Section 1.3: Malware-ology Flashcards

1
Q

What is the Malware Paradox?

A

That malware can hide, but it must run.

2
Q

What are the three compromise types?

A

Active malware, Dormant malware (not active or cleaned), and Living off the Land.

3
Q

Define Endpoint Detection and Response (EDR).

A

It is a security solution that combines real-time, continuous monitoring with rule-based collection of endpoint data.

4
Q

Name some common malware names.

A

svchost.exe, iexplore.exe, explorer.exe, lsass.exe, win.exe, and winlogon.exe

5
Q

Name some common malware locations.

A

Temp, AppData, $Recycle.Bin, ProgramData, Windows, System32, WinSxS, System Volume Information, Program Files, and Program Files (x86).

6
Q

What is the purpose of the LOLBAS Project (Living Off the Land Binaries and Scripts)?

A

It helps categorize attacker use cases for legitimate Windows binaries.

7
Q

What legitimate binaries can help adversaries do stealthy file downloading?

A

Bitsadmin.exe and Certutil.exe. They are abused to decode obfuscated payloads in order to avoid host-based security.

8
Q

When a binary or DLL has a colon, what is that an indication of?

A

It is an indication of an alternate data stream (ADS).

9
Q

List common defense evasion techniques attackers use to avoid detection.

A

Service Hijacking/replacement, Process injection, Filename/Service hijacking, Alternate data streams, Webshells/beacons, Firmware, DLL injections, A/V bypass, Frequent Compilation, Binary padding, Packing/armoring, Dormant malware, Signing code, Anti-forensics/timestomping, Rootkits, and Fileless malware.

10
Q

Why are code-signing private keys attractive to adversaries?

A

If stolen, adversaries can use them to sign their malware, gaining easy access to operating systems that trust certain publishers (e.g., Adobe, Opera browser).

11
Q

Who is likely to have signed code?

A

Nation-State threat actors.

12
Q

Which publishers are likely to be legitimate?

A

Microsoft, Apple, and Google. These can be automatically ignored.
