SEC504 (GCIH) Book 1 Practice Questions

What tool is used to record the state of the registry before and after malware is executed on an analysis system?
A. Regshot
B. Wireshark
C. Ollydbg
D. Regripper

A. Regshot Regshot takes and compares a snapshot of the registry and, optionally, the filesystem. It provides a high-level summary of the changes, showing the registry keys that were added, removed, and modified. Book 1 Page 94

During memory forensics, an analyst executes a Volatility plug-in that generates the following output. What command did the analyst execute?

PID    PPID  ImageFileName  CreateTime
4      0     System         2022-03-28 11:10:44
* 344  4     smss.exe       2022-03-28 11:10:44

A. windows.pstree.PsTree
B. windows.netscan.NetScan
C. windows.cmdline.CmdLine
D. windows.pslist.PsList

A. windows.pstree.PsTree The windows.pstree.PsTree plugin creates a visual representation (in text) of the parent-child relationships for running processes. To interpret the relationship, a child process will be indented one more than its parent process. Book 1 Page 79

Why is performing memory analysis on RAM images a staple of investigations?
A. Speed—evidence from a RAM image will match disk content.
B. RAM provides more consistent images than disk.
C. Valuable information may exist in RAM that may not be found on disk.
D. It is easier to look for historical information in RAM than on disk.

C. Valuable information may exist in RAM that may not be found on disk. Memory forensics, the investigation of RAM images, has become a staple of many digital investigations. This is because of the huge amount of valuable information that resides in RAM and not on disk. Book 1 Page 76

Who should make the decision of when to put a system back into production?
A. Business
B. Systems administrator
C. Security
D. Data owner

A. Business The decision of when to put a system back into production has to be made by the business team. As a handler, you can give the owner advice and offer help, but it is their call. This is a business decision, so you may be overruled as an incident responder. Book 1 Page 31

When identifying differences between two files, use fc.exe from a Windows command prompt. Which PowerShell cmdlet can be used for the same functionality from a PowerShell prompt?
A. Compare-Object
B. Measure-Command
C. Get-Counter
D. Get-Unique

A. Compare-Object Compare-Object compares two sets of objects; i.e. it can compare the content within two files where one object is the reference set and one is the difference set. It identifies any differences found between the two. fc.exe is the legacy command that performs similar functionality from a Windows command prompt. Book 1 Page 60

To navigate Windows registry keys, you can use the PowerShell cmdlet Get-ChildItem. What PowerShell cmdlet can be used to enumerate the values in a registry key?
A. Get-ItemProperty
B. Get-LocalGroup
C. Get-WinEvent
D. Get-ChilditemProperty

A. Get-ItemProperty To enumerate the values in a registry key, use the Get-ItemProperty cmdlet. Book 1 Page 52

Generative AI is valuable in augmenting incident response; however, there are several reasons to be cautious. What are the reasons to be cautious?
A. Incorrect results, information disclosure, privacy, AI hallucination
B. Skill erosion, diminished oversight, job loss, reduced flexibility
C. Implementation cost, regular upkeep, expert staff, hidden charges
D. AI bias, misinterpretation, continuous training, dependence

A. Incorrect results, information disclosure, privacy, AI hallucination Analysts can leverage generative artificial intelligence (AI) to accelerate analysis tasks in incident response. This is a rapidly evolving field, with disruptive technologies including ChatGPT and Bard helping to accelerate analysis and response tasks. Many organizations have expressed concerns about AI technology such as incorrect results from AI, information disclosure threats, privacy concerns, and AI hallucination concerns, which have led to some organizations banning AI platforms altogether. Book 1 Page 103

What are the phases of incident handling, in order, in the classic six-step incident response process?
A. Preparation, identification, containment, eradication, recovery, and lessons learned
B. Preparation, containment, eradication, recovery, retaliation, and lessons learned
C. Preparation, identification, containment, eradication, recovery, and prosecution
D. Preparation, identification, recovery, encapsulation, eradication, and lessons learned

A. Preparation, identification, containment, eradication, recovery, and lessons learned The six phases of the classic incident response model (often called PICERL) are preparation, identification, containment, eradication, recovery, and lessons learned. The first, preparation, refers to everything an organization does before the incident occurs. The incident then must be identified. Once an incident has been identified, the compromised systems need to be contained. Eradication refers to undoing the damage done by the threat actors. Recovery refers to the steps taken to get business systems back up and running. Lessons learned is when the final report is written and the vulnerabilities the threat actors exploited are fixed. Book 1 Page 21

A web proxy is used by an organization to filter out sites that are inappropriate. What added benefit of web proxy usage assists the organization with incident response analysis?
A. Reverse engineer programs
B. Identify anomalous or suspicious requests
C. Base64 encode and decode data
D. Identify a new or unrecognized process

B. Identify anomalous or suspicious requests Recording web site visits and web application use through a web proxy creates a valuable resource for incident response analysis. Investigators can use proxy logs to build thorough profiles of user activity and identify anomalous and suspicious traffic. In some cases, if configured to do so, proxy logs can even show web requests for encrypted sessions. Book 1 Page 71

What step should always be taken first during an incident?
A. Choosing which systems to rebuild
B. Verifying whether an incident occurred
C. Identifying which systems are unpatched
D. Determining which threat intelligence feeds to query

B. Verifying whether an incident occurred The first step that must be taken during an incident is verification: Is there actually an incident, or is it a false positive? Sometimes, this question can be answered easily, such as when a website is defaced. Other times, it may be more costly, requiring a full-blown forensic examination. Once you verify that an incident has occurred, it is also a good idea to start triaging. Book 1 Page 26

An investigator identifies the following POST request. Which log recorded the activity?

1583050850.951 185 192.168.40.123 TCP_MISS/200 1856 POST https://update.googleapis.com/service/update2? - ORIGINAL_DST/172.219.10.153 text/xml

A. Regshot event log
B. Proxy access log
C. Switch access log
D. Windows event log

B. Proxy access log Access logs are used to record individual requests through a Squid proxy. They are text files with a user-definable format. The default format is quite verbose, but it is worth noting that even though the URLs will often be shown, depending on how the proxy and clients are configured, you may or may not see the URL for HTTPS requests. The proxy and client used to generate the example were configured to allow interception of encrypted traffic. Book 1 Page 72

What is one of the activities performed during the eradication phase?
A. Apply filters to routers and firewalls
B. Restore systems from trusted backups
C. Scan the enterprise for known IOCs
D. Prepare the IR team

B. Restore systems from trusted backups Restoring systems from trusted backups (assuming backups are available) is one of the activities performed in the eradication phase. Eradication is about undoing what a threat actor has already done. It differs from containment, in that containment is about stopping the threat actor's operations inside an organization; eradication is about removing what they have done. Book 1 Page 30

Which Sysinternals tool can be used to collect detailed event information for system monitoring and analysis?
A. Process Monitor
B. Sysmon
C. Procdump
D. Autoruns

B. Sysmon Sysmon is a service and driver that can be configured to collect detailed event information. This is valuable when combined with an event monitoring tool such as a SIEM or Windows Event Collection. Book 1 Page 61

What is one of the activities performed during the containment phase?
A. Restoring systems from trusted backups
B. Performing a vulnerability assessment
C. Applying filters to network devices
D. Dealing with fraudulent transactions

C. Applying filters to network devices Applying filters to routers and firewalls is one of the activities performed in the containment phase. With containment, the goal is to stop the threat actor from continuing their operations inside a compromised network. Book 1 Page 29

Which of these tools is available online to run a malware specimen through a sandbox to record activities performed by the malware in a virtual environment?
A. VirusTotal
B. SandBoxer
C. Hybrid Analysis
D. Domain Tools

C. Hybrid Analysis Hybrid Analysis allows you to upload a malware specimen and choose a virtual machine environment in which to run the specimen. Hybrid Analysis records how the malware behaves within the virtualized environment. Book 1 Page 89

During the remediation phase of incident response, you remove a file from your infected web server. What are the two most important things to do to prevent being compromised again?
A. Review and update host-based firewall rules
B. Apply patches and harden the system
C. Identify and fix the root cause of the attack
D. Restore the host data from backups

C. Identify and fix the root cause of the attack Remediation is all about fixing the underlying cause of the incident. Short-term actions are usually considered containment, although with many of the outcomes, activities may overlap. For example, if an organization is compromised due to having a weak password, one easy containment option is to change the password. However, you must ask the question, why was a weak password allowed? Was policy not being enforced properly? Or, was the policy properly enforced but so weak in design that it allowed weak passwords? Book 1 Page 32

During incident response, an analyst notices that the following PowerShell cmdlet was issued. What details are disclosed with this cmdlet?

Export-ScheduledTask -TaskName 'AvastUpdatre'

A. The last time the scheduled task ran
B. A list of scheduled tasks on the system
C. The scheduled task command line
D. The status of the last executed task

C. The scheduled task command line Like other PowerShell cmdlets, Get-ScheduledTask does not provide all the details an analyst might want to see about a scheduled task, such as the command that is executed or the command-line arguments that are supplied to the command. To get these additional details, an analyst can export the scheduled task in XML format using the Export-ScheduledTask cmdlet. Book 1 Page 54

If you believe your system has been the victim of a rootkit attack, what is the most cost-effective form of eradication?
A. Reboot the system and look for a solution in the BIOS/CMOS
B. Destroy the system and systems with rootkits can never be remediated
C. Wipe the disk, reformat the drive, reload the operating system, and restore the data from a trusted backup
D. Patch the OS, verify all updates are installed and reboot the compromised system

C. Wipe the disk, reformat the drive, reload the operating system, and restore the data from a trusted backup Businesses sometimes run into problems by not having recovery procedures. Especially when dealing with a rootkit, one of the most efficient ways to recover is to wipe the disk, reformat the drive, reload the operating system, and restore the data from a trusted backup. You cannot do this without procedures and backups. Book 1 Page 25

What command will display ASCII and Unicode strings within a malware sample?
A. cat
B. findstr
C. strings
D. Get-Strings

C. strings The Sysinternals strings utility allows you to view embedded strings in a file. By default, the Sysinternals version of strings displays both ASCII and Unicode strings. While both the Linux and Sysinternals strings commands can display ASCII and Unicode strings, the Linux version requires additional arguments to display Unicode strings and does not display them by default. Book 1 Page 91

During memory forensics, an analyst executes a Volatility plug-in that generates the following output. What command did the analyst execute?

PID  PPID  ImageFileName  CreateTime
4    0     System         2022-03-28 11:10:44.000000
344  4     smss.exe       2022-03-28 11:10:44.000000

A. windows.pstree.PsTree
B. windows.netscan.NetScan
C. windows.pslist.PsList
D. windows.cmdline.CmdLine

C. windows.pslist.PsList The windows.pslist.PsList plugin lists processes, similar to how the operating system would do so using live analysis tools (Get-Process, for example). The generated output will display several fields, including the image filename of the running process, the process ID (PID), the parent process ID (PPID), the time the process was started, and sometimes the time the process terminated. Because of the structure of the Windows executive process (EPROCESS) block used to represent a process in memory, process filenames are often truncated to 14 characters. Book 1 Page 78

In a packet capture, an analyst observes that a system sent a frequent, small, outbound communication to a known bad IP over a seven-day span. What type of behavior is possibly occurring?
A. Ack scan
B. Traceroute
C. Fragmentation
D. Beaconing

D. Beaconing There are several indicators to identify suspicious network traffic. Examples include lots of activity during non-business hours, long-running HTTP and HTTPS sessions, and beaconing traffic, which is small, outbound communication occurring somewhat regularly and frequently. Book 1 Page 49

An analyst wants to use an LLM such as ChatGPT to understand the following source code left behind by an attacker. How would the analyst start the prompt to accomplish this task?

$ cat /var/www/html/wp-includes/FkhDUPZ.php
<?php$b6bb6=explode("1l","stsixe_yek_yarra1lcexe_lruc1ltilps_gerp1ldomhc1lstegf1lteg_ini1lemitotrts1lecalper_gerp1lrid_pmet_teg_sys1

A. Write a Summary ...
B. Explain this Code ...
C. Write a Script ...
D. Deobfuscate this Code ...

D. Deobfuscate this Code ... In addition to explaining source code, ChatGPT also has powerful capabilities for deobfuscating code. For this prompt, the analyst can tell ChatGPT to play the role of an incident response analyst and supply the obfuscated PHP source code with a clear delimiter. Book 1 Page 110

During an incident response, you notice that the following PowerShell cmdlet was issued. What was being done?

Get-LocalGroupMember Administrators

A. The list of user accounts in the LocalGroup and Administrators group was being displayed.
B. Information was being displayed for the LocalGroup and Administrators user accounts.
C. The LocalGroup was being added to the Administrators group.
D. The list of user accounts in the administrators group was being displayed.

D. The list of user accounts in the administrators group was being displayed. The PowerShell cmdlet "Get-LocalGroupMember Administrators" shows which accounts are in the administrator's group. Book 1 Page 53

Which type of system is more commonly used to investigate malware?
A. Production system
B. Day-to-day host
C. Thick client
D. Virtual machine

D. Virtual machine Whenever you investigate malware, no matter the reason, you must always make sure to follow good security practices. You do not want malware to accidentally spread into your corporate network or be the reason why your organization ends up on the front page of the news or the Internet Storm Center. First and foremost, never ever investigate malware directly on the host system you use for day-to-day operations. There is too much risk of something escaping from your system. Ideally, you should investigate malware on an air-gapped system that you wipe after each use, although this is not really practical for most organizations, especially in the middle of an incident. Instead, it is much more common to use a virtual machine for investigating malware. In this scenario, you want to use host-only networking or the equivalent. Since a virtual machine is not true physical separation, you still need to follow good security practices for the host. Book 1 Page 90

An analyst is reviewing an IoC left behind by an attacker and wants to use an LLM such as ChatGPT to identify all hosts in the domain that have the IoC. How would the analyst start the prompt to accomplish this task?
A. Write a Summary ...
B. Explain this Code ...
C. Deobfuscate this Code ...
D. Write a Script ...

D. Write a Script ... An incident response team needs to find a new indicator of compromise, or IoC (such as the attacker running osk.exe), across all Windows 10 systems in the organization to identify other possible compromises. This is a great job for a PowerShell script, using PowerShell remoting support to interrogate the AppLocker event log information that records the name of all programs executed. You can tell ChatGPT to create code that will complete this task. Book 1 Page 114

An analyst needs to create a CISO report about a complex vulnerability paper within 30 minutes and wants to use an LLM such as ChatGPT to fast-track the process. With what prompt would the analyst accomplish this task?
A. Write a Summary ...
B. Summarize this Code ...
C. Write a Script ...
D. Deobfuscate this Code ...

In the prompt, direct ChatGPT to analyze a writing sample inside a triple quote block, supplying text written from a previous project as an example of a writing style. Then, direct ChatGPT to recognize this writing style as My Style. Next, tell ChatGPT to review the paper the CISO is waiting for a summary on, identified by the link to the paper itself. Now, tell ChatGPT to summarize the results in no more than 100 words using My Style. ChatGPT's response is quick, accurate, and somewhat more personable and casual than the output might be without the influence of My Style. Book 1 Page 118

An analyst wants to use an LLM such as ChatGPT to understand the following source code left behind by an attacker. How would the analyst start the prompt to accomplish this task?

byte[] shellcode = new byte[] { "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12...\x55\xff\xd7" };

A. Write a Summary ...
B. Explain this Code ...
C. Deobfuscate this Code ...
D. Write a Script ...

B. Explain this Code ... Reviewing the source code left behind by an attacker can provide useful insight to apply when using the incident for scoping to identify other compromised systems. However, not every incident response analyst will understand every programming language that can be used by attackers. This is one area where generative AI systems and, in particular, ChatGPT, excel, providing the option to share the source code or an excerpt of the source code and ask the LLM to summarize the content. Book 1 Page 105

What are two basic approaches commonly employed when investigating malware?
A. Running a penetration test and running a vulnerability scan
B. Monitoring the environment and examining code
C. Performing a risk assessment and confirming a possible exploit type
D. Taking the environment offline and restoring from backups

B. Monitoring the environment and examining code There are two basic approaches commonly employed when investigating malware. The first is to monitor how the malware specimen interacts with the environment, by using tools that monitor the environment themselves. This is sometimes called behavioral analysis. The other common approach is to directly examine the malware's code in tools like debuggers and disassemblers. Book 1 Page 88
