If you only keep one security runbook open during an incident, make it command-first and repeatable. This is a practical command pack for quick triage across Linux and Windows.

1) Internet-facing exposure and service check

# Linux - local listening services
sudo ss -ltnp
sudo lsof -iTCP -sTCP:LISTEN -P

# External from a jump box
nmap -sV -p- --open your-public-ip

Use this first to confirm what is truly exposed before spending time on endpoint-only assumptions.

2) Prioritize vulnerabilities that matter now

Use CISA KEV as a daily prioritization input, not just CVSS sorting.

# Example KEV quick pull
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json | jq '.vulnerabilities[] | {cveID, vendorProject, product, dateAdded}' | head -n 40

3) Linux auth and privilege triage

# Failed and successful auth attempts
# (unit is "sshd" and the log is /var/log/secure on RHEL-family systems)
sudo journalctl -u ssh --since "24 hours ago"
sudo grep -E "Failed password|Accepted" /var/log/auth.log | tail -n 200

# Privilege and sudo usage
sudo grep -i "sudo" /var/log/auth.log | tail -n 200

# Suspicious persistence
# (crontab -l shows only the invoking user's crontab; the spool dir holds every user's)
sudo crontab -l
sudo ls -lah /etc/cron* /var/spool/cron 2>/dev/null
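
The grep above lists raw events; to turn section 3's auth output into something you can act on, here is an added helper (not part of the original pack) that summarises sshd "Failed password" / "Accepted" lines per source address and flags sources at or above a failure threshold. The log lines embedded below are constructed samples.

```shell
#!/usr/bin/env bash
# Added example: summarise sshd auth events from auth.log-format lines on stdin.
# Usage: auth_summary THRESHOLD < /var/log/auth.log
# Output per source: "<ip> failed=<n> accepted=<n> users=<u1,u2> flag=<yes|no>"
auth_summary() {
  local threshold="${1:-5}"
  awk -v thr="$threshold" '
    # e.g. "sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      for (i = 1; i <= NF; i++) if ($i == "for") { u = $(i + 1); if (u == "invalid") u = $(i + 3); break }
      failed[ip]++; seen[ip] = 1; note(ip, u)
    }
    # e.g. "sshd[1203]: Accepted publickey for deploy from 198.51.100.4 port 40211 ssh2"
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      for (i = 1; i <= NF; i++) if ($i == "for") { u = $(i + 1); break }
      accepted[ip]++; seen[ip] = 1; note(ip, u)
    }
    # Record each (ip, user) pair once, preserving first-seen order for stable output.
    function note(ip, u) {
      if (!((ip, u) in pair)) { pair[ip, u] = 1; users[ip] = users[ip] (users[ip] == "" ? "" : ",") u }
    }
    END {
      for (ip in seen) {
        flag = (failed[ip] + 0 >= thr) ? "yes" : "no"
        printf "%s failed=%d accepted=%d users=%s flag=%s\n", ip, failed[ip], accepted[ip], users[ip], flag
      }
    }' | sort
}

# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 host sshd[1202]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:02:11 host sshd[1203]: Accepted publickey for deploy from 198.51.100.4 port 40211 ssh2
Mar  3 10:03:40 host sshd[1204]: Failed password for deploy from 198.51.100.4 port 40219 ssh2
Mar  3 10:05:00 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Stand-alone run: flag any source with 3 or more failures in the sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_summary 3
```

Pipe the real file in place of the sample (sudo is needed to read it) and pick the threshold to match your environment's normal mistyped-password rate.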

4) Linux process/network suspicious activity

# Top process and parent-child visibility
ps aux --sort=-%cpu | head -n 25
ps -eo pid,ppid,user,cmd --sort=-pid | head -n 100

# Outbound connections with process mapping
sudo ss -tpn
sudo lsof -i -n -P | grep -E "ESTABLISHED|LISTEN"

5) Windows logon and lateral movement triage

# Recent successful logons (4624) - run from an elevated PowerShell; the Security log needs admin rights
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-24)} |
  Select-Object TimeCreated, Id, Message -First 40

# Failed logons (4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24)} |
  Select-Object TimeCreated, Id, Message -First 40

# New services (7045)
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=(Get-Date).AddHours(-24)} |
  Select-Object TimeCreated, Message -First 30

6) Windows process + network triage

# Running processes and command lines
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Out-GridView

# Active connections with owning PID
Get-NetTCPConnection -State Established |
  Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,OwningProcess

# Map PID to process name
Get-Process -Id <PID>

7) Ransomware-ready hygiene checks (quick wins)

# Backup presence and last run checks (example placeholders)
# Linux
ls -lah /backup

# Windows
Get-ScheduledTask | Where-Object {$_.TaskName -match 'backup|veeam|snapshot'} | Select TaskName,State

Offline and tested backups remain one of the highest-leverage controls for ransomware resilience.

8) Encryption and legacy protocol cleanup

For file transfer and admin access, prefer modern encrypted protocols and remove fallback behavior.

# FTP STARTTLS check
openssl s_client -connect host:21 -starttls ftp

# SSH hardening sanity (Linux) - sshd -T prints the effective config, so it needs root
sudo sshd -T | grep -E "passwordauthentication|permitrootlogin|pubkeyauthentication"

9) Minimal incident workflow using this pack

  1. Confirm exposure (what is reachable).
  2. Pull high-confidence indicators from logs (auth, services, process tree).
  3. Correlate process + network ownership.
  4. Contain suspicious host/account quickly.
  5. Patch KEV-relevant exposed assets first.

References

  • CISA Known Exploited Vulnerabilities (KEV) Catalog
  • CISA StopRansomware guidance
  • MITRE ATT&CK knowledge base

By Nizar