WEEK 4

Questions and Answers

Which security systems does the attacker expect to encounter? (Choose three.)

• Intrusion Prevention Systems (IPS) that analyze traffic in real time
• Network Access Control (NAC) solutions that restrict unauthorized devices (correct)
• Legacy antivirus systems that rely on signature-based detection (correct)
• AI-based threat detection and protection platform. (correct)
• Web Application Firewalls (WAF) that filter and monitor HTTP traffic

Which of the following are categories of Endpoint bypass techniques? (Choose three.)

• Encrypting network traffic to prevent detection by firewalls
• Leveraging permitted tools to run malware (correct)
• Modifying the malware to evade signature analysis (correct)
• Encoding the malware to make it look legitimate (correct)
• Disabling security updates to weaken endpoint defenses
• Using multi-factor authentication to bypass security policies

What is the MITRE ATT&CK code for Defense Evasion?

• TA006
• TA003
• TA004
• TA005 (correct)

How can an attacker use OSINT in the context of endpoint security?

To discover the type of endpoint security on a victim’s machine (A)

How can an attacker modify malware to bypass endpoint security?

By installing the endpoint security locally on an offline system and using it to test the malicious code (A)

What does it imply if malicious code successfully evades endpoint security locally?

It is likely to evade the endpoint security of the victim’s system as well (C)

DefenderCheck is written by __________ and available at __________.

Written by Matt Hand and available on GitHub (A)

What does DefenderCheck do for the attacker?

Helps the attacker evade signature-based detection and automates the whole process (B)

What is the primary function of DefenderCheck?

To scan a file locally using Windows Defender (C)

What happens when DefenderCheck detects a malicious file?

It splits the file into two pieces and scans each independently (B)

How does DefenderCheck narrow down the malicious part of the file?

By splitting the file repeatedly into smaller chunks and scanning until the smallest chunk triggers the alert (C)

When DefenderCheck Splits the file into two pieces and scans each independently, what does it mean?

Discarding the chunk that does not trigger the alert. (A)

What happens to the chunk of the file that does not trigger an alert in DefenderCheck?

It is discarded (B)

How does DefenderCheck approach scanning Mimikatz?

It repeatedly splits the file until it identifies a chunk that no longer triggers an alert (B)

What is revealed by the hex dump of the Mimikatz executable?

UTF-16 strings in binary, including phrases like "doLocal" and "module not found" (B)

After identifying a chunk of the Mimikatz executable that no longer triggers an alert, what is the next step for the attacker?

To modify the identified chunk using a hex editor or by modifying the source code (D)

What is the goal when modifying the identified chunk of the Mimikatz executable?

To retain the functionality of Mimikatz while evading detection by Windows Defender (B)

What will the attacker continue to do after modifying the executable in order to evade Windows Defender?

They will repeat the scanning process with Windows Defender until the modified version passes without triggering an alert (C)

What does an attacker do when they create a program around their malicious code and use an intermediate wrapping library?

It allows the malicious code to bypass security checks and execute undetected (A)

Which of the following programming languages are commonly used for code wrapping and obfuscation? Choose the right choice

Python (A), Rust (B), Golang (C)

How do code wrapping and obfuscation affect signature-based analysis systems?

They work well against signature-based analysis systems (B)

How do code wrapping and obfuscation affect behavioral anomaly analysis systems?

They work well at evading behavioral anomaly analysis (C)

What does the IronPython library allow a developer to do?

Write a Python script and encode it as a variable in a C# program (C)

To run a python script developers use python interpreter T or F

True (A)

What does IronPython allow regarding the execution of Python code in a C# program?

It executes the Python code when the C# program is executed, without needing a separate Python interpreter (A)

How does embedding an obfuscated Metasploit payload into a C# program help the attacker evade detection?

The use of IronPython allows the malicious code to bypass endpoint detection tools by hiding inside libraries (B)

Why would an attacker use Microsoft Visual Studio to build a new executable after embedding the obfuscated payload?

To convert the Python script into a C# application and hide the malicious code (B)

Leveraging permitted tools (Application Allow List) is know as the whitelist T or F

True (A)

What is the purpose of an Application Allow List (Whitelist)?

To block all applications by default and only allow approved applications to execute (B)

How does an Application Allow List identify approved applications?

By validating the application's hash, file name, directory location, or program signature against a trusted whitelist (A)

How do vendors update the detection capabilities of Application Allow Lists?

when new bypass techniques are identified (B)

What is the main benefit of using an Application Allow List?

It prevents unauthorized programs, including malware, from executing on the system (C)

Which built-in feature is available on Windows 10 Enterprise Edition and recent versions of Windows Server?

AppLocker (A)

What is the typical first step when configuring AppLocker for whitelisting?

Use the learning mode to identify which executable files users launch (D)

What does AppLocker on Windows do before enabling blocking mode?

It tests the policies of whitelisting (A)

Which of the following are third-party tools available for endpoint protection?

Defendpoint (C), Kaspersky (A), Dell Authority Management Suite (D)

What is the purpose of Living Off the Land (LOL) in cyberattacks?

It is used by attackers when faced with limited options for executing the attack on a compromised system (B)

What do attackers do when they encounter an application allow list on a system?

They change their techniques to accomplish their goals based on what is allowed on the system (B)

What does the application allow list do in relation to the LOL technique?

It allows attackers to use alternative programs that are already on the system to achieve their goals (C)

Why might an attacker prefer the Living Off the Land technique?

It avoids the need for third-party tools (A)

What does the LOLBAS project maintain?

A list of built-in utilities that attackers can use to exfiltrate on a compromised system (C)

How do attackers bypass application allow lists beyond Living Off the Land (LOL) techniques?

By executing malware through non-standard or unusual execution methods (B)

What service does AppLocker use to check execution of applications?

Application Identity Service (B)

Why is it possible to bypass AppLocker despite its restrictions?

AppLocker does not check the code executed by an authorized application (A)

When does AppLocker check if an application is allowed to execute? (Choose 3)

When a new process is created (B), When a DLL is loaded (C), When a script is executed (@)

How do attackers often bypass application allow lists?

By executing code through but unusual means (B)

What are key features of an effective Endpoint Detection and Response (EDR) platform? (Choose 4)

Application Allow List (B), Threat hunting (C), Logging (@), Monitoring systems (@)

What is an effective defense against endpoint bypass?

Careful execution of whitelisting control with AppLocker or 3rd party tools (C)

What is the purpose of threat hunting in an EDR system?

To actively search for execution failures and signs of attacker activity (B)

What security technique is used for Logging and monitoring?

User and Entity Behavior Analysis (UEBA) (B)

What might indicate suspicious activity in a UEBA system?

A user running installutil.exe when they have never done so before (B)

What might indicate suspicious activity in a UEBA system?

A user running installutil.exe when they have never done so before (C)

Threat hunting to identify the execution failures while attackers work on bypass T or F

True (A)

What do Advanced Evasion Techniques (AETs) typically aim to bypass?

Network security systems, IDS/IPS, and other security measures (B)

What do Advanced Evasion Techniques (AETs) typically aim to bypass in order to gain unauthorized access or deliver malicious payloads ?

network security systems (A), Other security measures (B), intrusion detection and prevention systems (IDS/IPS) (@)

How do AETs make malicious traffic or payloads difficult to detect?

By disguising them using evasion mechanisms (B)

Which of the following techniques are commonly used in network attacks? (Choose 4)

Utilizing encryption to hide the true nature of the attack (B), Fragmenting or obfuscating data (D), Manipulating packet headers (@), Exploiting protocol ambiguities (@)

What is the main goal of the process hollowing technique?

To make legitimate process run the malicious payload (D)

What is process hollowing in malware attacks?

A legitimate process is started by malware in a suspended state, and its memory is unmapped to contain the malicious payload (D)

What is a real-life example of malware that uses the process hollowing technique?

TrickBot (B)

Which of the following tools are used to execute process hollowing?

CreateRemoteThread, NtUnmapViewofSection (B)

What is the main purpose of API unhooking?

To intercept API calls between two applications by another application (D)

What are hooks in the context of Windows development?

A mechanism that allows developers to intercept events, messages, and API calls (A)

These hooks don’t point to the procedures associated with it. T or F

False (B)

Which APT group used the malware tool UNAPIMON for API unhooking?

APT41 (Earth Freybug) (C)

How does API unhooking help malware evade detection by EDR systems?

By preventing child processes from being monitored (B)

Which tool is an example of API unhooking in malware?

AMSI Write Raid (Github) (D)

AMSI bypass (Antimalware Scan Interface Bypass) is an interface created by Microsoft, between a user and another user. T or F

False (B)

What are the main purposes of the Windows’ Antimalware Scan Interface (AMSI)? (Choose 3)

To scan applications for evidence of malware (A), To scan user-generated data for evidence of malware (B), To scan services for evidence of malware (D)

How do attackers typically bypass AMSI?

By disabling AMSI to avoid script scanning in PowerShell (B)

What is the real-life example of malware that utilized AMSI bypass?

Agent Tesla (C)

What kind of activities did the Agent Tesla malware perform without being detected by antivirus software?

Credential theft (B)

Which tool is an example of a method used to bypass AMSI?

SysWhispers2 (Github) (B)

Agent Tesla disabled AMSI to execute its malicious activities avoid being intercepted by antivirus software. T or F

True (A)

What is the purpose of Sysmon (System Monitor) in defending against process injection and API unhooking?

To detect suspicious API calls by setting specific event rules (C)

What can be used for defending against Process Injection and API Unhooking?

Sysmon (System Monitor) (A)

Which API calls should be specifically monitored to detect process injection and API unhooking activities? (Choose 3)

NtUnmapViewOfSection (C), CreateRemoteThread (D), VirtualAllocEx (@)

Which API calls should be specifically monitored to detect process injection and API unhooking activities?

NtUnmapViewOfSection, CreateRemoteThread, VirtualAllocEx (B)

Which tool is an example of a defense mechanism for defending against process injection and API unhooking?

Sysinternals Suite (Procmon, Sysmon) (A)

How can you enable Script Block Logging in PowerShell?

Set-ExecutionPolicy AllSigned (A)

Which Windows Event IDs should be monitored for AMSI bypass attempts?

Event ID 4103, 4104 (D)

Which of the following tools can be used to detect AMSI bypass attempts? (Choose 2, same tool)

AMSI Bypass Detector (GitHub) (A), AMSI Bypass Detector (Microsoft Defender ATP) (B)

Which actions should be taken to enhance defense against AMSI bypass and malicious PowerShell scripts? (Choose 2)

Enable Script Block Logging in PowerShell (A), Monitor Windows Event ID 4103, 4104 for suspicious activity (B)

Which of the following built-in LOLBAS tools should be restricted to prevent misuse in attacks? (Choose 3)

InstallUtil.exe (A), mshta.exe (B), rundll32.exe (C)

Why should we implement Applocker/SRP rules in a system?

To allow only signed and necessary system utilities (B)

Which tool can be used for auditing LOLBAS (Living Off the Land Binary and Script) on a system?

LOLBAS audit tool (GitHub) (A)

Which of the following actions should be taken to defend against the misuse of built-in LOLBAS tools? (Choose 2)

Implement Applocker/SRP rules (A), Restrict execution of built-in LOLBAS tools (C)

What is an important practice to Regularly update the allow list?

To ensure the trusted applications are not outdated (A)

What is an effective method to detect suspicious use of allowed applications?

Monitoring the process and network activities (B)

What is the main goal of reducing the attack surface on a system?

To reduce the number of potential entry points for attackers (B)

Which of the following actions can help in reducing the attack surface of a system?

Minimizing the number of running services and applications (D)

Flashcards

Capital of France (example flashcard)

Paris

Study Notes

PAGE 116.

PAGE 118.

PAGE 119.

PAGE 132.