Host-based Analysis and Network Intrusion Analysis Flashcards

1
Q

What is a process made up of?

A

A process is made up of one or more threads.

2
Q

What is a thread?

A

The basic units to which an operating system allocates processor time.

3
Q

What is a Job Object?

A

Processes grouped together and managed as a unit.

4
Q

What is a thread pool?

A

A group of worker threads that efficiently execute asynchronous callbacks for the application.

5
Q

What is a Fiber?

A

A unit of execution that is manually scheduled by an application.

6
Q

What is the CreateProcessWithTokenW function?

A

A Windows function that creates a new process, using a token to specify the security context the process runs in.

7
Q

What is static memory allocation?

A

When a program allocates memory at compile time.

8
Q

What is dynamic memory allocation?

A

When a program allocates memory at runtime.

9
Q

What is a heap?

A

Memory set aside for dynamic allocation.

10
Q

What is a stack?

A

Memory set aside as spare space for a thread of execution.

11
Q

What is a virtual address space?

A

The virtual memory used by processes.

12
Q

What is a virtual address?

A

A reference to the physical location of an object in memory.

13
Q

What is HKEY_CLASSES_ROOT (HKCR)?

A

HKCR information ensures that the correct program opens when a file is executed in Windows Explorer. HKCR also contains further details on drag-and-drop rules, shortcuts, and information on the user interface. The reference location is HKLM\Software\Classes.

14
Q

What is HKEY_CURRENT_CONFIG (HCU)?

A

HCU stores information about the system's current configuration. The reference for HCU is HKLM\Config\profile.

15
Q

What is HKEY_LOCAL_MACHINE (HKLM)?

A

HKLM contains hardware-specific information about the machine the operating system runs on. This includes a list of drives mounted on the system and generic configurations of installed hardware and applications. HKLM is a hive that isn't referenced from within another hive.

16
Q

What is HKEY_USERS (HKU)?

A

HKU contains configuration information for all user profiles on the system. This includes application configurations and visual settings. HKU is a hive that isn't referenced from within another hive.

17
Q

What are some functions of the Registry?

A

Some functions of the Registry are to load device drivers, run startup programs, set environment variables, and store user settings and operating system parameters.

18
Q

What is WMI?

A

WMI is a scalable system management infrastructure built around a single, consistent, standards-based, extensible, object-oriented interface.

19
Q

How does WMI get the data?

A

The data is pulled in with scripting or tools, because WMI by itself doesn't display data.

20
Q

What is a handle?

A

A handle is an abstract reference value to a resource.

21
Q

What is a handle leak?

A

A handle leak can occur if a handle is not released after being used.

22
Q

How can Windows administrators manage services?

A

Using the Services snap-in, Sc.exe, or Windows PowerShell.

23
Q

What is a log parser?

A

A log parser is a tool that provides universal query access to text-based data such as event logs, the Registry, the file system, XML files, CSV files, and so on.

24
Q

What types of processes can run in UNIX?

A
■ Child process
■ Init process
■ Orphan process
■ Zombie process
■ Daemon process
25
Q

What are the two methods for starting a process?

A

Starting it in the foreground and starting it in the background.

26
Q

When does an orphan process result?

A

When a parent process is terminated and the child process is permitted to continue on its own.

27
Q

What is a zombie process?

A

A process that has released its associated memory and resources but remains in the entry table.

28
Q

What are the common Security Event Artifacts?

A
IP Addresses
Hostnames and Domain Names
URI / URL
Client and Server Port Identity
Process (File or Registry)
System API Calls
Hashes
29
Q

What are common evasion techniques against traditional IDS and IPS?

A
■ Fragmentation
■ Using low-bandwidth attacks
■ Address spoofing/proxying
■ Pattern change evasion
■ Encryption
30
Q

What is a regular expression (sometimes referred to as "regex")?

A

A text string for describing a search pattern.

31
Q

What is regex used for?

A

To create intrusion detection signatures and search patterns.

32
Q

What does the regular expression ^o do in the following command?

cyberOps$ ls -1 | grep ^o

A

It lists all files whose names start with the letter o.

33
Q

Using regex, display any transactions in a log file involving the host with IP address 192.168.78.8 that took place at 15:46:15.

A

cat packets.txt | grep ^15:46:15.*78.8

34
Q

What are the benefits of protocol header analysis?

A
  • Better detection of both known and unknown attacks, by alerting on and blocking traffic that shows anomalies within the protocol transactions.
  • More difficult for threat actors to evade.
35
Q

What are the advantages of using packet captures for intrusion analysis?

A
  • They are used for security event research and analysis.
  • They confirm false positives and true positives.
  • They allow an analyst to follow a TCP stream and see all the packets in that stream or session.