Endpoint Monitoring

Question 1

Software capable of detecting and removing virus infections and (in most cases)
other types of malwares, such as worms, Trojans, rootkits, adware, spyware,
password crackers, network mappers, DoS tools, and others

Answer 1

Anti-virus (AV)

Question 2

A type of IDS or IPS that monitors a computer system for unexpected behavior or
drastic changes to the system’s state on an endpoint

Answer 2

Host-based IDS/IPS (HIDS/HIPS)

Question 3

A software agent and monitoring system that performs multiple security tasks
such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption

Answer 3

Endpoint Protection Platform (EPP)

Question 4

A software agent that collects system data and logs for analysis by a monitoring
system to provide early detection of threats

Answer 4

Endpoint Detection and Response (EDR)

Question 5

A system that can provide automated identification of suspicious activity by user
accounts and computer hosts

Answer 5

User and Entity Behavior Analytics (UEBA)

Question 6

A computing environment that is isolated from a host system to guarantee that the
environment runs in a controlled, secure fashion and that communication links between the sandbox and the host are usually completely prohibited

Answer 6

Sandboxing

Question 7

The process of analyzing the structure of hardware or software to reveal more
about how it functions

Answer 7

Reverse Engineering

Question 8

A computer program that translates machine language into assembly language

Answer 8

Disassembler

Question 9

The binary code executed by the processor, typically represented as 2 hex digits
for each byte

Answer 9

Machine Code

Question 10

The first two bytes of a binary header that indicates it file type
When reading the first two bytes of a Windows portable executable file (EXE, DLL,
SYS, DRV, or COM), it will always start with 4D 5A in HEX, MZ in ASCII, or TV in
Base64 encoding

Answer 10

File Signature (or Magic Number)

Question 11

The native processor instructions used to implement the program

Answer 11

Assembly Code

Question 12

Software that translate a binary or low-level machine language code into higher
level code

Answer 12

Decompiler

Question 13

Real or pseudocode in human readable form that makes it easier to identify
functions, variables, and programming logic used in the cod

Answer 13

High-level Code

Question 14

Any sequence of encoded characters that appears within the executable file

Answer 14

Strings

Question 15

A method of compression in which an executable is mostly compressed and the
part that isn’t compressed contains the code to decompress the executable

Answer 15

Program Packer

Question 16

Describes the specific method by which malware code infects a target host

Answer 16

Exploit Technique

Question 17

Malware designed to install or run other types of malwares embedded in a
payload on an infected host

Answer 17

Dropper

Question 18

A piece of code that connect to the Internet to retrieve additional tools after the
initial infection by a dropper

Answer 18

Downloader

Question 19

Any lightweight code designed to run an exploit on the target, which may include
any type of code format from scripting languages to binary code

Answer 19

Shellcode

Question 20

Exploit technique that runs malicious code with the identification number of a
legitimate process
▪ Masquerading
▪ DLL injection
▪ DLL sideloading
▪ Process hollowing

Answer 20

Code Injection

Question 21

Exploit techniques that use standard system tools and packages to perform
intrusions

Answer 21

Living Off the Land

Question 22

Threat hunting and security monitoring must use behavioral-based techniques to
identify infections

Answer 22

Behavioral Analysis

Question 23

A suite of tools designed to assist with troubleshooting issues with Windows, and
many of the tools are suited to investigating security issues

Answer 23

Sysinternals

Question 24

A kernel-level binary that is the parent of the first user-mode process (Session
Manager SubSystem – smss.exe)

Answer 24

System Idle (PID 0) and System (PID 4)

Question 25

Manages low-level Windows functions and it is normal to see several of these
running
(as long as they are launched from %SystemRoot%\System32 and have no parent)

Answer 25

Client Server Runtime SubSystem (csrss.exe)

Question 26

Manages drivers and services and should only have a single instance running as a
process

Answer 26

WININIT (wininit.exe)

Question 27

Hosts nonboot drivers and background services, this process should only have one
instance of services.exe running as a child of wininit.exe, with other service
processes showing a child of services.exe or svchost.exe

Answer 27

Services.exe

Question 28

Handles authentication and authorization services for the system, and should
have a single instance running as a child of wininit.exe

Answer 28

Local Security Authority SubSystem (lsass.exe)

Question 29

Manages access to the user desktop and should have only one instance for each
user session with the Desktop Window Manager (dwm.exe) as a child process in
modern versions of Windows

Answer 29

WINLOGON (winlogon.exe)

Question 30

Sets up the shell (typically explorer.exe) and then quits, so you should only see
this process briefly after log-on

Answer 30

USERINIT (userinit.exe)

Question 31

This is the typical user shell, launched with the user’s account privileges rather
than SYSTEM’s, and is likely to be the parent for all processes started by the
logged-on user

Answer 31

Explorer (explorer.exe)

Question 32

Endpoint detection and response (EDR) requires tuning to reduce false positives

Answer 32

EDR Configuration

Question 33

Inspects items with over 70 antivirus scanners and URL/domain
blacklisting services, in addition to a myriad of tools to extract signals from the
studied content

Answer 33

VirusTotal (virustotal.com)

Question 34

A standardized language for sharing structured information about malware that is
complementary to STIX and TAXII to improve the automated sharing of threat
intelligence

Answer 34

Malware Attribute Enumeration and Characterization (MAEC) Scheme

Question 35

A multi-platform program running on Windows, Linux and Mac OS X for
identifying, classifying, and describing malware samples

Answer 35

Yara

Question 36

The process of blocking known applications, services, traffic, and other
transmission to and from your systems

Answer 36

Blacklisting

Question 37

The process of allowing only known applications, services, traffic, and other
transmission to and from your systems

Answer 37

Whitelisting

Question 38

The process of determining what additional software may be installed on a client
or server beyond its baseline
Execution control can be configured as a whitelisting or blacklisting approach
Execution Control in Windows
▪ Software Restriction Policies (SRP)
▪ AppLocker
▪ Windows Defender Application Control (WDAC)
Execution Control in Linux
▪ Mandatory Access Control (MAC)
▪ Linux Security Module (LSM)

Answer 38

Execution Control