Analyzing Host-related IOCs

Question 1

A process executed without proper authorization from the system owner for the
purpose of damaging or compromising the system

Answer 1

Malicious Process

Question 2

Indicators that a legitimate process has been corrupted with malicious code for
the purpose of damaging or compromising the system

Answer 2

Abnormal Process Behavior

Question 3

▪ Process Monitor
▪ Process Explorer
▪ tasklist
▪ PE Explorer

Answer 3

Windows Tools

Question 4

▪ pstree
▪ ps

Answer 4

Linux Tools

Question 5

A background service in the Linux operating system that runs as a process with
the letter “d” after it (e.g., httpd, sshd, ftpd)

Answer 5

Daemons

Question 6

The init daemon in Linux that is first executed by the kernel during the boot up
process and always has the process ID (PID) of 1

Answer 6

systemd

Question 7

A unique identification number of a process launched by a Linux system

Answer 7

Process Identification (PID)

Question 8

A unique identification number of the parent process for every process launched
by a Linux system

Answer 8

Parent PID (PPID)

Question 9

A Linux command that provides the parent/child relationship of the processes on
a given system

Answer 9

pstree

Question 10

Command that lists the attributes of all current processes
▪ The ps command shows only processes started by the current user by
default
The command ps –A or ps -e will provide a full list of all running
processes for all users
ps –C cron - Command to display the process for the cron command
ps –A | sort –k 3Command to display the process sorted by the third
column (execution time)

Answer 10

ps

Question 11

executes from memory without saving anything to the filesystem

Answer 11

Fileless malware

Question 12

Techniques that require analysis of the contents of system memory, and of
process behavior, rather than relying on scanning the file system

Answer 12

Fileless Detection Techniques

Question 13

An open-source memory forensics tool that has many different modules for
analyzing specific elements of memory such as a web browser module, command
prompt history module, and others

Answer 13

The Volatility Framework

Question 14

Resource consumption is a key indicator of malicious activity, but also occurs with
legitimate software

Answer 14

Consumption

Question 15

Percentage of CPU time utilized on a per-process level

Answer 15

Processor Usage

Question 16

Amount of memory utilized on a per-process level

Answer 16

Memory Consumption

Question 17

Command that outputs a summary of the amount of used and freely available
memory on the computer

Answer 17

free

Question 18

A command that creates a scrollable table of every running process and is
constantly refreshed so that you see the most up-to-date statistics

Answer 18

top

Question 19

A means of exploiting a vulnerability in an application to execute arbitrary code or
to crash the process (or with an ongoing memory leak to crash the system)

Answer 19

Memory Overflow

Question 20

An attack meant to shut down a machine or network that makes it inaccessible to
its intended users

Answer 20

Denial of Service

Question 21

Malware is still likely to leave metadata on the file system even if it is fileless

Answer 21

Disk and File System

Question 22

A place where an adversary begins to collect data in preparation for data
exfiltration, such as temporary files and folders, user profile locations, data
masked as logs, alternate data streams (ADS), or in the recycle bin

Answer 22

Staging Areas

Question 23

Tool that allows you to search the file system for keywords quickly, including
system areas such as the Recycle Bin and NTFS shadow copy and system volume
information

Answer 23

File System Viewers

Question 24

The Windows dir command has some advanced functionality for file system
analysis

Answer 24

▪ dir /Ax - filters all file/folder types that match the given parameter (x),
such as dir /AH displays only hidden files and folders
▪ dir /Q - displays who owns each file, along with the standard
information
▪ dir /R - displays alternate data streams for a file

Question 25

Tool that retrieves a list of all files currently open on the OS

Answer 25

lsof

Question 26

ool that retrieves how much disk space is being used by all
mounted file systems and how much space is available for each

Answer 26

df

Question 27

Tool that enables you to retrieve how much disk space each
directory is using based on the specified directory - du /var/log

Answer 27

du

Question 28

Tools used to determine the type of encryption algorithm used and assess the
strength of the encryption key

Answer 28

Cryptographic Analysis Tools

Question 29

The practice of exploiting flaws in an operating system or other application to
gain a greater level of access than was intended for the user or application

Answer 29

Privilege Escalation

Question 30

Occurs when certain accounts access devices or services that
they should not be authorized to access

Answer 30

Unauthorized sessions

Question 31

An attempt to authenticate to the system using the incorrect
username/password combination or other credentials

Answer 31

Failed Log-ons

Question 32

An attacker may be able to create new accounts in a system
and can be especially dangerous if they create an
administrator account

Answer 32

New Accounts

Question 33

Guest accounts can enable an attacker to log on to a domain
and begin footprinting the network

Answer 33

Guest Account Usage

Question 34

An account being used in off hours may indicate an attacker
attempting to catch the organization unaware

Answer 34

Off-hours Usage

Question 35

A more subtle software-based IoC involves the presence of attack tools on a
system

Answer 35

Unauthorized Software

Question 36

A file that records the names of applications that have been run, as well as the
date and time, file path, run count, and DLLs used by the executable

Answer 36

Prefetch Files

Question 37

An application usage cache that is stored in the Registry as the key
HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\AppCompatCache\AppCompatCach

Answer 37

Shimcache

Question 38

An application usage cache that is stored as a hive file at
C:\Windows\appcompat\Programs\Amcache.hve

Answer 38

Amcache

Question 39

Any change that has been made to a configuration file, software profile, or
hardware without proper authorization or undergoing the change management
process

Answer 39

Unauthorized Change

Question 40

The ability of a threat actor to maintain covert access to a target host or network

Answer 40

Persistence

Question 41

A hierarchical database that stores low-level settings for the
Microsoft Windows operating system and for the kernel, device drivers, services,
Security Accounts Manager, and the user interface

Answer 41

Registry

Question 42

A tool that dumps the contents of the registry in a text file with simple formatting
so that you can search specific strings in the file with find

Answer 42

regdump

Question 43

Initializes its values asynchronously when loading them from the registry

Answer 43

Run

Question 44

Initializes its values in order when loading them from the registry
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Initializes its values in order when loading them from the registry
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Answer 44

RunOnce

Question 45

Enables you to create new tasks to run at predefined times

Answer 45

Windows Task Scheduler

Question 46

Tool that manages cron jobs, the Linux equivalent of scheduled tasks

Answer 46

crontab