Chapter 3: Malicious Activity

The df command will show you a system's current disk utilization. Both the top command and the ps command will show you information about processes, CPU, and memory utilization, whereas lsof is a multifunction tool for listing open files.

Perfmon, or Performance Monitor, provides the ability to gather detailed usage statistics for many items in Windows. Resmon, or Resource Monitor, monitors CPU, memory, and disk usage but does not provide information about things like USB host controllers and other detailed instrumentation. Statmon and winmon are not Windows built-in tools.

Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, WMI, and resmon data are all system log information and would not provide this information.

Network access control (NAC) can be set up to require authentication. Port security is limited to recognizing MAC addresses, making it less suited to preventing rogue devices. PRTG is a monitoring tool, and NTP is the Network Time Protocol.

A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.

Chris is most likely reviewing a JSON file. HTML and XML typically use angle brackets (< and >) rather than curly brackets. Plain text does not use or require either.

Beaconing activity (sometimes called heartbeat traffic) occurs when traffic is sent to a botnet command-and-control system. The other terms are made up.

Cameron should compare the hashes of the known-good original and the new file to see if they match. The files are not described as encrypted, so decrypting them won't help. Strings can show text in binary files but won't compare the files. File size and creation date are not guarantees of a file being the same.

Hardware vendor ID codes are part of MAC addresses and can be checked for devices that have not had their MAC address changed. It is possible to change MAC addresses, so relying on only the MAC address is not recommended, but it can be useful to help identify what a rogue device might be.

Locating a rogue AP is often best done by performing a physical survey and triangulating the likely location of the device by checking its signal strength. If the AP is plugged into the organization's network, nmap may be able to find it, but connecting to it is unlikely to provide its location (or be safe!). NAC would help prevent the rogue device from connecting to an organizational network but won't help locate it.