275 lines
6.6 KiB
Markdown
# SEC-4: Malware and Security Tools

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.4 Malware and security tools

## What You Need To Know

Malware questions usually ask you to identify the type of malware or choose the right security tool.

Do not memorize only definitions. Tie each malware type to its behavior.

## Memory Trick

Use **RATS-VCK-BFP**:

- **R**ansomware: ransom after encryption
- **A**dware/PUP: ads or unwanted extras
- **T**rojan: tricks you by pretending to be useful
- **S**pyware/stalkerware: surveillance
- **V**irus: needs execution and can replicate
- **C**ryptominer: steals CPU/GPU cycles
- **K**eylogger: captures keystrokes
- **B**oot sector virus: starts before/with OS boot
- **F**ileless malware: lives in memory
- **P**ersistent/rootkit: hides deep in the system

## Malware Types

Trojan:

- Pretends to be legitimate software.
- Does not need to self-replicate.
- Often opens the door for other malware.

Rootkit:

- Hides deep in the OS, kernel, drivers, or boot process.
- May not appear in normal tools like Task Manager.
- Often requires special tools or a reinstall/reimage.

Virus:

- Replicates by infecting files or systems.
- Usually needs its host program to be run before it can act.

Spyware:

- Watches user activity.
- May track browsing, personal data, or behavior.

Ransomware:

- Encrypts or locks user data and demands payment.
- A strong backup strategy is critical.

Keylogger:

- Captures keystrokes.
- Can steal passwords even when websites use encryption, because it captures the keys before they are encrypted for transmission.

Cryptominer:

- Uses CPU/GPU resources to mine cryptocurrency.
- Clue: unexplained high CPU/GPU use, heat, and fan noise.

Boot sector virus:

- Infects boot code.
- Starts before or during OS boot.
- Secure Boot helps reduce this risk.

Fileless malware:

- Runs from memory or trusted scripting tools.
- Avoids writing a normal malware file to disk.
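
As an added example (not part of this study guide), a Linux check that follows from the second bullet: a process that runs only from memory, or whose binary was removed after it started, still has a live `/proc/<pid>/exe` link, and the kernel marks the link target with ` (deleted)`. The `make_sample_proc` helper, PID 4242 and the `/tmp/.cache/kworkerd` name are constructed for the demonstration; point `deleted_exe_processes` at `/proc` on a live system.

```bash
#!/usr/bin/env bash
# Added example, not from the study guide. A program that runs only from
# memory, or that deleted its own binary after starting, still has a live
# /proc/<pid>/exe link, but the kernel appends " (deleted)" to its target.
# The proc root is a parameter so the check also runs on a constructed tree.
set -u

deleted_exe_processes() {  # $1 = proc root, default /proc
    local root="${1:-/proc}" dir pid target
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Kernel threads and processes we may not inspect have no readable exe link.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Constructed proc tree (this is NOT the real /proc): PID 1 has a normal
# binary; PID 4242 started from a file that was removed afterwards.
make_sample_proc() {  # $1 = directory to populate
    mkdir -p "$1/1" "$1/4242" "$1/self"
    ln -sfn /usr/bin/bash "$1/1/exe"
    ln -sfn "/tmp/.cache/kworkerd (deleted)" "$1/4242/exe"
}

SAMPLE=$(mktemp -d)
make_sample_proc "$SAMPLE"
echo "Processes whose executable is gone from disk (pid target):"
deleted_exe_processes "$SAMPLE"
# Caveat: a binary replaced by a package upgrade also shows "(deleted)" until
# the service restarts, so a hit is a lead to investigate, not proof of malware.
rm -rf "$SAMPLE"
```
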

Stalkerware:

- Surveillance software, often on mobile devices.
- Tracks location, messages, microphone, camera, screenshots, or activity.

PUP:

- Potentially Unwanted Program.
- Often bundled with other installs.
- May include adware, toolbars, or browser hijackers.

## Security Tools

Windows Recovery Environment:

- Used when Windows will not start normally or malware blocks normal repair.
- Powerful and risky: changes made here can leave the system unbootable.
- Last-resort style tool for boot repair, command prompt, service/device startup changes, or file replacement.

Antivirus/anti-malware:

- Detects, blocks, quarantines, and removes malware.
- Should use real-time protection and updated definitions.

EDR:

- Endpoint Detection and Response.
- Detects behavior, investigates endpoint threats, and can isolate, quarantine, or respond.

MDR:

- Managed Detection and Response.
- Third-party managed service that monitors and responds to EDR/security events.

XDR:

- Extended Detection and Response.
- Correlates endpoint, network, cloud, and other security data.

Email security gateway:

- Filters inbound/outbound email.
- Blocks phishing, malware, spam, and suspicious attachments before they reach users.

Software firewall:

- Monitors and controls the local host's network communication.
- Can block malware from making outbound connections ("calling out").

Anti-phishing training:

- Teaches users to identify phishing and social engineering.
- Important because technology alone cannot stop every attack.

End-user education:

- Broader security awareness: links, downloads, reporting, password hygiene, safe behavior.

OS reinstallation/reimage:

- Most reliable way to remove severe or persistent malware.
- Must ensure backups/images are clean before restoring from them.

## Tool Matching Shortcut

- Email threat before user sees it: **email security gateway**
- Suspicious endpoint behavior: **EDR**
- Outsourced endpoint monitoring: **MDR**
- Endpoint plus network/cloud correlation: **XDR**
- Local app calling out unexpectedly: **software firewall**
- Persistent/rootkit/severe infection: **reimage/reinstall**
- User keeps clicking bad links: **anti-phishing training**
- Windows will not boot or malware blocks repair: **Windows RE**

## Commands To Enter

Windows inspection commands:

```powershell
windowsdefender:
```

What it does:

- Opens Windows Security.
- Use it to check Virus & threat protection.
- It is a URI rather than an executable name, so the Run dialog (Win+R) is the simplest place to enter it.

```powershell
taskmgr
```

What it does:

- Opens Task Manager.
- Use it to look for high CPU, memory, or disk use and suspicious processes.

```powershell
resmon
```

What it does:

- Opens Resource Monitor.
- Gives more detailed live CPU, memory, disk, and network activity.

```powershell
eventvwr.msc
```

What it does:

- Opens Event Viewer.
- Use it to inspect logs for crashes, service issues, and security-related events.

```powershell
netstat -ano
```

What it does:

- Shows active connections, listening ports, and the owning process IDs.
- Useful for spotting unexpected network connections; match the PID against the Details tab in Task Manager to find the process.

```powershell
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
```

What it does:

- Lists the top processes by CPU use in PowerShell.
- The CPU value is total processor time in seconds since the process started, not a live percentage, so a long-running process can rank high without being busy right now.

Linux inspection commands:

```bash
top
```

What it does:

- Shows live process/resource usage.

```bash
ps aux
```

What it does:

- Lists running processes.

```bash
ss -tulpn
```

What it does:

- Shows listening TCP/UDP sockets and their owning processes when permissions allow (the process column is filled only for your own processes unless you run it as root).

```bash
journalctl -p err
```

What it does:

- Shows systemd journal entries at priority err or more severe.

macOS, if available:

```bash
top
ps aux
```

What it does:

- Shows running processes and resource usage.

## Mini Lab

Goal:

- Practice safe inspection and tool selection.

Windows:

1. Open Windows Security with `windowsdefender:`.
2. Check whether Virus & threat protection is enabled.
3. Open Task Manager with `taskmgr`.
4. Sort by CPU and memory.
5. Open Resource Monitor with `resmon`.
6. Run `netstat -ano`.
7. Record:
   - Antivirus status:
   - Highest CPU process:
   - Any listening ports:
   - One unexpected thing you would investigate further:

Linux:

1. Run `top`, then press `q`.
2. Run `ps aux`.
3. Run `ss -tulpn`.
4. Run `journalctl -p err`.
5. Record:
   - Highest CPU process:
   - One listening service:
   - One error log theme:
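
An added example, not from the study guide, that fills in the Linux "Record" fields from captured `ps aux` and `ss -tulpn` output and then cross-checks the two: a high-CPU process that also holds a listening socket is the "one unexpected thing" to investigate further. The two captures, the `kworkerd` process name, the PIDs and port 4444 are all constructed sample data.

```bash
#!/usr/bin/env bash
# Added example, not from the study guide: fill in the Linux Mini Lab "Record"
# fields from captured `ps aux` and `ss -tulpn` output, so the same checks
# work on a live machine or on a capture saved during an incident.
set -u
# Constructed `ps aux` capture (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 168000 11000 ?        Ss   09:00   0:01 /sbin/init
www-data   812  1.2  0.8 250000 40000 ?        S    09:01   0:20 nginx: worker process
student   2210 97.5  2.1 900000 88000 ?        Rl   09:30  45:10 /tmp/.cache/kworkerd
student   2301  0.3  0.5 120000 20000 pts/0    Ss   09:40   0:00 -bash'

# Constructed `ss -tulpn` capture; the Process column is only filled when permissions allow.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*   users:(("systemd-resolve",pid=640,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*   users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:4444       0.0.0.0:*   users:(("kworkerd",pid=2210,fd=4))'

# "Highest CPU process": the COMMAND (fields 11..NF) of the row with the largest %CPU.
top_cpu_process() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 + 0 > max { max = $3 + 0; cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i } END { print cmd }'
}

# PIDs above a %CPU threshold: the cryptominer clue (sustained load with no user app open).
high_cpu_pids() {  # $1 = ps capture, $2 = threshold in percent
    printf '%s\n' "$1" | awk -v t="$2" 'NR > 1 && $3 + 0 > t { print $2 }'
}

# "One listening service": protocol, port and owning process for every socket ss reports.
listening_services() {
    printf '%s\n' "$1" | awk '$2 == "LISTEN" || $2 == "UNCONN" {
        n = split($5, a, ":"); match($0, /"[^"]+"/)
        print $1, a[n], substr($0, RSTART + 1, RLENGTH - 2) }'
}

# Cross-check: a high-CPU process that also holds a listening socket is the
# "one unexpected thing" to investigate further before any cleanup.
flag_high_cpu_listeners() {  # $1 = ps capture, $2 = ss capture, $3 = threshold
    for pid in $(high_cpu_pids "$1" "$3"); do
        printf '%s\n' "$2" | grep -F "pid=$pid," | awk -v p="$pid" '{ n = split($5, a, ":"); print p, a[n] }'
    done
}

echo "Highest CPU process: $(top_cpu_process "$PS_SAMPLE")"
echo "Listening services (proto port process):"; listening_services "$SS_SAMPLE"
echo "High-CPU listeners (pid port):"; flag_high_cpu_listeners "$PS_SAMPLE" "$SS_SAMPLE" 50
```

To use it on a real capture, replace the two sample strings with the saved output of the commands from the lab steps above.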

Tabletop scenarios:

- Files are encrypted and a payment note appears.
- Browser homepage changes and toolbars appear after installing free software.
- CPU is high even when no apps are open.
- A system keeps reinfecting after cleanup.
- Users are receiving malicious attachments by email.

For each scenario, identify:

- Malware type or likely issue
- Best tool or response
- What evidence you would collect

## Quick Check Before Quiz

You are ready for the SEC-4 quiz when you can answer these without looking:

- What malware encrypts user files for payment?
- What malware captures keystrokes?
- What malware hides deep in the OS?
- What tool filters malicious email?
- What is the difference between EDR, MDR, and XDR?
- When is reimage/reinstall the right answer?