MOCK QUESTIONS
What are the most asked SOC interview questions for Analysts and Engineers?
Part A: Phishing Email and External Drive
Part B: Phishing Email
Part A: SYN, SYN-ACK, and ACK
Part B: To establish a connection (TCP is connection-oriented)
Attackers hide behind legitimate programs and tools: they live off the legitimate programs already on your systems to carry out the attack. PowerShell is a good example of living off the land, where bad actors use it to write malicious scripts or commands that compromise your system and achieve their objectives.
ENCODING – Changing data from one format to another so that the data is usable by a different system. It is not a way to secure data, because no key is needed to reverse it. In terms of the CIA triad, encoding supports availability.
ENCRYPTION – Using a key to secure data by changing readable text into an unreadable format. Encryption is a two-way function: you can encrypt and decrypt. It turns plain text (clear text) into cipher text (unreadable text). Encryption uses this two-way function to ensure confidentiality in terms of the CIA triad. The purpose of encryption is to hide data.
HASHING – A unique value calculated from a file by a one-way function, used to verify the integrity or reputation of the file. In terms of the CIA triad, hashing ensures integrity.
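The three definitions above are easiest to tell apart by running them side by side. The following is an added example, not code from the original page: it encodes, encrypts and hashes one constructed message and reports which operations can be reversed and under what condition. The encryption routine is an illustrative stream cipher built from HMAC-SHA256 in counter mode, chosen so the example needs only the standard library; a real deployment would use a vetted library cipher such as AES-GCM instead. The message, key and nonce are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed sample message and key (not from the original page).
MESSAGE = b"Ticket 4711: reset password for user alice"
KEY = hashlib.sha256(b"constructed demo key").digest()  # 32-byte demo key
NONCE = b"\x00" * 12  # fixed nonce only so the demo is repeatable; use a fresh one per message


# --- Encoding: a reversible transformation with no key. Anyone can undo it,
#     so it provides no confidentiality at all.
def encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


# --- Encryption: a two-way function that needs the key. The keystream is
#     HMAC-SHA256 over (nonce || counter); XOR with it maps plain text to
#     cipher text and, with the same key, back again.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR with the same keystream undoes the encryption.
    return encrypt(key, nonce, ciphertext)


# --- Hashing: a one-way function. It cannot be reversed, but recomputing it
#     and comparing with a stored value shows whether the data was altered.
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(digest(data), expected_hex)


def demo() -> dict:
    """Run all three transformations on MESSAGE and report what each preserves."""
    encoded = encode(MESSAGE)
    ciphertext = encrypt(KEY, NONCE, MESSAGE)
    wrong_key = hashlib.sha256(b"some other key").digest()
    return {
        "encoded": encoded,
        "encoding_is_reversible_without_key": decode(encoded) == MESSAGE,
        "ciphertext_hex": ciphertext.hex(),
        "decrypts_with_right_key": decrypt(KEY, NONCE, ciphertext) == MESSAGE,
        "decrypts_with_wrong_key": decrypt(wrong_key, NONCE, ciphertext) == MESSAGE,
        "sha256": digest(MESSAGE),
        "tampered_data_passes_check": verify_integrity(MESSAGE + b"!", digest(MESSAGE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the point of each definition: the Base64 string decodes back to the message with no key, the cipher text only decrypts with the right key, and changing a single byte of the message makes the hash check fail.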
IDS – Intrusion Detection System (a system put in place to detect intrusions and send you an alert, but it will not take action to stop or prevent the attack. It requires the analyst to investigate further to prevent the attack, or to escalate it to a higher tier for further investigation or action)
IPS – Intrusion Prevention System (a system that detects and alerts, and also takes action to block, stop, terminate, or prevent the intrusion or attack. It acts automatically and immediately when it detects an intrusion)
It is an attack whereby DNS resolves the domain name to the wrong IP address, one belonging to the attacker, so that you are led to the attacker's website instead of the real one.
Beaconing is when malware communicates with a C2 (command and control) server at regular intervals, asking for instructions or exfiltrating collected data. It takes place at the 6th stage of the attack life cycle, or intrusion kill chain, which is Command and Control.
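Because a beacon checks in on a timer, the tell-tale sign in network logs is a source/destination pair whose connections are evenly spaced, where human browsing is bursty. The following is an added detection example, not code from the original page: it groups a constructed connection log by source and destination, measures the gaps between connections, and flags pairs whose gap jitter (standard deviation divided by mean) is low. The log lines, IP addresses and thresholds are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log, one line per outbound connection (not from the page):
# "<ISO timestamp> <src_ip> <dst_ip>:<port>"
SAMPLE_CONNECTIONS = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:00:13 10.0.0.9 198.51.100.20:443
2024-05-01T10:00:41 10.0.0.9 198.51.100.20:443
2024-05-01T10:01:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:02:01 10.0.0.5 203.0.113.7:443
2024-05-01T10:03:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:04:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:07:05 10.0.0.9 198.51.100.20:443
2024-05-01T10:09:50 10.0.0.9 198.51.100.20:443
2024-05-01T10:31:00 10.0.0.9 198.51.100.20:443
"""


def parse_connections(text: str) -> dict:
    """Group connection timestamps by (src, dst:port) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(text: str, min_connections: int = 5, max_jitter: float = 0.2) -> list:
    """Flag pairs whose inter-connection intervals are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps:
    periodic check-ins score close to 0, human-driven traffic scores high.
    Both thresholds are demo values and need tuning on real traffic.
    """
    findings = []
    for (src, dst), times in parse_connections(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_CONNECTIONS):
        print(finding)
```

In the sample, 10.0.0.5 reaches 203.0.113.7 every 60 seconds give or take one second and is flagged; 10.0.0.9 connects five times too, but at irregular gaps, and is not. Real implants often add random sleep jitter to defeat exactly this check, so the threshold has to be loosened or paired with other signals (new destination, odd hours, constant byte counts) rather than used alone.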
Vulnerability – The weakness or flaw in a system, or a gap in the effort to protect a system.
Threat – The attacker or threat actor exploiting the vulnerability, flaw, or weakness in the system.
Risk – The potential loss or impact if that vulnerability is exploited by a threat.
Part A: HTTP Status Codes
Part B:
Status Code 200 (2xx range): Success
Status Code 300 (3xx range): Redirects
Status Code 400 (4xx range): Client-side error
Status Code 500 (5xx range): Server-side error
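An analyst rarely looks at one status code; the useful view is how the codes are distributed per client. The following is an added example, not code from the original page: it parses a constructed web server access log in Common Log Format, classifies each status code into the ranges listed above, and flags clients whose requests are mostly client-side errors, a pattern that a high rate of 404s from one address produces. The log lines, addresses, paths and thresholds are constructed for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed access log in Common Log Format (not from the page).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.10 - - [01/May/2024:10:00:05 +0000] "GET /about HTTP/1.1" 301 0
203.0.113.10 - - [01/May/2024:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 2048
198.51.100.4 - - [01/May/2024:10:00:10 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.4 - - [01/May/2024:10:00:11 +0000] "GET /old-site HTTP/1.1" 404 153
198.51.100.4 - - [01/May/2024:10:00:12 +0000] "GET /config HTTP/1.1" 404 153
198.51.100.4 - - [01/May/2024:10:00:13 +0000] "GET /login HTTP/1.1" 200 900
203.0.113.10 - - [01/May/2024:10:00:20 +0000] "POST /api/order HTTP/1.1" 500 87
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def classify(status: int) -> str:
    """Map a status code to its range as listed in the answer above."""
    if 100 <= status < 200:
        return "informational"
    if 200 <= status < 300:
        return "success"
    if 300 <= status < 400:
        return "redirect"
    if 400 <= status < 500:
        return "client_error"
    if 500 <= status < 600:
        return "server_error"
    return "unknown"


def parse_access_log(text: str):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"ip": m["ip"], "request": m["request"], "status": int(m["status"])}


def summarize(text: str) -> Counter:
    """Count requests per status class across the whole log."""
    return Counter(classify(e["status"]) for e in parse_access_log(text))


def flag_clients(text: str, min_requests: int = 4, min_error_ratio: float = 0.5) -> list:
    """Return (ip, client_error_ratio) for clients whose traffic is mostly 4xx."""
    totals = defaultdict(int)
    errors = defaultdict(int)
    for e in parse_access_log(text):
        totals[e["ip"]] += 1
        if classify(e["status"]) == "client_error":
            errors[e["ip"]] += 1
    flagged = []
    for ip, n in totals.items():
        ratio = errors[ip] / n
        if n >= min_requests and ratio >= min_error_ratio:
            flagged.append((ip, round(ratio, 2)))
    return sorted(flagged, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_LOG))
    print(flag_clients(SAMPLE_ACCESS_LOG))
```

The 500 from 203.0.113.10 is counted as a server-side error and does not count against that client, whereas 198.51.100.4 with three 404s out of four requests is flagged. Server-side errors deserve their own alert on the application side; a client-side error ratio is a signal about the client.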
Event Code 4624 means a successful sign-in (Windows Security log, "An account was successfully logged on")
Event Code 4625 means a failed sign-in (Windows Security log, "An account failed to log on")
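The reason these two event IDs come up in SOC interviews is that together they describe a password-guessing attempt: a run of 4625s from one source, possibly followed by a 4624 from the same source. The following is an added example, not code from the original page: it reads a constructed, simplified export of Security log events, keeps a sliding window of failed logons per source address, flags any source that crosses a failure threshold inside the window, and records whether a successful logon from that source followed. The event lines, field layout, addresses, account names and thresholds are constructed for the demo; a real pipeline would pull the same fields (EventID, TargetUserName, IpAddress, LogonType) out of the EVTX or SIEM record.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security log events (not from the page):
# "<ISO timestamp>|<EventID>|<TargetUserName>|<IpAddress>|<LogonType>"
SAMPLE_EVENTS = """\
2024-05-01T09:58:00|4625|alice|10.0.0.8|3
2024-05-01T09:58:20|4624|alice|10.0.0.8|3
2024-05-01T10:00:00|4625|admin|10.0.0.5|3
2024-05-01T10:00:05|4625|admin|10.0.0.5|3
2024-05-01T10:00:10|4625|bob|10.0.0.5|3
2024-05-01T10:00:15|4625|bob|10.0.0.5|3
2024-05-01T10:00:20|4625|bob|10.0.0.5|3
2024-05-01T10:00:25|4625|bob|10.0.0.5|3
2024-05-01T10:01:30|4624|bob|10.0.0.5|3
"""


def parse_events(text: str) -> list:
    """Parse the pipe-delimited export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip, logon_type = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(event_id),
            "user": user,
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_failed_logon_bursts(text: str, threshold: int = 5, window_minutes: int = 5) -> list:
    """Flag sources with >= threshold 4625 events inside a sliding window.

    For each flagged source the finding also records the accounts that were
    tried and the first account that produced a 4624 afterwards, if any.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # source ip -> timestamps of 4625s inside the window
    tried = defaultdict(set)      # source ip -> accounts that failed
    findings = {}                 # source ip -> finding dict
    for ev in parse_events(text):
        src = ev["ip"]
        if ev["id"] == 4625:
            q = recent[src]
            q.append(ev["time"])
            tried[src].add(ev["user"])
            while ev["time"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {"src": src, "failures": 0,
                                              "accounts": set(), "success_after_burst": None})
                f["failures"] = max(f["failures"], len(q))
                f["accounts"] = set(tried[src])
        elif ev["id"] == 4624 and src in findings and findings[src]["success_after_burst"] is None:
            # A 4624 from a source already flagged: the guessing may have worked.
            findings[src]["success_after_burst"] = ev["user"]
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_failed_logon_bursts(SAMPLE_EVENTS):
        print(finding)
```

In the sample, 10.0.0.8 produces one failure followed by a success, which is what a mistyped password looks like and is not flagged; 10.0.0.5 produces six failures across two accounts within 25 seconds and then a 4624 for `bob`, which is the finding to escalate. Logon type is carried through because it changes the story (type 3 is network, type 10 is remote interactive), even though this demo does not filter on it.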
CIA – Confidentiality, Integrity, Availability
Encryption ensures confidentiality
Hashing ensures integrity
Redundancy and backups ensure availability
Fileless malware, unlike traditional malware, is malicious software that uses legitimate programs to infect a computer. It does not rely on files written to disk, so it leaves little footprint, making it difficult to detect and remove. To avoid suspicion, fileless malware runs inside trusted, whitelisted applications such as PowerShell and the Windows Script Host executables wscript.exe and cscript.exe, or inside the operating system itself, to start malicious processes. These attacks abuse the trust model of security applications that do not monitor whitelisted programs. One way to defend against fileless infections is simply to keep your software up to date and to have EDR tools that detect irregular activity from PowerShell, since traditional anti-virus cannot detect it because it operates in memory. Without being stored in a file or installed directly on the machine, fileless infections go straight into memory, and the malicious content never touches the hard drive.
1. Include the 5 Ws – Who, When, Where, What and Why
2. Include details of the incident and the artifacts collected
3. Include all your IOCs (indicators of compromise)
First, compress the data to make it smaller. Second, encrypt the data to hide it (make it confidential), then send it. The reason you compress before encrypting is to get a better compression ratio: compression (zipping) looks for common strings of characters and reduces them to the minimum number of characters possible, and the most common character in a document is the white space or blank space. So when the data is compressed, the repeated white space is removed to get a good compression ratio, which is not possible with encrypted text or cipher text because it has no repeated patterns left.
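The ordering argument above is easy to confirm by measurement. The following is an added example, not code from the original page: it takes a constructed, repetitive text document, runs compress-then-encrypt and encrypt-then-compress, and reports the resulting sizes. Encryption here is a one-time pad (XOR with a fresh random pad of the same length), which is a genuine cipher when the pad is random and never reused and keeps the example to the standard library; the sample text is constructed for the demo.

```python
import secrets
import zlib

# Constructed sample document: repetitive text with plenty of spaces (not from the page).
SAMPLE_TEXT = ("2024-05-01 10:00:00 INFO  user=alice action=login result=ok      \n" * 40).encode()


def one_time_pad(data: bytes) -> tuple:
    """Encrypt by XOR with a fresh random pad; the pad is the key and must never be reused."""
    pad = secrets.token_bytes(len(data))
    return bytes(d ^ p for d, p in zip(data, pad)), pad


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; lower means better compression."""
    return len(zlib.compress(data, 9)) / len(data)


def compare_orders(data: bytes = SAMPLE_TEXT) -> dict:
    """Size of the payload sent under each ordering of the two steps."""
    # Compress then encrypt: the compressor sees the repetitive plain text.
    compressed = zlib.compress(data, 9)
    sent_compress_first, _ = one_time_pad(compressed)
    # Encrypt then compress: the compressor sees random-looking bytes and
    # finds nothing to shrink, so the output is at least as large as the input.
    ciphertext, _ = one_time_pad(data)
    sent_encrypt_first = zlib.compress(ciphertext, 9)
    return {
        "original_bytes": len(data),
        "compress_then_encrypt_bytes": len(sent_compress_first),
        "encrypt_then_compress_bytes": len(sent_encrypt_first),
        "plaintext_ratio": round(compression_ratio(data), 3),
        "ciphertext_ratio": round(compression_ratio(ciphertext), 3),
    }


if __name__ == "__main__":
    for name, value in compare_orders().items():
        print(f"{name}: {value}")
```

On the sample the compress-first payload is a small fraction of the original, while the encrypt-first payload is slightly larger than the original because the compressor can only emit the random bytes as a stored block with framing overhead. One caveat a practitioner should keep in mind: the size of a compressed-then-encrypted payload still depends on the plain text, so the length itself leaks some information about the content.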