# Lab SEC-4: Malware Recognition and Safe Inspection

Domain:
- 2.0 Security

Works on:
- Windows
- Linux
- Optional macOS

## Goal

Practice safe inspection commands and malware/tool matching on a host you already trust. Do not download or run malware; every command below only observes the system.

## Windows Steps

Run from a PowerShell prompt:

```powershell
# Defender status as data (no GUI needed)
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
# Open the Windows Security app; "windowsdefender:" is a URI, not a command, so it must be launched
Start-Process windowsdefender:
taskmgr
resmon
eventvwr.msc
# Connections and listening ports; the last column is the owning PID
netstat -ano
# CPU here is cumulative processor time, so a long-running process can lead without being busy now; compare with Task Manager
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Get-Process | Sort-Object WorkingSet64 -Descending | Select-Object -First 10
```

Record:
- Defender status:
- Highest CPU process:
- Highest memory process:
- One listening port or connection (with its PID):
- One log area you would inspect after suspected malware (for example the Security or System log, or the Defender operational log, in Event Viewer):

## Linux Steps

Run:

```bash
top                        # sorted by CPU; press q to exit
ps aux --sort=-%cpu | head -n 10
sudo ss -tulpn             # without root the Process column is empty
journalctl -p err          # add -b to limit to the current boot
```

Record:
- Highest CPU process:
- One listening service:
- One recent error:
- One process you would investigate further:

## Optional macOS Steps

Run:

```bash
top -o cpu                 # sort by CPU; press q to exit
ps aux
```

Record:
- Highest CPU process:
- One unfamiliar process to research:

## Tabletop Scenarios

For each scenario, write the likely malware type or tool, the control that addresses it, and your next action.

1. User files are encrypted and a payment note appears.
2. A free installer added browser toolbars and pop-up ads.
3. CPU stays near 100% while the system is idle.
4. A laptop shows signs of surveillance: location tracking, microphone access, screenshots.
5. A system has a suspected boot-level infection and normal tools cannot remove it.
6. Users receive malicious email attachments before endpoint tools can stop them.
7. The security team wants endpoint behavior detection and isolation.

## What You Should Learn

- Malware type is identified by behavior (what it encrypts, displays, consumes, or exfiltrates), not by a file name or icon.
- EDR detects and responds on endpoints, including isolating a host.
- MDR is detection and response operated for you by a third-party provider.
- XDR correlates endpoint, network, and cloud telemetry in one place.
- Severe persistent infections, including boot-level ones that normal tools cannot remove, may require a reimage or reinstall.
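The Linux "Record:" items above can be scripted so the same triage is rerun and compared between hosts. The script below is an added example, not part of the original lab. It parses the text output of `ps aux` and `ss -tulpn` from stdin, and the sample outputs embedded in it are constructed, not captured from a real system; the process name `sysupd`, its path and the port numbers are placeholders chosen for the example. On a live host, pipe the real command into the function instead (for example `ps aux | top_cpu_process`).

```shell
#!/usr/bin/env bash
# Added example (not part of the original lab): the Linux "Record:" items as
# shell functions. Each function parses the text output of one command from
# stdin. The samples below are CONSTRUCTED, not captured from a real system;
# on a live host pipe the real command in, e.g.  ps aux | top_cpu_process

# Constructed `ps aux` output: one process is using almost all CPU.
PS_SAMPLE='USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 169000 11000 ?        Ss   09:00   0:01 /sbin/init
www-data     842  1.2  0.5 250000 40000 ?        S    09:01   0:12 nginx: worker process
user        1337 97.4  2.0 800000 160000 ?       R    09:30  12:40 /tmp/.cache/sysupd
user        1402  0.3  0.4  60000 30000 pts/0    Ss   09:31   0:00 bash'

# Constructed `sudo ss -tulpn` output: the CPU hog also listens on a port.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      511        0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=842,fd=6))
tcp   LISTEN 0      5        127.0.0.1:4444      0.0.0.0:*     users:(("sysupd",pid=1337,fd=4))'

# Highest-%CPU process from `ps aux` text. Prints: PID %CPU COMMAND (first word)
top_cpu_process() {
  awk 'BEGIN { max = -1 }
       NR > 1 && $3 + 0 > max { max = $3 + 0; line = $2 " " $3 " " $11 }
       END { print line }'
}

# Listening TCP sockets whose port is not in the space-separated allowlist ($1).
# Prints one "PORT PID PROCESS" line each; "?" when ss was run without root and
# the Process column is empty.
unexpected_listeners() {
  awk -v allow=" $1 " '
    $2 == "LISTEN" {
      n = split($5, a, ":"); port = a[n]          # last piece also handles [::]:22
      if (index(allow, " " port " ") == 0) {
        proc = match($7, /"[^"]+"/)   ? substr($7, RSTART + 1, RLENGTH - 2) : "?"
        pid  = match($7, /pid=[0-9]+/) ? substr($7, RSTART + 4, RLENGTH - 4) : "?"
        print port, pid, proc
      }
    }'
}

# Cross-check for the "one process you would investigate further" item: a
# process that is both the CPU hog and an unexpected listener comes first.
# Prints its PID, or nothing when the two lists do not overlap.
suspect_pid() {
  ps_text=$1; ss_text=$2; allow=$3
  hog=$(printf '%s\n' "$ps_text" | top_cpu_process | cut -d' ' -f1)
  printf '%s\n' "$ss_text" | unexpected_listeners "$allow" |
    awk -v p="$hog" '$2 == p { print p; exit }'
}

# Fill in the record sheet from the constructed samples.
echo "Highest CPU process:  $(printf '%s\n' "$PS_SAMPLE" | top_cpu_process)"
echo "Unexpected listeners: $(printf '%s\n' "$SS_SAMPLE" | unexpected_listeners '22 80')"
echo "Investigate PID:      $(suspect_pid "$PS_SAMPLE" "$SS_SAMPLE" '22 80')"
```

The allowlist is the point of the exercise: a listener is only "unexpected" relative to what the host is supposed to run, so record the expected ports for each machine before an incident, not during one.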