Gemini Notes


Last updated 2:45 PM on 6/19/26

26 Terms

1

What is the significance of Excel (excel.exe) spawning cmd.exe or powershell.exe?

It is a high-severity True Positive indicating an Initial Access or Execution exploit. Legitimate Office applications have no business reasons to spawn administrative shells; this points to malicious macros or XLL add-in files.

2

What does an attacker mean to achieve by utilizing '-ExecutionPolicy Bypass' and '-WindowStyle Hidden' in PowerShell?

A Stager Download. 'Bypass' circumvents local execution restrictions for unsigned scripts, while 'Hidden' masks the process window from the victim's view to preserve stealth.

3

If an EDR shows a file downloading via System.Net.WebClient into 'C:\Users\Public\' and running via 'Start-Process', what is the attack phase?

Initial Access / Execution. Globally writable directories like C:\Users\Public are abused to drop and execute second-stage payloads because they bypass basic user privilege restrictions.

4

What is the 4-step blueprint for ANY Incident Response triage answer?

  1. Triage: Verify artifacts, hashes (OSINT/VirusTotal), and process lineage to determine True/False Positive.

  2. Scope: Check the XDR console to see if the hash/IP has interacted with any other corporate endpoints.

  3. Containment: Network isolate the host via the EDR agent and terminate the malicious process tree.

  4. Eradication: Delete persistence keys (Registry), block C2 IPs at the firewall, and force user credential resets.

5

What is Network Beaconing?

When malware on an infected asset checks in with an attacker's Command & Control (C2) server at rigid, automated intervals (e.g., exactly every 60 seconds) to request new instructions.

6

What is DNS Tunneling?

A network evasion technique where attackers encode malicious data inside legitimate DNS queries (e.g., subdomain names) to bypass standard firewall filters that must allow outbound DNS resolution.

7

Why is a service account logging into interactive RDP (Logon Type 10) from a Marketing workstation a critical alert?

Service accounts (svc-) are restricted to non-interactive, programmatic automation. Interactive logons from low-privilege network segments indicate Compromised Credentials and active Lateral Movement.

8

What is the intent of the command: 'net user administrator /active:yes'?

Privilege Escalation and Persistence. It forces the built-in local administrator account active, creating an alternative backdoor for the attacker even if the primary compromised account's password is changed.

9

Define 'Blast Radius' in a SOC environment.

The potential structural and business impact of an uncontained security incident. Asset type (e.g., Domain Controller vs. Employee Laptop) and Identity Level (e.g., Domain Admin vs. Regular User) dictate the blast radius and triage priority.

10

Why does an active Domain Controller connecting over Port 445 (SMB) to multiple internal workstations take first priority over a trapped laptop virus?

Port 445 is used for lateral movement. A Domain Controller scanning internal assets over SMB paired with high CPU signals a live, automated Ransomware deployment capable of encrypting the entire enterprise in minutes.

11

What does the process lsass.exe do, and why do attackers target it?

Local Security Authority Subsystem Service. It manages user logins and stores active security tokens/credentials in RAM. Attackers target it for Credential Dumping (using tools like Mimikatz or ProcDump) to steal passwords directly from volatile memory.

12

What is a Pass-the-Hash (PtH) attack?

Identity attack where an offender bypasses password verification by feeding a stolen cryptographic NTLM or Kerberos hash directly into authentication tools to log laterally into other network servers.

13

How do you identify Pass-the-Hash in Windows Event Logs?

Look for an influx of Windows Event ID 4624 (Successful Logon) specifying Logon Type 3 (Network Logon) using the NTLM authentication package rather than Kerberos.

14

What are the 4 Pillars of Cynet’s 'Sensor Fusion' XDR Architecture?

  1. Endpoint Security (EPP/EDR): Process lineage, file hashes.

  2. Network Security (NDR): Malicious traffic, beacons, scanning.

  3. User/Identity Security (UBA): User behavioral anomalies, credential abuse.

  4. SaaS/Cloud Security (CLAW): M365/AWS cloud logging integration.

15

What are the primary Windows Event IDs for identity and process auditing?

Event ID 4625: Failed Logon (Brute Force indicator)

Event ID 4624: Successful Logon (Check Logon Types 2, 3, 10)

Event ID 4688: Process Creation (Builds process ancestry trees)

Event ID 4720: User Account Created (Persistence backdoor indicator).

16

If an internet-facing IIS web server process (w3wp.exe) spawns cmd.exe, what occurred?

A Web Shell execution. The attacker exploited a vulnerability or uploaded a malicious script to interact directly with the underlying host's OS via the web server daemon.

17

What is the command 'vssadmin.exe delete shadows /all /quiet' trying to do?

Pre-Ransomware Sabotage. It silently destroys the operating system's Volume Shadow Copies (backups) to ensure the victim cannot easily restore their files for free once encryption begins.

18

What is the command 'net share admin$ /delete' trying to do?

Defense Evasion. Deleting administrative shares blinds security teams, preventing IR responders from easily connecting remotely to the endpoint to remediate it.

19

What are the specific IAT functions that point to an active Process Injection capability?

The coexistence of VirtualAlloc/VirtualAllocEx (carving secret space in RAM), WriteProcessMemory (writing payload to that space), and CreateRemoteThread (forcing a clean process to run the injected code).

20

What does a static binary entropy score of 7.8 to 8.0 mean?

High file randomness indicating that the binary payload is heavily encrypted or compressed (Packed) to evade static signature antivirus scanners.

21

If static triage shows section names like .UPX0 and .UPX1, what does this tell you?

The binary is compressed using the open-source UPX packer. Upon execution, an unpacking stub will extract the real malware directly into memory via LoadLibraryA and GetProcAddress.

22

What is Path Masquerading?

A defense evasion trick where a malicious file uses a legitimate Windows name but executes from an incorrect directory (e.g., a file named lsass.exe or svchost.exe running from C:\Users\Public\ instead of C:\Windows\System32).

23

If Adobe Reader (Acrobat.exe) spawns cmd.exe, what is the root cause?

A weaponized PDF document utilizing an embedded script or software vulnerability to force remote code execution.

24

What is Windows Logon Type 2?

Interactive logon. The user physically logged into the computer using the local keyboard and monitor.

What is Windows Logon Type 3?

Network logon. A connection to resources from a remote machine (e.g., network shares, IIS authentication, or Pass-the-Hash lateral movement).

What is Windows Logon Type 5?

Service logon. A background system service started by the Windows Service Control Manager using an automated service account.

What is Windows Logon Type 10?

RemoteInteractive logon. A remote desktop connection using RDP or Terminal Services.

What is Windows Logon Type 11?

CachedInteractive logon. A local login using locally cached credentials because the computer cannot contact the corporate Domain Controller.
