Sans For508

When compromising a system, malware authors strive to achieve persistence, that is, to allow for the malicious code to be run even after a reboot or other computer stoppage. What service-related persistence method modifies an existing unused service to run malicious code?

Service failure recovery

Auto-start keys

Service replacement

Service creation

Which of the following is a PowerShell cmdlet that provides an interactive remote shell on the target system?

Get-Alias

Get-Handle

Enter-PSSession

Invoke-Command

There are six steps commonly used as part of the incident handling process. Which step's goal is to do proper scoping by determining all the systems that have been compromised?

Identification

Preparation

Containment

Remediation

Which of the following tools uses PowerShell Remoting to run user contributed modules across hosts in an enterprise?

RemPwShell

Windows Remoting

Kansa

Plaso

What is the proportion of signed malware compared to unsigned malware?

Most malware is unsigned

Most malware is signed

All known malware is signed

All known malware is unsigned

What is one of the key pieces of information a hunt team require before initiating a threat hunt session?

A report about an active breach in your organization from an outside agency

Security appliance alert

Lessons learned from the incidence response team

Threat intelligence

Blocking malicious IP addresses belongs to which phase of the incident response process?

Eradication and remediation

Recovery

Containment and intelligence developing

Identification and Scoping

What are the three necessary components for an event consumer backdoor?

Event action, event filter, event consumer

Event filter, event action, binding

Event filter, event identifier, event consumer

Event filter, event consumer, binding

Which of the following is known as the malware paradox?

Encrypted malware cannot be detected

All infected machines must have malware

Malware can hide, but it must run

Signed malware will always be detected

What is the process by which an incident response team can ensure that an incident has been fully scoped?

Intrusion whack-a-mole

The six step incident response process

The incident response detection and intelligence loop

Real-time remediation

Which of the six stages in incident response involves the use of data decoys and full-scale network monitoring?

Recovery

Containment and intelligence development

Preparation

Identification and scoping

What is the Cyber Kill Chain?

A model of the sequence of ac tions taken by an adversary in hiding evidence of intrusion

A model of the sequence of actions taken by a defender to eliminate command and control networks

A model of the sequence of actions taken by a defender to disable an adversaries ability to attack

A model of the sequence of actions taken by an adversary in executing cyberattacks

What is the name of the scripting language included in Windows systems and useful for incident response?

Perl

PowerShell

Python

Javascript

One of the most frequently used ways of achieving malware persistence is through scheduled tasks using what command?

Sfc

Schtasks

DSMod

Which of the following programs is a good choice to begin looking for malware that loads on system boot on a live system?

Sigcheck

Pslist

Tlist

Autorunsc

What is one of the key differences between an organization that waits for an incident to occur versus one that actively seeks malicious activity in its environment?

The proactive organization begins its repsonse when notified by an outside agency

The proactive organization relies on vendor information in its response cycle

The reactive organization relies on alerts for notification of incidents

The reactive organization utlizes threat intelligence for awareness of malicious activity

What part of the incident response process requires a responder to observe an adversary's tactics, techniques, and procedures?

Remediation

Preparation

Intelligence development

Recovery

What standard can be used to describe indicators of compromise and share them effectively?

Cyber kill chain

Stix

Att&ck framework

Mitre

Which logon type does PowerShell use by default when connecting to remote systems?

Remote interactive (type 10) logon

Non-interactive (type 3) logon

Interactive (type 2) logon

Service (type 5) logon

What is the risk of moving into the eradication/remediation phase too quickly?

Valuable intelligence required for effective containment can be overlooked

The deadlines for completing the lessons learned phase would be moved up

The rapid turnaround would diminish the need for more funding for the IR team

The IR team may be required to skip over the recovery phase, as well to save time

Which of the following values is used to track the length of a unique user session?

Event ID

Account name

Logon ID

Security ID

What is important to remember when examining entries in the Amcache.hve hive for evidence of execution? Responses

Entries do not always indicate execution.

Entries do not track unassociated executables.

Entries may only contain the MD5 hash.

Entries do not always have the full path.

When looking through event logs, an investigator sees many events of type 4625 in short succession. What might this be indicative of?

Password guessing attack

Pass the hash attack

Privilege escalation attack

Port scanning attack

What particularly helpful information is recorded by RDP session reconnect and disconnect events (4778 and 4779)? Responses

IP address and host name of the target system being connected to

IP address and host name of the remote machine making the connection

A screen shot of the session

A recording of the session

Which of the following logs contains information about the destination hostname/IP of an outgoing RDP session? Responses

Remote Desktop Services-RDPCoreTS

TerminalServices-RemoteConnectionManager

TerminalServices-LocalSessionManager

TerminalServices-RDPClient

What can be concluded about the prefetch file C:\Windows\Prefetch\reg.exe-8AEAE788.pf with a creation date of 8/20/2021 14:01:14 and a modification date of 8/28/2021 17:47:58?

The program reg.exe was launched from a suspicious location in the system's temp folder based on the well-known hash 8AEAE788.

The first known execution of reg.exe on the system was on 8/20/21 at approximately 14:01:14 and the last execution was on 8/28/21 at approximately 17:47:58.

The first known execution of reg.exe on the system was on 8/20/21 at approximately 14:01:04 and the last execution was on 8/28/21 at approximately 17:47:48.

An anti-forensics tool has been used since the prefetch creation date is different from the modification date.

It seems like the LSASS process is failing on a Windows machine. Which of the following is severely affected by this? Responses

Security log

System log

Server log

Application log

Event ID 4648 records (runas) authentications using explicit (different) credentials. What characteristic of event ID 4648 is usually different from other authentication-generated log events?

They are typically recorded by the network share.

They are typically recorded by the target system.

They are typically recorded only by the domain controller.

They are typically recorded by the originating system.

When conducting prefetch file analysis and looking for applications that executed on a Windows 10 system, what is the maximum number of files an analyst should expect to find?

256

1024

128

Which Windows artifact, responsible for backwards compatibility, can be used to determine whether an application has executed?

ShimCache

LNK files

SysWoW64

Security logs

- From a lateral movement perspective, which of the following are the most interesting shares? Responses

Admin%, C%, and IPC%

$A, B$, and $LPC

Mount$, RPC$, and Sysvol$

Admin$, C$, and IPC$

What is the forensic importance of the hexadecimal bytes at the end of a prefetch (.pf) file's name? Responses

It is a hex timestamp of the first execution time of the executable.

It is a hash of the file's path and any command-line arguments.

It is the volume serial number of the disk on which it originated.

It is a hex timestamp of the last execution time of the executable.

What forensic artifact would be the most useful to an analyst seeking to identify administrative shares potentially mounted by attackers?

Destination logs for event ID 5140

Memory for mapped shares

LNK files

Shellbags

What information does Amcache.hve store about an executable file?

Number of executions

Last time of execution

The SHA-1 hash of the executable

The GUID of the application

Where are event logs stored in Windows 10 and 11?

%systemroot%\logs

%systemroot%\System32\winevt\logs

%AppData\Roaming\Microsoft\Windows

%systemroot%\System32\config

What is a threat hunter looking for when searching for the sequence of Windows Security Event Log event IDs 4624 and 4672 across the enterprise?

Brute-force password guessing

New account creation

Logon with administrator-level privileges

Account password change

What utility allows many Windows event log files to be opened simultaneously and even merged, greatly aiding with event correlation and reducing the amount of time needed to search?

Windows Event Explorer

Windows Event Viewer

Event Log Explorer

Windows Event Viewer Pro

Understanding the difference between Logon Events and Active Directory Account Logon Events can make a huge difference when troubleshooting authentication issues or breaches. What separates the two?

Logon Events are stored locally and on the domain controller.

Both are only stored on the domain controller for different purposes.

Logon Events are stored locally and Account Logon Events are typically stored on the domain controller.

Both are only stored locally for different purposes.

In a potential intruder or insider threat scenario, an analyst should enable functionality on and review what event log to identify users or accounts that may have accessed specific files of interest?

Custom logs

Application logs

Security logs

System logs

You discover that a crucial service has been stopped during an incident handling process. What should you analyze to determine when it was stopped and, possibly, by whom?

Registry details of this specific service

The NTFS filesystem details of this service

System event logs to discover more details

Application event logs to discover more details

Which of the following is the name of the Windows hibernation file created when a system has been placed into hibernation or power save mode?

Pagefile.sys

Hibernate.sys

Hiberfil.sys

Ram.sys

What Volatility plugin lists the security identifiers associated with a process in a memory image?

Windows.dllscan.DllScan

Windows.psscan.PsScan

Windows.dllfind.DllFind

Windows.getsids.GetSIDs

The F-Response Enterprise tool provides incident responders with extensive remote capabilities to conduct analysis and investigations against remote computers. What is one significant advantage provided by this tool?

The agent is vendor neutral and works with nearly any analysis tool.

The tool provides write access to all remote volumes.

The agent only requires a reboot when installed on 32-bit systems.

The number of examiners is limited to the incident response team.

Why is it important to analyze memory?

Modern attacks have moved to memory to avoid detection.

Memory is removable.

It allows you to see older historical data.

Disk-based artifacts are not helpful in finding malware.

Which tool uses a query language to allow remote access to forensic artifacts?

Velociraptor

Kansa

F-Response

KAPE

What memory structure holds a list of all currently running processes on a Windows system?

Kernel processor control region

Virtual address descriptors tree

Process environment block

Executive process block list

What Volatility 2 plugin allows for a Windows hibernation file to be converted permanently to a raw image?

Imagecopy

Procmemdump

Patcher

Vaddump

When attempting to identify malicious Windows processes, what technique can an analyst use to identify processes needing further investigation?

Identify parent processes that have multiple child processes.

Look at exited processes.

Look for multiple processes named svchost.exe.

Find common processes that were spawned by an unexpected parent process.

Which of the following data structures is used by the Windows kernel to track multiple executive process blocks?

Process environment block

Rotating list

Data blocks

Doubly linked list

A CISO is evaluating F-Response and Velociraptor for deployment to assist with incident response. What is a key difference between the two applications?

Velociraptor has an issue with latency, while F-Response does not.

F-Response is a remote access agent, while Velociraptor is a remote analysis agent.

F-Response does file querying, while Velociraptor does not.

Velociraptor is a remote access agent, while F-Response is a remote analysis agent.

Mutants (or mutexes) are used for what purpose in malware?

To maintain persistence

To indicate previous infection

Custom malware beaconing

Effective use of threading

What is an example of a suspicious network connection?

An RDP connection over port 3389 from an internal admin workstation to an internal domain server

An SMB connection from a workstation to a local domain server

A DNS request for the domain www.google.com

A process that is not a web browser communicating over port 443

What plugin provides the easiest means to see parent-child relationships between processes??

Windows.pslist.PsScan

Windows.psexec.PsExec

Windows.pstree.PsTree

Windows.pslist.PsList

When attempting to identify rogue processes with Volatility 3, what is the main advantage of windows.psscan.PsScan over windows.pslist.PsList?

Windows.psscan.PsScan focuses on processes in memory that were running to avoid overwhelming log sizes.

Windows.psscan.PsScan scans memory to find processes that have been unlinked from the EPROCESS list.

Windows.psscan.PsScan queries the EPROCESS list to find the parent for all processes.

Windows.psscan.PsScan performs much faster because it reads an existing list.

What is one of the features that makes KAPE forensically sound?

Ability to decrypt encrypted files

Built-in write blocker

Full autonomy

Full metadata preservation

An analyst who has completed FOR508 is handed a memory image to review for signs of an intrusion or malware. No other guidance is given. The analyst vaguely remembers a six-step analysis process recommended for situations such as these. What is the first step?

Identify rogue processes

Review network artifacts

Check for signs of a rootkit

Look for evidence of code injection

What process metadata allows you to determine whether the executable name matches the image name of the process?

Full path

Security IDs

Command line

Parent process

When performing forensic analysis on a system, which process should you look for to identify whether any CommandLineEventConsumers have been utilized during an incident?

Wmiprvse.exe

Svchost.exe

Scrcons.exe

Cmd.exe

To run a Volatility 2 plugin against a memory image, which parameter is required for the tool to know what operating system to expect?

--KDBG

�plugin

--profile

�image

Memory forensics should include not only the data stored in RAM, but which of the other following locations?

Volume Shadow Copies

Master File Table

Page file or SWAP space

Removable media

Which command-line tool would an analyst use to search the super timeline for the storage file that Plaso produces and extract the events from that file in chronological order?

Log2timeline.py

Jobparser

Pinfo.py

Psort.py

When using DensityScout to analyze files, what is the typical density for a packed file?

Between 0.1 and 0.9

Greater than 0.9

Less than 0.1

Less than 0

What command allows a forensic analyst to use log2timeline.py to obtain data from a physical device?

Log2timeline.py --storage-file /path-to/plaso.dump /mnt/device_mount

Log2timeline.py --storage-file /path-to/plaso.dump /dev/sdd

Log2timeline.py /path-to/plaso.dump /path-to/image.dd

Log2timeline.py /path-to/plaso.dump /dev/*

An investigator suspects a system was compromised using obfuscation packing to bypass the system defenses. Which of the following tools would enable the investigator to search for malware that uses obfuscation packing?

Sigcheck

Pescan

DensityScout

File

What is the Python-based back-end engine used when creating a super timeline?

Plaso

TagEngine

Granul

TSK

What open-source tool disassembles executables and relies on crowdsourced code patterns to determine a suspicious file's functionality?

Capa

YARA

DensityScout

Sigcheck

When performing timeline analysis on an NTFS filesystem, which of the following attributes is associated with the creation of a file?

Which tool allows multiple investigators to collaborate across timelines in real time, all while tagging, annotating, and enriching the data?

Splunk Timeline App

TimeLiner

Yara_match.py

Timesketch

Log2timeline has parsers for which major operating system families?

Windows and Linux only

Windows, Linux, and macOS

Windows only

Windows and macOS only

One of the options an analyst can select when running log2timeline is a time zone. What does the time zone represent?

The time zone that log2timeline should output

The time zone for the date range filter

The time zone of the analyst's system

The time zone of the system being investigated

What are the three core areas of knowledge necessary to properly interpret a Windows super timeline?

Program execution, account usage, and registry keys

Last login, logon types, and group membership

Filesystem metadata, Windows artifacts, and registry keys

File downloads, account usage, and browser usage

Which of the following tools in the Plaso suite allows an analyst to sort and process Plaso storage files?

Psort

Ppro

Pinfo

Pindex

In the timeline analysis process, where do you begin?

Determine timeline scope

Filter timeline

Narrow down pivot points

Determine best method to generate timeline

Which of the following describes the difference between the fls and log2timeline tools?

Fls extracts metadata from the filesystem only. log2timeline obtains information from file system metadata, registry values, and artifact timestamps.

Fls and log2timeline both pull metadata from the filesystem; the difference is that fls is a Windows-focused solution and log2timeline works with Windows, Apple, Solaris, and Linux.

Fls obtains information from file system metadata, registry values, and artifact timestamps. log2timeline extracts metadata from the filesystem only.

Fls produces an overwhelming amount of information; whereas log2timeline provides information focused on date and time range provided by the user.

What is a benefit of timeline analysis that makes anti-forensics on Microsoft operating systems difficult for an attacker?

Time-based artifacts have remained consistent through the different versions of Microsoft operating systems.

Microsoft operating systems do not allow users/attackers to modify timestamps.

Timestamps on Microsoft operating systems are all located in one place.

Too many timestamp entries are made for an attacker to effectively modify them all.

What is the purpose of an analyst using the filter file option in conjunction with the log2timeline.py command?

Bypassing the storage module, directly storing events according to the filter file options

Defining what Volume Shadow Snapshots need to be analyzed

Limiting the total number of files and directories log2timeline.py needs to traverse to extract the data from a device or image file

Increasing the total number of files and directories log2timeline.py needs to traverse to extract the data from a device or image file

Against which file would the following YARA rule indicate a match?

rule FOR508_TestRule {

meta:

description = "YARA rule test"

strings:

$s0 = "bpython27.dll"

$s1 = "LogonUI.exe"

condition:

uint16(0) == 0x5a4d and filesize < 3500KB and all of them

}

A portable executable file, 1024 KB in size, containing at least one of the strings bpython27.dll or LogonUI.exe.

Any file named either bpython27.dll or LogonUI.exe that is 2.5 MB in size, with the first two bytes being 0x5A4D.

Any file named either bpython27.dll or LogonUI.exe that is 4 MB in size containing the string "YARA rule test".

A portable executable file, 1024 KB in size, containing the strings bpython27.dll and LogonUI.exe.

You are analyzing timestamps on a system with two volumes: a FAT32 C: volume that contains a file called fat.txt and an NTFS D: volume. Someone moves the fat.txt file from C:\ to D:\directory_name via the cut-and-paste method. What will happen to the D:\directory_name\fat.txt file timestamps?

The modified timestamp remains intact. The created timestamp also remains intact.

The modified timestamp is updated to the current date and time. The created timestamp remains intact.

The modified timestamp remains intact. The created timestamp is updated to the current date and time.

The modified timestamp and created timestamp are both updated to the current date and time.

What is the first pivot-point analysts typically use when starting a timeline investigation?

Name of a file

Attacker lateral movement activity

Process activity

Time of the incident

Which of the following can be found within the plaso.dump file?

Information gathered by running the psort.py command

Information on all switches and parameters of the log2timeline.py command

Information on what artifacts were filtered out of the target timeline

A list of all plug-ins/parsers that were run to extract the data

What is the correct signature value of an MFT entry's $DATA attribute?

0x00

0x01

0x08

0x80

Where does the alternate data stream name reside?

$DATA attribute

$INDEX_ROOT attribute

$STANDARD_INFORMATION attribute

$FILE_NAME attribute

What is the Master File Table?

The file metadata change log for NTFS

A data structure that tracks unallocated clusters

The metadata catalog for NTFS

The location of all file content

In what order are MFT entry addresses generally assigned to newly created files?

Sequential

Random

Pseudorandom

Unknown

What evidence of a deleted file often exists even after a data wiping solution has been used?

The file can be found in the Recycle Bin.

The filename will still be in the MFT record.

$UsnJrnl artifacts can still be recovered.

The file content can still be carved.

What Linux command line tool enables an analyst to list all available shadow snapshots in a disk image?

Vshadowinfo

Vssadmin

Vshadowmount

Mount

What is the ScopeSnapshots feature in Windows 8 and newer?

It allows the user to specify which files to exclude from volume snapshots.

It instructs volume snapshots to only monitor files for a specific length of time.

It instructs volume snapshots to only monitor files in the boot volume that are relevant for system restore.

It allows the user to specify which files to include in volume snapshots.

Where does the parent directory information of a file reside in NTFS?

Directory files

$STANDARD_INFORMATION attribute

$DATA attributes

$FILE_NAME attribute

A directory listing index ($I30) can consist of which of the following?

$INDEX_ROOT and $INDEX_INFORMATION

$INDEX_ROOT and $INDEX_ALLOCATION

$INDEX_DATA and $INDEX_ROOT

$STANDARD_INFORMATION and $INDEX_DATA

While analyzing a Windows 10 machine, an analyst notices that several malicious text documents are showing the ZoneID=3 attribute. What is the significance of this artifact?

This is a unique ID from Onion websites.

The documents reside on the computer and not on a network share.

The documents came from a thumb drive.

The documents were downloaded from the Internet.

Which NTFS system file stores low-level transactional logs for NTFS resiliency and consistency?

$UsnJrnl

$LogFile

$Secure

$Bitmap

What happens when a file is deleted by the filesystem?

The file's clusters are wiped.

The file is moved to the Recycle Bin.

A single bit in the MFT record flags is changed.

The file's MFT entry is wiped.

Is it possible to recover deleted keys, values, and timestamps from the Windows Registry?

No; the registry has a proprietary file format.

No; keys and values can be recovered, but not timestamps.

Yes.

Yes, but only from volume shadow copies.

Where can you find a file's allocation status?

$FILE_NAME

MFT entry header

$STANDARD_INFORMATION

$DATA

What size files have their content resident in the $DATA attribute inside the MFT?

~1024 bytes or more

~1024 bytes or less

~700 bytes or more

~700 bytes or less

Which two files perform tracking of the journaling functions of NTFS?

$Volume and $Bitmap

$AttrDef and $MFT

$Log and $Jrnl

$LogFile and $UsnJrnl

What libvshadow command-line tool can expose Volume Shadow Copies as raw disk images for further analysis?

Vhdtool

Vmstat

Vshadowmount

Vshadowinfo

An analyst reviewing the $LogFile file identifies the combination of DeleteIndexEntryAllocation and AddIndexEntryAllocation. What does this pattern indicate?

File/directory creation

File/directory rename or move

File data modification

File/directory deletion

Which of the following techniques can be used to identify whether timestamp backdating may have occurred on a file?

Compare the $FILE_NAME creation time to the timestamp stored in $STANDARD_INFORMATION.

Use istat to compare $FILE_NAME times to the system timestamp.

Identify the timestamp stored in $STANDARD_INFORMATION.

Identify the timestamp stored in $FILE_NAME.

What is the purpose of the $UsnJrnl NTFS system file?

To store high-level summary information about file and directory changes

To track security descriptors for all files within a volume

To track user activity, including executed applications and file accesses

To store low-level transactions to ensure system resiliency

{"name":"Sans For508", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"When compromising a system, malware authors strive to achieve persistence, that is, to allow for the malicious code to be run even after a reboot or other computer stoppage. What service-related persistence method modifies an existing unused service to run malicious code?, Which of the following is a PowerShell cmdlet that provides an interactive remote shell on the target system?, There are six steps commonly used as part of the incident handling process. Which step's goal is to do proper scoping by determining all the systems that have been compromised?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}