Host-based Analysis and Network Intrusion Analysis

Question 1

What is a process made up of?

Answer 1

A process is made up of one or more threads

Question 2

What is a thread?

Answer 2

the basic units an operating system allocates process time to

Question 3

What is a Job Object?

Answer 3

Processes grouped together and managed as a unit

Question 4

A thread pool ?

Answer 4

a group of worker threads that efficiently

execute asynchronous callbacks for the application

Question 5

What is a Fiber?

Answer 5

is unit of execution that is manually scheduled by an application

Question 6

What is CreateProcessWithTokenW function?

Answer 6

Using tokens to specify the current security context for a process by Windows.

Question 7

Static memory allocation?

Answer 7

is when a program allocates memory at compile time

Question 8

Dynamic memory allocation?

Answer 8

is when a program allocates memory at runtime

Question 9

A heap

Answer 9

is memory set aside for dynamic allocation.

Question 10

A stack ?

Answer 10

is the memory set aside as spare space for a thread of execution

Question 11

A virtual address space?

Answer 11

is the virtual memory used by processes.

Question 12

A virtual address ?

Answer 12

is a reference to the physical location of an object in memory

Question 13

HKEY_CLASSES_ROOT (HKCR): ?

Answer 13

HKCR information ensures that the correct program
opens when it is executed in Windows Explorer. HKCR also contains further details on
drag-and-drop rules, shortcuts, and information on the user interface. The reference location is HKLM\Software\Classes.

Question 14

HKEY_CURRENT_CONFIG (HCU): ?

Answer 14

HCU stores information about the system’s current

configuration. The reference for HCU is HKLM\Config\profile.

Question 15

HKEY_LOCAL_MACHINE (HKLM): ?

Answer 15

HKLM contains machine hardware-specific information that the operating system runs on. This includes a list of drives mounted on the
system and generic configurations of installed hardware and applications. HKLM is a hive
that isn’t referenced from within another hive.

Question 16

HKEY_USERS (HKU): ?

Answer 16

HKU contains configuration information of all user profiles on
the system. This includes application configurations and visual settings. HKU is a hive
that isn’t referenced from within another hive.

Question 17

What are some of the Registry functions?

Answer 17

Some functions of the registry are to load device drivers, run startup programs, set environment variables, and store user settings and operating system parameters.

Question 18

What is WMI ?

Answer 18

is a scalable system management infrastructure built around a single, consistent, standards-based, extensible, object-oriented interface.

Question 19

How does WMI get the data?

Answer 19

pulled in with scripting or tools because WMI by itself doesn’t show data.

Question 20

A handle ?

Answer 20

A handle is an abstract reference value to a resource.

Question 21

A handle leak ?

Answer 21

A handle leak can occur if a handle is not released after being used.

Question 22

How Windows administrators can manage services?

Answer 22

using the Services snap-in, Sc.exe, or

Windows PowerShell.

Question 23

What is A log parser ?

Answer 23

A log parser is a tool that provides universal query access to text-based data such
as event logs, the registry, the file system, XML files, CVE files, and so on.

Question 24

types of processes can run in UNIX?

Answer 24

■ Child process
■ Init process
■ Orphan process
■ Zombie process
■ Daemon process

Question 25

What are the two methods for starting a process ?

Answer 25

starting it in the foreground and starting it in | the background.

Question 26

An orphan process results when ?

Answer 26

when a parent process is terminated and the child process is permitted to continue on its own.

Question 27

A zombie process ?

Answer 27

is a process that releases its associated memory and resources but remains in the entry table .

Question 28

What are the common Security Event Artifacts?

Answer 28

``` IP Addresses Hostnames and Domain Names URI / URL Client and Server Port Identity Process (File or Registry) System API Calls Hashes ```

Question 29

What are common evasion techniques against traditional IDS and IPS ?

Answer 29

``` ■ Fragmentation: ■ Using low-bandwidth attacks: ■ Address spoofing/proxying: ■ Pattern change evasion: ■ Encryption: ```

Question 30

what is a regular expression (sometimes referred to as “regex”) ?

Answer 30

is a text string for describing a search pattern.

Question 31

What is regex used for ?

Answer 31

To create intrusion detection signatures and search patterns.

Question 32

What does the regular expression ^o do in | cyberOps$ ls -1 | grep ^o ?

Answer 32

list all files that start with the letter o

Question 33

Using regex display any transactions of the host with IP address 192.168.78.8 that took place at 15:46:15. in a log file.

Answer 33

cat packets.txt | grep ^15\:46:15.*78\.8

Question 34

What are the benefits of Protocol header analysis ?

Answer 34

- better detection of both known and unknown attacks. by alerting and blocking traffic on anomalies within the protocol transactions - more difficult for threat actors to evade.

Question 35

What is an advantage for using Packet Captures for Intrusion Analysis?

Answer 35

- used for security event research and analysis. - confirm false positives and true positives. - to follow a TCP stream and see all the packets in that stream or session