504.5

Question 1

Ghost

Answer 1

Modifying the assembly of an executable in order to bypass an EDR systems by inserting junk code. The junk code modifies the program but with no lasting changes to how the program executes.

Question 2

Defender Check

Answer 2

Takes a malicious file and scans it on a local windows 10 machine with windows Defender. If the file code raises an alert it will split the code into 2 smaller chunks and scan each piece independently while discarding the code that did not trigger the alarm.

Question 3

Metasm Framework

Answer 3

Tool that uses scripts to disassemble payload raw source code into ASCII assembly source code.

Question 4

Keyed Payloads

Answer 4

A technique where the payload is encrypted using a key that is taken from an environment variable.

Question 5

Live of the Land

Answer 5

Instead of adding third party executables, the attacker reuses existing tools to accomplish their goals. Because these existing tools are generally considered non-malicious by the infected OS.

Question 6

MSBuild

Answer 6

A built-in tool for building and executing C, C++, C# code. An attacker can use MSBuild to run code written in any of these languages by compiling and running a source file.

Question 7

Hijacking Attack

Answer 7

An adversary responds to system requests for services and pretends to be the legitimate system

Question 8

Responder

Answer 8

Hijacking tool that impersonates servers and harvest credentials. (works with SMB and other protocols)

Question 9

UTMP File

Answer 9

Unix file for storing info about all users currently logged into the system.

Question 10

wmtp file

Answer 10

stores information about all the users who have ever logged on to the machine

Question 11

btmp file

Answer 11

stores information about bad login attempts. often disabled by sysadmins because a file would be left around containing passwords in clear text if users entered passwords into username field and vice versa.

Question 12

lastlog file

Answer 12

shows information associated with the most recent login time and date for each user.

Question 13

Persistence goals

Answer 13

1) Regain Access
2) Avoid Detection
3) Preserve Privileges
4) Flexible in reestablishing access

Question 14

persistence_service

Answer 14

metasploit module for automating the process of creating a service and automatically running an automatically-generated payload written to a temporary directory

Question 15

silent exit process

Answer 15

Target process can be launched when another process exits. intended for developers to use to launch a debugger process when a target process terminates (normally or unexpectedly)

Question 16

Real Intelligence Threat Analytics (RITA)

Answer 16

Offline tool that uses statistical threat identification to analyze data over time for threat hunting instead of packet analysis. 24 hr packet capture is ideal.

Question 17

Exploded DNS Analysis

Answer 17

Shows you the unique sub-domain and reference count. Look for irregularly high number of sub-domains

Question 18

Security Token Service

Answer 18

AWS service that allows users to request temporary IAM credentials with limited privileges. Serves as a post-exploitation account enumeration technique for attackers

Question 19

WeirdAAL

Answer 19

Python script that automates the process of enumerating AWS access privileges and cloud assets.

Question 20

AzureStealth

Answer 20

Windows tool for enumerating shadow admin accounts.

Question 21

Pacu

Answer 21

AWS interrogation and attack framework similar to metasploit. Includes several exploit and enumeration modules.

Question 22

Cloud Mapper

Answer 22

Discovers and illustrates relationships in an AWS environment

Question 23

atbroker

Answer 23

a way to start malware through a trusted library (atbroker.exe) so an attacker can bypass endpoint protection