Section 1: Enterprise Incident Response & Threat Hunting


Last updated 8:48 PM on 6/16/26

12 Terms

1. What does PICERL stand for?
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.

2. Why should you scope an incident before eradication?
To understand the full compromise and avoid leaving attacker footholds behind, which can lead to a "whack-a-mole" scenario.

3. What is a hypothesis-driven hunt?
A proactive hunt based on a theory about attacker behavior, often informed by Cyber Threat Intelligence (CTI).

4. What is the difference between an IOC and a TTP?
An IOC is a specific, static indicator (like a hash or IP); a TTP is a broader behavioral pattern of an adversary.

5. What is living-off-the-land?
Abusing legitimate, pre-installed system tools (like PowerShell, WMI, or schtasks) to perform malicious actions.

6. What is high file entropy a clue for?
High entropy (a score close to 8) suggests the file contains compressed or encrypted data, a common sign of packed malware.

7. What is filename homoglyph abuse?
Using visually similar Unicode characters (e.g., a Cyrillic 'а' for an ASCII 'a') to disguise malicious file names.

8. Name two common ASEPs (AutoStart Extension Points) used for persistence.
Registry Run Keys and the Startup folder.

9. How are scheduled tasks (schtasks.exe) used for persistence?
They provide reliable, automated execution that can be triggered by time, a specific event, or user logon.

10. What is WMI persistence?
Using WMI event filters and consumers to create a trigger-based backdoor that executes malicious code.

11. What is process masquerading?
Making malware look like a legitimate process by giving it a familiar name or placing it in a familiar location.