Monday, December 30, 2019
In threat hunting, what China based APT group was exposed and dismantled by U.S. based security organization Mandiant?
- APT 3
- APT18
- APT 1
- APT 12
EXPLANATION
Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the “Advanced Persistent Threat” (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that “The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement.” Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.

Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as “APT1” and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1’s operations compelled us to write this report.

The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1’s activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1’s attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures).
In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others.

Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.
What allows you to move the cursor on a screen?
- This one time, at band camp
- Mouse
- A series of well organised sausage rolls performing an electronic coup
- The feeling when you just know you've forgotten something but can't remember what.
EXPLANATION
If your machine is equipped with arrow keys, try these now. You should be able to move the cursor freely about the screen by using combinations of the up, down, right, and left arrow keys.
Moving With Arrow Keys
- To move left, press h .
- To move right, press l .
- To move down, press j .
- To move up, press k .
You can simply press Shift-right-arrow and then start typing. In contrast to these combination Shift-arrow commands, which move the cursor to the beginning and end of lines, the Ctrl-left-arrow and Ctrl-right-arrow keys move the screen image 20 spaces in the opposite direction to the arrow without moving the cursor.
What is the command to resync a workstation's time to the NTP server?
EXPLANATION
Run "cmd.exe" as administrator and run w32tm /resync. Visually check that the seconds in the "Date and Time" control panel are ticking at the same time as your authoritative clock(s).
Which of these is NOT an OSI network layer?
- The Security Layer
- The Transport Layer
- The Application Layer
- The Physical Layer
EXPLANATION
The Open System Interconnection (OSI) model defines a networking framework to implement protocols in seven layers.
The 7 Layers of the OSI
- Layer 1 - Physical.
- Layer 2 - Data Link.
- Layer 3 - Network.
- Layer 4 - Transport.
- Layer 5 - Session.
- Layer 6 - Presentation.
- Layer 7 - Application.
An admin is investigating an unusual amount of traffic originating from a 2016 Server to the internet. The first event log was ID 1102. The outbound traffic is traversing over ports commonly associated with DNS. These symptoms are known as what?
- Vulnerability
- Threat
- Risk
- Indicator of Compromise (IoC)
EXPLANATION
Yet another event type worth monitoring is related to event log clearing. Event ID 104 in the System log shows that it has been cleared, and event ID 1102 in the Audit log does the same for that log. But clearing the application log puts nothing in the application event log?

Although the application log clear does not result in a log clear entry in the actual application log, it does write an entry to the system log, as previously mentioned. Is clearing event logs considered a normal activity? Granted, the act may not always result from malicious intent, but it should be considered enough of a non-standard event that it warrants closer examination. When log clears are performed in conjunction with other events, it is clearly a great way to cover your tracks if you were previously creating services, making firewall rule changes, etc. In some cases, if a system is functioning on an island without log forwarding or any other outside communication, this singular event might be your only indication of a much larger issue.

But wait... There are several ways to clear out the log files. Let us examine several of them to see how they work and ensure our monitoring will detect them. Obviously, using the Windows native method of clearing event logs (Figure 9) is going to generate the event IDs we are looking for above. Event ID 104 is created just as expected when clearing out the System log.
What is a node?
- A node refers to a point or joint where a connection takes place
- is combined with an IP address in order to identify two parts:
- It refers to a direct connection between two computers on a network.
- is the process of breaking down information into smaller manageable chunks before it is transmitted
EXPLANATION
A node is a device or data point in a larger network. A node can be a couple of different things depending on whether the conversation is about computer science or networking.
In networking, a node is either a connection point, a redistribution point, or a communication endpoint. In computer science, nodes are devices or data points on a large network; devices such as a PC, phone, or printer are considered nodes.
In general, a node has a programmed or engineered capability that enables it to recognise, process, or forward transmissions to other nodes.
Which is the most frequent IT problem?
- Virus in user computer
- Computer froze
- User forgot his password
- Data loss
EXPLANATION
- “I'm unable to log in!”
- “I've got the dreaded blue screen of death!”
- “I deleted some important files!”
- “I just closed my document without saving!”
- “My computer is running too slowly!”
- “My computer just shut down unexpectedly!”
- “I can't print anything!”
Which of the following is a valid IPv6 link-local address?
- fe80::f557:9caf:86ce:855e
- fg80::8a2e:0370:7334
- 169.254.1.1
- fe80:0000:0000:5d18:0000:6977:a3cf:e46d
EXPLANATION
ipv6 unicast-routing
interface gigabitethernet 0/0/0
ipv6 address 2001:DB8:c18:1::/64 eui-64
Device# show ipv6 interface gigabitethernet 0/0/0
Gigabitethernet0/0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::F557:9CAF:86CE:855E
Global unicast address(es):
2001:DB8:C18:1:260:3EFF:FE47:1530, subnet is 2001:DB8:C18:1::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF47:1530
FF02::9
MTU is 1500 bytes
ICMP error messages limited to one every 500 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
A type of cryptographic network protocol for secure data communication
- TFTP
- TELNET
- SSH
- RDP
EXPLANATION
Secure Shell (SSH), invented in 1995, is a cryptographic network security protocol used for securing data communication over a network. It permits remote command-line login as well as the remote execution of specific tasks. Various functionalities of FTP are incorporated in SSH.
What is the most preferred tool to configure a Server Core and what are the important ones to configure?
- PowerShell
- CMD
- Sconfig
- WinRM
EXPLANATION
Server Core doesn't have a UI, so you need to use Windows PowerShell cmdlets, command line tools, or remote tools to perform basic administration tasks. The following sections outline the PowerShell cmdlets and commands used for basic tasks. You can also use Windows Admin Center, a unified management portal currently in public preview, to administer your installation.
Which Windows+R command needs to be entered to Disable Ctrl-Alt-Del at Logon Screen
Which statement is INCORRECT about penetration testing?
- It is an unintentional attack?
- Pen testing does discover security flaws/weaknesses?
- Pen testing is used for security assessments?
- Pen testing improves the security of the system?
EXPLANATION
A pentest is an intentional attack on a system, using pen testing skills to improve the defense strategy.
Unintentional, insider-originated security breaches are the result of simple negligence, inattention, or lack of education. Unintentional mistakes such as system administrator errors, operator errors and programming errors, for example, are common.
What does SSID stand for?
- Secure Service Identifier
- Security Set Identifier
- Service Security Identifier
- Service Set Identifier
EXPLANATION
The SSID (Service Set IDentifier) is the name of a wireless network.
If a router can create more than one network, then each can have its own name/SSID. Whether each should have its own name is a debatable issue, but not a security one.
You should change the default SSID(s) for a couple of reasons, one technical and one not.
Using a default or common SSID can make it easier for bad guys to crack the WPA2 encryption. The network name is part of the encryption algorithm, and password cracking dictionaries (rainbow tables) include common SSIDs. Thus, a popular SSID makes the hacker’s job easier.
On a totally different level, changing it means you don't appear to be technically clueless. Anyone who has not changed the default network name is immediately pegged as a non-techie whose defenses are likely to be poor. There might as well be a "hack me" sign on the network.
I have seen others argue that changing an SSID that has the vendor name in it is good for security, as it hides the company that made your router. It does not. The identity of the hardware vendor is advertised for the world to see in the MAC address that the router broadcasts. Even if you change a default SSID of "Linksys" to "Netgear", anyone with a Wi-Fi survey app such as WiFi Analyzer on Android can tell that the router was made by Linksys.
Which is NOT a transport layer vulnerability?
- Unauthorized network access
- The vulnerability that allows "fingerprints" and other enumeration of host information
- Mishandling of undefined, poorly defined
- Overloading transport-layer mechanisms
EXPLANATION
The different vulnerabilities of the Transport layer are mishandling of undefined, poorly defined, vulnerabilities that allow “fingerprinting” and other enumeration of host information, overloading of transport-layer mechanisms, etc. Unauthorized network access is an example of a physical layer vulnerability.
In Windows 10, what are Active Hours
- The number of hours Windows has been active.
- Windows will not auto-update during this time.
- Windows will not auto-reboot during this time.
- PC will not hibernate during this time.
EXPLANATION
Active Hours is a new update-related feature of the upcoming Anniversary Update for Windows 10 that is already available in the latest Insider Build. The main idea behind the feature is to make operating system updates less annoying by preventing automatic restarts of the system during active hours.
What Protocol Does the Open-Source VNC Remote Desktop Application Use?
- Remote Desktop Protocol (RDP)
- Open Source Screen Share (OSSS)
- Virtual Network Connect (VNC)
- Remote Frame Buffer (RFB)
EXPLANATION
RFB (“remote framebuffer”) is an open simple protocol for remote access to graphical user interfaces. Because it works at the framebuffer level it is applicable to all windowing systems and applications, including Microsoft Windows, macOS and the X Window System. RFB is the protocol used in Virtual Network Computing (VNC) and its derivatives.
Software | Protocols | Free for commercial use |
---|---|---|
TightVNC | RFB (VNC) | Yes |
Timbuktu | Proprietary | Yes |
TurboVNC | RFB (VNC) | Yes |
UltraVNC | RFB (VNC) | Yes |
What command do you use if you have 2 stacked 48 port Enterasys/Extreme B5 switches and you wish to set port 41 on the second switch to vlan 4?
- set port vlan ge.2.41 4
- set port vlan ge.1.41 4
- set vlan ge.2.41 4
- set port vlan 4 ge.2.41
EXPLANATION
When utilizing this command the structure is {set port vlan}, then the port(s) on the switch you wish to set (in this case switch 2, port 41, so ge.2.41), followed by the vlan you want to set the port to (in this case 4). Further commands can follow this if needed, but in this example they were not. For a more detailed look at the procedure you can go to https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Configure-VLAN-on-EOS-Switches
How to Configure VLAN on EOS Switches
What kind of information about your e-mail environment is not stored in DNS?
- SPF record
- Certificate expiration date
- MX
- DKIM selector
EXPLANATION
DNS servers create a DNS record to provide important information about a domain or hostname, particularly its current IP address. The most common DNS record types are:
- Address Mapping record (A Record)—also known as a DNS host record, stores a hostname and its corresponding IPv4 address.
- IP Version 6 Address record (AAAA Record)—stores a hostname and its corresponding IPv6 address.
- Canonical Name record (CNAME Record)—can be used to alias a hostname to another hostname. When a DNS client requests a record that contains a CNAME, which points to another hostname, the DNS resolution process is repeated with the new hostname.
- Mail exchanger record (MX Record)—specifies an SMTP email server for the domain, used to route outgoing emails to an email server.
- Name Server records (NS Record)—specifies that a DNS Zone, such as “example.com” is delegated to a specific Authoritative Name Server, and provides the address of the name server.
- Reverse-lookup Pointer records (PTR Record)—allows a DNS resolver to provide an IP address and receive a hostname (reverse DNS lookup).
- Certificate record (CERT Record)—stores encryption certificates—PKIX, SPKI, PGP, and so on.
- Service Location (SRV Record)—a service location record, like MX but for other communication protocols.
- Text Record (TXT Record)—typically carries machine-readable data such as opportunistic encryption, sender policy framework, DKIM, DMARC, etc.
- Start of Authority (SOA Record)—this record appears at the beginning of a DNS zone file, and indicates the Authoritative Name Server for the current DNS zone, contact details for the domain administrator, domain serial number, and information on how frequently DNS information for this zone should be refreshed.
CHAP stands for?
- Circuit Hardware authentication protocol
- Circuit Handshake authentication protocol
- Challenge Handshake authentication protocol
- Challenge Hardware authentication protocol
EXPLANATION
CHAP is short for Challenge Handshake Authentication Protocol, a type of authentication in which the authentication agent (typically a network server) sends the client program a random value that is used only once and an ID value. Both the sender and peer share a predefined secret.
What Command in "Command Prompt" is used to check hard disk issues
- net stop wuauserv
- chkdsk c:\
- dir
- sfc /scannow
EXPLANATION
Short for "check disk," the chkdsk command is a Command Prompt command used to check a specified disk and repair or recover data on the drive if necessary. Chkdsk also marks any damaged or malfunctioning sectors on the hard drive or disk as "bad" and recovers any information still intact.
C:\WINDOWS\system32>chkdsk
The type of the file system is NTFS.
WARNING! /F parameter not specified.
Running CHKDSK in read-only mode.
Stage 1: Examining basic file system structure ...
450816 file records processed.
File verification completed.
8733 large file records processed.
0 bad file records processed.
Stage 2: Examining file name linkage ...
650 reparse records processed.
Progress: 495796 of 585112 done; Stage: 84%; Total: 76%; ETA: 0:00:06 .
On a class C IPv4 network, which of these IPs is used for broadcast traffic
EXPLANATION
It is very similar to the network broadcast we just talked about but varies slightly in the sense that its IP broadcast is not set to 255.255.255.255, but is set to the subnet broadcast address. For example, my home network is a Class C network: 192.168.0.0 with a subnet mask of 255.255.255.0 or, if you like to keep it simple, 192.168.0.0/24.
This means that the available valid hosts for this network are from 192.168.0.1 to 192.168.0.254. In this Class C network, as in every other network, there are 2 addresses which I can't use. The first one is preserved to identify the network (192.168.0.0) and the second one for the subnet broadcast (192.168.0.255).
What command would you use in Linux to get the current system time?
- get-time
- get-date
- date
- datetime
EXPLANATION
The date command is used to display the system date and time. The date command is also used to set the date and time of the system.
By default the date command displays the date in the time zone for which the unix/linux operating system is configured. You must be the super-user (root) to change the date and time.
How to ping a port
- Ping ():Port
- tcping
- none of the above
- ping :port
EXPLANATION
tcping is a tool that allows you to verify the reachability of a TCP port. ... Unlike standard ping, fping or hping, this tool uses a simple TCP connection to verify whether a port is listening and is agnostic of application protocols etc. Each check will simply open a connection and, if successful, immediately close it.
https://www.techlanda.com/2016/01/how-to-ping-port.html
Which of the following dvPort binding types have been removed in vSphere 5
- Ephemeral Binding
- Dynamic Binding
- Lateral Binding
- Static Binding
EXPLANATION
From: http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-networking-guide.pdf
Select Static binding to assign a port to a virtual machine when the virtual machine connects to the distributed port group. This option is not available when the vSphere Client is connected directly to ESXi.
Select Dynamic binding to assign a port to a virtual machine the first time the virtual machine powers on after it is connected to the distributed port group. Dynamic binding is deprecated in ESXi 5.0.
Select Ephemeral for no port binding. This option is not available when the vSphere Client is connected directly to ESXi.
Port binding type, along with all other vDS and port group configuration, ... The port is disconnected only when the virtual machine is removed from the port group. ... For example, if you have 300 virtual machines and 100 ports, but never ... and an ESXi 5.x host can support up to 256 ephemeral port groups
Which of the follow is not a standard method in the US for connecting telephone calls?
- Analog/POTS
- SIP/VOIP
- E1/BRI
- T1/PRI
EXPLANATION
Analog or Plain Old Telephone Service (POTS) are your standard (essentially) one line in per call telephone lines. These were fairly inefficient for larger organizations due to the sheer volume of calls needed and the number of physical lines that would be needed to accomplish many concurrent calls; for example, a call center needing the ability to work with 45 concurrent calls would need essentially 45 Analog lines (although later uses of the lines could incorporate some usage of more than one call per physical line), which is both costly and takes up a large volume of real-estate (space).
In order to make multiple concurrent calls across one physical medium, the US telecommunications industry began to use T1 or PRI lines, which could support up to 23 concurrent calls over one "line" (or circuit). So, for that same business to make approximately 45 concurrent calls, only *2* circuits would be required.
As demands increased yet again and higher-speed backbone connections became available, VoIP (Voice over Internet Protocol) or SIP trunks have become the de-facto standard for high-usage / high-volume (and even low-volume) environments. The concurrent call limit per SIP or VoIP trunk is essentially limitless, bound *in-theory* only by the amount of bandwidth available to the destination/origin.
BRI circuits are essentially the same (or extremely similar) to the North American/US T1/PRI circuits, however, they are only found overseas/in European countries and NOT in the US.
*This question and the answers, including this explanation, are a simplification of many PSTN and Telecommunications terms and technologies. Additional details and information can be found by searching Wikipedia, as well as other scholarly resources, for the aforementioned terms.
SOURCE
https://en.wikipedia.org/wiki/Public_switched_telephone_network
Standard-use 3.5" hard disk drives for non-enterprise use generally include spin rates that include all except the following
- 10,000 RPM (10k)
- 5400 RPM (5.4k)
- 15,000 RPM (15k)
- 7200 RPM (7.2k)
EXPLANATION
In terms of the RPM specification, platters need to spin faster to increase performance in a hard drive. This moves the data bits past the read/write head faster, which results in higher data rates. Hard drives have been engineered with spin rates as low as 1,200 RPM and as high as 15K RPM. But today’s most common RPM rates, in both laptop and desktop PCs, are between 5,400 and 7,200 RPM.
Given two identically designed hard drives with the same areal densities, a 7,200 RPM drive will deliver data about 33% faster than the 5,400 RPM drive. Consequently, this specification is important when evaluating the expected performance of a hard drive or when comparing different HDD models.