> NOTE: This lab will take some time to start. This is because the Windows machine runs several preparation scripts once it boots; the environment waits until these finish before marking the lab as ready for your use.
In this lab, we will investigate a suspicious process running on a Windows host, document key data points, and create a dump file of the process.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Document suspicious process information.
  - Use a Remote Desktop client to connect to the lab server on its public IP address on port 3389. The Windows lab servers take a few minutes to come up, so please be patient.
  - Open up notepad.exe.
  - Open up the Task Manager.
  - On the Processes tab, find the process named amazon-ssm-agent, right-click on it and select Go to details.
  - From the Details tab, document the PID and Username for the amazon-ssm-agent process.
  - Right-click on amazon-ssm-agent and select Go to service(s), then document the service name.
  - Go back to the Processes tab, right-click on the amazon-ssm-agent process and select Open file location. Document the file path.
  - Save all this information in a file named "investigation.txt" on the Desktop of the server.
- Create a dump file of the suspicious service.
  - Open up the Task Manager.
  - On the Processes tab, find the process named amazon-ssm-agent, then right-click on it and select Create dump file.
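The Task Manager steps above can be cross-checked from the command line. The following PowerShell script is an added example, not part of the lab material: it collects the same data points (PID, Username, hosting service name, file path) for the amazon-ssm-agent process and writes them to investigation.txt on the Desktop, adding the parent PID, command line and a SHA-256 of the image so the note is more useful as evidence. It assumes an elevated session (needed to read the owner of a SYSTEM process); the dump file itself is still created through Task Manager as the lab describes.

```powershell
# Added example: record the lab's data points for a suspicious process.
# Assumes the process name from the lab and an elevated PowerShell session.
$ProcessName = 'amazon-ssm-agent'
$OutFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'investigation.txt'

# Win32_Process carries the PID, image path and command line; GetOwner returns the account
$procs = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName.exe'"
if (-not $procs) { throw "No process named $ProcessName.exe is running" }

$report = foreach ($p in $procs) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }

    # Services hosted by this PID (the 'Go to service(s)' step in Task Manager)
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
            Select-Object -ExpandProperty Name
    $svcList = if ($svcs) { $svcs -join ', ' } else { 'none' }

    # Hash the on-disk image (the 'Open file location' step) so it can be compared later
    $hash = if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
        (Get-FileHash -Path $p.ExecutablePath -Algorithm SHA256).Hash
    } else { 'unavailable' }

    [PSCustomObject]@{
        Collected   = (Get-Date).ToString('o')
        ProcessName = $p.Name
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Username    = $user
        Service     = $svcList
        FilePath    = $p.ExecutablePath
        SHA256      = $hash
        CommandLine = $p.CommandLine
    }
}

# One key/value block per process instance, saved to the Desktop and echoed back
$report | Format-List | Out-String | Set-Content -Path $OutFile -Encoding UTF8
Get-Content $OutFile
```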