Malware Infection Containment Lab

Lab overview 

Simulate a workstation compromise by malware; practice detection, containment, forensic evidence collection, eradication, recovery, and reporting.

 Learning objectives

• Detect and triage a suspected malware infection using logs and endpoint telemetry.
• Apply safe containment steps that preserve evidence.
• Collect key forensic artifacts (memory, disk, registry, network).
• Decide eradication vs. remediation strategies (re-image vs. clean).
• Produce a concise incident report and remediation plan.

Environment & prerequisites

• Virtual lab network with at least: 1 Windows 10/11 VM (victim), 1 Linux VM (analyst/tools), 1 simulated mail/web gateway (or log generator), and a SIEM/ELK/Graylog ingesting logs.
• EDR agent installed on Windows VM (or simulated EDR alert logs).
• Snapshot/backup capabilities for each VM.
• Tools on analyst box: PowerShell, Sysinternals (Procmon, Autoruns, PsExec), Volatility/rekall (for memory), file hash tool (sha256sum / Get-FileHash), Wireshark/tcpdump, and a file server to stage evidence.
• Instructor creates a restore point/snapshot before the exercise.

 Scenario (for students)

At 09:08 local time a user reports that their machine is slow and a browser window keeps redirecting to an unfamiliar site. EDR has generated an alert: “Suspicious child process spawned from Word” and the mail gateway logged delivery of an attachment Invoice_447.docx at 09:02. Network proxy logs show outbound HTTP connections to 198.51.100.70 starting at 09:05.

Artifacts provided to students

(These are handed out as files or log excerpts; instructors can paste in chat or load into the SIEM.)

1. Mail gateway entry (excerpt)

2025-10-08T09:02:12Z msgid=abc123 from=spoof@vendor.com to=user@corp.local subj="Invoice 447" attachment=Invoice_447.docx action=DELIVER

2. EDR alert (excerpt)

2025-10-08T09:05:20Z Host=WIN-01 AlertID=EDR-9342 Description="Process spawn: winword.exe -> cmd.exe -> powershell.exe -EncodedCommand" Severity=High

3. Network proxy logs (excerpt)

2025-10-08T09:05:28 10.0.0.25 -> 198.51.100.70 :80 GET /update/check
2025-10-08T09:06:05 10.0.0.25 -> 198.51.100.70 :80 POST /upload  Content-Length=2,560,000

4. Host process list (simulated)

PID  Description
1000  System Idle
2480  explorer.exe
3156  winword.exe
3301  cmd.exe
3333  powershell.exe -EncodedCommand
4012  svchost.exe

5. Basic file system hits (simulated)

C:\Users\user\Downloads\Invoice_447.docx
C:\Windows\Temp\payload.exe
C:\Users\user\AppData\Roaming\config.tmp  (recent write)

6. Sample suspicious hashes (fake)

• payload.exe — SHA256: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
• config.tmp — SHA256: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

 Student tasks (step-by-step)

Work through these and document each action in the incident log.

Triage (first 0–15 minutes)

1. Review artifacts (mail log, EDR alert, proxy logs). Identify immediate IOC candidates.
2. Decide initial containment: isolate host from network? suspend process? take snapshot?

Evidence collection (15–45 minutes)

3. Preserve a snapshot of the VM (instructor creates snapshot).
4. Collect volatile data (memory image) safely. Commands examples:
   • Windows (collection command example — do not run in production without approval):
     • C:\> procdump -ma 3333 C:\evidence\powershell_3333.dmp
     • C:\> mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit > C:\evidence\creds.txt (in controlled lab only)
   • Linux analyst box (copy memory file): scp win-memory.raw analyst@10.0.0.50:/evidence/
5. Collect host artifacts:
   • Running processes list (tasklist / Get-Process).
   • Autoruns/Startup registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
   • Recent files in temp and Downloads.
   • PowerShell history (if present): Get-Content (Get-PSReadlineOption).HistorySavePath.
   • Browser history / recent URLs.
6. Hash suspect files and move them to evidence store:
   • PowerShell: Get-FileHash C:\Windows\Temp\payload.exe -Algorithm SHA256
   • Copy to evidence share: Copy-Item C:\Windows\Temp\payload.exe \\evidence\host-win01\

Containment & eradication (45–90 minutes)

7. Decide containment method:
   • Recommended: Isolate host from network (switch port down or block at NAC), leave host running for evidence.
   • Alternative: Enable block in EDR (quarantine file) but preserve memory snapshot first.
8. If malware confirmed and lateral risk low: re-image host after evidence collection. If limited and safe: remove persistence, delete payload, and harden.

Investigation (90–120 minutes)

9. Analyze memory dump for injected processes, suspicious command lines, or network connections (use Volatility or Rekall). Identify any credentials or suspicious modules loaded.
10. Correlate with network logs: was there data exfiltration? Check proxy logs for large POSTs to 198.51.100.70.

Reporting & remediation (final 30 minutes)

11. Build incident timeline and severity assessment.
12. Provide containment, eradication, recovery, and prevention recommendations (e.g., block sender domain, add IOC to EDR/SIEM, deploy IOC-based hunts).

Instructor answers / expected observations (concise)

• Suspicious indicators: Invoice_447.docx delivered; Word spawned cmd.exe -> powershell.exe; unknown payload.exe in C:\Windows\Temp; outbound POST with large content to 198.51.100.70.
• Likely attack flow: Malicious doc (macro/embedded dropper) → powershell downloads/executes payload.exe → payload staged config (config.tmp) → data staged and exfiltrated via HTTP POST.
• Immediate containment actions (recommended):
  1. Isolate host from network (NAC or switch port down) to stop exfiltration while preserving VM runtime.
  2. Snapshot VM & collect memory image.
  3. Quarantine identical emails and block sender domain + URLs in proxy.
  4. Reset credentials for accounts used on the host (if credential theft suspected).
• Forensics to demonstrate: Memory contains suspicious process injection; file hashes match “malicious” list; proxy shows 2.5 MB POST indicating likely exfiltration.
• Eradication decision: Re-image host (recommended) — faster, more certain. If re-imaging not possible, remove persistence, clean registry, verify with AV/EDR, then monitor for 7–14 days.
• Prevention steps: Block sender domain, enable macro-blocking in mail gateway, enforce MFA, increase mail filtering, deploy time-of-click URL analysis.

 Evidence collection & safe commands (cheat sheet)

Windows (run as admin; lab only):

• Snapshot host via hypervisor.
• Collect running processes: tasklist /v > C:\evidence\tasklist.txt
• Get network connections: netstat -ano > C:\evidence\netstat.txt
• Hash file: Get-FileHash C:\Windows\Temp\payload.exe -Algorithm SHA256 | Out-File C:\evidence\hash_payload.txt
• Export registry run keys: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" C:\evidence\run_hkcu.reg
• Copy relevant files: Copy-Item C:\Windows\Temp\payload.exe -Destination \\evidence\host-win01\payload.exe

Linux analyst workstation (examples):

• Capture network traffic: tcpdump -w capture.pcap host 10.0.0.25 and not port 22
• Analyze pcap with tshark/wireshark.
• Hash verification: sha256sum payload.exe
• Use Volatility: volatility -f win-memory.raw --profile=Win10x64_19041 pslist

Safety note: Only collect memory and run intrusive tools inside controlled lab environments. Don’t run suspicious binaries on analyst machines.

Artifacts to submit (student deliverables)

• Incident timeline (bullet list with timestamps).
• Containment actions taken and why.
• Evidence collected: file hashes, memory dump name, registry exports, netstat, proxy logs.
• Root-cause hypothesis and confidence level.
• Remediation plan (short) and suggested IOC blocklist.
• One-page incident summary for management.

 Grading rubric (100 points)

• Triage & Decision Making — 20 pts (did they isolate and snapshot appropriately?)
• Evidence Collection — 25 pts (memory, file, registry, network artifacts captured and hashed)
• Forensic Analysis — 20 pts (clear identification of malware behavior and IOCs)
• Remediation Plan — 15 pts (re-image vs. clean justification; account resets)
• Communication & Reporting — 10 pts (concise timeline and management summary)
• Post-Incident Controls — 10 pts (suggested improvements like mail controls, MFA, detection rules)

Pass = ≥ 75 / 100

Sample instructor-provided IOC blocklist (paste into EDR/SIEM)

• 198.51.100.70 (malicious C2 / exfil domain)
• spoof@vendor.com and vendor.com (sending domain)
• payload.exe SHA256: aaaaaaaa...
• config.tmp SHA256: bbbbbbbb...
• URL path pattern: /update/check and /upload

(These are lab values — replace with real IOCs in production.)

Extensions / challenge variants

• Lateral movement: Add SMB authentication attempts from the host to other interior hosts. Students must find and stop lateral spread.
• Encrypted exfil: Exfil via HTTPS to a legitimate CDN — requires DNS + UEBA correlation.
• Insider twist: The infected host later shows an active authenticated session from suspicious geolocation; students must tie it to credential theft.
• SOAR automation: Students write a simple playbook: isolate host, collect artifacts, create ticket, notify user manager.

 Post-lab debrief questions (for discussion)

• What early signals were most valuable? (EDR process spawn, proxy POST size, mail gateway show)
• Were containment choices balanced between evidence preservation and limiting damage?
• If this hit production, which executive stakeholders should be notified and when?
• What telemetry could have detected this earlier?