100+ Free SAL2 Practice Questions

Explanation: The pattern of many failed logins followed by one success is the hallmark of a successful brute-force attack. The immediate execution of 'net localgroup administrators' (enumerate admin group) and 'whoami /all' (enumerate current privileges) are textbook post-exploitation discovery commands used to understand the compromised account's privilege level and plan next steps.

Explanation: Windows Security Event ID 4688 (A new process has been created) records process creation events including the parent process, executable path, and — when process command-line auditing is enabled — the full command-line arguments. This makes it the primary artifact for reconstructing process execution history during DFIR investigations.

Explanation: DNS tunneling encodes data inside DNS query strings (often as base64 in TXT or NULL record lookups). Long, high-entropy subdomains queried at a regular rate indicate a tool like iodine, dnscat2, or a custom C2 implant. The parent domain acts as the attacker's authoritative DNS server, receiving the tunneled data. TXT records specifically are favored because they can carry arbitrary text payloads.

Explanation: IEX (Invoke-Expression) combined with DownloadString is a classic fileless malware technique. T1059.001 covers PowerShell execution; T1105 (Ingress Tool Transfer) covers downloading tools from a remote server. The encoded command attempts to evade detection by encoding the payload in base64, then downloading and executing a remote script without writing to disk. This combination is used by many threat actors and commodity malware loaders.

Explanation: Using 'stats dc(ComputerName) as host_count by user' counts distinct (dc) destination hosts per user. Filtering 'where host_count > 3' identifies accounts touching many systems — a key lateral movement indicator. EventCode 4624 captures successful logons. This pattern catches Pass-the-Hash, SMB lateral movement, and WMI/PsExec-style propagation across the network.

Explanation: '-enc' (or '-EncodedCommand') is the PowerShell parameter used to execute base64-encoded commands, a common obfuscation technique. Searching for process.name: powershell.exe AND process.command_line: *-enc* in KQL will surface all PowerShell invocations using encoded commands. Wildcards (*) match any characters before and after '-enc', catching variations like '-encodedcommand' or '-EnC'.

Explanation: OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is the classic sequence for reflective or shellcode process injection. The attacker opens a remote process, allocates memory in it, writes malicious code, then creates a remote thread to execute the injected payload. This technique is used to evade detection by running malicious code within trusted processes like svchost.exe or explorer.exe.

Explanation: The Windows Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ for the current user, or %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\ for all users) causes any placed executable or shortcut to run automatically at logon. This is MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), a common persistence mechanism used by malware.

Explanation: Detecting LSASS dumping with procdump requires matching the process image (procdump.exe) and its command-line argument specifying lsass as the target process. In practice, Sigma rules for this technique check the CommandLine field for '-ma lsass' or 'lsass.exe' combined with the process image being procdump, or check for the TargetImage/TargetProcess being lsass.exe in Sysmon Event ID 10 (ProcessAccess) events.

Explanation: rundll32.exe spawned by winword.exe (Microsoft Word) making external network connections is a classic indicator of a malicious macro (VBA/Office macro) that uses rundll32 to execute a DLL payload. This is a common living-off-the-land binary (LOLBin) technique — rundll32 is a trusted Windows binary, making it harder for basic AV to block. The parent-child relationship winword → rundll32 → network connection is a high-fidelity detection rule in many SOC environments.