Endpoint Monitoring Flashcards
HIPS/HIDS
Host-based IDS/IPS; monitors the computer it is installed on
EDR
Software that collects system data and logs for analysis and early detection
UEBA
A system that can provide automated identification of suspicious activity
by user accounts and computer hosts, typically using AI or machine learning
Disassembler
A computer program that translates machine language into assembly
language.
Machine code (binary)
File signature (file type)
Assembly code (instructions that implement the program)
Decompiler
Software that translates binary or low-level machine code
into higher-level code.
High-level code (human readable)
strings (signature detection; a sequence of encoded characters; malware frequently contains InternetOpenUrl alongside a URL, which indicates an attempt to download from a web address)
Program packer (compressed executable; sometimes evades scanners)
Dropper vs downloader
Malware that installs or runs a payload vs code that retrieves additional tools after the dropper has infected the host
Shellcode
Any lightweight code designed to run an exploit on the target, which may
include any type of code format from scripting languages to binary code
Behavioral Analysis
Threat hunting and security monitoring must use behavioral-based techniques to
identify infections
Sysinternals
A suite of tools designed to assist with troubleshooting issues with
Windows; many of the tools are suited to investigating security issues. Used to separate normal from abnormal behavior
System Idle (PID 0) and System (PID 4)
Kernel-level processes that are the parent of the first user-mode
process (Session Manager Subsystem – smss.exe)
csrss.exe
Manages low-level Windows functions; it is normal to see
several of these running (as long as they are launched from
%SystemRoot%\System32 and have no parent)
wininit.exe
Manages drivers and services and should only have a single
instance running as a process
Services.exe
Hosts non-boot drivers and background services; there should be
only one instance of services.exe running, as a child of
wininit.exe, with other service processes showing as children of
services.exe or svchost.exe
lsass.exe
Provides authentication services for the system
winlogon.exe
Manages access to the user desktop and should have only one
instance for each user session with the Desktop Window Manager
(dwm.exe) as a child process in modern versions of Windows
userinit.exe
Sets up the shell (typically explorer.exe) and then quits, so you
should only see this process briefly after logon
explorer.exe
This is the typical user shell, launched with the user’s account
privileges rather than SYSTEM’s, and is likely to be the parent for
all processes started by the logged-on user
EDR
Endpoint detection and response (EDR) requires tuning to reduce false positives
VirusTotal (inspects items over all data sources)
MAEC (signature detection; shared in the same way as STIX and TAXII)
YARA (matches strings against data sources)
Execution Control
The process of determining what additional software may be installed on
a client or server beyond its baseline
SRP (creates allow lists of files for different system locations)
AppLocker (improves on the configuration options of SRP)
WDAC (creates a code integrity policy; can be used together with AppLocker)