Detailed Report on “VU23225 Investigate Windows Security Features – Lesson 03”
Overview
The document titled “VU23225 Investigate Windows Security Features – Lesson 03” focuses on various aspects of malware, including methods of infection, techniques to avoid detection, methods of maintaining persistence, and tools for detection. The content aims to provide a comprehensive understanding of malware and its impact on Windows systems.
1. Objectives
The lesson sets out the following objectives:
- Describe the methods threat actors use to infect a Windows host.
- Describe techniques used to avoid malware detection on a Windows host.
- Describe how malware can maintain persistence even after detection and removal.
- Describe tools to detect malware attacks.
2. Common Malware Vectors
This section discusses the pathways through which malware enters systems, compromising the security and integrity of Windows environments.
Email-Based Attacks:
- Phishing Emails: Deceptive messages designed to trick users into revealing sensitive information.
- Malicious Attachments and Links: Malware disguised as legitimate file attachments or links leading to malicious websites.
Social Engineering Attacks:
- Malicious Macros: Hidden within document files, executing malicious code when enabled.
- Fake Software Installers: Counterfeit software distributed through unofficial websites or malicious ads.
Web-Based Attacks:
- Drive-by Downloads: Automatic malware downloads from compromised or malicious websites.
- Malicious Websites: Intentionally designed or compromised sites to deliver malware.
Removable Media Attacks:
- USB-Based Attacks: Malware placed on USB drives, relying on social engineering to get users to plug them in.
- Autorun.inf-Based Attacks: Exploit the Windows Autorun feature, driven by an autorun.inf file on the media, to execute malware when the device is inserted.
Software Vulnerabilities:
- Outdated Software: Contains known vulnerabilities that can be exploited.
- Zero-Day Exploits: Target unknown vulnerabilities without available patches.
3. Malware Hiding Techniques
Common techniques used by malware to evade detection and infiltrate systems:
- Fileless Malware: Resides solely in memory, using legitimate system tools.
- Rootkits: Gain administrative control and hide their presence by modifying OS core files.
- Stealth Techniques: Use code obfuscation, encryption, and polymorphism to avoid detection.
- DLL Injection: Forces a legitimate process to load a malicious DLL so the code runs under that process's identity.
- Process Hollowing: Starts a legitimate process in a suspended state, replaces its code in memory with malicious code, and resumes it.
- Code Injection: Writes malicious code directly into the memory of a legitimate process and executes it there.
- Steganography: Embeds malicious code within harmless files like images or documents.
- Malicious Macros: Embedded in Office documents, tricking users into enabling macros.
- File Masking: Changes file extensions or icons to resemble harmless files.
- Network Traffic Manipulation: Alters traffic patterns or uses encryption to hide communication with C&C servers.
4. Malware Persistence
Methods malware uses to maintain its presence on an infected system:
- Registry Modification: Adds or changes Windows registry entries so the malware is launched automatically at boot or logon.
- Startup Folder: Places itself in the startup folder to execute on login.
- Service Installation: Installs as a service to run independently of user sessions.
- Rootkit Installation: Hides malware and its activities from detection.
- Boot Sector Infection: Infects the master boot record or boot sector to execute malware early in the boot process.
- File System Manipulation: Replaces critical system files or creates hidden copies.
- Network-Based Persistence: Establishes backdoors or new user accounts with admin privileges.
- Task Scheduler: Creates or modifies scheduled tasks to ensure malware execution at regular intervals or specific triggers.
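As an added example (not part of the lesson), the following PowerShell script audits the four autostart locations named above that an administrator can enumerate directly: Run/RunOnce registry keys, the startup folders, installed services, and scheduled tasks. It is read-only, assumes an elevated PowerShell 5.1 or later session on Windows, and the "user-writable path" pattern is a heuristic chosen for this example, not a rule from the lesson.

```powershell
# Added example, not from the lesson: read-only audit of common autostart locations.
# Run in an elevated PowerShell session; nothing is modified.

function Get-AutostartEntry {
    $entries = New-Object System.Collections.Generic.List[object]

    # Registry persistence: Run/RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            $entries.Add([pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value })
        }
    }

    # Startup folder persistence: all-users and current-user folders
    foreach ($folder in @([Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -File) {
            $entries.Add([pscustomobject]@{ Source = $folder; Name = $file.Name; Command = $file.FullName })
        }
    }

    # Service persistence: the binary each service starts
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries.Add([pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName })
    }

    # Task Scheduler persistence: every executable action of every task
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute path
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $entries.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd })
        }
    }
    return $entries
}

# Pull the executable out of a command line such as
#   "C:\Program Files\App\app.exe" /silent     or     %SystemRoot%\system32\svchost.exe -k netsvcs
function Get-ExecutablePath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $path = if ($Command -match '^"([^"]+)"') { $Matches[1] }
            elseif ($Command -match '^(\S+?\.(exe|dll|cmd|bat|ps1|vbs|js|msi))(\s|$)') { $Matches[1] }
            else { ($Command -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # Bare names such as "powershell.exe" resolve through PATH, as the loader would
    if (-not [IO.Path]::IsPathRooted($path)) {
        $app = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $path = $app.Path }
    }
    return $path
}

function Test-AutostartEntry {
    # Heuristic for this example: binaries in user-writable locations deserve a closer look
    $userWritable = '\\(Users|AppData|Temp|ProgramData|Public)\\'
    foreach ($e in Get-AutostartEntry) {
        $exe   = Get-ExecutablePath $e.Command
        $sig   = $null
        $flags = @()
        if (-not $exe) { $flags += 'NoCommand' }
        elseif (-not (Test-Path -LiteralPath $exe)) { $flags += 'MissingFile' }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "Signature:$($sig.Status)" }
            if ($exe -match $userWritable) { $flags += 'UserWritablePath' }
        }
        [pscustomobject]@{
            Source = $e.Source
            Name   = $e.Name
            Path   = $exe
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Flags  = ($flags -join ',')
        }
    }
}

# Show only the entries that raised at least one flag
Test-AutostartEntry | Where-Object { $_.Flags } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

The flags are review prompts, not verdicts: legitimate updaters often live under AppData, and on older Windows builds Get-AuthenticodeSignature can report NotSigned for OS files that are signed only through a catalog. Comparing the output against a baseline taken from a known-clean build of the same image is what turns the list into a detection.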
5. Tools to Detect Malware
Tools and methods to detect malware attacks on Windows systems:
Anti-Virus / Anti-Malware Solutions:
- Windows Defender: Built-in solution with real-time protection.
- Malwarebytes: Third-party tool known for detecting and removing stubborn malware.
- Norton Security, Trend Micro Antivirus, ESET NOD32, McAfee Total Protection, Bitdefender, Kaspersky, Avast: Various solutions offering real-time scanning, threat detection, and removal capabilities.
Endpoint Monitoring Tools:
- Microsoft Endpoint Tools (Windows Event Viewer, Sysmon): Tools for monitoring and managing events and system activities.
- Velociraptor: Open-source framework for endpoint monitoring and digital forensics.
- Fleet Device Management: System monitoring tool focusing on compliance and incident response.
- osquery: Tool for querying OS infrastructure with SQL-like syntax.
- OSSEC, Wazuh: Host-based intrusion detection systems offering real-time log analysis and threat detection.
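As an added example (not part of the lesson), the script below reads the Sysmon operational log through the same Windows event infrastructure that Event Viewer displays, and flags three patterns drawn from sections 3 and 4: an Office application spawning a script host (the malicious-macro case), a value written under a Run/RunOnce key, and a file dropped into a Startup folder. It assumes Sysmon is installed with a configuration that records event IDs 1 (process creation), 11 (file creation) and 13 (registry value set), and an elevated session; the process-name and path patterns are choices made for this example.

```powershell
# Added example, not from the lesson: hunt for persistence and macro activity in Sysmon events.
# Assumes Sysmon is installed and configured to log event IDs 1, 11 and 13.

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    # Sysmon stores its fields as <Data Name="...">value</Data>; expose them as properties
    $xml    = [xml]$Record.ToXml()
    $fields = [ordered]@{ EventId = $Record.Id; TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return [pscustomobject]$fields
}

function Find-SuspiciousSysmonEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = @(1, 11, 13)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Patterns chosen for this example
    $officeApps  = '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$'
    $scriptHosts = '\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil)\.exe$'
    $runKeys     = '\\CurrentVersion\\(Run|RunOnce)\\'
    $startupDir  = '\\Start Menu\\Programs\\Startup\\'

    foreach ($record in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $e      = ConvertFrom-SysmonEvent -Record $record
        $reason = $null
        $detail = $null
        switch ($e.EventId) {
            1 {
                if ($e.ParentImage -match $officeApps -and $e.Image -match $scriptHosts) {
                    $reason = 'Office application spawned a script host (possible macro)'
                    $detail = $e.CommandLine
                }
            }
            11 {
                if ($e.TargetFilename -match $startupDir) {
                    $reason = 'File created in a Startup folder'
                    $detail = $e.TargetFilename
                }
            }
            13 {
                if ($e.TargetObject -match $runKeys) {
                    $reason = 'Run/RunOnce registry value set'
                    $detail = "$($e.TargetObject) = $($e.Details)"
                }
            }
        }
        if ($reason) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Reason  = $reason
                Process = $e.Image
                Detail  = $detail
                User    = $e.User
            }
        }
    }
}

Find-SuspiciousSysmonEvent -Hours 24 | Format-Table -AutoSize -Wrap
```

The same three checks map directly onto the tools listed above: Sysmon produces the events, Event Viewer or this script reads them on one host, and forwarding the log to a SIEM lets the patterns be applied fleet-wide. Software installers also write Run keys and Startup entries, so a hit is a lead to correlate with the autostart audit and the signing status of the binary, not a conviction on its own.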
Sysinternals Suite:
- Autoruns, Process Explorer, Process Monitor, TCPView, Sigcheck, Sysmon: Advanced tools for diagnosing, troubleshooting, and identifying malware.
SIEM Solutions:
- Splunk Enterprise Security, IBM QRadar, Elastic Security, Security Onion, AlienVault USM, AlienVault OSSIM: Comprehensive platforms for monitoring, analyzing, and responding to security events.
Conclusion
The document provides a thorough overview of how malware can infect Windows systems, evade detection, and maintain persistence. It also highlights various tools and solutions available to detect and mitigate these threats, emphasizing the importance of keeping systems updated, using reputable security software, and educating users about social engineering risks.