Security+ SY0-701 3-3 Malicious Code Sybex

  1. What is repository access?
    Access to a cleartext repository, such as an Excel spreadsheet, or access to a password hash repository.
  2. What is a capture attack?
    Capture of a plaintext password or hashed password using either a Man-in-the-Middle attack or a packet capture.

    Packet Capture requires access to network traffic using a sniffer

    MiTM requires access to a communication channel
  3. What kind of control is impacted by a skimmer?
    Physical
  4. What are the names of some USB Attacks?
    • Malicious flash drive
    • USB Connection
    • USB Cable
  5. How is a malicious flash drive used to attack?
    Malware distribution
  6. What is a USB attack via USB connection or cable?
    The firmware of the USB device or cable (respectively) is reprogrammed.
  7. How can you unintentionally distribute malware via USB drive?
    You insert a clean drive into an infected computer, it gets infected, and then you insert it into a clean computer.
  8. What is often paired with USB flash drive attacks?
    Social engineering.
  9. What is juice jacking?
    Juice jacking is when a charging port doubles as a data connection. The data jack can be used to install malware on, or copy sensitive data from, a smartphone, tablet, or other computing device.
  10. What is BadUSB?
    BadUSB is a technique to modify embedded firmware which gives USB devices new, covert capabilities. For example:

    • A USB device reprogrammed to act as a keyboard that covertly types malicious commands into connected computers

    • A USB device reprogrammed to act as a network card that causes connected computers to connect to malicious sites
  11. Can USB data jacks be used to steal data?
    Yes.
  12. What is USBHarpoon?
    USBHarpoon is used to reprogram a USB charging cable.

    • Once the cable is plugged in, it turns into a peripheral device capable of typing and launching commands, enabling hackers to transfer malware on your PC and compromise a computer in just a few seconds
  13. What do exploit kits usually target?
    Vulnerabilities in users' browsers.
  14. Exploit kits are usually found written in what form?
    PHP Scripts
  15. What is a Wi-Fi-enabled harpoon?
    Malicious USB charging cable that includes an embedded Wi-Fi microcontroller for remote wireless connectivity
  16. Are macro viruses platform dependent?
    No, they are platform independent.
  17. What are the three components of a rootkit?
    Dropper, loader, and rootkit itself.
  18. What are the four authentication factors?
    • Biometric
    • Knowledge
    • Possession
    • Password
  19. Most used authentication factor?
    Password
  20. What is the name of the attack that reuses captured credentials?
    Pass the hash
  21. What are the size limits for the input and output of a hashed password?
    Input can be any length, the output is fixed.
  22. Physical attacks are commonly used to do what?
    Bypass or weaken technical controls
  23. What are some physical attacks?
    Attack weapons such as a skimmer

    Physical components such as cables and ports

    Rogue devices like an AP

    Established wired or wireless connections used to take control of the device
  24. The process of creating fake credit cards using skimmed information is called?
    Cloning
  25. Common IoCs for worms like Raspberry Robin include:
    Known malicious files

    Downloads of additional components from remote systems

    Command and control contact to remote systems

    Malicious behaviors using system commands for injection and other activities, including use of cmd.exe, msiexec.exe, and others

    Hands-on-keyboard attacker activity
  26. Mitigation strategies for worms include?
    Starts with networking. Firewalls, IPS devices, network segmentation, and similar controls serve as the first layer of defense.

    Configuring services
  27. What are common examples of spyware IoCs?
    Remote-access and remote-control-related indicators

    Known software file fingerprints

    Malicious processes, often disguised as system processes

    Injection attacks against browsers
  28. How can spyware be used as a recon tool?
    Gather information on a system or an individual.
  29. Why do various forms of spyware exist?
    Each form does something different.
  30. Mitigation practices for spyware focus on
    awareness, control of the software that is allowed on devices and systems, and antispyware capabilities built into antimalware tools.
  31. Bloatware
    An all-encompassing term used to describe unwanted applications installed on systems by manufacturers. They may be part of a commercial relationship the manufacturer has, they may be programs the manufacturer themselves provide, or they may come later and be part of installer packages for other applications.
  32. What are the varieties of viruses?
    Memory-resident viruses, which remain in memory while the system or device is running

    Non-memory-resident viruses, which execute, spread, and then shut down

    Boot sector viruses, which reside inside the boot sector of a drive or storage media

    Macro viruses, which use macros or code inside word processing software or other tools to spread

    Email viruses that spread via email either as email attachments or as part of the email itself using flaws inside email clients
  33. How does having a registry entry for a virus cause problems after removal?
    The registry may have an entry that instructs the computer to download and execute the code again
  34. What is a standard practice when it comes to eradicating viruses from a computer?
    Wipe and reinstall.
  35. What are the IoCs for viruses?
    Look at the threat feeds for details.

    File hashes and signatures

    Exfiltration activity to command and control systems

    Process names

    Known reference URLs
  36. Best defense against a keylogger?
    Anti-malware tools, patch management

    and 2FA
  37. IoCs for logic bombs?
    None. You have to look at the code.
  38. What techniques are commonly used to analyze malware:
    Online analysis tools like VirusTotal can be used to check whether the malware is a known tool and to see what it is identified as by multiple AV tools.

    Sandbox tools can be used to analyze malware behavior in a protected environment.

    Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl.

    Malware can be analyzed using tools like strings to look for recoverable artifacts that may be useful for the analysis.
  39. Common IoCs for rootkits include:
    File hashes and signatures

    Command and control domains, IP addresses, and systems

    Behavior-based identification like the creation of services, executables, configuration changes, file access, and command invocation

    Opening ports or creation of reverse proxy tunnels
  40. Ryan wants to prevent logic bombs created by insider threats from impacting his organization. What technique will most effectively limit the likelihood of logic bombs being put in place?
    C. Logic bombs are embedded in code, so Ryan's organization would get the most benefit from a code review process for any code that goes into production. Antivirus and EDR are unlikely to detect logic bombs created by staff in Ryan's organization.
  41. Yasmine believes that her organization may be dealing with an advanced rootkit and wants to write IoC definitions for it. Which of the following is not likely to be a useful IoC for a rootkit?
    C. Rootkits are intended to be stealthy, and a pop-up demanding ransom works against that purpose. File hashes, command and control details, and behavior-based identifiers are all useful IoCs likely to be relevant to a rootkit.
  42. Nathan works at a school and notices that one of his staff appears to have logged in and changed grades for a single student to higher grades, even in classes that staff member is not responsible for. When asked, the staff member says that they did not perform the action. Which of the following is the most likely way that a student could have gotten access to the staff member's password?
    D. Nathan should check the staff member's computer for a keylogger, which would have captured their username and password. A student could have then used the staff member's credentials to make the changes described. A rootkit would be used to retain access, spyware gathers a variety of data but is not specifically aimed at capturing keystrokes like this, and logic bombs have specific events or triggers that cause them to take action.
  43. Amanda notices traffic between her systems and a known malicious host on TCP port 6667. What type of traffic is she most likely detecting?
    A. Amanda has most likely discovered a botnet's command and control channel, and the system or systems she is monitoring are probably using IRC as the command and control channel. Spyware is likely to simply send data to a central server via HTTP/HTTPS, worms spread by attacking vulnerable services, and a hijacked web browser would probably operate on common HTTP or HTTPS ports (80/443).
  44. Mike discovers that attackers have left software that allows them to have remote access to systems on a computer in his company's network. How should he describe or classify this malware?
    D. Remote access to a system is typically provided by a backdoor. Backdoors may also appear in firmware or even in hardware. None of the other items listed provide remote access by default, although they may have a backdoor as part of a more capable malware package.
  45. What is the primary impact of bloatware?
    A. Bloatware is typically not a significant security threat, but it consumes resources like disk space, CPU, and memory. Unfortunately, some bloatware can be vulnerable and may not get regularly patched, meaning it's both useless and a potential risk!
  46. What type of malware is used to gather information about a user's browsing habits and system?
    B. Spyware is specifically designed to gather information about users and systems and to send that data back to a central collector. Trojans pretend to be useful software and include malicious components, bloatware is preinstalled software that isn't needed, and rootkits are used to conceal malicious software and retain a foothold on compromised systems.
  47. Matt uploads a malware sample to a third-party malware scanning site that uses multiple antimalware and antivirus engines to scan the sample. He receives multiple different answers for what the malware package is. What has occurred?
    D. One of the challenges security practitioners can face when attempting to identify malware is that different antivirus and antimalware vendors will name malware packages and families differently. This means that Matt may need to look at different names to figure out what he is dealing with.
  48. Nancy is concerned that there is a software keylogger on the system she's investigating. What best describes data that may have been stolen?
    A. While keyloggers often focus on keyboard input, other types of input may also be captured, meaning Nancy should worry about any user input that occurred while the keylogger was installed. Keyloggers typically do not target files on systems, although if Nancy finds a keylogger, she may want to check for other malware packages with additional capabilities.
  49. A system in Elaine's company has suddenly displayed a message demanding payment in Bitcoin and claiming that the data from the system has been encrypted. What type of malware has Elaine likely encountered?
    C. Ransomware demands payment to be made while typically using encryption to make data inaccessible. Worms, viruses, and rootkits are not defined by behavior like this.
  50. Rick believes that a system he is responsible for has been compromised with malware that uses a rootkit to obtain and retain access to the system. When he runs an antimalware tool's scanner, the system doesn't show any malware. If he has other data that indicates the system is infected, what should his next step be if he wants to determine what malware may be on the system?
    B. Rootkits are designed to hide from antimalware scanners and can often defeat locally run scans. Mounting the drive in another system in read-only mode or booting from a USB drive and scanning using a trusted, known good operating system can be an effective way to determine what malware is on a potentially infected system.
  51. A recently terminated developer from Jaya's organization has contacted the organization claiming that they left code in an application that they wrote that will delete files and bring the application down if they are not employed by the company. What type of malware is this?
    B. Jaya's former employee is describing a logic bomb, malicious code that will cause harm when a trigger or specific action occurs. In this case, the former employee is claiming that the trigger is them not being employed at the company. Jaya will need to assess all of the code that the employee wrote to determine if a logic bomb exists. Ransomware is a type of malicious software that typically uses encryption to extort a ransom. Extortionware is not a commonly used term. Trojans appear to be useful or desirable software but contain malicious code.
  52. Selah wants to ensure that malware is completely removed from a system. What should she do to ensure this?
    A. In most malware infection scenarios, wiping the drive and reinstalling from known good media is the best option available. If the malware has tools that can infect the system BIOS/UEFI, even this may not be sufficient, but BIOS/UEFI resident malware is relatively uncommon. Multiple antivirus and antimalware tools, even if they are set to delete malware, may still fail against unknown or advanced malware packages. Destroying systems is uncommon, expensive, and unlikely to be acceptable to most organizations as a means of dealing with a malware infection.
  53. What is the key difference between a worm and a virus?
    C. The key difference between worms and viruses is how they spread. Worms spread themselves, whereas viruses rely on human interaction.
  54. Ben wants to analyze Python code that he believes may be malicious code written by an employee of his organization. What can he do to determine if the code is malicious?
    A. Python is an interpreted rather than a compiled language, so Ben doesn't need to use a decompiler. Instead, his best bet is to open the file and review the code to see what it does. Since it was written by an employee, it is unlikely that it will match an existing known malicious package, which means antivirus and antimalware tools and sites will be useless.
  55. Which of the following defenses is most likely to prevent Trojan installation?
    A. Trojans are often found in application stores where they appear to be innocuous but desirable applications or are listed in confusingly similar ways to legitimate applications. Many organizations choose to lock down the ability to acquire applications from app stores to prevent this type of issue. Since Trojans do not self-spread and rely on user action, patching typically won't prevent them. While users may try to transfer files via USB, this isn't the most common means for modern Trojans to spread.
  56. Jason's security team reports that a recent WordPress vulnerability seems to have been exploited by malware and that their organization's entire WordPress service cluster has been infected. What type of malware is most likely involved if a vulnerability in the software was exploited over the network?
    D. Worms often spread via networks, taking advantage of vulnerabilities to install themselves on targeted systems and then to propagate further. Trojans require human interaction to install software that appears desirable. Logic bombs are embedded in code and perform actions when triggers like a date or event occur. Rootkits are used to hide malware and to conceal attackers' actions.
  57. Hui's organization recently purchased new Windows computers from an office supply store. The systems have a number of unwanted programs on them that load at startup that were installed by the manufacturer. What type of software is this?
    C. Unwanted, typically preinstalled programs are known as bloatware. They take up space and resources without providing value, and many organizations either uninstall them or install clean operating system images to avoid them. There is no indication of malicious activity in the question, so these are most likely not viruses, Trojans, or spyware.
  58. What type of malware connects to a command and control system, allowing attackers to manage, control, and update it remotely?
    D. Bots connect to command and control (C&C) systems, allowing them to be updated, controlled, and managed remotely. Worms spread via vulnerabilities, and drones and vampires aren't common terms for malware.
  59. Randy believes that a system that he is responsible for was infected after a user picked up a USB drive and plugged it in. The user claims that they only opened one file on the drive to see who might own it. What type of malware is most likely involved?
    C. Randy knows that viruses spread through user interaction with files on thumb drives. A worm would spread itself, a Trojan would look like a useful or desirable file, and there is no indication of spyware in the question.
Author: andres666
ID: 366153