Security + Basics

0.0(0)
Studied by 0 people
call kaiCall Kai
Locked
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/96

encourage image

There's no tags or description

Looks like no tags are added yet.

Last updated 9:23 PM on 7/6/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai
Chat

No analytics yet

Send a link to your students to track their progress

97 Terms

1
New cards

OSI Model

  • Definition: A seven-layer framework that describes how data travels across a network.

  • Purpose: Standardizes network communication between devices and applications.

  • SOC Relevance: Helps identify where communication problems or attacks occur.

  • Common Attack/Abuse: Attacks can target different OSI layers.

  • Remember: Seven layers from Physical to Application.

2
New cards

TCP/IP

  • Definition: A suite of networking protocols used for communication over modern networks and the Internet.

  • Purpose: Provides the rules for addressing, transmitting, routing, and receiving data.

  • SOC Relevance: Most network traffic, logs, and investigations involve TCP/IP.

  • Common Attack/Abuse: IP spoofing, SYN floods, and session hijacking.

  • Remember: Foundation of modern networking.

3
New cards

TCP

  • Definition: A connection-oriented transport protocol that provides reliable data delivery.

  • Purpose: Ensures data arrives completely and in the correct order.

  • SOC Relevance: Used by many important services such as HTTPS, SSH, SMB, and RDP.

  • Common Attack/Abuse: SYN flood attacks and TCP session hijacking.

  • Remember: Reliable communication.

4
New cards

UDP

  • Definition: A connectionless transport protocol that sends data without guaranteeing delivery.

  • Purpose: Provides fast communication with minimal overhead.

  • SOC Relevance: Commonly used for DNS, streaming, and voice communications.

  • Common Attack/Abuse: UDP flood and amplification attacks.

  • Remember: Fast communication.

5
New cards

IPv4

  • Definition: A 32-bit addressing system used to identify devices on a network.

  • Purpose: Provides logical addresses for network communication.

  • SOC Relevance: Most enterprise environments still use IPv4 extensively.

  • Common Attack/Abuse: IP spoofing and network scanning.

  • Remember: Four decimal numbers separated by periods.

6
New cards

IPv6

  • Definition: A 128-bit addressing system designed to replace IPv4.

  • Purpose: Supports a much larger number of unique IP addresses.

  • SOC Relevance: Increasingly common in enterprise and cloud environments.

  • Common Attack/Abuse: Misconfigured IPv6 networks can bypass security controls.

  • Remember: Eight groups of hexadecimal values.

7
New cards

MAC Address

  • Definition: A unique hardware address assigned to a network interface.

  • Purpose: Identifies devices on a local network.

  • SOC Relevance: Used to identify devices within the same LAN.

  • Common Attack/Abuse: MAC spoofing.

  • Remember: Physical hardware address.

8
New cards

ARP

  • Definition: A protocol that maps IPv4 addresses to MAC addresses.

  • Purpose: Allows devices to locate one another on a local network.

  • SOC Relevance: Useful when investigating local network communications.

  • Common Attack/Abuse: ARP spoofing (ARP poisoning).

  • Remember: Resolves IP addresses to MAC addresses.

9
New cards

DNS

  • Definition: A service that translates domain names into IP addresses.

  • Purpose: Allows users to access resources using names instead of numeric addresses.

  • SOC Relevance: DNS logs often reveal malicious domains and command-and-control activity.

  • Common Attack/Abuse: DNS tunneling, cache poisoning, domain generation algorithms.

  • Remember: Port 53.

10
New cards

DHCP

  • Definition: A protocol that automatically assigns network configuration to devices.

  • Purpose: Dynamically provides IP addresses and network settings.

  • SOC Relevance: DHCP logs help identify which device was assigned an IP address.

  • Common Attack/Abuse: Rogue DHCP servers and DHCP starvation attacks.

  • Remember: Automatically assigns IP addresses.

11
New cards

NAT

  • Definition: A process that translates private IP addresses into public IP addresses.

  • Purpose: Conserves public IP addresses and hides internal networks.

  • SOC Relevance: Helps analysts understand why multiple devices share one public IP.

  • Common Attack/Abuse: Can obscure the true source of network traffic.

  • Remember: Private to public address translation.

12
New cards

VLAN

  • Definition: A logical network that separates devices into different broadcast domains.

  • Purpose: Improves network organization, performance, and security.

  • SOC Relevance: Limits communication between network segments.

  • Common Attack/Abuse: VLAN hopping.

  • Remember: Logical network segmentation.

13
New cards

VPN

  • Definition: An encrypted connection between a device and a remote network.

  • Purpose: Protects data while accessing networks over the Internet.

  • SOC Relevance: VPN logs are important during remote access investigations.

  • Common Attack/Abuse: Credential theft and session hijacking.

  • Remember: Secure remote access.

14
New cards

Proxy

  • Definition: A server that forwards requests between a client and another server.

  • Purpose: Filters, caches, or monitors network traffic.

  • SOC Relevance: Proxy logs help track user web activity.

  • Common Attack/Abuse: Attackers may use proxies to hide their location.

  • Remember: Acts as an intermediary.

15
New cards

Firewall

  • Definition: A security device or software that filters network traffic based on predefined rules.

  • Purpose: Allows or blocks traffic entering or leaving a network.

  • SOC Relevance: Firewall logs are a primary source during network investigations.

  • Common Attack/Abuse: Rule misconfigurations and firewall evasion techniques.

  • Remember: Controls network traffic.

16
New cards

IDS

  • Definition: An Intrusion Detection System monitors network or system activity for suspicious behavior.

  • Purpose: Detects potential security threats.

  • SOC Relevance: Generates alerts for analysts to investigate.

  • Common Attack/Abuse: Evasion through encrypted or fragmented traffic.

  • Remember: Detects suspicious activity.

17
New cards

IPS

  • Definition: An Intrusion Prevention System monitors and automatically blocks malicious activity.

  • Purpose: Prevents known attacks before they reach systems.

  • SOC Relevance: Helps stop attacks while generating investigation logs.

  • Common Attack/Abuse: Evasion through encrypted or obfuscated traffic.

  • Remember: Detects and blocks malicious activity.

18
New cards

HTTP

  • Definition: Hypertext Transfer Protocol used for transmitting web pages and web application data.

  • Purpose: Allows communication between web browsers and web servers.

  • SOC Relevance: Frequently analyzed during web traffic investigations.

  • Common Attack/Abuse: Man-in-the-Middle (unencrypted), session hijacking, web application attacks.

  • Remember: Port 80 and not encrypted.

19
New cards

HTTPS

  • Definition: Hypertext Transfer Protocol Secure that uses TLS to encrypt web traffic.

  • Purpose: Protects the confidentiality and integrity of web communications.

  • SOC Relevance: Most web traffic today uses HTTPS.

  • Common Attack/Abuse: SSL stripping, certificate abuse, malicious traffic hidden inside encrypted sessions.

  • Remember: Port 443 and encrypted with TLS.

20
New cards

FTP

  • Definition: File Transfer Protocol used to transfer files between computers.

  • Purpose: Uploads and downloads files across a network.

  • SOC Relevance: Legacy protocol still found in some environments.

  • Common Attack/Abuse: Credential theft because usernames and passwords are sent in plaintext.

  • Remember: Ports 20 and 21.

21
New cards

SFTP

  • Definition: SSH File Transfer Protocol used for secure file transfers.

  • Purpose: Transfers files through an encrypted SSH connection.

  • SOC Relevance: Common replacement for FTP.

  • Common Attack/Abuse: Stolen SSH credentials.

  • Remember: Port 22.

22
New cards

SSH

  • Definition: Secure Shell protocol for encrypted remote administration.

  • Purpose: Securely connects to remote systems.

  • SOC Relevance: Used by administrators to manage Linux and network devices.

  • Common Attack/Abuse: Brute-force attacks, stolen SSH keys.

  • Remember: Port 22.

23
New cards

Telnet

  • Definition: Remote access protocol that sends data in plaintext.

  • Purpose: Allows command-line access to remote systems.

  • SOC Relevance: Considered insecure and rarely used in modern environments.

  • Common Attack/Abuse: Credential interception.

  • Remember: Port 23.

24
New cards

SMTP

  • Definition: Simple Mail Transfer Protocol used to send email.

  • Purpose: Transfers outgoing email between clients and mail servers.

  • SOC Relevance: Important during phishing and email investigations.

  • Common Attack/Abuse: Email spoofing, phishing campaigns.

  • Remember: Port 25.

25
New cards

POP3

  • Definition: Post Office Protocol version 3 retrieves email from a mail server.

  • Purpose: Downloads email to a client device.

  • SOC Relevance: Seen in legacy email environments.

  • Common Attack/Abuse: Credential theft if encryption is not used.

  • Remember: Port 110.

26
New cards

IMAP

  • Definition: Internet Message Access Protocol retrieves and manages email stored on a mail server.

  • Purpose: Synchronizes email across multiple devices.

  • SOC Relevance: Common protocol used by modern email clients.

  • Common Attack/Abuse: Credential theft and unauthorized mailbox access.

  • Remember: Port 143.

27
New cards

DNS

  • Definition: Domain Name System translates domain names into IP addresses.

  • Purpose: Allows users to locate network resources using names instead of IP addresses.

  • SOC Relevance: DNS logs are commonly reviewed during investigations.

  • Common Attack/Abuse: DNS tunneling and cache poisoning.

  • Remember: Port 53.

28
New cards

LDAP

  • Definition: Lightweight Directory Access Protocol used to access and manage directory services.

  • Purpose: Retrieves user, group, and device information.

  • SOC Relevance: Commonly used with Active Directory authentication.

  • Common Attack/Abuse: LDAP injection and unauthorized directory enumeration.

  • Remember: Port 389.

29
New cards

LDAPS

  • Definition: LDAP secured with TLS encryption.

  • Purpose: Protects directory communications.

  • SOC Relevance: Preferred over standard LDAP.

  • Common Attack/Abuse: Certificate misconfiguration.

  • Remember: Port 636.

30
New cards

SMB

  • Definition: Server Message Block protocol used for file and printer sharing.

  • Purpose: Allows systems to share files and network resources.

  • SOC Relevance: Frequently involved in lateral movement and ransomware investigations.

  • Common Attack/Abuse: Pass-the-Hash, ransomware propagation, EternalBlue.

  • Remember: Port 445.

31
New cards

RDP

  • Definition: Remote Desktop Protocol provides graphical remote access to Windows systems.

  • Purpose: Allows users to remotely control a computer.

  • SOC Relevance: Common entry point during account compromise investigations.

  • Common Attack/Abuse: Brute-force attacks, credential theft.

  • Remember: Port 3389.

32
New cards

SNMP

  • Definition: Simple Network Management Protocol monitors and manages network devices.

  • Purpose: Collects status and performance information from devices.

  • SOC Relevance: Useful for monitoring routers, switches, and firewalls.

  • Common Attack/Abuse: Default community strings and unauthorized device enumeration.

  • Remember: Ports 161 and 162.

33
New cards

NTP

  • Definition: Network Time Protocol synchronizes system clocks.

  • Purpose: Keeps devices using the same accurate time.

  • SOC Relevance: Accurate timestamps are critical for incident investigations and log correlation.

  • Common Attack/Abuse: NTP amplification attacks.

  • Remember: Port 123.

34
New cards

Kerberos

  • Definition: A network authentication protocol that uses tickets to verify user identities.

  • Purpose: Provides secure authentication in Active Directory environments.

  • SOC Relevance: Commonly appears in Windows authentication logs.

  • Common Attack/Abuse: Kerberoasting, Golden Ticket, Silver Ticket.

  • Remember: Port 88.

35
New cards

DHCP

  • Definition: Dynamic Host Configuration Protocol automatically assigns IP addresses and network settings.

  • Purpose: Simplifies network configuration.

  • SOC Relevance: DHCP logs help identify which device used an IP address at a specific time.

  • Common Attack/Abuse: Rogue DHCP servers and DHCP starvation.

  • Remember: Ports 67 and 68.

36
New cards

Active Directory (AD)

  • Definition: A directory service developed by Microsoft that stores and manages users, computers, groups, and other network resources within a Windows domain.

  • Purpose: Centralizes authentication, authorization, and management of network resources.

  • SOC Relevance: Most enterprise environments use Active Directory, making it a common target during investigations.

  • Common Attack/Abuse: Credential theft, privilege escalation, Kerberoasting, Pass-the-Hash, Golden Ticket attacks.

  • Remember: The central identity management system for Windows domains.

37
New cards

Kerberos

  • Definition: A network authentication protocol that verifies identities using encrypted tickets.

  • Purpose: Securely authenticates users and services without repeatedly sending passwords.

  • SOC Relevance: Used as the default authentication protocol in Active Directory.

  • Common Attack/Abuse: Kerberoasting, Golden Ticket, Silver Ticket attacks.

  • Remember: Uses tickets, not passwords, after initial authentication.

38
New cards

NTLM

  • Definition: A legacy Microsoft authentication protocol that verifies user credentials.

  • Purpose: Provides authentication when Kerberos cannot be used.

  • SOC Relevance: Still appears in Windows environments and authentication logs.

  • Common Attack/Abuse: Pass-the-Hash, NTLM relay attacks.

  • Remember: Older and less secure than Kerberos.

39
New cards

LDAP

  • Definition: Lightweight Directory Access Protocol used to access and manage directory services.

  • Purpose: Allows applications and users to query and modify directory information.

  • SOC Relevance: Commonly used with Active Directory for user and group lookups.

  • Common Attack/Abuse: LDAP injection and unauthorized directory enumeration.

  • Remember: Standard protocol for directory services.

40
New cards

SAML

  • Definition: Security Assertion Markup Language is an XML-based authentication standard used for Single Sign-On (SSO).

  • Purpose: Allows users to authenticate once and access multiple applications.

  • SOC Relevance: Common in enterprise cloud applications and identity providers.

  • Common Attack/Abuse: Stolen or forged SAML assertions.

  • Remember: Used for Single Sign-On (SSO).

41
New cards

OAuth

  • Definition: An authorization framework that allows applications to access resources on a user's behalf without exposing the user's password.

  • Purpose: Grants limited access to protected resources using access tokens.

  • SOC Relevance: Frequently investigated when reviewing cloud application permissions.

  • Common Attack/Abuse: Token theft and malicious OAuth application consent.

  • Remember: Authorization, not authentication.

42
New cards

Multi-Factor Authentication (MFA)

  • Definition: A security method that requires two or more authentication factors to verify a user's identity.

  • Purpose: Reduces the risk of unauthorized access caused by stolen credentials.

  • SOC Relevance: One of the most effective defenses against account compromise.

  • Common Attack/Abuse: MFA fatigue attacks, SIM swapping, phishing proxies.

  • Remember: Something you know, have, or are.

43
New cards

Public Key Infrastructure (PKI)

  • Definition: A framework of hardware, software, policies, and procedures used to create, manage, distribute, and revoke digital certificates.

  • Purpose: Establishes trust and supports secure communications.

  • SOC Relevance: Used for HTTPS, VPNs, email encryption, and digital signatures.

  • Common Attack/Abuse: Certificate theft and compromised certificate authorities.

  • Remember: Manages digital trust.

44
New cards

Digital Certificate

  • Definition: An electronic credential that binds a public key to the identity of a person, device, or organization.

  • Purpose: Verifies identity and enables encrypted communication.

  • SOC Relevance: Used in HTTPS, VPNs, email security, and device authentication.

  • Common Attack/Abuse: Expired, forged, or stolen certificates.

  • Remember: Proves identity.

45
New cards

Certificate Authority (CA)

  • Definition: A trusted organization or system that issues and signs digital certificates.

  • Purpose: Confirms the identity of certificate owners.

  • SOC Relevance: Trust in secure communications depends on trusted CAs.

  • Common Attack/Abuse: Compromised or rogue certificate authorities issuing fraudulent certificates.

  • Remember: Trusted issuer of certificates.

46
New cards

Single Sign-On (SSO)

  • Definition: An authentication process that allows users to log in once and access multiple applications.

  • Purpose: Simplifies authentication and improves user experience.

  • SOC Relevance: Frequently used with SAML, OpenID Connect, and enterprise identity providers.

  • Common Attack/Abuse: Stolen SSO sessions and token theft.

  • Remember: One login, many applications.

47
New cards

Identity Provider (IdP)

  • Definition: A service that authenticates users and provides identity information to applications.

  • Purpose: Centralizes user authentication.

  • SOC Relevance: Common identity providers include Microsoft Entra ID, Okta, and Ping Identity.

  • Common Attack/Abuse: Credential theft, token theft, phishing attacks.

  • Remember: Verifies who the user is.

48
New cards

Service Provider (SP)

  • Definition: An application or service that relies on an Identity Provider to authenticate users.

  • Purpose: Provides services after receiving proof of authentication.

  • SOC Relevance: Enterprise cloud applications often function as Service Providers.

  • Common Attack/Abuse: Trust relationship abuse and session hijacking.

  • Remember: Provides the application or service.

49
New cards

Hash

  • Definition: A one-way mathematical function that converts data into a fixed-length value.

  • Purpose: Verifies data integrity and securely stores passwords.

  • SOC Relevance: Used to identify malware, verify file integrity, and store passwords.

  • Common Attack/Abuse: Rainbow table attacks against weak or unsalted hashes, hash collisions (rare).

  • Remember: Cannot be reversed.

50
New cards

Salt

  • Definition: Random data added to a password before hashing.

  • Purpose: Makes identical passwords produce different hashes and protects against rainbow table attacks.

  • SOC Relevance: Indicates whether password storage follows security best practices.

  • Common Attack/Abuse: Weak or missing salts make password cracking easier.

  • Remember: A salt is added before hashing.

51
New cards

AES (Advanced Encryption Standard)

  • Definition: A symmetric encryption algorithm used to encrypt data.

  • Purpose: Protects the confidentiality of data at rest and in transit.

  • SOC Relevance: Commonly used in HTTPS, VPNs, wireless networks, and disk encryption.

  • Common Attack/Abuse: Attackers usually target the encryption keys rather than AES itself.

  • Remember: Symmetric encryption standard.

52
New cards

RSA

  • Definition: An asymmetric encryption algorithm that uses a public and private key pair.

  • Purpose: Encrypts data, exchanges keys, and creates digital signatures.

  • SOC Relevance: Widely used in TLS, certificates, and secure communications.

  • Common Attack/Abuse: Private key theft or weak key sizes.

  • Remember: Public key encrypts, private key decrypts.

53
New cards

ECC (Elliptic Curve Cryptography)

  • Definition: An asymmetric encryption algorithm that provides strong security using smaller key sizes.

  • Purpose: Encrypts data and creates digital signatures efficiently.

  • SOC Relevance: Common in mobile devices, VPNs, and modern TLS implementations.

  • Common Attack/Abuse: Private key compromise.

  • Remember: Strong security with smaller keys.

54
New cards

SHA-256

  • Definition: A cryptographic hash function that produces a 256-bit hash value.

  • Purpose: Verifies file integrity and securely stores password hashes.

  • SOC Relevance: Used to identify malware and verify downloaded files.

  • Common Attack/Abuse: Brute-force attacks against weak passwords.

  • Remember: Produces a 256-bit hash.

55
New cards

SHA-512

  • Definition: A cryptographic hash function that produces a 512-bit hash value.

  • Purpose: Verifies integrity and securely stores sensitive data.

  • SOC Relevance: Used where stronger hashing is required.

  • Common Attack/Abuse: Password cracking against weak passwords.

  • Remember: Produces a 512-bit hash.

56
New cards

TLS (Transport Layer Security)

  • Definition: A cryptographic protocol that encrypts communications between devices.

  • Purpose: Protects data confidentiality and integrity during transmission.

  • SOC Relevance: Used by HTTPS, email, VPNs, and many secure applications.

  • Common Attack/Abuse: SSL stripping, certificate abuse, downgrade attacks.

  • Remember: Replaced SSL.

57
New cards

Digital Signature

  • Definition: A cryptographic value used to verify the authenticity and integrity of data.

  • Purpose: Confirms that data has not been altered and verifies the sender's identity.

  • SOC Relevance: Used to validate software, documents, and email.

  • Common Attack/Abuse: Stolen signing certificates and private keys.

  • Remember: Provides authentication, integrity, and non-repudiation.

58
New cards

Symmetric Encryption

  • Definition: An encryption method that uses the same key for encryption and decryption.

  • Purpose: Protects data quickly and efficiently.

  • SOC Relevance: Used for encrypting large amounts of data.

  • Common Attack/Abuse: Key theft or unauthorized key sharing.

  • Remember: One key.

59
New cards

Asymmetric Encryption

  • Definition: An encryption method that uses a public key and a private key.

  • Purpose: Enables secure communication and digital signatures.

  • SOC Relevance: Used for certificates, TLS, VPNs, and secure authentication.

  • Common Attack/Abuse: Private key compromise.

  • Remember: Two keys.

60
New cards

Encryption

  • Definition: The process of converting readable data into unreadable ciphertext using an encryption algorithm.

  • Purpose: Protects the confidentiality of information.

  • SOC Relevance: Used to secure sensitive files, communications, and databases.

  • Common Attack/Abuse: Key theft and weak encryption implementations.

  • Remember: Protects confidentiality.

61
New cards

Ciphertext

  • Definition: Data that has been encrypted into an unreadable format.

  • Purpose: Prevents unauthorized users from reading sensitive information.

  • SOC Relevance: Analysts may encounter encrypted files or communications during investigations.

  • Common Attack/Abuse: Attackers attempt to steal encryption keys rather than read ciphertext directly.

  • Remember: Encrypted data.

62
New cards

Plaintext

  • Definition: Readable, unencrypted data.

  • Purpose: Represents the original information before encryption or after decryption.

  • SOC Relevance: Sensitive plaintext data should never be transmitted over insecure channels.

  • Common Attack/Abuse: Data interception when transmitted without encryption.

  • Remember: Human-readable data.

63
New cards

Phishing

  • Definition: A social engineering attack that tricks users into revealing sensitive information or performing harmful actions.

  • Purpose: Steals credentials, financial information, or delivers malware.

  • SOC Relevance: One of the most common initial access methods investigated by SOC analysts.

  • Common Attack/Abuse: Fake login pages, malicious links, and infected attachments.

  • Remember: Broad attack targeting many users.

64
New cards

Spear Phishing

  • Definition: A phishing attack targeted at a specific individual or organization.

  • Purpose: Increases the chance of success by using personalized information.

  • SOC Relevance: Frequently used against employees with access to sensitive data.

  • Common Attack/Abuse: Business email compromise (BEC), credential theft.

  • Remember: Personalized phishing.

65
New cards

Whaling

  • Definition: A phishing attack specifically targeting high-profile individuals such as executives.

  • Purpose: Steals sensitive information or authorizes fraudulent transactions.

  • SOC Relevance: Often involved in Business Email Compromise investigations.

  • Common Attack/Abuse: CEO fraud, wire transfer scams.

  • Remember: Targets executives.

66
New cards

Smishing

  • Definition: A phishing attack delivered through SMS text messages.

  • Purpose: Tricks users into clicking malicious links or revealing information.

  • SOC Relevance: Increasingly common in credential theft campaigns.

  • Common Attack/Abuse: Fake delivery notifications, banking scams.

  • Remember: SMS phishing.

67
New cards

Vishing

  • Definition: A phishing attack conducted through phone calls or voice messages.

  • Purpose: Tricks victims into revealing sensitive information.

  • SOC Relevance: Often used to bypass technical security controls.

  • Common Attack/Abuse: Fake IT support, bank impersonation.

  • Remember: Voice phishing.

68
New cards

Password Spraying

  • Definition: An attack that attempts one common password against many user accounts.

  • Purpose: Avoids account lockout policies while trying to gain access.

  • SOC Relevance: Common authentication alert investigated in SOCs.

  • Common Attack/Abuse: Uses weak or commonly used passwords.

  • Remember: One password, many accounts.

69
New cards

Credential Stuffing

  • Definition: An attack that uses stolen username and password combinations from previous data breaches.

  • Purpose: Gains unauthorized access to accounts where users reused passwords.

  • SOC Relevance: Common in cloud and web application investigations.

  • Common Attack/Abuse: Automated login attempts using breached credentials.

  • Remember: Stolen credentials from another breach.

70
New cards

Brute Force Attack

  • Definition: An attack that repeatedly guesses passwords until the correct one is found.

  • Purpose: Gains unauthorized access to an account or system.

  • SOC Relevance: Often detected through multiple failed login attempts.

  • Common Attack/Abuse: Password guessing against RDP, VPN, SSH, and web logins.

  • Remember: Many guesses against one account.

71
New cards

Pass-the-Hash

  • Definition: An attack that authenticates using a stolen password hash instead of the actual password.

  • Purpose: Moves laterally through Windows environments.

  • SOC Relevance: Common technique during Active Directory compromises.

  • Common Attack/Abuse: Uses stolen NTLM hashes.

  • Remember: Hash instead of password.

72
New cards

SQL Injection (SQLi)

  • Definition: An attack that inserts malicious SQL commands into an application's database query.

  • Purpose: Reads, modifies, or deletes database information.

  • SOC Relevance: Common web application attack investigated by security teams.

  • Common Attack/Abuse: Database theft and authentication bypass.

  • Remember: Targets databases.

73
New cards

Cross-Site Scripting (XSS)

  • Definition: An attack that injects malicious JavaScript into a trusted website.

  • Purpose: Executes code in a victim's web browser.

  • SOC Relevance: Common vulnerability affecting web applications.

  • Common Attack/Abuse: Session cookie theft and website defacement.

  • Remember: Runs in the user's browser.

74
New cards

Cross-Site Request Forgery (CSRF)

  • Definition: An attack that tricks an authenticated user into submitting an unwanted request.

  • Purpose: Performs actions without the user's knowledge.

  • SOC Relevance: Targets authenticated web sessions.

  • Common Attack/Abuse: Changing passwords or transferring funds while the user is logged in.

  • Remember: Exploits user trust.

75
New cards

Command Injection

  • Definition: An attack that causes an application to execute unauthorized operating system commands.

  • Purpose: Allows attackers to control or compromise a server.

  • SOC Relevance: Can lead to remote code execution.

  • Common Attack/Abuse: Running system commands through vulnerable applications.

  • Remember: Executes operating system commands.

76
New cards

DNS Tunneling

  • Definition: A technique that uses DNS queries to transfer unauthorized data.

  • Purpose: Bypasses network security controls and communicates with attacker-controlled systems.

  • SOC Relevance: Common indicator of command-and-control activity.

  • Common Attack/Abuse: Data exfiltration and malware communication.

  • Remember: Abuse of DNS traffic.

77
New cards

Denial-of-Service (DoS)

  • Definition: An attack that overwhelms a system or service until it becomes unavailable.

  • Purpose: Disrupts normal operations.

  • SOC Relevance: Causes service outages and performance issues.

  • Common Attack/Abuse: SYN floods and UDP floods.

  • Remember: One attacker, one source.

78
New cards

Distributed Denial-of-Service (DDoS)

  • Definition: A denial-of-service attack launched from many compromised devices simultaneously.

  • Purpose: Overwhelms a target with massive amounts of traffic.

  • SOC Relevance: Common attack against public-facing websites.

  • Common Attack/Abuse: Botnet-driven flooding attacks.

  • Remember: Many attackers, one target.

79
New cards

Man-in-the-Middle (MitM)

  • Definition: An attack where an attacker secretly intercepts communications between two parties.

  • Purpose: Steals or modifies transmitted information.

  • SOC Relevance: Common on insecure wireless networks.

  • Common Attack/Abuse: ARP spoofing and rogue Wi-Fi access points.

  • Remember: Attacker sits between two devices.

80
New cards

Replay Attack

  • Definition: An attack that captures and retransmits legitimate authentication data.

  • Purpose: Gains unauthorized access without knowing the password.

  • SOC Relevance: Targets authentication protocols lacking replay protection.

  • Common Attack/Abuse: Reusing captured authentication tokens.

  • Remember: Reuses valid communications.

81
New cards

Privilege Escalation

  • Definition: An attack that gains higher levels of system permissions.

  • Purpose: Allows attackers to perform unauthorized actions.

  • SOC Relevance: Frequently follows initial compromise.

  • Common Attack/Abuse: Exploiting software vulnerabilities or misconfigurations.

  • Remember: Gains more permissions.

82
New cards

Lateral Movement

  • Definition: The process of moving from one compromised system to another within a network.

  • Purpose: Expands attacker access.

  • SOC Relevance: Common during ransomware and Active Directory attacks.

  • Common Attack/Abuse: Pass-the-Hash, stolen credentials, PsExec.

  • Remember: Moves across the network.

83
New cards

Virus

  • Definition: Malicious software that attaches itself to a legitimate file or program and spreads when the infected file is executed.

  • Purpose: Disrupts systems, damages data, or delivers additional malware.

  • SOC Relevance: Can be identified through antivirus, EDR, and file analysis.

  • Common Attack/Abuse: Infects executable files and spreads through user interaction.

  • Remember: Requires user action to spread.

84
New cards

Worm

  • Definition: Malicious software that spreads automatically across networks without user interaction.

  • Purpose: Rapidly infects vulnerable systems.

  • SOC Relevance: Can generate widespread network activity and multiple endpoint alerts.

  • Common Attack/Abuse: Exploits network vulnerabilities to self-propagate.

  • Remember: Spreads by itself.

85
New cards

Trojan

  • Definition: Malicious software disguised as legitimate software.

  • Purpose: Tricks users into installing malware.

  • SOC Relevance: Often used as the initial malware delivered through phishing.

  • Common Attack/Abuse: Downloads additional malware or provides unauthorized access.

  • Remember: Looks legitimate but is malicious.

86
New cards

Remote Access Trojan (RAT)

  • Definition: Malware that gives an attacker remote control of an infected system.

  • Purpose: Allows attackers to monitor, control, and steal data from a victim.

  • SOC Relevance: Often detected through unusual outbound connections or EDR alerts.

  • Common Attack/Abuse: Remote command execution, surveillance, data theft.

  • Remember: Remote control malware.

87
New cards

Rootkit

  • Definition: Malware designed to hide itself and other malicious activity from the operating system and security tools.

  • Purpose: Maintains persistent, hidden access.

  • SOC Relevance: Makes malware difficult to detect and remove.

  • Common Attack/Abuse: Hides files, processes, registry keys, or network connections.

  • Remember: Hides malicious activity.

88
New cards

Ransomware

  • Definition: Malware that encrypts files or systems and demands payment for their recovery.

  • Purpose: Extorts victims for financial gain.

  • SOC Relevance: One of the most common and damaging incidents handled by SOC teams.

  • Common Attack/Abuse: Encrypts data and may also steal information before encryption.

  • Remember: Encrypts files for ransom.

89
New cards

Spyware

  • Definition: Malware that secretly collects information about a user or system.

  • Purpose: Steals credentials, browsing history, or sensitive information.

  • SOC Relevance: May be detected through unusual outbound traffic or EDR alerts.

  • Common Attack/Abuse: Credential theft and user monitoring.

  • Remember: Secretly gathers information.

90
New cards

Adware

  • Definition: Software that displays unwanted advertisements to users.

  • Purpose: Generates advertising revenue for the attacker or developer.

  • SOC Relevance: May indicate unwanted software or bundled malware.

  • Common Attack/Abuse: Displays pop-ups, redirects browsers, tracks user activity.

  • Remember: Shows unwanted advertisements.

91
New cards

Logic Bomb

  • Definition: Malicious code that activates when a specific condition or event occurs.

  • Purpose: Delays malicious activity until triggered.

  • SOC Relevance: Difficult to detect before activation.

  • Common Attack/Abuse: Activates on a specific date, time, or user action.

  • Remember: Triggered by a condition.

92
New cards

Botnet

  • Definition: A network of compromised devices controlled by an attacker.

  • Purpose: Performs coordinated malicious activities.

  • SOC Relevance: Used in DDoS attacks, spam campaigns, and malware distribution.

  • Common Attack/Abuse: Distributed Denial-of-Service (DDoS), credential attacks, cryptocurrency mining.

  • Remember: Many infected devices under one attacker's control.

93
New cards

Keylogger

  • Definition: Malware that records keystrokes entered by a user.

  • Purpose: Steals usernames, passwords, and other sensitive information.

  • SOC Relevance: Often discovered during endpoint investigations.

  • Common Attack/Abuse: Credential theft.

  • Remember: Records everything typed.

94
New cards

Backdoor

  • Definition: A hidden method of bypassing normal authentication to access a system.

  • Purpose: Maintains unauthorized access after a compromise.

  • SOC Relevance: Common persistence mechanism used by attackers.

  • Common Attack/Abuse: Remote access and malware persistence.

  • Remember: Hidden access into a system.

95
New cards

Fileless Malware

  • Definition: Malware that operates primarily in memory without writing files to disk.

  • Purpose: Avoids traditional antivirus detection.

  • SOC Relevance: Frequently detected by EDR solutions through behavioral analysis.

  • Common Attack/Abuse: Uses PowerShell, WMI, or legitimate system tools.

  • Remember: Runs in memory.

96
New cards

Dropper

  • Definition: Malware designed to install or deliver additional malware onto a system.

  • Purpose: Bypasses security controls to deploy malicious payloads.

  • SOC Relevance: Often the first malware identified during an infection.

  • Common Attack/Abuse: Downloads ransomware, RATs, or spyware.

  • Remember: Delivers other malware.

97
New cards

Downloader

  • Definition: Malware whose primary function is to download additional malicious software.

  • Purpose: Retrieves payloads from attacker-controlled servers.

  • SOC Relevance: Often generates suspicious outbound network traffic.

  • Common Attack/Abuse: Downloads secondary malware after infection.

  • Remember: Downloads more malware.