Novice Level

Looking for Malware on Windows Systems

30 minutes

2 Learning Objectives

In this lab, we will investigate a suspicious process running on a Windows host, document key data points, and create a dump file of the process.

NOTE: Once the lab is ready, please wait 4 additional minutes before attempting to remote desktop to the Windows machine. Prior to that, the provided credentials will not work. This is because the Windows machine runs several preparation scripts once it starts.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Document suspicious process information.

Use a Remote Desktop client to connect to the lab server on it’s public IP address on port 3389. The Windows lab servers take a few minutes to come up so please be patient.
Open up notepad.exe.
Open up the Task Manager.
On the Processes tab, find the process named amazon-ssm-agent, right click on the amazon-ssm-agent and select Go to details.
From the Details tab, document the PID and Username for the amazon-ssm-agent process.
Right click on the amazon-ssm-agent and select Go to service(s), document the service name.
Go back to the Processes tab and right click on the amazon-ssm-agent process and select Open file location. Document the file path.
Save all this information in a file named "investigation.txt" on the Desktop of the server.

Create a dump file of the suspicious service.

Open up the Task Manager.
On the Proceses tab, find the procecess named amazon-ssm-agent, then right click on it and select Create dump file.

Additional Resources

The security team has identified a suspicious process running on a Windows server. Your supervisor has sent you the following email about the situation:

Good morning,
The process in question is named amazon-ssm-agent. This server is not running in AWS nor has it ever, that's why this is suspicious. Please investigate the process and document the following information in a text file on the Desktop of the server named investigation.txt:

Process name:
PID:
Username process is running as:
Service name:
Directory where service .exe file is located:

Once you've completed collecting this data, create a dump file of the process and leave it in its default location.

Thank you,
Billy Lumbergh

PS: I may need you to come in and work this weekend; I'll let you know.

Connecting to the lab:

Use RDP (Remote Desktop) to connect to the public IP address on port 3389 of the instance.
Log in with the username and password generated by the lab.

For information on RDP clients, see:

For Windows: https://support.microsoft.com/en-us/help/4028379/windows-10-how-to-use-remote-desktop

For Mac: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-mac

For Linux: https://remmina.org/

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Get Started

Who’s going to be learning?

Myself My Organization

How many seats do you need?

$499 USD per seat per year
Billed Annually
Renews in 12 months

Ready to accelerate learning?

For over 25 licenses, a member of our sales team will walk you through a custom tailored solution for your business.

$2,495.00

Checkout

Welcome Back!

Psst…this one if you’ve been moved to ACG!