Analyzing Application-related IOCs Flashcards

1
Q

Symptoms of anomalous activity include strange log entries, excessive per-process ports
and resource consumption, and unusual user accounts

A

Anomalous Activity

2
Q

Verify that any outbound network connections are understood and approved

A

Unexpected Outbound Communication

3
Q

Unusual request patterns or responses can be indicative of an ongoing
or past attack

A

Unexpected Output

4
Q

Occurs when an attacker gains control of a web server and alters the
website’s presentation

A

Service Defacement

5
Q

Application services may fail to start or stop unexpectedly for any number of reasons

A

Service Interruptions

6
Q

An application interruption caused by a service either failing to start or halting
abruptly
▪ Security services are prevented from running
▪ Process running the service is compromised
▪ Service is disabled by DDoS/DoS
▪ Excessive bandwidth usage is disrupting a service

A

Failed Application Services

7
Q

Tools that can help identify suspicious service activity even when antimalware
scanners fail to identify it

A

Service Analysis Tools for Windows

8
Q

You can view running services in Task Manager

A

Services.msc
net start displays all running services on a computer from the command line

9
Q

There are also Linux tools available for service analysis

A

cron
systemctl
The ps and top commands are used to monitor running processes

10
Q

A task scheduler in Linux that can configure processes to run as
daemons (background processes or services) during the
machine’s startup

A

cron

11
Q

Can list and monitor the startup processes using the
appropriate control for the init daemon

A

systemctl

12
Q

Most applications can be configured to log events

A

Application Logs

13
Q

Logs an event each time the DNS server handles a request to convert
between a domain name and an IP address

A

DNS Event Logs

14
Q

A log containing HTTP traffic that encountered an error or traffic that matches
some pre-defined rule set

A

HTTP Access Logs

15
Q

Status Codes in the 400 Range
Some web server software logs HTTP header information for both the requests
and responses

A

Client-based Error Codes

16
Q

Identifies the type of application making the request, such as the web browser
version or the client’s operating system

A

User-Agent Field

17
Q

An unstandardized type of log that can provide basic client/server session
information

A

SSH Access Logs

18
Q

An event/error log that records events with fields like date, time, and the action
taken, such as server startup, individual database startup, database cache
clearing, and databases not starting or shutting down unexpectedly

A

SQL Event Logs

19
Q

Creating rogue accounts is a method for an adversary to maintain access

A

New Accounts

20
Q

Windows tool that is used for the management of local accounts on a system

A

Local Users and Groups

21
Q

Windows tool that is used for the management of accounts on a domain
controller (DC)

A

Active Directory Users and Computers

22
Q

Linux command that shows what user accounts are logged in, what
terminal teletypes (TTYs) they have active for each running process, and
what date/time they logged in

A

who

23
Q

Displays the same basic information as who, but also returns the
remote host (if applicable), how long the account has been idle, the
name of processes the account is actively running, the execution time
of each process, and more

A

w

25
Q

Displays the same basic information as who, but runs on a client/server
architecture

A

rwho

26
Q

Retrieves the log-on history from the /var/log/lastlog file and displays the account
name, the TTY, the remote host, and the last time the user was logged in

A

lastlog

27
Q

Linux command that displays only authentication failures

A

faillog

28
Q

Virtualization provides numerous security challenges that must be mitigated
▪ Process and memory analysis
▪ Persistent data acquisition
▪ File-carving-deleted VM disk images
▪ Lost system logs

A

Virtualization Forensics

29
Q

Uses tools installed to the hypervisor to retrieve pages of memory for
analysis

A

VM Introspection (VMI)

30
Q

The memory files of a suspended VM are loaded into a memory analysis tool

A

Saved State Files

31
Q

Acquiring data from persistent devices, such as virtual hard drives and other
virtualized mass storage devices to an image-based format

A

Persistent Data Acquisition

32
Q

▪ Virtual machine hosts utilize proprietary file systems, such as VMware’s
VMFS, which can make disk analysis difficult
▪ File carving can be used to reconstruct files that have been fragmented
across the host file system

A

File-carving-deleted VM Disk Images

33
Q

Virtual machines are optimized to spin up when needed and be destroyed when
no longer required
Configure virtual machines to log events to a remote logging server to prevent
system logs from being lost during deprovisioning

A

Lost System Logs

34
Q

Tools that facilitate imaging the mobile device’s system memory (RAM) and the
flash memory used for persistent storage

A

Data Collection

35
Q

Analysis techniques for mobile devices are like those for Windows and Linux
workstations, since most mobile devices rely on Unix-like operating systems
▪ Manual extraction
▪ Logical extraction
▪ File system extraction
▪ Call data extraction

A

Extraction and Analysis Methods

36
Q

▪ Tool focused on evidence extraction from smartphones and other
mobile devices, including older feature phones, and from cloud data
and metadata using a universal forensic extraction device (UFED)

A

Cellebrite

37
Q

A mobile device forensics tool created by AccessData, the developers of
FTK

A

Mobile Phone Examiner Plus (MPE+)

38
Q

A mobile device forensics tool created by Guidance Software, the
developers of EnCase

A

EnCase Portable

39
Q

Any records of device activity that can be acquired from the mobile device’s
service provider with the use of a warrant

A

Carrier Provider Logs