[CERTMaster] SMiShing - a phishing technique that uses SMS text communications as the attack vector. May include a link to a fake website    asking a user to log in.  Spam - unsolicited messages, like email, are sent in bulk to users for advertisements or to deliver malware SPIM - a spam (or mass unsolicited messages) but over instant messaging or Internet messaging services Phising - a type of email-based social engineering attack. The attacker sends an email from a supposedly reputable source, such    as a bank, to try to elicit private information from the victim.  Spear phishing ​​​​​​​- refers to a phishing scam where the attacker has some information that makes an individual target more likely     to be fooled by the attack. The attacker might know the details that help convince the target that the communication is genuine.  Vishing ​​​​​​​- A phising attack conducted through a voice channel (telephone or VoIP, for instance). Someone may attempt to     represent a bank and ask the target to verify information over the phone.  Hoax attack ​​​​​​​- an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.  Typosquatting ​​​​​​​-  Scarcity and urgency ​​​​​​​- creating a false sense of urgency can disturb people's ordinary decision-making process. The social     engineer can try to pressure his or her target by demanding a quick response.  Consensus/Social Proof ​​​​​​​- an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The     victims believe the reviews and place their trust in the website.  Familiarity/liking ​​​​​​​- one of the basic tools of an attacker is to be likeable and to present the requests they make as completely     reasonable and unobjectionable. Authority ​​​​​​​- Social engineers can try to intimidate their target by pretending to be someone else, such as someone of authority, or     superior rank or expertise. Pharming  ​​​​​​​- Whaling ​​​​​​​- an attack directed specifically against upper levels of management  Trust ​​​​​​​- to be convincing (or to establish trust). Usually depends on the attacker obtaining privileged information. An impersonation    attack is more effective if the attacker knows the information about the employee.  Dumpster Diving ​​​​​​​- Tailgating and Lunchtime Attacks  ​​​​​​​- Tailgating is getting unauthorized access to a building by following someone. A lunchtime     attack refers to an attack on a user who leaves a workstation unattended while logged on.  Spyware- a program that monitors user activity and sends the information to someone else. This can occur with or without the user's    knowledge​ Rogueware ​​​​​​​-  a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full    scan, which installs the attacker's Trojan.     [CLC website] Social Engineering Attacks:  Impersonation & Hoaxing Tailgating and Piggybacking Shoulder Surfing Dumpster Diving Phising, Spear phising, and Whaling Watering Hole Attacks (Social Networks) Vishing and Smishing Hijacking and Related Attacks: Click Jacking  Session Hijacking  URL Hijacking  Typosquatting  Driver Manipulation Attacks:  Shimming dfsa Refactoring

[CERTMaster] logic bomb- a malicious program or script set to run under particular circumstances or in response to a     defined event, such as the admin's account becoming disabled.  a worm - a type of virus that spreads through memory and network connections, rather than infecting files.     Also defined as memore-resident viruses that replicate over network resources. **Note: the primary     effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates.  Remote access trojan (RAT) - functions as a backdoor and allows the attacker to access the PC, upload files,     and install software on it. **Also referred to as Rat backdoor applications - see CLC definition for more Mine - a scripted trap that runs in the event an account gets deleted or disabled. Anti-virus software is unlikely     to detect this kind of malicious script or program, so the security specialist would not be able to discover the     script during an investigation. The security specialist would uncover the mine once it gets executed and     causes damage.  Rootkit - a backdoor malware that changes core system files and programming interfaces so that local shell     processes no longer reveal their presence.  Trojan -  a malicious program hidden within an innocuous-seeming piece of software. Usually, the     Trojan tries to compromise the security of the target computer. Adware - this software type can have a negative impact on performance & can include accepting a long     license agreement.  Crypto-malware -  a class of ransomware that attempts to encrypt data files. The user will be unable to access     the files without obtaining the private encryption key, held by the attacker.  Spyware- a program that monitors user activity and sends the information to someone else. This can occur with or without the user's knowledge Smurf Attack -  the adversary spoofs the victim's IP address and pings the broadcast address of a third-party     network. Each host directs its echo responses to the victim server.  DDoS attack- a DoS launched from multiple, compromised computers. Handlers compromise multiple zombie    (agent) PC's with DoS tools (bots), forming a botnet. mass-mail spam attack -  Trojan Horse Malware -  Skimming - using a counterfeit card reader to capture card details, which can then program a duplicate Password spraying - a horizontal brute-force online attack. This means that the attacker chooses one     or more common passwords (for example, "password" or 123456) and tries to use them in conjunction with    multiple usernames.  Card cloning - refers to making one or more copies of an existing card.  Malicious charging - an attacker can place a malicious plug or charging cable in public locations to gain access to     a device connected to it.  Birthday attack - a type of brute force attack aimed at exploiting collisions in hash functions. A collision is where    a function produces the same hash value for 2 different plaintexts.  How to protect against birthday attacks:  Encryption algorithms demonstrating collision avoidance Pass-the-Hash attack - If an attacker obtains the hash of a user's password, it is possible to authenticate with     the hash, without cracking it. Man-in-the-Middle (MitM) - a form of eaves dropping in which the attacker makes an independent connection     between two victims and steals information to use fraudently.  a downgrade attack - can facilitate a MitM by requesting that the serves use a lower specification protocol with    weaker ciphers and key  lengths.    Computer Bots - those computers that the attacker has infected with a backdoor exploit with a connection to     the C2 host or network. These bots can work individually or in unison. Command & Control (C2 or C&C) - a host or network that can manage and control the various bots remotely.     a rainbow table attack - a password attack that allows an attacker to use a set of plaintext passwords and     their hashes to crack passwords.  **passwords not "Salted" with a random value make the ciphertext vulnerable to this type of attack.             Dictionary attack - when software enumerates values in a dictionary wordlist. Enforcing password complexity     makes passwords difficult to guess and copromise. Varying the characters in the password makes it more     resistant to these attacks.  A hybrid password - will target against naively strong passwords. The password cracking algorithm tests     dictionary words and names in combination with numeric prefixes and/or suffixes.   Potentially Unwanted Program (PUP) - also called potentially unwanted applications (PUA). Software installed    alongside a package or from a computer store that the user did not request virus - Malware that is not necessarily hidden and very noticeable by virus scanners. These usually come in the     form of (.exe) or Dynamic-link Library (DLL) files.     [CLC website: Types of Malware] Viruses worms trojans RATS - remote access trojans Common Vulnerabilites: national vulnerability database: nvd.nist.gov  Ransomeware Cryptomalware Bots and Botnets Backdoors Rootkits Logic Bombs Keyloggers Stegomalware Polymorphic Packers

[CERTMaster] SYN flood attack -cause resource exhaustion on the host's processing requests, consuming CPU cycles, and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely A DoS attack causes a service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion). A more powerful TCP SYN flood attack is a DRDoS or amplification attack, where the adversary spoofs the victim's IP address and attempts to open connections with multiple servers. Packet filtering is a Layer 3 firewall technology that compares packet headers against ACLs to determine which network traffic to accept. Memory leaks in the OS kernel are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.  DLL injection is not a vulnerability, but of the way the operating system allows one process to attach to another, and then force it to load a malicious link library. If the pointer that references an object at a memory location was set to a null value by a malicious process, then this can create a null pointer exception, causing instability and crashes. A pointer is a reference to an object in memory. Attempting to access that memory address is called dereferencing. An integer is a positive or negative whole number. Race conditions occur when the outcome from execution processes is dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended. A TOCTTOU vulnerability will take advantage of this timing to modify data before finally using it; occurs when multiple threads are attempting to write at the same memory location. Attackers have used race conditions as an anti-virus evasion technique. An integer is a positive or negative whole number. Refactoring means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.   A race condition is a software vulnerability that occurs when the execution processes are dependent on the timing of certain events, and those events fail to execute in the order and timing intended. Overflow - Many improper input handling attacks, described as an overflow type, occurs when the attacker submits input that is larger than the variables assigned by the application to store. To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data. An integer overflow attack causes the target software to calculate a value that exceeds the upper and lower bounds. Injection - Many improper input handling attacks, described as an injection type, occurs when the attacker embeds code within the input or appends code to it that executes when the server processes the submission. Command Injection SQL Injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code Secure socket layer (SSL) stripping is an On-path attack using ARP poisoning that redirects clients to an HTTPS site in an unsafe way when attempting an HTTP connection. A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can forge a digital signature. A downgrade attack facilitates a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.   Dynamic Link Library Injection (DLL) is a software vulnerability that can occur when a Windows-based application attempts to force another running application to load a dynamic-link library (DLL) in memory, that could cause the victim application to experience instability or leak sensitive information. Directory traversal is an application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory. XML injection is fundamentally the same thing but targeted against web servers using XML applications rather than SQL. Clickjacking occurs when the attacker inserts an invisible layer into a trusted web page that can intercept or redirect input without the user realizing it.  Application programming interface (API) intrusion occurs when an attacker takes advantage of unsecure communication with application services to perform denial of service attacks using multiple API calls, for example. A resource exhaustion attack overloads resources like CPU time, memory, or disk capacity using distributed denial of service (DDoS) requests.   Pass-the-hash-attack occurs when the attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack. replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack.   Key Discovery - API calls use keys, made up of alphanumeric characters, to authorize requests to the web application. These keys are exposed over an unsecure connection such as HTTP. An attacker can use the key to perform other API calls. Improper error handling - Default application settings may expose more information than necessary when errors occur. Exposing such information over an HTTP connection may provide insight of the environment to the attacker. Denial of Service (DoS) can occur when the application is bombarded with spurious calls. Reconfiguring default web settings to throttle or limit calls can prevent this.   A command injection attack runs OS shell commands from the browser and allows commands to operate outside of the server's directory root, allowing commands to run as the web "guest" user. Shimming is when an attacker uses a code library or database to intercept and redirect calls to enable legacy mode functionality on a system in order to misuse. A shim is a code library that intercepts and redirects calls to enable legacy mode on a system. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).   Server Side Request forgery (SSRF) abuses the functionality and services of backend servers to read and update internal resources. This can expose, for example, database information, even without an authenticated session; causes the server application to process an arbitrary request that targets another service, either on the same host or another. A client-side (or cross-site) request forgery is an attack that forces a user to execute unwanted actions to a web server that the user is currently authenticated to. Cross-site request forgery (XSRF) is a malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request. Cross-Site Scripting (XSS) is a malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site. Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user's browser. Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that inserts code into a back-end database used by the trusted site. Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page.   A lightweight directory access protocol (LDAP) injection occurs when an attacker exploits a client’s unauthenticated access to submit LDAP queries that could create or delete accounts, even change authorizations and privileges. LDAP uses port 389.     [CLC website] Application and Service Attacks: Zero Day attacks  Spoofing DoS and DDoS attacks Man-In-The-Middle attacks  ARP Poisoning  Buffer Overflow Attacks  Injection Attacks  Priveledge Escalation  Reflection and Amplification  DNS poisoning  Domain Hijacking  Man-in-the-browser Cross-site Scripting and Request Forgery Replay Attacks  Pass the Hash Attacks

[CERTMaster] IV attacks  deauthentication attack  NFC (vulnerable to eavesdropping and M-I-T-M attacks) PowerShell Script = Invoke-Command Roque access point (AP) On-path attack  [CLC] Cryptographic Attacks:  Birthday, Known Plaintext, and Cipher Attacks  Online VS. Offline Attacks Collisions Downgrade Attacks  Brute-force and Dictionary Attacks  Brute Force tools Downgrade Attacks Wireless Attacks:  Replay attacks  Initialization Vector Weaknesses Evil Twins and Rogue Apps  Jamming  Bluejacking and Bluesnarfing  WPS attacks  Disassociation Attacks  RFID and Near Field Communication (NFC)

[CERTMaster] Hacktivists sophistication  State actors  private sharing center  advanced persistent threats (APT)   Hacktivists use cyber weapons to promote an agenda, steal confidential information, perform DoS attacks, or deface websites. For example, environmental and animal advocacy groups may target companies in a wide range of industries. Advanced Persistent Threats (APTs) are cyber nation state adversaries that have developed cybersecurity expertise and use cyber weapons to compromise network security and achieve military and commercial goals.   Insider threats are employees who harbor grievances or perpetrate fraud. For example, an insider threat might plan and execute a campaign to modify invoices and divert funds. Hackers are individuals who have the skills to gain access to computer systems through unauthorized or unapproved means. The term is sometimes associated with illegal or malicious system intrusion. Known threats, such as viruses or rootkits, Trojans, botnets, and DDoS, or specific software vulnerabilities, are relatively straightforward to identify and scan for these types of threats with automated software. DNS harvesting uses Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on). When performing host discovery on an internetwork (a network of routed IP subnets), the attacker will want to discover how the routers connect the subnets, and whether any misconfigured gateways between subnets exist. The ping command can detect the presence of a host on a particular IP address or one that responds to a particular host name. Users can apply a simple script to perform a ping sweep. Black hat hackers have malicious intent. These hackers have limited resources, especially when working alone. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems. Companies usually contract these hackers to test their security systems. Gray hat hackers seek out vulnerabilities in a product or network without seeking approval. They do not exploit the vulnerabilities but seek voluntary compensation (bug bounty) after informing companies about such vulnerabilities. A script kiddie is someone who uses hacker tools without necessarily understanding how they work and no specific target. This person works to gain attention or prove technical abilities. A competitor may use cyber espionage to gain inside information to beat the competition or tear them down. In this case, a competitor will carry out such attacks without permission.   A wireless attack vector can involve spoofing a trusted resource, such as an access point, and use it to perform credential harvesting. The harvested credentials can then access the legitimate network. A direct access attack vector involves a physical or local attack to a target system or network. The threat actor can exploit an unlocked workstation or steal a device, for example. E-mail as an attack vector involves attaching malicious files and using social engineering to persuade or trick the user into opening the attachment. A company is temporarily transmitting plaintext Application Programming Interface (API) keys to migrate data to an off-prem environment using a web application. The destination platform is Microsoft Azure. This temporary solution makes it open to which attack vector? (A) Cloud services such as Microsoft Azure or Amazon Web Services (AWS) use API keys to communicate with cloud services to perform tasks, such as migrate data off-prem or to the cloud

[CERTMaster] Data exfiltration Vendor support for Wi-Fi access points (APs) note: a problem with the system kernel affects the Operating system default configurations of devices have minimal security [CLC] Race conditions  System Vulnerabilites  Improper input and Error Handling  Misconfiguration  Resource Exhaustion  Untrained Users Improperly Configured Accounts  Vulnerable Business Processes Weak Cipher Suite and Implementations  Memory and Buffer Vulnerability  System Sprawl and Undocumented Assets Architecture and Design Weaknesses New Threats and Zero-day attacks  Improper certificate and Key management

[CERTMaster] log aggregation credentialed scan non credentialed scan appropriate data inputs: Windows 10 hosts DLP systems Vulnerability scanners configuration review  False positive (Caused by passive & port scanning) Intelligence fusion Nikto (a web application scanner that scans for SQL injection exploits) [CLC: software tools for security assessment ] protocol analyzerz network scanners wireless scanners/cracker  password crackers  vulnerability scanners  configuration compliance scanners exploitation frameworks  data sanitization tools  steganography tools  honeypots  backup utilities  banner grabbing  passive vs. active  other command line tools: ping netstat  tracert nslookup/dig =dns tools  arp =IP addresses  ipconfig/ ip/ifconfig tcpdumb nmap netcat

[CertMaster] Open Source Intelligence (OSINT) uses web search tools, social media, and sites that scan for vulnerabilities in Internet-connected devices and services. It is part of the reconnaissance phase. Involves little physical work to accomplish the task. Footprinting uses tools, such as Network Mapper (Nmap), which can scan hosts on a wired or wireless connection. Most of these types of scans require an active network connection with the target(s). means scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network. War flying is war driving, but in the air with a drone or unmanned aerial vehicle (UAV). This maps the location and type of wireless networks operated by the target. UAVs can drop infected Universal Serial Bus (USB) media with the expectation that someone on campus will use it. This is a social engineering technique different from war driving or flying. black box pen test, the consultant has no privileged info. about the network, its security systems, and its configuration. Black box tests are useful for simulating the behavior of an external threat. gray box pen test, the consultant has some information, which resembles the knowledge of junior or non-IT staff, to model types of insider threats.  During a white box pen test, the consultant has complete access to information about the network. Sometimes the consultant will conduct this type of test, as a follow-up to a black box test, to fully evaluate flaws discovered during the black box test. ​​​​​​​Ideally, testers should perform pen tests in a sandbox environment that accurately simulates the production environment. The purple team members act as facilitators during a purple team exercise. This type of exercise involves collaboration between red and blue teams during breaks throughout the exercise. The white team is responsible for setting the rules of engagement and monitors the penetration testing exercise. The blue team is one of two competing teams in a penetration testing exercise. The blue team performs the defensive role by operating, monitoring and alerting controls. The red team is one of two competing teams in a penetration testing exercise. The red team performs the offensive role to try to infiltrate the targetS STEP 1: Initial exploitation - an exploit gains access to the target's network, via phishing email and payload, or by obtaining credentials via social engineering. This phase comes before establishing persistence. STEP 2: Persistence -followed by further reconnaissance (internal), occurs when the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it. STEP 3: Action on objectives is the very last step of a penetration test after establishing a pivot point and escalating privileges. This step is basically data exfiltration. pivot point  ​​​​​​​   [CLC ] PENETRATION TESTING CONCEPTS Active Vs. Passive Reconnaissance Pivot initial exploitation persistence escalation of priviledge black vs. gray vs. white box testing  VULNERABILITY SCANNING CONCEPTS Pen testing vs. vulnerability scanning  Passively testing security controls  identifying vulnerability  identifying lack of security controls  identifying common misconfigurations  intrusive vs. nonintrusive  credentialed vs. noncredentialed  false positives