During runtime, a malware might interact with various system components, such as _________________________
Registry, file and folders, windows processes and services, and device drivers.
During runtime, a malware might _____________________
Update/delete registry keys or create malicious Windows services/processes to accomplish what it is designed to do.
After running the malware, investigators can ____________________________
Analyze the changes in registry, processes, or services by comparing the result with the baseline image and by using various forensic tools.
Investigators can also examine the _______________________
API calls made by the malware and monitor event logs to see the changes on the system properties performed by the malware.
System Behavior Analysis: Monitoring Registry Artifacts: What stores OS and program configuration details, such as settings and options?
Windows registry
System Behavior Analysis: Monitoring Registry Artifacts: If the malware is a program, ______________.
The registry stores its functionality
System Behavior Analysis: Monitoring Registry Artifacts: Malware manipulates the registry to _________________________
Ensure that it runs automatically whenever a computer or device boots or a user logs in
System Behavior Analysis: Monitoring Registry Artifacts: True or False: Forensic investigators can execute the malware on a Windows forensic workstation and observe how it interacts with the system registry files, particularly the registry keys and values that are created, modified, or deleted by it.
True
System Behavior Analysis: Monitoring Registry Artifacts: Investigators can look into specific registry locations while performing a runtime analysis of the malware to learn more about its functionality. Monitoring _____________ can be quite useful as those are the most common locations targeted by malware.
AutoStart registry keys
Windows AutoStart Registry Keys: The AutoStart keys within the Windows registry, ______________________________________________________________
Which allow programs to be executed automatically upon system reboot or user login, are the most common locations targeted by malware to achieve persistence on any compromised machine.
Windows AutoStart Registry Keys: Some of the Windows AutoStart registry keys targeted by malicious programs involve _______________
Run/RunOnce Keys
Windows AutoStart Registry Keys: Malware often modifies Run/RunOnce registry keys to continue running on the system whenever the user logs in. Which of the following are one of those registry keys?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows AutoStart Registry Keys: Malware often modifies Run/RunOnce registry keys to continue running on the system whenever the user logs in. Which of the following are one of those registry keys?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows AutoStart Registry Keys: Besides the Windows AutoStart registry keys such as the Run/RunOnce keys, a malicious program can also modify which of the following system-related keys?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows AutoStart Registry Keys: Besides the Windows AutoStart registry keys such as the Run/RunOnce keys, a malicious program can also modify which of the following system-related keys?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Windows AutoStart Registry Keys: Besides the Windows AutoStart registry keys such as the Run/RunOnce keys, a malicious program can also modify which of the following system-related keys?
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Startup Keys: Malware authors also try to place their malicious executable file within the _______________________________________________________________________
Startup directory of the compromised system and create a shortcut entry in the location pointed to by the Startup subkey, which is set to execute the service automatically on each logon/reboot
Startup Keys: Which of the following startup locations are found both at the user level and system level?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
Startup Keys: Which of the following startup locations are found both at the user level and system level?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
Startup Keys: Which of the following startup locations are found both at the user level and system level?
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
Startup Keys: Which of the following startup locations are found both at the user level and system level?
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
Analyzing Windows AutoStart Registry Keys: After the malware is executed on a Windows forensic workstation, investigators can examine _____________________ via tools like ____________ to see if it follows any persistence mechanism.
AutoStart registry locations; Regripper
Analyzing Windows AutoStart Registry Keys: What is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis?
RegRipper
System Behavior Analysis: Monitoring Processes: Some malware also use ____________________ to inject themselves into various processes (such as explorer.exe or web browsers).
PEs (Portable Executable)
System Behavior Analysis: Monitoring Processes: Investigators should perform _____________ as it will help them understand the processes initiated and taken over by a malware after execution.
Process monitoring
System Behavior Analysis: Monitoring Processes: True or False: They should also observe the child processes, associated handles, loaded libraries, and functions to define the nature of a file or program, gather information about processes running before execution of the malware, and compare them to the processes running after execution. This method will reduce the time taken to analyze the processes and help in easy identification of all processes started by the malware.
True
System Behavior Analysis: Monitoring Processes: What is a monitoring tool for Windows that shows real-time file system, registry, and process/thread activity and combines the features of two Sysinternals utilities, Filemon and Regmon, and adds enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more?
Process Monitor
System Behavior Analysis: Monitoring Processes: Which tool's uniquely powerful features make it a core utility in your system troubleshooting and malware hunting toolkit?
Process Monitor
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
More data captured for operation input and output parameters
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Non-destructive filters allow you to set filters without losing data
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Capture of thread stacks for each operation makes it possible in many cases to identify the root cause of an operation
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Reliable capture of process details, including image path, command line, and user and session IDs
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Configurable and moveable columns for any event property
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Filters can be set for any data field, including fields not configured as columns
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Process tree tool shows the relationship between all processes referenced in a trace
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Native log format preserves all data for loading in a different Process Monitor instance
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Process tooltip for easy viewing of process image information
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Detail tooltip allows convenient access to formatted data that does not fit in the column
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Cancellable search
Process Monitor includes monitoring and filtering capabilities, which includes which of the following?
Boot time logging of all operations
System Behavior Analysis: Monitoring Windows Services: Attackers design malware and other malicious code in such a way that they install and run on a computer device in the form of a _________
Service
System Behavior Analysis: Monitoring Windows Services: A malware might spawn Windows services that give attackers remote control of the victim machine and let them pass malicious instructions, or apply rootkit techniques to manipulate __________________________________ and avoid detection.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services registry keys
System Behavior Analysis: Monitoring Windows Services: True or False: As many Windows services run in the background to support processes and applications, the malicious services are invisible even when performing harmful activities on the system and can function even without any intervention or input.
True
System Behavior Analysis: Monitoring Windows Services: Malicious services run as a ______________________, which provides more access than user accounts and makes them more dangerous than common malware and executable code.
SYSTEM account or other privileged accounts
System Behavior Analysis: Monitoring Windows Services: True or False: Attackers also try to trick users and investigators alike by naming the malicious services with names similar to that of genuine Windows services to avoid detection.
True
System Behavior Analysis: Monitoring Windows Services: Investigators need to trace the malicious services initiated by a malware during runtime analysis using tools that can detect changes in _________
Services
System Behavior Analysis: Monitoring Windows Services: What is a small tool that simplifies all common tasks related to Windows services and can create services (both Win32 and Legacy Driver) without restarting Windows, delete existing services, and change service configuration?
Windows Service Manager (SrvMan)
System Behavior Analysis: Monitoring Windows Services: What are the features of Windows Service Manager (SrvMan)?
Allows creation of drivers and Win32 services without restarting
System Behavior Analysis: Monitoring Windows Services: What are the features of Windows Service Manager (SrvMan)?
Supports both GUI and command Line
System Behavior Analysis: Monitoring Windows Services: What are the features of Windows Service Manager (SrvMan)?
Supports all modern 32-bit and 64-bit versions of Windows
System Behavior Analysis: Monitoring Windows Services: What are the features of Windows Service Manager (SrvMan)?
Allows running of arbitrary Win32 applications as services
System Behavior Analysis: Monitoring Windows Services: What are the features of Windows Service Manager (SrvMan)?
Allows installing & running legacy driver services in a single command line call
System Behavior Analysis: Monitoring Windows Services: You can use SrvMan's command line interface to perform which of the following tasks?
Creating Services
System Behavior Analysis: Monitoring Windows Services: You can use SrvMan's command line interface to perform which of the following tasks?
Deleting services
System Behavior Analysis: Monitoring Windows Services: You can use SrvMan's command line interface to perform which of the following tasks?
Starting/stopping/restarting services
System Behavior Analysis: Monitoring Windows Services: You can use SrvMan's command line interface to perform which of the following tasks?
Testing legacy drivers
System Behavior Analysis: Monitoring Startup Programs: True or False: Various Trojans and malware can alter the system settings and add themselves to the startup menu to perform malicious activities continuously whenever the system starts. Therefore, investigators must monitor startup programs thoroughly while detecting Trojans.
True
System Behavior Analysis: Monitoring Startup Programs: What are steps to manually detect hidden malware?
Check startup program entries in the registry
System Behavior Analysis: Monitoring Startup Programs: What are steps to manually detect hidden malware?
Check automatically loaded drivers: C:\Windows\System32\drivers
System Behavior Analysis: Monitoring Startup Programs: What are steps to manually detect hidden malware?
Check boot.ini or bcd (bootmgr) entries
System Behavior Analysis: Monitoring Startup Programs: What are steps to manually detect hidden malware?
Check startup Windows services: Run -> type services.msc -> sort by Startup Type
System Behavior Analysis: Monitoring Startup Programs: What are steps to manually detect hidden malware?
Check startup folders
System Behavior Analysis: Monitoring Startup Programs: Check boot.ini or BCD (bootmgr) entries using the command prompt. Open the command prompt as an administrator, type __________, and press Enter to view all boot manager entries.
bcdedit
System Behavior Analysis: Monitoring Startup Programs: To find the startup process, investigators can check the ______________ for viewing services that start automatically when the system boots.
Windows Services list
System Behavior Analysis: Monitoring Startup Programs: To check the Windows services, investigators can navigate to Run, type _____________________________
services.msc and sort by Startup Type.
System Behavior Analysis: Monitoring Startup Programs: What stores the applications or shortcuts of applications that autostart when the system boots?
Startup folders
System Behavior Analysis: Monitoring Startup Programs: To check the startup applications, search the following locations on Windows 10:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\(UserName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
System Behavior Analysis: Monitoring Startup Programs: Another way to access the startup folders is through which of the following steps?
1. Press the Windows and R keys simultaneously to open the Run box
2. Type shell:startup in the box and click OK to navigate to the startup folder
Startup Programs Monitoring Tool: Autoruns for Windows: What utility shows which programs are configured to run during system boot or login, and when you start various built-in Windows applications like Internet Explorer, Explorer, and media players?
Autoruns for Windows
Startup Programs Monitoring Tool: Autoruns for Windows: Run __________ and it shows you the currently configured AutoStart applications as well as the entire list of registry and file system locations available for AutoStart configuration.
Autoruns
Startup Programs Monitoring Tool: Autoruns for Windows: What displays programs that are configured to run automatically during user login or system boot and can help detect suspicious startup programs and processes?
Autoruns for Windows
Startup Programs Monitoring Tool: Autoruns for Windows: What is the command-line version of Autoruns?
Autorunsc
System Behavior Analysis: Monitoring Windows Event Logs: The analysis of event logs, which store a detailed record of all the activities performed on the Windows OS based on auditing policies executed, can provide forensic investigators with ________________________
Valuable information while looking for signs of a malware attack on a specific system
System Behavior Analysis: Monitoring Windows Event Logs: Event logs can be found in the _________________________ folder in all Windows OS editions and are stored with the _________ extension
C:\Windows\System32\winevt\Logs; .evtx
System Behavior Analysis: Monitoring Windows Event Logs: After executing the malware on the Windows forensic workstation, investigators can monitor the events triggered by its activities via Windows’ built-in utility ____________
Event Viewer
System Behavior Analysis: Monitoring API Calls: What are parts of the Windows OS that allow external applications to access operating system information such as file systems, threads, errors, registry, kernel, buttons, mouse pointer, network services, web, and the internet?
Application programming interfaces (APIs)
System Behavior Analysis: Monitoring API Calls: True or False: Malware programs also make use of these APIs to access the operating system information.
True
System Behavior Analysis: Monitoring API Calls: Investigators need to gather the APIs related to malware programs and analyze them to reveal its interaction with the operating system, as well as the activities it has been performing on the system. They can use tools like ___________ to perform the analysis.
API Monitor
System Behavior Analysis: Monitoring API Calls: What tool is free software that lets you monitor and control API calls made by applications and services, and helps in viewing how applications and services work or in tracking problems in applications?
API Monitor
System Behavior Analysis: Monitoring API Calls: In API Monitor, what window displays information about the API call and includes the Thread ID and the name of the DLL that made the API call, the syntax-highlighted API call with all parameters, and the return value? If the API call fails, information about the error is also displayed.
Summary View with Syntax Highlighting
System Behavior Analysis: Monitoring API Calls: In API Monitor, what allows for 13,000 APIs from almost 200 DLLs and over 17,000 methods from 1,300+ COM Interfaces (Shell, web Browser, DirectShow, DirectSound, DirectX, Direct2D, DirectWrite, Windows Imaging Component, Debugger Engine, MAPI, etc)?
API Definitions & COM Interfaces
System Behavior Analysis: Monitoring API Calls: In API Monitor, what can be decoded and displayed, covering 2000 different structures and unions, 1000+ enumerated data types, and 800+ flags? Buffers and arrays within structures can also be viewed.
Structures, Unions, Enums and Flags
System Behavior Analysis: Monitoring API Calls: In API Monitor, what can display both input and output buffers? The amount of data to be displayed is automatically calculated from other arguments to the API or from the API return value, and the maximum amount of data to be captured is configurable.
Buffer View
System Behavior Analysis: Monitoring API Calls: In API Monitor, what shows the hierarchy of API calls?
Call Tree
System Behavior Analysis: Monitoring API Calls: In API Monitor, what can be displayed in a user-friendly format?
Decode Parameters and Return Values
System Behavior Analysis: Monitoring Device Drivers: Malware gets installed along with device drivers ___________________ and uses them as a shield to avoid detection.
Downloaded from untrusted sources
System Behavior Analysis: Monitoring Device Drivers: You must scan for suspicious device drivers and verify if they are genuine and downloaded from the publisher's original site. To view device drivers on a Windows machine, navigate to ________________________________
Run, type msinfo32, go to Software Environment, and click System Drivers
Device Driver Monitoring Tool: DriverView: What utility displays a list of all device drivers currently loaded on the system? For each driver in the list, additional information, such as the load address of the driver, description, version, product name, and the company that created the driver, is displayed.
DriverView
System Behavior Analysis: Monitoring Files and Folders: True or False: Malware can also modify the system files and folders to save some information on them. Investigators should be able to find the files and folders which a malware creates and analyze them to collect any important information stored in them. These files and folders may also contain hidden program code or malicious strings that the malware will schedule for execution at a specific time.
True
System Behavior Analysis: Monitoring Files and Folders: File Signature Verification, also called ___________, is a built-in Microsoft utility in Windows 10/8/7. It checks the integrity of critical files that have been digitally signed by Microsoft and can thus help investigators find unsigned drivers.
Sigverif
System Behavior Analysis: Monitoring Files and Folders: What is a command prompt utility that generates and verifies hash values of files using MD5 or SHA-1 algorithms?
The File Checksum Integrity Verifier (FCIV) utility
System Behavior Analysis: Monitoring Files and Folders: What are the features of the File Checksum Integrity Verifier (FCIV) utility?
Supports MD5 or SHA1 hash algorithms (The default is MD5)
System Behavior Analysis: Monitoring Files and Folders: What are the features of the File Checksum Integrity Verifier (FCIV) utility?
Can output hash values to the console, or store the hash value and file name in an XML file
System Behavior Analysis: Monitoring Files and Folders: What are the features of the File Checksum Integrity Verifier (FCIV) utility?
Can recursively generate hash values for all files in a directory and in all subdirectories (for example, fciv.exe c:\ -r)
System Behavior Analysis: Monitoring Files and Folders: What are the features of the File Checksum Integrity Verifier (FCIV) utility?
Supplies an exception list to specify files or directories to hash
System Behavior Analysis: Monitoring Files and Folders: What are the features of the File Checksum Integrity Verifier (FCIV) utility?
Can store hash values for a file with or without the full path of the file
System Behavior Analysis: Monitoring Files and Folders: What is a tool for assessing IT configurations and detecting, analyzing, and reporting any change activity across IT infrastructure and can monitor servers, desktops, directory servers, hypervisors, databases, middleware applications, and network devices?
Tripwire Enterprise
System Behavior Analysis: Monitoring Files and Folders: What captures a baseline of server file systems, desktop file systems, directory servers, databases, virtual systems, middleware applications, and network device configurations in a known good state?
Tripwire Enterprise
System Behavior Analysis: Monitoring Files and Folders: What undertakes ongoing integrity checks, compares the current states against these baselines to detect changes, and while doing so collects the information essential to reconciling the detected changes?
Tripwire Enterprise