Chapter 3 Flashcards

Malicious Code

1
Q

Indicator of Compromise (IoC)

A

A digital clue or artifact, such as unusual network activity or unauthorized system changes, that signals a potential security breach or malicious activity.

2
Q

Endpoint Detection and Response (EDR)

A

Tooling designed to monitor and protect endpoints (such as PCs, phones, and servers) from threats such as malware, ransomware, and other attacks. Its four core capabilities:

-Continuous Monitoring
-Threat Detection
-Response Capabilities
-Investigation Support

3
Q

What are common Indicators of Compromise (IOCs) for ransomware?

A
  1. Unusual File Behavior:
    • Files renamed with strange extensions (e.g., .locky, .crypt, or .encrypted).
    • Inability to open files or sudden appearance of ransom notes.
  2. High Resource Usage:
    • Unexpected spikes in CPU or disk activity due to encryption processes.
  3. Unauthorized Privilege Escalation:
    • Changes to user permissions or accounts with admin-level access created without authorization.
  4. Altered System Configuration:
    • Changes to Group Policy, registry keys, or scheduled tasks enabling persistence or spreading.
  5. Suspicious Network Activity:
    • Outbound traffic to known Command and Control (C2) servers.
    • Sudden data exfiltration to unknown IPs or domains.
  6. Log File Anomalies:
    • Missing or corrupted logs that hide ransomware activity.
  7. Unusual Pop-Ups or Alerts:
    • Messages demanding payment in cryptocurrency to regain file access.
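Added example (not from the original card): the first, second and seventh indicators above, turned into a detector that runs over an endpoint file-event log. The event records, the field names (ts, pid, image, op, path), the ransom-note filenames and the thresholds are all assumptions constructed for this example; a real EDR or Sysmon schema will differ.

```python
"""Flag ransomware-like file activity: a burst of renames to a known ransom
extension by one process, and the creation of a ransom note.

Added example for this flashcard, not code from any product. Event schema,
thresholds and note filenames are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named on the card; a real feed would carry many more.
RANSOM_EXTENSIONS = {".locky", ".crypt", ".encrypted"}
# Hypothetical ransom-note filenames (assumption).
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.html"}
RENAME_THRESHOLD = 5            # this many suspicious renames by one pid ...
WINDOW = timedelta(seconds=30)  # ... inside this sliding window -> alert

# Constructed sample log: pid 4120 encrypts five documents and drops a note;
# pid 900 makes one ordinary .bak rename and must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "pid": 4120, "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "op": "rename", "path": r"C:\Users\a\Documents\q1.xlsx.locky"},
    {"ts": "2024-03-01T10:00:03", "pid": 4120, "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "op": "rename", "path": r"C:\Users\a\Documents\budget.docx.locky"},
    {"ts": "2024-03-01T10:00:04", "pid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "op": "rename", "path": r"C:\Users\a\Documents\notes.txt.bak"},
    {"ts": "2024-03-01T10:00:05", "pid": 4120, "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "op": "rename", "path": r"C:\Users\a\Documents\photo.jpg.locky"},
    {"ts": "2024-03-01T10:00:07", "pid": 4120, "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "op": "rename", "path": r"C:\Users\a\Documents\plan.pptx.locky"},
    {"ts": "2024-03-01T10:00:09", "pid": 4120, "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "op": "rename", "path": r"C:\Users\a\Documents\ledger.csv.locky"},
    {"ts": "2024-03-01T10:00:10", "pid": 4120, "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "op": "create", "path": r"C:\Users\a\Documents\README_TO_DECRYPT.txt"},
]


def _basename_and_ext(path):
    """Return (lower-cased file name, lower-cased final extension) of a Windows path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return name, ext


def detect_ransomware(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return one alert per process that crosses the rename threshold and one
    per ransom-note creation. Events may arrive unsorted; they are ordered by ts."""
    alerts = []
    history = defaultdict(list)   # pid -> timestamps of suspicious renames in window
    already = set()               # pids already alerted for mass_rename
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        name, ext = _basename_and_ext(ev["path"])
        if ev["op"] == "create" and name in RANSOM_NOTE_NAMES:
            alerts.append({"rule": "ransom_note", "pid": ev["pid"],
                           "image": ev["image"], "path": ev["path"]})
        elif ev["op"] == "rename" and ext in RANSOM_EXTENSIONS:
            hist = history[ev["pid"]]
            hist.append(ts)
            while ts - hist[0] > window:        # slide the window forward
                hist.pop(0)
            if len(hist) >= threshold and ev["pid"] not in already:
                already.add(ev["pid"])
                alerts.append({"rule": "mass_rename", "pid": ev["pid"],
                               "image": ev["image"], "count": len(hist),
                               "window_start": hist[0].isoformat()})
    return alerts


def run_sample():
    return detect_ransomware(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sliding window is what separates encryption from normal work: five renames to .locky in eight seconds by one unsigned binary in a Temp folder fires, while the same five renames spread over five minutes do not. In practice the rename rule is paired with the CPU/disk indicator and with the image path, since the process doing the renaming is the thing to kill.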
4
Q

IoC for Trojans

A

-Signatures for the specific malware applications or downloadable files.
-Command and Control system hostnames and IP addresses.
-Folders or files created on target devices.

5
Q

What are common Indicators of Compromise (IOCs) for worms?

A

Unusual Network Activity:
- High network traffic spikes or scanning behavior.
- Outbound traffic to unknown IPs or ports.

Unauthorized Files/Processes:
- Unexpected executables or unknown processes using high resources.

Registry/Configuration Changes:
- Changes to system files or disabling firewalls/security tools.
- Startup program modifications (e.g., Windows registry).

Mass Emails or Communication Attempts:
- Abnormal outgoing emails or multiple delivery failures.

Performance Issues:
- Slow system performance due to resource-heavy worm processes.

Log File Anomalies:
-Warnings/errors in system/network logs.
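Added example (not from the original card): the "scanning behavior" indicator above as detection logic over connection (flow) records. A worm looking for new hosts reaches many distinct destinations on the same port in a short time, which is what the rule counts. The flow schema (ts, src, dst, dport), the addresses and the thresholds are assumptions constructed for this example.

```python
"""Spot worm-like scanning in connection (flow) records: one source reaching
many distinct destinations on the same port inside a short window.

Added example for this flashcard, not code from any product. The flow schema
(ts, src, dst, dport) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISTINCT_DST_THRESHOLD = 20          # distinct destinations on one port ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window -> port sweep


def make_sample_flows():
    """Constructed traffic: 10.0.0.5 sweeps 10.0.1.0/24 on TCP/445 (SMB) one host
    per second; 10.0.0.9 sends the same number of flows but only ever to its DNS
    resolver and one web host, so it must not be flagged."""
    base = datetime(2024, 3, 1, 12, 0, 0)
    flows = []
    for i in range(1, 41):
        flows.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                      "src": "10.0.0.5", "dst": f"10.0.1.{i}", "dport": 445})
    for i in range(1, 41):
        dst, port = ("10.0.0.1", 53) if i % 4 else ("198.51.100.7", 443)
        flows.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                      "src": "10.0.0.9", "dst": dst, "dport": port})
    return flows


def detect_port_sweeps(flows, threshold=DISTINCT_DST_THRESHOLD, window=SCAN_WINDOW):
    """Return one alert per (src, dport) whose distinct-destination count inside a
    sliding window reaches the threshold. Counting distinct hosts, not packets,
    keeps a chatty client talking to one server from looking like a scanner."""
    alerts = []
    recent = defaultdict(list)  # (src, dport) -> [(ts, dst), ...] inside window
    flagged = set()
    for f in sorted(flows, key=lambda f: f["ts"]):
        key = (f["src"], f["dport"])
        ts = datetime.fromisoformat(f["ts"])
        hist = recent[key]
        hist.append((ts, f["dst"]))
        while ts - hist[0][0] > window:
            hist.pop(0)
        distinct = {dst for _, dst in hist}
        if len(distinct) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "port_sweep", "src": f["src"], "dport": f["dport"],
                           "distinct_dst": len(distinct),
                           "first_seen": hist[0][0].isoformat(), "at": f["ts"]})
    return alerts


def run_sample():
    return detect_port_sweeps(make_sample_flows())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keying on (source, destination port) matters: a worm spreading over SMB sweeps one port across many hosts, which is a different shape from a vulnerability scanner hitting many ports on one host, and from a busy workstation that talks to the same two servers all day. Tune the window and threshold to the subnet size; the values here are only illustrative.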

6
Q

IoC of Spyware

A
  • Remote-access and remote-control indicators.
  • Known software file fingerprints (hashes and signatures).
  • Malicious processes, often disguised as system processes.
  • Injection attacks against browsers.

To classify a tool as spyware, you must understand its use and motivation (covert collection of a user's activity or data) rather than just its behavior, because the same remote-access and monitoring techniques appear in legitimate administration and monitoring software.

7
Q

What are common Indicators of Compromise (IOCs) for keyloggers?

A
  1. Unusual Software Behavior:
    • Unexpected or unrecognized applications running in the background.
    • Increased CPU or memory usage from unknown processes.
  2. Unauthorized Files:
    • Presence of suspicious files with extensions like .dll, .exe, or .dat.
    • Hidden files in system directories.
  3. Altered System Logs:
    • Missing or manipulated log entries to cover keylogger activity.
  4. Unexpected Network Activity:
    • Outbound traffic to unfamiliar IP addresses (data exfiltration).
    • Unusual attempts to connect to remote servers.
  5. Changes to System Settings:
    • Modifications to registry keys or startup configurations enabling persistence.
  6. Behavioral Clues:
    • Lag or delays when typing due to keystroke processing.
    • Sudden pop-ups or errors indicating interference with normal keyboard operations.
8
Q

Remote Access Trojan (RAT)

A

Malware that gives attackers remote, interactive control of a compromised system.

-EDR tools or antimalware are used to detect RAT-like behavior.

9
Q

Bots

A

In its malicious form, a bot is a compromised computer that is being controlled remotely by an attacker.

10
Q

Botnets

A

A group of compromised systems (bots) under central command and control.

11
Q

Logic Bombs

A

Functions or code placed inside another program that activate only when a set condition is met, such as a particular date or time, or a counter reaching a value.

Detection: code analysis and code review of the application's own logic, since a dormant logic bomb produces few runtime IoCs before it fires.
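Added example (not from the original card): one concrete form of the code analysis this card calls for. The scanner below walks a Python module's syntax tree and reports every if statement whose condition reads the clock or calendar and whose branch makes a destructive call. The two source snippets it scans, the trigger-name list and the destructive-call list are all constructed for this example; it covers only date/time triggers, and a real review must also look for counters, missing-account checks and other dormant conditions.

```python
"""Static check for a time-triggered logic bomb: an `if` whose condition reads
the clock or calendar and whose body makes a destructive call.

Added example for this flashcard, not code from any product; the two source
snippets it scans are constructed.
"""
import ast

# Names that suggest the condition depends on the clock or calendar (assumption).
TIME_NAMES = {"datetime", "date", "time", "now", "today", "timestamp", "strftime"}
# Calls that delete, overwrite or execute (assumption; extend per code base).
DESTRUCTIVE_CALLS = {"remove", "unlink", "rmtree", "rmdir", "truncate",
                     "system", "call", "run", "Popen"}

SUSPECT_SOURCE = """import datetime, shutil

def nightly_cleanup(tmp_dir):
    shutil.rmtree(tmp_dir)          # destructive, but unconditional: routine

def post_payroll(records):
    if datetime.date.today() > datetime.date(2025, 6, 30):
        shutil.rmtree("/srv/payroll")   # destructive AND date-gated
    return records
"""

BENIGN_SOURCE = """import datetime, logging

def check_license(expiry):
    if datetime.date.today() > expiry:
        logging.warning("license expired")   # date-gated, but not destructive
"""


def _referenced_names(node):
    """Plain names and attribute names used anywhere under `node`."""
    out = set()
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            out.add(n.id)
        elif isinstance(n, ast.Attribute):
            out.add(n.attr)
    return out


def _called_names(stmts):
    """Function names called anywhere in a list of statements."""
    out = set()
    for stmt in stmts:
        for n in ast.walk(stmt):
            if isinstance(n, ast.Call):
                func = n.func
                out.add(func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", ""))
    return out


def find_time_triggered_actions(source, filename="<source>"):
    """Return a finding for every `if` whose test mentions a TIME_NAME and whose
    `if` or `else` branch calls a DESTRUCTIVE_CALL."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.If):
            continue
        triggers = _referenced_names(node.test) & TIME_NAMES
        if not triggers:
            continue
        actions = _called_names(node.body + node.orelse) & DESTRUCTIVE_CALLS
        if actions:
            findings.append({"file": filename, "line": node.lineno,
                             "trigger": sorted(triggers), "actions": sorted(actions)})
    return findings


def run_sample():
    return (find_time_triggered_actions(SUSPECT_SOURCE, "payroll.py")
            + find_time_triggered_actions(BENIGN_SOURCE, "license.py"))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The point of the example is the combination: an unconditional rmtree is routine maintenance and a date check that only logs is a license warning, but a destructive call that is gated on the calendar is exactly the shape a reviewer must read by hand. The scanner narrows the review; it does not replace it.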

12
Q

Rootkits

A

Malware designed to hide its own presence and give attackers persistent, privileged backdoor access to a system.

IoCs: file hashes and signatures; command-and-control domains, IP addresses, and systems. Behavior-based identification: creation of services, configuration changes, file access, and command invocation; opening ports or creating reverse proxy tunnels.
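Added example (not from the original cards) covering the signature-style IoCs shared by this card and the Trojan card above: file hashes, C2 hostnames and IP ranges, and files dropped at known paths, matched against a host's file inventory, DNS log and connection log. Every indicator and artefact below is constructed; the "known bad" hash is derived in-module from a constructed byte string standing in for a real sample, and the domain, network and path are hypothetical.

```python
"""Match host and network artefacts against an indicator list: file hashes,
C2 hostnames/IPs, and dropped file paths.

Added example for these flashcards, not code from any product or threat feed.
Every indicator and artefact is constructed.
"""
import hashlib
import ipaddress

# ---- constructed indicator list ---------------------------------------------
_KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-sample-not-real-malware"
IOC_SHA256 = {hashlib.sha256(_KNOWN_BAD_SAMPLE).hexdigest()}
IOC_DOMAINS = {"update-check.example.net"}                 # hypothetical C2 host
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # hypothetical C2 range
IOC_PATHS = {r"c:\programdata\svchost32\svc.dll"}          # hypothetical drop path

# ---- constructed host and network inventory ----------------------------------
FILES = [  # (path, contents) as an EDR file inventory would expose them
    (r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00benign-placeholder"),
    (r"C:\ProgramData\svchost32\svc.dll", _KNOWN_BAD_SAMPLE),
    (r"C:\Users\a\Downloads\invoice.pdf.exe", _KNOWN_BAD_SAMPLE),   # renamed copy
]
DNS_LOG = [  # (client, queried name)
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "UPDATE-CHECK.example.net."),   # case and trailing dot vary in logs
]
CONNECTIONS = [  # (client, remote ip, remote port)
    ("10.0.0.7", "93.184.216.34", 443),
    ("10.0.0.7", "203.0.113.45", 8443),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def normalize_domain(name):
    return name.rstrip(".").lower()


def match_files(files):
    """Hash hits catch a renamed copy; path hits catch a repacked one with a new hash."""
    hits = []
    for path, data in files:
        digest = sha256_hex(data)
        if digest in IOC_SHA256:
            hits.append({"ioc": "hash", "path": path, "sha256": digest})
        if path.lower() in IOC_PATHS:
            hits.append({"ioc": "path", "path": path})
    return hits


def match_dns(dns_log):
    return [{"ioc": "c2_domain", "client": c, "name": normalize_domain(q)}
            for c, q in dns_log if normalize_domain(q) in IOC_DOMAINS]


def match_connections(conns):
    hits = []
    for client, ip, port in conns:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in IOC_NETWORKS):
            hits.append({"ioc": "c2_ip", "client": client, "remote": ip, "port": port})
    return hits


def run_sample():
    return match_files(FILES) + match_dns(DNS_LOG) + match_connections(CONNECTIONS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Two details worth noticing: the renamed copy in Downloads still matches on hash, and a repacked sample with a fresh hash would still match on its drop path, which is why the cards list both. Normalizing the DNS name (case, trailing dot) and matching IPs against a network rather than a single address are the small steps that stop an indicator feed from silently missing hits.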
