# Lab SEC-6: Malware Removal Process Tabletop
Domain:

- 2.0 Security

Works on:

- Windows
- Tabletop/scenario practice

## Goal

Practice the malware removal order without working on live malware.

## Safe Windows Inspection

Run or open:

```powershell
# Windows Security app (type in the Win+R Run box; from a PowerShell prompt use: Start-Process windowsdefender:)
windowsdefender:
# Task Manager
taskmgr
# Resource Monitor
resmon
# System Properties > System Protection tab (System Restore settings)
SystemPropertiesProtection
```

Optional reboot command worth knowing; do not run it unless you are ready to restart:

```powershell
# Restart into the Advanced Startup (recovery) menu immediately
shutdown /r /o /t 0
```

Record:

- Defender status:
- Highest CPU process:
- System Protection enabled:
- Where you would find Advanced Startup:

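The same "Record" items can be collected read-only from PowerShell instead of clicking through the GUI tools. This is an added example for the lab, not part of the original worksheet; it assumes Windows 10/11 with the built-in Defender module, and the `RPSessionInterval` registry value is used as the System Protection on/off indicator (1 = enabled).

```powershell
# Added example (not part of the original lab): fill in the "Record" block
# from PowerShell. Read-only; nothing is changed on the system.
# Assumptions: Windows 10/11 with the Defender module; run elevated to see
# CPU figures for every process.

function Get-LabInspectionRecord {
    [CmdletBinding()]
    param(
        # Signatures older than this count as "update anti-malware before scanning"
        [int]$MaxSignatureAgeDays = 7
    )

    # 1. Defender status (what the windowsdefender: app shows)
    $mp     = Get-MpComputerStatus
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated

    # 2. Highest CPU process (Task Manager / resmon). Get-Process reports
    #    cumulative CPU seconds, so sample twice and rank by the difference.
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = [double]$_.CPU }
    Start-Sleep -Seconds 2
    $top = Get-Process | ForEach-Object {
        if ($before.ContainsKey($_.Id)) {
            [pscustomobject]@{ Name = $_.Name; Id = $_.Id; Delta = [double]$_.CPU - $before[$_.Id] }
        }
    } | Sort-Object Delta -Descending | Select-Object -First 1

    # 3. System Protection (SystemPropertiesProtection). Assumption for this
    #    example: RPSessionInterval is 1 when System Restore is on, 0 when off.
    $sr        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $srEnabled = ($sr.RPSessionInterval -eq 1)

    [pscustomobject]@{
        DefenderRealTimeProtection = $mp.RealTimeProtectionEnabled
        DefenderSignatureDate      = $mp.AntivirusSignatureLastUpdated
        SignaturesStale            = $sigAge.TotalDays -gt $MaxSignatureAgeDays
        HighestCpuProcess          = if ($top) { "$($top.Name) (PID $($top.Id))" } else { 'n/a' }
        SystemProtectionEnabled    = $srEnabled
        AdvancedStartupLocation    = 'Settings > System > Recovery > Advanced startup (or shutdown /r /o)'
    }
}

Get-LabInspectionRecord | Format-List
```

`SignaturesStale` being true maps directly to the "update anti-malware before scanning/removal" step in the drill below.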
## Process Drill

Write the 10 steps from memory:

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

## Next-Step Scenarios

Identify the next correct step.

1. User reports browser redirects and fake security alerts.
2. You verify symptoms and identify likely malware.
3. The infected system is still on the network.
4. The system is quarantined.
5. System Restore is disabled.
6. Remediation is complete.
7. Anti-malware is updated.
8. Scan/removal fails and system trust is low.
9. Known-good image is restored.
10. Scheduled scans and updates are enabled.
11. System Protection is re-enabled.

## What You Should Learn

- Quarantine comes early.
- Disable System Restore before remediation.
- Update anti-malware before scanning/removal.
- Reimage/reinstall when cleanup cannot be trusted.
- Re-enable System Protection only after cleanup.
- User education is part of the process.