Module 12 - Evading IDS, Firewalls, and Honeypots (EC Mode Part 01) Flashcards
Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?
A. TCP flag bits
B. Direction
C. Interface
D. Source IP address
Correct Answer: C. Interface
Which of the following types of firewall inspects only header information in network traffic?
A. Application-level gateway
B. Stateful inspection
C. Packet filter
D. Circuit-level gateway
Correct Answer: C. Packet filter
Which of the following intrusion detection techniques involves first creating models of possible intrusions and then comparing these models with incoming events to make a detection decision?
A. Anomaly Detection
B. Signature Recognition
C. Protocol Anomaly Detection
D. Obfuscating
Correct Answer: B. Signature Recognition
Which of the following statements concerning proxy firewalls is correct?
A. Proxy firewalls block network packets from passing to and from a protected network
B. Firewall proxy servers decentralize all activity for an application
C. Computers establish a connection with a proxy firewall that initiates a new network connection for the client
D. Proxy firewalls increase the speed and functionality of a network
Correct Answer: C. Computers establish a connection with a proxy firewall that initiates a new network connection for the client
Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?
A. Honeypot
B. Intrusion detection system (IDS)
C. DeMilitarized zone (DMZ)
D. Firewall
Correct Answer: A. Honeypot
In which of the following conditions does the IDS generate a true positive alert?
A. A true positive is a condition occurring when an IDS fails to react to an actual attack event
B. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable
C. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
D. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress
Correct Answer: C. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
A. They are easier to install and configure
B. They will not interfere with user interfaces
C. They are placed at the boundary, allowing them to inspect all traffic
D. They do not use host system resources
Correct Answer: D. They do not use host system resources
Which of the following indicators identifies a network intrusion?
A. Repeated probes of the available services on your machines
B. Sudden decrease in bandwidth consumption is an indication of intrusion
C. Connection requests from IPs from those systems within the network range
D. Rare login attempts from remote hosts
Correct Answer: A. Repeated probes of the available services on your machines
At which two traffic layers do most commercial IDSes generate signatures? (Select Two)
A. Application layer
B. Network layer
C. Session layer
D. Transport layer
Correct Answer: B. Network layer and D. Transport layer
Jamie has purchased and deployed an application firewall to protect his company's infrastructure, which includes various email servers, file server shares, and applications. All the systems in his company also share the same onsite physical datacenter. Jamie has positioned the newly purchased firewall nearest to the application systems so as to protect the applications from attackers. This positioning does not protect the complete network.
What can be done to address the security issues caused by this deployment?
A. Jamie will need to add at least three additional firewalls at the DMZ, internet, and intranet
B. Jamie will need to add at least three additional firewalls at the untrusted network, router side, and application side
C. Jamie will need to replace the application firewall with a packet filtering firewall at the network edge
D. Jamie will need to add at least one additional firewall at the network edge
Correct Answer: D. Jamie will need to add at least one additional firewall at the network edge
Jamie was asked by their director to make new additions to the firewall in order to allow traffic for a new software package. After the firewall changes, Jamie receives calls from users that they cannot access other services, such as email and file shares, that they were able to access earlier.
What was the problem in the latest changes that is denying existing users from accessing network resources?
A. Jamie’s additional entries were processed first
B. Jamie needs to restart the firewall to make the changes effective
C. Jamie should exit privileged mode to allow the settings to be effective
D. Jamie needs to have the users restart their computers in order to make settings effective
Correct Answer: A. Jamie’s additional entries were processed first
When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the source IP address and destination IP address are the same. However, no alerts have been sent via email or logged in the IDS. Which type of an alert is this?
A. False negative
B. True negative
C. False positive
D. True positive
Correct Answer: A. False negative
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator’s computer to update the router configuration. What type of an alert is this?
A. True-negative
B. True-positive
C. False-negative
D. False-positive
Correct Answer: D. False-positive
A network administrator received an administrative alert at 3:00 a.m. from the intrusion detection system. The alert was generated because a large number of packets were coming into the network over ports 20 and 21. During analysis, there were no signs of attack on the FTP servers. How should the administrator understand this situation?
A. False negatives
B. True positives
C. True negatives
D. False positives
Correct Answer: D. False positives
Which of the following methods detects an intrusion based on the fixed behavioral characteristics of the users and components of a computer system?
A. Signature recognition
B. Bastion host
C. Anomaly detection
D. Protocol anomaly detection
Correct Answer: C. Anomaly detection
The general indicators of which of the following types of intrusions are repeated login attempts from remote hosts, a sudden influx of log data, and a sudden increase in bandwidth consumption?
A. System intrusion
B. File-system intrusion
C. Signature recognition
D. Network intrusion
Correct Answer: D. Network intrusion
Which of the following types of honeypots is very effective in determining the entire capabilities of adversaries and is mostly deployed in an isolated virtual environment along with a combination of vulnerable servers?
A. Honeynets
B. Spider honeypots
C. Spam honeypots
D. Malware honeypots
Correct Answer: A. Honeynets
Which of the following attributes in a packet can be used to check whether the packet originated from an unreliable zone?
A. Source IP address
B. Interface
C. Direction
D. TCP flag bits
Correct Answer: B. Interface
In which of the following conditions does the IDS generate a true positive alert?
A. A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable
B. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
C. A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress
D. A true positive is a condition occurring when an IDS fails to react to an actual attack event
Correct Answer: B. A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress
What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
A. They are easier to install and configure
B. They do not use host system resources
C. They are placed at the boundary, allowing them to inspect all traffic
D. They will not interfere with user interfaces
Correct Answer: B. They do not use host system resources
Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function?
A. Similar RAM requirements
B. They must be dual-homed
C. Fast processor to help with network traffic analysis
D. Fast network interface cards
Correct Answer: B. They must be dual-homed
Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?
A. Detective
B. Passive
C. Intuitive
D. Reactive
Correct Answer: B. Passive
An advantage of an application-level firewall is the ability to
A. Filter packets at the network level
B. Monitor TCP handshaking
C. Filter specific commands, such as http:post
D. Retain state information for each packet
Correct Answer: C. Filter specific commands, such as http:post
Teyla is a security analyst for BAYARA Company. She is responsible for the firewall, antivirus, IPS, and web filtering security controls. She wants to protect the employees from a new phishing attack. What should Teyla do?
A. Use the web filtering application to prevent the employees from accessing the phishing webpage
B. Use IPS to block phishing
C. Block the phishing via antivirus
D. Block outbound traffic to the ports 80 and 443 in the firewall
Correct Answer: A. Use the web filtering application to prevent the employees from accessing the phishing webpage
When analyzing the IDS logs, the system administrator notices connections from outside of the LAN have been sending packets where the source IP address and destination IP address are the same. However, no alerts have been sent via email or logged in the IDS. Which type of an alert is this?
A. True negative
B. False positive
C. False negative
D. True positive
Correct Answer: C. False negative
Which of the following is a mobile intrusion detection tool that allows users to find all the devices connected to a network and provides relevant data such as the IP addresses, manufacturer names, device names, and MAC addresses of the connected devices?
A. Wifiphisher
B. Wifi Inspector
C. WIBR+
D. Reaver
Correct Answer: B. Wifi Inspector
Which of the following commands is an example of a Snort rule using a bidirectional operator?
A. log tcp any any -> 192.168.1.0/24 !6000:6010
B. alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111
C. 192.168.1.0/24 1:1024
D. log !192.168.1.0/24 any <> 192.168.1.0/24 23
Correct Answer: D. log !192.168.1.0/24 any <> 192.168.1.0/24 23
Which of the following is a security solution for mobile devices that can reduce a mobile device’s network traffic and battery consumption as well as allow users to create network rules based on apps, IP addresses, and domain names?
A. Bitvise
B. NetPatch Firewall
C. KFSensor
D. Snort
Correct Answer: B. NetPatch Firewall
When an alert rule is matched in a network-based IDS like Snort, the IDS does which of the following:
A. Blocks the connection with the source IP address in the packet
B. Continues to evaluate the packet until all rules are checked
C. Stops checking rules, sends an alert, and lets the packet continue
D. Drops the packet and moves on to the next one
Correct Answer: B. Continues to evaluate the packet until all rules are checked
Which of the following is not an action present in Snort IDS?
A. Alert
B. Pass
C. Audit
D. Log
Correct Answer: C. Audit
Which of the following firewalls is used to secure mobile devices?
A. NetPatch firewall
B. Glasswire
C. TinyWall
D. Comodo firewall
Correct Answer: A. NetPatch firewall
Manav wants to simulate a complete system and provide an appealing target to push hackers away from the production systems of his organization. Can you identify the tool?
A. PeerBlock
B. TinyWall
C. SPECTER
D. Glasswire
Correct Answer: C. SPECTER
Which of the following firewall solution tools has the following features:
Two-way firewall that monitors and blocks inbound as well as outbound traffic
Allows users to browse the web privately
Identity protection services help to prevent identity theft by guarding crucial data of the users. It also offers PC protection and data encryption
Through Do Not Track, it stops data-collecting companies from tracking the online users
Online backup that backs up files and restores the data in the event of loss, theft, accidental deletion, or disk failure
A. Vanguard Enforcer
B. zIPS
C. Wifi Inspector
D. ZoneAlarm Free Firewall
Correct Answer: D. ZoneAlarm Free Firewall
Which of the following is a malware research tool that allows security analysts to detect and classify malware or other malicious codes through a rule-based approach?
A. Hping3
B. Nmap
C. YARA
D. Fing
Correct Answer: C. YARA
Which of the following tools helps security professionals in generating YARA rules from strings identified in malware files?
A. yarGen
B. Weevely
C. Tamper Chrome
D. HoneyBOT
Correct Answer: A. yarGen
Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects?
A. Insertion attack
B. Fragmentation attack
C. Obfuscation
D. Invalid RST packets
Correct Answer: A. Insertion attack
One of the following is an IDS evasion technique used by an attacker to send a huge amount of unnecessary traffic to produce noise or fake traffic. If the IDS does not analyze the noise traffic, the true attack traffic goes undetected.
A. Flooding
B. Encryption
C. Overlapping fragments
D. Denial-of-service attack
Correct Answer: A. Flooding
In which of the following IDS evasion techniques does an attacker use an existing buffer-overflow exploit and set the “return” memory address on the overflowed stack to the entrance point of the decryption code?
A. Urgency flag
B. Polymorphic shellcode
C. Invalid RST packets
D. Overlapping fragments
Correct Answer: B. Polymorphic shellcode
Which of the following techniques is used by an attacker to exploit a host computer and results in the IDS discarding packets while the host that must receive the packets accepts them?
A. Fragmentation attack
B. Obfuscation
C. Evasion
D. Session splicing
Correct Answer: C. Evasion
In which of the following IDS evasion techniques does an attacker split the attack traffic into an excessive number of packets such that no single packet triggers the IDS?
A. Evasion
B. Session splicing
C. Insertion attack
D. Denial-of-service attack (DoS)
Correct Answer: B. Session splicing
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities?
A. Network packets are dropped if the volume exceeds the threshold
B. Thresholding interferes with the IDS’ ability to reassemble fragmented packets
C. The IDS will not distinguish among packets originating from different sources
D. An attacker, working slowly enough, can evade detection by the IDS
Correct Answer: D. An attacker, working slowly enough, can evade detection by the IDS
Which evasion technique is used by attackers to encode the attack packet payload in such a way that only the destination host, and not the IDS, can decode the packet?
A. Unicode evasion
B. Obfuscation
C. Session splicing
D. Fragmentation attack
Correct Answer: B. Obfuscation
How many bits long is the checksum used by the TCP protocol for error checking of the header and data, ensuring that communication is reliable?
A. 14-bit
B. 16-bit
C. 15-bit
D. 13-bit
Correct Answer: B. 16-bit
An attacker hides the shellcode by encrypting it with an unknown encryption algorithm and by including the decryption code as part of the attack packet. He encodes the payload and then places a decoder before the payload. Identify the type of attack executed by the attacker.
A. Polymorphic shellcode
B. Preconnection SYN
C. Postconnection SYN
D. ASCII shellcode
Correct Answer: A. Polymorphic shellcode
Which network-level evasion method is used to bypass an IDS, where an attacker splits the attack traffic into too many packets so that no single packet triggers the IDS?
A. Unicode evasion
B. Overlapping fragments
C. Fragmentation attack
D. Session splicing
Correct Answer: D. Session splicing
Which of the following is an IDS evasion technique used by an attacker to confuse the IDS by forcing it to read invalid packets as well as blindly trust and accept a packet that an end system rejects?
A. Invalid RST packets
B. Obfuscation
C. Insertion attack
D. Fragmentation attack
Correct Answer: C. Insertion attack
Which network-level evasion method is used to bypass an IDS, where an attacker splits the attack traffic into too many packets so that no single packet triggers the IDS?
A. Fragmentation attack
B. Overlapping fragments
C. Session splicing
D. Unicode evasion
Correct Answer: C. Session splicing
Which of the following is a technique used by an attacker masquerading as a trusted host to conceal their identity for hijacking browsers or gaining unauthorized access to a network?
A. Port scanning
B. IP address spoofing
C. Firewalking
D. Banner grabbing
Correct Answer: B. IP address spoofing
Which of the following techniques routes all traffic through an encrypted tunnel directly from a laptop to secure and harden servers and networks?
A. Tiny fragments
B. Source routing
C. ACK tunneling method
D. Anonymizer
Correct Answer: D. Anonymizer
Which of the following attack techniques is used by an attacker to exploit the vulnerabilities that occur while processing the input parameters of end users and the server responses in a web application?
A. Denial-of-service attack
B. XSS attack
C. MITM attack
D. Social engineering attack
Correct Answer: B. XSS attack
Which of the following techniques is used by attackers for collecting information about remote networks behind firewalls, where the TTL value is used to determine ACL gateway filters and map networks by analyzing the IP packet response?
A. Firewalking
B. Banner grabbing
C. Tiny fragments
D. Source routing
Correct Answer: A. Firewalking
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below.
What conclusions can be drawn based on these scan results?
TCP port 21—no response
TCP port 22—no response
TCP port 23—Time-to-live exceeded
A. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
B. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.
C. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server.
D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host.
Correct Answer: A. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall.
Check Point’s FireWall-1 listens to which of the following TCP ports?
A. 1745
B. 1080
C. 259
D. 1072
Correct Answer: C. 259
Which of the following is a two-way HTTP tunneling software tool that allows HTTP, HTTPS, and SOCKS tunneling of any TCP communication between any client–server systems?
A. Super network tunnel
B. Bitvise
C. Loki
D. Secure Pipes
Correct Answer: B. Loki
Which of the following tools is used to execute commands of choice by tunneling them inside the payload of ICMP echo packets if ICMP is allowed through a firewall?
A. Anonymizer
B. Loki
C. HTTPTunnel
D. AckCmd
Correct Answer: D. AckCmd
Which feature of the Secure Pipes tool opens application communication ports to remote servers without opening those ports to public networks?
A. Remote backwards
B. SOCKS proxies
C. Local forwards
D. Remote forwards
Correct Answer: C. Local forwards
Which of the following is a hijacking technique where an attacker masquerades as a trusted host to conceal his identity, hijack browsers or websites, or gain unauthorized access to a network?
A. IP address spoofing
B. Port scanning
C. Firewalking
D. Source routing
Correct Answer: A. IP address spoofing
An organization’s web application firewall (WAF) allows specific queries and syntaxes that originate from their internal addresses. Jack, a professional hacker, exploited this functionality to send spoofed requests to trick the target WAF and server into believing that the request originated from their internal network. Jack also appended various extensions such as X-Originating-IP, X-Forwarded-For, X-Remote-IP, and X-Remote-Addr to the spoofed requests to bypass the target WAF.
Identify the technique employed by Jack to bypass the target WAF.
A. HTTP header spoofing
B. VLAN hopping
C. MAC spoofing
D. ARP spoofing
Correct Answer: A. HTTP header spoofing
In which of the following techniques do attackers first send payloads to the WAF connected to their local network to identify the payloads that can be used for evasion and then send those payloads to the target WAF for evasion?
A. Fuzzing/brute-forcing
B. Code emulation
C. Function testing
D. Runtime execution path profiling
Correct Answer: A. Fuzzing/brute-forcing
In which of the following attacks does an attacker create a malicious link by developing a JavaScript-based blob with a compatible MIME that is set to automatically download the malware on the victim’s machine?
A. URL encoding
B. Pre-connection SYN
C. HTML smuggling
D. Polymorphic shellcode
Correct Answer: C. HTML smuggling
Which of the following practices helps security professionals in defending against HTML smuggling attacks?
A. Recommend users to use a web browser with Microsoft Defender SmartScreen activated
B. Disable cloud delivery-based protection
C. Never block auto-execution of .js and .jse files
D. Never verify the perimeter operation of security devices
Correct Answer: A. Recommend users to use a web browser with Microsoft Defender SmartScreen activated
Mark, a professional hacker, has targeted an organization’s employee to create a backdoor on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS that distributes automatic updates to its global users. The administrators often disregard monitoring this service as it delivers continuous updates.
Which of the following features did Mark abuse in the above scenario?
A. ICMP protocol
B. SSH tunneling
C. Windows BITS
D. HTTP tunneling
Correct Answer: C. Windows BITS
Which of the following tools audits and validates the behavior of security devices and is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of a non-proxy packet filtering device?
A. Colasoft Packet Builder
B. AckCmd
C. SPECTER
D. Traffic IQ Professional
Correct Answer: D. Traffic IQ Professional
In which of the following attacks does an attacker create a malicious link by developing a JavaScript-based blob with a compatible MIME that is set to automatically download the malware on the victim’s machine?
A. Polymorphic shellcode
B. URL encoding
C. Pre-connection SYN
D. HTML smuggling
Correct Answer: D. HTML smuggling
Mark, a professional hacker, has targeted an organization’s employee to create a backdoor on his system. To achieve his goal, Mark exploited a standard service of Microsoft-based OS that distributes automatic updates to its global users. The administrators often disregard monitoring this service as it delivers continuous updates.
Which of the following features did Mark abuse in the above scenario?
A. Windows BITS
B. HTTP tunneling
C. SSH tunneling
D. ICMP protocol
Correct Answer: A. Windows BITS
Which of the following tools is used by attackers to bypass antivirus software by utilizing binary deconstruction, insertion of arbitrary assembly code, and reconstruction?
A. Ghostwriting.sh
B. FaceNiff
C. Colasoft Packet Builder
D. KFSensor
Correct Answer: A. Ghostwriting.sh
Identify the evasion technique in which attackers perform DLL hijacking to place a malicious DLL with a legitimate name that the application is looking for in the same directory where the executable resides, so that the malicious DLL gets executed along with the application to disable the endpoint security.
A. Application whitelisting
B. Using blacklist detection
C. Fake security applications
D. Overlapping fragments
Correct Answer: A. Application whitelisting
Identify the technique in which attackers abuse Microsoft Excel macro sheets to bypass endpoint protection and execute a malicious payload on a target system.
A. Fuzzing/brute-forcing
B. Fast flux DNS method
C. XLM weaponization
D. Password grabbing
Correct Answer: C. XLM weaponization
Which of the following tools allows an attacker to identify the hooked syscalls that are stored in the memory during execution?
A. USM Anywhere
B. X64dbg debugger
C. Censys
D. WIBR+-WIfi BRuteforce
Correct Answer: B. X64dbg debugger
Which of the following is a cyber defense software suite with antivirus, anti-malware, and intrusion detection capabilities?
A. Mention
B. Euromonitor
C. Symantec Endpoint Protection
D. Followerwonk
Correct Answer: C. Symantec Endpoint Protection
Which of the following tools allows attackers to create a malicious payload or launcher to bypass endpoint protection?
A. Covenant C2 Framework
B. Metagoofil
C. Sherlock
D. Octoparse
Correct Answer: A. Covenant C2 Framework
Identify the bypass technique in which attackers use hex-format encryption to ping different IP addresses for evading detection mechanisms.
A. Heuristic analysis
B. Passing encoded commands
C. Website defacement
D. Honey trap
Correct Answer: B. Passing encoded commands
Which of the following techniques helps an attacker circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies?
A. Web application fuzz testing
B. Reverse DNS lookup
C. Fast flux DNS method
D. WHOIS lookup
Correct Answer: C. Fast flux DNS method
James, a professional hacker, aimed to bypass endpoint security and gain access to the internal systems connected to a corporate network. For this purpose, he employed a technique through which malware is executed when a victim performs specific actions such as opening a particular window and clicking it; as a result, the malware gets activated after the system reboots.
Identify the technique employed by James to evade endpoint security.
A. Timing-based evasion
B. Unicode evasion
C. Flooding
D. IP address spoofing
Correct Answer: A. Timing-based evasion
Which of the following techniques allows attackers to leverage trusted built-in utilities for the execution of malicious code to evade EDR solutions?
A. Distortion techniques
B. Signed binary proxy execution
C. Masking and filtering
D. Spawning using XMLDOM
Correct Answer: B. Signed binary proxy execution
Identify the evasion technique used by attackers to bypass endpoint detection and response (EDR) to infect the devices with potential malware and establish command and control to maintain a foothold without being detected.
A. Dark web footprinting
B. Website mirroring
C. Banner grabbing
D. XLM weaponization
Correct Answer: D. XLM weaponization
Which of the following is a simple VLAN enumeration and hopping script that sniffs out CDP packets and extracts the VTP domain name, VLAN management address, native VLAN ID, and IOS version of Cisco devices?
A. Nikto
B. got-responded
C. Frogger
D. Maltego
Correct Answer: C. Frogger
Which of the following tools allows attackers to place their device between a network switch and an authenticated device to ensure that the traffic flows through their device?
A. InSpectre
B. nac_bypass_setup.sh
C. Dependency Walker
D. OmniPeek
Correct Answer: B. nac_bypass_setup.sh
Identify the evasion technique in which attackers perform DLL hijacking to place a malicious DLL with a legitimate name that the application is looking for in the same directory where the executable resides, so that the malicious DLL gets executed along with the application to disable the endpoint security.
A. Using blacklist detection
B. Application whitelisting
C. Overlapping fragments
D. Fake security applications
Correct Answer: B. Application whitelisting
Which of the following tools allows attackers to analyze the detection rate of a malicious file that is being propagated to bypass the antivirus solution?
A. Zsteg
B. VirusTotal
C. BeRoot
D. Robber
Correct Answer: B. VirusTotal
Which of the following is a cyber defense software suite with antivirus, anti-malware, and intrusion detection capabilities?
A. Euromonitor
B. Symantec Endpoint Protection
C. Mention
D. Followerwonk
Correct Answer: B. Symantec Endpoint Protection
Which of the following tools allows attackers to create a malicious payload or launcher to bypass endpoint protection?
A. Metagoofil
B. Octoparse
C. Covenant C2 Framework
D. Sherlock
Correct Answer: C. Covenant C2 Framework
Which of the following commands allows attackers to transform a malicious payload created using Covenant C2 Framework into a position-independent shellcode?
A. Get-ObjectAcl -SamAccountName “users” -ResolveGUIDs
B. mimikatz “lsadump::dcsync /domain:(domain name) /user:Administrator”
C. ntdsutil “ac in ntds” “ifm” “cr fu c:\temp” q
D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin
Correct Answer: D. ./donut -c GruntStager -a 3 -b 2 -z 2 -x -e 3 GruntHTTP.exe -o gruntloader.bin
Identify the bypass technique in which attackers use hex-format encryption to ping different IP addresses for evading detection mechanisms.
A. Passing encoded commands
B. Heuristic analysis
C. Website defacement
D. Honey trap
Correct Answer: A. Passing encoded commands
Which of the following techniques helps an attacker circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies?
A. WHOIS lookup
B. Web application fuzz testing
C. Reverse DNS lookup
D. Fast flux DNS method
Correct Answer: D. Fast flux DNS method
Which of the following is a simple VLAN enumeration and hopping script that sniffs out CDP packets and extracts the VTP domain name, VLAN management address, native VLAN ID, and IOS version of Cisco devices?
A. Frogger
B. Nikto
C. got-responded
D. Maltego
Correct Answer: A. Frogger
Which of the following techniques manipulates the TCP/IP stack and is effectively employed to slow down the spread of worms and backdoors?
A. Layer 4 tar pits
B. Layer 2 tar pits
C. Layer 7 tar pits
D. Honeyd honeypot
Correct Answer: A. Layer 4 tar pits
One of the following techniques redirects all malicious network traffic to a honeypot after any intrusion attempt is detected. Attackers can identify such honeypots by examining specific TCP/IP parameters such as the round-trip time (RTT), time to live (TTL), and TCP timestamp. Which is this technique?
A. User-Mode Linux (UML)
B. Fake AP
C. Snort_inline
D. Bait and switch
Correct Answer: D. Bait and switch
Which honeypot detection tool has the following features:
Checks lists of HTTPS, SOCKS4, and SOCKS5 proxies with any ports
Checks several remote or local proxylists at once
Can upload “Valid proxies” and “All except honeypots” files to FTP
Can process proxylists automatically every specified period
May also be used for regular proxy-list validation
A. WAN Killer
B. Send-Safe Honeypot Hunter
C. Ostinato
D. WireEdit
Correct Answer: B. Send-Safe Honeypot Hunter
Which of the following methods is NOT a countermeasure to defend against IDS evasions?
A. Regularly update the antivirus signature database
B. Never define the DNS server for client resolver in routers
C. Shut down switch ports associated with known attack hosts
D. Train users to identify attack patterns
Correct Answer: B. Never define the DNS server for client resolver in routers
Which of the following countermeasures allows security professionals to defend against IDS evasion?
A. Always open switch ports associated with known attack hosts
B. Never store the attack information for future analysis
C. Avoid traffic normalization solutions at the IDS to protect the system from evasions
D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions
Correct Answer: D. Use the TCP FIN or Reset (RST) packet to terminate malicious TCP sessions
Riya wants to defend against the polymorphic shellcode problem. What countermeasure should she take against this IDS evasion technique?
A. Configure a remote syslog server and apply strict measures to protect it from malicious users
B. Look for the nop opcode other than 0x90
C. Catalog and review all inbound and outbound traffic
D. Disable all FTP connections to or from the network
Correct Answer: B. Look for the nop opcode other than 0x90
Which of the following practices makes an organization’s network susceptible to IDS evasion attempts?
A. Perform an in-depth analysis of ambiguous network traffic for all possible threats
B. Allow malicious script injection in the Snort rules directory
C. Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions
D. Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem
Correct Answer: B. Allow malicious script injection in the Snort rules directory
Which of the following practices helps security professionals defend their organizational network against IDS evasion attempts?
A. Ensure that the packets are arriving from a path secured with IDS
B. Do not store the attack information for future analysis
C. Look for 0x90 other than nop opcode to defend against the polymorphic shellcode problem
D. Never use a traffic normalizer to remove potential ambiguity from the packet stream
Correct Answer: A. Ensure that the packets are arriving from a path secured with IDS
Which of the following practices helps security professionals defend their network against firewall bypass attempts?
A. By default, enable all FTP connections to or from the network
B. Never configure a remote syslog server
C. Use HTTP Evader to run automated testing for suspected firewall evasions
D. The firewall should be configured such that the IP address of an intruder should not be filtered out
Correct Answer: C. Use HTTP Evader to run automated testing for suspected firewall evasions
Which of the following practices makes an organization’s network susceptible to firewall evasion attempts?
A. Specify the source and destination IP addresses as well as the ports
B. Do not use HTTP Evader to run automated testing for suspected firewall evasions
C. Run regular risk queries to identify vulnerable firewall rules
D. Monitor user access to firewalls and control who can modify the firewall configuration
Correct Answer: B. Do not use HTTP Evader to run automated testing for suspected firewall evasions
Which of the following is a honeypot application that captures rootkits and other malware by hijacking the read() system call?
A. Sebek
B. Bait and switch
C. Tar pits
D. Fake AP
Correct Answer: A. Sebek
How do attackers identify the presence of layer 7 tar pits?
A. By looking at the IEEE standards for the current range of MAC addresses
B. By looking at the latency of the response from the service
C. By analyzing the TCP window size
D. By looking at the responses with unique MAC address 0:0:f:ff:ff:ff
Correct Answer: B. By looking at the latency of the response from the service