Lab SEC-4: Malware Recognition and Safe Inspection

Domain:

  • 2.0 Security

Works on:

  • Windows
  • Linux
  • Optional macOS

Goal

Practice safe inspection commands and match malware types to the tool or response that addresses them. Do not download or run malware.

Windows Steps

Run:

windowsdefender:
taskmgr
resmon
eventvwr.msc
netstat -ano
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

Record:

  • Defender status:
  • Highest CPU process:
  • Highest memory process:
  • One listening port or connection:
  • One log area you would inspect after suspected malware:

Linux Steps

Run:

top
ps aux
ss -tulpn
journalctl -p err

Record:

  • Highest CPU process:
  • One listening service:
  • One recent error:
  • One process you would investigate further:
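The following helper is an added example, not part of the lab: it fills in the Linux Record items by parsing the output of the `ps aux` and `ss -tulpn` commands above, then flags any listener whose process name is not on a baseline allowlist. The process names, ports and the `/tmp/.update/worker` path in the embedded samples are constructed for the example; feed the same functions live output with `ps aux | top_cpu` and `ss -tulpn | listeners`.

```shell
#!/bin/sh
# Each function reads command output on stdin, so it works on live output
# or on the constructed samples below.

# Highest-CPU process from `ps aux`: %CPU is column 3, PID column 2,
# the command starts at column 11. Prints "PID COMMAND %CPU".
top_cpu() {
  awk 'NR > 1 && $3 + 0 > max { max = $3 + 0; pid = $2; cmd = $11 }
       END { printf "%s %s %s\n", pid, cmd, max }'
}

# Listening sockets from `ss -tulpn`: port is the last ":"-field of the
# Local Address column (5), process name sits in users:(("name",pid=..)).
# Without root, ss omits the Process column, so the name falls back to "?".
listeners() {
  awk 'NR > 1 { n = split($5, a, ":"); port = a[n]
                name = "?"
                if (match($0, /\(\("[^"]+"/)) name = substr($0, RSTART + 3, RLENGTH - 4)
                printf "%s/%s %s\n", $1, port, name }'
}

# Keep only listeners whose process name is not in the space-separated
# allowlist given as $1 (a constructed baseline for this host).
unexpected_listeners() {
  awk -v allow=" $1 " 'index(allow, " " $2 " ") == 0'
}

# Constructed sample output (not captured from a real system).
SAMPLE_PS=$(cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 09:00 0:02 /sbin/init
root 815 0.0 0.1 15000 7000 ? Ss 09:00 0:00 /usr/sbin/sshd -D
nobody 2281 97.3 1.4 820000 115000 ? Sl 09:12 41:10 /tmp/.update/worker --threads 4
alice 3102 2.1 3.0 1200000 250000 ? Sl 09:20 1:03 /usr/lib/firefox/firefox
EOF
)
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=815,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:9001       0.0.0.0:*         users:(("worker",pid=2281,fd=5))
EOF
)

# Stand-alone demo on the samples: prints the three Record items.
printf 'Highest CPU process: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | top_cpu)"
printf 'Listening services:\n'; printf '%s\n' "$SAMPLE_SS" | listeners
printf 'Investigate further:\n'
printf '%s\n' "$SAMPLE_SS" | listeners | unexpected_listeners "sshd systemd-resolve"
```

The same PID appearing as both the top CPU consumer and an unexpected listener is the kind of cross-check that turns two Record items into the one process you would investigate further.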

Optional macOS Steps

Run:

top
ps aux

Record:

  • Highest CPU process:
  • One unfamiliar process to research:

Tabletop Scenarios

For each scenario, write the likely malware type, the tool or control that addresses it, and your next action.

  1. User files are encrypted and a payment note appears.
  2. A free installer added browser toolbars and pop-up ads.
  3. CPU stays near 100% while the system is idle.
  4. A laptop shows signs of surveillance: location tracking, microphone access, screenshots.
  5. A system has a suspected boot-level infection and normal tools cannot remove it.
  6. Users receive malicious email attachments before endpoint tools can stop them.
  7. Security team wants endpoint behavior detection and isolation.

What You Should Learn

  • Malware type is identified by behavior.
  • EDR responds on endpoints.
  • MDR is managed by a third party.
  • XDR correlates endpoint/network/cloud data.
  • Severe persistent infections may require reimage/reinstall.