Analyzing Host-related IOCs Flashcards

1
Q

A process executed without proper authorization from the system owner for the
purpose of damaging or compromising the system

A

Malicious Process

2
Q

Indicators that a legitimate process has been corrupted with malicious code for
the purpose of damaging or compromising the system

A

Abnormal Process Behavior

3
Q

▪ Process Monitor
▪ Process Explorer
▪ tasklist
▪ PE Explorer

A

Windows Tools

4
Q

▪ pstree
▪ ps

A

Linux Tools

5
Q

A background service in the Linux operating system that runs as a process with
the letter “d” after it (e.g., httpd, sshd, ftpd)

A

Daemons

6
Q

The init daemon in Linux that is first executed by the kernel during the boot up
process and always has the process ID (PID) of 1

A

systemd

7
Q

A unique identification number of a process launched by a Linux system

A

Process Identification (PID)

8
Q

A unique identification number of the parent process for every process launched
by a Linux system

A

Parent PID (PPID)

9
Q

A Linux command that provides the parent/child relationship of the processes on
a given system

A

pstree

10
Q

Command that lists the attributes of all current processes
▪ The ps command shows only processes started by the current user by
default
▪ The command ps -A or ps -e will provide a full list of all running
processes for all users
▪ ps -C cron - Command to display the process for the cron command
▪ ps -A | sort -k 3 - Command to display the processes sorted by the third
column (execution time)

A

ps

11
Q

Executes from memory without saving anything to the filesystem

A

Fileless malware

12
Q

Techniques that require analysis of the contents of system memory, and of
process behavior, rather than relying on scanning the file system

A

Fileless Detection Techniques

13
Q

An open-source memory forensics tool that has many different modules for
analyzing specific elements of memory such as a web browser module, command
prompt history module, and others

A

The Volatility Framework

14
Q

Resource consumption is a key indicator of malicious activity, but also occurs with
legitimate software

A

Consumption

15
Q

Percentage of CPU time utilized on a per-process level

A

Processor Usage

16
Q

Amount of memory utilized on a per-process level

A

Memory Consumption

17
Q

Command that outputs a summary of the amount of used and freely available
memory on the computer

A

free

18
Q

A command that creates a scrollable table of every running process and is
constantly refreshed so that you see the most up-to-date statistics

A

top

19
Q

A means of exploiting a vulnerability in an application to execute arbitrary code or
to crash the process (or with an ongoing memory leak to crash the system)

A

Memory Overflow

20
Q

An attack meant to shut down a machine or network that makes it inaccessible to
its intended users

A

Denial of Service

21
Q

Malware is still likely to leave metadata on the file system even if it is fileless

A

Disk and File System

22
Q

A place where an adversary begins to collect data in preparation for data
exfiltration, such as temporary files and folders, user profile locations, data
masked as logs, alternate data streams (ADS), or in the recycle bin

A

Staging Areas

23
Q

Tool that allows you to search the file system for keywords quickly, including
system areas such as the Recycle Bin and NTFS shadow copy and system volume
information

A

File System Viewers

24
Q

The Windows dir command has some advanced functionality for file system
analysis

A

▪ dir /Ax - filters all file/folder types that match the given parameter (x),
such as dir /AH displays only hidden files and folders
▪ dir /Q - displays who owns each file, along with the standard
information
▪ dir /R - displays alternate data streams for a file

25
Q

Tool that retrieves a list of all files currently open on the OS

A

lsof

26
Q

Tool that retrieves how much disk space is being used by all
mounted file systems and how much space is available for each

A

df

27
Q

Tool that enables you to retrieve how much disk space each
directory is using based on the specified directory - du /var/log

A

du

28
Q

Tools used to determine the type of encryption algorithm used and assess the
strength of the encryption key

A

Cryptographic Analysis Tools

29
Q

The practice of exploiting flaws in an operating system or other application to
gain a greater level of access than was intended for the user or application

A

Privilege Escalation

30
Q

Occurs when certain accounts access devices or services that
they should not be authorized to access

A

Unauthorized sessions

31
Q

An attempt to authenticate to the system using the incorrect
username/password combination or other credentials

A

Failed Log-ons

32
Q

An attacker may be able to create new accounts in a system,
which can be especially dangerous if they create an
administrator account

A

New Accounts

33
Q

Guest accounts can enable an attacker to log on to a domain
and begin footprinting the network

A

Guest Account Usage

34
Q

An account being used in off hours may indicate an attacker
attempting to catch the organization unaware

A

Off-hours Usage

35
Q

A more subtle software-based IoC involves the presence of attack tools on a
system

A

Unauthorized Software

36
Q

A file that records the names of applications that have been run, as well as the
date and time, file path, run count, and DLLs used by the executable

A

Prefetch Files

37
Q

An application usage cache that is stored in the Registry as the key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCach

A

Shimcache

38
Q

An application usage cache that is stored as a hive file at
C:\Windows\appcompat\Programs\Amcache.hve

A

Amcache

39
Q

Any change that has been made to a configuration file, software profile, or
hardware without proper authorization or undergoing the change management
process

A

Unauthorized Change

40
Q

The ability of a threat actor to maintain covert access to a target host or network

A

Persistence

41
Q

A hierarchical database that stores low-level settings for the
Microsoft Windows operating system and for the kernel, device drivers, services,
Security Accounts Manager, and the user interface

A

Registry

42
Q

A tool that dumps the contents of the registry in a text file with simple formatting
so that you can search specific strings in the file with find

A

regdump

43
Q

Initializes its values asynchronously when loading them from the registry

A

Run

44
Q

Initializes its values in order when loading them from the registry
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
▪ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

A

RunOnce

45
Q

Enables you to create new tasks to run at predefined times

A

Windows Task Scheduler

46
Q

Tool that manages cron jobs, the Linux equivalent of scheduled tasks

A

crontab