Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

SANS SEC504 > 504.1 > Flashcards

504.1 Flashcards

1
Q

PICERL

A

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Preparation

A

All the things an organization does before an incident. Including policy, procedure, introducing internal monitoring, security best practices, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Identification

A

When the incident is identified. Maybe through an IDS, customer report

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Containment

A

There are several ways to contain an incident. short and long term containment with evidence collection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Eradication

A

Undoing the damage the attackers did. Killing attacker processes, changing passwords, removing malicious data, launching fraud investigations etc

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Recovery

A

Steps taken to get business systems back up and running.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Lessons Learned

A

When the final report is written, and the vulnerabilities the threat actors exploited are fixed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Cyber Chef

A

Tool for transforming encoded data to its natural state for analysis.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

wmic

A

used to search for processes. search for running processes that have base 64 encoded command line options, especially powershell.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

netstat

A

use to search for listening and active tcp and udp ports.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

ASEPs

A

registry and file locations that can be used to start software without a user taking a specific action to activate it.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Process explorer

A

gives detailed information for running processes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Autoruns

A

gives list of autostart extensibility points

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

process monitor

A

Shows file system,registry, network, and process information in real time

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

TCPView

A

maps listening and active tcp and udp activity to the associated applications

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Sysmon

A

collects detailed event information for system monitoring and analysis

17
Q

procdump

A

cli tool to capture memory for a running process for analysis

18
Q

tcpdump

A

command line tool to capture and display network traffic

19
Q

Volatility

A

python framework and tool for analyzing images of memory

20
Q

winpmem

A

tool used to capture RAM from a windows system, which can the be analyzed.

21
Q

RegShot

A

takes and compares a snapshot of the registry and the file system then provides a summary of changes between first and second snapshots after running malware

22
Q

Scoping

A

Determine where threat actors are for proper containment. Scan networks for known IOCs

23
Q

Velociraptor

A

Server software for data collection and analysis to help with scoping. Query’s file system, registry, runs remote commands, interrogate client artifacts

24
Q

Berkeley Packet Filters

A

Specialized language to filter network packets

25
Q

certutil

A

calculate the MD5 hash of a file on windows

SANS SEC504 (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions