FULL QUESTIONS AND CORRECT ANSWERS
GRADED A+
◉ netstat. Answer: Command used on Linux and Windows (with the -a, -b and -o switches) to list listening ports and see whether an attacker is attempting to connect. Used to find IoCs.
◉ PID. Answer: Process ID
◉ Runlevels. Answer: In UNIX and Linux systems, runlevels indicate the type of state the system is in, from 0 (halted), 1 (single user safe mode), 2-5 (multi-user normal modes) to 6 (rebooting). Lower runlevels indicate maintenance conditions with fewer services running; higher runlevels are normal operating conditions.
◉ systemd. Answer: A relatively new software framework used on
Linux systems that provides a system initialization process and system
management functions.
◉ Startup Folder. Answer: Contains a list of programs that open automatically when you boot a computer. Simplest way of getting malware on a user's Windows computer.
◉ Rootkits. Answer: Software tools used by an attacker to hide the actions or presence of other types of malicious software. Also designed to allow the attacker back into the system at a later date.
◉ Yara. Answer: Signature detection tool, the gold standard for detecting IoCs. It scans a system and compares the results with the rules in a database. It flags a match as a possible IoC.
◉ ARP cache. Answer: A table used to maintain a correlation between each MAC address and its corresponding IP address, meaning that any computers the compromised computer communicates with will have ARP cache entries for it.
◉ Mimikatz. Answer: A penetration testing tool used to access RAM to
extract password hashes or plaintext passwords. Often these are valid for
other systems on the network. Can also use hashcat
◉ Man-in-the-middle (MITM) attack. Answer: An attack that relies on intercepted transmissions. It can take one of several forms, but in all cases a person redirects or captures secure data traffic while in transit. The goal is to intercept password hashes in order to log into important systems and file servers. Crack the hashes using hashcat.
◉ ARP spoofing. Answer: More commonly known as ARP poisoning, this involves the MAC (Media Access Control) address of the data being faked by an attacker via the ARP protocol.
◉ PsExec. Answer: Designed for network admins to be able to run
PowerShell commands remotely on multiple systems at once
◉ 3 ways to detect exfiltration over HTTPS. Answer:
1. Consider where the HTTPS traffic is going.
2. Set up a network device to use as a proxy, and have all clients connect through the proxy.
3. Set up a proxy and enable SSL interception on it (configured to trust a custom SSL certificate).
◉ SMTP Exfiltration. Answer: Sending an email through the SMTP server that the company runs, hidden within the regular traffic.
◉ IRC (Internet Relay Chat). Answer: Older chat protocol (plaintext, no encryption) used a lot in the tech community. Used by a lot of malware as a command-and-control channel. Major weakness is that it's an unusual vector and not often seen in corporate networks.