Looking for Malware on Windows Systems
In this lab, we will investigate a suspicious process running on a Windows host, document key data points, and create a dump file of the process. NOTE: Once the lab is ready, please wait 2 additional minutes before attempting to remote desktop to the Windows machine. Prior to that, the provided credentials will not work. This is because the Windows machine runs several preparation scripts once it starts.
Identifying Malware on Windows Systems
Setting Up the Environment
- Use RDP (Remote Desktop) to connect to the instance's public IP address on port 3389.
- Log in with the username and password provided on the lab instructions page.
Document Suspicious Process Information
- Open the Notepad text editor.
- In a new document, write the following information:
- Process name: amazon-ssm-agent
- Username process is running as:
- Service name:
- Directory where service .exe file is located:
- Open the Task Manager.
- In the Processes tab, find the process called amazon-ssm-agent.
- Right-click on amazon-ssm-agent, and select Go to details.
- In the Details tab, locate the PID and user name for the amazon-ssm-agent process.
- Write the PID (for example "2500"; the PID is assigned at start-up, so it will differ on your instance) and user name ("SYSTEM") in the Notepad document.
- Right-click the process name again, and select Go to service(s).
- Write the service name ("AmazonSSMAgent") in the Notepad document.
- Go back to the Processes tab.
- Right-click the amazon-ssm-agent process, and select Open file location.
- Copy the file path, and paste it in the Notepad document.
- Name the Notepad document "investigation.txt", and save it to your desktop.
Create a Dump File of the Suspicious Service
- Go back to the Task Manager.
- In the Processes tab, find the amazon-ssm-agent process.
- Right-click on the process name, and select Create dump file. Task Manager writes a full-memory minidump to your temp folder (for example C:\Users\<user>\AppData\Local\Temp\amazon-ssm-agent.DMP) and shows the path in a confirmation dialog; copy that path into the Notepad document so the dump can be located later.
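The same collection, done from an elevated PowerShell session instead of Task Manager and Notepad, as an added example that is not part of the lab's own steps. It records the data points above (plus the command line, parent PID and image hash, which Task Manager does not show in one place), writes them to investigation.txt on the desktop, and then calls MiniDumpWriteDump, the dbghelp.dll API that Task Manager's "Create dump file" also uses, to produce a full-memory dump. It assumes the process name amazon-ssm-agent and a session started with "Run as administrator"; the agent runs as SYSTEM, so an unelevated session cannot open it.

```powershell
# Added example (not lab code). Assumes an elevated PowerShell session and a
# single process named amazon-ssm-agent.
$ProcessName = 'amazon-ssm-agent'
$OutDir      = Join-Path $env:USERPROFILE 'Desktop'
$ReportPath  = Join-Path $OutDir 'investigation.txt'

$proc = Get-Process -Name $ProcessName -ErrorAction Stop
if ($proc.Count -gt 1) { throw "More than one $ProcessName process running; pick a PID instead." }

# Get-Process does not expose the owning account or the command line;
# Win32_Process does. GetOwner() is what Task Manager's "User name" column shows.
$cim   = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
$owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner

# Services hosted in this PID: the same lookup as "Go to service(s)".
$svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)"

$report = [ordered]@{
    'Process name' = $proc.ProcessName
    'PID'          = $proc.Id
    'User'         = '{0}\{1}' -f $owner.Domain, $owner.User
    'Service name' = ($svc.Name -join ', ')
    'Image path'   = $cim.ExecutablePath
    'Command line' = $cim.CommandLine
    'Parent PID'   = $cim.ParentProcessId
    'Image SHA256' = (Get-FileHash -Path $cim.ExecutablePath -Algorithm SHA256).Hash
    'Authenticode' = (Get-AuthenticodeSignature -FilePath $cim.ExecutablePath).Status
}
$report.GetEnumerator() |
    ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value } |
    Set-Content -Path $ReportPath

# P/Invoke declaration for dbghelp!MiniDumpWriteDump.
Add-Type -Namespace Win32 -Name DbgHelp -MemberDefinition @'
[DllImport("dbghelp.dll", SetLastError = true)]
public static extern bool MiniDumpWriteDump(
    IntPtr hProcess, uint processId, Microsoft.Win32.SafeHandles.SafeFileHandle hFile,
    uint dumpType, IntPtr exceptionParam, IntPtr userStreamParam, IntPtr callbackParam);
'@

# MINIDUMP_TYPE flags: WithFullMemory 0x2, WithHandleData 0x4,
# WithFullMemoryInfo 0x800, WithThreadInfo 0x1000.
$DumpType = 0x2 -bor 0x4 -bor 0x800 -bor 0x1000

$dumpPath = Join-Path $OutDir ('{0}_{1}.dmp' -f $ProcessName, $proc.Id)
$stream   = [System.IO.File]::Create($dumpPath)
try {
    # $proc.Handle is opened by .NET with PROCESS_ALL_ACCESS; MiniDumpWriteDump
    # needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.
    $ok = [Win32.DbgHelp]::MiniDumpWriteDump(
        $proc.Handle, [uint32]$proc.Id, $stream.SafeFileHandle,
        $DumpType, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MiniDumpWriteDump failed with Win32 error $err"
    }
} finally {
    $stream.Dispose()
}

# Hash the dump so the evidence file can be tied back to this collection.
Add-Content -Path $ReportPath -Value (
    'Dump SHA256: {0} ({1})' -f (Get-FileHash -Path $dumpPath -Algorithm SHA256).Hash, $dumpPath)
```

A full-memory dump contains everything the process had in memory, including any credentials or tokens it held, so treat the .dmp file as sensitive evidence and restrict who can read it. If MiniDumpWriteDump fails with access denied even from an elevated session, the process is protected or the session's SeDebugPrivilege needs to be enabled first.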
Congratulations, you've successfully completed this hands-on lab!