N&S X Homework 2
A Windows system administrator contacts you concerning a Linux system that might be the target of an attack. The administrator only has a passing familiarity with the Linux OS. Which Linux log(s) are the equivalent of the Windows Security event log? (Choose all that apply.)
/var/log/auth.log; /var/log/secure
A Linux system on your network was compromised. You isolate it and begin a forensic investigation into the source of the compromise. During your investigation, you find that the attacker connected to the system via SSH. Which of the following logs will NOT help in discovering the origin of the compromise?
/var/log/httpd/error_log
You just received an alert notification from your HIDS that one of your DMZ Linux systems used as a customer portal may have been compromised. Because the attack is in progress, you hope to recover certain logs before the attacker has the opportunity to wipe them. Upon further inspection, you detect that the attacker is currently logged in via SSH. Which log file should you quickly copy to another system for inspection?
/var/log/secure, because it contains successful and failed login attempts and their origins
Attackers who target Active Directory installations usually want to elevate their access, create new users, delete users, or exploit Kerberos. To help monitor Active Directory and any changes that might take place, you can employ an Active Directory analysis tool to check account changes and other object attributes. Which of the following tools has the capability to analyze Active Directory and its objects?
AD Explorer
A user runs tracert on their workstation and tells you that all responses are timing out after two hops. Which is the best possible explanation for this behavior?
An attacker is eavesdropping on network traffic.
You and your team are conducting forensics on an incident involving at least one web server. You have isolated the system and are now examining the available remaining logs. The logs provide a trail for you to follow in identifying the attacker. However, during the investigation, one of your team members reminds the group that the attacker's origin might be misleading. What is the most likely explanation of how the attacker's origin could be misleading?
Attackers often hide their IP addresses by using VPN and proxy connections.
A Windows user reports unusual mouse and keyboard behavior and general sluggishness after working with a computer for several minutes. Which of the following tools can help you determine whether there is malware configured to execute when the computer boots?
Autoruns.exe
Users have called in from all parts of your company to complain about a general sluggishness on the network when accessing websites and applications outside of the local network. Which course of action do you take in order to find out the cause of the response slowness?
Capture network traffic and analyze it
For incident response and forensics, logs are invaluable to an investigator. The problem is that smart attackers use log wipers to cover their tracks on multiple systems to hide their identities and origins, and in some cases, their lurking persistence. Which Linux log implementation increases the ease of forensic investigation, the security of systems, and difficulty for attackers in covering their tracks?
Centralized syslog server
You suspect that an attacker has breached your network, but you need to investigate further to find out the attacker's method of entry. You do not know what attack vector(s) may have been used. For an over-the-network attack, on which two devices would you check logs first? (Choose two options.)
Firewall; IDS/IPS
You are a security administrator for a company where employees commonly use their own personal mobile devices for normal business operations. After a serious cybersecurity breach, you narrow down suspects to a specific employee and petition the telecommunications provider for information on that customer. Which customer information will the telecommunications company likely provide? (Choose all that apply.)
IP address and session history; Call records; Geolocation history; SMS and MMS records
You suspect a rogue computer is lurking somewhere within your local area network, but you are uncertain where it is attached. One of your security team members suggests using the CAM table to locate the computer. How does a CAM table locate the rogue computer?
Maps MAC addresses to switch ports
You need to determine if there is a rogue computer on the company's network. You view the ARP cache using the arp -a command on a Windows client attached to the network. Which of the following could indicate that a rogue computer compromised the Windows client?
Multiple IP addresses map to the same MAC address.
A user notifies the help desk that his computer takes 15 minutes to be useable when booting up from a powered off state. He reports that there are no Windows updates taking place and that the computer booted up in under three minutes a few weeks ago. The user wants to know if IT has done anything to his system to make it slower. The user reports that he has not installed any new software in the past several months. You suspect malware is present on the system. How should you proceed to determine if his computer has been infected?
Open the Startup folder and check for unauthorized programs
Several users on your network have complained about computer responsiveness, failing connections to common websites, and some corporate application failures. Based on this pattern of complaints, you suspect a widespread malware infection. After determining the scope of the problem and isolating compromised systems, you are required to determine if any data was breached. Which log files should you investigate to determine if this malware has exfiltrated data?
DNS logs
A user reports that his computer runs slowly, even when no applications are running. You take a closer look and ensure there are no active application processes. You then execute the netstat command on the user's computer and notice several entries similar to the following. (Note: in this output, 111.111.111.111 is representative of any remote IP address.)
tcp4 0 0 192.168.1.99.60369 111.111.111.111.25275 ESTABLISHED
tcp4 0 0 192.168.1.99.60362 111.111.111.111.80 ESTABLISHED
tcp4 0 0 192.168.1.99.60359 111.111.111.111.443 ESTABLISHED
tcp4 0 0 192.168.1.99.60346 111.111.111.111.443 ESTABLISHED
tcp4 0 0 192.168.1.99.60342 111.111.111.111.443 ESTABLISHED
tcp4 0 0 192.168.1.99.60334 111.111.111.111.31685 ESTABLISHED
The user's computer has been compromised by malware and is connected to the remote IP addresses for data exfiltration.
You receive a notification from your upstream Internet provider that unauthorized connections are originating from one of your systems. The ISP technician attaches the following log excerpt:
15:26:16.821245 IP 192.168.1.10.59987 > 111.111.111.111.ssh: UDP, length 1
15:26:16.821248 IP 192.168.1.10.59987 > 111.111.111.111.ssh: UDP, length 1
15:26:16.821251 IP 192.168.1.10.59987 > 111.111.111.111.ssh: UDP, length 1
15:26:16.821253 IP 192.168.1.10.59987 > 111.111.111.111.ssh: UDP, length 1
You need to determine whether this log demonstrates a security incident or a false positive, and which action you should take. Which determination should you make?
This is an incident. You should disconnect the system from the network and notify the ISP of your action.
Security analysts use data from a variety of sources when tracking anomalies on a network. They use tools such as packet sniffers and data flow analyzers to check inbound and outbound network traffic on switches, routers, firewalls, proxy servers and other network devices. Which of the following traffic patterns would most likely identify a possible attack?
Tunneling
After much frustration with freeware tools, you were unable to locate and remove malware on a user's Windows machine. You need a utility to explore and modify the contents of suspected executables and libraries. It should also have the following capabilities:
Resource editor
Digital signature viewer
Disassembler
Which utility should you purchase for these advanced functions?
PE Explorer
The majority of forensic investigation has focused on persistent storage like hard drives and USB devices, known as dead-box analysis. Volatile memory analysis, however, can retrieve valuable information on running processes, registry handles, cryptographic keys, and memory-resident worms and rootkits. Tools that analyze volatile memory must consume very little memory and handle constantly changing data. Which of the following tools are used to analyze volatile memory? (Choose all that apply.)
PMDump; Volatility; FTK Imager
You suspect that a malicious program has infected your users' Windows workstations, but anti-malware programs have not found anything. Based on user descriptions, you believe the malware may be running as a low-level component or driver. Which tool should you use to investigate any unusual application settings?
Registry Editor
As part of your standard documentation, you have taken snapshots of baseline information for your servers and stored that information on a secure, air-gapped external hard drive. You notice during a routine system health check that three of your web servers have experienced an outage, which could indicate a DDoS attack. Which data source should you compare to your baseline information to determine why web servers are not responding in a timely manner?
Routing table
You attempt to locate a computer that has launched attacks against another company's website. You were alerted to the attacks because the administrator from that company contacted you to investigate. You discover that the origin of the attacks is a rogue computer on your own network. The computer is not part of the domain, nor was it installed by the IT department. Which tool did you use to locate the rogue computer?
Wireshark
You suspect that your DMZ systems are under a DDoS attack. You need to move quickly to capture packets and analyze them for common DDoS patterns. Which of the following tools should you use?
Wireshark
You believe that a Linux machine has been unwittingly communicating with an attacker's machine. Which command-line statement should you run to view the MAC and IP addresses of the hosts with which the machine has recently communicated?
arp -an
You have experienced a devastating network attack against a DMZ Linux-based web server. As part of your forensics investigation, you want to create a copy of the disk and examine it further on a non-production system while the IT services personnel reimage the server and put it back into production. Which command do you use to make an exact copy of the original disk?
dd
You suspect that a rootkit is installed on a user's Windows workstation. Which command-line statement will display all hidden files and folders in a directory?
dir /ah
Excessive bandwidth consumption from a single system is often a symptom of a malware infection. High bandwidth usage across an entire network suggests a multiple-system attack. Which of the following tools can you use to measure bandwidth usage to determine if multiple systems are under attack?
iPerf
You received a high-priority ticket that a growing amount of network traffic is originating from a single Linux system. This high bandwidth consumption is causing issues across the entire network. The network engineer wants you to investigate. Which utility do you use to investigate the amount of traffic sent to and from the system in question?
ifconfig
Several users contacted the help desk to report that they cannot connect to their normal Internet sites. Instead, their browsers redirect them to blacklisted sites. You suspect that these users' workstations might be bypassing the company's DNS server. Which built-in command should you run to verify your suspicion?
ipconfig
You have been asked to join a forensics investigation already in progress for a Linux system assumed to be compromised. The other investigators are searching for rootkits and other malware. You decide to get a list of everyone who has logged into the system to determine the scope of accounts that may have been compromised. Which command should you use?
lastlog
There are malware programs that fill up hard disk space in order to crash the system or make it impossible to log in and use the system. You suspect such an infection is present on a user's computer because /var is being consumed at a high rate, and the standard log files are not the cause. To find the malicious files and remove them, which utilities do you use? (Choose all that apply.)
ls; rm; du; df
You are asked to take part in an ongoing incident involving a malware infection on a Linux server. Which command(s) would NOT be useful in determining the system's resource consumption? (Choose all that apply.)
ls; who
You have responded to a request from a developer who has experienced an unusually high amount of CPU and memory consumption on his primary Linux development system. The developer has identified a suspicious process that consumes over 50 percent of the CPU.
lsof
A coworker finds a Windows computer with a USB thumb drive inserted into one of its slots, but reports that the screen does not resemble Windows. Upon further investigation, you find that an attacker has infiltrated your offices and booted from the USB key into a Linux system. Fortunately, the system is open and displaying a root prompt. Which list of commands will help you establish what is happening on this computer?
lsof, who, ifconfig, ps, netstat
The /var/log/auth.log is filled with dozens of these entries:
Mar 2 02:34:02 server1 sshd[28436]: Did not receive identification string from 192.168.33.50
Mar 2 02:34:08 server1 sshd[28439]: Did not receive identification string from 192.168.33.50
Mar 2 02:34:13 server1 sshd[28442]: Did not receive identification string from 192.168.33.50
Mar 2 02:34:19 server1 sshd[28445]: Did not receive identification string from 192.168.33.50
Mar 2 02:34:24 server1 sshd[28448]: Did not receive identification string from 192.168.33.50
What do these entries indicate?
server1 is under an SSH brute force attack.
Your security colleague suggests that you use tcpdump on your Linux systems to help her assess a current problem on the network. Why does she suggest tcpdump rather than a more robust alternative? (Choose all that apply.)
tcpdump is available for all Linux distributions. tcpdump is a quick and simple method to capture network packets.
You have been asked to train a new security administrator on first response forensics. Your role in this exercise is to play the part of the attacker on the red team. The recruit will be on the blue team. You have breached the Linux system and are copying a large number of files to a remote system. Which command should the recruit execute to determine who is logged on and what they are doing?
w
You believe that an attacker is currently logged into a Linux server. Which command should you issue to determine the logged-on user account?
who
You receive a Windows 7 computer that you believe to be running malware installed as a Windows service. Which GUI tool can filter out all Microsoft services, so that you can see only the services from other manufacturers?
System Configuration
One of your Apache web servers has been the target of recent exploits, but these vulnerabilities have since been patched. Which log file(s) should you initially examine to determine the origin of the attacks and the vulnerabilities they attempted to exploit? (Choose all that apply.)
/var/log/httpd/error_log; /var/log/httpd/access_log
Windows server applications that frequently crash or become unresponsive could be evidence of buffer overflows or other DoS attacks intended to disrupt business operations. Where should an administrator look for these types of messages in the Windows event log?
App Hang messages in the Application event log
Your company recently dismissed a system administrator who you caught stealing confidential data and uploading it to a cloud-based storage site. Which of the following activities are key indicators of insider exfiltration?
Excessive bandwidth usage; Off-hours usage
To gain more insight into activities performed on your network hosts, you can enable and configure application monitoring through logging. Application logs are useful for forensics, activity auditing, and compliance. Which of the following application logs should you enable for forensics investigations on user workstations? (Choose all that apply.)
HIPS; Antivirus; Browser
A user reports that he has removed a virus multiple times and rebooted after each removal. You search through his computer's registry to find any hidden entries that would lead to such a persistent recurrence of an infection. Which registry entry is the MOST likely location for such a threat?
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
You want to quickly scan your network and tentatively identify all systems and their operating systems. Which application do you select for this task?
Nmap
You suspect that a Windows computer is infected with malware, but your investigation did not turn up any obvious startup applications. This leads you to believe that a legitimate application might have been altered to load malicious DLL files into memory. Which utility should you use to find malicious DLL files loaded by a running application?
Process Explorer
You suspect that a web server has been compromised as part of an advanced persistent threat (APT) attack. To verify this suspicion, you need to determine whether malicious software has been downloaded somewhere within the private company network. Which log should you investigate first?
Proxy logs
You are working on a compromised Windows machine. You generate a HijackThis log that has the following entry:
O23 - Service: Malw@rRAT - Unknown owner - C:\Program Files (x86)\Malw@r\bin\RATServer.exe
Which native tool can you use to determine how this Windows service is configured?
Services
A user's Windows 10 workstation boots up slowly and the hard drive light is constantly blinking. Which tool should you use to investigate the increased disk activity?
Task Manager
Multiple users on your network have received suspicious email messages and called you to investigate. You need to locate the email server's IP address and contact its server administrator to investigate further. Which piece of forensic evidence will lead you to the email server and its administrator?
The X-originating IP address
During a routine software audit, a system administrator noticed that one of the secretary's computers had Wireshark, Nmap, and TSK installed. The computer also had dozens of .pcap files, reconnaissance notes, and approximately 75 GB of human resources documents, classified documents, and email files. After questioning the secretary and his manager, you determine that he could not have been the actor in this scenario. From what you and the system administrator found on this computer and from your interviews, which likely conclusions can you draw? (Choose all that apply.)
The actor is possibly a malicious insider. This computer and possibly others have been compromised. Data has likely been exfiltrated from the company.
A system administrator asks you to assist her on an investigation into a possible attack on a company server on which several PHP applications reside. She has looked at system and httpd logs but has found little to go on. Which logs should you direct her to further investigate?
WAF logs
The network administrator tells you that a hacker attempted to gain access from outside the network using the aircrack-ng tool. You need to investigate the appropriate logs to determine the extent of the attack. On which device should you review the logs?
WAP
A Linux developer reports to the security team that his system is low on memory. The system is taking hours to compile programs. It has been rebooted multiple times, but the problem persists. Which utility should you use to check his system for programs with large memory footprints, which are potentially malware?
top
Linux, by default, comes with several lightweight forensics applications for examining memory, CPU, disk usage, and network bandwidth. For memory usage, many Linux administrators depend heavily on the free command because it shows total memory available, total memory used, unused memory, and memory used by temporary files. The free command has some limitations, however. Which command should be used in tandem to confirm excessive memory usage?
top