Lesson 13: Analyze Indicators of Malicious Activity Flashcards
What is the purpose of the preparation phase in CompTIA’s incident response lifecycle?
Identifies data sources that can support investigation; Tools to aggregate/correlate data; Alerting/identifying.
Define ‘Malware’
Software that serves a malicious purpose, typically installed without the user’s consent (or knowledge).
What is the purpose of malware classification?
Describes the vector used by the malware; Method by which the malware executes on a computer and potentially spreads to other network hosts.
Define a ‘virus’
One of the first types of malware; spreads without any authorization by being concealed within the executable code of another process - the process is described as being infected with the virus.
Define a ‘trojan’ malware
A malicious software program hidden within an innocuous-seeming piece of software; Designed to operate discreetly without authorization.
Define a ‘Potentially unwanted program (PUP)’ malware
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
What are the 4 classifications of malware/viruses?
- Non-resident/file infector
- Memory resident
- Boot
- Script and macro viruses
Define a ‘Non-resident/file infector’ malware/virus
Virus is contained within a host executable file and runs with the host process.
Define a ‘Memory resident’ malware/virus
When the payload is executed, the virus creates a new process for itself in memory and remains in memory, even if the host process is terminated.
Define a ‘boot’ malware/virus
Virus code is written to the disk boot sector or the partition table of a fixed disk and executes as a memory-resident process when the OS starts or the media is attached to the computer.
Define a ‘Script and macro viruses’ malware/virus
Malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript.
Define a ‘multipartite’ malware/virus
Viruses that use multiple vectors.
Define a ‘polymorphic’ malware/virus
Viruses that can dynamically change or obfuscate their code to evade detection.
What is the common goal of all malware/virus classifications and vectors?
To infect a host file or media.
Define a ‘worm’
A type of malware that replicates between processes in system memory and can spread over client/server network connections without user intervention.
How is modern malware defined as ‘fileless’?
The malware won’t write code to disk; Malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host.
How can fileless malware remain persistent in a system without writing code to disk?
By changing registry values that execute if the host computer is restarted.
How can fileless malware evade detection and create backdoors?
By using shellcode to exploit a software vulnerability to gain initial access to a victim system.
Define a ‘live off the land’ technique that a fileless malware might use to evade detection
If an attacker has sufficient permissions, malware code can use legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions.
Define the term ‘advanced persistent threat (APT)’
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.
How can a cookie be viewed as a malicious file?
Third-party cookies can be used to record web activity, track the user’s IP address, and harvest various other metadata.
Define a ‘Supercookie’
A type of tracking cookie stored on a computer indefinitely used to monitor behavior and collect data.
Define a ‘beacon’
A single pixel image embedded into a website. While invisible to the user, the browser must make a request to download the pixel to load the site, giving the beacon host the opportunity to collect metadata.
Define ‘adware’
A class of PUP/bloatware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor’s pages at startup, adding bookmarks, and so on, with the purpose of recording information about the user and their computer.
Define ‘spyware’
Malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, activate recording devices, and perform DNS redirection.
Define a ‘keylogger’
Malicious software or hardware that can record user keystrokes.
Define a ‘backdoor’
Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.
Define a ‘remote access Trojan (RAT)’
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
Define a ‘bot’
Automated script or tool that performs some malicious activity.
Define a ‘botnet’
A group of hosts or devices that have been infected by a bot, which enables attackers to exploit the hosts to mount attacks.
How is a botnet controlled?
By a command and control (C2 or C&C) host or network.
Define a ‘command and control (C2 or C&C)’ host/network
Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.
Define a ‘covert channel’
Subverts network security to transfer data without authorization or detection.
Once activated by a user, what permissions does a trojan adopt?
Inherits the privileges of that user account.
Define a ‘rootkit’
Malware that runs with SYSTEM level permissions; Class of malware that modifies system files, often at the kernel level, to conceal its presence.
What is the danger of a rootkit that attacks firmware?
Can survive any attempt to remove the rootkit by reformatting a drive or reinstalling OS.
Define ‘ransomware’
Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.
What are typical ways ransomware operators demand payment while avoiding revealing their identity?
Cryptocurrency; wire transfers; premium rate phone lines.
Define ‘crypto-ransomware’
A class of ransomware that attempts to encrypt data files on any fixed, removable, and network drives.
Define ‘Cryptojacking malware’
A type of crypto-malware that hijacks the resources of the host to perform cryptocurrency mining.
Define a ‘logic bomb’
A malicious program or script that is set to run under particular circumstances or in response to a defined event.
Define a ‘tactic’ in terms of bad actor behavior
Behaviors such as reconnaissance, persistence, and privilege escalation are examples of tactics.
Define a ‘technique’ in terms of bad actor behavior
Description of how a threat actor progresses a tactic.
Define a ‘procedure’ in terms of bad actor behavior
Description of how a technique is performed.
Define an ‘indicator of compromise (IoC)’
A sign that an asset or network has been attacked or is currently under attack.
Define a ‘sheep dip’
An isolated host used to test new software and removable media for malware indicators before it is authorized on the production network.
Define ‘Impossible travel’
A potential indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe.
How can concurrent sessions be a sign of malicious activity?
Indicates that the threat actor has obtained the account credentials and is signed in on another workstation or over a remote access connection.
Define a ‘physical attack’ in terms of cybersecurity
An attack directed against cabling infrastructure, hardware devices, or the environment of the site facilities hosting a network.
Define an ‘environmental attack’
A physical threat directed against power, cooling, or fire suppression systems.
Define ‘RFID cloning’
Making a copy of a contactless RFID access card.
Define ‘RFID skimming’
Using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.