• Virus: Requires host file to execute; self-replicates by infecting other files; spreads via removable media/email
• Worm: Standalone, self-propagates over network; exploits vulnerabilities; no user interaction needed (e.g., EternalBlue)
• Trojan: Disguised as legitimate software; creates backdoor; does not self-replicate
• PUP/PUA: Potentially Unwanted Program/Application; adware, browser toolbars; often bundled with installers
• Fileless Malware / LoTL (Living off the Land): Resides in memory only; abuses legitimate system tools (PowerShell, WMI, PsExec) so little or nothing is written to disk for AV to scan
• Spyware/Adware: Monitors user activity (keystrokes, screenshots) or injects advertisements; Keylogger records credentials
• Backdoor/RAT: Remote Access Trojan; covert channel for attacker control; often installed after initial breach
• C2 (Command & Control): Communication channel between malware and attacker (DNS tunneling, HTTPS beaconing, covert channels); indicators: regular beacon intervals, DGA domains
• Botnet: Army of compromised hosts (zombies) controlled via C2; used for DDoS, spam, cryptomining
• Ransomware: Encrypts data, demands payment; Crypto-malware variant specifically targets cryptocurrency wallets
• Cryptojacking: Unauthorized use of CPU/GPU for mining; stealthy resource consumption, slower performance, high electric bills
• Rootkit: Hides malware presence (processes, files, registry); kernel-mode (deep) vs user-mode
• Firmware Rootkit: Infects BIOS/UEFI, drives, or network card firmware; survives OS reinstallation
• Logic Bomb: Triggered by specific condition (date/time, file deletion); dormant until event
• Persistence Mechanisms: Registry run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), Scheduled Tasks (Windows) / cron jobs (Linux), WMI Event Subscriptions, Startup folders, DLL hijacking
• IOCs (Indicators of Compromise): Artifacts of intrusion (file hashes, IP addresses, registry keys, mutex names)
• TTPs (Tactics, Techniques, and Procedures): Behavioral patterns of threat actors (how they operate)
• MITRE ATT&CK: Framework mapping adversary TTPs to specific techniques (e.g., T1003 Credential Dumping, T1059 Command-Line Interface)
• Process Analysis: Unexpected parent/child relationships (e.g., word.exe spawning powershell.exe), unsigned binaries, high CPU/memory usage by unknown processes
• Resource Use: Spikes in network bandwidth (exfiltration), disk I/O (encryption), battery drain (cryptojacking)
• RFID/NFC Cloning: Copying access cards via proximity readers; Skimming: Stealing card data via malicious readers (ATM/gas pump overlays)
• CSRF (Cross-Site Request Forgery): Forces authenticated user to execute unwanted actions (bank transfer) via malicious link; victim’s browser sends cookies automatically
• SSRF (Server-Side Request Forgery): Server makes requests to internal resources (metadata APIs, internal apps) based on attacker-supplied URL
• Persistent XSS: Malicious script stored on server (DB, comment field); executes for all viewers
• SQL Injection: Manipulating queries to extract/destroy data; LDAP Injection targets directory queries for auth bypass
• Directory Traversal: ../ sequences to escape web root; Canonicalization Attack: exploiting path parsing differences (Unicode, double encoding)
• Command Injection: Executing OS commands via vulnerable app input (; | && chaining)
• SYN Flood: Exhausting server resources with half-open TCP connections (SYN packets, no ACK); DoS
• Reflected DDoS: Spoofing victim IP to reflector servers (DNS, NTP, Memcached); amplifies traffic toward target
• On-Path / MitM: Intercepting traffic between two parties; ARP Poisoning (spoofing MAC-IP mappings on LAN) enables MitM on local segment
• DNS Poisoning: Corrupting DNS resolver cache (redirect traffic); Hosts File Poisoning: Local DNS client cache tampering (C:\Windows\System32\drivers\etc\hosts)
• WiFi Key Recovery: KRACK (Key Reinstallation Attack) against WPA2; forces nonce reuse to decrypt traffic
• Offline Hash Cracking: Stealing password hashes (SAM database, NTDS.dit), cracking locally with GPUs/Rainbow Tables
• Pass-the-Hash (PtH): Reusing captured NTLM hash without cracking plaintext; exploits single-sign-on in legacy Windows auth
• Legacy Auth Risks: NTLM (vulnerable to relay), RC4 (weak stream cipher in Kerberos); downgrade attacks force weaker encryption
• Pass-the-Ticket (PtT): Reusing stolen Kerberos TGT (Golden Ticket) or service ticket (Silver Ticket); lateral movement without credentials
• Credential Dumping: Extracting from LSASS (Local Security Authority Subsystem Service) memory using tools like Mimikatz; clear-text passwords and hashes
• Lateral Movement: PsExec (remote execution via SMB/Admin$), PowerShell Remoting (WinRM), WMI, RDP jump boxes
• Collision Attack: Finding two inputs producing same hash; forges digital signatures (SHA-1 deprecated, MD5 broken); undermines non-repudiation