Typical applications running on a Windows machine in an enterprise environment play an essential role in the day-to-day life of an organisation. However, threat actors can abuse these same applications, posing significant risks to the organisation's security. Given this, it is crucial to review the applications installed on a host during an incident investigation, as doing so may surface notable findings.
Learning Objectives
In this room, we will learn to analyse a live Windows machine, focusing on hunting unusual behaviours in common applications abused by threat actors and typical applications installed on enterprise workstations. In addition, we will tackle the following topics throughout the room:
- Build the mindset to conduct a live investigation on Windows applications.
- Inspect built-in applications and differentiate benign behaviours from malicious ones.
- Analyse artefacts from different browser applications and correlate the information gathered to existing host artefacts.
- Deep-dive on metadata generated by commonly used applications to determine potentially malicious activity.
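The first objective above starts with knowing what is actually installed on the host, including software that only one of the users who share the workstation installed into their own profile. The following PowerShell snippet is an added example, not part of the room's material or tooling: it enumerates the machine-wide (64-bit and 32-bit) and per-user Uninstall registry keys and flags entries a responder would normally look at first. The seven-day window and the "flag" conditions are illustrative assumptions, not detection rules, and the script assumes an elevated session on the live machine.

```powershell
# Added example (not part of the room): enumerate installed applications from the
# machine-wide and per-user Uninstall registry keys and flag entries that a
# responder would normally want to look at more closely.
# Assumptions: elevated PowerShell session on the live host; the triage
# heuristics below are illustrative, not a detection rule.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',            # 64-bit apps
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' # 32-bit apps on 64-bit Windows
)

# Per-user installs live under HKEY_USERS\<SID>\...; only profiles that are
# currently loaded (logged-on users) are visible here. The hives of users who
# are not logged on (NTUSER.DAT) must be loaded first to be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$uninstallKeys += Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |   # real user SIDs, not *_Classes
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" }

$apps = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as a yyyyMMdd string; leave it empty if it does not parse.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Scope           = ($key -split '\\')[1] -replace '^$', 'HKLM'   # SID for per-user, else machine hive
                Hive            = ($key -split '\\')[0]                          # HKLM: or HKU:
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallDate     = $installed
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
                RegistryKey     = $_.PSChildName
            }
        }
}

# Illustrative triage heuristics (assumption, not a rule): installed in the last
# seven days, no publisher recorded, or installed outside Program Files
# (for example from a user profile or a temp directory).
$cutoff = (Get-Date).AddDays(-7)
$flagged = $apps | Where-Object {
    ($_.InstallDate -and $_.InstallDate -ge $cutoff) -or
    (-not $_.Publisher) -or
    ($_.InstallLocation -and $_.InstallLocation -notmatch '^[A-Z]:\\Program Files')
}

# Full inventory, newest first, then the shortlist. Keep the CSV on the machine;
# nothing is pulled off the host.
$apps | Sort-Object InstallDate -Descending |
    Format-Table Hive, Scope, Name, Version, Publisher, InstallDate, InstallLocation -AutoSize
$apps | Export-Csv -Path "$env:USERPROFILE\Desktop\installed_apps.csv" -NoTypeInformation

'--- Entries worth a closer look ---'
$flagged | Format-Table Hive, Scope, Name, Publisher, InstallDate, InstallLocation, UninstallString -AutoSize
```

Two caveats matter on a shared workstation like the one in this scenario. First, the Uninstall keys only cover software that registered an uninstaller; portable executables dropped into a profile directory never appear here and must be hunted through other artefacts (prefetch, Amcache, browser downloads). Second, the `UninstallString` and `InstallLocation` values tell you where the binary lives, which is the path to inspect, not to execute.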
Prerequisites
It is recommended that you complete the following rooms before proceeding with this one:
- Intro to Endpoint Security
- Windows Event Logs
- Digital Forensics and Incident Response Module
- Windows Incident Surface
Compromised Machine
Before we proceed with the following tasks, start the attached virtual machine by clicking the Start Machine button at the top-right of this task. The machine will start in Split-Screen view. If the VM is not visible, use the blue Show Split View button at the top of the page. You can also use the credentials below to access the machine remotely.

| Field | Value |
| --- | --- |
| Username | administrator |
| Password | Resp0nder! |
| IP Address | MACHINE_IP |
Your team has already prepared the compromised machine with standalone applications that can be used for the investigation. The tools are available as Desktop shortcuts or are pinned to the taskbar.
WARNING: Do not interact directly with the artefacts (such as URLs and domains), and do not pull the malicious samples (executables) out of the machine. Handle every artefact with care throughout the investigation.
Investigation Scenario
A startup company, Swift Spend Logistics LLC, has started to build a security team to support the expansion of its online presence. With this opportunity, you were able to land a job within the company as a security analyst.
One day, a critical alert was triggered from a workstation owned by the customer support department. However, three employees share this workstation on a rotating schedule, which means that any of them may have caused the infection.
Since your team is only starting to centralise the organisation's logs into a SIEM, your visibility into host events is still incomplete. Given that, you are tasked with conducting an immediate live investigation on the compromised machine while the disk and memory artefacts collected by your team finish downloading.