MALWARE CONTAINMENT LAB

MISSION: Users report audio issues. Investigate Workstations AND Servers. Search email clients on all hosts and report phishing attempts.

1. Identify: Check the Services Tab for stopped audio services or suspicious names.
2. Remediate: Use the Terminal to stop threats (`sc stop`, `taskkill`) and restart audio (`sc start`).

Lab topology: Sales Department, Marketing Department, Access Switch, Core Firewall, Data Center, Quarantine (infected assets are dragged into the Quarantine zone to isolate them).

MISSION DEBRIEF & INTEL

Key Concepts for Exam Success.

Service Masquerading

Malware often hides in plain sight. In this lab the rogue service was named Wind0ws Audio Endpoint Builder, with a zero where the legitimate Windows Audio Endpoint Builder (service name AudioEndpointBuilder) has the letter O. Read service names character by character, and check where the binary lives: the real audio services run inside svchost.exe from C:\Windows\System32, while a masquerading service usually points at an executable in a user-writable location such as a profile or temp folder.
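A way to hunt for that kind of look-alike automatically, as an added example that is not part of the lab: the script folds common homoglyph substitutions (0 for O, 1 for l, 5 for S) so that "Wind0ws" and "Windows" compare equal, flags any service whose folded display name matches a known service but whose real display name or service name does not, and prints the binary path that Get-Service hides. The known-good table and the substitution list are assumptions for the demo; extend them for your own estate.

```powershell
# Added example, not part of the lab: flag services whose display name is a
# look-alike of a known Windows service and show where each one's binary lives.
# Run in PowerShell on the host under investigation.

# Known-good audio services: service name -> exact display name.
# Assumption: extend this table with the other services you care about.
$knownServices = @{
    'Audiosrv'             = 'Windows Audio'
    'AudioEndpointBuilder' = 'Windows Audio Endpoint Builder'
}

# Fold common homoglyph substitutions so "Wind0ws" and "Windows" compare equal.
function ConvertTo-CanonicalName {
    param([string]$Name)
    $n = $Name.ToLowerInvariant()
    $n = $n -replace '0', 'o' -replace '1', 'l' -replace '5', 's' -replace 'rn', 'm' -replace '\s', ''
    return $n
}

# Canonical form -> legitimate display name, for quick lookup.
$canonicalKnown = @{}
foreach ($entry in $knownServices.GetEnumerator()) {
    $canonicalKnown[(ConvertTo-CanonicalName $entry.Value)] = $entry.Value
}

# Win32_Service exposes PathName and the hosting PID, which Get-Service does not.
$suspects = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $canon = ConvertTo-CanonicalName $_.DisplayName
    $legit = $canonicalKnown[$canon]
    # Suspicious when the folded name matches a known service but either the exact
    # display name differs (homoglyph) or the service name is not the genuine one (duplicate).
    if ($legit -and (($_.DisplayName -cne $legit) -or -not $knownServices.ContainsKey($_.Name))) {
        [pscustomobject]@{
            Name         = $_.Name
            DisplayName  = $_.DisplayName
            Impersonates = $legit
            State        = $_.State
            StartMode    = $_.StartMode
            PathName     = $_.PathName   # genuine audio services run svchost.exe from C:\Windows\System32
            ProcessId    = $_.ProcessId
        }
    }
}
$suspects | Format-List

# The genuine services are usually the ones the malware stopped; confirm their state.
Get-Service -Name Audiosrv, AudioEndpointBuilder | Select-Object Name, Status, StartType
```

The folding is deliberately crude: it only needs to collapse the substitutions an attacker uses to fool a human scanning the Services tab, and a false positive costs one look at PathName.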

Firewall Containment

Blocking outbound (egress) traffic to the C2 port, TCP 4444 in this lab, at the Core Firewall cuts the attacker's channel even while the host is still infected. A port block is a stopgap, not a cure: the attacker can move the listener to any other port, so also block the observed C2 address and keep the host in quarantine until it is remediated.

Server Hardening

Servers should not have email clients installed. Mail read on a server means a phishing attachment runs with the server's privileges and next to its data; removing the client removes that path and reduces the attack surface.

7-Step Process

  1. Identify (investigate and verify the malware symptoms)
  2. Quarantine the infected system
  3. Disable System Restore (so a restore point cannot reinfect the host)
  4. Remediate (update anti-malware, scan and remove)
  5. Schedule scans and run updates
  6. Enable System Restore and create a clean restore point
  7. Educate the end user
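Steps 3 through 6 as commands, as an added example that is not part of the lab: this is how the sequence looks on a Windows host protected by Microsoft Defender, using Windows PowerShell 5.1 (the System Restore cmdlets are not available in PowerShell 7). It assumes the system drive is C: and the Defender cmdlets are present; run it from an elevated prompt.

```powershell
# Added example, not part of the lab: steps 2 through 6 of the removal process on a
# host protected by Microsoft Defender. Windows PowerShell 5.1, elevated prompt.
# Assumptions: system drive C:, Defender cmdlets (Update-MpSignature, Start-MpScan,
# Set-MpPreference) available.
$systemDrive = 'C:\'

# 2. Quarantine: isolate at the network (move the switch port to a quarantine VLAN or
#    block the host at the Core Firewall, as in the lab's drag-to-Quarantine), leaving
#    only the path the signature update below needs. Nothing to run on the host itself.

# 3. Disable System Restore so a restore point cannot bring the malware back.
Disable-ComputerRestore -Drive $systemDrive

# 4. Remediate: fresh signatures, full scan, then review what was found and removed.
Update-MpSignature
Start-MpScan -ScanType FullScan
Get-MpThreatDetection | Select-Object ThreatID, InitialDetectionTime, ActionSuccess, Resources

# 5. Schedule scans: a full scan every day at 02:00.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00

# 6. Enable System Restore again and record a known-clean restore point.
Enable-ComputerRestore -Drive $systemDrive
Checkpoint-Computer -Description 'Clean state after malware removal' -RestorePointType MODIFY_SETTINGS

# 7. Educate the end user: a conversation, not a command.
```

Checkpoint-Computer is rate-limited by Windows (one restore point per 24 hours by default), so if a point was taken earlier that day the final step silently reuses it; check with Get-ComputerRestorePoint.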

Email Forensics

Malware often enters via phishing. Analyze these three key areas:

  • Sender Mismatch: the display name says "IT Support", but the actual address is admin@payrol-update.com. The display name is free text; always check the actual address and its domain.
  • Double Extensions: Windows hides extensions of known file types by default. Attackers exploit this: bonus.pdf.exe is displayed as "bonus.pdf", but double-clicking it runs an executable.
  • Urgency Triggers: phrases like "Immediate Action Required" or "Account Suspended" are designed to bypass critical thinking.
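The three checks as a function you can point at a message, as an added example that is not part of the lab. The message, the trusted domain list, the urgency phrases and the executable extension list are all assumptions constructed for the demo.

```powershell
# Added example, not part of the lab: score a constructed message for the three
# phishing indicators (sender mismatch, double extension, urgency wording).
$message = [pscustomobject]@{                      # constructed sample message
    From        = '"IT Support" <admin@payrol-update.com>'
    Subject     = 'Immediate Action Required: Account Suspended'
    Attachments = @('bonus.pdf.exe', 'Q2_report.xlsx')
}
$trustedDomains = @('corp.example')               # assumption: your own mail domain(s)
$urgencyPhrases = @('immediate action required', 'account suspended', 'verify now', 'within 24 hours')
$executableExts = @('exe', 'scr', 'bat', 'cmd', 'com', 'js', 'vbs', 'ps1', 'msi', 'hta', 'lnk')

function Test-PhishingIndicators {
    param($Message, [string[]]$TrustedDomains, [string[]]$UrgencyPhrases, [string[]]$ExecutableExts)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Sender mismatch: the display name is free text; only the address inside <> is real.
    if ($Message.From -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name   = $Matches.name.Trim()
        $addr   = $Matches.addr.Trim()
        $domain = ($addr -split '@')[-1].ToLowerInvariant()
        if ($TrustedDomains -notcontains $domain) {
            $findings.Add("Sender mismatch: display name '$name' but address '$addr' is from untrusted domain '$domain'")
        }
    }

    # 2. Double extension: Explorer hides the final, known extension, so bonus.pdf.exe shows as bonus.pdf.
    foreach ($file in $Message.Attachments) {
        $parts = $file -split '\.'
        if ($parts.Count -ge 3 -and $ExecutableExts -contains $parts[-1].ToLowerInvariant()) {
            $shown = $file.Substring(0, $file.LastIndexOf('.'))
            $findings.Add("Double extension: '$file' is a .$($parts[-1]) executable shown to the user as '$shown'")
        }
    }

    # 3. Urgency triggers in the subject line (-match is case-insensitive by default).
    foreach ($phrase in $UrgencyPhrases) {
        if ($Message.Subject -match [regex]::Escape($phrase)) {
            $findings.Add("Urgency trigger: '$phrase'")
        }
    }
    return $findings
}

Test-PhishingIndicators -Message $message -TrustedDomains $trustedDomains `
    -UrgencyPhrases $urgencyPhrases -ExecutableExts $executableExts
```

On the sample message the function reports all three indicators. The extension check looks only at the final extension, which is the one Explorer hides; a file such as invoice.doc.pdf is not flagged, because it would open as a PDF.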

Network Signals

The Firewall Logs tell the story. Look for these patterns:

The 5-Tuple

Every connection is defined by 5 points:
Src IP, Src Port, Dst IP, Dst Port, Protocol.

Egress vs. Ingress

Ingress (Inbound): Attacks trying to get in.
Egress (Outbound): Infected hosts "phoning home" to a Command & Control (C2) server.
*In this lab, spotting Egress traffic on Port 4444 is your smoking gun.*
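The 5-tuple and the ingress/egress split applied to log lines, as an added example that is not part of the lab and also covers the firewall containment step above. The log format (time, action, protocol, src:port -> dst:port), the sample lines and the 10.0.0.0/8 internal range are assumptions constructed for the demo; the lab's real firewall log may be laid out differently.

```powershell
# Added example, not part of the lab: break constructed firewall log lines into 5-tuples,
# classify each as Ingress, Egress or Internal, flag egress to TCP/4444, and emit the
# containment rules. Log format and the 10.0.0.0/8 internal range are assumptions.
$logLines = @(                                                        # constructed sample log
    '2024-05-01T09:12:01 ALLOW TCP 10.10.20.15:51233 -> 10.10.50.10:445'
    '2024-05-01T09:12:07 ALLOW TCP 10.10.20.15:51240 -> 203.0.113.9:4444'
    '2024-05-01T09:12:09 ALLOW UDP 10.10.20.16:55001 -> 10.10.50.5:53'
    '2024-05-01T09:12:11 BLOCK TCP 198.51.100.7:41000 -> 10.10.50.10:3389'
    '2024-05-01T09:12:15 ALLOW TCP 10.10.30.22:51301 -> 203.0.113.9:4444'
)
$internalPrefix = '^10\.'
$c2Port = 4444

$tuplePattern = '^(?<ts>\S+)\s+(?<action>\w+)\s+(?<proto>\w+)\s+' +
                '(?<sip>[\d.]+):(?<sport>\d+)\s+->\s+(?<dip>[\d.]+):(?<dport>\d+)$'

$tuples = foreach ($line in $logLines) {
    if ($line -notmatch $tuplePattern) { Write-Warning "Unparsed line: $line"; continue }
    $m = $Matches                      # keep a reference: the -match calls below replace $Matches
    $srcInternal = $m.sip -match $internalPrefix
    $dstInternal = $m.dip -match $internalPrefix
    if ($srcInternal -and -not $dstInternal)     { $direction = 'Egress' }
    elseif ($dstInternal -and -not $srcInternal) { $direction = 'Ingress' }
    else                                         { $direction = 'Internal' }
    [pscustomobject]@{
        Time      = $m.ts
        Action    = $m.action
        Protocol  = $m.proto
        SrcIP     = $m.sip              # the 5-tuple: SrcIP, SrcPort, DstIP, DstPort, Protocol
        SrcPort   = [int]$m.sport
        DstIP     = $m.dip
        DstPort   = [int]$m.dport
        Direction = $direction
    }
}
$tuples | Format-Table Time, Direction, Protocol, SrcIP, SrcPort, DstIP, DstPort, Action -AutoSize

# The smoking gun: internal hosts phoning home to the C2 port.
$c2Hits = $tuples | Where-Object { $_.Direction -eq 'Egress' -and $_.Protocol -eq 'TCP' -and $_.DstPort -eq $c2Port }
$c2Hits | Format-Table Time, SrcIP, DstIP, DstPort -AutoSize

# Containment on the Windows host firewall (the lab's Core Firewall needs the same rules
# in its own syntax). Block the port, and the observed C2 addresses on any port, because
# the attacker can move the listener off 4444 at will.
New-NetFirewallRule -DisplayName "Block C2 egress TCP/$c2Port" -Direction Outbound `
    -Action Block -Protocol TCP -RemotePort $c2Port
foreach ($ip in ($c2Hits.DstIP | Sort-Object -Unique)) {
    New-NetFirewallRule -DisplayName "Block C2 host $ip" -Direction Outbound -Action Block -RemoteAddress $ip
}

# Infected sources to move into the Quarantine zone:
$c2Hits.SrcIP | Sort-Object -Unique
```

On the sample lines the script flags two hosts (10.10.20.15 and 10.10.30.22) talking to 203.0.113.9 on 4444, ignores the inbound RDP attempt from 198.51.100.7 (ingress, already blocked) and the internal SMB and DNS traffic. The ALLOW on the 4444 lines is the finding: the firewall let the beacon out.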

Critical Ports

Common ports seen in exams and logs:

PORT   SERVICE      RISK PROFILE
21     FTP          Cleartext credentials (high risk)
22     SSH          Encrypted remote access (low risk when patched and key-managed)
53     DNS          Check for tunneling / exfiltration
445    SMB          Lateral movement vector
3389   RDP          Brute-force target
4444   Metasploit   Default listener port (LPORT); classic reverse-shell / C2 port

COMMAND LINE ARSENAL

Process Warfare

TASKLIST

Displays all running processes and their Process ID (PID).

tasklist /v

/v (Verbose): adds the account each process runs as, its window title and CPU time. Useful for seeing whether a process runs as SYSTEM or as a user account.

tasklist /svc

/svc: Shows which services are hosted in each svchost.exe. Critical for tracking malware hiding in generic processes.

TASKKILL

Terminates a process.

taskkill /PID 1234 /F

/PID: Target by ID (safer than name).
/F (Force): The "Hammer". Forces the process to die. Essential for malware that refuses to close.

Network Recon

NETSTAT

Displays active TCP connections and listening ports.

netstat -ano

-a: All connections/listening ports.
-n: Numerical (IPs instead of DNS names - faster).
-o: Shows the PID. This is the "Golden Flag". It links the connection back to the specific malware process.

PING

Tests reachability.

ping -t 8.8.8.8

-t: Pings continuously until stopped (Ctrl+C). Useful for testing intermittent connections.
-a: Resolves IP to hostname (Reverse DNS).

Service Control

SC (Service Control)

Advanced command for communicating with Service Control Manager.

sc query "Service Name"

Unlike net start, this shows STOPPED services too: `sc query "Service Name"` reports the state of that one service whether it is running or not (with no name, `sc query` lists only running services; add `state= all` to list every service). Essential for verifying whether a security service was disabled.

sc stop "MalwareName"
sc config "MalwareName" start= disabled

config start= disabled: Prevents the service from restarting on reboot (Persistence removal).

NET START / STOP

Legacy commands. Simple but limited.

net start

Only lists RUNNING services. If the malware stopped your audio, "Windows Audio" will not appear in this list at all; use sc query to see it reported as STOPPED.
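The whole arsenal chained together, as an added example that is not part of the lab: netstat -ano to find the connection, tasklist /svc to map the PID to its process and hosted services, taskkill to stop it, and sc stop / sc config / sc start to remove persistence and bring audio back, written as the PowerShell equivalents. The C2 port and the placeholder service name are assumptions; replace the placeholder with the service name the first half of the script reveals.

```powershell
# Added example, not part of the lab: the netstat -ano / tasklist /svc / taskkill / sc
# chain as one PowerShell script. Assumptions: C2 port 4444; the placeholder service
# name below is replaced with the one the triage output shows. Run elevated.
$c2Port = 4444

# Which process owns the connection? (netstat -ano, then tasklist /svc for that PID)
$findings = foreach ($conn in (Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue)) {
    $proc   = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $hosted = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($conn.OwningProcess)"
    [pscustomobject]@{
        Local     = "$($conn.LocalAddress):$($conn.LocalPort)"
        Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
        State     = $conn.State
        PID       = $conn.OwningProcess
        Process   = $proc.ProcessName
        ImagePath = $proc.Path          # genuine audio services live in C:\Windows\System32\svchost.exe
        Services  = ($hosted.Name -join ', ')
    }
}
$findings | Format-List

# Remediate the service identified above.
$malicious = 'Wind0wsAudioEndpointBuilder'   # placeholder: use the Services value from $findings
if (Get-Service -Name $malicious -ErrorAction SilentlyContinue) {
    Stop-Service -Name $malicious -Force                 # sc stop "MalwareName"
    Set-Service  -Name $malicious -StartupType Disabled  # sc config "MalwareName" start= disabled
}

# If the process is still alive (ignored the stop, or is not a service at all), force-kill it.
foreach ($hit in $findings) {
    if ($hit.PID -and (Get-Process -Id $hit.PID -ErrorAction SilentlyContinue)) {
        Stop-Process -Id $hit.PID -Force                  # taskkill /PID n /F
    }
}

# Restore the audio stack. Endpoint Builder first: Windows Audio (Audiosrv) depends on it. (sc start)
foreach ($svc in 'AudioEndpointBuilder', 'Audiosrv') {
    Set-Service   -Name $svc -StartupType Automatic       # undo a "start= disabled" left by the malware
    Start-Service -Name $svc
}
Get-Service -Name AudioEndpointBuilder, Audiosrv | Select-Object Name, Status, StartType
```

Stop-Service -Force and Set-Service -StartupType Disabled do what sc stop and sc config start= disabled do; the CIM query is the tasklist /svc step, because Get-Process alone cannot tell you which services an svchost.exe instance is hosting.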