Interview Questions

Question 1

Name the protocols that run on these ports:
88
143
137-139
161-162
110
389
445

Answer 1

88 - Kerberos
143 - IMAP
137-139 - NetBIOS
161-162 - SNMP
110 - POP3
389 - LDAP
445 - SMB

Question 2

How can Malware maintain persistence?

Answer 2

Auto-run key/Start Up, scheduled tasks,

Question 3

What family of malware often targets Volume Shadow Copies?

Answer 3

Ransomware

Question 4

Why would you see DNS going over TCP?

Answer 4

DNS Zone transfers

Question 5

What do you know about Alternate Data Streams?

Answer 5

A half-assed implemented feature. ADS is a second stream of data stored in a file. This information isn’t natively seen by the OS, so adversaries can use it to hide information.

Question 6

Explain a Web shell.

Answer 6

Script that can be uploaded to a web server to enable remote administration. Can be used to pivot further internally.

Question 7

Name some Windows Event ID's:
4608
4609
4624
4625

Answer 7

4608 - Windows is starting up
4609 - Windows is shutting down
4624 - Account Successfully logged on
4625 - Account failed to log on.

Question 8

What is a .DLL file?

Answer 8

Dynamic Link Library file. Holds a repository of code other applications can reference

Question 9

What is DLL search order hijacking?

Answer 9

Windows has a specified order in which it searches for DLL files. Attackers can put a DLL file by the same name in a directory Windows will search first before it finds the legitimate file.

Question 10

Name the 4 Windows NTFS Timestamps

Answer 10

File last accessed, file last modified, file created, and metadata last modified.