Lesson 13: Analyze Indicators of Malicious Activity Flashcards

Question

Define 'spyware'

Answer 1

Malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, activate recording devices, and perform DNS redirection.

Answer 2

Malicious software or hardware that can record user keystrokes.

Answer 3

Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control.

Answer 4

Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.

Answer 5

Automated script or tool that performs some malicious activity.

Answer 6

A group of hosts or devices that has been infected by a bot, which enables attackers to exploit the hosts to mount attacks.

Answer 7

By a command and control (C2 or C&C) host or network.

Answer 8

Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

Answer 9

Subverts network security to transfer data without authorization or detection.

Answer 10

Inherits the privileges of that user account.

Answer 11

Malware that runs with SYSTEM level permissions; Class of malware that modifies system files, often at the kernel level, to conceal its presence.

Answer 12

Can survive any attempt to remove the rootkit by reformatting a drive or reinstalling OS.

Answer 13

Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.

Answer 14

Cryptocurrency; wire transfers; premium rate phonelines.

Answer 15

Crypto class of ransomware attempts to encrypt data files on any fixed, removable, and network drives.

Answer 16

Type of crypto-malware hijacks the resources of the host to perform cryptocurrency mining.

Answer 17

A malicious program or script that is set to run under particular circumstances or in response to a defined event.

Answer 18

Behaviors such as reconnaissance, persistence, and privilege escalation are examples of tactics.

Answer 19

Description of how a threat actor progresses a tactic.

Answer 20

Description of how a technique is performed.

Answer 21

A sign that an asset or network has been attacked or is currently under attack.

Answer 22

An isolated host used to test new software and removable media for malware indicators before it is authorized on the production network.

Answer 23

A potential indicator of malicious activity where authentication attempts are made from different geographical locations within a short timeframe.

Answer 24

Indicates that the threat actor has obtained the account credentials and is signed in on another workstation or over a remote access connection.

Answer 25

An attack directed against cabling infrastructure, hardware devices, or the environment of the site facilities hosting a network.

Answer 26

A physical threat directed against power, cooling, or fire suppression systems.

Answer 27

Making a copy of a contactless RIFD access card.

Answer 28

Using a counterfeit reader to capture card or badge details, which are then used to program a duplicate.

Answer 29

General category for a number of strategies and techniques that used to disrupt or gain access to systems via a network vector.

Answer 30

Reconnaissance; Credential harvesting; DoS; C&C; Lateral movement; Data exfiltration.

Answer 31

Any type of physical, application, or network attack that affects the availability of a managed resource.

Answer 32

distributed DoS (DDoS).

Answer 33

Use of a botnet to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.

Answer 34

Might destroy a file system or engineer excessive CPU, memory, storage, or network bandwidth consumption.

Answer 35

DoS attack where the malicious client's ACK packet is withheld from the 3-way handshake, causing a router/firewall/server to build a queue of pending connections to overwhelm the host by causing it to wait for an acknowledgement of SYN/ACK from the malicious client.

Answer 36

A DoS attack where the attacker sends outing packets to random third party servers using the IP address of the intended target with the goal to flood it with DNS or other traffic from the devices that were manipulated to communicate with it.

Answer 37

UDP based reflection attack that exploits the way the protocols function and causing them to return network information to the attacker.

Answer 38

Traffic spikes that have no legitimate explanation.

Answer 39

High availability services, such as load balancing and cluster services.

Answer 40

An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.

Answer 41

Attacker with network access redirects an IP address to the MAC address of a computer that is not the intended recipient.

Answer 42

DoS and on-path/man-in-the-middle.

Answer 43

An attack where a threat actor injects false resource records into a client or server cache to redirect a domain name to an IP address of the attacker's choosing.

Answer 44

1. DNS-Based On-Path Attacks 2. DNS Client Cache Poisoning 3. DNS Server Cache Poisoning

Answer 45

ARP poisoning or a rouge DHCP server.

Answer 46

Attacker must place a spoofed DNS mapping in the clients host file.

Answer 47

%SystemRoot%\System32\Drivers\etc\hosts

Answer 48

/etc/hosts

Answer 49

One that has been installed on the network without authorization, that creates a backdoor to the network.

Answer 50

A rogue access point masquerading as a legitimate one.

Answer 51

Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack by exploiting the lack of encryption in management frame traffic to send spoofed frames.

Answer 52

Uses a replay mechanism that targets the WPA and WPA2 4-way handshake to capture the hashes used when a wireless station associates with an access point.

Answer 53

Any attack where the attacker tries to gain unauthorized access to and use of passwords.

Answer 54

Attacker uses an application to try every possible alphanumeric combination to crack encrypted passwords.

Answer 55

Compares encrypted passwords against a predetermined list of possible password hash values.

Answer 56

A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.

Answer 57

An attack that uses a captured authentication token to start an unauthorized session without having to discover the plaintext password for an account.

Answer 58

Cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.

Answer 59

In server logs, WAF/load balancer logs, IDS.

Answer 60

Exploiting a weak cryptographic hashing function allowing generation of the same digest value for two different input files/data to forge a digital signature.

Answer 61

Password based collision attack taking advantage of the probability that different input can produce the same digest value for a different unknown encrypted password.

Answer 62

Minimal program designed to exploit a vulnerability in the OS or in a legitimate app to gain privileges.

Answer 63

The act of using malware to access a credential file or sniff credentials held in memory.

Answer 64

Targets a vulnerability in OS or application software.

Answer 65

Increased numbers of application crashes and errors; Anomalous CPU, memory, storage, or network utilization.

Answer 66

Arbitrary code execution; To allow the threat actor to run their own code on the system.

Answer 67

A vulnerability that allows an attacker to run their own code or a module that exploits such a vulnerability.

Answer 68

A vulnerability that allows an attacker to transmit code from a remote host for execution on a target host.

Answer 69

Practice of exploiting flaws in an OS or application to gain a greater level of access than was initially intended for the user or application.

Answer 70

1. Vertical privilege escalation 2. Horizontal privilege escalation

Answer 71

When an attacker can access functionality or data that should not be available to them.

Answer 72

When an attacker accesses or modifies specific resources that they are not entitled to or is intended for someone else.

Answer 73

Detailed analysis of code or process execution in real time or application logging as well as endpoint protection.

Answer 74

An area of memory that an application reserves to store some value.

Answer 75

Attacker passes data that deliberately fills the buffer to its end and then overwrites data at its start.

Answer 76

Attacker intercepts a session token from a cookie used to authenticate a user and reuses it to try to reestablish an illegitimate session.

Answer 77

Sniffing network traffic via an on-path attack or when they are sent over an unsecured network; Malware infecting a host; cross-site scripting (XSS).

Answer 78

exploits weak authenticated sessions to perform an unauthorized request via a hijacked session.

Answer 79

A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.

Answer 80

Exploit applications that use cookies to authenticate users and track sessions.

Answer 81

Attacker must convince the victim to start a session with the target site, then pass an HTTP request to the victim's browser that spoofs an action on the target site, such as changing a password or an email address.

Answer 82

Exploits the lack of authentication between the internal servers and services and lack of input validation - causing a server application to process an arbitrary request that targets another service.

Answer 83

Typically and injection attack; Causes the server to do some processing or run a script or query in a way that is not authorized by the application design.

Answer 84

An attack that exploits weak request handling or input validation to run arbitrary code in a client browser or on a server.

Answer 85

LDAP, XML.

Answer 86

Web application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

Answer 87

Threat actor submits a request for a file outside the web server's root directory by submitting a path to navigate to the parent directory.

Answer 88

Input validation and proper access permissions.

Answer 89

Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures.

Answer 90

To disguise the nature of the malicious input.

Answer 91

Threat actor is able to execute arbitrary shell commands on a host via a vulnerable web application.

Answer 92

URL analysis and the web server's access log.

Answer 93

By being encoded with some type of action or data to submit to the host server.

Answer 94

1. Method 2. Resource (URL path) 3. Version number 4. Headers 5. Body

Answer 95

1. HTTP Get 2. HTTP Post 3. HTTP Put

Answer 96

Used to retrieve a resource.

Answer 97

Used to data to the server for processing by the requested resource.

Answer 98

Used to create or replace the resource.

Answer 99

Post/Put methods, HTTP headers/body, or by encoding the data within the URL used to access the resource.

Answer 100

Data submitted via a URL is delimited by the '?' character, which follows the resource path.

Answer 101

The query string begins after the question mark (?); Query parameters are represented as a unique key-value pair or two linked data items with an (=) separating each value.

Answer 102

The header value returned by a server when a client requests a URL.

Answer 103

Used as delimiters within the URL syntax.

Answer 104

A mechanism for encoding characters as hexadecimal values delimited by the percent sign.

Answer 105

Indicate client-based errors.

Answer 106

Indicate server-based errors.