Analyzing Application-related IOCs

Question 1

Symptoms of anomalous activity include strange log entries, excessive per-process ports
and resource consumption, and unusual user accounts

Answer 1

Anomalous Activity

Question 2

Verify any outbound network connections understood and approved

Answer 2

Unexpected Outbound Communication

Question 3

Unusual request patterns or responses can be indicative of an ongoing
or past attack

Answer 3

Unexpected Output

Question 4

Occurs when an attacker gains control of a web server and alters the
website’s presentation

Answer 4

Service Defacement

Question 5

Application services may fail to start or stop unexpectedly for any number of reasons

Answer 5

Service Interruptions

Question 6

An application interruption caused by a service either failing to start or halting
abruptly
▪ Security services are prevented from running
▪ Process running the service is compromised
▪ Service is disabled by DDoS/DoS
▪ Excessive bandwidth usage is disrupting a service

Answer 6

Failed Application Services

Question 7

Tools that can help identify suspicious service activity even when antimalware
scanners fail to identify it

Answer 7

Service Analysis Tools for Windows

Question 8

You can view running services in Task Manager

Answer 8

Services.msc
net start displays all running services on a computer from the command
line

Question 9

There are also Linux tools available for service analysis

Answer 9

cron
systemctl
The ps and top commands are used to monitor running processes

Question 10

A task scheduler in Linux that can configure processes to run as
daemons (background processes or services) during the
machine’s startup

Answer 10

cron

Question 11

Can list and monitor the startup processes using the
appropriate control for the init daemon

Answer 11

systemctl

Question 12

Most applications can be configured to log events

Answer 12

Application Logs

Question 13

Contains a log an event each time the DNS server handles a request to convert
between a domain name and an IP address

Answer 13

DNS Event Logs

Question 14

A log containing HTTP traffic that encountered an error or traffic that matches
some
pre-defined rule set

Answer 14

HTTP Access Logs

Question 15

Status Codes in the 400 Range
Some web server software logs HTTP header information for both the requests
and responses

Answer 15

Client-based Error Codes

Question 16

Identifies the type of application making the request, such as the web browser
version or the client’s operating system

Answer 16

User-Agent Field

Question 17

An unstandardized type of log that can provide basic client/server session
information

Answer 17

SSH Access Logs

Question 18

An event/error log that records events with fields like date, time, and the action
taken, such as server startup, individual database startup, database cache
clearing, and databases not starting or shutting down unexpectedly

Answer 18

SQL Event Logs

Question 19

Creating rogue accounts is a method for an adversary to maintain access

Answer 19

New Accounts

Question 20

Windows tool that is used for the management of local accounts on a system

Answer 20

Local Users and Groups

Question 21

Windows tool that is used for the management of accounts on a domain
controller (DC)

Answer 21

Active Directory Users and Computers

Question 22

Linux command that shows what user accounts are logged in, what
terminal teletypes (TTYs) they have active for each running process, and
what date/time they logged in

Answer 22

who

Question 23

Displays the same basic information as who, but also returns the
remote host (if applicable), how long the account has been idle, the
name of processes the account is actively running, the execution time
of each process, and more

Answer 23

w

Question 24

Displays the same basic information as who, but also returns the
remote host (if applicable), how long the account has been idle, the
name of processes the account is actively running, the execution time
of each process, and more

Answer 24

w

Question 25

Displays the same basic information as who, but runs on a client/server
architecture

Answer 25

rwho

Question 26

Retrieves the log-on history from the /var/log/lastlog file and displays the account
name, the TTY, the remote host, and the last time the user was logged in

Answer 26

lastlog

Question 27

Linux command that displays only authentication failures

Answer 27

faillog

Question 28

Virtualization provides numerous security challenges that must be mitigated
o Process and memory analysis
o Persistent data acquisition
o File-carving-deleted VM disk images
o Lost system logs

Answer 28

Virtualization Forensics

Question 29

Uses tools installed to the hypervisor to retrieve pages of memory for
analysis

Answer 29

VM Introspection (VMI)

Question 30

Suspending VM memory files are loaded into a memory analysis tool

Answer 30

Saved State Files

Question 31

Acquiring data from persistent devices, such as virtual hard drives and other
virtualized mass storage devices to an image-based format

Answer 31

Persistent Data Acquisition

Question 32

▪ Virtual machine hosts utilize proprietary file systems, such as VMware’s
VMFS, which can make disk analysis difficult
▪ File carving can be used to reconstruct files that have been fragmented
across the host file system

Answer 32

File-carving-deleted VM Disk Images

Question 33

Virtual machines are optimized to spin up when needed and be destroyed when
no longer required
Configure virtual machines to log events to a remote logging server to prevent
system logs from being lost during deprovisioning

Answer 33

Lost System Logs

Question 34

Tools that facilitate imaging the mobile device’s system memory (RAM) and the
flash memory used for persistent storage

Answer 34

Data Collection

Question 35

Analysis techniques for mobile devices is like that of Windows and Linux
workstations since most mobile devices rely on Unix-like operating systems
▪ Manual extraction
▪ Logical extraction
▪ File system extraction
▪ Call data extraction

Answer 35

Extraction and Analysis Methods

Question 36

e
▪ Tool focused on evidence extraction from smartphones and other
mobile devices, including older feature phones, and from cloud data
and metadata using a universal forensic extraction device (UFED)

Answer 36

Cellebrite

Question 37

A mobile device forensics tool created by AccessData, the developers of
FTK

Answer 37

Mobile Phone Examiner Plus (MPE+)

Question 38

A mobile device forensics tool created by Guidance Software, the
developers of EnCase

Answer 38

EnCase Portable

Question 39

Any records of device activity that can be acquired from the mobile device’s
service provider with the use of a warrant

Answer 39

Carrier Provider Logs