Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

GCFA > Enterprise Incident Response > Flashcards

Enterprise Incident Response Flashcards

(198 cards)

Start Studying
1
Q

What percentage of organizations took more than 90 days to detect the intrusion?

A

64%

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the median number of days attackers were present on a victim network before detection?

A

229 days

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is APT?

A

Advanced Persistent Threat

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

How do most organizations find out about intrusions?

A

Third party notifications. In many cases, law enforcement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the steps of incident handling?

A 
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is the first step of incident response?

A

Identification of all the systems compromised.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What percentage of compromised systems have malware installed? Implication?

A

54%

Just because a system doesn’t have malware installed doesn’t mean it isn’t compromised,

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the difference between remediation and recovery?

A

Remediation actions are required to be completed in a very short time, often a weekend, and are intended to mitigate the current incident. Recovery is to move the enterprise back to day to day business.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

TTP?

A

Tactics, Techniques, and Procedures

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Kill chain?

A

Aka Attack Progression.

Reconnaissance
Weaponization
Delivery
Compromise/exploit
C2
Exfiltration
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

How is persistence in APT demonstrated?

A

Maintaining a presence on the network and repeated attempts to gain access to areas where presence is not established.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Why has there been a switch to remotely examining systems rather than imaging?

A

This has happened because in an Enterprise environment it’s often more important to identify the scope of the intrusion than to preserve every last bit of evidence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is rip.pl

A

RegRipper, an automated HIVE parser for SAM, SECURITY, SYSTEM, SOFTWARE, and NTUSER.DAT HIVES. Also works on restore point registries.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What does pffexport do?

A

Pffexport accesses PFF (Personal Folder File) and OFF (Offline Folder File) formats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

pffexport options

A

Page 23, book 1.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Where are compromised images stored on the SIFT workstation?

A

/cases. Each case should have a separate subdirectory under /cases.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Where are filesystem mount points on the SIFT workstation?

A

/mnt

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How should the SIFT workstation be networked?

A

SANS recommends it be placed on the air-gapped Host Only network

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is IR?

A

Incident Response

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What are the 6 steps of Incident Response handling?

A
  1. Preparation
  2. Identification
  3. Containment and Intelligence Gathering
  4. Remediation
  5. Recovery
  6. Follow Up
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Where should incident detects come from? Where do they?

A

They should be found by the security team, but often they’re from a third party, often law enforcement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is the first critical step of incident response?

A

Identifying all the compromised systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Why is it critical to identify all compromised systems?

A

Intruders install malware on 54% of the systems they compromise.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

How often is malware installed on a compromised system?

A

54% of the time.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is the benefit of intelligence gathering during a compromise?
Learning how the intruders are gaining access to systems may help identify traits of compromised systems. Those traits can be used to identify other compromised systems that hadn't yet been detected.
26
What is the difference between remediation and recovery?
Remediation includes the short term actions required to mitigate the current incident. Recovery is the return to day-to-day operations.
27
What might happen in the follow up stage of IR?
Verification that the mitigation is complete and effective. Possible additional monitoring or scanning.
28
What is the difference between digital forensics and enterprise forensics?
Digital forensics is the deep dive on specific systems looking at all processes, all timeline activity, all file system analysis. Enterprise forensics takes a broader view typically targeted at identifying systems that might be of interest. Enterprise forensics would look for select processes, specific timeline activity, and specific filesystem artifacts.
29
What is a vulnerability?
Not well defined on p.40.
30
What is impact?
Impact is the consequence of exploiting a vulnerability. The damage to confidentiality, integrity, or availability as a result. Often a property of the organization and often difficult to change.
31
What is a threat?
Not well defined on p.40.
32
What are the three components of a threat?
Intent, Opportunity, and Capability
33
What is Intent with regards to threat?
The goal the adversary is trying to accomplish. At a high level, often data theft. Often defined by the industry.
34
What is Opportunity with regards to a threat?
Timing and knowledge of the target space. Often paired with vulnerability.
35
What is Capability with regards to a threat?
The ability of adversaries to achieve their goal. Includes skills and resources (financial, human, technical).
36
What is CND?
p41. Might be Computer Network Defense.
37
What is TTP?
Tactics, Techniques, and Procedures (p44)
38
Why might you not block the IP an adversary is known to use?
You can instead monitor activity from the IP and watch for new attack signatures. Using those might enable detecting future attacks even if the adversary changes IPs.
39
What is the key to security intelligence?
Mapping intent to impact. If the goal is data theft, you probably don't have to worry about DDoS.
40
What is "the kill chain"?
The attack progression. p.43.
41
What are the different types of indicators (of what?)
Atomic, Behavioral Computed
42
Describe an atomic indicator
Pieces of data, like an IP address, email address, string, FQDN, that indicates adversary activity.
43
What is a behavioral indicator?
A combination of other indicators that form a profile. These can include other behaviors, like "targets sales force". Broadly, how does the adversary do their job.
44
What is a computed indicator?
Computed indicators include hashes and complex IDS signatures.
45
What are the stages of the kill chain?
1. Reconnaissance 2. Weaponization 3. Delivery 4. Compromise / Exploit 5. C2 6. Exfiltration
46
Describe the reconnaissance portion of the kill chain.
Recon consists of passive research such as examining web sites, reading PDFs, learning about the organization. Often indistinguishable from normal activity.
47
Describe the weaponization portion of the kill chain.
The act of placing malicious payload in a delivery vehicle, such as a trojan in a document.
48
Describe the delivery phase of the kill chain.
Straightforward. The payload is delivered to the target. For example, though email, HTTP, etc.
49
Describe the compromise or exploit phase of the kill chain.
Either a multi-phase or straightforward attack that might have software, hardware, and/or human components (aka social engineering). This typically provokes the classic incident response. Compromise doesn't guarantee that C2 is established.
50
Describe the C2 phase of the kill chain.
Command and Control (C2) is the period following the compromise where the adversary has control over the system. C2 may be established after compromise, but not always. For example, if an adversary inserts malware that isn't compatible with the system, or if you've studied the adversary and have mitigated the attack that would have established C2. This also includes lateral movement inside the organization, file system enumeration, additional tool dropping.
51
Describe the exfiltration phase of the kill chain.
Exfiltration is the phase where data is takenby the adversary. This doesn't include data taken for the purpose of furthering the attack. Such data movement happens during the C2 phase. Exfiltration removes the actual target data.
52
How is the P in APT manifested?
In two ways: maintaining a presence on the network and making repeated attempts to gain access to areas that are not yet compromised.
53
Why is it important to reconstruct the entire kill chain?
Failure to reconstruct the entire kill chain may result in detections only at the compromise stage, which leaves the organization continually vulnerable to intrusions.
54
What is an "Indicator of compromise"?
A combination of boolean expressions that can be used to identify general characteristics of malware. These can be host or network based.
55
How do you identify indicators of compromise?
Through malware reverse engineering and application footprinting.
56
What is IOC?
Indicator of Compromise
57
What is Cybox?
A Mitre project: Cyber Observable eXpression. A standardized schema for the specification, capture, characterization, and communications of events or stateful properties that are observable in the operational domain.
58
What is STIX?
Structured Threat Information eXpression. Also by Mitre. Community driven effort to define and develop a standardized language t represent structured cyber threat information.
59
CRITS?
p.51.
60
YARA?
p51
61
OpenIOC?
Originally for MANDIANT's products, now standardized and open sourced.
62
Describe IOC Editor
Part of OpenIOC, this GUI editor edits XML documents that capture attributes of malicious files, registry changes, memory artifacts, etc. Also supports detailed descriptions of attributes.
63
Add content on psexec.
.
64
How has the default "image anything" policy changed?
It's become more triage oriented, using remote and automated tools to identify indicators of compromise. Once found, those systems can be examined in more depth.
65
What does a Remote Access Agent do?
Provides a connector to raw disk and memory only.
66
What does a Remote Analysis Agent do?
Contains code to perform system analysis in addition or instead of a connector to raw disk and memory.
67
Pros of a Remote Access Agent compared to a Remote Analysis Agent?
Good for targeted analysis, file querying, quick artifact examination, and it's cheap.
68
Pros of a Remote Analysis Agent compared to a Remote Access Agent?
Great for targeted or deep analysis, registry, file querying and scanning, quick or deep artifact analysis, and memory analysis.
69
Cons of Remote Access Agent compared to a Remote Analysis Agent?
Poor for file carving, stream extraction, memory analysis since the data has to traverse the network for local processing.
70
Cons of Remote Analysis Agent compared to a Remote Access Agent?
Often a resource hog. Usually have to scan when the systems aren't being utilized. Expensive, and requires a separate controller.
71
F-Response stuff
p64
72
What is dc3dd?
?
73
Does malware have to be present on a system for it to be compromised?
No. Compromise a system and add an account. It's compromised, but no malware present.
74
If you have a compromised system that's malware free, what might you look for?
Unusual OS artifacts that wouldn't normally be present.
75
How do you analyze prefetch?
.
76
How do you analyze shimcache?
.
77
How do you analyze userassist registry keys?
.
78
How do you analyze jump lists?
.
79
What binary is used for command line access in Windows?
cmd.exe
80
What is cmd.exe?
A command line access tool (shell) in Windows.
81
What is rar.exe?
A file compressor with difficult to crack encryption.
82
What might at.exe or schtasks.exe suggest on a Windows system.
Evidence of compromise, possible privilege escalation or persistence.
83
What SysInternal tools might you find on a compromised Windows system, and what might they do?
PsExec: remote execution PsLoggedOn: interactive logon enumeration ProcDump: dumping of credentials within lsass.exe address space
84
What are wmic.exe, powershell.exe, and winrm.vbs?
They're all used for remote execution
85
What would net.exe use suggest
It's used for mapping drives and enumerating groups, such as "Domain Admins". Suggests possible attempts at lateral movement in the network.
86
What does reg.exe or sc.exe execution suggest?
Adding persistence such as run keys or services.
87
What does the MountPoints2 registry key do?
It shows shares on remote systems such as C$, Temp$, etc.
88
What is a .job file?
?
89
What is the "Malware Paradox"?
Malware can exist on a system, but it can't hide inactive forever. To do what it is intended for, it must run. See http://jessekornblum.com/publications/ijde06.html
90
What are the three possible detection situations?
1. Malware acive 2. Malware exists, but not active 3. No malware, but the system is compromised.
91
What detection situation is hardest to detect?
A system that's compromised, but no malware is present. There's little to look for.
92
What is the most popular malware file name for a system service?
svchost.exe. It's running 5-6 times on most systems, and it's hard to identify a good one from a bad one.
93
List common malware binary names.
svchost. exe iexplore. exe iprinp. dll winzf32. dll
94
How can malware avoid detection?
Process injection, service persistence
95
What services does malware often replace?
Wireless Zero Configuration Service RIP Listener Service Background Intelligent Transfer Service
96
What file types are often malware, according to Virustotal.
executables, libraries, PDFs, ZIPs, and other document types.
97
What advantages does hiding in plain sight have for malware?
Attempts to hide can make the system unstable or result in detection anyway.
98
What tactics does malware use to evade AV or host based intrusion detection?
Frequent compilation, packing, armoring.
99
How does trusted code signing work?
Duh
100
Why hasn't code signing eliminated malware?
It's proven too easy to steal certificates (Adobe, Opera). Stuxnet was signed code.
101
What advantage does signed malware have?
It spreads and hides easier on networks. It can remain hidden longer without arousing suspicion. Often espionage malware is hidden.
102
How likely is it that malware is signed?
According to McAfee, 4.5% of malware is signed. Malware discovered in the last year: 6%. This has been stable over the past several years. 6.6% in 2012.
103
What are the drawbacks to signing malware?
Slower development and release. Rapid devleopment and release is needed to thwart AV. Need "a plethora of signing certs" to avoid burning all their active malware when certs are revoked.
104
What adversaries are more likely to use signed malware?
Nation states.
105
If you wanted to limit the scope of signed code to examine, how might you do it?
Don't focus on big name companies that are more likely to stay on top of certificates and revocations, like Microsoft, Apple, Google.
106
If malware is not found on a system, do you know the system is not compromised?
No. Only about half of compromised systems have malware.
107
p103
p103 needs more examination.
108
p104
p104
109
What is an ASEP?
Auto Start Execution Points. These are places in Windows that automatically run programs. There are over 50.
110
What are the most popular ASEPs?
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce \Software\Microsoft\Windows\CurrentVersion\Run \Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run \Software\Microsoft\Windows\CurrentVersion\Runonce
111
What is the Userinit key?
A registry key, an ASEP, that should only contain a reference to userinit.exe. It runs logon scripts, reestablishes network connections, and starts explorer.exe.
112
What is explorer.exe?
The Windows user interface.
113
What is userinit.exe?
A program that is automatically started in Windows. It runs logon scripts, reestablishes network connections, and starts explorer.exe.
114
What malware persistence technique on Windows doesn't require admin rights?
Placing a program in %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Shortcuts placed here start upon user logon.
115
RegRipper ASEPs
p110
116
What is svchost.exe?
It's a generic service host process.
117
How is svchost.exe configured?
Registry keys under HKLM\System\CurrentControlSet\Servces provide parameters for each service.
118
Why is it useful for malware to be configured as a windows service?
Services often start before antivirus, making it easier to avoid detection. Also, a typical Windows system may have > 100 services registered, making it easier to hide in plain sight.
119
What is service replacement?
Similar to service creation as a malware persistence method, but different in that it finds a service already set to auto start that is unimportant, or one that isn't typically started at boot. Not as common as service creation due to its complexity.
120
What Start value starts a Windows service?
0x02
121
Service Recovery Mode option?
p112
122
What tool can you use to identify and analyze services on a system?
Sysinternals autoruns
123
What is at.exe?
A windows method of scheduling a task to run later.
124
What artifacts does at.exe create?
Files named at*.job (at1.job and up) in the \Windows\Tasks and \Windows\System32\Tasks folders
125
Why was at.exe a popular attack vector?
At ran as SYSTEM regardless of the user's privileges.
126
What is schtasks.exe?
An upgraded at.exe, a windows tool for scheduling tasks for later execution.
127
If at.exe or schtasks.exe are used to schedule a task remotely, where are most artifacts found?
On the remote system where the task actually runs, not the one it was scheduled from.
128
What tool can collect currently scheduled jobs on Windows?
Sysinternals autoruns.
129
What SIFT tool can be used to parse AT job files?
jobparser.py. jobparse.pl also does this.
130
What does Event ID 106 record?
Newly created Scheduled Tasks. It contains the user and task name, but not a lot more (look into what).
131
What kinds of events are in the Task Scheduler/Operational log?
106: Scheduled Task Created 140: Scheduled Task Updated 141: Scheduled Task Deleted
132
How can you get more granular logging for Windows Scheduled Tasks?
Turn Object access auditing on and look in the Security log for: 4698: Scheduled Task Created 4699: Scheduled Task Deleted 4700: Scheduled Task Enabled 4701: Scheduled TAsk Diabled 4702: Scheduled Task Updated
133
How does DLL persistence attack work?
Search order hijacking: place a malicious DLL in the search path before the legitimate one. Search path starts at CWD and ends at c:\Windows\System32. Exception: DLLs listed in the KnownDLLs registry key.
134
What is Phantom DLL hijacking?
Abusing the fact that some old DLLs are still loaded (or attempted) by applications even though they aren't needed, and sometimes not present on the system.
135
What is DLL side loading?
p118
136
What is WMI?
Windows Management Instrumentation
137
What is a WMI Event Consumer?
A feature that permits monitoring for specific events, and when triggered, alert event consumers that can run scripts or execute code. Requires admin privs, but can be used to create a backdoor.
138
What privileged do WMI Consumers run at?
SYSTEM in XP and LOCAL_SERVICE in Win7+.
139
What is a MOF?
Managed Object Format file.
140
What can you use a MOF to do?
A MOF (managed object format) file can be used to register new classes into the WMI repository.
141
What is Get-WmiObject?
A PowerShell cmdlet for identifying and removing suspicious WMI entries.
142
What are the most common persistence mechanisms?
* Auto-start locations * Service creation / replacement * Service failure recovery * Scheduled tasks * DLL hijacking * WMI Event Consumers
143
What is the go-to tool for incident responders?
The autoruns tool from Sysinternals.
144
What is autorunsc.exe?
The command line version of the Sysinternals too, Autoruns.
145
Autoruns command line options?
p122
146
What limitation does autorunsc.exe have?
It has to be run on a live system.
147
How does autorunner differ from autorunsc.exe?
Autorunsc.exe has to be run on a live system. Autorunner works on a forensic image.
148
More from p124
p.124
149
What is the Windows kernel executable called?
ntoskrnl.exe
150
Poster
http://digital-forensics.sans.org/media/poster_2014_find_evil.pdf
151
What are the two major methods that malware authors use to obscure their processes?
Hide in plain sight or use code injection or rootkit methods to appear legitimate.
152
What, other than suspicious processes should you look for on a Windows system as evidence of compromise?
Suspicious DLLS executed through rundll32.exe, implemented as services with svchost.exe, or injected into legitimate processes.
153
What software will check on disk signatures for running code?
Mandiant Redline.
154
What software will check offline software for valid signatures?
Didier Stevens' Authenticode Tools or Sysinternals' sigcheck.exe.
155
How does code injection or rootkits benefit a malware author?
Hiding from normal analysis techniques.
156
How can you detect code injection or rootkits?
Memory analysis.
157
What is the one legitimate use of code injection?
Software debugging.
158
Why is code injection nearly always worth investigating?
It has few legitimate uses; notably software debugging. There may be no others.
159
What is a rootkit?
Software which can use any of a broad category of methods intended to subvert the operating system to hide activities and data.
160
List rootkit detection software:
GMER | Rootkit Revealer
161
How do rootkit detection tools work?`
By comparing the state of the system according to the OS compared to the state determined by the tool.
162
Why doesn't offline memory analysis work well for detecting rootkits?
It doesn't rely on the compromised OS, so artifacts like unlinked but still running processes and suspicious function hooks may be found.
163
Why are rootkits relatively rare?
They require skill to create a reliable exploit across various Windows versions.
164
What tools have robust features for finding code injection and rootkit behaviors?
Mandiant Redline and Volatility
165
What is svchost.exe?
A generic service host process. It's typical to see 5 or more running on a Windows system.
166
Under what registry key are service configurations and device driver configurations found?
HKLM\SYSTEM\CurrentControlSet\Services
167
What command can be used to investigate service configurations within the registry?
sc
168
What parameters can be used with the sc command to investigate service configurations within the registry?
queryex qc qprivs qtriggerinfo
169
Can a compromised system contain no malware?
Yes.
170
How should you look for evidence of compromise on a system that has no malware?
Look for unusual OS-based artifacts that wouldn't exist on a typical workstation or server in the organization.
171
When investigating program execution what should you focus on?
Prefetch, shimcache, userassist registry keys, and jump file lists.
172
What does cmd.exe do?
It provides command line access to a Windows system.
173
What does rar.exe do, or the presence of rar suggest?
Rar.exe is a hard-to-crack archiving tool. Rar files may suggest a compromise or evidence of exfiltration.
174
What are at.exe and schtasks.exe used for?
Privilege escalation and persistence.
175
What does the presence of sysinternals tools (psexec, psloggedon, ProcDump) suggest?
They are evidence of remote execution, interactive logon enumeration, and dumping of lsass.exe address space respectively.
176
What is wmic.exe powershell.exe, or winrm.vbs used for?
Remote execution.
177
What is net.exe used for?
Mapping drives (useful for lateral movement and enumerating groups like Domain Admins)
178
What is reg.exe or sc.exe used for?
Adding persistence such as run keys or services
179
What can the MountPoints2 registry key be used for?
It records shares on remote systems such as C$, Temp$, etc.
180
What do .job files in C:\Windows\Tasks suggest?
They can be related to odd application executions.
181
What anomalous characteristics should you look for when reviewing Windows processes?
* Started with the wrong parent processes * Image executable in the wrong path * Misspelled processes * Processes that are running under the wrong account (incorrect SID) * Processes with unusual boot times (minutes or hours after boot if it should be seconds) * Unusual command-line arguments * Packed executables
182
Describe the Windows system process:
``` Image Path: N/A Parent Process: None Number of Instances: One User Account: Local System Start Time: Boot Description: Responsible for most kernel-mode threads. Modules run under system are mostly drivers (.sys), but include several important DLLs and the kernel executable, ntoskrnl.exe. ```
183
Describe the Windows smss.exe process:
Image Path: %SystemRoot%\System32\smss.exe Parent Process: System Number of Instances: One master and another child per session. Children exit after creating their session User Account: Local System Start Time: Within seconds of boot for the master Description: Responsible for creating new sessions. Exits after starting csrss.exe and wininit.exe or winlogon.exe.
184
Describe the Windows csrss.exe process:
Image Path: %SystemRoot%\System32\csrss.exe Parent Process: smss.exe. Analysis tools usually can't provide this. Number of Instances: 2+ User Account: Local System Start Time: Within seconds of boot for first 2, later as other sessions are created. Description: Client/Server Run-Time Subsystem: the user mode process for the Windows subsystem. Manages processes and threads, imports DLLs that provide the Windows API, shuts down the GUI during system shutdown. *Searching the address space for csrss.exe processes is particularly useful when analyzing the memory of compromised hosts (why?).
185
Describe the Windows services.exe process:
Image Path: %SystemRoot%\System32\services.exe Parent Process: wininit.exe. Number of Instances: 1 User Account: Local System Start Time: Within seconds of boot Description: Implements the Unified Background Process Manager (UBPM), which is responsible for services and scheduled tasks. Also implements the Service Control Manager (SCM) which handles loadin gof services and device drivers marked for auto-start. Also sets the Last Known Good control set to the value of the CurrentControlSet once a user has successfully logged in.
186
Describe the Windows svchost.exe process:
Image Path: %SystemRoot%\System32\svchost.exe Parent Process: services.exe. Number of Instances: 5+ User Account: Varies, but typically Local System, Network Service or Local Service. Start Time: Within seconds of boot, unless services are started later. Description: Generic Windows host process. Used for running service DLLs. -k parameter used for grouping similar services. (List them p133).
187
Why do malware authors use svchost.exe?
It's ubiquitous, so easy to hide.
188
How do malware authors use svchost.exe?
Either as camoflage (misspelling, putting an executable in an incorrect directory), or directly to start illegitimate services.
189
Describe the Windows lsm.exe process:
Image Path: %SystemRoot%\System32\svchost.exe Parent Process: wininit.exe. Number of Instances: 1 User Account: Local System Start Time: Within seconds of boot Description: Local Session Manager handles terminal services including RDP and additional local sessions via Fast User Switching. Communicates with smss.exe to start new sessions. Should never have child processes.
190
Describe the Windows explorer.exe process:
Image Path: %SystemRoot%\explorer.exe Parent Process: userinit.exe. Analysis tools usually can't provide this. Number of Instances: 1 per interactively logged in user. User Account: the logged on user Start Time: When the user logs in Description: Provides access to files, file browser, user interface to desktop, start menu, task bar, control panel, application launching via file extension and shortcut files.
191
Describe the Windows iexplore.exe process:
Image Path: \ProgramFiles\Internet Explorer\iexplore.exe Parent Process: explorer.exe Number of Instances:0 to many User Account: the logged on user Start Time: When the user starts it. Can be started automatically via the -embedding switch, which causes a different parent process. Description: Web browser. Subprocess for each tab (several reasons, including enhanced security). Tabs run with low integrity to make it more difficult to modify sensitive areas of the registry or filesystem.
192
How do attackers use iexplorer.exe to hide?
Hiding in plain sight by naming their executable iexplore.exe and putting it in another directory or misspelling as iexplorer.exe.
193
Describe the Windows winlogon.exe process:
Image Path: %SystemRoot%\System32\winlogon.exe Parent Process: smss.exe which exits, so analysis tools usually don't provide it. Number of Instances: 1 or more User Account: Local System Start Time: Within seconds of boot for the first instance (Session 1). Additional as new sessions are created through RDP or Fast User Switching. Description: Handles interactive user logons and logoffs. Launches LoginUI.exe, which accepts the username and password. Credentials verified by lsass.exe, then loads the user's NTUSER.DAT into NKCU and starts the shell (explorer.exe) via userinit.exe.
194
Describe the Windows lsass.exe process:
Image Path: %SystemRoot%\System32\lsass.exe Parent Process: wininit.exe Number of Instances: 1 User Account: Local System Start Time: Within seconds of boot Description: Local Security Authentication Subsystem Server. Responsible for authenticating users by calling an appropriate security service provider (SSP) authenication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically kerberos SSP for domain accounts or MSV1_0 SSP for local. Generates an access token for the user that specifies security rights and constraints for the user and processes. Should never have child processes.
195
Describe the Windows taskhost.exe process:
Image Path: %SystemRoot%\System32\taskhost.exe Parent Process: services.exe Number of Instances: Multiple User Account: . One or more owned by logged in users and/or local service accounts Start Time: Vary greatly Description: Generic host process for Windows Tasks. Tasks are handled through Universal Background Process Manager (UBPM). Runs in a continuous loop listining for trigger events, such as: definied schedule, user logon, system startup idle CPU, Windows log event, workstation lock or unlock.
196
Describe the Windows wininit.exe process:
Image Path: %SystemRoot%\System32\wininit.exe Parent Process: smss.exe, which exits so analysis tools usuall can't provide it. Number of Instances: 1 User Account: . Local System Start Time: Within seconds of boot Description: Starts key background processes within Session 0. Starts the Service Control Manager (SCM, services.exe), Local Security Authority processes (lsass.exe), and the Local Session Manager (lsm.exe).
197
What should be in a minimal live response kit?
* Small hub or switch * CAT5 * Crossover cable * Enterprise scanning capability (F-Response, GRR, Mandiant MIR) * Live resonse tools * Memory and Drive Analysis and/or Acquisition Tools * Sysinternals tools + scripts * Drive Adapters (SATA/IDE/SCSI) or * SATA/IDE Hardware write-blocker * Large Capacity Target media
198
p142
p142

GCFA (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions