Lesson 13: Analyze Indicators of Malicious Activity Flashcards
What is the purpose of the preparation phrase in CompTIA’s incident response lifecycle?
Identifies data sources that can support investigation; Tools to aggregate/correlate data; Alerting/identifying.
Define ‘Malware’
Software that serves a malicious purpose, typically installed without the user’s consent (or knowledge).
What is the purpose of malware classification?
Describes the vector used by the malware; Method by which the malware executes on a computer and potentially spreads to other network hosts.
Define a ‘virus’
First types of malware; Spread without any authorization by being concealed within executable code of another processes - the processes are described as being infected with malware.
Define a ‘trojan’ malware
A malicious software program hidden within an innocuous-seeming piece of software; Designed to operate discreetly without authorization.
Define a ‘Potentially unwanted program (PUP)’ malware
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
What are the 4 classifications of malware/viruses?
- Non-resident/file infector
- Memory resident
- Boot
- Script and macro viruses
Define a ‘Non-resident/file infector’ malware/virus
Virus is contained within a host executable file and runs with the host process.
Define a ‘Memory resident’ malware/virus
When the payload is executed, the virus creates a new process for itself in memory and remains in memory, even if the host process is terminated.
Define a ‘boot’ malware/virus
Virus code is written to the disk boot sector or the partition table of a fixed disk and executes as a memory-resident process when the OS starts or the media is attached to the computer.
Define a ‘Script and macro viruses’ malware/virus
Malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript.
Define a ‘multipartite’ malware/virus
Viruses that use multiple vectors.
Define a ‘polymorphic’ malware/virus
Viruses that can dynamically change or obfuscate their code to evade detection.
What is the common goal of all malware/virus classifications and vectors?
To infect a host file or media.
Define a ‘worm’
A type of malware that replicates between processes in system memory and can spread over client/server network connections without user intervention.
How is modern malware defined as ‘fileless’
The malware won’t write code to disk; Malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host.
How can fileless malware remain persistent in a system without writing code to disk?
By changing registry values that execute if the host computer is restarted.
How can fileless malware evade detection and create backdoors?
By using shellcode to exploit a software vulnerability to gain initial access to a victim system.
Define a ‘live off the land’ technique that a fileless malware might use to evade detection
If an attacker has sufficient permissions, malware code can use legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions.
Define the term ‘advanced persistent threat (APT)’
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.
How can a cookie be viewed as a malicious file?
Third-party cookies can be used to record web activity, track the user’s IP address, and harvest various other metadata.
Define a ‘Supercookie’
A type of tracking cookie stored on a computer indefinitely used to monitor behavior and collect data.
Define a ‘beacon’
A single pixel image embedded into a website. While invisible to the user, the browser must make a request to download the pixel to load the site, giving the beacon host the opportunity to collect metadata.
Define ‘adware’
A class of PUP/bloatware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor’s pages at startup, adding bookmarks, and so on, with the purpose of recording information about the user and its computer.
Define ‘spyware’
Malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, activate recording devices, and perform DNS redirection.
Define a ‘keylogger’
Malicious software or hardware that can record user keystrokes.
Define a ‘backdoor’
Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.
Define a ‘remote access Trojan (RAT)’
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
Define a ‘bot’
Automated script or tool that performs some malicious activity.
Define a ‘botnet’
A group of hosts or devices that has been infected by a bot, which enables attackers to exploit the hosts to mount attacks.
How is a botnet controlled?
By a command and control (C2 or C&C) host or network.
Define a ‘command and control (C2 or C&C)’ host/network
Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.
Define a ‘cover channel’
Subverts network security to transfer data without authorization or detection.
Once activated by a user, what permissions do a trojan malware adopt?
Inherits the privileges of that user account.
Define a ‘rootkit’
Malware that runs with SYSTEM level permissions; Class of malware that modifies system files, often at the kernel level, to conceal its presence.
What is the danger of a rootkit that attacks firmware?
Can survive any attempt to remove the rootkit by reformatting a drive or reinstalling OS.
Define ‘ransomeware’
Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.
What are typical ways ransomware will demand payment to avoid revealing their identity?
Cryptocurrency; wire transfers; premium rate phonelines.
Define ‘crypto-ransomeware’
Crypto class of ransomware attempts to encrypt data files on any fixed, removable, and network drives.
Define ‘Cryptojacking malware’
Type of crypto-malware hijacks the resources of the host to perform cryptocurrency mining.
Define a ‘logic bomb’
A malicious program or script that is set to run under particular circumstances or in response to a defined event.
Define a ‘tactic’ in terms of bad actor behavior
Behaviors such as reconnaissance, persistence, and privilege escalation are examples of tactics.
Define a ‘technique’ in terms of bad actor behavior
Description of how a threat actor progresses a tactic.
Define a ‘procedure’ in terms of bad actor behavior
Description of how a technique is performed.
Define an ‘indicator of compromise (IoC)’
A sign that an asset or network has been attacked or is currently under attack.
Define a ‘sheep dip’
An isolated host used to test new software and removable media for malware indicators before it is authorized on the production network.
Define ‘Impossible travel’
A potential indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe.
How can concurrent sessions be a sign of malicious activity?
Indicates that the threat actor has obtained the account credentials and is signed in on another workstation or over a remote access connection.
Define a ‘physical attack’ in terms of cybersecuirty
An attack directed against cabling infrastructure, hardware devices, or the environment of the site facilities hosting a network.
Define an ‘environmental attack’
A physical threat directed against power, cooling, or fire suppression systems.
Define ‘RFID cloning’
Making a copy of a contactless RIFD access card.
Define ‘RIFD skimming’
Using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.
Define a ‘network attack’
General category for a number of strategies and techniques that used to disrupt or gain access to systems via a network vector.
List types of network attacks
Reconnaissance; Credential harvesting; DoS; C&C; Lateral movement; Data exfiltration.
Define a ‘denial of service (DoS)’ attack
Any type of physical, application, or network attack that affects the availability of a managed resource.
How is a denial of service attack described when the target is a network host or gateway?
distributed DoS (DDoS).
Define ‘distributed DoS (DDoS)’
Use of a botnet to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
What is the typical outcome of an individual client host being affected by a malware based denial of service (DoS) attack?
Might destroy a file system or engineer excessive CPU, memory, storage, or network bandwidth consumption.
Define a ‘SYN flood attack’
DoS attack where the malicious client’s ACK packet is withheld from the 3-way handshake, causing a router/firewall/server to build a queue of pending connections to overwhelm the host by causing it to wait for an acknowledgement of SYN/ACK from the malicious client.
Define a ‘distributed reflected DoS (DRDoS)’
A DoS attack where the attacker sends outing packets to random third party servers using the IP address of the intended target with the goal to flood it with DNS or other traffic from the devices that were manipulated to communicate with it.
Define an ‘amplification attack’
UDP based reflection attack that exploits the way the protocols function and causing them to return network information to the attacker.
What is a typical indicator of a Distributed Denial of Service (DDoS) attack?
Traffic spikes that have no legitimate explanation.
How can a Distributed Denial of Service (DDoS) attack be mitigated?
High availability services, such as load balancing and cluster services.
Define an ‘on-path/man-in-the-middle’ attack
An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
Define ‘arp poisoning’
Attacker with network access redirects an IP address to the MAC address of a computer that is not the intended recipient.
What two types of attacks could use ARP poisoning as a technique?
DoS and on-path/man-in-the-middle.
Define ‘DNS poisoning’
An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker’s choosing.
What are the 3 types of DNS poisoning?
- DNS-Based On-Path Attacks
- DNS Client Cache Poisoning
- DNS Server Cache Poisoning
What technique/attack method is used to perform DNS-Based On-Path Attacks when the attacker and victim are on the same network?
ARP poisoning or a rouge DHCP server.
How is a DNS Client Cache Poisoning performed?
Attacker must place a spoofed DNS mapping in the clients host file.
Where is the windows host file?
%SystemRoot%\System32\Drivers\etc\hosts
Where is the Linux host file?
/etc/hosts
Define a ‘rouge access point’
One that has been installed on the network without authorization, that creates a backdoor to the network.
Define an ‘evil twin’
A rogue access point masquerading as a legitimate one.
Define a ‘disassociation’ attack
Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack by exploiting the lack of encryption in management frame traffic to send spoofed frames.
Define a ‘KRACK’ attack
Uses a replay mechanism that targets the WPA and WPA2 4-way handshake to capture the hashes used when a wireless station associates with an access point.
Define a ‘password’ attack
Any attack where the attacker tries to gain unauthorized access to and use of passwords.
Define a ‘brute force’ password attack
Attacker uses an application to try every possible alphanumeric combination to crack encrypted passwords.
Define a ‘dictionary’ password attack
Compares encrypted passwords against a predetermined list of possible password hash values.
Define ‘password spraying’
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
Define a ‘credential replay’ attack
An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
Define a ‘downgrade’ attack
Cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.
How can a downplay attack be detected?
In server logs, WAF/load balancer logs, IDS.
Define a ‘collision’ attack
Exploiting a weak cryptographic hashing function allowing generation of the same digest value for two different input files/data to forge a digital signature.
Define a ‘birthday’ attack
Password based collision attack taking advantage of the probability that different input can produce the same digest value for a different unknown encrypted password.
Define ‘Shellcode’
Minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges.
Define ‘credential dumping’
The act of using malware to access a credential file or sniff credentials held in memory.
Define an ‘application attack’
Targets a vulnerability in OS or application software.
What is an indicator of an application attack?
Increased numbers of application crashes and errors; Anomalous CPU, memory, storage, or network utilization.
What is the purpose of most application attacks?
Arbitrary code execution; To allow the threat actor to run their own code on the system.
Define ‘arbitrary code execution’
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.
Define ‘remote code execution’
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host.
Define ‘privilege escalation’
Practice of exploiting flaws in an OS or application to gain a greater level of access than was initially intended for the user or application.
What are the two type of privilege escalation?
- Vertical privilege escalation
- Horizontal privilege escalation
Define ‘Vertical privilege escalation’
When an attacker can access functionality or data that should not be available to them.
Define ‘Horizontal privilege escalation’
When an attacker accesses or modifies specific resources that they are not entitled to or is intended for someone else.
How can privilege escalation be detected?
Detailed analysis of code or process execution in real time or application logging as well as endpoint protection.
Define an applicaiton ‘buffer’
An area of memory that an application reserves to store some value.
Define a ‘buffer overflow’ attack
Attacker passes data that deliberately fills the buffer to its end and then overwrites data at its start.
Define a ‘replay attack’
Attacker intercepts a session token from a cookie used to authenticate a user and reuses it to try to reestablish an illegitimate session.
How can an attacker capture HTTP cookies?
Sniffing network traffic via an on-path attack or when they are sent over an unsecured network; Malware infecting a host; cross-site scripting (XSS).
Define a ‘forgery’ attack
exploits weak authenticated sessions to perform an unauthorized request via a hijacked session.
Define ‘cross-site request forgery (CSRF)’
A malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.
What is the function of performing cross-site request forgery (CSRF)?
Exploit applications that use cookies to authenticate users and track sessions.
How is cross-site request forgery (CSRF) accomplished?
Attacker must convince the victim to start a session with the target site, then pass an HTTP request to the victim’s browser that spoofs an action on the target site, such as changing a password or an email address.
Define ‘server-side request forgery (SSRF)’
Exploits the lack of authentication between the internal servers and services and lack of input validation - causing a server application to process an arbitrary request that targets another service.
Define a ‘server-side’ attack
Typically and injection attack; Causes the server to do some processing or run a script or query in a way that is not authorized by the application design.
Define an ‘injection attack’
An attack that exploits weak request handling or input validation to run arbitrary code in a client browser or on a server.
Along with SQL, what other protocols/languages are susceptible to injection attacks?
LDAP, XML.
Define a ‘Directory traversal’
Web application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
How is a directory transversal performed?
Threat actor submits a request for a file outside the web server’s root directory by submitting a path to navigate to the parent directory.
How is a directory transversal mitigated?
Input validation and proper access permissions.
Define a ‘canonicalization attack’ and how it is executed
Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.
What is the purpose of utilizing a canonicalization attack?
To disguise the nature of the malicious input.
Define a ‘command injection’
Threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
What level of privilege should a webserver give a client to prevent any type of injection attack?
Guest
What are the typical areas/mechanisms used to initially detect a high-jacking/replay, forgery, and injection attack?
URL analysis and the web server’s access log.
How can a URL be manipulated to be an attack vector?
By being encoded with some type of action or data to submit to the host server.
What are the 5 components of an HTTP request?
- Method
- Resource (URL path)
- Version number
- Headers
- Body
What are the 3 types of HTTP requests methods?
- HTTP Get
- HTTP Post
- HTTP Put
Define a ‘HTTP get’ request method
Used to retrieve a resource.
Define a ‘HTTP post’ request method
Used to data to the server for processing by the requested resource.
Define a ‘HTTP put’ request method
Used to create or replace the resource.
What ways can data be submitted to a server?
Post/Put methods, HTTP headers/body, or by encoding the data within the URL used to access the resource.
What character is used to identify data submitted via URL?
Data submitted via a URL is delimited by the ‘?’ character, which follows the resource path.
How is a query defined in a URL?
The query string begins after the question mark (?); Query parameters are represented as a unique key-value pair or two linked data items with an (=) separating each value.
Define a HTTP response code
The header value returned by a server when a client requests a URL.
What is the purpose of a reserved character in a URL?
Used as delimiters within the URL syntax.
Define ‘percent encoding’
A mechanism for encoding characters as hexadecimal values delimited by the percent sign.
What do HTTP response codes in the 400 range indicate?
Indicate client-based errors.
What do HTTP response codes in the 500 range indicate?
Indicate server-based errors.
