Lesson 13: Analyze Indicators of Malicious Activity Flashcards

1
Q

What is the purpose of the preparation phase in CompTIA’s incident response lifecycle?

A

Identifies data sources that can support investigation; Tools to aggregate/correlate data; Alerting/identifying.

2
Q

Define ‘Malware’

A

Software that serves a malicious purpose, typically installed without the user’s consent (or knowledge).

3
Q

What is the purpose of malware classification?

A

Describes the vector used by the malware; Method by which the malware executes on a computer and potentially spreads to other network hosts.

4
Q

Define a ‘virus’

A

One of the first types of malware; Spreads without any authorization by being concealed within the executable code of another process - such processes are described as being infected with malware.

5
Q

Define a ‘trojan’ malware

A

A malicious software program hidden within an innocuous-seeming piece of software; Designed to operate discreetly without authorization.

6
Q

Define a ‘Potentially unwanted program (PUP)’ malware

A

Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.

7
Q

What are the 4 classifications of malware/viruses?

A
  1. Non-resident/file infector
  2. Memory resident
  3. Boot
  4. Script and macro viruses
8
Q

Define a ‘Non-resident/file infector’ malware/virus

A

Virus is contained within a host executable file and runs with the host process.

9
Q

Define a ‘Memory resident’ malware/virus

A

When the payload is executed, the virus creates a new process for itself in memory and remains in memory, even if the host process is terminated.

10
Q

Define a ‘boot’ malware/virus

A

Virus code is written to the disk boot sector or the partition table of a fixed disk and executes as a memory-resident process when the OS starts or the media is attached to the computer.

11
Q

Define a ‘Script and macro viruses’ malware/virus

A

Malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript.

12
Q

Define a ‘multipartite’ malware/virus

A

Viruses that use multiple vectors.

13
Q

Define a ‘polymorphic’ malware/virus

A

Viruses that can dynamically change or obfuscate their code to evade detection.

14
Q

What is the common goal of all malware/virus classifications and vectors?

A

To infect a host file or media.

15
Q

Define a ‘worm’

A

A type of malware that replicates between processes in system memory and can spread over client/server network connections without user intervention.

16
Q

How is modern malware defined as ‘fileless’?

A

The malware won’t write code to disk; Malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host.

17
Q

How can fileless malware remain persistent in a system without writing code to disk?

A

By changing registry values that execute if the host computer is restarted.

18
Q

How can fileless malware evade detection and create backdoors?

A

By using shellcode to exploit a software vulnerability to gain initial access to a victim system.

19
Q

Define a ‘live off the land’ technique that a fileless malware might use to evade detection

A

If an attacker has sufficient permissions, malware code can use legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions.

20
Q

Define the term ‘advanced persistent threat (APT)’

A

An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.

21
Q

How can a cookie be viewed as a malicious file?

A

Third-party cookies can be used to record web activity, track the user’s IP address, and harvest various other metadata.

22
Q

Define a ‘Supercookie’

A

A type of tracking cookie stored on a computer indefinitely and used to monitor behavior and collect data.

23
Q

Define a ‘beacon’

A

A single pixel image embedded into a website. While invisible to the user, the browser must make a request to download the pixel to load the site, giving the beacon host the opportunity to collect metadata.

24
Q

Define ‘adware’

A

A class of PUP/bloatware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsors’ pages at startup, adding bookmarks, and so on, with the purpose of recording information about the user and their computer.

25
Define 'spyware'
Malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, activate recording devices, and perform DNS redirection.
26
Define a 'keylogger'
Malicious software or hardware that can record user keystrokes.
27
Define a 'backdoor'
Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.
28
Define a 'remote access Trojan (RAT)'
Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.
29
Define a 'bot'
Automated script or tool that performs some malicious activity.
30
Define a 'botnet'
A group of hosts or devices that has been infected by a bot, which enables attackers to exploit the hosts to mount attacks.
31
How is a botnet controlled?
By a command and control (C2 or C&C) host or network.
32
Define a 'command and control (C2 or C&C)' host/network
Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.
33
Define a 'covert channel'
Subverts network security to transfer data without authorization or detection.
34
Once activated by a user, what permissions does a trojan adopt?
Inherits the privileges of that user account.
35
Define a 'rootkit'
Malware that runs with SYSTEM level permissions; Class of malware that modifies system files, often at the kernel level, to conceal its presence.
36
What is the danger of a rootkit that attacks firmware?
Can survive any attempt to remove the rootkit by reformatting a drive or reinstalling OS.
37
Define 'ransomware'
Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.
38
What are typical ways ransomware demands payment while avoiding revealing the attacker's identity?
Cryptocurrency; wire transfers; premium rate phonelines.
39
Define 'crypto-ransomware'
A class of ransomware that attempts to encrypt data files on any fixed, removable, and network drives.
40
Define 'Cryptojacking malware'
A type of crypto-malware that hijacks the resources of the host to perform cryptocurrency mining.
41
Define a 'logic bomb'
A malicious program or script that is set to run under particular circumstances or in response to a defined event.
42
Define a 'tactic' in terms of bad actor behavior
Behaviors such as reconnaissance, persistence, and privilege escalation are examples of tactics.
43
Define a 'technique' in terms of bad actor behavior
Description of how a threat actor progresses a tactic.
44
Define a 'procedure' in terms of bad actor behavior
Description of how a technique is performed.
45
Define an 'indicator of compromise (IoC)'
A sign that an asset or network has been attacked or is currently under attack.
46
Define a 'sheep dip'
An isolated host used to test new software and removable media for malware indicators before it is authorized on the production network.
47
Define 'Impossible travel'
A potential indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe.
48
How can concurrent sessions be a sign of malicious activity?
Indicates that the threat actor has obtained the account credentials and is signed in on another workstation or over a remote access connection.
49
Define a 'physical attack' in terms of cybersecurity
An attack directed against cabling infrastructure, hardware devices, or the environment of the site facilities hosting a network.
50
Define an 'environmental attack'
A physical threat directed against power, cooling, or fire suppression systems.
51
Define 'RFID cloning'
Making a copy of a contactless RFID access card.
52
Define 'RFID skimming'
Using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.
53
Define a 'network attack'
General category for a number of strategies and techniques that are used to disrupt or gain access to systems via a network vector.
54
List types of network attacks
Reconnaissance; Credential harvesting; DoS; C&C; Lateral movement; Data exfiltration.
55
Define a 'denial of service (DoS)' attack
Any type of physical, application, or network attack that affects the availability of a managed resource.
56
How is a denial of service attack described when the target is a network host or gateway?
distributed DoS (DDoS).
57
Define 'distributed DoS (DDoS)'
Use of a botnet to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
58
What is the typical outcome of an individual client host being affected by a malware based denial of service (DoS) attack?
Might destroy a file system or engineer excessive CPU, memory, storage, or network bandwidth consumption.
59
Define a 'SYN flood attack'
DoS attack in which the malicious client withholds the final ACK packet of the 3-way handshake, causing a router/firewall/server to build up a queue of pending (half-open) connections while it waits for acknowledgement of its SYN/ACK, which overwhelms the host.
60
Define a 'distributed reflected DoS (DRDoS)'
A DoS attack where the attacker sends outgoing packets to random third-party servers using the IP address of the intended target, with the goal of flooding the target with DNS or other traffic from the devices that were manipulated into replying to it.
61
Define an 'amplification attack'
UDP-based reflection attack that exploits the way certain protocols function, causing them to return a much larger volume of network information than the attacker sent.
62
What is a typical indicator of a Distributed Denial of Service (DDoS) attack?
Traffic spikes that have no legitimate explanation.
63
How can a Distributed Denial of Service (DDoS) attack be mitigated?
High availability services, such as load balancing and cluster services.
64
Define an 'on-path/man-in-the-middle' attack
An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
65
Define 'ARP poisoning'
Attacker with network access redirects an IP address to the MAC address of a computer that is not the intended recipient.
66
What two types of attacks could use ARP poisoning as a technique?
DoS and on-path/man-in-the-middle.
67
Define 'DNS poisoning'
An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.
68
What are the 3 types of DNS poisoning?
1. DNS-Based On-Path Attacks 2. DNS Client Cache Poisoning 3. DNS Server Cache Poisoning
69
What technique/attack method is used to perform DNS-Based On-Path Attacks when the attacker and victim are on the same network?
ARP poisoning or a rogue DHCP server.
70
How is DNS client cache poisoning performed?
The attacker must place a spoofed DNS mapping in the client's hosts file.
71
Where is the Windows hosts file?
%SystemRoot%\System32\Drivers\etc\hosts
72
Where is the Linux hosts file?
/etc/hosts
73
Define a 'rogue access point'
One that has been installed on the network without authorization, that creates a backdoor to the network.
74
Define an 'evil twin'
A rogue access point masquerading as a legitimate one.
75
Define a 'disassociation' attack
Exploiting the lack of encryption in management frame traffic to send spoofed frames that disconnect a wireless station, in an attempt to capture authentication data that can then be cracked.
76
Define a 'KRACK' attack
Uses a replay mechanism that targets the WPA and WPA2 4-way handshake to capture the hashes used when a wireless station associates with an access point.
77
Define a 'password' attack
Any attack where the attacker tries to gain unauthorized access to and use of passwords.
78
Define a 'brute force' password attack
Attacker uses an application to try every possible alphanumeric combination to crack encrypted passwords.
79
Define a 'dictionary' password attack
Compares encrypted passwords against a predetermined list of possible password hash values.
80
Define 'password spraying'
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
81
Define a 'credential replay' attack
An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.
82
Define a 'downgrade' attack
Cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.
83
How can a downgrade attack be detected?
In server logs, WAF/load balancer logs, IDS.
84
Define a 'collision' attack
Exploiting a weak cryptographic hashing function allowing generation of the same digest value for two different input files/data to forge a digital signature.
85
Define a 'birthday' attack
Password-based collision attack that takes advantage of the probability that different inputs can produce the same digest value, allowing a match against an unknown hashed password.
86
Define 'Shellcode'
Minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges.
87
Define 'credential dumping'
The act of using malware to access a credential file or sniff credentials held in memory.
88
Define an 'application attack'
Targets a vulnerability in OS or application software.
89
What is an indicator of an application attack?
Increased numbers of application crashes and errors; Anomalous CPU, memory, storage, or network utilization.
90
What is the purpose of most application attacks?
Arbitrary code execution; To allow the threat actor to run their own code on the system.
91
Define 'arbitrary code execution'
A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.
92
Define 'remote code execution'
A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host.
93
Define 'privilege escalation'
Practice of exploiting flaws in an OS or application to gain a greater level of access than was initially intended for the user or application.
94
What are the two types of privilege escalation?
1. Vertical privilege escalation 2. Horizontal privilege escalation
95
Define 'Vertical privilege escalation'
When an attacker can access functionality or data that should not be available to them.
96
Define 'Horizontal privilege escalation'
When an attacker accesses or modifies specific resources that they are not entitled to or is intended for someone else.
97
How can privilege escalation be detected?
Detailed analysis of code or process execution in real time or application logging as well as endpoint protection.
98
Define an application 'buffer'
An area of memory that an application reserves to store some value.
99
Define a 'buffer overflow' attack
Attacker passes data that deliberately fills the buffer to its end and then overwrites data at its start.
100
Define a 'replay attack'
Attacker intercepts a session token from a cookie used to authenticate a user and reuses it to try to reestablish an illegitimate session.
101
How can an attacker capture HTTP cookies?
Sniffing network traffic via an on-path attack or when they are sent over an unsecured network; Malware infecting a host; cross-site scripting (XSS).
102
Define a 'forgery' attack
Exploits weak authenticated sessions to perform an unauthorized request via a hijacked session.
103
Define 'cross-site request forgery (CSRF)'
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
104
What is the function of performing cross-site request forgery (CSRF)?
Exploit applications that use cookies to authenticate users and track sessions.
105
How is cross-site request forgery (CSRF) accomplished?
Attacker must convince the victim to start a session with the target site, then pass an HTTP request to the victim's browser that spoofs an action on the target site, such as changing a password or an email address.
106
Define 'server-side request forgery (SSRF)'
Exploits the lack of authentication between the internal servers and services and lack of input validation - causing a server application to process an arbitrary request that targets another service.
107
Define a 'server-side' attack
Typically an injection attack; Causes the server to do some processing or run a script or query in a way that is not authorized by the application design.
108
Define an 'injection attack'
An attack that exploits weak request handling or input validation to run arbitrary code in a client browser or on a server.
109
Along with SQL, what other protocols/languages are susceptible to injection attacks?
LDAP, XML.
110
Define a 'Directory traversal'
Web application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
111
How is a directory traversal performed?
Threat actor submits a request for a file outside the web server's root directory by submitting a path to navigate to the parent directory.
112
How is a directory traversal mitigated?
Input validation and proper access permissions.
113
Define a 'canonicalization attack' and how it is executed
Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.
114
What is the purpose of utilizing a canonicalization attack?
To disguise the nature of the malicious input.
115
Define a 'command injection'
Threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.
116
What level of privilege should a webserver give a client to prevent any type of injection attack?
Guest
117
What are the typical areas/mechanisms used to initially detect a hijacking/replay, forgery, or injection attack?
URL analysis and the web server's access log.
118
How can a URL be manipulated to be an attack vector?
By being encoded with some type of action or data to submit to the host server.
119
What are the 5 components of an HTTP request?
1. Method 2. Resource (URL path) 3. Version number 4. Headers 5. Body
120
What are the 3 types of HTTP request methods?
1. HTTP GET 2. HTTP POST 3. HTTP PUT
121
Define an 'HTTP GET' request method
Used to retrieve a resource.
122
Define an 'HTTP POST' request method
Used to send data to the server for processing by the requested resource.
123
Define an 'HTTP PUT' request method
Used to create or replace the resource.
124
What ways can data be submitted to a server?
Post/Put methods, HTTP headers/body, or by encoding the data within the URL used to access the resource.
125
What character is used to identify data submitted via URL?
Data submitted via a URL is delimited by the '?' character, which follows the resource path.
126
How is a query defined in a URL?
The query string begins after the question mark (?); Query parameters are represented as key-value pairs (two linked data items), with an equals sign (=) separating each key from its value.
127
Define an HTTP response code
The header value returned by a server when a client requests a URL.
128
What is the purpose of a reserved character in a URL?
Used as delimiters within the URL syntax.
129
Define 'percent encoding'
A mechanism for encoding characters as hexadecimal values delimited by the percent sign.
130
What do HTTP response codes in the 400 range indicate?
Indicate client-based errors.
131
What do HTTP response codes in the 500 range indicate?
Indicate server-based errors.