CySA+ Study Notes 7 Flashcards
The Autoruns tool shows processes set to autostart and lists where autostart entries are configured in the Registry and file system. User-mode malware that is attempting to run at startup should be identifiable in one of these locations.
info
??? is a test for matching certain string combinations within a data source. The data source can be a binary file, or other data such as a log file, packet capture, or email. The strings could be ASCII or Unicode text or hex digits. The filter definitions can also use regular expression (regex) syntax.
Yara Rule
(MAEC) scheme is complementary to the STIX and TAXII projects to improve automated sharing of threat intelligence.
blacklist = block what you know, whitelist = block everything except what you trust
info
Available for most versions and editions of Windows, ??? can be configured as group policy objects (GPOs) to whitelist file system locations from which executables and scripts can launch. Rules can also be configured by publisher signature or by file hash. There is also support for creating blacklist-based rules.
Software Restriction Policies (SRP)—EPP (Execution Control)
Improves configuration options and default usage of SRP. Notably, ??? policies can be applied to user and group accounts rather than just computer accounts. However, ??? GPOs can only be configured for Enterprise and Ultimate editions of Windows 7 and later.
AppLocker—EPP (Execution Control)
Formerly Device Guard, this can be used to create Code Integrity (CI) policies, which can be used on their own or in conjunction with AppLocker. CI policies apply to the computer and affect all users. CI policies can be based on version-aware and publisher digital signatures, as well as image hashes and/or file paths.
??? is a useful option for preventing administrator accounts from disabling execution control options. ??? is principally configured using XML policy statements and PowerShell.
Windows Defender Application Control (WDAC)—EPP (Execution Control)
??? for an attacker to hijack a business user’s email account, either through compromising a computer or mobile device, or by hacking a cloud service.
*** A missing or poorly formatted email signature block is an indicator for a phishing message.
*** use DNS-based sinkholing to capture malicious traffic trying to exit from your network.
business email compromise (BEC)
??? uses a DNS record published by an org. for configuring authentication for email server systems; authorized servers can be identified by IP, CIDR address blocks, or hostnames; the receiving server can reject, flag, or accept mail from servers not on its list.
SPF
??? 220 = server is ready, 250 = message is accepted, 450/451/452 = different issues w/sending message; repeated failures could be a sign of DoS on either the remote or local SMTP server.
*** S/MIME can be used to add a digital signature to a message and optionally to encrypt the message contents.
SMTP Log Status Codes
??? Perform triage of alerts, escalating true positives to incident response and dismissing false positives. Review security data sources to check that log collection and information feeds are functioning as expected. Review CTI to identify priorities or potential impacts from events occurring at other companies and all over the Internet. Perform vulnerability scanning and management. Identify opportunities for threat hunting, based on CTI and overall alert and incident status.
SIEM will help with most duties involving staffing in a SOC or CSIRT, like: