Lesson 13: Analyze Indicators of Malicious Activity Flashcards
What are examples of virus types?
Non-resident/file infectors, memory-resident, boot sector, and script/macro-based viruses.
What distinguishes worms from other malware?
Worms are self-replicating and can cause resource exhaustion (e.g., Code Red and Conficker).
How does fileless malware operate?
It works in memory and often uses tools like PowerShell or WMI to evade detection.
What is the function of spyware and keyloggers?
They monitor user activity, capture keystrokes, and steal sensitive data.
What are backdoors and RATs used for?
A remote access Trojan (RAT) is a malware program that opens a backdoor, enabling administrative control over the victim’s computer.
How do rootkits conceal their presence?
They operate with SYSTEM-level privileges and hide in processes, logs, or firmware.
What is ransomware?
Malware that blocks access to data or systems, demanding payment for restoration.
What distinguishes Crypto-Malware from regular ransomware?
Crypto-Malware encrypts files and requires a decryption key for recovery (e.g., CryptoLocker).
What is cryptojacking?
The unauthorized use of system resources for cryptocurrency mining.
How does a logic bomb operate?
It triggers malicious actions based on specific conditions or events, lying dormant until those conditions are met.
What are Indicators of Compromise (IoCs)?
Residual signs of attacks linked to Tactics, Techniques, and Procedures (TTPs) cataloged in resources like the MITRE ATT&CK database.
What are examples of physical attack risks?
Damage to hardware, power disruptions, or rogue devices.
What is RFID cloning and skimming?
The creation of counterfeit access cards for unauthorized entry.
What types of attacks fall under DDoS?
SYN floods, reflected attacks, and amplified attacks.
How do On-Path attacks like ARP poisoning work?
They intercept or manipulate communications covertly.
What does Command and Control (C2) do?
Covertly manages compromised hosts using beaconing and persistence.
Describe a DNS attack.
A DNS attack exploits vulnerabilities in the Domain Name System (DNS) to disrupt its functionality, redirect users to malicious websites, or gain unauthorized access to sensitive data.
How is a DNS attack performed, and what are the indicators for spotting one?
Through cache poisoning, rogue DNS resolvers, and exploitation of domain resolution vulnerabilities.
Indicators include DNS lookup failures and spikes in anomalous traffic.
What is a Rogue Access Point?
A rogue access point is an unauthorized wireless access point on a network.
Rogue APs can be deployed by legitimate users (e.g., employees) for convenience or by malicious actors to gain unauthorized access to the network.
What is an Evil Twin attack?
An evil twin attack is a specific type of rogue access point that mimics a legitimate network to deceive users and intercept their data.
How do disassociation and replay attacks impact wireless networks?
Disassociation attacks: Disconnect users from a network.
Replay attacks: Capture and reuse authentication data.
What are examples of privilege escalation?
Vertical Escalation: Gaining SYSTEM or administrative privileges.
Horizontal Escalation: Accessing privileges or data meant for other users.
What is a buffer overflow attack?
Exploiting poorly handled memory buffers for arbitrary code execution.
What are examples of injection attacks?
SQL injection, LDAP injection, and XML External Entity (XXE) exploitation.
How does CSRF differ from SSRF?
CSRF (Cross-Site Request Forgery): Exploits active sessions to perform unauthorized actions.
SSRF (Server-Side Request Forgery): Exploits server requests to compromise internal services.
What insights can Web Server Logs provide?
HTTP status codes (e.g., 403, 502) can reveal access violations or server issues.
What is the purpose of a URL Analysis?
To inspect encoded data and query parameters for obfuscated or malicious input.
How is Percent Encoding used maliciously in URLs?
Although legitimate for Unicode or reserved characters, it can obfuscate malicious data.