Endpoint Monitoring Flashcards
Software capable of detecting and removing virus infections and (in most cases)
other types of malware, such as worms, Trojans, rootkits, adware, spyware,
password crackers, network mappers, DoS tools, and others
Anti-virus (AV)
A type of IDS or IPS that monitors a computer system for unexpected behavior or
drastic changes to the system’s state on an endpoint
Host-based IDS/IPS (HIDS/HIPS)
A software agent and monitoring system that performs multiple security tasks
such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption
Endpoint Protection Platform (EPP)
A software agent that collects system data and logs for analysis by a monitoring
system to provide early detection of threats
Endpoint Detection and Response (EDR)
A system that can provide automated identification of suspicious activity by user
accounts and computer hosts
User and Entity Behavior Analytics (UEBA)
A computing environment that is isolated from a host system to guarantee that the
environment runs in a controlled, secure fashion, and in which communication links between the sandbox and the host are usually completely prohibited
Sandboxing
The process of analyzing the structure of hardware or software to reveal more
about how it functions
Reverse Engineering
A computer program that translates machine language into assembly language
Disassembler
The binary code executed by the processor, typically represented as 2 hex digits
for each byte
Machine Code
The first two bytes of a binary header that indicate its file type
When reading the first two bytes of a Windows portable executable file (EXE, DLL,
SYS, DRV, or COM), it will always start with 4D 5A in hex, MZ in ASCII, or TV in
Base64 encoding
File Signature (or Magic Number)
The native processor instructions used to implement the program
Assembly Code
Software that translates a binary or low-level machine language code into higher
level code
Decompiler
Real or pseudocode in human-readable form that makes it easier to identify
functions, variables, and programming logic used in the code
High-level Code
Any sequence of encoded characters that appears within the executable file
Strings
A method of compression in which an executable is mostly compressed and the
part that isn’t compressed contains the code to decompress the executable
Program Packer
Describes the specific method by which malware code infects a target host
Exploit Technique
Malware designed to install or run other types of malware embedded in a
payload on an infected host
Dropper
A piece of code that connects to the Internet to retrieve additional tools after the
initial infection by a dropper
Downloader
Any lightweight code designed to run an exploit on the target, which may include
any type of code format from scripting languages to binary code
Shellcode
Exploit technique that runs malicious code with the identification number of a
legitimate process
▪ Masquerading
▪ DLL injection
▪ DLL sideloading
▪ Process hollowing
Code Injection
Exploit techniques that use standard system tools and packages to perform
intrusions
Living Off the Land
Threat hunting and security monitoring must use behavioral-based techniques to
identify infections
Behavioral Analysis
A suite of tools designed to assist with troubleshooting issues with Windows, and
many of the tools are suited to investigating security issues
Sysinternals
A kernel-level binary that is the parent of the first user-mode process (Session
Manager SubSystem – smss.exe)
System Idle (PID 0) and System (PID 4)
Manages low-level Windows functions; it is normal to see several of these
running
(as long as they are launched from %SystemRoot%\System32 and have no parent)
Client Server Runtime SubSystem (csrss.exe)
Manages drivers and services and should only have a single instance running as a
process
WININIT (wininit.exe)
Hosts non-boot drivers and background services; there should only be one
instance of services.exe running as a child of wininit.exe, with other service
processes showing as a child of services.exe or svchost.exe
Services.exe
Handles authentication and authorization services for the system, and should
have a single instance running as a child of wininit.exe
Local Security Authority SubSystem (lsass.exe)
Manages access to the user desktop and should have only one instance for each
user session with the Desktop Window Manager (dwm.exe) as a child process in
modern versions of Windows
WINLOGON (winlogon.exe)
Sets up the shell (typically explorer.exe) and then quits, so you should only see
this process briefly after log-on
USERINIT (userinit.exe)
This is the typical user shell, launched with the user’s account privileges rather
than SYSTEM’s, and is likely to be the parent for all processes started by the
logged-on user
Explorer (explorer.exe)
Endpoint detection and response (EDR) requires tuning to reduce false positives
EDR Configuration
Inspects items with over 70 antivirus scanners and URL/domain
blacklisting services, in addition to a myriad of tools to extract signals from the
studied content
VirusTotal (virustotal.com)
A standardized language for sharing structured information about malware that is
complementary to STIX and TAXII to improve the automated sharing of threat
intelligence
Malware Attribute Enumeration and Characterization (MAEC) Scheme
A multi-platform program running on Windows, Linux and Mac OS X for
identifying, classifying, and describing malware samples
Yara
The process of blocking known applications, services, traffic, and other
transmissions to and from your systems
Blacklisting
The process of allowing only known applications, services, traffic, and other
transmissions to and from your systems
Whitelisting
The process of determining what additional software may be installed on a client
or server beyond its baseline
Execution control can be configured as a whitelisting or blacklisting approach
Execution Control in Windows
▪ Software Restriction Policies (SRP)
▪ AppLocker
▪ Windows Defender Application Control (WDAC)
Execution Control in Linux
▪ Mandatory Access Control (MAC)
▪ Linux Security Module (LSM)
Execution Control