[CERTMaster]
- logic bomb- a malicious program or script set to run under particular circumstances or in response to a
defined event, such as the admin's account becoming disabled.
- a worm - a type of virus that spreads through memory and network connections, rather than infecting files.
Also defined as memore-resident viruses that replicate over network resources. **Note: the primary
effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates.
- Remote access trojan (RAT) - functions as a backdoor and allows the attacker to access the PC, upload files,
and install software on it. **Also referred to as Rat backdoor applications - see CLC definition for more
- Mine - a scripted trap that runs in the event an account gets deleted or disabled. Anti-virus software is unlikely
to detect this kind of malicious script or program, so the security specialist would not be able to discover the
script during an investigation. The security specialist would uncover the mine once it gets executed and
causes damage.
- Rootkit - a backdoor malware that changes core system files and programming interfaces so that local shell
processes no longer reveal their presence.
- Trojan - a malicious program hidden within an innocuous-seeming piece of software. Usually, the
Trojan tries to compromise the security of the target computer.
- Adware - this software type can have a negative impact on performance & can include accepting a long
license agreement.
- Crypto-malware - a class of ransomware that attempts to encrypt data files. The user will be unable to access
the files without obtaining the private encryption key, held by the attacker.
- Spyware- a program that monitors user activity and sends the information to someone else. This can occur with
or without the user's knowledge
- Smurf Attack - the adversary spoofs the victim's IP address and pings the broadcast address of a third-party
network. Each host directs its echo responses to the victim server.
DDoS attack- a DoS launched from multiple, compromised computers. Handlers compromise multiple zombie
(agent) PC's with DoS tools (bots), forming a botnet.
mass-mail spam attack -
Trojan Horse Malware -
Skimming - using a counterfeit card reader to capture card details, which can then program a duplicate
Password spraying - a horizontal brute-force online attack. This means that the attacker chooses one
or more common passwords (for example, "password" or 123456) and tries to use them in conjunction with
multiple usernames.
Card cloning - refers to making one or more copies of an existing card.
Malicious charging - an attacker can place a malicious plug or charging cable in public locations to gain access to
a device connected to it.
Birthday attack - a type of brute force attack aimed at exploiting collisions in hash functions. A collision is where
a function produces the same hash value for 2 different plaintexts.
How to protect against birthday attacks:
- Encryption algorithms
- demonstrating collision avoidance
Pass-the-Hash attack - If an attacker obtains the hash of a user's password, it is possible to authenticate with
the hash, without cracking it.
Man-in-the-Middle (MitM) - a form of eaves dropping in which the attacker makes an independent connection
between two victims and steals information to use fraudently.
a downgrade attack - can facilitate a MitM by requesting that the serves use a lower specification protocol with
weaker ciphers and key lengths.
Computer Bots - those computers that the attacker has infected with a backdoor exploit with a connection to
the C2 host or network. These bots can work individually or in unison.
Command & Control (C2 or C&C) - a host or network that can manage and control the various bots remotely.
a rainbow table attack - a password attack that allows an attacker to use a set of plaintext passwords and
their hashes to crack passwords. **passwords not "Salted" with a random value make the ciphertext
vulnerable to this type of attack.
Dictionary attack - when software enumerates values in a dictionary wordlist. Enforcing password complexity
makes passwords difficult to guess and copromise. Varying the characters in the password makes it more
resistant to these attacks.
A hybrid password - will target against naively strong passwords. The password cracking algorithm tests
dictionary words and names in combination with numeric prefixes and/or suffixes.
Potentially Unwanted Program (PUP) - also called potentially unwanted applications (PUA). Software installed
alongside a package or from a computer store that the user did not request
virus - Malware that is not necessarily hidden and very noticeable by virus scanners. These usually come in the
form of (.exe) or Dynamic-link Library (DLL) files.
[CLC website: Types of Malware]
- Viruses
- worms
- trojans
- RATS - remote access trojans
- Common Vulnerabilites:
- national vulnerability database: nvd.nist.gov
- Ransomeware
- Cryptomalware
- Bots and Botnets
- Backdoors
- Rootkits
- Logic Bombs
- Keyloggers
- Stegomalware
- Polymorphic Packers
[CERTMaster]
- SYN flood attack -cause resource exhaustion on the host's processing requests, consuming CPU cycles, and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely
- A DoS attack causes a service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).
- A more powerful TCP SYN flood attack is a DRDoS or amplification attack, where the adversary spoofs the victim's IP address and attempts to open connections with multiple servers.
- Packet filtering is a Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept.
- Memory leaks in the OS kernel are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.
- DLL injection is not a vulnerability, but of the way the operating system allows one process to attach to another, and then force it to load a malicious link library.
- If the pointer that references an object at a memory location was set to a null value by a malicious process, then this can create a null pointer exception, causing instability and crashes.
- A pointer is a reference to an object in memory. Attempting to access that memory address is called dereferencing. An integer is a positive or negative whole number.
- Race conditions occur when the outcome from execution processes is dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended. A TOCTTOU vulnerability will take advantage of this timing to modify data before finally using it; occurs when multiple threads are attempting to write at the same memory location. Attackers have used race conditions as an anti-virus evasion technique. An integer is a positive or negative whole number.
- Refactoring means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.
- A race condition is a software vulnerability that occurs when the execution processes are dependent on the timing of certain events, and those events fail to execute in the order and timing intended.
- Overflow - Many improper input handling attacks, described as an overflow type, occurs when the attacker submits input that is larger than the variables assigned by the application to store.
- To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.
- An integer overflow attack causes the target software to calculate a value that exceeds the upper and lower bounds.
- Injection - Many improper input handling attacks, described as an injection type, occurs when the attacker embeds code within the input or appends code to it that executes when the server processes the submission.
- Command Injection
- SQL Injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code
- Secure socket layer (SSL) stripping is an On-path attack using ARP poisoning that redirects clients to an HTTPS site in an unsafe way when attempting an HTTP connection.
- A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can forge a digital signature.
- A downgrade attack facilitates a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.
- Dynamic Link Library Injection (DLL) is a software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library (DLL) in memory, that could cause the victim application to experience instability or leak sensitive information.
- Directory traversal is an application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
- XML injection is fundamentally the same thing but targeted against web servers using XML applications rather than SQL.
- Clickjacking occurs when the attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing it.
- Application programming interface (API) intrusion occurs when an attacker takes advantage of unsecure communication with application services to perform denial of service attacks using multiple API calls, for example.
- A resource exhaustion attack overloads resources like CPU time, memory, or disk capacity using distributed denial of service (DDoS) requests.
- Pass-the-hash-attack occurs when the attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack.
- replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack.
- Key Discovery - API calls use keys, made up of alphanumeric characters, to authorize requests to the web application. These keys are exposed over an unsecure connection such as HTTP. An attacker can use the key to perform other API calls.
- Improper error handling - Default application settings may expose more information than necessary when errors occur. Exposing such information over an HTTP connection may provide insight of the environment to the attacker.
- Denial of Service (DoS) can occur when the application is bombarded with spurious calls. Reconfiguring default web settings to throttle or limit calls can prevent this.
- A command injection attack runs OS shell commands from the browser and allows commands to operate outside of the server's directory root, allowing commands to run as the web "guest" user.
- Shimming is when an attacker uses a code library or database to intercept and redirect calls to enable legacy mode functionality on a system in order to misuse.
- A shim is a code library that intercepts and redirects calls to enable legacy mode on a system. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).
- Server Side Request forgery (SSRF) abuses the functionality and services of backend servers to read and update internal resources. This can expose, for example, database information, even without an authenticated session; causes the server application to process an arbitrary request that targets another service, either on the same host or another.
- A client-side (or cross-site) request forgery is an attack that forces a user to execute unwanted actions to a web server that the user is currently authenticated to.
- Cross-site request forgery (XSRF) is a malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request.
- Cross-Site Scripting (XSS) is a malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.
- Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user's browser.
- Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that inserts code into a back-end database used by the trusted site.
- Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page.
-
A lightweight directory access protocol (LDAP) injection occurs when an attacker exploits a client’s unauthenticated access to submit LDAP queries that could create or delete accounts, even change authorizations and privileges. LDAP uses port 389.
[CLC website]
Application and Service Attacks:
- Zero Day attacks
- Spoofing
- DoS and DDoS attacks
- Man-In-The-Middle attacks
- ARP Poisoning
- Buffer Overflow Attacks
- Injection Attacks
- Priveledge Escalation
- Reflection and Amplification
- DNS poisoning
- Domain Hijacking
- Man-in-the-browser
- Cross-site Scripting and Request Forgery
- Replay Attacks
- Pass the Hash Attacks
