CCTC Test Prep

gpresult

Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.

regedit.exe

GUI used to edit registry values.

Parent process to explorer.exe

userinit.exe

Bootmgr: reads BCD and calls

winload.exe/winresume.exe or .efi

registry hive

A group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data.

situational awareness

A method of gaining an understanding of the current operating environment on the target machine.

botnet

A network of infected machines under the control of a bot herder.

Potential data at rest issues in Cloud environments.

A potential risk of virtualization.

DS Tools

A set of command line tools that began shipping natively with Windows Server 2003 to manage Group Policy Objects.

MBR (Master Boot Record)

A special type of boot sector at the very beginning of a partitioned computer mass storage device. Consists of 512 bytes holding the information on how the logical partitions, containing file systems, are organized on the medium. Contains executable code to function as a loader for the installed operating system. Usually referred to as the boot loader.

multi-threading

A technique that allows a single set of code to be used by several processors at different stages of execution.

running thread

A thread currently running on a processor.

transition thread

A thread ready for execution, but paging is needed to bring the thread back into main memory.

waiting thread

A thread waiting for an event to take place.

Site

AD object that represents a collection of IP subnets, and usually constituting a physical LAN.

enumeration

Acquiring forensically relevant information of a local machine. Used in the process of baselining.

Schema

Active Directory component that defines the objects that can be created in Active Directory.

host-based security product

Security product that runs on the local machine, OS dependent, version dependent, system firewalls, process monitoring, kernel calls, directory monitoring, application whitelisting, etc.

auditing settings

Settings contained in the System Access Control List of an object.

raw socket

Socket that has access to the underlying transport provider. No protocol, just raw communication, poses a security threat.

datagram socket

Socket that uses UDP.

EFI/UEFI (Extensible/Unified Extensible Firmware Interface)

Software interface between the operating system and platform firmware. Replaces the Basic Input/Output System (BIOS) Firmware.

wininit.exe

Starts Service Control Manager (SCM), Local Security Authority Subsystem (LSASS), Local Session Manager (LSM).

Service Control Manager (SCM)

Starts, stops, and interacts with Windows service processes. Started at system boot, it maintains the database of installed services, enumerates installed services, and allows remote procedure call (RPC) so that service configuration and service control programs can manipulate services on remote machines.

procmon

SysInternals GUI based tool to view, monitor, and filter processes running on a machine.

psgetsid

SysInternals tool that translates SIDs to their display names and vice versa.

psloggedon

SysInternals tool that displays the locally logged on users and users logged on via resources for either the local computer, or a remote one.

accesschk

SysInternals tool to check an access control list (ACL) for a file.

pslist

SysInternals tool to list processes on a local or remote Windows NT/2000 system.

psinfo

SysInternals tool to show basic system info for a local or remote Windows NT/2000 system.

autoruns

SysInternals tool to show what programs are configured to run during system bootup or login.

logonsessions

SysInternals tool to list the currently active logon sessions.

handle

SysInternals utility to display information about open handles for any process in the system. (See which programs have a file open or to see the object types and names of all the handles of a program.)

sigcheck

SysInternals tool that shows file version, timestamp, manifest, and digital signature details.

Kernel Mode

Runs in a single virtual address space, not isolated from other processes. Protected from the user to allow the OS to run.

User Mode

Runs in private virtual address space, applications are isolated, one crash will not cause another process to crash.

batch file (.bat)

Script file extension for Windows Command Line Interface.

wmic environment list brief

Windows Management Instrumentation command-line command to display system environment settings.

wmic nicconfig list full

Windows Management Instrumentation command-line command to view all network adapter management information.

namespace

Windows Management Instrumentation is organized into namespaces (folders that correlate products/technology).

terminated thread

Finished execution of a thread, thread is heading for deallocation.

cmdlet

PowerShell command that follows a "verb-noun" naming pattern; cmdlets are unique to PowerShell.

wf.msc

GUI control panel utility to modify Windows Firewall settings.

Local Security Policy

GUI utility to view Advanced Audit Policy Configuration settings.

eventvwr

GUI utility to view/analyze event logs.

RID of 501

Guest Account

PowerShell

Object-oriented tool for Windows built on the .NET framework.

socket

One endpoint of a two-way communication link between two programs running on a network.

mailslot

One-way Interprocess Communication method. Max single message size of 424 bytes, acts as a file kept in memory.

mailslot

One-way interprocess communication using SMB over UDP 138.

Ensures the hardware is operational

POST

Preparation

Packing List, update tools, training, documentation, SOP, Network Diagrams, Incident Response Teams

adware

Paid for ads to infect users as they visit a website.

property

Part of a PowerShell object that contains data.

method

Part of a PowerShell object that contains the functions of the object.

bot herder

Person in control of a botnet.

|

Pipes output of one command to input of another command.

handle

Pointer to an object representing a system resource such as a file or thread. Tracked in the Object Manager, allows each process to access the resource these objects represent. Allows Windows to track access control lists (ACLs) for resources.

POST

Power On Self Test

get-member

PowerShell cmdlet to get the properties and methods of an object.

Get-Acl

PowerShell cmdlet to get the access control list (ACL) information for a file.

Get/Set-NetFireWallRule

PowerShell cmdlet to get/set Windows Firewall settings.

format-table or format-list

PowerShell cmdlets to override the default cmdlet output. Cmdlet output is usually piped into these cmdlets.

Get-EventLog

PowerShell cmdlet to view Event Logs.

Get-ExecutionPolicy

PowerShell command to display the current execution policy.

(get-process).name

PowerShell command to print the name of every running process.

get-help <cmdlet> -examples

PowerShell command to show examples for a cmdlet.

page fault

This occurs when a thread references an invalid page in the page table.

SMB Version 3 - introduced with Server 2012

This version of SMB uses AES for encryption.

initialized thread

Thread is being created in this state.

deferred ready thread

Thread selected to run but not yet executed.

ready thread

Thread waiting for execution, in the priority pool.

wmic computersystem list brief

Windows Management Instrumentation command-line command to display all computer system management information.

host name resolution

1. Name on localhost? 2. Name in the cache? 3. Name in the hosts file? 4. Query DNS server.

P.I.C.I.E.R.

1. Preparation 2. Identification 3. Containment 4. Investigation 5. Eradication 6. Recovery

Registers, Cache

1st in the order of volatility.

Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory

2nd in the order of volatility.

Temporary File Systems

3rd in the order of volatility.

Disk and other Storage Media

4th in the order of volatility.

Remote Logging and Monitoring Data that is Relevant to the System in Question

5th in the order of volatility.

Physical Configuration, Network Topology

6th in the order of volatility.

Archival Media

7th in the order of volatility.

tcpview

A SysInternals Windows program that shows detailed listings of all TCP and UDP endpoints on the system.

object

A data structure that contains properties and methods.

page

A distinct chunk of memory allocated to a process.

class

A general term for grouped objects.

DSADD

Add specific types of objects to the directory.

RID of 500

Admin Account

script

Allows for completion of repetitive tasks by the command line.

NTOSKRNL.exe

Also known as the kernel image, provides the kernel and executive layers of the Windows NT kernel space. Contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler.

Event

Any observable occurrence in a system or network.

botnet client

Application to allow an attacker remote administration/command and control of a botnet.

Local Security Authority (LSA)

Applications can use this service to authenticate and log users on to the local system.

Remote Procedure Call (RPC)

Applications load a .dll containing stub procedures for remote functions to allow configuration/viewing of a remote machine.

Domain Controller (DC)

Authenticates domain logon for users.

Security Account Manager (SAM)

Authenticates locally on Windows for local logon.

get-help <cmdlet>

Basic cmdlet help syntax.

thread

Basic unit to which the OS allocates processor time.

RID of 1000

Beginning of User Accounts

firewall

Block network traffic based on an established set of rules.

ransomware

Blocks access to local machine resources, usually encrypts files and demands payment from the victim.

NTLDR (NT Loader)

Boot loader for all releases of Windows NT, launched by the volume boot record; requires boot.ini, ntldr, and NTDETECT.COM. Starts NTOSKRNL.exe and HAL.dll.

Secure Attention Sequence (SAS)

CTRL+ALT+DEL - tells the system you want to authenticate. The kernel detects the key combination and initiates the trusted login process.

Group Policy Object (GPO)

Collection of settings that define policies controlling a group of users or computers.

CIM

Common Information Model for Windows. Cross-platform, cross-compatibility.

Hypervisor

Component that creates and runs virtual machines.

Process Validity

Comprised of valid Process ID (PID), Name, Process Age, Priority Level, and Handles.

endpoint

Consists of an IP address and a port number.

SACL

Defines which secure object interaction will be audited and logged.

signature based detection

Detection based on a database of previously identified attack signatures.

heuristic based detection

Detection based on developing a baseline of the system and then looking for anomalous activity; has the potential to catch 0-day attacks.

Identification

Determine if we're working with an adverse event or an incident.

Investigation

Determine the priority, scope, and root cause of an incident.

Recovery

Determine when to bring the system back into production and how long we monitor the system for any signs of abnormal activity.

DSGET

Display the selected properties of a specific object in the directory.

worm

Does not require user interaction to replicate.

Components of an NTFS File

Each file in this type of format contains these: Security Identifiers (SIDs), Discretionary Access Control List (DACL), System Access Control List (SACL).

baseline

Establishing what is considered normal on a local machine. Enumeration can accomplish this.

customlog event log

Event log that contains events logged by applications that create a custom log.

application event log

Event log that contains events logged by applications.

system event log

Event log that contains events logged by system components such as the failure of a driver or other system component to load during startup.

security event log

Event log that contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening or deleting files or other objects.

Incident

Event that violates an organization's security or privacy policies.

Adverse Event

Event with a negative consequence.

dynamic analysis

Examining malware while it is running.

static analysis

Examining malware without executing it.

&&

Execute command only if the previous command executes successfully.

& or ;

Execute second command after the execution of the previous command.

||

Execute the second command only if the first fails to execute.

SMSS (Session Manager Subsystem)

Executed during startup, this is the first user-mode process started by the kernel; it starts csrss.exe and winlogon.exe. Creates environment variables and virtual memory paging files.

forensically relevant keys

HKLM\Run, HKLM\RunOnce, HKU\Run, HKLM\Tasks, HKLM\SERVICES, HKLM\USBSTOR, HKU\TypedUrls, HKLM\Profiles, HKLM\BCD00000000, HKLM\SAM\SAMs

UEFI

Hardware configuration tool intended to replace the BIOS.

registry

Hierarchical database of critical system configuration. Configuration and control mechanism for the Windows operating system. Contains system-wide and per-user settings.

Executive Summary

High-level summary of the report.

Operational Notes

Highly detailed notes that will feed into your report, whether the report is an executive summary or a technical summary. Includes time stamps, programs/tools used, and outputs.

HKEY_CURRENT_CONFIG (HKCC)

Hive Key contains current hardware profile, information that is gathered at runtime.

HKEY_CLASSES_ROOT (HKCR)

Hive Key contains file association and COM objects, backwards compatibility, and file extension information.

HKEY_LOCAL_MACHINE (HKLM)

Hive Key that contains system related information: Security Account Manager (SAM), critical boot/kernel functions, 3rd party software, hardware, Boot Configuration Data (BCD.dat).

HKEY_USERS (HKU)

Hive Key that contains all accounts on a machine, the root key contains the ntuser.dat hives for ALL users.

HKEY_CURRENT_USER (HKCU)

Hive Key that contains the current user's settings.

Relative Distinguished Name (RDN)

Hostname or computer name.

VBR (Volume Boot Record)

In Windows 7+, loaded by the MBR; a boot loader that starts the bootmgr.

Information Assurance (IA)

Includes the protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of user data.

zombie

Individual machine within a botnet.

explorer.exe

Last phase in the boot process.

Containment

Limit damage caused to systems and prevent any further damage from occurring.

User Account Control (UAC)

Limits the privileges of user run applications to prevent the modification of system files, resources, or settings. Requesting elevated privileges requires explicit acknowledgment from the user.

winload.exe

Loads NTOSKRNL.exe, loads its dependencies, loads device drivers; occurs after the bootmgr on a fresh restart/boot.

Userinit.exe

Loads the user profile, runs startup programs, starts explorer.exe.

Technical Summary

Low-level summary of all technical intricacies in a report.

backdoor

Malicious program that allows illegitimate access to a machine.

remote access tool (RAT)

Malicious program that provides remote command and control of a machine.

rootkit

Malicious program to hide and remain persistent on a remote machine.

trojan

Malware hidden within another legitimate program.

Windows Management Instrumentation

Microsoft's implementation of the Common Information Model (CIM).

DSMOD

Modify existing objects in the directory.

network security products

Monitor network traffic; can be inline or passive. Examples: Intrusion Detection Systems, Intrusion Prevention Systems, Web/Application Proxy.

spyware

Monitors the behavior of a user.

blended attack

Multiple infection/transmission methods used together.

UDP port 137 for name registration and resolution services; UDP port 138 for datagram services (connectionless); TCP port 139 for session service (connection oriented).

NETBIOS provides 3 services (ports). What are they and what are they used for?

Run, RunOnce, Services, APPINIT_DLL, Shell Extension (Startup Folder), Scripts

Name 5 registry keys utilized as a persistence mechanism.

standby thread

Next thread to run, only one processor per system.

Windows Resource Protection

Previously Windows File Protection (WFP); protects system files and resources. Protected resources can only be modified by the Windows Modules Installer service (trustedinstaller.exe).

Server Message Block

Primary remote file-access protocol on Windows clients and servers, also known as Common Internet File System (CIFS).

Windows Firewall Components

Private, Public, Work/Domain

new/created process

Process state in which initial execution of the process and its threads begin.

waiting process

Process state in which the process can't continue execution until some event occurs (like an I/O read/write).

terminated/exit process

Process state in which the process is being terminated due to a halt or abort.

running process

Process state in which the process is currently being executed.

ready process

Process state in which the process is ready to execute when given the opportunity.

GINA (Graphical Identification and Authentication)

Provides customizable user identification and authentication procedures. Most common use of GINA is to communicate with an external device such as a smart-card reader. Activates the user shell after Winlogon secure attention sequence (SAS) is executed.

HAL.dll (Hardware Abstraction Layer)

Provides services primarily to the Windows executive and kernel and to kernel mode device drivers. Device drivers for devices in kernel mode directly call routines in the HAL to access I/O ports and registers for their devices.

CSRSS (Client/Server Runtime SubSystem)

Provides the user mode side of the Win32 subsystem, responsible for process/thread creation without compromising the kernel.

DSQUERY

Query the directory according to specific criteria.

most commonly used data types

REG_SZ, REG_BINARY, REG_DWORD, REG_LINK, REG_MULTI_SZ, REG_QWORD

MDMP Process

Receipt of Mission, Mission Analysis, COA Development, COA Analysis, COA Comparison, COA Approval, Conduct Mission, AAR/Lessons Learned

Security Reference Monitor

Receives the system audit policy from the LSASS. This monitor generates auditing messages when an object is accessed and sends the messages to LSASS. LSASS logs these transactions in the Event Logger.

keylogger

Records keyboard usage of a machine.

>>

Redirect input and create/append location.

>

Redirect input and create/overwrite location.

Eradication

Remove the infection.

bootmgr

Replaces NTLDR, reads Boot Configuration Data and displays the operating system choice screen. Calls winload.exe for a fresh boot or winresume.exe if waking from hibernation.

virus

Requires user interaction to replicate.

LSASS (Local Security Authority Subsystem Service)

Responsible for enforcing the security policy on the system. Verifies users logging on, handles password changes, and creates access tokens. Writes to the Windows Security Log.

situational awareness targets

Running Processes, Active Users, Network Configuration, Network Communications, Logging, Scheduled Jobs, Aliases

Winlogon.exe

The component of Windows that is responsible for handling the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running. Prior to Windows Vista, provides functions for GINA to apply the security of the newly logged-on user to the initial user processes GINA spawns.

Body

The report itself: Introduction, Methods, Findings, Conclusion.

nslookup

This command is used to query DNS servers for name resolution.

overcommitted

This occurs on an operating system when processes/threads attempt to use more physical memory than is available.

malicious mobile code

Transmitted from remote host to local host, executed without user instruction.

stream socket

Uses TCP, provides a bidirectional, reliable, sequenced, and unduplicated flow of data with no record boundaries.

Security Accounts Manager (SAM)

Validates local logon.

LDAP

Verifies authenticity of the Active Directory.

Volatility

Volatility is a measure of how perishable electronically stored data is when electrical power is turned off or fails.

LSASS.exe, MSGINA, SCM, logonUI

What 4 processes does Winlogon start?

SMB 2.1 added MTU size, and SMB 3 uses AES encryption.

What are the key differences between SMB Version 2.1 and Version 3?

asInvoker, highestAvailable, requireAdministrator

What are the three types of execution levels in a file's manifest?

net user

Windows Command Line command that allows administrators to manage user accounts.

net localgroup

Windows Command Line command that allows you to add, display, and modify local groups.

tasklist /v

Windows Command Line command that displays a list of currently running processes on either a local or remote machine (displays verbose task information).

schtasks

Windows Command Line command that will display scheduled tasks.

netsh advfirewall

Windows Command Line command to configure Windows firewall settings.

reg add <path> /v <key> /d <data>

Windows Command Line command to create a new registry key.

reg delete <path>

Windows Command Line command to delete a registry key.

arp -a

Windows Command Line command to display Layer 2 information about hosts on the local network.

nbtstat

Windows Command Line command to display NetBIOS over TCP/IP protocol statistics.

ipconfig /all

Windows Command Line command to display all network configuration information.

netstat -anbo

Windows Command Line command to display current TCP/IP network connections, ports, executables involved, owning process IDs, and IP addresses.

tasklist /svc

Windows Command Line command to display services hosted in each process.

echo

Windows Command Line command to echo input to stdout.

reg

Windows Command Line command to edit registry information.

findstr

Windows Command Line command to find a specific string within a specific path or file.

where

Windows Command Line command to find executables within the PATH environment variable.

reg add <path> /v <key> /d <data> /f

Windows Command Line command to modify a registry key.

type

Windows Command Line command to output contents of a file to stdout.

date /t

Windows Command Line command to output the system date.

time /t

Windows Command Line command to output the system time.

hostname

Windows Command Line command to print the name of the current host.

reg query

Windows Command Line command to query a registry key.

dir /ah

Windows Command Line command to show hidden files in a directory.

arp

Windows Command Line command to view MAC addressing info.

wevtutil

Windows Command Line command to view Windows Event Logs.

set

Windows Command Line command to view all current environment variables.

icacls

Windows Command Line command to view and configure access control lists (ACLs) for a file.

auditpol

Windows Command Line command to view and modify local machine audit policies.

dir

Windows Command Line command to view contents of a directory.

netstat

Windows Command Line command to view network statistics.

route

Windows Command Line command to view the routing table.

systeminfo

Windows Command Line tool to display operating system configuration information for a local or remote machine.

net use

Windows Command Line tool to map a remote drive.

sc queryex

Windows Command Line utility and subsequent command to query extended statuses for services.

mpssvc.dll

Windows Firewall .dll hosted in HKLM\SYSTEM\CurrentControlSet\services\MpsSvc

WMIC

Windows Management Instrumentation Command-Line (Windows specific).

wmic service list brief

Windows Management Instrumentation command-line command for service application management.

wmic process list brief

Windows Management Instrumentation command-line command that lists processes available for management.

wmic useraccount list brief

Windows Management Instrumentation command-line command that lists user accounts on the local machine.

wmic ntdomain

Windows Management Instrumentation command-line command to display NT domain management information.

wmic nteventlog list brief

Windows Management Instrumentation command-line command to display all NT eventlog file management information.

TCP 445

Windows supports file and printer sharing traffic by using the SMB protocol directly hosted over this port.

active directory logical structure

domains, organizational units, trees, and forests

physical structure

sites, domain controllers, member servers
