Exam Prep

Question 1

CeWL

Answer 1

website data collector can harvest emails
Web crawl and worklist generation using CeWL = collects web pages and common docs
cewl.rb -m 8 -w file.xtx —meta_file meat.txt -e –email_file email.tst domain.com

Question 2

Nikto

Answer 2

Nikto is a cmd vulnerability scanner

Question 3

Wappalyzer

Answer 3

Wappalyzer is a website profiler to determine how a site is built

Question 4

ZAP

Answer 4

ZAP is a web app security scanner

Question 5

Merterpreter payload

Answer 5

Merterpreter payload injects into a running process, can load new modules into memory of the process to change its functionality, communication to the host is encrypted. Does not interact with hard drive by default and does not require an executable.

Question 6

Redirecting Cookie?

Answer 6

Redirecting cookie leads to session hijacking

Question 7

Vloatility

Answer 7

Vloatility netscan looks in memory for listening sockets
svscan is Volatility plugin

Question 8

Name res order

Answer 8

DNS, then LLMNR, then NBT-NS (Netbois)

Question 9

BeEf

Answer 9

Browser exploit = BeEf
BeEF hook.js can simulate a fake browser update

Question 10

Msfvenom

Answer 10

Msfvenom is part of metasploit to create malicious files

Question 11

RITA

Answer 11

RITA identifies C2 attacks using network anomalies

Question 12

Responder.py

Answer 12

Responder.py is a script to capture creds using SMB

Question 13

4732

Answer 13

4732 = account added to local group

Question 14

4688

Answer 14

4688 = start of a new process

Question 15

4634

Answer 15

4634 = log off

Question 16

4768

Answer 16

4768 = kerb token request

Question 17

Subfinder

Answer 17

Subfinder = passive sub domain finder

Question 18

Harvester

Answer 18

The harvester is similar to Subfinder (sub dom finder), broader scope, and can be active/passive

Question 19

Can PSID and PID be the same?

Answer 19

PSID and PID should not be the same

Question 20

Netcat port scan command

Answer 20

nc -v -w3 -z is a port scan

Question 21

netstat o

Answer 21

netstat o shows the process ID

Question 22

Password Stuffing

Answer 22

password stuffing starts with password leaks

Question 23

Describe a SID

Answer 23

The SID has:
A revision level, 1
An identifier authority, 5 (NT Authority)
A domain identifier, 21-1004336348-1177238915-682003330
A relative identifier, 500
S-1-5-21-1004336348-1177238915-682003330-500

Question 24

AWS Bucket Tools (3)

Answer 24

GCPbucketBrute does not have the ability to list or download the contents of public Google Compute buckets. Gsutil is a Python application used to perform a wide range of bucket and object management tasks including uploading and downloading content. Bucket_finder enumerates AWS S3 buckets and ntdsutil is used to extract the ntds.dit and system registry hives from a Window domain controller.

Question 25

skew

Answer 25

skew = interval

Question 26

Why identify empty LanMan Hash?

Answer 26

Running Hashcat is a process that can take several hours or several days, depending on the resources of the system being used. If the LANMAN password hashes contain the string aad3b435b51404eeaad3b435b51404ee, they are empty. There is no need to run Hashcat against the LANMAN hash type.

Question 27

SQL injection

Answer 27

SQL injection attackers start by adding string quotation characters to the user data to see how the system reacts when the data is submitted (i.e., ‘,”, and`).

Question 28

Enumerating blobs - 2 things needed

Answer 28

Enumerating blobs = Account and Container names

Question 29

nmap -A

Answer 29

Nmap has a powerful option called -A. This option enables OS detection, version detection, script scanning, and traceroute. It gives you far more information than a simple syn or TCP connect scan.

Question 30

netstat vs sc vs net view

Answer 30

Netstat -nap will show local ports, PID, and program name on a Linux/Unix host. Sc query will list local services on a Windows host. Net view will get a list of shares from a Windows host.

Question 31

RITA score 1 vs. near 1

Answer 31

Some C2 backdoors have a very strong heartbeat. This is where a backdoor will constantly reconnect to get commands from an attacker at a specific interval. The interval consistency of the heartbeat is the RITA Score, where a value of 1 is a perfect timing repetition for connections between the victim and the server for the duration of the capture period. RITA uses the characteristic of beaconing to identify threats in several ways. One reliable detection mechanism is the presence of a Score value near or at 1. In this case the source IP 10.20.234.50 is likely the victim of an attack and running a C2 backdoor with intermittent (not continuous) beaconing.

Question 32

PICERL

Answer 32

PICERL Preparation, Identification, Containment, Eradication (undoing), Recovery (resumption), and Lessons Learned

Question 33

Dynamic Approach to Incident Response (DAIR)

Answer 33

Dynamic Approach to Incident Response (DAIR) Preparation, Detection and Verification-Triage (waypoints) leads to a loop of scoping, containment, eradication, recovery, and remediation before incident wrap-up. Red Wheel. Waypoints, outcomes, and activities

Question 34

DFIR

Answer 34

DFIR - Digital Forensics and Incident Response

Question 35

Detection

Answer 35

Detection = First decision is always verification, mentions DFIR - Digital Forensics and Incident Response, possible response when looking at logs is inconclusive.

Question 36

Containment

Answer 36

Containment = spot attack, requires proper scoping, isolation, patching, etc. Short-term fix

Question 37

Eradication, Recovery, Remediation

Answer 37

Eradication (undoing) = restoring from backup, assessment
Recovery (resume ops)
Remediation = root cause, monitor, fixing the cause (long term)

Question 38

PS command to get process starting with power

Answer 38

get-process ‘power*’ | select-object *

Question 39

get-CimInstance

Answer 39

get-CimInstance - Class Win32_Process //Provides more info like parent process and execution command

Question 40

EncodedCommand

Answer 40

Watch for processes started using -EncodedCommand = CyberChef can be used for decoding

Question 41

Types of encoding

Answer 41

Common encoding are base64, URL encoding, UTF-8, UTF 16 little and big endian

Question 42

PS for listening TCP ports

Answer 42

get-NetTCPConnection -State Listen
Local address “::” means listening on all interfaces configured with IPv6 (or 0.0.0.0 for IPV4)
127.0.0.1 is loopback meaning local-only
Look fop notepad or other local service with outbound (anything other than listening) on port 80 for exam

Question 43

PS to find services

Answer 43

get-service (or get-CimInstance - Class Win32_Process) //find services

Question 44

PS for registry

Answer 44

get-childItem ‘reg key path’ or get-itemProperty ‘reg key path’

Question 45

PS for local users & groups

Answer 45

get-LocalUser or Get-LocalGroup or get-LocalGroupMember Administrators

Question 46

PS for scheduled tasks

Answer 46

get-ScheduledTask and export-SchedueldTask and get-scheduledTaskInfo

Question 47

ps for Windws events

Answer 47

get-WinEvent -LogName System | where-object -Propeerty Id -EQ 7045

Question 48

Sysinternal tools

Answer 48

Sysinternals = processExplorer, autoruns, sysmon, procMon, TCPview, and procDump

Question 49

TCPDump

Answer 49

TCPDump for packet capture or WinDump on Windows
tcpdump -i interface
tcpdump -i interface -w file
tcpdump -r file -n //Don’t resolve host, can be -nnr
tcpdump -r file -n -A //Don’t resolve host and show human readable ASCII

Question 50

BFP

Answer 50

Berkely Packet Filters (BFP) for tcpdump = primitives and operators

Question 51

Web Proxy tools

Answer 51

Squid, Blue Coat, Forefront TMG

Question 52

Dumping memory passwords

Answer 52

First collect memory with WinPmem run as admin
Then analyze with Volatility (python framework) with platform.class.PluginName
vol -q -f win10.0.22000.556.raw windows.pslist.PsList

Question 53

List processes using vol

Answer 53

PsList = lists processes
PsTree = shows parent tree

Question 54

List network connections

Answer 54

NetScan = network connections

Question 55

CMdLine

Answer 55

CMdLine = process command line

Question 56

2 online malware analysis tools

Answer 56

Virus Total and Hybrid Analysis

Question 57

Compare registry settings

Answer 57

RegShot - compares registry

Question 58

Core Analysis

Answer 58

Core analysis: IDA Pro and optional Hes-Rays decoder, Ghidra by NSA, FOR610, SEC660, SEC760

Question 59

ATT&CK

Answer 59

ATT&CK Adversarial Tactics, Techniques, and Common Knowledge

Question 60

Web search as a discovery tool, Web-based recon

Answer 60

Search engine results, using site: modifier

Question 61

DNS interrogation tools

Answer 61

DNS interrogation with Dig or NSlookup

Question 62

Using dig

Answer 62

dig ANY domain.com
dig @nsztml.digi.ninja AXFR domain.com //DNS zone transfer

Question 63

Brute force AXFR

Answer 63

Brute force AXFR using nmap with dns-brute script

Question 64

Using Certificate transparency

Answer 64

Certificate transparency for example crt.sh/?q=domain.com

Question 65

SubFinder

Answer 65

Project discovery Subfinder from https://projectdiscovery.io cn run subdom enumeration
subfinder -d domain.com

Question 66

ExifTool

Answer 66

Perl script to extract Windows file metadata, example exiftool file.pdf

Question 67

PowerShell can learn about an Azure hosted domain

Answer 67

AADInternals

Question 68

Recon As Outsider

Answer 68

Invoke-AADIntReconAsOutsider -Domain domain.com | Format-Table

Question 69

DeHashed

Answer 69

DeHashed provides plaintext passwords and PI Ias a service (deper form of HIBP)

Question 70

Showdan

Answer 70

Showdan is an advanced domain search, indexing service banners

Question 71

robots.txt

Answer 71

Disallow search using robots.txt //examples below are pages not indexed //Use high level directories rather than sensitive names
Disallow: /registration
Disallow: /admin.php
Disallow: /app

Question 72

nmap

Answer 72

NMAP is used to discover the network topology (network mapping and port scanning), run as root for best results

Question 73

Sweeping using nmap

Answer 73

Sweeping looks for active hosts using ICMP echo request to an IP range (log the replies)
Nmap sweeps before port scanning by default, skip using -Pn
Sends TCP SYNC to 443 and TPC ACK to 80 (must be root to ACK to 80)
sudo nmap -sn 192.168.1.1-254 //-sn only does discovery. no port scan

Question 74

TCP and UDP port range

Answer 74

TCP and UDP have ports 65,536 each greater than 0

Question 75

SYN ACK vs. RST ACK

Answer 75

SYN ACK = OPEN and RST ACK = CLOSED
Reports open, closed, or filtered (no response)

Question 76

nmap switches

Answer 76

-sS = Conventional TCP and -sU = UDP
-sV = Version scan
-oA to specify target host
Nmap SNE (Scripting Engine) Scripts =
-sC = Use default scripts
–script sctiptName (or All) //accepts wildcards

Question 77

Find service providers

Answer 77

Use builtwith.com to summarize service providers
Cloud providers publish IP ranges

Question 78

Masscan

Answer 78

Masscan is fire-and forget, better for massive IP ranges
masscan 192.168.1.1/24 -p 22,25,80,443,3389

Question 79

TLS-Scan

Answer 79

Identify TLS servers on TCP 443 and try to request certificates for recon using OpenSSL (one at a time) or TLS-Scan
TLS-Scan (Linux) rolls through a list of IPs listening to 443 (TLS Servers) to gather info from certs

Question 80

EyeWitness

Answer 80

EyeWitness takes website screenshots, run using python
python3 /opt/eyewitness/EyeWitness.py –web -f urllist.txt –prepend-https

Question 81

SMB

Answer 81

SMB can be scanned and appears as normal TCP 445 traffic
SMBV1 started with XP, SMBV3 with Win8 and SMB3.3.3 with Win10/Win2016
Didn’t support encryption until SMB3 with lates including pre-auth verification
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Block SMB over 445 and TCP/UDP 135 and 139 on firewalls

Question 82

Query SMB shares (3)

Answer 82

get-cminstance -class win32_share -ComputerName hostorIP
net.exe view \192.168.1.1 /all //can work on non-windows
SMBeagle can be used to search through SMB shares.

Question 83

SMBeagle

Answer 83

SMBeagle can be used to search through SMB shares.
smbeagle -c results.csv -n 192.168.1.0/24 -uksmith p pass123 -q
SMB also has many CVEs if SMB is not patched.
No backoff delay for password guessing

Question 84

Copernic Desktop Search

Answer 84

Copernic Desktop Search also indexes SMB files and does keywork search and OCR

Question 85

Samba

Answer 85

Samba smbclient for File Share Access lest you access and browse shares from CMD is you have credentials, even download and upload files
Samba rpcclient (Linux) has over 100 commands over authenticated SMB

Question 86

Enumerate SMB session

Answer 86

Identify sessions using get-SmbSession and close-SmbSession
The net.exe command is also available like net view, net share, net session, net use

Question 87

Hayabusa

Answer 87

Hayabusa applies sigma to Windows event logs, Velociraptor

Question 87

Sigma

Answer 87

Sigma - related to snort, SIEM, Yara, YAML

Question 88

THC Hydra

Answer 88

THC Hydra is an online password guessing tool
hydra -L users -P passwords ssh://3.231.163.70

Question 89

Password spray

Answer 89

Password spray is a small number of passwords against a large number of accounts

Question 90

PACK

Answer 90

PACK = Password Analysis and Cracking Kit

Question 91

Credential Stuffing

Answer 91

Credential Stuffing = using leaked passwords to attempt success or improved guessing

Question 92

MSOLSPray & FireProx

Answer 92

MSOLSPray is a PowerShell module/command that uses AADSTS response codes for informed password spray
Using AWS API Gateway and AAD Smart Lockout for distribution and anonymity
FireProx is a python tool for creating AWS API Gateway instances can be used to automate a platform for MOLSpray

Question 93

MSASweep

Answer 93

Using valid account to find MFA and CA gaps using MSASweep

Question 94

get-MsolUSer

Answer 94

get-MsolUSer is PowerShell to inspect individual M365 user license settings for verification

Question 95

Lanman & NT Hash

Answer 95

LANMAN = no larger that 7 bytes, split, all caps padded to 14 bytes, based on DES
NT Hash keeps case, can use long passwords, but has no salt, based on MD4, meaning same password = same hash

Question 96

NTDSUTIL

Answer 96

NTDSUTIL can be used to get NTDS.dit and SYSTEM registry hive (used for encryption of the file)
They gather both, use activate instance ntdsutil command followed by ifm to create a backup that can be exfilled.
Then a script like secretsdump.py can be used to extract the hashes (decrypt)

Question 97

Obtain hashes from Windows client

Answer 97

To obtain hashes from Windows client OS:
1. Use Meterpreter hashdump command against lsass.exe (FROM MEMORY), runs as lsass by running ps -S lsass.exeto get the PD and then migrate into the PID (impersonate)
2. is Mimikatz

Question 98

Break down Windows hash

Answer 98

Windows hashes show as username:userid:LANMAN:NTHASH
Empty hashes are useless and are identifiable, possibly a collection issue or disabled account
Example: tom:1002:aad3b435b…..:31d6cfe0d……
Keys being aad_b___b and d_cfe_d

Question 99

Identify Linux hash type

Answer 99

Early Linux is DES with no salt (/etc/password), now stronger like MD5 (/etc/shadow/)
Look for 2nd colon delimited field in shadow
No $ is DES, $1 is MD5, $2 Blowfish, $5 SHA256, and $6 SHA512

Question 100

Hash Rounding

Answer 100

Hash Rounding = increased complexity. MD5 uses 1000, SHA uses 5000

Question 101

Avoid GPU cracking

Answer 101

Password Based Key Derivation Function (PBKDF2) to avoid GPU-based password cracking
Also Scrypt, Argon2, Yescrypt

Question 102

Password Cracking

Answer 102

Password Cracking = offline decryption (brute force guessing)
Hashcat is main cracking tool

Question 103

Hashcat

Answer 103

Hashcat is main cracking tool
-a 0 = wordlist (default)
-a 1 = wordlist with append
-a 3 = pattern
-a 6 = worklist with mask
-a 7 = prepend mask
Specify -m to define the hash typr or it will try to atuo detect
Test the hash type without cracking using –identify
hashcat -m 1000 -1 0 hashes.txt words.txt
Mask uses ?<filter> like ?l for lower case, ?u for upper, ?d for number, and ?s for special
Hashcat passwords are sent t the potfile haschcat.potfile
You can display cracked with --show, uncreacjed with --left, and user info with --user
Hashcat can also use word permutation rules (-r best64.rule)</filter>

Question 104

PAM

Answer 104

UNIX has PLuggable Authentication Modules (PAM) for password complexity

Question 105

Cloud storage URLs

Answer 105

Insecure Cloud Storage
https://s3.amazonaws.com/bucketname
https://www.googleapis.co,/storage/v1/b/bucketname
https://accountname.blob.core.windows.net/Containername

Question 106

Bucket Finder

Answer 106

Bucket Finder that looks for open AWS buckets

Question 107

CGPBucketBrute

Answer 107

CGPBucketBrute for Google is python = to download from a google bucket use gsutil from Google

Question 108

Basic Blob Finder

Answer 108

Basic Blob Finder is also python for Azure blobs

Question 109

Netcat

Answer 109

Netcat reads and writes data across networks (has variants)
Client mode starts a connection to a specific port, send input to network and response to output
Messages are sent to standard error stderr
Listen mode waits for a connection on a specific port (option -l)
Listener to client;
listener: nc -1 -p port < filename
client: nc listenerIP port > filename
Push file from client to listener
listener: nc -1 -p port > filename
client: nc listenerIP port < filename
WATCH the <> closely

Question 110

Netcat port scanning:

Answer 110

nc -v -w3 -z targetIP start-endPort
Netcat backdoor shell examples (-e is execute):
nc -l -p port -e cmd.exe
nc -l -p port -e /bin/sh
For listening, -l is listedn once and -L on windows will restart

Question 111

Netcat relay

Answer 111

Netcat relay used to hop systems, requires named pipe on pivot system (mkfifo pipname on Linux)

Question 112

Metasploit Framework, modules, and interfaces

Answer 112

Metasploit Framework - collection of tools, runs on Linux, select exploit and payload to run on target
Four modules types: exploits. payloads, aux modules, and post exploit modules
Interfaces are console, command, web, and GUI (Armitage)
Search is an important command

Question 113

Merterpreter

Answer 113

Merterpreter is a general=purpose Metasploit payload for gaining access

Question 114

Protect Linux

Answer 114

Use SeLinux or AppArmor to protect Linux, patch, use EDR, filter outbound traffic, hunt for long URLs

Question 115

Drive-by vs. Watering Hole

Answer 115

Drive-by or client-side is attacking normal web browsing, called watering hole if targeted
Watering hole may involve Windows files with marcos or fake installers

Question 116

MsfVenom

Answer 116

Metasploit also has MsfVenom that convers any payload into a standalone file (related to templating)
MsVenom -X can embed payload into legitimate executable

Question 117

Msfconsole

Answer 117

Msfconsole is used to prepare a reverse TCP connection (listener)

Question 118

Browser Exploitation Framework (BeEf)

Answer 118

Browser Exploitation Framework (BeEf) used for browser exploits, XSS attacks, and social engineering like fake flash update
BeEf runs as sudo on Linux, collection of browser attack tools

Question 119

Command Injection

Answer 119

Command Injection = web app sends user input to a command shell and attacker can try to appends a 2nd command using ; on Linux or & on Windows. Can arrive sa HPPT Get or Post. Any system that accepts user input. Attack against a server.
Might involve -h, ; , & , echo, or ‘injected’, manipulating value following id= as example, or a command like ping

Question 120

Cross-Site Scripting XSS

Answer 120

Cross-Site Scripting XSS is an attack against users, attacks vulnerability in server input or output, changing what is displayed to the user, could tell the client browser to run code or redirect the cookie location, often JavaScript or HTML

Question 121

Stored vs. Reflected XSS

Answer 121

Stored XSS Attack = uploads or stores malicious code on server, drive-by (opportunistic)
Reflected XSS Attack = uses vulnerability in URL of a page (GET-based), sends URL to victim

Question 122

Identify XSS vulnerability

Answer 122

XSS demonstrated as page running

alert('XSS');

Test for XSS vulnerability by fuzzing input like <hr> tag or ‘’;!–“<xss>=&{()} will return alert('XSS') if bad or something close to the input text if safe</xss>

Question 123

Prevent XSS

Answer 123

Encode meta character output using (& or &) and limit cookie with HTTPOnly tag
Servers set Content Security Policy (CSP) header

Question 124

SQL Injection

Answer 124

SQL Injection exploits input validation to set or retrieve unintended info from DB
Test using ‘ “ ` % %% – /* //) ; for example blake’ OR ‘a’=’a
Tautology is always true condition retunes all records like a=a
Tripping an error code can also reveal info about the server or files.
UNION followed by a new Select is commonly used once vulnerability is verified

Question 125

SQL Injection tools

Answer 125

Automated options include a python script called sqlmap, Burp Suite Pro, Acunetix Web Vulnerability Scanner
Testing can be risky, could delete data, backup before

Question 126

sqlmap

Answer 126

1. Always us a valid, non-error-generating URL
2. Always put the URL in quotes
   Possible EXAM question:
   sqlmap -u https://msn.com //invalid without quotes
   Also followed by –dbs = enumerate databases and -D dbName –tables to list tables followed by –colums or –dump (display)

Question 127

Cloud DB vulnerable to SQL attack

Answer 127

Cloud database remain vulnerable to SQL injection attacks, does not escape, no Object Relational Mapping (ORM) system

Question 128

SSFR

Answer 128

Server-Side Request Forgery (SSRF) allows attacker to change what is requests from a server to disclose Instance Metadata (IMDS), protected files on the host, URL calls file location, change the file to local path like file:////etc/shadow
Can be evaluated using curl
Access IMDS using virtual server address = curl http://169.254.169.10/latest/user-data
AWS IMDSv1 has a known SSRF vuln used for credential extraction
Some like Azure mitigate using special header requirement

Question 129

Endpoint Security Bypass

Answer 129

Endpoint Security Bypass = evading signature detection, encoding, using permitted tools

Question 130

DefenderCheck

Answer 130

DefenderCheck splits file into pieces until it cannot be detected (high/low strategy)

Question 131

Code wrapping

Answer 131

Code wrapping to build legitimate code around malware, possibly using IronPython, often layering among multiple languages

Question 132

LOTL Example using sysinternals

Answer 132

Example provided was using sysinternals procdump to get LSASS dump to use with Mimikatz on another system
.\procdump.exe -accepteula -ma lsass.exe lsass dump

Question 133

Bypass AppLocker

Answer 133

Applocker can be bypassed by unusual execution method like InstallUtil /U shellcode.exe (.Net Install Utility)

Question 134

On Linux search for SETUID files

Answer 134

On Linux search for SETUID files= find / -perm -4000 -uid 0

Question 135

Pivoting

Answer 135

Pivoting, often setting up a proxy on one system to reach another
Merterpreter has portfwd and route that can establish a proxy
Merterpreter doesn’t have port scanner but can use apr_scanner or Metasploit has nmap, db_nmap, and auxiliary scanner modules.
Identify the next hop systems and port scan.
Lateral movement is exploiting targets through pivots

Question 136

Linux port forwarding

Answer 136

On Linux this could be SSH port forwarding using SSH -L port1:IP:port2
Linux can also use netcat named pipes discussed earlier

Question 137

Windows pivoting

Answer 137

Windows can use netsh interface portproxy but requires admin

Question 138

Hijacking

Answer 138

Hijacking attacks (impersonation), exploiting weak protocols, like local MTM, broadcasting service requests and injecting responses

Question 139

Responder

Answer 139

Responder is a python script to exploit (Hijacking) LLMNR, can be used to get NTLMv2 auth hash from network response

Question 140

After pivoting comes…

Answer 140

Next is persistence to regain access, avoid detection, preserve privileges, and reestablish access at will

Question 141

Prevent Hijacking

Answer 141

Disable; LLMNR and NBT-NS, disable mDNS, and SMB lower than 3.1.1

Question 142

Persistence method

Answer 142

One options is to create a new user account
merterpreter> execute -f ‘net user /add accessmgmt password123”
merterpreter> execute -f ‘net localgroup administators /add accessmgmt”
Metasploit and others offer various persistence options like a persistent service
WIM can subscribe to events
Also discusses golden ticket attack
Web shells could provide persistence, mod to web page or file

Question 143

Persist with event subscriptions

Answer 143

WIM can subscribe to events and execute code like scheduled tasks using mofcomp.exe and can listen on a port for a specific IP as an event trigger. Merterpreter watched for Sec logon failed event 4625 by default.

Question 144

Cloud persistence

Answer 144

Cloud persistence could be new resources like VM function, container, new access keys, cloud accounts

Question 145

Identify autoruns

Answer 145

Look for autoruns, events 4624, 4634, 4672, 4732, 4648, 4688, 4697, registry startup, use get-ciminstance to detect event subscribers

Question 146

RITA

Answer 146

Real Intelligence Threat Analytics (RITA) uses statistical data over time for hunting, used for offline assessment, ingests Zeek logs
Look for long connection durations, consistent packet size, interval, jitter, etc.