Chapter 7: Host-Based Attacks

You are building a PowerShell script that includes creating a file, writing content into the file, and then display the file contents on the screen. Which of the following PowerShell cmdlets will you need to use to perform these tasks?

- Add-Content - New-Item - Get-Content

Which of the following are the general types of persistence IoCs? (Select two.)

- An unauthorized scheduled task - Change or anomaly in the registry

The problem with identifying beaconing intrusion by an attacker is that many legitimate applications also perform beaconing. Which of the following are legitimate applications that perform beaconing? (Select three.)

- Cluster services - NTP servers - Automatic update systems

Hosts in a C&C network are difficult to pin down because they frequently change DNS names and IP addresses. Which of the following techniques is commonly used to make these frequent changes? (Select two.)

- Domain generation algorithms (DGAs) - Fast flux DNS

A security analyst is investigating a spear-phishing attack targeting their organization. They need to identify the key techniques the attacker used to deceive the victims into taking action. Which of the following techniques is MOST likely associated with this attack? (Select two.)

- Impersonation - Embedded links

Which of the following are common indicators that an attacker has gained access to make unauthorized changes to the system? (Select two.)

- Installing new programs - Opening new network ports

The following are several common Linux commands with a brief description on the right. Drag a command on the left to its appropriate description on the right.

- Retrieves content from an HTTP server: wget - Displays the contents of a directory: ls - Displays the content of a file: cat - Copies a file or directory: cp - Creates an empty file: touch

Which of the following can be implemented to help automate monitoring for privilege escalation changes? (Select two.)

- SOAR - SIEM

A cybersecurity specialist is checking a link to a news article within a colleague's email. The email appears to be genuine, but the link is deliberately obscured. The specialist suspects that the link may be part of a social engineering attack that aims to exploit the organization's security vulnerabilities. What is the role of obfuscated links in social engineering attacks and their impact on IT security operations? (Select three.)

- Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. - Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. - Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks.

Which of the following are the MOST likely indicators that a foundational Windows process file has been the target of an attack and is infected? (Select two.)

- The process file is running in a location other than the System32 folder. - There are multiple versions of the process file.

File system and registry changes can indicate or suggest a security breach, or attack has occurred. An attacker may change critical system configuration stored in system files or registry keys to change or disable essential security settings or store malware and scripts. Which of the following are signs that might indicate a security breach or attack on a file system? (Select two.)

- The removal of temp files or deleting log entries. - The creation of new files or folders in unexpected locations or with unusual names.

Which of the following indicate that the email highlighted below may be suspicious? (Select two.)

- There are several spelling mistakes in the email. - The link in the email is to an IP address; it is not to Microsoft's website.

Malware and attackers will typically use one location to stage data for exfiltration (data theft) on a device. These areas are typically compressed and encrypted, so they are easy to move and hard to detect. Which of the following are often used as staging areas on a Windows device? (Select two.)

- User profile folders - Log files

You have just finished creating a game script in nano that allows a user to try and guess a number (fixed variable) that you have provided. The script looks like the following: #!/bin/bashmynum=25 while :doecho "Enter a number or <CTRL+C> to quit"read num1if [ $num1 -gt $mynum ]; thenecho "Your number is bigger"echoelif [ $num1 -lt $mynum ]; thenecho "Your number is smaller"echoelseecho "We picked the same number!"echofidone Based on this script, select the correct answer to the following quest

- Which of the following scripting tools did you use to make sure the user is able to repeat the game without leaving the script and starting it again?: While Loop - What is the command line in the script that sets your number to compare against the numbers provided by the user?: mynum=25

Which of the following BEST describes a beaconing intrusion?

A command issued to a botnet pool to verify that a bot is still alive.

You are monitoring network activity and find that a user appears to be logging into the network and downloading files, even though you know that user is on vacation. Which kind of attack have you MOST likely experienced?

A horizontal privilege escalation attack

A software development company has concerns about the potential risks associated with insecure design in one of its new applications. Which of the following controls should a security expert recommend to mitigate these risks?

Adopting a security development life cycle (SDLC) approach

Mobile device attacks can be devastating to the device and the data stored on it. Which of the following common attacks allows the attacker to steal data or money from the victim?

Agent Smith

A company has a web application that allows users to submit comments on a blog post. The application accepts comments of up to 200 characters and stores them in a fixed-sized temporary memory space without sanitizing input. An attacker takes advantage of this vulnerability by submitting a comment much longer than 200 characters. The attacker's comment contains malicious code designed to overwrite adjacent memory and execute arbitrary commands on the server. What type of attack is this?

Buffer overflow

Which of the following MOST accurately describes the hardening process for a device?

The process of putting an operating system or application in a secure configuration.

What is the overall purpose (during hardening) of limiting a system only to run the protocols and services required for legitimate use and no more?

To minimize the attack surface on a device

ou suspect that an https://www.newcompany.org/merchandise/jackets URL being used by some company employees has been masked to avoid pattern matching or simple visual inspection detection methods. Further investigation reveals that colons and slashes have been replaced with their URL encoded (hexadecimal) equivalents, %3A represents a colon (:) and %2F represents a period (.). You see the following: https%3A%2F%2Fwww.newcompany.org%2Fmerchandise%2Fjackets Which of the following URL obfuscation

URL encoding

While looking at user logs you notice a user has been accessing items they should not have rights to. After speaking to the user, you believe your system may have experienced an attack. Which type of attack has the system MOST likely experienced?

Vertical privilege escalation

Your network has been subject to a variety of network attacks and you are currently monitoring the user logs for suspicious activity, yet further attacks are still occurring. Which additional step could you take to increase network security?

You could regularly scan your system for vulnerabilities.

You suspect an attacker has been securing sensitive files on a Windows host device for exfiltration. You also know that any interaction with the file system by the attacker will leave a trail of metadata that can be followed to determine if an attack or malware infection has occurred. You decide to start by using the Window dir command to find any hidden files or folders the attacker may be storing on the Windows host. Which of the following commands would you use to find these hidden files or folders?

dir /AH

A team of software developers at a large corporation need to exchange data between multiple systems. The data needs to be easily readable and writable by both systems and able to handle complex data structures. Which of the following data interchange formats would be the most appropriate for the software developers to use in this scenario?

eXtensible Markup Language (XML)

You want to display the following text on a command line from a shell script: Watermelons cost $6.99 today only! Which of the following commands would you use to make sure the text is displayed?

echo "Watermelons cost $6.99 today only!"

Which of the following ps commands can you use in a Linux system to display the attributes of all processes running for all users in the system?

ps -e

Which command is used to allow a string to be copied in the code but can be exploited to carry out overflow attacks?

strcpy

Which of the following tools can you use on a Linux host device to determine if any abnormal activity is occurring with the device processor?

top command

You are examining a company executive's laptop after they complained that someone was leaking confidential information to the internet. You type Ctrl+Alt+Shift+K and the following interface pops up. What has happened to the executive's machine?

Someone has installed a keylogger on it.

Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?

Static analysis

File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?

Malware signature

Which of the following beaconing intrusion communication channels allow an attacker to embed control messages inside metadata?

Media files

A security analyst is investigating a server issue where the memory utilization is consistently high. What is MOST likely the cause of the high memory consumption?

Memory leaks

Which of the following are tactics social engineers might use?

Moral obligation, ignorance, and threatening

A user might enter a password and then be prompted to enter a security code that's sent to his or her mobile device. Which of the following is this an example of?

Multi-factor authentication

As a sales representative for your company, you are in an airline lounge waiting for your next flight. To make the best use of your time, you decide to connect to the internet from your tablet to do some additional research about the company you will be contacting. You search for and connect to a Wi-Fi access point with the same name as the access point provided by the airline. However, it does not require a passcode, which the airline has instructed you to use to make the connection. You suspe

Network

You are in the process of hardening several Windows servers in your network that could potentially be attacked. Which of the following attack vectors would you focus on if you disabled an interface card that is no longer used?

Network interfaces

You are in the process of hardening several Windows servers in your network that could potentially be attacked. Which of the following attack vectors would you be focusing on if you are installing self-encrypting drives so that all data at rest is always stored securely?

Persistent storage

What is the MOST important consideration for sandboxing activities when performing malware analysis?

Physical or logical isolation of the sandbox host from the main network

Using a fictitious scenario to persuade someone to perform an action or give information they aren't authorized to share is called which of the following?

Pretexting

A penetration tester is attempting to gain unauthorized access to a company's internal systems. They have identified a vulnerability in a low-privileged user account that the tester can exploit. Which of the following actions should the penetration tester focus on to achieve their objective of compromising sensitive systems within the network?

Privilege escalation

A software development company is building a custom application for a client that will collect and analyze large amounts of data to identify patterns and make predictions. The client has specified that the application must use a programming language with many libraries and tools for machine learning. Which programming language should the software developer use?

Python

Ron, a hacker, wants to gain access to a prestigious law firm he has been watching for a while. He has been going through the law firm's official website and social media. He's also been doing some dumpster diving outside the firm's office. Which phase of the social engineering process is Ron in?

Research phase

A defense contractor discovered that a competitor duplicated some of their products. While the contractor is afraid of losing revenue, the more significant concern is how the competitor was able to duplicate the product. What term describes how this situation occurred?

Reverse engineering

Mary has been receiving text messages that contain links to malicious websites. Which type of attack is Mary a victim of?

SMiShing

A software developer at a technology company needs to store and exchange data between two systems. The data needs to be easily readable and writable by both systems, and it needs to be lightweight and efficient to transmit over the network. Which of the following data interchange formats should the developer use?

JavaScript Object Notation (JSON)

Which of the following is a good way to prevent privilege escalation attacks?

Limit privileges.

You are in the process of hardening several Windows servers in your network that could potentially be attacked. Which of the following attack vectors would you be focusing on if you are establishing a cycle for each device to keep up to date with new security threats and responses for the particular software products being used?

Maintenance

Which of the following mobile security concerns is characterized by malicious code that specifically targets mobile devices?

Malicious websites

You suspect that an attacker has been using beaconing intrusion in your network, and you want to detect that type of activity. Which of the following is a common method for detecting beaconing activity in a network?

Capturing metadata about all the sessions established or attempted and analyzing it for patterns that constitute suspicious activity.

Command and control (C&C) refers to an infrastructure of hosts with which attackers direct, distribute, and control malware. C&C is made possible primarily through which of the following?

Coordinated botnets

You are helping your manager with their computer. You need your manager to enter their username and password into the system. The manager enters the username and password while you are watching him. You explain to your manager that it is not a good idea to allow anyone to watch you type in usernames or passwords. Which type of social engineering attack are you referring to?

Shoulder surfing

Which of the following beaconing intrusion communication channels use commands (messages) that are usually embedded into request or response queries?

Domain Name System (DNS)

As a security analyst for a large financial advisory corporation, you have been monitoring several host devices and have noticed an abnormal increase in processor usage. You believe that an attacker might be using these hosts to gain access to sensitive customer information. What should you do before such attacks occur to help identify and investigate this type of abnormal activity?

Establish a baseline of normal CPU usage for all host devices.

You are monitoring the memory usage of a Windows server in your network and suspect that an attacker may be using the server to gain access to secure information stored on the network. You decide to analyze the server memory content further by creating a memory dump on a removable drive. Which of the following tools can you use to create the memory dump?

FTK Imager

Which of the following malware analysis techniques identifies unique malware programs by generating a hash for that program?

Fingerprinting

Which of the following works together by calling on each other, passing data to each other, and returning values in a program?

Function

Which of the following beaconing intrusion communication channel attacks can be mitigated by intercepting and decrypting traffic at the edge of a network and forwarding only legitimate traffic?

HTTP and HTTPS

Which overflow attacks target the memory area that stores images or files?

Heap

A company has just experienced a ransomware attack resulting from employees' credentials being used by a remote attacker after being compromised by technical means. The incident response team needs to provide recommendations in the incident report for improving the organization's cybersecurity posture. Which of the following recommendations would be the MOST effective?

Implementing multi-factor authentication

A hacker finds a vulnerability in a web server within a target bank. By sending specially crafted input to the HTTP service, the hacker exceeds the program's variable capacity for bank account total and causes the web server to increase the total value of the hacker's bank account. What type of attack is this?

Integer overflow

Which of the following beaconing intrusion communication channels provides an easy method for attackers to send commands to zombie systems?

Internet Relay Chat (IRC)

An attacker has made a sales phone call to a target, and is currently performing an interview, allowing the target to do the talking while the attacker mostly listens. What is the next phase that the attacker will take to find out more information from the target?

Interrogation

Which of the following beaconing intrusion communication channels allow attackers to issue commands through the platforms' messaging capability?

Social media