13 Malware Indicators
Mini Quiz Answers

Question 1: A security analyst notices unusual PowerShell commands executing in memory on a finance workstation. The commands result in more code being downloaded and executed. Anti-malware scans do not detect any malicious files present on the hard drive. Traditional antivirus scans show no detections. What best describes this attack technique?

Living off the land

Polymorphic virus

Trojan creating a persistent backdoor

Firmware rootkit

Question 1 Explanation: Living off the land describes malware that uses legitimate system tools like PowerShell and WMI to execute attacks without leaving files on disk.

A polymorphic virus changes its code to evade detection but typically infects files on disk, which would be caught by antivirus.

Trojans usually install files on the system to maintain access, which would be detected during scans.

Firmware rootkits infect BIOS/UEFI firmware; they do not present as PowerShell commands running in memory.

Question 2: An accounting department reports that all their critical files have had their file extensions renamed to ".HACKED". They can no longer view the contents of the files. A note appears in a .txt file demanding payment in Bitcoin within 72 hours to unlock the files. Performance monitoring shows extreme disk activity during the overnight hours. Which threat classification matches these indicators?

Cryptojacking

Spyware

Ransomware

Botnet

Question 2 Explanation: Cryptojacking uses CPU resources for mining cryptocurrency but does not encrypt files or demand ransom.

Spyware monitors user activity and steals data but does not rename files or demand payment.

Ransomware encrypts files, renames them with new extensions like ".HACKED", and displays ransom notes demanding Bitcoin payment, which matches all described indicators.

A botnet creates a network of compromised devices for coordinated attacks but does not typically encrypt files for ransom.

Question 3: Multiple users contact the IT help desk complaining that they are experiencing incredibly slow connections to internal files and resources. In some cases, internal websites do not load at all. Other users are having problems logging into their accounts. Which type of attack is most likely taking place?

Trojan

Denial of Service

Account compromise

Ransomware

Question 3 Explanation: Trojan malware disguises itself as legitimate software but typically does not cause widespread network slowdowns.

Denial of Service attacks overwhelm network resources, servers, or authentication systems, causing slow connections, website failures, and login problems for multiple users.

Account compromise affects individual user access but does not explain slow connections for multiple users.

Ransomware encrypts files but does not necessarily cause network slowdowns or prevent logins.

Question 4: After investigating a breach, analysts find that a malicious program automatically restarts every time the operating system launches by adding a configuration setting called "HKLM\Software\Microsoft\Windows\CurrentVersion\Run". Which persistence mechanism is the attacker using?

WMI event subscriptions

DLL hijacking

Registry keys

Scheduled tasks

Question 4 Explanation: WMI event subscriptions create persistence through Windows Management Instrumentation events, not registry run keys.

DLL hijacking forces programs to load malicious DLLs.

Registry keys in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run location automatically launch programs when Windows starts, which is the described persistence mechanism.

Scheduled tasks run programs at specific times but are configured through Task Scheduler, not this specific registry path.
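
A defender who finds such a Run key usually wants to review every value in it, not just the one the attacker added. The following is an added example (not part of the quiz) that parses the text written by `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and flags values that start a program from a user-writable location, through a script host, or under a Windows system binary's name from the wrong directory. The export embedded below is constructed; every value name and path in it is invented.

```python
r"""Triage Run-key persistence entries from a `reg export` dump.

Added example for the quiz explanation above; it is not part of the
quiz. It parses the text that
`reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
writes and flags values worth a closer look. The dump below is
constructed; every value name and path in it is invented.
"""
import re

# Constructed .reg export (REG_SZ values; backslashes are doubled in this format).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityTray"="C:\\Program Files\\ExampleAV\\tray.exe"
"VendorUpdater"="\"C:\\Program Files (x86)\\ExampleVendor\\updater.exe\" /silent"
"OneDriveSetup"="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe"
"Maintenance"="powershell.exe -w hidden -File C:\\Users\\Public\\m.ps1"
'''

# Directories where Run-key targets normally live (lower-cased for comparison).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Interpreters and proxy binaries that a legitimate Run entry rarely needs.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Windows system binaries that should only ever run from C:\Windows.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# A value line looks like "name"="data"; a backslash escapes the next character.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (a backslash escapes the following character)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_key(text: str) -> dict[str, str]:
    """Return {value_name: command} for each "name"="data" line in the export."""
    entries = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def extract_executable(command: str) -> str:
    """Pull the program path out of a command line, whether quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(?=\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [""])[0]


def assess_entry(command: str) -> list[str]:
    """Return the reasons an entry deserves review; an empty list means it looks ordinary."""
    exe = extract_executable(command).lower()
    basename = exe.rsplit("\\", 1)[-1]
    reasons = []
    if basename in SCRIPT_HOSTS:
        reasons.append(f"runs through script host {basename}")
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside Program Files / Windows")
    if basename in SYSTEM_BINARIES and not exe.startswith("c:\\windows\\"):
        reasons.append(f"system binary name {basename} outside the Windows directory")
    if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("references a user-writable location")
    return reasons


def triage_run_key(text: str) -> dict[str, list[str]]:
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: reasons
            for name, cmd in parse_run_key(text).items()
            if (reasons := assess_entry(cmd))}


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_REG_EXPORT).items():
        print(f"{name}: " + "; ".join(reasons))
```

The same checks apply to the per-user key under HKCU and to the RunOnce variants; the script only needs the export of each key as input. The heuristics are deliberately coarse: an entry that is flagged is a lead for the analyst, not a verdict.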

Question 5: A network administrator discovers a malware infection on the company's network. The malware has gained NT AUTHORITY\SYSTEM-level privileges. It is also deleting log files in an apparent attempt to avoid being discovered. What type of malware is the network administrator dealing with?

Polymorphic virus

Worm

Keylogger

Rootkit

Question 5 Explanation: Polymorphic virus changes its code signature to evade detection but does not necessarily delete logs.

Worm malware self-propagates across networks but does not specifically hide its presence or target log files.

A keylogger records keystrokes to steal credentials but does not typically delete log files.

Rootkit malware hides its presence from the operating system and security tools, often runs with SYSTEM-level privileges, and deletes log files to avoid detection, matching all described behaviors.

Question 6: A website allows users to post comments that are displayed to all visitors. An attacker submits a comment containing malicious JavaScript that steals session cookies from anyone who views the page. The script executes automatically for every visitor. Which attack is occurring?

CSRF

SSRF

XSS

SQLi

Question 6 Explanation: CSRF forces authenticated users to perform unwanted actions on websites they trust, not steal cookies from page viewers.

SSRF makes servers request internal resources, not attack page visitors.

XSS (Cross-Site Scripting) injects malicious JavaScript into a web page; the script executes in visitors' browsers and steals session cookies from anyone who views the infected page.

SQLi attacks databases through malicious queries, not client-side script execution.

Question 7: An organization notices that when a staff member tries to access a legitimate banking website, they are redirected to a malicious IP address controlled by attackers. The local DNS file on the employee's Windows workstation shows unauthorized entries mapping legitimate domains to malicious IP addresses. What best describes this attack?

DNS poisoning

SYN flood

Hosts file poisoning

Reflected DDoS

Question 7 Explanation: DNS poisoning corrupts DNS resolver cache, not the local hosts file.

A SYN flood exhausts server resources with connection requests; it does not redirect traffic.

Hosts file poisoning modifies the local hosts file to redirect legitimate domain requests to malicious IP addresses, bypassing normal DNS resolution.

Reflected DDoS amplifies traffic toward targets, not local file modification.
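
Because the hosts file is consulted before any DNS query, a quick audit of its contents is a cheap detection for the redirection described in this question. The following is an added example (not part of the quiz) that parses hosts-file text and reports every mapping that is not a loopback entry, a 0.0.0.0 sinkhole, or a documented internal override, rating a mapping "high" when the name falls under a watchlist of sensitive domains such as the organisation's banking sites. The Windows path `C:\Windows\System32\drivers\etc\hosts` is the real location of the file; the sample content, IP address and domain names are constructed for the example.

```python
"""Audit a hosts file for entries that hijack name resolution.

Added example for the quiz explanation above; it is not part of the
quiz. On Windows the file lives at C:\\Windows\\System32\\drivers\\etc\\hosts
(and at /etc/hosts on Linux/macOS). The sample content and domain names
below are constructed for the example.
"""
import ipaddress
import os
from pathlib import Path

# Constructed hosts file content (not captured from a real system).
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
10.0.5.20       intranet.corp.example   # deliberate internal override
0.0.0.0         ads.tracker.example     # blocklist-style sinkhole
203.0.113.45    online.bank.example     # unexpected: a bank name pinned to an IP
203.0.113.45    www.bank.example
"""


def parse_hosts(text: str) -> list[tuple]:
    """Return (line_number, ip, hostname) for every mapping; comments and junk are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # first field is not an address; leave malformed lines alone
        for host in fields[1:]:                # one line may name several hosts
            entries.append((lineno, ip, host.lower()))
    return entries


def _under(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any name in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_hosts(text: str, watchlist=frozenset(), allowed_overrides=frozenset()) -> list[dict]:
    """Report mappings that send a real name somewhere other than loopback or a sinkhole."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue   # localhost entries and 0.0.0.0 sinkholes are the normal contents
        if host in allowed_overrides:
            continue   # documented internal override, e.g. a split-horizon name
        severity = "high" if _under(host, watchlist) else "medium"
        findings.append({"line": lineno, "host": host, "ip": str(ip), "severity": severity})
    return findings


def audit_hosts_file(path=None, **kwargs) -> list[dict]:
    """Audit the live hosts file at its platform default location (or an explicit path)."""
    if path is None:
        path = (Path(r"C:\Windows\System32\drivers\etc\hosts") if os.name == "nt"
                else Path("/etc/hosts"))
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"), **kwargs)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist={"bank.example"},
                         allowed_overrides={"intranet.corp.example"}):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```

On a managed fleet the `allowed_overrides` set would come from the organisation's own list of intentional entries, so that anything outside it, especially a name on the watchlist, is raised immediately rather than buried among expected overrides.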

Question 8: A developer's workstation shows consistently high CPU usage at 95% even when no applications are running. The system fan runs constantly, battery drains rapidly, and electricity costs have increased. Which threat is most likely consuming the system resources?

Ransomware

Cryptojacking

Spyware

Worm

Question 8 Explanation: Ransomware encrypts files and displays ransom notes, but does not maintain constant high CPU usage when idle (only during encryption).

Cryptojacking hijacks CPU resources to mine cryptocurrency, causing consistently high CPU usage, fan operation, battery drain, and increased electricity costs even when no applications are visibly running.

Spyware monitors user activity but typically does not consume 95% CPU continuously.

Worm malware spreads across networks but does not necessarily consume constant high CPU resources.


Question 9: Which of the following best describes an industry-standard framework that maps adversary TTPs to real-world techniques?

MITRE ATT&CK

ISO/IEC 27001

NIST CSF

Cyber Kill Chain

Question 9 Explanation: MITRE ATT&CK is the industry-standard framework that maps adversary Tactics, Techniques, and Procedures to real-world attack methods.

ISO/IEC 27001 is an information security management standard, not a TTP mapping framework.

NIST CSF is a cybersecurity framework for managing risk, not specifically mapping adversary techniques.

The Cyber Kill Chain describes the stages of an attack but does not map specific techniques to tactics.

Question 10: An employee installs a popular video game on their company workstation. The game works normally but is also bundled with an application that creates pop-up advertisements on the employee's screen, advertising various products. The bundled application does not appear to be malicious. What is the BEST description for this situation?

Trojan

PUP/PUA

C2

UEFI

Question 10 Explanation: Trojan malware disguises itself as legitimate software but typically performs malicious actions.

PUP/PUA (Potentially Unwanted Program/Application) describes bundled software such as adware that displays pop-up advertisements and is often included with legitimate software installations.

C2 refers to command and control infrastructure for threat actor communication, not bundled applications.

UEFI is a firmware interface standard, not a type of unwanted software.