# SEC-4: Malware and Security Tools

Status: not started

Domain:
- 2.0 Security

Objective alignment:
- 2.4 Malware and security tools

## What You Need To Know

Malware questions usually ask you to identify the type of malware or choose the right security tool. Do not memorize only definitions. Tie each malware type to its behavior.

## Memory Trick

Use **RATS-VCK-BFP**:

- **R**ansomware: ransom after encryption
- **A**dware/PUP: ads or unwanted extras
- **T**rojan: tricks you by pretending to be useful
- **S**pyware/stalkerware: surveillance
- **V**irus: needs execution and can replicate
- **C**ryptominer: steals CPU/GPU cycles
- **K**eylogger: captures keystrokes
- **B**oot sector virus: starts before/with OS boot
- **F**ileless malware: lives in memory
- **P**ersistent/rootkit: hides deep in the system

## Malware Types

Trojan:
- Pretends to be legitimate software.
- Does not need to self-replicate.
- Often opens the door for other malware.

Rootkit:
- Hides deep in the OS, kernel, drivers, or boot process.
- May not appear in normal tools like Task Manager.
- Often requires special tools or reinstall/reimage.

Virus:
- Replicates by infecting files or systems.
- Usually needs a program to run.

Spyware:
- Watches user activity.
- May track browsing, personal data, or behavior.

Ransomware:
- Encrypts or locks user data and demands payment.
- A strong backup strategy is critical.

Keylogger:
- Captures keystrokes.
- Can steal passwords even when websites use encryption, because it captures the keys before they are sent.

Cryptominer:
- Uses CPU/GPU resources to mine cryptocurrency.
- Clue: unexplained high CPU/GPU use, heat, fan noise.

Boot sector virus:
- Infects boot code.
- Starts before or during OS boot.
- Secure Boot helps reduce this risk.

Fileless malware:
- Runs from memory or trusted scripting tools.
- Avoids writing a normal malware file to disk.

Stalkerware:
- Surveillance software, often on mobile devices.
- Tracks location, messages, microphone, camera, screenshots, or activity.

PUP:
- Potentially Unwanted Program.
- Often bundled with other installs.
- May include adware, toolbars, or browser hijackers.

## Security Tools

Windows Recovery Environment:
- Used when Windows will not start normally or malware blocks normal repair.
- Powerful and risky.
- Last-resort style tool for boot repair, command prompt, service/device startup changes, or file replacement.

Antivirus/anti-malware:
- Detects, blocks, quarantines, and removes malware.
- Should use real-time protection and updated definitions.

EDR:
- Endpoint Detection and Response.
- Detects behavior, investigates endpoint threats, and can isolate/quarantine/respond.

MDR:
- Managed Detection and Response.
- Third-party managed service that monitors and responds to EDR/security events.

XDR:
- Extended Detection and Response.
- Correlates endpoint, network, cloud, and other security data.

Email security gateway:
- Filters inbound/outbound email.
- Blocks phishing, malware, spam, and suspicious attachments before they reach users.

Software firewall:
- Monitors and controls local network communication.
- Can stop malware from calling out.

Anti-phishing training:
- Teaches users to identify phishing and social engineering.
- Important because technology alone cannot stop every attack.

End-user education:
- Broader security awareness: links, downloads, reporting, password hygiene, safe behavior.

OS reinstallation/reimage:
- Most reliable way to remove severe or persistent malware.
- Must ensure backups/images are clean.
## Tool Matching Shortcut

- Email threat before user sees it: **email security gateway**
- Suspicious endpoint behavior: **EDR**
- Outsourced endpoint monitoring: **MDR**
- Endpoint plus network/cloud correlation: **XDR**
- Local app calling out unexpectedly: **software firewall**
- Persistent/rootkit/severe infection: **reimage/reinstall**
- User keeps clicking bad links: **anti-phishing training**
- Windows will not boot or malware blocks repair: **Windows RE**

## Commands To Enter

Windows inspection commands:

```powershell
# windowsdefender: is a URI, not an executable, so launch it with Start-Process.
# From the Run dialog (Win+R) you can type windowsdefender: directly.
Start-Process "windowsdefender:"
```

What it does:
- Opens Windows Security.
- Use it to check Virus & threat protection.

```powershell
taskmgr
```

What it does:
- Opens Task Manager.
- Use it to look for high CPU, memory, disk, or suspicious processes.

```powershell
resmon
```

What it does:
- Opens Resource Monitor.
- Gives more detailed live CPU, memory, disk, and network activity.

```powershell
eventvwr.msc
```

What it does:
- Opens Event Viewer.
- Use it to inspect logs for crashes, service issues, and security-related events.

```powershell
# -a all connections and listening ports, -n numeric addresses, -o owning process ID
netstat -ano
```

What it does:
- Shows active connections/listening ports and process IDs.
- Useful for spotting unexpected network connections.

```powershell
# The CPU property is cumulative processor time in seconds since the process started, not a live percentage
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
```

What it does:
- Lists the top processes by CPU use in PowerShell.

Linux inspection commands:

```bash
top
```

What it does:
- Shows live process/resource usage.

```bash
ps aux
```

What it does:
- Lists running processes.

```bash
# -t tcp, -u udp, -l listening only, -p owning process (needs root), -n numeric ports
ss -tulpn
```

What it does:
- Shows listening network sockets and associated processes when permissions allow.

```bash
# -p err shows priority err and higher (err, crit, alert, emerg)
journalctl -p err
```

What it does:
- Shows systemd journal errors.

macOS, if available:

```bash
top
ps aux
```

What it does:
- Shows running processes and resource usage.

## Mini Lab

Goal:
- Practice safe inspection and tool selection.

Windows:
1. Open Windows Security with `windowsdefender:`.
2. Check whether Virus & threat protection is enabled.
3. Open Task Manager with `taskmgr`.
4. Sort by CPU and memory.
5. Open Resource Monitor with `resmon`.
6. Run `netstat -ano`.
7. Record:
   - Antivirus status:
   - Highest CPU process:
   - Any listening ports:
   - One unexpected thing you would investigate further:

Linux:
1. Run `top`, then press `q`.
2. Run `ps aux`.
3. Run `ss -tulpn`.
4. Run `journalctl -p err`.
5. Record:
   - Highest CPU process:
   - One listening service:
   - One error log theme:

Tabletop scenarios:
- Files are encrypted and a payment note appears.
- Browser homepage changes and toolbars appear after installing free software.
- CPU is high even when no apps are open.
- A system keeps reinfecting after cleanup.
- Users are receiving malicious attachments by email.

For each scenario, identify:
- Malware type or likely issue
- Best tool or response
- What evidence you would collect

## Quick Check Before Quiz

You are ready for the SEC-4 quiz when you can answer these without looking:

- What malware encrypts user files for payment?
- What malware captures keystrokes?
- What malware hides deep in the OS?
- What tool filters malicious email?
- What is the difference between EDR, MDR, and XDR?
- When is reimage/reinstall the right answer?
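The Linux half of the Mini Lab asks you to record the highest CPU process, a listening service, and an error log theme from `ps aux`, `ss -tulpn` and `journalctl -p err`. The script below is an added example, not part of the original study notes: it parses constructed sample output from those three commands (the process names, PIDs, port 5555 and the allowlist of expected services are all made up for the example) and fills in the lab's record card, including the cross-check a technician would do first: a process that is both the top CPU consumer and an unexpected listener.

```bash
#!/usr/bin/env bash
# Added example for the SEC-4 Linux Mini Lab. All sample text below is
# constructed, not captured from a real host, so the script runs offline.
# On a live system, pipe the real command output into the same functions:
#   ps aux | top_cpu_process ; ss -tulpn | unexpected_listeners

# Constructed `ps aux` output. PID 2044 stands in for an unknown process
# burning CPU (the cryptominer clue from the notes).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 169000 11000 ? Ss 09:00 0:01 /sbin/init
www-data 812 2.3 1.2 250000 48000 ? S 09:01 0:12 nginx: worker process
user 2044 97.5 3.8 812000 150000 ? R 09:30 45:10 ./update-helper
user 2100 0.4 0.5 30000 9000 pts/0 Ss 09:31 0:00 bash'

# Constructed `ss -tulpn` output. The Process column is only filled in
# when ss runs with enough privilege.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=800,fd=6))
tcp LISTEN 0 128 0.0.0.0:5555 0.0.0.0:* users:(("update-helper",pid=2044,fd=5))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=500,fd=12))'

# Constructed `journalctl -p err` output (203.0.113.7 is a documentation address).
SAMPLE_JOURNAL='Mar 03 09:02:11 host systemd[1]: Failed to start Apply Kernel Variables.
Mar 03 09:15:40 host sshd[640]: error: maximum authentication attempts exceeded for root from 203.0.113.7
Mar 03 09:16:02 host sshd[640]: error: maximum authentication attempts exceeded for admin from 203.0.113.7
Mar 03 09:31:05 host kernel: update-helper[2044]: segfault at 0 ip 000055d1 sp 00007ffd error 4'

# Highest %CPU process from ps output on stdin: prints "PID %CPU COMMAND".
top_cpu_process() {
  awk 'BEGIN { max = -1 }
       NR > 1 && ($3 + 0) > max { max = $3 + 0; best = $2 " " $3 " " $11 }
       END { print best }'
}

# Listening sockets from ss output on stdin: prints "PROTO PORT PROCESS PID".
# Port is the last colon-separated field of the local address; process name
# and pid are pulled out of the users:(("name",pid=N,fd=M)) column.
listening_sockets() {
  awk 'NR > 1 {
    n = split($5, a, ":"); port = a[n]
    proc = "-"; pid = "-"
    if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
    if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
    print $1, port, proc, pid
  }'
}

# Listening sockets whose process is not on the expected-services list.
# The default allowlist is constructed for this example; on a real host,
# build it from the machine's documented role.
unexpected_listeners() {
  allow="${1:-sshd nginx systemd-resolve}"
  listening_sockets | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($3 in ok) { print }'
}

# Count journal errors per source program so the lab's "one error log theme"
# is simply the first line of the output.
error_log_themes() {
  awk '{ src = $5; sub(/\[.*$/, "", src); sub(/:$/, "", src); count[src]++ }
       END { for (s in count) print count[s], s }' | sort -rn
}

# Cross-check: a PID that is both the top CPU consumer and an unexpected
# listener is the "one unexpected thing you would investigate further".
suspicious_pids() {
  ps_text="$1"; ss_text="$2"
  top_pid="$(printf '%s\n' "$ps_text" | top_cpu_process | awk '{ print $1 }')"
  printf '%s\n' "$ss_text" | unexpected_listeners | awk -v p="$top_pid" '$4 == p { print $4 }'
}

# Fill in the lab's record card from the constructed samples.
triage_report() {
  printf 'Highest CPU process: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | top_cpu_process)"
  printf 'Listening services:\n'
  printf '%s\n' "$SAMPLE_SS" | listening_sockets | sed 's/^/  /'
  printf 'Unexpected listeners:\n'
  printf '%s\n' "$SAMPLE_SS" | unexpected_listeners | sed 's/^/  /'
  printf 'Top error theme: %s\n' "$(printf '%s\n' "$SAMPLE_JOURNAL" | error_log_themes | head -n 1)"
  printf 'Investigate first (PID): %s\n' "$(suspicious_pids "$SAMPLE_PS" "$SAMPLE_SS")"
}

triage_report
```

The allowlist approach is the point: `ss -tulpn` output is only useful once you know what is supposed to be listening, so the report flags the unknown `update-helper` on port 5555 rather than the expected sshd, nginx and resolver sockets, and the journal count surfaces the repeated sshd authentication errors as the theme to note.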