All Flashcards
Exam
Motive Types cybercrime
* Financial Gain
* Hacktivism
* Corporate Espionage
* Curiosity/Challenge
* Nation State-Sponsored Attacks
* Personal Vendetta
Victim Types
* Individuals
* Corporations/Businesses
* Government Institutions
* Critical Infrastructure
* Non-Profit Organizations
Perpetrator Types
* Individual Hackers
* Organized Cybercriminal Groups
* Hacktivists
* State-Sponsored Actors
* Script Kiddies
What means or methods are used for cybercrime?
Latest Trends
+ Phishing / Social Engineering
+ Malware
+ Exploiting Vulnerabilities
+ Insider Threats
Timeline/actions of a cybercrime attack
- Reconnaissance
- Initial breach
- Exploitation
- Execution
- Covering tracks
- Detection and response
- Investigation
Malware analysis process
Extracting the malware
Static analysis
Blackboxing (Dynamic analysis)
Internet search (OSINT)
White boxing (reverse engineering)
Common signs of malware infection
Slow performance
Frequent freezing or crashing
Diminished storage space
Unwanted pop-up advertisements
Modified or deleted files
New programs or icons
Changes in security settings
Unusual network activity
Browser changes
Unusual emails/social media messages
Programs running without consent
Error messages
Camera indicator light turns on or stays on unexpectedly
Suspicious applications appear
Malware spreading techniques
Phishing
Malvertising: malware delivered through online ads
Drive-by downloads: downloaded automatically when visiting a compromised site
Social engineering (more hands-on than phishing)
Malicious links on social media
Software bundling
RDP exploits (exposed Remote Desktop, weak or reused credentials)
Lateral movement
Typosquatting
Torrents and P2P sharing
Infected removable media
Exploiting unpatched vulnerabilities
Payload types
Destructive
Non-Destructive
Criminal
What destructive payload types are there?
Designed to cause damage to system, data, or networks
Ransomware: encrypts files and demands payment
Wiper malware: destroys data with no recovery intended
Viruses: attach to legitimate programs and corrupt/delete files
Worms: self-replicate and spread across networks, causing disruption
Non destructive malware payload types
Compromises privacy or performance without directly damaging data
Spyware: Monitors users
Adware: displays unwanted ads, tracks behavior
Trojan horses: Disguises as legit software to trick users
Fileless malware: operates in memory (e.g. via PowerShell or WMI), leaving little on disk
Criminal malware payloads
Designed for financial gain or illegal activities:
Cryptojacking: hijacks resources to mine crypto
Botnets: network of infected devices used for coordinated attacks
Keyloggers: record keystrokes to steal credentials
Backdoors: provide covert remote access to the system
PE structure
DOS header: starts with "MZ"; the e_lfanew field at offset 0x3C points to the PE header; followed by the DOS stub
PE header: "PE\0\0" signature, then the COFF file header (machine/architecture type, number of sections, characteristics) and the optional header (entry point, image base, alignments, data directories)
Section table: one 40-byte entry per section (.text, .data, .rdata, .rsrc etc.) with virtual address/size, raw file offset/size and characteristic flags (code, initialized data, read/write/execute)
.text = executable code
.data = initialized global variables
.rdata = read-only data (import/export info, constant strings)
.rsrc = resources (icons, strings, embedded files)
Data directories: import/export tables, resources, relocations, TLS etc., located through the optional header
PE structure and malware analysis
Malware can insert additional code into unused space of a PE file, typically the zero-filled alignment padding between a section's VirtualSize and its SizeOfRawData (code caves)
Section headers can be altered (sizes, characteristics such as making .data executable, entry point pointing outside .text) to cause unexpected behaviour or bypass detection
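As an added worked example (not part of the original flashcards or of any tool the deck mentions), the following standard-library Python walks the PE headers described above and applies three triage checks: the entry point should lie in an executable section, normally .text; no section should be both writable and executable; and the padding between a section's VirtualSize and SizeOfRawData should be zero-filled, since non-zero bytes there are the classic code-cave location. The sample image is hand-built inside the script and is not a runnable program; the offsets used (e_lfanew at 0x3C, AddressOfEntryPoint at offset 16 of the optional header, 40-byte section headers) come from the PE/COFF specification.

```python
"""Minimal PE parser (DOS header -> PE signature -> COFF file header ->
optional header -> section table) plus three triage checks: entry point
outside .text, writable+executable sections, and non-zero bytes in section
padding (a classic code-cave location).

Standard library only. build_sample_image() hand-builds a PE32+ skeleton
for this example; it is not a real or runnable program."""
import struct

# Section characteristic flags (names as in winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return machine, optional-header magic, entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                        # COFF file header, 20 bytes
    machine, nsect, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                            # optional header
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    table = opt + opt_size                                   # section table directly follows
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _rl, _ln, _nrl, _nln, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": sc})
    return {"machine": machine, "magic": magic, "chars": chars,
            "entry": entry, "sections": sections}


def find_anomalies(data):
    """Human-readable findings for the three checks."""
    pe = parse_pe(data)
    out = []
    for s in pe["sections"]:
        sc = s["chars"]
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]):
            if not sc & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
                out.append(f"entry point 0x{pe['entry']:x} lies in non-code section {s['name']}")
            elif s["name"] != ".text":
                out.append(f"entry point 0x{pe['entry']:x} lies in {s['name']}, not .text")
        if sc & IMAGE_SCN_MEM_WRITE and sc & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"section {s['name']} is writable and executable")
        # Linkers zero-fill the gap between VirtualSize and SizeOfRawData; non-zero
        # bytes there are a strong sign of a code cave.
        start, end = s["rawptr"] + s["vsize"], s["rawptr"] + s["rawsize"]
        if end > start and any(data[start:end]):
            out.append(f"non-zero bytes in padding of {s['name']} at file offset 0x{start:x}")
    return out


def build_sample_image():
    """Constructed PE32+ skeleton with a code cave in .text, a W+X .data section,
    and the entry point redirected into .data (all deliberate, for the demo)."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt_size = 240                                           # PE32+ optional header size
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 2, 0, 0, 0, opt_size, 0x0022)
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", img, opt + 16, 0x2010)            # entry point inside .data
    table = opt + opt_size
    sections = [
        (b".text", 0x100, 0x1000, 0x200, 0x200,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x100, 0x2000, 0x200, 0x400,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    ]
    for i, (name, vsize, va, rawsize, rawptr, sc) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, table + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, sc)
    img[0x200:0x208] = b"\x48\x83\xec\x28\x48\x31\xc0\xc3"   # a few real-looking code bytes
    img[0x300:0x304] = b"\x90\x90\xeb\xfe"                   # cave: code in .text's padding
    img[0x400:0x406] = b"hello\0"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    info = parse_pe(sample)
    print(f"machine=0x{info['machine']:x} magic=0x{info['magic']:x} entry=0x{info['entry']:x}")
    for s in info["sections"]:
        print(f"  {s['name']:8} va=0x{s['va']:x} vsize=0x{s['vsize']:x} "
              f"raw=0x{s['rawptr']:x}/0x{s['rawsize']:x} chars=0x{s['chars']:08x}")
    for finding in find_anomalies(sample):
        print("!", finding)
```

On a real sample, replace build_sample_image() with the file's bytes; the padding check is the cheapest code-cave detector there is, and an entry point in a non-.text section is worth a look even when a packer explains it.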
Static analysis, what aspects are analysed
Examines code and properties without execution
* Aspects analyzed:
+File Type
+File Hash
+Strings
+Embedded Elements
+Packer Information
+Imports and Exports
Static Analysis techniques used
Techniques Used
+ File Identification: Use ‘file’ or ‘sigcheck’
commands
+ Hashing: Calculate MD5, SHA1, SHA256 hashes
+ String Extraction: Use ‘strings’ command
+ Disassembly: Convert machine code to assembly
+ Code Analysis: Analyze for malicious patterns
+ Metadata Examination: Review file metadata
+ VirusTotal Submission: Scan against multiple AV
engines
Static analysis tools
PEstudio: PE header, imports and indicator overview
CFF Explorer: examines and edits PE file structure
YARA: pattern-based rule matching
Strings: extracts printable strings
FLOSS: recovers obfuscated and stack strings
capa: identifies capabilities from code patterns
ssdeep: fuzzy hashing for similarity between samples
Static analysis benefits and limitations
Benefits of Static Analysis
* Speed: Quick analysis without execution
* Safety: Avoids risks of running malware
* Comprehensive Insight: Examines entire code structure
* Detection of Known Threats: Identifies known malware families
Limitations of Static Analysis
* Inability to Detect Runtime Behavior: Misses dynamic threats
* Complexity with Obfuscation: Challenges with obfuscated code
* False Positives: May misidentify benign files as malicious
Packers, what are they?
Software tools that transform executable files so that the original code is only restored in memory at runtime
Aspects:
Compression / encryption / obfuscation
Types of packers:
Off-the-shelf (UPX, which is open source; ASPack and Themida, which are commercial)
Custom packers
Crypters
Indicated by high entropy (close to 8 bits per byte) in sections, very few imports (often only LoadLibrary/GetProcAddress), unusual section names and a small .text next to a large data section
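Added example (not from the page): computing Shannon entropy over whole files and per chunk, which is how the "high entropy" indicator above is actually measured. The plain-text and pseudo-packed inputs are constructed here; deterministic PRNG output stands in for compressed or encrypted code, and the 7.0 bits-per-byte threshold is a common rule of thumb, not a fixed standard.

```python
"""Shannon entropy as a packing/encryption indicator. Computed over the whole
file and per chunk, because a packed payload inside an otherwise normal file
only stands out locally. Inputs are constructed for this example (the
"packed" body is deterministic PRNG output standing in for compressed or
encrypted data)."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data, chunk=1024):
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_packed(data, threshold=7.0, min_fraction=0.5, chunk=1024):
    """Heuristic: packed/encrypted if at least min_fraction of chunks exceed threshold.
    Compressed resources, certificates and embedded archives also score high,
    so treat a hit as 'inspect imports and sections', not as a verdict."""
    profile = entropy_profile(data, chunk)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_fraction


# Constructed inputs.
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 100     # roughly 4.4 bits/byte
_rng = random.Random(20240601)                                         # fixed seed: deterministic
PSEUDO_PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))        # stands in for packed code
# A "packed PE" shape: low-entropy headers followed by a high-entropy body.
MIXED = b"MZ" + b"\x00" * 1022 + PSEUDO_PACKED

if __name__ == "__main__":
    for label, blob in (("plain text", PLAIN_TEXT), ("pseudo-packed", PSEUDO_PACKED), ("mixed", MIXED)):
        prof = " ".join(f"{e:.2f}" for e in entropy_profile(blob))
        print(f"{label:14} whole={shannon_entropy(blob):.2f} chunks=[{prof}] packed={looks_packed(blob)}")
```

Chunking matters: the whole-file entropy of MIXED is dragged down by its zero-filled header, but the per-chunk profile shows one low chunk followed by four high ones, which is exactly what a packed executable's section layout looks like.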
Tools to identify packers/packed data
PEiD
Detect it Easy (DIE)
Bintext
PE Explorer
CFF explorer
Autorun options for malware
Registry
Startup folders
Services
Browser helper objects
Scheduled tasks
Typical Windows 11 OS-related paths relevant to malware analysis: system directories
- C:\Windows: Windows installation directory
- C:\Windows\System32: primary system directory (64-bit binaries on 64-bit systems), often targeted for DLL hijacking
- C:\Windows\SysWOW64: 32-bit system directory on 64-bit systems
Typical Windows 11 paths relevant to malware analysis: user directories
- C:\Users\[Username]\AppData\Roaming: user-specific application data that roams with the profile, often used by malware for persistence
- C:\Users\[Username]\AppData\Local: local application data, not synced with roaming profiles
- C:\Users\[Username]\AppData\LocalLow: used by low-integrity processes (e.g. sandboxed browser components)
Startup system directories and registry Run keys
Startup locations
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp: startup folder for all users
- C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup: user-specific startup folder
Registry Run keys
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: system-wide autorun programs (run for every user at logon)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: user-specific autorun programs
Registry hives, which 4 are there?
Registry data is stored in files known as hives. Each hive corresponds to a specific set of keys and values. The main system hives are:
* SYSTEM: contains system configuration settings (control sets, services, drivers)
* SOFTWARE: stores software-related settings (including the HKLM Run keys)
* SECURITY: holds security policies (LSA secrets, account policy)
* SAM: contains local user account information (password hashes)
These hives are loaded into memory by the Configuration Manager, which manages registry operations.
The system hives are stored as files under C:\Windows\System32\config; the per-user hive NTUSER.DAT (mapped to HKCU) lives in the user's profile directory and UsrClass.dat under AppData\Local\Microsoft\Windows
Main root keys of the Windows registry, which are there?
* HKEY_LOCAL_MACHINE (HKLM): contains configuration settings for the local machine
* HKEY_CURRENT_USER (HKCU): stores settings specific to the currently logged-in user (a link to that user's SID subkey under HKU)
* HKEY_USERS (HKU): contains the loaded user profiles for all users on the machine
* HKEY_CLASSES_ROOT (HKCR): merges HKLM\Software\Classes and HKCU\Software\Classes (file associations, COM registrations)
* HKEY_CURRENT_CONFIG (HKCC): contains information about the current hardware profile (a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)
Common malware persistence locations in the registry
- The Windows Run keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the HKCU equivalent)
- The Winlogon shell: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (should contain only explorer.exe)
- Services
Only 1-5, no need to remember details
1. Run Keys
– Description: used to automatically start programs at user logon (the HKCU key for that user, the HKLM key for every user).
– Registry paths:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. RunServices Keys
– Description: legacy Windows 9x/ME equivalent of the Run keys that started programs before logon; not processed by modern Windows, but still listed in older references.
– Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
3. BootExecute
– Description: native applications started by the Session Manager (smss.exe) early in the boot process, before the Win32 subsystem exists (default value: autocheck autochk *).
– Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
4. AppInit_DLLs
– Description: lists DLLs loaded into every process that loads User32.dll; only honored when LoadAppInit_DLLs is 1, and disabled on Windows 8 and later when Secure Boot is enabled.
– Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
5. Active Setup
– Description: runs a component's StubPath once per user at logon, whenever the HKCU copy of the component key is missing or carries an older version.
– Registry path: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
Service and process manipulation registry keys
- Windows services
– Description: malware can create new services or modify existing ones (ImagePath, ServiceDll) to achieve persistence.
– Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Image File Execution Options (IFEO)
– Description: a Debugger value under a program's IFEO subkey makes Windows launch that "debugger" instead of the program, which persists malware and intercepts the execution of legitimate programs (classic target: sethc.exe).
– Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Known DLLs
– Description: DLLs listed here are always loaded from System32 regardless of the search order; removing an entry or tampering with the list re-exposes that DLL to search-order hijacking.
– Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
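Added example (not from the page) that ties together the startup locations, Run keys, persistence keys and the service/IFEO/AppInit keys in the cards above: a standard-library Python auditor for an exported .reg dump. It parses the text format written by `reg export` (after converting the UTF-16 file to text), then flags autoruns and services whose binary lives in a user-writable directory, a Winlogon Shell value that is not explorer.exe, any IFEO Debugger value, and a non-empty AppInit_DLLs. The dump, the user name alice and the rule thresholds are constructed for the example. The OneDrive entry is included on purpose: it is a legitimate AppData autorun that this heuristic flags, which is why such hits need an allowlist or hash check rather than an automatic verdict.

```python
"""Audit a `reg export` dump (converted from UTF-16 to text) for the persistence
locations in the cards above: Run/RunOnce, Winlogon Shell, IFEO Debugger,
AppInit_DLLs and service ImagePath values. SAMPLE_REG is constructed for this
example; the rules are illustrative heuristics, not a complete detector."""
import re

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\",
                 "c:\\users\\public\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe"}


def decode_value(data):
    """Strings escape backslash and quote with a backslash; dword is hex; others kept raw."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:/hex(n): values; multi-line continuations are not handled


def parse_reg(text):
    """Return {key path: {value name: decoded value}} in file order."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            keys[current][name] = decode_value(m.group("data"))
    return keys


def exe_path(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def user_writable(path):
    return any(p in path.lower() for p in USER_WRITABLE)


def audit(keys):
    """Return (severity, key, value name, reason) tuples for suspicious entries."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, cmd in values.items():
                path = exe_path(str(cmd))
                if user_writable(path):
                    findings.append(("medium", key, name, f"autorun from user-writable path: {path}"))
                base = path.rsplit("\\", 1)[-1].lower()
                if base in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
                    findings.append(("high", key, name, f"system binary name {base} outside C:\\Windows"))
        elif k.endswith("\\winlogon") and str(values.get("Shell", "explorer.exe")).lower() != "explorer.exe":
            findings.append(("high", key, "Shell", f"Winlogon shell changed: {values['Shell']}"))
        elif "\\image file execution options\\" in k and "Debugger" in values:
            findings.append(("high", key, "Debugger", f"IFEO debugger hijack: {values['Debugger']}"))
        elif k.endswith("\\windows nt\\currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(("high", key, "AppInit_DLLs", f"AppInit DLL injection: {values['AppInit_DLLs']} "
                             f"(LoadAppInit_DLLs={values.get('LoadAppInit_DLLs')})"))
        elif "\\currentcontrolset\\services\\" in k and "ImagePath" in values:
            path = exe_path(str(values["ImagePath"]))
            if user_writable(path):
                findings.append(("high", key, "ImagePath", f"service binary in user-writable path: {path}"))
    return findings


# Constructed dump in `reg export` syntax (backslashes and quotes are escaped).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\" -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\ProgramData\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Temp\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefendSvc]
"ImagePath"="C:\\ProgramData\\wd\\svc.exe"
"""

if __name__ == "__main__":
    for sev, key, name, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"[{sev:6}] {key}\\{name}: {reason}")
```

To run it against a live machine, export the keys with `reg export` for each path in the cards and decode the resulting file from UTF-16 before passing the text to parse_reg(); the same rules apply unchanged to an offline SOFTWARE/SYSTEM hive once it has been dumped to .reg syntax.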
What are rootkits tldr?
Rootkits are programs that gain hidden control of a computer
system by modifying the operating system itself
* Their main purpose is to conceal malware activity from users and
security tools, preventing detection of the compromised state
* Despite the name, rootkits don’t provide root access - they
actually require admin/root privileges to be installed
* Initial system compromise and elevated privileges must be
achieved through other means before a rootkit can be deployed
Basic Rootkit Goals
Gain system access
Maintain persistence
Hide presence
Control resources
Rings of control
Ring 3 (user mode):
- Where normal applications run
- Limited privileges
- Restricted access to hardware
- Uses the Windows API for system requests
Ring 0 (kernel mode):
- Highest privilege level
- Direct hardware access
- Controls system resources
- Handles critical operations
System call path from user mode to kernel mode:
* Application makes a request (e.g., CreateFile)
* Win32 API (kernel32/kernelbase) processes the request
* NTDLL.dll converts it to a system call (NtCreateFile, syscall instruction)
* Transition to kernel mode
* The SSDT (System Service Descriptor Table) routes the call to the correct kernel function
Common rootkit techniques: which techniques are commonly used?
- System Call Hooking:
+ Intercepts program requests
+ Modifies what system sees
+ Hides malicious activity
Driver Level Attack:
+ Loads malicious drivers
+ Gets kernel access
+ Modifies core system
Direct Kernel Manipulation:
+ Changes system tables
+ Modifies memory
+ Alters core functions
OSINT Basics
Open-source intelligence (OSINT) is the collection and analysis
of data from publicly available sources to produce actionable
intelligence.
+ Collection
+ Processing
+ Analysis
+ Reporting
Tor facts
Circuit isolation (separate circuits per purpose):
* Directory updates -> own circuit
* Web browsing -> Circuit A
* .onion sites -> Circuit B
* New HTTPS site -> Circuit C
- Guard rotation
+ Every 2-3 months
+ Helps prevent profiling
- Usage-based rotation
+ After specific data amounts
+ After a number of TCP streams
- Time-based rotation
+ New circuits every ~10 minutes (MaxCircuitDirtiness)
+ Clean circuits every ~30-60 seconds
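Added example (not from the page and not Tor's code): a small Python model of the isolation and time-based rotation rules in this card. It assigns streams to circuits by an isolation key (directory fetches, each .onion service, each clear-web site) and rebuilds a circuit once it has been in use longer than MaxCircuitDirtiness (600 seconds, Tor's default). Which keys Tor actually isolates on depends on its configuration and on Tor Browser's first-party isolation; the key choice and the scripted session here are assumptions for illustration.

```python
"""Toy model of Tor-style stream isolation and time-based circuit rotation
(written for this example; it is not Tor's implementation). Streams attach to
circuits by an isolation key, and a circuit that has carried traffic is retired
MAX_CIRCUIT_DIRTINESS seconds after its first use. Time is passed in explicitly
so the model runs offline and deterministically."""
import itertools

MAX_CIRCUIT_DIRTINESS = 600   # seconds; tor's MaxCircuitDirtiness default is 10 minutes


class CircuitManager:
    def __init__(self):
        self._ids = itertools.count(1)
        self.live = {}        # isolation key -> [circuit id, first-use time, stream count]
        self.retired = []     # (circuit id, key) pairs, kept for inspection

    @staticmethod
    def isolation_key(first_party, is_directory=False):
        # Assumed policy: directory fetches, each .onion service and each
        # clear-web site get their own circuit (the card's A/B/C split).
        if is_directory:
            return ("directory",)
        if first_party.endswith(".onion"):
            return ("onion", first_party)
        return ("web", first_party)

    def attach_stream(self, first_party, now, is_directory=False):
        """Return the circuit id used for a new stream opened at time `now` (seconds)."""
        key = self.isolation_key(first_party, is_directory)
        circ = self.live.get(key)
        if circ is not None and now - circ[1] >= MAX_CIRCUIT_DIRTINESS:
            self.retired.append((circ[0], key))     # dirty for too long: build a fresh one
            circ = None
        if circ is None:
            circ = [next(self._ids), now, 0]
            self.live[key] = circ
        circ[2] += 1
        return circ[0]


def demo():
    """Scripted session (constructed); returns the circuit id per stream and the manager."""
    mgr = CircuitManager()
    ids = [
        mgr.attach_stream("consensus", 0, is_directory=True),   # directory fetch
        mgr.attach_stream("example.com", 5),                     # web browsing -> circuit A
        mgr.attach_stream("example.com", 30),                    # same site, same circuit
        mgr.attach_stream("abc.onion", 40),                      # .onion -> circuit B
        mgr.attach_stream("example.org", 50),                    # new HTTPS site -> circuit C
        mgr.attach_stream("example.com", 700),                   # >10 min after first use: rotated
    ]
    return ids, mgr


if __name__ == "__main__":
    ids, mgr = demo()
    print("circuit ids per stream:", ids)
    print("retired:", mgr.retired)
```

The point the model makes concrete: rotation is keyed to the circuit's first use, not its last, so a long-lived session to one site still changes exit after ten minutes, while a stream to a different isolation key never shares that circuit at all.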