Initial Core 2 study project

notes/SEC-4-malware-security-tools.md

@@ -0,0 +1,275 @@
+# SEC-4: Malware and Security Tools
+
+Status: not started
+
+Domain:
+- 2.0 Security
+
+Objective alignment:
+- 2.4 Malware and security tools
+
+## What You Need To Know
+
+Malware questions usually ask you to identify the type of malware or choose the right security tool.
+
+Do not memorize only definitions. Tie each malware type to its behavior.
+
+## Memory Trick
+
+Use **RATS-VCK-BFP**:
+
+- **R**ansomware: ransom after encryption
+- **A**dware/PUP: ads or unwanted extras
+- **T**rojan: tricks you by pretending to be useful
+- **S**pyware/stalkerware: surveillance
+- **V**irus: needs execution and can replicate
+- **C**ryptominer: steals CPU/GPU cycles
+- **K**eylogger: captures keystrokes
+- **B**oot sector virus: starts before/with OS boot
+- **F**ileless malware: lives in memory
+- **P**ersistent/rootkit: hides deep in the system
+
+## Malware Types
+
+Trojan:
+- Pretends to be legitimate software.
+- Does not need to self-replicate.
+- Often opens the door for other malware.
+
+Rootkit:
+- Hides deep in the OS, kernel, drivers, or boot process.
+- May not appear in normal tools like Task Manager.
+- Often requires special tools or reinstall/reimage.
+
+Virus:
+- Replicates by infecting files or systems.
+- Usually needs a program to run.
+
+Spyware:
+- Watches user activity.
+- May track browsing, personal data, or behavior.
+
+Ransomware:
+- Encrypts or locks user data and demands payment.
+- Strong backup strategy is critical.
+
+Keylogger:
+- Captures keystrokes.
+- Can steal passwords even when websites use encryption.
+
+Cryptominer:
+- Uses CPU/GPU resources to mine cryptocurrency.
+- Clue: unexplained high CPU/GPU use, heat, fan noise.
+
+Boot sector virus:
+- Infects boot code.
+- Starts before or during OS boot.
+- Secure Boot helps reduce this risk.
+
+Fileless malware:
+- Runs from memory or trusted scripting tools.
+- Avoids writing a normal malware file to disk.
+
+Stalkerware:
+- Surveillance software, often on mobile devices.
+- Tracks location, messages, microphone, camera, screenshots, or activity.
+
+PUP:
+- Potentially Unwanted Program.
+- Often bundled with other installs.
+- May include adware, toolbars, or browser hijackers.
+
+## Security Tools
+
+Windows Recovery Environment:
+- Used when Windows will not start normally or malware blocks normal repair.
+- Powerful and risky.
+- Last-resort style tool for boot repair, command prompt, service/device startup changes, or file replacement.
+
+Antivirus/anti-malware:
+- Detects, blocks, quarantines, and removes malware.
+- Should use real-time protection and updated definitions.
+
+EDR:
+- Endpoint Detection and Response.
+- Detects behavior, investigates endpoint threats, and can isolate/quarantine/respond.
+
+MDR:
+- Managed Detection and Response.
+- Third-party managed service that monitors and responds to EDR/security events.
+
+XDR:
+- Extended Detection and Response.
+- Correlates endpoint, network, cloud, and other security data.
+
+Email security gateway:
+- Filters inbound/outbound email.
+- Blocks phishing, malware, spam, and suspicious attachments before reaching users.
+
+Software firewall:
+- Monitors and controls local network communication.
+- Can stop malware from calling out.
+
+Anti-phishing training:
+- Teaches users to identify phishing and social engineering.
+- Important because technology alone cannot stop every attack.
+
+End-user education:
+- Broader security awareness: links, downloads, reporting, password hygiene, safe behavior.
+
+OS reinstallation/reimage:
+- Most reliable way to remove severe or persistent malware.
+- Must ensure backups/images are clean.
+
+## Tool Matching Shortcut
+
+- Email threat before user sees it: **email security gateway**
+- Suspicious endpoint behavior: **EDR**
+- Outsourced endpoint monitoring: **MDR**
+- Endpoint plus network/cloud correlation: **XDR**
+- Local app calling out unexpectedly: **software firewall**
+- Persistent/rootkit/severe infection: **reimage/reinstall**
+- User keeps clicking bad links: **anti-phishing training**
+- Windows will not boot or malware blocks repair: **Windows RE**
+
+## Commands To Enter
+
+Windows inspection commands:
+
+```powershell
+windowsdefender:
+```
+
+What it does:
+- Opens Windows Security.
+- Use it to check Virus & threat protection.
+
+```powershell
+taskmgr
+```
+
+What it does:
+- Opens Task Manager.
+- Use it to look for high CPU, memory, disk, or suspicious processes.
+
+```powershell
+resmon
+```
+
+What it does:
+- Opens Resource Monitor.
+- Gives more detailed live CPU, memory, disk, and network activity.
+
+```powershell
+eventvwr.msc
+```
+
+What it does:
+- Opens Event Viewer.
+- Use it to inspect logs for crashes, service issues, and security-related events.
+
+```powershell
+netstat -ano
+```
+
+What it does:
+- Shows active connections/listening ports and process IDs.
+- Useful for spotting unexpected network connections.
+
+```powershell
+Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
+```
+
+What it does:
+- Lists the top processes by CPU use in PowerShell.
+
+Linux inspection commands:
+
+```bash
+top
+```
+
+What it does:
+- Shows live process/resource usage.
+
+```bash
+ps aux
+```
+
+What it does:
+- Lists running processes.
+
+```bash
+ss -tulpn
+```
+
+What it does:
+- Shows listening network sockets and associated processes when permissions allow.
+
+```bash
+journalctl -p err
+```
+
+What it does:
+- Shows systemd journal errors.
+
+macOS, if available:
+
+```bash
+top
+ps aux
+```
+
+What it does:
+- Shows running processes and resource usage.
+
+## Mini Lab
+
+Goal:
+- Practice safe inspection and tool selection.
+
+Windows:
+1. Open Windows Security with `windowsdefender:`.
+2. Check whether Virus & threat protection is enabled.
+3. Open Task Manager with `taskmgr`.
+4. Sort by CPU and memory.
+5. Open Resource Monitor with `resmon`.
+6. Run `netstat -ano`.
+7. Record:
+   - Antivirus status:
+   - Highest CPU process:
+   - Any listening ports:
+   - One unexpected thing you would investigate further:
+
+Linux:
+1. Run `top`, then press `q`.
+2. Run `ps aux`.
+3. Run `ss -tulpn`.
+4. Run `journalctl -p err`.
+5. Record:
+   - Highest CPU process:
+   - One listening service:
+   - One error log theme:
+
+Tabletop scenarios:
+- Files are encrypted and a payment note appears.
+- Browser homepage changes and toolbars appear after installing free software.
+- CPU is high even when no apps are open.
+- A system keeps reinfecting after cleanup.
+- Users are receiving malicious attachments by email.
+
+For each scenario, identify:
+- Malware type or likely issue
+- Best tool or response
+- What evidence you would collect
+
+## Quick Check Before Quiz
+
+You are ready for the SEC-4 quiz when you can answer these without looking:
+- What malware encrypts user files for payment?
+- What malware captures keystrokes?
+- What malware hides deep in the OS?
+- What tool filters malicious email?
+- What is the difference between EDR, MDR, and XDR?
+- When is reimage/reinstall the right answer?
+