This type of scan pings devices to find which are active on a network.
What is a ping sweep
An unusual process running as SYSTEM with no apparent origin could indicate this.
What is a malicious process or rootkit
When apps start communicating with known bad IP addresses, this term describes the behavior.
What is command-and-control communication
A USB drive is “accidentally” dropped near the company parking lot. An employee picks it up and plugs it in. This classic bait tactic is known as what?
What is baiting
You find a scheduled task to launch PowerShell every 3 hours. What might this indicate?
What is persistence via scheduled task
You notice a device repeatedly trying to reach an external IP without authorization. It is likely exhibiting this behavior.
What is beaconing
This escalation technique tricks the OS into giving unauthorized admin access.
What is privilege escalation
A new account appears in your CRM logs—created without permission. What attack technique is likely?
What is unauthorized account creation or insider threat
A link that looks like a company login page but leads elsewhere is called this.
What is a spoofed or phishing link
This part of Windows often holds keys that determine startup behavior and app settings.
What is the Windows Registry
A network admin sees a sudden traffic spike from one system after hours. This could be a sign of what?
What is data exfiltration or a compromised host
A system freezing up with high CPU usage and no clear reason might be the result of what?
What is resource hijacking or possible malware activity
Your logs reveal a command-line tool being launched by a Word document. What might this indicate?
What is macro-based malware or fileless malware
An attacker physically follows someone into a secure office building by pretending to have forgotten their badge. This is an example of what?
What is tailgating
A script disguised as a Windows update and run automatically might be this type of threat.
What is a disguised backdoor or malware implant
These unauthorized systems may connect to your network, often with malicious intent.
What are rogue devices
You find a renamed executable in a temp directory. It might be this kind of tool.
What is a living-off-the-land binary (LOLBIN) or malware dropper
This kind of alert might fire if an application suddenly begins encrypting large volumes of files.
What is ransomware behavior
Someone calls pretending to be from payroll to get personal info. That’s this kind of attack.
What is vishing (voice phishing)
A misconfigured group policy can lead to these unintended consequences.
What are unintended privilege or access control issues
A beaconing host is usually doing what?
What is attempting to maintain contact with a command-and-control server
These files often contain records of unusual or malicious host activity.
What are log files or security event logs
A legitimate app being used maliciously is known as what kind of threat?
What is a living-off-the-land attack or abuse of legitimate tools
This is the term for tricking someone into performing a compromising action by establishing false trust.
What is social engineering
These Windows artifacts can reveal unauthorized persistence mechanisms.
What are scheduled tasks or registry run keys