Please see the attached file for the last six questions. Write it in your own words or, if you are using any source, please cite it and put each citation under each question.

QUESTION 1

Created by Victor Alvarez at VirusTotal, a _________ is a rule set used to identify malware in strings or binary files. The standard takes three parameters: metadata, strings, and conditions.

QUESTION 2

The ___________ is a conceptual model that measures the utility of threat intelligence by identifying the areas where, and the costs that, an adversary must expend to replace discovered tools, techniques, and procedures used in their cyber operations.

QUESTION 3

What is the Berkeley Packet Filter we would use if we wanted to see only traffic from a computer with IP address 192.168.0.1 communicating over ports 20, 21, 139, or 445?

Write your answer here.

QUESTION 4

_____ is a technique used to inspect the content (application data) in the innermost payload of a network packet.

QUESTION 5

_____ is the most well-known network discovery tool, which can scan a range of IP addresses and, when combined with its GUI version, will display a visual map of the network.

QUESTION 6

_____ is the penetration testing method where you are not provided any information about the organization’s network, systems, or configurations.

QUESTION 7

The first 3 octets (6 hex characters) of a network card's MAC address represent the manufacturer’s _______.

QUESTION 8

Symantec, in their June 2017 publication “Living off the Land”, identified that attackers are taking advantage of powerful task and network automation and configuration management software called __________, which minimizes an attacker’s footprint since it uses tools preinstalled on the victim’s computer to support the cyber operation.

QUESTION 9

A rootkit modifies the Windows task manager’s doubly-linked process list. This suggests that the rootkit is running in ______ mode.

QUESTION 10

______ type of encryption do malware authors employ when packing their malware, requiring the attacker to provide the key as one of the parameters to unpack its malware?

QUESTION 11

Which of the following entries should be disabled in the msconfig screen capture below since it is almost certainly malicious?

[Image 1: msconfig screen capture]

Enter the Startup item in the blank: ________

QUESTION 12

The current value set in the registry key below is almost certainly malicious.

[Image 2: registry key screen capture]

True

False

QUESTION 13

The Diamond Model of Intrusion Analysis helps cyber threat analysts and network defenders understand certain cyber threat groups and their playbook.

True

False

QUESTION 14

An attacker who steals an organization’s user’s password hash can use it, without decrypting it, to authenticate to other systems on the network through what’s considered to be a “pass-the-hash” attack.

True

False

QUESTION 15

The Ntuser.dat file loads registry information for the current user logged onto a system in the HKEY_CURRENT_USER (HKCU) registry hive.

True

False

QUESTION 16

Forensic analysis of memory allows cyber security researchers to examine malware, which otherwise might not be accessible due to file packing and other anti-forensic techniques the malware author employed.

True

False

QUESTION 17

What is most likely being displayed in the image below?

[Image 3]

a. Base64 encoded text

b. Randomly generated ASCII strings

c. Encrypted text

d. A software executable

QUESTION 18

Which of the following tool(s) are not used as part of behavioral analysis?

TCPView

Metasploit

PowerShell

Wireshark

Process Explorer

QUESTION 19

An attacker compromises the Washington Post's web server and proceeds to modify the homepage slightly by inserting a 1x1 pixel iframe that directs all website visitors to a webpage of his choosing that then installs malware on the visitors' computers. The attacker did this explicitly because he knows that US policymakers frequent the website. This would be an example of a ___________ attack.

Man-in-the-middle

Remote Code Execution

Waterholing

Replay

QUESTION 20

While reviewing data in your SIEM, you detected the following string: "VGhpcyBtZXNzYWdlIGlzIGJhc2U2NCBlbmNvZGVkLg==". What can we infer based on this payload?

An attacker has applied a ROT-13 shift to the payload

It is Base64 encoded

The payload is double encrypted

The sub-string "BtZXNzYWdl" is a known indicator of compromise

QUESTION 21

Port scanning is considered what form of an attack?

Illegal and highly prosecutable

Information gathering

Denial of Service

Exploitation

QUESTION 22

One of Susan’s attacks during a penetration test involved inserting false ARP data into a system’s ARP cache. When that system attempted to send traffic belonging to what it thought was a legitimate system, it instead sent the traffic to Susan’s system. What is this attack called?

ARP buffer blasting 

DNS poisoning

Denial of ARP attack

ARP cache poisoning

QUESTION 23

Which of the following is/are indicator(s) of compromise?

Yara signature

IP address

Command and Control Domain

Malware hash value

QUESTION 24

Which of the following item(s) is not potentially discoverable through static malware analysis for sophisticated malware?

Software compile times

Decryption keys

Hard-coded IP addresses

Embedded exploits

Hard-coded domains

QUESTION 25

Which Event IDs would indicate that there was a successful logon by a user with administrative privileges?

4668

4672

4634

4624

QUESTION 26

Describe what an advanced persistent threat (APT) is, how the term was derived (i.e. what it originally meant), what it currently means, and give an example, including the APT name, the company that identified the APT, the actor the company believes is behind the activity, who the APT targeted, and what tools, techniques, and procedures they used during their operations.

QUESTION 27

An organization’s SOC analyst, through examination of the company’s SIEM, discovers what she believes is Chinese state-sponsored espionage activity on the company’s network. Management agrees with her initial findings, given that the forensic artifacts she presents are characteristic of malware, but management is unclear on why the analyst thought it was Chinese state-sponsored. You have been brought in as a consultant to help determine 1) whether the systems have been compromised and 2) whether the analyst’s assertion has valid grounds to believe it is Chinese state-sponsored. What steps would you take to answer these questions, given that you have been provided an MD5 hash, two callback domains, and an email that is believed to have been used to conduct a spearphishing attack associated with the corresponding MD5 hash? What other threat intelligence can be generated from this information, and how would that help shape your assessment?

QUESTION 28

Your boss has come to you, a strong-performing junior security analyst, with a newly released FireEye report on APT 29, known as "Hammer Toss". He claims that your company's business profile fits the bucket described in the report as targeted by APT 29, which allegedly has ties to the Russian Government. He presents you with the following graphic and indicators of compromise from the report and asks you to write a YARA signature to identify whether your systems have been compromised and to help prevent potential future compromise. Please write a YARA signature based on the following information.

  • The malware can be identified by MD5 hash value d3109c83e07dd5d7fe032dc80c581d08 or SHA1 hash value 42e6da9a08802b5ce5d1f754d4567665637b47bc

  • HammerToss uses the following PowerShell command on a victim's system: Powershell.exe -ExecutionPolicy /bypass -WindowStyle hidden -encodedCommand

  • The HammerToss uploader is preconfigured to use the following hard-coded URL for its command and control: hxxps://www.twitter.com/1abBob52b

  • HammerToss uses a hashtag, in this case #101docto, to indicate that the encrypted data begins at an offset of 101 bytes in the command and control image file and that the characters "docto" should be appended to the encryption key to decrypt the data.

[Image 4: graphic from the FireEye report]

QUESTION 29

What can be factually said about the following VirusTotal submission, and what can be inferred based on this data (SHA-256 == 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525)?

[Image 5: VirusTotal submission]

[Image 6: VirusTotal submission]

[Image 7: VirusTotal submission]

QUESTION 30

APT 34 uses the following series of commands strung together in a batch file that it runs on a victim’s computer. Explain what each of these commands does and how the results would benefit APT 34.

whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1