Lesson 13: Analyze Indicators of Malicious Activity Flashcards
What is the purpose of the preparation phase in CompTIA’s incident response lifecycle?
Identifies data sources that can support investigation; Tools to aggregate/correlate data; Alerting/identifying.
Define ‘Malware’
Software that serves a malicious purpose, typically installed without the user’s consent (or knowledge).
What is the purpose of malware classification?
Describes the vector used by the malware; Method by which the malware executes on a computer and potentially spreads to other network hosts.
Define a ‘virus’
One of the first types of malware; spreads without any authorization by being concealed within the executable code of another process; the process is described as being infected with malware.
Define a ‘trojan’ malware
A malicious software program hidden within an innocuous-seeming piece of software; Designed to operate discreetly without authorization.
Define a ‘Potentially unwanted program (PUP)’ malware
Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.
What are the 4 classifications of malware/viruses?
- Non-resident/file infector
- Memory resident
- Boot
- Script and macro viruses
Define a ‘Non-resident/file infector’ malware/virus
The virus is contained within a host executable file and runs with the host process.
Define a ‘Memory resident’ malware/virus
When the payload is executed, the virus creates a new process for itself in memory and remains in memory, even if the host process is terminated.
Define a ‘boot’ malware/virus
The virus code is written to the disk boot sector or the partition table of a fixed disk and executes as a memory-resident process when the OS starts or the media is attached to the computer.
Define a ‘Script and macro viruses’ malware/virus
Malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), and JavaScript.
Define a ‘multipartite’ malware/virus
Viruses that use multiple vectors.
Define a ‘polymorphic’ malware/virus
Viruses that can dynamically change or obfuscate their code to evade detection.
What is the common goal of all malware/virus classifications and vectors?
To infect a host file or media.
Define a ‘worm’
A type of malware that replicates between processes in system memory and can spread over client/server network connections without user intervention.
How is modern malware defined as ‘fileless’?
The malware won’t write code to disk; Malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host.
How can fileless malware remain persistent in a system without writing code to disk?
By changing registry values that execute if the host computer is restarted.
How can fileless malware evade detection and create backdoors?
By using shellcode to exploit a software vulnerability to gain initial access to a victim system.
Define a ‘live off the land’ technique that a fileless malware might use to evade detection
If an attacker has sufficient permissions, malware code can use legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions.
Define the term ‘advanced persistent threat (APT)’
An attacker’s ability to obtain, maintain, and diversify access to network systems using exploits and malware.
How can a cookie be viewed as a malicious file?
Third-party cookies can be used to record web activity, track the user’s IP address, and harvest various other metadata.
Define a ‘Supercookie’
A type of tracking cookie stored on a computer indefinitely and used to monitor behavior and collect data.
Define a ‘beacon’
A single pixel image embedded into a website. While invisible to the user, the browser must make a request to download the pixel to load the site, giving the beacon host the opportunity to collect metadata.
Define ‘adware’
A class of PUP/bloatware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsors’ pages at startup, adding bookmarks, and so on, with the purpose of recording information about the user and their computer.