Scenario: Your endpoint security system flagged suspicious activity. A process named badprocess.exe is consuming unusual CPU resources. You suspect malware has been downloaded into the user's Downloads folder.

Objective: Investigate and remove the suspicious process and any related malicious files.

Learning Goals:

  • Understand how to list running processes and identify suspicious ones.
  • Terminate malicious processes safely.
  • Search the filesystem for potentially harmful files.
  • Remove malicious files and verify deletion.

  1. tasklist – List all running processes.
    Use tasklist to see all processes currently running on the system. Look for suspicious or unknown processes consuming high CPU or memory.
  2. taskkill /IM badprocess.exe /F – Terminate the malicious process.
    The /IM flag specifies the process name. The /F flag forces termination. Always verify the process before killing it to avoid stopping critical system tasks.
  3. dir /s /b C:\Users\username\Downloads – Search for suspicious files.
    The /s option searches all subdirectories, and /b provides a bare list of file paths. Use this to locate newly downloaded or unknown files.
  4. del /f /q suspicious_file.exe – Delete the suspicious file.
    The /f flag forces deletion of read-only files, and /q suppresses confirmation prompts. Only delete files after verifying they are malicious.

CLI Guidance: Enter each command in the CyberLab CLI above. The teaching note below will guide you through why each command is important and what to observe.

Scenario: Your server logs indicate repeated suspicious SSH login attempts, possibly a brute-force attack.

Objective: Investigate the source and block the unauthorized IP address to protect your system.

  1. sudo cat /var/log/auth.log | grep "Failed password"
    Explanation: This command checks the auth.log file for failed login attempts.
    Learning Note: Monitoring logs helps detect brute-force attempts. Attackers often try multiple username/password combinations to gain access.
  2. sudo ufw deny from 192.168.1.100
    Explanation: Blocks all traffic from the suspicious IP address using UFW (Uncomplicated Firewall).
    Learning Note: Blocking at the firewall level prevents the attacker from even reaching your SSH service.
  3. sudo systemctl restart ssh
    Explanation: Restarts the SSH service to ensure changes take effect.
    Learning Note: Restarting services is a common step after configuration or security changes.
  4. sudo ufw status
    Explanation: Confirms the firewall rule is applied and active.
    Learning Note: Always verify that security configurations are working as intended.
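The grep in step 1 prints raw lines; deciding which source to deny in step 2 needs a per-IP count. This added Python example (not part of the lab) aggregates failed-password lines by source address over a constructed auth.log excerpt and emits the matching ufw deny commands for an analyst to review; the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (illustrative, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2101]: Failed password for invalid user admin from 192.168.1.100 port 51022 ssh2
Mar  3 09:12:03 web01 sshd[2101]: Failed password for invalid user admin from 192.168.1.100 port 51023 ssh2
Mar  3 09:12:05 web01 sshd[2104]: Failed password for root from 192.168.1.100 port 51024 ssh2
Mar  3 09:12:06 web01 sshd[2106]: Failed password for root from 192.168.1.100 port 51025 ssh2
Mar  3 09:12:08 web01 sshd[2108]: Failed password for alice from 10.0.0.7 port 40212 ssh2
Mar  3 09:12:09 web01 sshd[2110]: Accepted publickey for alice from 10.0.0.7 port 40213 ssh2
Mar  3 09:12:11 web01 sshd[2112]: Failed password for invalid user test from 192.168.1.100 port 51026 ssh2
"""

# The same lines `grep "Failed password"` returns, with the source address captured.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def failed_logins_by_ip(log_text):
    """Count failed-password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def brute_force_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, most active first.
    The threshold is an assumption; tune it to the host's normal failure rate."""
    counts = failed_logins_by_ip(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def ufw_deny_commands(log_text, threshold=3):
    """Build the `ufw deny from <ip>` command for each flagged source.
    Returned as strings for review, not executed."""
    return [f"sudo ufw deny from {ip}" for ip, _ in brute_force_sources(log_text, threshold)]

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed attempts")
    print("\n".join(ufw_deny_commands(SAMPLE_AUTH_LOG)))
```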

Scenario: Your monitoring system has flagged unusual outbound traffic to the IP address 203.0.113.25. This could be an indication of data exfiltration or communication with a command-and-control server.

Objective: Capture the network traffic for analysis, review the findings, and block the suspicious IP to prevent further communication.

  1. sudo tcpdump -i eth0 host 203.0.113.25 -w capture.pcap
    Explanation: Captures all traffic between your system and the suspicious IP (203.0.113.25) and saves it into a file called capture.pcap.
    Learning Note: Capturing packets allows forensic investigation of traffic patterns, protocols used, and potential malicious payloads.
  2. tcpdump -r capture.pcap
    Explanation: Reads and displays the contents of the packet capture file.
    Learning Note: Reviewing captured traffic helps determine whether the IP is part of legitimate communication or linked to malicious activity.
  3. sudo iptables -A OUTPUT -d 203.0.113.25 -j DROP
    Explanation: Creates a firewall rule to drop all outbound traffic to the suspicious IP address.
    Learning Note: Blocking malicious IPs at the firewall level helps immediately stop data leaks or further attacker communication.
  4. sudo iptables -L -v
    Explanation: Lists current firewall rules with packet counters, confirming the new block rule is active.
    Learning Note: Verification is essential—always check that mitigation steps are properly applied and effective.
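tcpdump -r in step 2 shows the capture packet by packet; as an added example (not from the lab), this Python script parses the libpcap format directly so the volume of traffic to and from 203.0.113.25 can be counted before the iptables rule is added. The capture bytes are constructed inline, and the parser assumes the classic little-endian pcap with Ethernet frames that tcpdump -w writes on a typical x86 Linux host.

```python
import socket
import struct
from collections import Counter

SUSPICIOUS_IP = "203.0.113.25"

def _ipv4_frame(src, dst, proto=6, payload=b"\x00" * 20):
    """Minimal Ethernet + IPv4 frame for the constructed capture (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def _pcap(frames):
    """Classic libpcap container: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture: three packets exchanged with the flagged host plus one unrelated DNS packet.
SAMPLE_PCAP = _pcap([
    _ipv4_frame("10.0.0.5", SUSPICIOUS_IP),
    _ipv4_frame(SUSPICIOUS_IP, "10.0.0.5"),
    _ipv4_frame("10.0.0.5", SUSPICIOUS_IP),
    _ipv4_frame("10.0.0.5", "10.0.0.53", proto=17),
])

def ipv4_flows(pcap_bytes):
    """Yield (src, dst, protocol) for every IPv4 packet in a little-endian classic pcap."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap, as tcpdump -w writes on x86")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            # IPv4 header begins at byte 14: protocol at +9, source at +12, destination at +16
            yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[23]

def traffic_with_host(pcap_bytes, host):
    """Count packets sent to (outbound) and received from (inbound) `host`."""
    counts = Counter()
    for src, dst, _ in ipv4_flows(pcap_bytes):
        if dst == host:
            counts["outbound"] += 1
        elif src == host:
            counts["inbound"] += 1
    return dict(counts)
```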

Scenario: A user reports receiving a suspicious email that may be a phishing attempt. You need to analyze the email headers and contents to confirm whether it is malicious.

Objective: Investigate the suspicious email by reviewing its subject, searching for keywords, and identifying the sender details.

  1. cat emails/inbox.eml | grep "Subject"
    Explanation: Extracts the subject line of the email from the raw .eml file.
    Learning Note: Phishing emails often use urgent or alarming subject lines to trick users into clicking malicious links.
  2. grep -i "suspicious" emails/inbox.eml
    Explanation: Searches the email file for the keyword "suspicious" (case insensitive).
    Learning Note: Keyword searches help quickly identify malicious links, attachments, or red-flag terms commonly used in phishing campaigns.
  3. cat emails/inbox.eml | grep "From"
    Explanation: Displays the sender's email address from the headers.
    Learning Note: Attackers often spoof legitimate-looking email addresses. Comparing the “From” address to the actual sending domain is crucial in detecting phishing attempts.
  4. grep -i "http" emails/inbox.eml
    Explanation: Searches for URLs inside the email body.
    Learning Note: Malicious phishing emails frequently include fraudulent links that redirect to credential-harvesting websites.
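The four grep commands above each pull out one indicator. As an added example (not part of the lab), this Python script uses the standard email module on a constructed .eml to gather the same indicators in one report, including the From-versus-Return-Path domain comparison that the learning note for step 3 calls for. The addresses, domains and keyword list are constructed assumptions.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (illustrative only; example.com and .test are reserved names).
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.test>
From: "IT Support" <it-support@example.com>
To: user@example.com
Subject: URGENT: Your password expires today
Content-Type: text/plain; charset="utf-8"

Your account will be suspended. Verify now at
http://example-com-login.test/verify?id=123
Regards, IT Support
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENT_WORDS = ("urgent", "suspend", "verify", "expire", "immediately")  # assumed list

def _domain(addr_header):
    """Domain part of an address header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def extract_urls(msg):
    """URLs in the first text body part (plain preferred, then HTML)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []

def phishing_indicators(raw_eml):
    """One structured report for the header and keyword checks the lab performs with grep."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    subject = str(msg.get("Subject", ""))
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    urls = extract_urls(msg)
    return {
        "subject": subject,
        "urgent_subject": any(w in subject.lower() for w in URGENT_WORDS),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # Visible From domain differing from the envelope sender is a classic spoofing sign
        "sender_mismatch": bool(rp_dom) and from_dom != rp_dom,
        "urls": urls,
        # Links that do not point at the claimed sender's domain deserve a closer look
        "off_domain_links": [u for u in urls if from_dom and from_dom not in u.lower()],
    }
```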

Scenario: A ransomware attack has encrypted files in a user’s home directory. Investigate the infected files, move them to a quarantine folder, and collect hashes for analysis.

  1. find /home/user -type f -name "*.locked"

    Explanation: Searches the /home/user directory for files ending with .locked, which is a common ransomware extension. Helps locate all encrypted files.

  2. mkdir -p /home/user/quarantine

    Explanation: Creates a quarantine folder to safely store suspicious files without deleting them.

  3. mv /home/user/*.locked /home/user/quarantine/

    Explanation: Moves all encrypted files into the quarantine folder to isolate them from the rest of the system, preventing accidental execution or spreading.

  4. sha256sum /home/user/quarantine/*.locked > ransomware_hashes.txt

    Explanation: Generates SHA-256 hashes of the quarantined files and saves them into ransomware_hashes.txt. Useful for malware identification and cross-referencing threat intelligence databases.

  5. ls -lh /home/user/quarantine/

    Explanation: Lists the quarantined files with details like size and permissions, useful for documentation and further analysis.

  6. file /home/user/quarantine/sample.locked

    Explanation: Inspects the file type of an encrypted sample to confirm its format. Provides clues about the ransomware behavior.
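Step 1 searches recursively while the mv in step 3 only moves .locked files in the top level of the home directory. This added Python example (not from the lab) quarantines recursively while keeping relative paths, writes the SHA-256 manifest of step 4, and adds a byte-entropy reading as a complement to the file check in step 6; the sample home directory is constructed in a temporary folder.

```python
import hashlib
import math
import shutil
import tempfile
from pathlib import Path

def shannon_entropy(data):
    """Bits per byte: encrypted or compressed content sits near 8.0, plain text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def quarantine_locked_files(home, quarantine, ext=".locked"):
    """Move every *.locked file under `home` (recursively, unlike a top-level mv) into
    `quarantine`, keeping relative paths, and write a SHA-256 manifest.
    Returns {relative_path: (sha256_hex, entropy)}."""
    home, quarantine = Path(home), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(home.rglob("*" + ext)):  # list is built before any file moves
        if not path.is_file() or quarantine in path.parents:
            continue  # skip files already quarantined on an earlier run
        data = path.read_bytes()
        rel = path.relative_to(home)
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(path), str(dest))
        manifest[str(rel)] = (hashlib.sha256(data).hexdigest(), round(shannon_entropy(data), 2))
    (quarantine / "ransomware_hashes.txt").write_text(
        "".join(f"{h}  {rel}  entropy={e}\n" for rel, (h, e) in manifest.items()))
    return manifest

def demo():
    """Constructed home directory: one nested .locked file, one top-level, one untouched document."""
    root = Path(tempfile.mkdtemp())
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_text("meeting notes")
    (root / "Documents" / "report.docx.locked").write_bytes(bytes(range(256)) * 4)  # max entropy
    (root / "top.locked").write_bytes(b"A" * 1024)  # single byte value, entropy 0
    return quarantine_locked_files(root, root / "quarantine")
```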

Mitigation / Next Steps:

  • Restore files from a verified backup if available.
  • Report the incident to your Security Operations Center (SOC) or IT security team.
  • Check for available decryptors from reputable sources if this ransomware strain is known.
  • Perform a full system scan to ensure no residual malware remains.
  • Update security policies and educate users to prevent future ransomware infections.

Scenario: Suspicious activity has been detected on the system. There is evidence that a user may be attempting unauthorized privilege escalation to gain administrative rights.

Objective: Investigate potential privilege escalation, verify user activity, and secure the system by locking compromised accounts.

  1. sudo cat /var/log/auth.log | grep sudo

    Explanation: Checks the auth.log for any usage of sudo. Helps identify unauthorized or unusual attempts to execute commands with elevated privileges.

    Learning Note: Monitoring sudo usage is critical to detect privilege abuse and insider threats.

  2. last | grep username

    Explanation: Shows the login history for a specific user to determine if there were abnormal login times or multiple access attempts.

    Learning Note: Reviewing login patterns can reveal compromised accounts or suspicious activity from specific users.

  3. sudo usermod -L suspicioususer

    Explanation: Locks the suspicious user account to prevent further access while investigation is ongoing.

    Learning Note: Immediate account lockdown is a standard incident response step to limit damage.

  4. sudo passwd -S suspicioususer

    Explanation: Checks the status of the user account to confirm it is locked.

    Learning Note: Verification ensures that mitigation steps were correctly applied.

  5. sudo chage -l suspicioususer

    Explanation: Lists account expiration and password change information to check for irregularities that could indicate tampering.

    Learning Note: Account policies can be abused to maintain unauthorized access; always review for anomalies.

  6. sudo tail -n 50 /var/log/auth.log

    Explanation: Displays the last 50 lines of the authentication log for real-time insights into recent login attempts or sudo activity.

    Learning Note: Rapidly reviewing recent logs can help spot ongoing attacks or repeated intrusion attempts.
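grep sudo in step 1 returns every sudo line; this added Python example (not part of the lab) parses those lines over a constructed auth.log excerpt, separating successful commands from "NOT in sudoers" and password-failure entries, and flags users who were refused or who successfully ran commands that change who can escalate. The sensitive-command pattern list is an assumption to adapt to your environment.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (illustrative, not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  4 14:01:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 14:03:52 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  4 14:04:10 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd root
Mar  4 14:05:30 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Mar  4 14:06:02 host1 sshd[3120]: Accepted password for bob from 10.0.0.9 port 50112 ssh2
"""

# sudo's log line: "<user> : [<failure reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<failure>[^;]*?) ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Successful commands that change who may escalate; assumed watchlist, extend for your environment.
SENSITIVE_RE = re.compile(r"(/etc/sudoers|\bvisudo\b|\busermod\b|\bpasswd\b)")

def sudo_events(log_text):
    """Group sudo log lines by invoking user as (status, target_user, command) tuples."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        failure = m.group("failure")
        if failure is None:
            status = "ok"
        elif "NOT in sudoers" in failure:
            status = "not_in_sudoers"
        else:
            status = "auth_failure"
        events[m.group("user")].append((status, m.group("target"), m.group("cmd").strip()))
    return dict(events)

def suspicious_users(log_text):
    """Users with refused or failed sudo attempts, or successful sensitive commands, with reasons."""
    report = {}
    for user, evs in sudo_events(log_text).items():
        reasons = [f"{status}: {cmd}" for status, _, cmd in evs if status != "ok"]
        reasons += [f"sensitive: {cmd}" for status, _, cmd in evs
                    if status == "ok" and SENSITIVE_RE.search(cmd)]
        if reasons:
            report[user] = reasons
    return report
```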

Mitigation / Next Steps:

  • Lock any compromised accounts and review all users with sudo privileges.
  • Force a password reset for the affected user accounts.
  • Review system and application logs for suspicious activity across all services.
  • Apply security patches and ensure the system follows the principle of least privilege.
  • Educate users and administrators on proper privilege management and warning signs of escalation attempts.
  • Document the incident and incorporate findings into your incident response plan to prevent future escalation attempts.
