# Lab SEC-4: Malware Recognition and Safe Inspection

Domain:

- 2.0 Security

Works on:

- Windows
- Linux
- Optional macOS

## Goal

Practice safe inspection commands and malware/tool matching. Do not download or run malware.

## Windows Steps

Run:

```powershell
Start-Process windowsdefender:   # opens the Windows Security app (a bare "windowsdefender:" is not a valid command)
Get-MpComputerStatus             # Defender status as text: real-time protection, signature age, last scan
taskmgr                          # Task Manager: processes, CPU and memory
resmon                           # Resource Monitor: per-process CPU, memory, disk and network
eventvwr.msc                     # Event Viewer: Windows logs to review after suspected malware
netstat -ano                     # connections and listening ports with owning PID
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10          # top CPU consumers
Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 10   # top memory consumers
```

Record:

- Defender status:
- Highest CPU process:
- Highest memory process:
- One listening port or connection:
- One log area you would inspect after suspected malware:

## Linux Steps

Run:

```bash
top
ps aux
ss -tulpn
journalctl -p err
```

Record:

- Highest CPU process:
- One listening service:
- One recent error:
- One process you would investigate further:
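The Linux Record items can be filled in from saved command output rather than by poking at a live process. The script below is an added example, not part of the lab handout: a POSIX shell script that parses constructed `ps aux` and `ss -tulpn` text to find the highest-CPU process, list listening services with the process that owns them, and flag processes whose executable lives in a temporary or hidden directory (a common place to look first). The sample rows, PIDs, ports and paths such as `/tmp/.x/kworkerd` are constructed for illustration, and the function names are my own.

```bash
#!/bin/sh
# Added example: parse saved `ps aux` / `ss -tulpn` output (constructed samples, not captured
# from a real host) to answer the Linux "Record" items.

PS_SAMPLE='USER       PID %CPU %MEM    VSZ    RSS TTY STAT START   TIME COMMAND
root         1  0.0  0.1 169000  11000 ?   Ss   09:00   0:01 /sbin/init
alice     2412 97.3  2.5 812000 205000 ?   Sl   09:12  45:10 /tmp/.x/kworkerd
alice     2500  1.2  0.8 355000  66000 ?   Sl   09:15   0:30 /usr/bin/firefox'

SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:4444        0.0.0.0:*         users:(("kworkerd",pid=2412,fd=5))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=540,fd=12))'

# Highest CPU process: skip the header, sort on %CPU (column 3) descending, return "PID COMMAND".
top_cpu_process() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3, $2, $11 }' | sort -k1,1 -rn | head -n 1 \
        | awk '{ print $2, $3 }'
}

# Listening services: keep LISTEN rows, return "PORT PROCESS" per line.
# The process name sits inside users:(("name",pid=...,fd=...)) in column 7.
listening_services() {
    printf '%s\n' "$1" | awk '$2 == "LISTEN" {
        n = split($5, a, ":"); port = a[n]
        proc = $7; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        print port, proc
    }'
}

# Processes to investigate further: executables launched from world-writable temp
# directories or from a hidden (dot) directory. A heuristic, not a verdict.
suspicious_processes() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($11 ~ /^\/(tmp|dev\/shm|var\/tmp)\// || $11 ~ /\/\./) { print $2, $11 }'
}

echo "Highest CPU process: $(top_cpu_process "$PS_SAMPLE")"
echo "Listening services (port process):"
listening_services "$SS_SAMPLE"
echo "Processes to investigate further (pid path):"
suspicious_processes "$PS_SAMPLE"
```

Replace the constructed strings with `ps aux > ps.txt` and `ss -tulpn > ss.txt` captures (`"$(cat ps.txt)"`) to run the same checks on a real machine; a high-CPU process that also owns an unexpected listening port and runs from `/tmp` is exactly the combination worth writing down in the Record list.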

## Optional macOS Steps

Run:

```bash
top
ps aux
```

Record:

- Highest CPU process:
- One unfamiliar process to research:

## Tabletop Scenarios

For each scenario, write the likely malware type, the tool or control that addresses it, and the next action.

1. User files are encrypted and a payment note appears.
2. A free installer added browser toolbars and pop-up ads.
3. CPU stays near 100% while the system is idle.
4. A laptop shows signs of surveillance: location tracking, microphone access, screenshots.
5. A system has a suspected boot-level infection and normal tools cannot remove it.
6. Users receive malicious email attachments before endpoint tools can stop them.
7. The security team wants endpoint behavior detection and isolation.

## What You Should Learn

- Malware type is identified by behavior.
- EDR responds on endpoints.
- MDR is managed by a third party.
- XDR correlates endpoint/network/cloud data.
- Severe persistent infections may require reimage/reinstall.