Quiz Evasive and Post-Exploitation Attacks Flashcards

1
Q

Why would an attacker digitally sign malware to evade endpoint security

A

Endpoint security may allow malware execution if the digital signature is trusted.

why:
An attacker can try digitally signing their malware. A number of instances where trusted digital signatures were used by attackers have been a big part of modern malware, from Stuxnet to Flame to Duqu.

2
Q

Which of the following Metasploit modules can be used for pivoting (lateral movement) through a compromised host?

A

auxiliary/server/socks4a

why:
Attackers reuse their Command and Control (C2) access to pivot and gain access to new hosts in the network. A powerful example of this is the Meterpreter C2 framework, either deployed as part of the initial exploit or through an independent payload generated using msfvenom. An attacker can start a proxy server on their system with auxiliary/server/socks4a and relay traffic through the pivot (compromised host) by reusing the Meterpreter session with a new route to the internal target.

page 21 book 5

3
Q

Which of the following built-in commands allows port forwarding on Windows?

A

On Windows systems, the netsh command has a built-in feature to start listening on an arbitrary port number and forward any activity to a remote IP address and TCP port. Unlike Meterpreter portfwd or SSH tunneling, the listening port in this case is on the victim system itself, NOT the attacker system. An attacker can still use this for pivoting and to obscure the source of the attack on the network, but it requires that they can connect to the victim system on the listening port. wmic and route are built-in commands, but they cannot be used for port forwarding; plink can be used for port forwarding but is not a built-in Windows command.

page 25, book 5

4
Q

Which of the following defenses can help characterize data transfer totals and apps used after an attacker has exfiltrated data from a Windows victim host?

A

SRUM

why?
Following a compromise, incident responders can use System Resource Usage Monitor (SRUM) data to characterize data transfer totals by app name, which can be valuable for characterizing the amount and possible sources of data extracted from a compromised system. The other options are useful defenses against data exfiltration, but none of them will characterize the data transfer totals in the case of successful data exfiltration.

page 112 book 5

5
Q

In Unix, which accounting file contains data about past user logins?

A

wtmp

why?
The wtmp file stores information about all users who have ever logged into the machine. The utmp file stores information about all users currently logged into the system. The btmp file stores information about bad login attempts (i.e., failures to properly authenticate). The lastlog file shows information associated with the most recent login time and date for each user.

page 66 book 5

6
Q

A security analyst is making a recommendation to help identify suspicious activity that attempts to alter log files on an organization's network. Which of the following will allow you to look at how a system or user typically functions?

A

Installing a tool that uses user and entity behavior analytics (UEBA)

why?
The approach here is to stop looking for specific events to be generated and, rather, look at the behavior of a user on an IT asset as a whole. This is called user and entity behavior analytics (UEBA). This is an effective way to look for activities like a user account logging on to multiple systems at the same time or an account accessing thousands of files on a server.

page 78 book 5

7
Q

Which of the following commands enables the forwarding of local port 8000 to host 10.10.10.100 on remote TCP port 80 through SSH?

A

One option for pivoting is to reuse existing capabilities on the compromised target systems. For Linux or UNIX systems, an SSH server offers many features for pivoting, allowing an attacker to leverage access to the SSH server to access other internal systems. One option is to set up a simple port forward through the pivot host to a specific target host and TCP port number. By running the command ssh -L 8000:10.10.10.100:80 victorimko@10.10.10.100, the attacker connects to the victim at 10.10.10.11 over SSH, logging in as the user victorimko. By specifying the -L argument, the attacker establishes a new listening port (8000) on his or her attacking system. When the attacker connects to local port 8000, the connection is forwarded through the SSH session established with 10.10.10.11 to the 10.10.10.100 host on TCP port 80.

page 24 book 5

8
Q

What is the name of the log-wiping utility in Metasploit that purges all log data from the event logs?

A

For many years, Meterpreter has included the built-in clearev command to purge data from the Windows event logs, but it does so while leaving an audit event behind that indicates that the event log had been cleared.

page 74 book 5.

9
Q

Which of the following tools uses a Hi-Lo strategy, splitting a file into pieces and scanning it repeatedly until the smallest data chunk is found that triggers a threat alert?

A

DefenderCheck

why?
DefenderCheck is a tool that helps attackers evade the endpoint security tools of victims. DefenderCheck takes a file and scans it on a local Windows 10 system using Windows Defender. If Windows Defender raises an alert for the target file as malicious, DefenderCheck will split the file in two and scan each piece independently, discarding the chunk of the file that does not trigger the alert. In this way, DefenderCheck plays a strange version of Hi-Lo, repeatedly splitting the file and scanning over and over until it achieves the smallest possible chunk that still raises an alert.

page 11 book 5

10
Q

Which of the following locations in Linux contains the configuration for the system logger?

A

/etc

why?
On a UNIX system, the syslog process stores the logs for the system. The configuration for the system logger is found in the /etc/syslog.conf file. When a careful attacker takes over a system, he will look at this file to see where the system is configured to store its logs. These careful attackers will then modify the log files by hand.

page 63 book 5

11
Q

Which of the following tools is generally used by threat actors to extract victim passwords from memory dump files?

A

Mimikatz

why?
Mimikatz can extract passwords from the LSASS process on a victim by supplying the Procdump memory dump file as an argument to the sekurlsa::minidump command.

This is a common technique used by adversaries to collect data that achieves the same attack goal while evading detection. It has the disadvantage of requiring a larger data transfer (the Procdump memory capture for LSASS is approx. 50MB) but has found recent widespread use as an effective alternative to running Mimikatz on the victim system locally.

page 105 book 5

12
Q

Ptunnel consists of which of the following two components?

A

Client and proxy

why?
Ptunnel consists of two components: the Ptunnel client and the Ptunnel proxy. The attacker configures the Ptunnel client to listen on a given TCP port on the localhost interface of the client machine. In addition, the attacker must configure the Ptunnel proxy, which runs on an external machine accessible via ping packets from the Ptunnel client. Finally, the attacker configures the Ptunnel client with a given ultimate destination address.

page 84 book 5.

13
Q

What can the Ptunnel proxy use to authenticate the client?

A

An MD5-based challenge/response authentication algorithm

why?
The Ptunnel proxy can be configured to authenticate the Ptunnel client using an MD5-based challenge/response authentication algorithm. Ptunnel does not currently support encryption; however, if the application using the TCP-based connection encrypts the data (HTTPS or SSH), the attacker would have some degree of protection of the data.

page 84 book 5

14
Q

What utility can be used to display the ARP cache on UNIX machines and Windows systems?

A

arp on both UNIX and Windows

why?
Misconfigured ARP entries may indicate sniffing on a switched network. To check from your local machine on Win32, type arp -a. To check on UNIX, type arp -a or arp -e, depending on the UNIX vendor.

page 56 book 5

15
Q

Which of the following formats is more convenient for applying the ghostwriting evasion technique?

A

asm

why?
The first step for ghostwriting is to generate the binary the attacker wishes to manipulate, then convert the binary from raw format into asm source. While it may be possible to change a binary file in raw (binary) format, it is much easier to change it in asm source.

page 8 book 5

16
Q

Which protocol supports mapping IPv4 addresses to MAC addresses?

A

ARP

why?
When you send data across a LAN, it must be directed to the hardware address (MAC address) of the destination host. The MAC address of the Ethernet card is a 48-bit globally unique address. Your machine must determine the MAC address corresponding to a given IP address. ARP supports mapping IP addresses to MAC addresses.

page 35 book 5

17
Q

How does Bettercap sslstrip avoid having an SSL warning message alert a user that a certificate is bad?

A

It intercepts a redirect message and has the user’s browser use only HTTP with no certificate.

why?

In the Bettercap sslstrip attack, the client sends an HTTP request, as usual. Bettercap passes this request on to the web server. The web server attempts to send a redirect telling the browser to go to https://www.mybank.com. Bettercap intercepts this redirect in the response and tells the browser to continue using HTTP. The attacker then uses HTTPS to access the site. All traffic from the browser to the attacker is cleartext HTTP, and all traffic from the attacker to the website is SSL-encrypted HTTPS. No warning messages are shown to the browser, because it never uses SSL.

page 48 book 5.

18
Q

The following ARP table for the 192.168.1.14 – 0x9 interface was hard-coded a month ago when the interface could connect to all addresses in the table. Today it cannot connect to 192.168.1.2, although the server is still up. What is the most likely explanation for this failure?

A

The IP to MAC mapping for 192.168.1.2 has changed

why?

One area of defense that can help on sensitive networks (such as your DMZ) involves hard-coding your ARP tables. In most systems, you can set your ARP tables at system boot to have only specific IP-to-MAC address mappings. These values cannot be overwritten by gratuitous ARPs. Unfortunately, such a configuration increases management overhead, because you have to update these ARP tables in each system if and when changes occur.

page 55 book 5.

19
Q

A Security consultant is trying to execute a custom executable from the System32 directory. However, the antivirus program on the target computer is preventing the custom code from running. What can the security consultant do to make the custom executable run?

A

Use a built-in tool from Windows to invoke the executable

why?
The security consultant can use a built-in tool from Windows to run the code. By starting malware through a trusted Windows built-in utility such as atbroker.exe, an attacker can frequently bypass endpoint protection.

page 15 book 5

20
Q

Which file contains information about currently logged in users?

A

utmp

why?
The utmp file stores information about all users currently logged in to the system. This file is consulted by the who command to print a list of users with actively logged in sessions on the system.

page 66 book 5.

21
Q

As attackers adapt to new C2 and exfil techniques, traditional IDS becomes less effective at identifying threats. Which of the following techniques can be used to detect C2 that is commonly missed by traditional IDS techniques?

A

Statistical anomaly analysis

why?
The Real Intelligence Threat Analytics (RITA) tool, designed by Active Countermeasures, is a free and open source solution to identify attacker C2 using statistical anomaly analysis. RITA does not rely on packet payload inspection to identify threats like traditional IDS platforms; instead, it looks for signs of network activity that correspond to the patterns employed by attacker C2 tools, both known and unknown.

22
Q

What does the following command do?

type 1.exe > YJEOZD.pdf:notepad.exe

A

It makes 1.exe a data stream attached to YJEOZD.pdf and names the data stream notepad.exe

why?
An attacker can create additional streams associated with any file or directory name on the system. The attacker can then use these streams to hide his or her sensitive information, such as attack tools or sniffer logs. Any file or directory on an NTFS partition can be used to hide such information. To create and interact with file streams, the type command built into Windows can be used.

page 71 book 5.

23
Q

The free Ptunnel tool runs on Linux and Windows and tunnels TCP traffic over which of the following?

A

ICMP echo packets

why?
Instead of exfiltrating data via HTTP traffic, some attackers opt for other protocols. Numerous tools are readily available to carry traffic via covert channels using ICMP packets. Many networks allow outbound ICMP echo packets and their associated responses, making ping packets a useful way to tunnel traffic in a covert fashion. Ptunnel is one of the most flexible tools in this genre. Written by Daniel Stodle, this free tool runs on Linux or Windows, carrying TCP connections inside of ICMP echo and ICMP echo reply packets.

page 83 book 5.

24
Q

What can an attacker do with alternate data streams in an NTFS file system?

A

An attacker can hide multiple data streams in a single file without disrupting the size or operability of the original file.

Why?
One opportunity for an attacker to hide files on the NTFS and ReFS file systems is to leverage alternate data streams (ADS). ADS allow a single file to have a default stream of data while also supporting additional, independent data streams. The stream content follows the file as it is copied and moved to different partitions (but NOT when moved to a file system type that does not support ADS, such as FAT or exFAT). When a defender examines a file using the command prompt dir command, the PowerShell Get-ChildItem cmdlet, or Windows Explorer, the default stream is the only visible stream indicator.

page 70 book 5.

25
Q

How does ghostwriting bypass endpoint security?

A

It modifies the code of an executable to change the signature of the program but not the important functionality

why?
Ghostwriting is modifying the assembly of an exe in order to bypass antivirus. This is done via the insertion of "junk code": lines of code that modify the program but make no lasting change to the way the program executes (for example, inserting instructions that add two to a register and then subtract two from the same register). The outcome is the same, but the added code changes the signature of the program.

page 7 book 5.

26
Q

What is an important step in implementing an ARP cache poisoning attack?

A

The attacker sends a gratuitous ARP message to the victim machine, mapping the IP address of the default gateway for the LAN to the attackers MAC address.

why?
Here's how the ARP spoofing technique works to create a machine-in-the-middle (MITM) attack so that an attacker can sniff in a switched environment.

Step 1: The attacker sets up IP forwarding so all packets sent to the attacker's machine are redirected to the default gateway (router) for the LAN. The attacker's machine, therefore, acts much like a router itself.

Step 2: The attacker sends a gratuitous ARP message to the victim machine, mapping the IP address of the default gateway for the LAN to the attacker's MAC address. The victim's ARP cache is therefore poisoned with false information.

Step 3: The victim sends traffic, but it is all transmitted to the attacker's machine because of the ARP cache poisoning.

Step 4: The attacker sniffs the info, using a sniffer.

Step 5: The attacker's machine forwards all the packets back through the switch to the default gateway.

page 38 book 5

27
Q

Which of the following behaviors is common to attacker C2 frameworks but not specific to different C2 tools?

A

Long connection duration between C2 and victim endpoint

Why?
The fundamental principle that drives the development of RITA is that attacker C2 does not behave like normal network activity. In a normal network there will be proprietary and standards-based network protocols using a variety of different systems and ports, different total data transfer amounts, and periods of long or bursty network activity. Comparatively, attacker C2 is different, often having one or more characteristics that differ from other legitimate network activity:

  • Long connection duration between C2 and the victim endpoint
  • Lots of consistent data sizes in packets used for heartbeat checking
  • Consistent packet intervals (within a C2 sleep timer)
  • Consistent packet intervals within a jitter metric (skew)
  • A total session size or byte count consistency

page 92 book 5

28
Q

An attacker has compromised a workstation on the corporate LAN and wishes to view and capture SSL traffic from the other users on the LAN. What two software packages must the attacker run to create the infrastructure necessary to succeed in sniffing the SSL traffic?

A

DNS spoofing and web proxy

why?
To intercept SSL traffic for capture and viewing, an attacker must redirect SSL traffic and maintain a connection to the real site. This is accomplished by using a DNS spoofing tool to send a response to a DNS query and utilizing a web proxy for the connection. The attacker can then send his own crafted certificate to the client and leverage social engineering or exploit the user's trust/behavior to click through the warning.

Compromised CA is an incorrect answer: although a certificate from a compromised CA negates the browser warning, it does not support the initial attack vector. sslstrip is a tool used to rewrite HTTPS URLs to HTTP, but it requires the intercept infrastructure to be in place. SSH proxy is incorrect because it is a proxy for SSH (encrypted telnet) traffic, not SSL (web) traffic.

page 44 book 5.

29
Q

How would an attacker benefit from using the command “sudo -l” on a compromised system?

A

Identifying opportunities for privilege escalation.

why?
One way to escalate privileges on a Linux or UNIX system is to check the configuration of the sudo command. sudo allows a user to run commands with the privileges of another user, often as root. An administrator can configure sudo to allow a user to run any command as root or one or more specific commands as root. This is ideal since an administrator may want to grant a user access to run a specific tool with extra privileges but not grant the user full root access for all commands. An attacker can enumerate the privileges allocated to a user through sudo by running sudo -l. Unfortunately, there are many opportunities to abuse selected-access sudo commands to gain privileged access.

page 103 book 5.

30
Q

Real Intelligence Threat Analytics (RITA) detects known and yet undiscovered attacker C2. What is the input that should be passed to RITA?

A

Zeek Logging data

why?
Real Intelligence Threat Analytics (RITA) can be used for offline assessment of network activity (i.e., it does not perform live network monitoring) using the logging data generated by the Zeek network analysis framework. RITA provides the best results with logging data collected over 24 hours or more. RITA is an effective threat hunting tool to aid analysts in identifying and reacting to compromises within the network.

page 91 book 5.

31
Q

Why would an attacker digitally sign malware to evade endpoint security?

A

Endpoint security may allow malware execution if the digital signature is trusted.

why?
An attacker can digitally sign their malware. A number of instances where trusted digital signatures were used by attackers have been a big part of modern malware, from Stuxnet to Flame to Duqu.

page 13 book 5.

32
Q

What command is used to look at the DNS cache on a Windows Client?

A

ipconfig /displaydns

Why?
To look at the DNS cache on a Windows client, run ipconfig /displaydns in a command prompt.

page 56 book 5.