Skip to main content

Introduction

UTMStack provides powerful incident response capabilities through its integrated console, allowing security teams to execute immediate containment and remediation actions across all managed endpoints. This guide covers the most critical commands for responding to security incidents in real-time.
These commands can significantly impact system operations. Always verify the target system and parameters before execution. Actions may disrupt user workflows and should be executed with proper authorization.

Quick Actions Reference

Network Isolation

Immediately isolate compromised hosts from the network

User Management

Disable compromised accounts and sessions

Threat Blocking

Block malicious IPs and prevent further attacks

Process Control

Terminate malicious processes and services

1. Isolate Host (Disable Network)

Immediately disconnect a compromised system from the network to prevent lateral movement and data exfiltration.
  • Windows
  • Linux (RHEL/CentOS)
  • Linux (Debian/Ubuntu)
  • Linux (OpenSUSE)
  • macOS
PowerShell Command
Get-NetAdapter | Disable-NetAdapter -Confirm:$false
What it does:
  • Lists all network adapters on the system
  • Disables each adapter without confirmation prompts
  • Completely isolates the system from the network
This command disables ALL network adapters. The system will be completely isolated until adapters are manually re-enabled.

2. Disable User Account

Immediately disable a compromised or suspicious user account to prevent unauthorized access.
  • Windows
  • Linux (RHEL/CentOS)
  • Linux (Debian/Ubuntu)
  • Linux (OpenSUSE)
  • macOS
PowerShell Command
net user [username] /active:no
Example:
net user test_user /active:no
Replace [username] with the actual username. UTMStack can automatically substitute variables from alert context.

3. Block Adversary IP Address

Block incoming traffic from a malicious IP address to prevent further attacks.
  • Windows
  • Linux (RHEL/CentOS)
  • Linux (Debian/Ubuntu)
  • Linux (OpenSUSE)
  • macOS
PowerShell Command
netsh advfirewall firewall add rule name="Block-Attack-[IP]" dir=in action=block remoteip="[IP]" enable=yes
Example:
netsh advfirewall firewall add rule name="Block-Attack-8.8.8.8" dir=in action=block remoteip="8.8.8.8" enable=yes
This creates a permanent firewall rule that persists across reboots.

4. Kill Malicious Process

Terminate a suspicious or malicious process immediately.
  • Windows
  • Linux (All Distributions)
  • macOS
PowerShell Command
taskkill /F /IM [process-name.exe]
Example:
taskkill /F /IM notepad.exe
Options:
  • /F = Force termination
  • /IM = Identifies process by image name

5. Stop Malicious Service

Stop a compromised or suspicious system service.
  • Windows
  • Linux (All Distributions)
  • macOS
PowerShell Command
Stop-Service -Name "[service-name]" -Force
Example:
Stop-Service -Name "Spooler" -Force
The -Force parameter stops the service even if it has dependent services.

6. Delete Malicious File

Permanently remove a malicious file from the system.
  • Windows
  • Linux (All Distributions)
  • macOS
PowerShell Command
Remove-Item -LiteralPath "[file-path]" -Force -Recurse
Example:
Remove-Item -LiteralPath "C:\Users\john\Documents\malware.exe" -Force
Alternative (CMD):
del /f "[file-path]"

7. Block Server Outbound Network Access

Prevent a compromised server from communicating with external malicious infrastructure.
  • Windows
  • Linux (All Distributions)
  • macOS
PowerShell Command
netsh advfirewall firewall add rule name="Block-Outbound-[IP]" dir=out action=block remoteip="[IP]"
Example:
netsh advfirewall firewall add rule name="Block-Outbound-203.0.113.45" dir=out action=block remoteip="203.0.113.45"

8. Block Server Inbound Network Access

Block incoming connections from a specific malicious IP address.
  • Windows
  • Linux (RHEL/CentOS)
  • Linux (Debian/Ubuntu)
  • macOS
PowerShell Command
netsh advfirewall firewall add rule name="Block-Inbound-[IP]" dir=in action=block remoteip="[IP]"

9. Uninstall Malicious Application

Remove a malicious or compromised application from the system.
  • Windows
  • Linux (RHEL/CentOS)
  • Linux (Debian/Ubuntu)
  • Linux (OpenSUSE)
  • macOS
PowerShell Command (searches and uninstalls silently)
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*[app-name]*"} | ForEach-Object {Start-Process -FilePath $_.UninstallString -ArgumentList "/S" -Wait}
Example:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*VLC*"} | ForEach-Object {Start-Process -FilePath $_.UninstallString -ArgumentList "/S" -Wait}

10. Remove All User Permissions

Strip all elevated permissions from a compromised user account.
  • Windows
  • Linux (All Distributions)
  • macOS
PowerShell Command
Get-LocalGroup | Where-Object { $_.Name -ne "Users" } | ForEach-Object { Remove-LocalGroupMember -Group $_.Name -Member "[username]" -ErrorAction SilentlyContinue }
Example:
Get-LocalGroup | Where-Object { $_.Name -ne "Users" } | ForEach-Object { Remove-LocalGroupMember -Group $_.Name -Member "TestUser" -ErrorAction SilentlyContinue }
Removes the user from all groups except the base Users group.

11. Kill Session and Logout User

Forcefully terminate all active sessions of a compromised user account.
  • Windows
  • Linux (All Distributions)
  • macOS
Command
logoff [username]
Example:
logoff testuser
Terminates active sessions but does not prevent re-login. Combine with Disable User Account for complete containment.

Variable Substitution in UTMStack

UTMStack automatically substitutes context variables from alerts and incidents when executing commands.

Common Variables

Target Variables (affected system/resource):
  • $(target.user) - Username of affected account
  • $(target.applicationname) - Name of target application
  • $(target.hostname) - Hostname of affected system
  • $(target.ip) - IP address of target system
Adversary Variables (threat actor):
  • $(adversary.ip) - Attacker IP address
  • $(adversary.user) - Compromised username
  • $(adversary.process) - Malicious process name/path
  • $(adversary.service) - Suspicious service name
  • $(adversary.windowsServiceDisplayName) - Windows service display name
Log Variables (from log data):
  • $(log.winlogEventDataProcessName) - Windows process path from event log
  • $(log.sourceIp) - Source IP from log entry
  • $(log.username) - Username from log entry

Best Practices

Verify Before Execute

Always verify the target system and parameters before executing commands. Review alert context for accuracy.

Document Actions

Log all incident response actions including timestamps, commands executed, and outcomes for compliance.

Coordinate with Team

Communicate with your security team before taking disruptive actions. Monitor for unintended consequences.

Test in Lab First

When possible, test commands in a lab environment before deploying to production systems.

Have Rollback Plan

Know how to reverse each action if needed. Keep documentation for re-enabling services, users, or network access.

Follow Playbooks

Adhere to incident response playbooks and escalation procedures. Ensure proper authorization.

Command Impact Reference

ActionSeverityUser ImpactReversibilityRequires Admin
Isolate HostCriticalAll usersManualYes
Disable UserHighTarget userEasyYes
Block IPHighSpecific connectionsEasyYes
Kill ProcessMediumApp usersN/ASometimes
Stop ServiceMediumService usersEasyYes
Uninstall AppHighApp usersDifficultYes
Delete FileCriticalN/AImpossibleSometimes
Block OutboundHighSpecific connectionsEasyYes
Block InboundMediumExternal onlyEasyYes
Remove PermissionsHighTarget userManualYes
Kill SessionMediumTarget userUser can re-loginYes

Troubleshooting Common Issues

Permission Denied ErrorsEnsure the UTMStack agent is running with appropriate privileges:
  • Linux/macOS: Verify sudo permissions
  • Windows: Ensure administrative rights
  • Check if remote execution is enabled on target system
Variable Substitution Not Working
  • Verify the alert context contains required fields
  • Check variable name spelling and case sensitivity
  • Ensure execution is from UTMStack console, not manual
  • Review alert data source configuration
Firewall Rules Not Persisting
  • iptables: Save with iptables-save > /etc/iptables/rules.v4
  • firewall-cmd: Always use --permanent flag and --reload
  • Windows: Rules created with netsh advfirewall persist automatically
  • macOS: Add rules to /etc/pf.conf for persistence
Service Won’t Stop
  • Check for service dependencies
  • Use force flags when available
  • Kill the process directly if service does not respond
  • Check service logs for errors
  • Consider disabling: systemctl disable [service-name]

Security Considerations

Critical Security Reminders
  1. Authorization Required - All actions must be authorized by appropriate security personnel
  2. Audit Trail - Every command execution is logged in UTMStack
  3. Change Management - Follow organization procedures, even during incidents
  4. Business Impact - Consider operations before isolating critical systems
  5. Evidence Preservation - Ensure evidence preservation before destructive actions
  6. Legal Compliance - Adhere to legal and regulatory requirements
UTMStack Integration Benefits
  • All commands executed through UTMStack console are automatically logged
  • Execution results are recorded in the incident timeline
  • Failed commands trigger alerts for security team review
  • Commands can be integrated into automated response playbooks
  • Historical execution data available for compliance reporting