Endpoint Monitoring Flashcards
Software capable of detecting and removing virus infections and (in most cases)
other types of malwares, such as worms, Trojans, rootkits, adware, spyware,
password crackers, network mappers, DoS tools, and others
Anti-virus (AV)
A type of IDS or IPS that monitors a computer system for unexpected behavior or
drastic changes to the system’s state on an endpoint
Host-based IDS/IPS (HIDS/HIPS)
A software agent and monitoring system that performs multiple security tasks
such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption
Endpoint Protection Platform (EPP)
A software agent that collects system data and logs for analysis by a monitoring
system to provide early detection of threats
Endpoint Detection and Response (EDR)
A system that can provide automated identification of suspicious activity by user
accounts and computer hosts
User and Entity Behavior Analytics (UEBA)
A computing environment that is isolated from a host system to guarantee that the
environment runs in a controlled, secure fashion and that communication links between the sandbox and the host are usually completely prohibited
Sandboxing
The process of analyzing the structure of hardware or software to reveal more
about how it functions
Reverse Engineering
A computer program that translates machine language into assembly language
Disassembler
The binary code executed by the processor, typically represented as 2 hex digits
for each byte
Machine Code
The first two bytes of a binary header that indicates it file type
When reading the first two bytes of a Windows portable executable file (EXE, DLL,
SYS, DRV, or COM), it will always start with 4D 5A in HEX, MZ in ASCII, or TV in
Base64 encoding
File Signature (or Magic Number)
The native processor instructions used to implement the program
Assembly Code
Software that translate a binary or low-level machine language code into higher
level code
Decompiler
Real or pseudocode in human readable form that makes it easier to identify
functions, variables, and programming logic used in the cod
High-level Code
Any sequence of encoded characters that appears within the executable file
Strings
A method of compression in which an executable is mostly compressed and the
part that isn’t compressed contains the code to decompress the executable
Program Packer
Describes the specific method by which malware code infects a target host
Exploit Technique
Malware designed to install or run other types of malwares embedded in a
payload on an infected host
Dropper
A piece of code that connect to the Internet to retrieve additional tools after the
initial infection by a dropper
Downloader
Any lightweight code designed to run an exploit on the target, which may include
any type of code format from scripting languages to binary code
Shellcode
Exploit technique that runs malicious code with the identification number of a
legitimate process
▪ Masquerading
▪ DLL injection
▪ DLL sideloading
▪ Process hollowing
Code Injection
Exploit techniques that use standard system tools and packages to perform
intrusions
Living Off the Land
Threat hunting and security monitoring must use behavioral-based techniques to
identify infections
Behavioral Analysis
A suite of tools designed to assist with troubleshooting issues with Windows, and
many of the tools are suited to investigating security issues
Sysinternals
A kernel-level binary that is the parent of the first user-mode process (Session
Manager SubSystem – smss.exe)
System Idle (PID 0) and System (PID 4)
