Chapter 3: Malicious Activity

The df command will show you a system's current disk utilization. Both the top command and the ps command will show you information about processes, CPU, and memory utilization, whereas lsof is a multifunction tool for listing open files.

Perfmon, or Performance Monitor, provides the ability to gather detailed usage statistics for many items in Windows. Resmon, or Resource Monitor, monitors CPU, memory, and disk usage but does not provide information about things like USB host controllers and other detailed instrumentation. Statmon and winmon are not Windows built-in tools.

Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, WMI, and resmon data are all system log information and would not provide this information.

Network access control (NAC) can be set up to require authentication. Port security is limited to recognizing MAC addresses, making it less suited to preventing rogue devices. PRTG is a monitoring tool, and NTP is the Network Time Protocol.

A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.

Chris is most likely reviewing a JSON file. HTML and XML typically use angle brackets (< and >) rather than curly brackets. Plain text does not use or require either.

Beaconing activity (sometimes called heartbeat traffic) occurs when traffic is sent to a botnet command-and-control system. The other terms are made up.