Viruses
A type of malware that attaches itself to a file or program and spreads when you run it.
Worms
A type of malware that spreads on its own across networks, without needing you to run or open anything.
Trojan
A fake, harmless-looking program that tricks you into installing it, then secretly harms your computer or steals information.
Potentially Unwanted Programs (PUPs)
Programs that aren’t clearly harmful, but you probably didn’t ask for them, and they often do things like show ads or slow down your computer.
Multipartite
A type of virus that attacks in more than one way.
Polymorphic
A type of malware that keeps changing how it looks so antivirus programs have a hard time spotting it.
Fileless Malware
A type of malware that runs in memory without saving files to the disk, making it harder to detect and remove.
Persistence Via the Registry
When malware adds itself to the Windows Registry so it automatically runs every time the computer starts.
Advanced Persistent Threat (APT)
A hacker’s ability to get into a network and stay there secretly to keep control and steal data over time.
Advanced Volatile Threat (AVT)
Runs only in memory (RAM), so it disappears after a restart and is harder to find than regular malware.
Low Observable Characteristics (LOC)
Ways attackers stay hidden, using quiet, sneaky methods so security tools don’t notice them.
Spyware
A program that secretly watches what you do on your device and sends that information to someone else.
Adware
Software that watches what you do and shows you ads based on that information.
Keyloggers
Spyware that secretly records what you type to steal your private information.
Remote Access Trojan (RAT)
A type of malware that lets a hacker take control of your computer through a hidden connection.
Rootkit
Malware that hides by changing deep parts of your system, so you can’t see it or remove it easily.
Ransomware
A broad term for any malware that blocks access to your system or data and demands a ransom.
Crypto-malware
A specific type of ransomware that encrypts your files (using cryptography) and demands payment to decrypt them.
Cryptomining/cryptojacking
A virus that steals your computer’s power to make digital money for someone else.
Logic Bomb
A malicious program that is set to run under particular circumstances or in response to a defined event.
Tactics, Techniques, Procedures (TTPs)
Describes what attackers do, how they do it, and the exact tools or steps they use during a cyberattack.
Indicators of Compromise (IOC)
A sign that an asset or network has been attacked or is currently under attack.
Resource Consumption
When a computer uses more power or memory than usual, which might mean malware is running in the background.
Distributed Denial of Service Attacks (DDoS)
An attack where hackers use many infected devices to overload a website or service, so real users can’t access it.
On-path Attacks
An attack where the threat actor makes an independent connection between two victims and is able to read and possibly modify traffic.
DNS Poisoning
When hackers trick your computer into going to a fake website by changing the internet address behind a real domain name.
DNS-based On-path Attacks
When a hacker intercepts your request for a website and sends you to a fake one instead.
DNS Client Cache Poisoning
When a hacker tricks your computer into remembering the wrong address for a website.
Rogue Access Points
Unauthorized Wi-Fi that’s added to a network, sometimes by mistake or to secretly spy on users.
Evil Twin
A type of rogue access point that is intentionally set up to mimic a legitimate network, with the goal of tricking users into connecting so their data can be intercepted or stolen.
Brute Force Attack
A type of password attack where an attacker uses an automated tool to exhaustively try every possible combination of letters, numbers, and symbols to guess or crack a password.
Dictionary Attack
When a hacker tries passwords from a list of common ones to see if any unlock the account.
Password Spraying
When a hacker uses a few common passwords on lots of accounts to try and break into one without getting blocked.
Credential Replay Attacks
When a hacker uses a stolen login token to pretend to be someone else and access their account.
Downgrade Attacks
Makes a server or client use a lower specification protocol with weaker ciphers and key lengths.
Collision Attacks
When a weak hash function lets two different pieces of data create the same digital fingerprint.
Birthday Attacks
A way hackers use brute force to find two things with the same hash.
Replay Attack
When a hacker captures login info and uses it again to sneak back into a system.
Client-side Request Forgery (CSRF)/Cross-site Request Forgery (XSRF)
A hacker tricks your browser into doing something you didn’t intend.
Server-side Request Forgery (SSRF)
When a hacker tricks a server into sending a request to another place that the hacker normally wouldn’t be allowed to reach.
Persistent Cross Site Scripting (XSS)
When a hacker stores bad code on a website, and it runs in other users' browsers when they visit that page.
SQL Injection
When a hacker adds fake commands to a website’s database, letting them steal, delete, or change information.
Directory Traversal
When a hacker uses special file paths to reach hidden or protected files on a website’s server.
Command Injection
When a hacker uses a website’s input to run system commands on the server, which can lead to full control of the system.
Uniform Resource Locator (URL)
The address of something on the internet.
URL Principal Methods:
GET: Retrieve a resource
POST: Send data to server for processing by requested resource
PUT: Create or replace resource
Percent Encoding
Changes special characters into code-like symbols (like %20 for a space) so they don’t break a URL.