Finding Malicious Indicators

Students will examine a network breach and be able to identify the indicators of a compromise using a variety of command line and GUI (graphical user interface) utilities that will provide detailed information about the attacker’s foothold into a compromised Windows Server.

Overview

In this lab, you will get an opportunity to examine a system that was compromised by an attacker and is still actively compromised. You have likely read articles in the news or heard from your professors about various high-profile attacks in which large companies had systems compromised. It is important to be able to look at a system and know how to examine it in order to determine whether it has been compromised. There are utilities built into the operating system, as well as third-party utilities, that can be used to help you determine whether a system is compromised. Some of the common tasks that can be performed to check for a system compromise include examining network connections, examining file timestamps, viewing the registry, and dumping and examining the RAM of the system. This lab will help you learn about the possible indications of a compromised system.

OUTCOMES

In this lab, you will learn to:

  1. Examine a compromised system’s connections, processes, and memory.
  2. Examine timestamps to find instances of potential breaches.
  3. Use Wireshark to capture and examine network traffic.

Key terms and descriptions

autoruns
A free tool from Sysinternals that will alert you to startup registry entries as well as programs that start automatically when a user logs in or when the system starts up.
pslist
A free tool from Sysinternals that will show you the running processes.
netstat
A command to show the active TCP/IP connections.
Process Explorer
A free tool from Sysinternals that will allow you to view the processes running in memory on the system.
PID
PID stands for process ID and is a unique number assigned to a running process on a given machine.
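The overview lists the triage tasks (network connections, file timestamps, the registry) and the key terms describe the tools that perform them. The following PowerShell script is an added example, not part of the lab material or any Sysinternals tool, showing how three of those checks can be done with built-in cmdlets: it joins active TCP connections to their owning process (what netstat -ano shows, plus process name and executable path), lists the common Run/RunOnce autostart registry entries (a small subset of what Autoruns covers), and lists recently modified files under a directory. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (for Get-NetTCPConnection); the watched path and the seven-day window are assumptions chosen for illustration.

```powershell
# Added example (not from the lab text): a quick triage pass over the kinds of
# indicators the lab describes. Assumes PowerShell 5.1+ on Windows 8 / Server 2012
# or later. $WatchPath and $Days are illustrative defaults, not values from the lab.
param(
    [string]$WatchPath = 'C:\inetpub\wwwroot',   # assumed directory to check for recent changes
    [int]$Days = 7                               # assumed look-back window
)

# 1. Listening/established TCP connections joined to the owning process, so an
#    unexpected listener or an odd executable path stands out (compare: netstat -ano).
function Get-ConnectionsWithProcess {
    Get-NetTCPConnection -State Listen, Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path        # null for protected/system processes
            }
        }
}

# 2. Autostart entries from the common Run/RunOnce keys for the machine and the
#    current user. Autoruns checks far more locations; this is the minimal subset.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 3. Files under a directory whose last-write time falls inside the window, newest first.
function Get-RecentlyModifiedFiles {
    param([string]$Path, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

Write-Host '== Listening/established TCP connections with owning process =='
Get-ConnectionsWithProcess | Sort-Object LocalPort | Format-Table -AutoSize

Write-Host '== Run/RunOnce autostart entries =='
Get-RunKeyEntries | Format-Table -AutoSize

Write-Host "== Files under $WatchPath modified in the last $Days days =="
Get-RecentlyModifiedFiles -Path $WatchPath -Days $Days | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that Get-Process can read the executable path of processes owned by other users; a connection whose owning process has no path, or whose path is in a user-writable or temporary directory, is worth a closer look in Process Explorer. Note that CreationTime and LastWriteTime are ordinary file attributes and can be altered, so the timestamp list is a starting point to correlate with the connection and autostart findings rather than proof on its own.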