comptia-a-plus-core2/notes/SEC-4-malware-security-tools.md

SEC-4: Malware and Security Tools

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.4 Malware and security tools

What You Need To Know

Malware questions usually ask you to identify the type of malware or choose the right security tool.

Do not memorize only definitions. Tie each malware type to its behavior.

Memory Trick

Use RATS-VCK-BFP:

  • Ransomware: ransom after encryption
  • Adware/PUP: ads or unwanted extras
  • Trojan: tricks you by pretending to be useful
  • Spyware/stalkerware: surveillance
  • Virus: needs execution and can replicate
  • Cryptominer: steals CPU/GPU cycles
  • Keylogger: captures keystrokes
  • Boot sector virus: starts before/with OS boot
  • Fileless malware: lives in memory
  • Persistent/rootkit: hides deep in the system

Malware Types

Trojan:

  • Pretends to be legitimate software.
  • Does not need to self-replicate.
  • Often opens the door for other malware.

Rootkit:

  • Hides deep in the OS, kernel, drivers, or boot process.
  • May not appear in normal tools like Task Manager.
  • Often requires special tools or reinstall/reimage.

Virus:

  • Replicates by infecting files or systems.
  • Usually needs a program to run.

Spyware:

  • Watches user activity.
  • May track browsing, personal data, or behavior.

Ransomware:

  • Encrypts or locks user data and demands payment.
  • Strong backup strategy is critical.

Keylogger:

  • Captures keystrokes.
  • Can steal passwords even when websites use encryption, because keys are captured before the browser encrypts them.

Cryptominer:

  • Uses CPU/GPU resources to mine cryptocurrency.
  • Clue: unexplained high CPU/GPU use, heat, fan noise.

Boot sector virus:

  • Infects boot code.
  • Starts before or during OS boot.
  • Secure Boot helps reduce this risk.

Fileless malware:

  • Runs from memory or trusted scripting tools.
  • Avoids writing a normal malware file to disk.

Stalkerware:

  • Surveillance software, often on mobile devices.
  • Tracks location, messages, microphone, camera, screenshots, or activity.

PUP:

  • Potentially Unwanted Program.
  • Often bundled with other installs.
  • May include adware, toolbars, or browser hijackers.

Security Tools

Windows Recovery Environment:

  • Used when Windows will not start normally or malware blocks normal repair.
  • Powerful and risky.
  • Last-resort tool for boot repair, command prompt, service/device startup changes, or file replacement.

Antivirus/anti-malware:

  • Detects, blocks, quarantines, and removes malware.
  • Should use real-time protection and updated definitions.

EDR:

  • Endpoint Detection and Response.
  • Detects behavior, investigates endpoint threats, and can isolate/quarantine/respond.

MDR:

  • Managed Detection and Response.
  • Third-party managed service that monitors and responds to EDR/security events.

XDR:

  • Extended Detection and Response.
  • Correlates endpoint, network, cloud, and other security data.

Email security gateway:

  • Filters inbound/outbound email.
  • Blocks phishing, malware, spam, and suspicious attachments before reaching users.

Software firewall:

  • Monitors and controls local network communication.
  • Can stop malware from calling out.

Anti-phishing training:

  • Teaches users to identify phishing and social engineering.
  • Important because technology alone cannot stop every attack.

End-user education:

  • Broader security awareness: links, downloads, reporting, password hygiene, safe behavior.

OS reinstallation/reimage:

  • Most reliable way to remove severe or persistent malware.
  • Must ensure backups/images are clean.

Tool Matching Shortcut

  • Email threat before user sees it: email security gateway
  • Suspicious endpoint behavior: EDR
  • Outsourced endpoint monitoring: MDR
  • Endpoint plus network/cloud correlation: XDR
  • Local app calling out unexpectedly: software firewall
  • Persistent/rootkit/severe infection: reimage/reinstall
  • User keeps clicking bad links: anti-phishing training
  • Windows will not boot or malware blocks repair: Windows RE

Commands To Enter

Windows inspection commands:

windowsdefender:

What it does:

  • Opens Windows Security (the trailing colon is part of the command: it is a URI that Windows hands to the Windows Security app).
  • Use it to check Virus & threat protection.

taskmgr

What it does:

  • Opens Task Manager.
  • Use it to look for high CPU, memory, disk, or suspicious processes.

resmon

What it does:

  • Opens Resource Monitor.
  • Gives more detailed live CPU, memory, disk, and network activity.

eventvwr.msc

What it does:

  • Opens Event Viewer.
  • Use it to inspect logs for crashes, service issues, and security-related events.

netstat -ano

What it does:

  • Shows active connections/listening ports and process IDs.
  • Useful for spotting unexpected network connections; match the PID column against Task Manager to find the owning process.

Get-Process | Sort-Object CPU -Descending | Select-Object -First 10

What it does:

  • Lists the top processes by CPU use in PowerShell (CPU here is total processor seconds consumed, not the current percentage).

Linux inspection commands:

top

What it does:

  • Shows live process/resource usage.

ps aux

What it does:

  • Lists running processes.

ss -tulpn

What it does:

  • Shows listening TCP/UDP sockets and their associated processes when permissions allow (without root, the process column is blank for sockets owned by other users).

journalctl -p err

What it does:

  • Shows systemd journal entries at priority err or more severe.

macOS, if available:

top
ps aux

What it does:

  • Shows running processes and resource usage.

Mini Lab

Goal:

  • Practice safe inspection and tool selection.

Windows:

  1. Open Windows Security with windowsdefender:.
  2. Check whether Virus & threat protection is enabled.
  3. Open Task Manager with taskmgr.
  4. Sort by CPU and memory.
  5. Open Resource Monitor with resmon.
  6. Run netstat -ano.
  7. Record:
    • Antivirus status:
    • Highest CPU process:
    • Any listening ports:
    • One unexpected thing you would investigate further:

Linux:

  1. Run top, then press q.
  2. Run ps aux.
  3. Run ss -tulpn.
  4. Run journalctl -p err.
  5. Record:
    • Highest CPU process:
    • One listening service:
    • One error log theme:
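The Linux inspection commands and the Linux Mini Lab above ask you to pull three answers out of `ps aux` and `ss -tulpn` by eye. The following script, added here as an example and not part of the original notes, does that extraction with awk and also flags listeners bound to a wildcard address, which are the ones worth checking first. The `ps`/`ss` output it parses is a constructed sample, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the original notes): extract the Linux Mini Lab answers
# (highest CPU process, listening services, something to investigate) from
# `ps aux` and `ss -tulpn` output. Each function reads that output on stdin, so
# it works on a live system or on a saved capture.

# Highest %CPU process. ps aux columns: USER PID %CPU %MEM ... COMMAND (field 11).
top_cpu_process() {
    awk 'NR > 1 && NF > 0 && $3 + 0 > max { max = $3 + 0; pid = $2; cmd = $11 }
         END { print pid, max, cmd }'
}

# Every listening socket with its owning process. ss -tulpn columns:
# Netid State Recv-Q Send-Q Local Peer Process. Without root, ss cannot map
# other users' sockets to a process and leaves the Process column empty.
listening_sockets() {
    awk 'NR > 1 && NF > 0 { proc = ($7 == "") ? "(process hidden: rerun as root)" : $7
                            print $1, $5, proc }'
}

# Listeners bound to a wildcard address are reachable from the network, so they
# are the first thing to compare against what the host is supposed to run.
exposed_listeners() {
    awk 'NR > 1 && NF > 0 && $5 ~ /^(0\.0\.0\.0|\[::\]|\*):/ { print $1, $5 }'
}

# Constructed sample output (not captured from a real host) for offline runs.
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 09:00 0:01 /sbin/init
alice 2412 3.5 2.0 900000 160000 ? Sl 09:05 0:40 /usr/bin/firefox
alice 3190 97.2 0.4 120000 30000 ? R 09:20 12:11 ./cache-helper'
SS_SAMPLE='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=610,fd=13))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
tcp LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=720,fd=7))'

# Run with --live to inspect the current system; otherwise the sample is used.
lab_report() {
    if [ "${1:-}" = "--live" ]; then
        ps_out=$(ps aux); ss_out=$(ss -tulpn 2>/dev/null)
    else
        ps_out=$PS_SAMPLE; ss_out=$SS_SAMPLE
    fi
    echo "Highest CPU process: $(printf '%s\n' "$ps_out" | top_cpu_process)"
    echo "Listening sockets:";  printf '%s\n' "$ss_out" | listening_sockets
    echo "Exposed listeners:";  printf '%s\n' "$ss_out" | exposed_listeners
}
lab_report "$@"
```

In the sample, the 97% CPU process with a generic name and the wildcard listener on 8081 with no visible owner are the "one unexpected thing to investigate further" the lab asks for.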

Tabletop scenarios:

  • Files are encrypted and a payment note appears.
  • Browser homepage changes and toolbars appear after installing free software.
  • CPU is high even when no apps are open.
  • A system keeps reinfecting after cleanup.
  • Users are receiving malicious attachments by email.

For each scenario, identify:

  • Malware type or likely issue
  • Best tool or response
  • What evidence you would collect

Quick Check Before Quiz

You are ready for the SEC-4 quiz when you can answer these without looking:

  • What malware encrypts user files for payment?
  • What malware captures keystrokes?
  • What malware hides deep in the OS?
  • What tool filters malicious email?
  • What is the difference between EDR, MDR, and XDR?
  • When is reimage/reinstall the right answer?