Combine with Disable User Account for complete containment.
Bash Command (Linux and macOS): pkill -KILL -u [username]
Example:
The SIGKILL signal immediately terminates all of the user's processes without allowing a graceful shutdown. May cause data loss.
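As an added example (not UTMStack's own code), the script below combines the Disable User Account, Remove All User Permissions and Kill Session steps into one containment routine in the order the page recommends: block new logins first, then end the running sessions, then strip group memberships. The membership filtering is kept in its own function fed with id -nG style text, so it can be checked on constructed input; the protected-group list and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not UTMStack code. Contain a compromised local account:
#   1. usermod -s /sbin/nologin   (no new interactive logins)
#   2. pkill -KILL -u             (end every running session)
#   3. gpasswd -d                 (drop each remaining privilege group)
# With DRY_RUN=1 (the default here) the commands are printed, not executed.
# PROTECTED_GROUPS and DRY_RUN are assumptions of this example.

PROTECTED_GROUPS="${PROTECTED_GROUPS:-staff everyone}"

# groups_to_remove USER "ID_NG_OUTPUT": `id -nG` prints the primary group
# first, and gpasswd -d cannot remove a user from its primary group, so that
# one is skipped, as are the user's private group and the protected groups.
groups_to_remove() {
    user=$1
    set -- $2                  # word-split the group list
    [ $# -gt 0 ] || return 0
    primary=$1
    shift
    for g in "$@"; do
        [ "$g" = "$primary" ] && continue
        [ "$g" = "$user" ] && continue
        skip=0
        for p in $PROTECTED_GROUPS; do
            [ "$g" = "$p" ] && skip=1
        done
        [ "$skip" = 1 ] || printf '%s\n' "$g"
    done
    return 0
}

# Print the command in dry-run mode, execute it otherwise.
run_or_print() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# contain_user USER [ID_NG_OUTPUT]: the second argument is used only in dry
# runs; on a live host the membership list comes from `id -nG`.
contain_user() {
    user=$1
    run_or_print usermod -s /sbin/nologin "$user"   # 1. no new interactive logins
    run_or_print pkill -KILL -u "$user"             # 2. end every running session
    if [ "${DRY_RUN:-1}" = 1 ]; then
        memberships=${2:-"$user"}
    else
        memberships=$(id -nG "$user") || return 1
    fi
    for g in $(groups_to_remove "$user" "$memberships"); do
        run_or_print gpasswd -d "$user" "$g"        # 3. drop the privilege group
    done
}

# Constructed `id -nG testuser` output for the dry run (not from a real host).
SAMPLE_GROUPS="testuser wheel docker staff sudo"
contain_user testuser "$SAMPLE_GROUPS"
```

Disabling the shell before sending SIGKILL matters because the kill alone leaves the account able to log straight back in, which is the gap the page's note about combining the two actions refers to.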
Variable Substitution in UTMStack
UTMStack automatically substitutes context variables from alerts and incidents when executing commands.
Common Variables
Target Variables (affected system/resource):
$(target.user) - Username of affected account
$(target.applicationname) - Name of target application
$(target.hostname) - Hostname of affected system
$(target.ip) - IP address of target system
Adversary Variables (threat actor):
$(adversary.ip) - Attacker IP address
$(adversary.user) - Compromised username
$(adversary.process) - Malicious process name/path
$(adversary.service) - Suspicious service name
$(adversary.windowsServiceDisplayName) - Windows service display name
Log Variables (from log data):
$(log.winlogEventDataProcessName) - Windows process path from event log
$(log.sourceIp) - Source IP from log entry
$(log.username) - Username from log entry
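Because these variables are filled from alert and log data, a value such as $(adversary.ip) or $(target.user) should be checked for the expected shape before it reaches a shell command. The script below is an added example (not UTMStack's own code) of wrappers that validate an IPv4 address or an account name and only then build the Block IP and Disable User commands from the sections above; the wrapper names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not UTMStack code. Validate substituted alert values before
# they are used in containment commands. With DRY_RUN=1 (the default here) the
# wrappers print the command instead of running it. Function names and
# DRY_RUN are assumptions of this example.

# A value containing a newline would let grep match only its first line, so
# multi-line input is rejected before any pattern check.
single_line() {
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ]
}

# Dotted-quad IPv4 with every octet in 0..255 (the page's [IP] values).
is_ipv4() {
    single_line "$1" || return 1
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. read -r a b c d <<EOF
$1
EOF
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Local account name: a letter or underscore, then letters, digits, '.', '_'
# or '-', at most 32 characters. Spaces, quotes and shell metacharacters fail.
is_username() {
    single_line "$1" || return 1
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9._-]{0,31}$'
}

# Print the command in dry-run mode, execute it otherwise.
run_or_print() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sections 3 and 8: drop inbound traffic from a validated adversary address.
# `iptables -C` reports whether an identical rule already exists, so the same
# alert firing twice does not stack duplicate rules.
block_inbound_ip() {
    is_ipv4 "$1" || { printf 'refused: "%s" is not an IPv4 address\n' "$1" >&2; return 1; }
    if [ "${DRY_RUN:-1}" != 1 ] && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0
    fi
    run_or_print iptables -A INPUT -s "$1" -j DROP
}

# Section 7: the outbound counterpart.
block_outbound_ip() {
    is_ipv4 "$1" || { printf 'refused: "%s" is not an IPv4 address\n' "$1" >&2; return 1; }
    run_or_print iptables -A OUTPUT -d "$1" -j DROP
}

# Section 2: block interactive logins for a validated account name.
disable_user_login() {
    is_username "$1" || { printf 'refused: "%s" is not a valid account name\n' "$1" >&2; return 1; }
    run_or_print usermod -s /sbin/nologin "$1"
}

# Constructed alert context standing in for the substituted variables.
ADVERSARY_IP="203.0.113.45"
TARGET_USER="test_user"

block_inbound_ip "$ADVERSARY_IP"
block_outbound_ip "$ADVERSARY_IP"
disable_user_login "$TARGET_USER"
# A malformed value is refused before any command is built:
block_inbound_ip "256.1.1.1" || echo "(rejected, as intended)"
```

The wrappers quote every substituted value, so even an accepted value is passed to the tool as one argument; the validation exists so that a log field that is not an address or account name at all is refused rather than handed to iptables or usermod.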
Best Practices
Verify Before Execute - Always verify the target system and parameters before executing commands. Review alert context for accuracy.
Document Actions - Log all incident response actions including timestamps, commands executed, and outcomes for compliance.
Coordinate with Team - Communicate with your security team before taking disruptive actions. Monitor for unintended consequences.
Test in Lab First - When possible, test commands in a lab environment before deploying to production systems.
Have Rollback Plan - Know how to reverse each action if needed. Keep documentation for re-enabling services, users, or network access.
Follow Playbooks - Adhere to incident response playbooks and escalation procedures. Ensure proper authorization.
Command Impact Reference
Action | Severity | User Impact | Reversibility | Requires Admin
Isolate Host | Critical | All users | Manual | Yes
Disable User | High | Target user | Easy | Yes
Block IP | High | Specific connections | Easy | Yes
Kill Process | Medium | App users | N/A | Sometimes
Stop Service | Medium | Service users | Easy | Yes
Uninstall App | High | App users | Difficult | Yes
Delete File | Critical | N/A | Impossible | Sometimes
Block Outbound | High | Specific connections | Easy | Yes
Block Inbound | Medium | External only | Easy | Yes
Remove Permissions | High | Target user | Manual | Yes
Kill Session | Medium | Target user | User can re-login | Yes
Troubleshooting Common Issues
Permission Denied Errors Ensure the UTMStack agent is running with appropriate privileges:
Linux/macOS: Verify sudo permissions
Windows: Ensure administrative rights
Check if remote execution is enabled on target system
Variable Substitution Not Working
Verify the alert context contains required fields
Check variable name spelling and case sensitivity
Ensure execution is from UTMStack console, not manual
Review alert data source configuration
Firewall Rules Not Persisting
iptables: Save with iptables-save > /etc/iptables/rules.v4
firewall-cmd: Always use the --permanent flag and follow it with --reload
Windows: Rules created with netsh advfirewall persist automatically
macOS: Add rules to /etc/pf.conf for persistence; note that piping a single rule into pfctl -f - loads it as the complete ruleset and replaces the rules that were active
Service Won’t Stop
Check for service dependencies
Use force flags when available
Kill the process directly if service does not respond
Check service logs for errors
Consider disabling: systemctl disable [service-name]
Security Considerations
Critical Security Reminders
Authorization Required - All actions must be authorized by appropriate security personnel
Audit Trail - Every command execution is logged in UTMStack
Change Management - Follow organization procedures, even during incidents
Business Impact - Consider operations before isolating critical systems
Evidence Preservation - Ensure evidence preservation before destructive actions
Legal Compliance - Adhere to legal and regulatory requirements
UTMStack Integration Benefits
All commands executed through UTMStack console are automatically logged
Execution results are recorded in the incident timeline
Failed commands trigger alerts for security team review
Commands can be integrated into automated response playbooks
Historical execution data available for compliance reporting