Exercise 1: Activating a Trojan
Ran GTSLEARNING-setup
Installed ‘Odysseus’
Immediately after installation, Windows Defender popped up saying that it had detected malware. Also after installation, the Minesweeper game opened on the desktop
Went into Defender, scanned and found the offending file: Virus:DOS/EICAR_Test_File
Looked in Task Manager > Processes for anything unusual; under Apps it shows ‘Entertainment Pack Minesweeper’
In Event Viewer, inspected the Windows Application and System logs; in the Application log, several Security-SPP processes started after the installation of ‘Odysseus’ completed
In the System log, no suspicious activity shows up since the installation
Inspected the Inbound Rules in Windows Firewall; nothing unusual noticed
Exercise 2: Exploiting the Trojan
Connected to VM-Rogue and opened network scanner
Found 3 live hosts and the Client IP (10.1.0.128) with an open port (4450)
Opened PuTTY and proceeded to connect to the client
PuTTY connected to the command prompt of the client and accessed system files…
…as well as running the shutdown/restart prompt, which caused the client to shut down
Exercise 3: Blocking the Trojan
Attempted to connect to the client again while the client was logged off, which was unsuccessful
Logged into the client and went into Task Manager, found the ‘ini’ file that was added to the registry by ‘Odysseus’ and inspected the script
Disabled both ‘Service Firewall’ rules in Windows Firewall
Was unable to reconnect from Rogue to the Client
Exercise 4: Deploying Malware Protection
Opened the Server console, went into Server Manager and then to ‘Group Policy Management’
Navigated through the classroom Domain Policy…
…to Windows Defender and disabled the options ‘Turn off Windows Defender’ and ‘Turn off routine remediation’…
…as well as disabling the ‘Turn off Real-time protection’ option
Exercise 5: Using the Anti-Virus Software
Opened the Client and looked for the ‘diary’ file, but Defender had already deleted it
Went into Defender, which showed PC status: Protected
Went into Defender ‘History’ to inspect the ‘Virus’ file
Did a ‘Quick’ scan, which didn’t show any threats, then started a ‘Full’ scan
While the ‘Full’ scan was running, went back to ‘Rogue’ and tried to reconnect to the ‘Client’, which, despite the LAB notice, didn’t work
Opened ‘Firewall’ and, according to the LAB instructions, configured a new rule in the ‘Inbound Rules’…
…to ‘Block netcat’
After enabling the new rule, ‘PuTTY’ in ‘Rogue’ couldn’t connect to the ‘Client’
Back in the ‘Client’, the ‘Defender’ scan had finished and showed the infections
The infections were then ‘removed’ by ‘Defender’
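The ‘Block netcat’ inbound rule from Exercise 5, and the check a defender would do first, as an added PowerShell example (not part of the lab write-up or the lab's own material). It assumes the lab's port 4450 and the rule name ‘Block netcat’, and is run in an elevated PowerShell on the Client VM.

```powershell
# Added example, not from the lab: find what listens on the Trojan's port, block it
# with an inbound firewall rule, then verify the rule and Defender's real-time state.
# Assumptions: port 4450 (from the Rogue network scan) and rule name 'Block netcat'.

$Port     = 4450             # port the network scanner found open on the Client (10.1.0.128)
$RuleName = 'Block netcat'   # rule name given in the lab instructions

# 1. Identify the listener and its owning process before touching the firewall,
#    so the blocked port can be tied back to a file for Defender to clean up.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        "TCP $Port is open: PID $($conn.OwningProcess) ($($proc.ProcessName)) path: $($proc.Path)"
    }
} else {
    "Nothing is currently listening on TCP $Port (the listener may only start when the Trojan runs)"
}

# 2. Create the inbound block rule only if it does not already exist (idempotent).
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Lab rule: block inbound connections to the Trojan listener' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# 3. Verify the rule is enabled and actually carries the expected port filter.
$rule       = Get-NetFirewallRule -DisplayName $RuleName
$portFilter = $rule | Get-NetFirewallPortFilter
"Rule '$($rule.DisplayName)': Enabled=$($rule.Enabled) Action=$($rule.Action) LocalPort=$($portFilter.LocalPort)"

# 4. Confirm the Exercise 4 policy took effect: Defender and real-time protection on.
$status = Get-MpComputerStatus
"Defender: AntivirusEnabled=$($status.AntivirusEnabled) RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"
```

Re-running the PuTTY connection from ‘Rogue’ after step 3 should fail the same way the GUI rule made it fail.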
Exercise 6: Completing the Lab
All three VMs were reverted to the ‘pre-lab’ snapshot