2016-S2-SEC601-Lab 2 / Trojans and Malware Protection

Exercise 1: Activating a Trojan

Ran GTSLEARNING-setup (screenshot lab-2-scsh1)

Installed ‘Odysseus’ (screenshot lab-2-scsh2)

Immediately after installation Windows Defender popped up saying that it had detected malware. Also after installation the Minesweeper game opened on the desktop (screenshot lab-2-scsh3)

Went into Defender, scanned and found the offending file (Virus:DOS/EICAR_Test_File) (screenshot lab-2-scsh8)

Looked in Task Manager > Processes for anything unusual; under Apps it shows ‘Entertainment Pack Minesweeper’ (screenshot lab-2-scsh4)

In Event Viewer inspected the Windows Application and System logs; in the Application log several Security-SPP processes started since the installation of ‘Odysseus’ completed (screenshot lab-2-scsh5)

In the System log no suspicious activity shows up since installation (screenshot lab-2-scsh6)

Inspected Inbound Rules in Windows Firewall; nothing unusual noticed (screenshot lab-2-scsh7)

Exercise 2: Exploiting the Trojan

Connected to VM-Rogue and opened the network scanner (screenshot lab-2-scsh9)

Found 3 live hosts and the Client IP, 10.1.0.128, with an open port (4450) (screenshot lab-2-scsh10)

Opened PuTTY and proceeded to connect to the client (screenshot lab-2-scsh11)

PuTTY connected to the command prompt of the client and accessed system files… (screenshot lab-2-scsh12)

…as well as running the shutdown/restart prompt, which causes the client to shut down (screenshot lab-2-scsh15)

Exercise 3: Blocking the Trojan

Attempted to connect again to the client while the client is logged off, which was unsuccessful (screenshot lab-2-scsh16)

Logged into the client and went into Task Manager, found the ‘ini’ file that was added to the registry by ‘Odysseus’ and inspected the script (screenshot lab-2-scsh18)

Disabled both ‘Service Firewall’ rules in Windows Firewall (screenshot lab-2-scsh19)

Was unable to reconnect from Rogue to Client (screenshot lab-2-scsh20)

Exercise 4: Deploying Malware Protection

Opened the Server console, went into Server Manager and to ‘Group Policy Management’ (screenshot lab-2-scsh21)

Navigated through the classroom Domain Policy… (screenshot lab-2-scsh22)

…to Windows Defender and disabled the ‘Turn off Windows Defender’ and ‘Turn off routine remediation’ options (screenshot lab-2-scsh23)

…as well as disabling the ‘Turn off Real-time protection’ option (screenshot lab-2-scsh24)

Exercise 5: Using the Anti-Virus Software

Opened the Client and looked for the ‘diary’ file, but Defender had already deleted it (screenshot lab-2-scsh25)

Went into Defender, which showed PC status: Protected (screenshot lab-2-scsh26)

Went into Defender ‘History’ to inspect the ‘Virus’ file (screenshot lab-2-scsh27)

Did a ‘Quick’ scan, which didn’t show any threats, then started a ‘Full’ scan (screenshot lab-2-scsh28)

While the ‘Full’ scan was running, went back to ‘Rogue’ and tried to reconnect to ‘Client’, which, despite the LAB notice, didn’t work (screenshot lab-2-scsh29)

Opened ‘Firewall’ and, according to the LAB instructions, configured a new rule in ‘Inbound Rules’… (screenshot lab-2-scsh30)

…to ‘Block netcat’ (screenshot lab-2-scsh31)

After enabling the new rule, ‘PuTTY’ in ‘Rogue’ couldn’t connect to the ‘Client’ (screenshot lab-2-scsh32)

Back in the ‘Client’, the ‘Defender’ scan had finished and showed the infections (screenshot lab-2-scsh33)

The infections were then ‘removed’ by ‘Defender’ (screenshot lab-2-scsh34)
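As an added example (not part of the lab handout or of this report), the same triage and block steps done from an elevated PowerShell prompt on the Client VM instead of the GUI: find the process listening on the backdoor port, create the inbound block rule, and confirm the Defender settings pushed by Group Policy. It assumes the NetTCPIP, NetSecurity and Defender PowerShell modules are available (Windows 8.1 / Server 2012 R2 or later); port 4450 and the rule name ‘Block netcat’ are taken from Exercises 2 and 5.

```powershell
# Added example, not lab-supplied. Run as Administrator on the Client VM.
$BackdoorPort = 4450          # port found open in Exercise 2
$RuleName     = 'Block netcat'  # rule name used in Exercise 5

# 1. Identify what is listening on the port. Unlike Task Manager, this
#    ties the socket directly to the owning process and its image path.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $BackdoorPort -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        "Listener on TCP/$BackdoorPort : PID $($conn.OwningProcess) $($proc.ProcessName) ($($proc.Path))"
    }
} else {
    "No process is listening on TCP/$BackdoorPort"
}

# 2. Block inbound connections to the port (same effect as the GUI rule).
#    Skip creation if the rule already exists so the script is re-runnable.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $BackdoorPort -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 3. Verify that the Exercise 4 policy settings are in effect on this host:
#    all three should report True once the GPO has applied.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled
```

Run `gpupdate /force` first if step 3 still shows the pre-policy values.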

Exercise 6: Completing the Lab

All three VMs were reverted to the ‘pre-lab’ snapshot
