
Looking for Malware on Windows Systems

Hands-On Lab

Length

00:30:00

Difficulty

Beginner

In this lab, we will investigate a suspicious process running on a Windows host, document key data points, and create a dump file of the process. NOTE: Once the lab is ready, wait an additional 2 minutes before attempting to connect to the Windows machine by Remote Desktop. Until then the provided credentials will not work, because the Windows machine runs several preparation scripts when it starts.

Identifying Malware on Windows Systems

Introduction

In this lab, we will investigate a suspicious process running on a Windows host, document key data points, and create a dump file of the process.

Setting Up the Environment

  1. Use RDP (Remote Desktop) to connect to the instance's public IP address on port 3389.
  2. Log in with the username and password provided on the lab instructions page.

Document Suspicious Process Information

  1. Open the Notepad text editor.
  2. In a new document, write the following information:
    • Process name: amazon-ssm-agent
    • PID:
    • Username process is running as:
    • Service name:
    • Directory where service .exe file is located:
  3. Open the Task Manager.
  4. In the Processes tab, find the process called amazon-ssm-agent.
  5. Right-click on amazon-ssm-agent, and select Go to details.
  6. In the Details tab, locate the PID and user name for the amazon-ssm-agent process.
  7. Write the PID (for example, "2500"; process IDs are assigned at boot, so the value in your environment may differ) and user name ("SYSTEM") in the Notepad document.
  8. Right-click the process name again, and select Go to service(s).
  9. Write the service name ("AmazonSSMAgent") in the Notepad document.
  10. Go back to the Processes tab.
  11. Right-click the amazon-ssm-agent process, and select Open file location.
  12. Copy the file path, and paste it in the Notepad document.
  13. Name the Notepad document "investigation.txt", and save it to your desktop.

Create a Dump File of the Suspicious Service

  1. Go back to the Task Manager.
  2. In the Processes tab, find the amazon-ssm-agent process.
  3. Right-click on the process name, and select Create dump file. Task Manager writes the .DMP file to the current user's Temp folder and shows its full path in a confirmation dialog; copy that path into investigation.txt so the dump can be located later.

Conclusion

Congratulations, you've successfully completed this hands-on lab!