3 - Malicious Code Flashcards
Given scenarios, analyze potential indicators to determine type of attack - and potential indicators associated with network attacks
A system has been compromised via insider. If a developer’s access was terminated and the org does not believe that they would have had access to any systems or code after they left the org, what type of malware should a SECOFF look for?
Logic Bomb
Naomi believes that an attacker has compromised a Windows workstation using a file-less malware package. What Windows scripting tool was most likely used to download and execute the malware?
PowerShell
Scott notices that one of the systems on his net contacted a number of systems via encrypted web traffic, downloaded some files, and then uploaded a large amount of data to a remote system. What type of infection should he look for?
Bot
Amanda notices traffic between her system and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
Command and Control
Mike discovers that attackers have left software that allows them remote access to systems on a pc in his company’s net. How should he describe or classify this malware?
Backdoor.
Naomi wants to provide guidance on how to keep her organization’s new machine learning tools secure. What are the common means of securing machine learning algorithms?
Use high-quality source data, secure your work environment, and review/test any changes
What type of malware is adware typically classified as?
PUP
Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives several different answers for what the malware package is. What has occurred?
Different vendors use different name for malware packages
Nancy is concerned that there is a software keylogger on the system she is investigating. What data has been stolen?
Keyboard and other inputs from the user
Crypto malware is a type of what sort of malware?
Ransomware
Rick runs a virus scan to attempt to find a rootkit, but he finds nothing. If he has other data that indicates the system is infected, what should his next step be if he wants to determine the malware used?
Mount the drive on another system (in read-only) and scan it that way
Tracy is concerned about attacks against the machine learning algorithm that her org is using to access their network. What step should she take to ensure her baseline data is not tainted?
She should run the ML algorithm on the network only if she believes it is secure
Selah wants to ensure the malware is completely removed from a system. What should she do to ensure this?
Wipe the drive and reinstall from known good media
What type of malware is frequently called stalkerware because of its use by those in intimate relationships to spy on their partners?
RAT
Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
Open the file using a text editor to review the code