GCFA flash cards Questions and Answers graded A+

August 18, 2024 • Seller: Pogba119

how do you defend against cached credentials? - answer limit number of cached
logon accounts on microsoft/windowsnt/currentversion/winlogon (cachedlogonscount
value)

enforce password length

domain protected users security group

what is lsa secrets - answer credentials stored in registry for things like email service
accounts and vpn passwords and autologin credentials (passwords are plaintext)

how to guard against lsa secrets attacks - answer do not employ services or
scheduled tasks requiring privileged accounts on low trust systems

reduce services that require domain accounts to execute

group managed service accounts

kerberos tickets are normally valid for how many hours - answer 10

what is a pass the ticket attack - answer steal the ticket from memory and pass or
import on other systems

what is an overpass the hash attack - answer use nt hash to request a service ticket
for the same account

what is kerberoasting attack - answer request service ticket for highly privileged
service and crack the nt hash (this can be used in tandem with lsasecrets attack using
service password to authenticate the ticket)

what is a golden ticket attack - answer kerberos TGT for any account with no
expiration. survives a full password reset

what is a silver ticket attack - answer all access pass for a single service or computer

what is a skeleton key - answer patch LSASS on domain controller to add backdoor
password that works for any domain account

how do you defeat ticket attacks - answer credential guard (domain protected users
group win8+)

remote credential guard (win 10+) for windows 8 restricted admin

long and complex passwords for service accounts to prevent kerberoasting

change krbtgt regularly

how do you mitigate pass the ticket - answer credential guard

how do you mitigate overpass the hash (use nt hash to request a service ticket for the
same account) - answer credential guard, protected users group, disable rc4
authentication

how do you mitigate kerberoasting - answer long and complex passwords

how do you mitigate golden ticket attack - answer protect domain admin accounts
and change krbtgt passwords regularly

how do you mitigate silver ticket attacks - answer regularly update computer account
passwords

how do you mitigate skeleton key attacks - answer protect domain admin accounts,
smart card usage for privilege accounts

where is windows ntds.dit located (holds all ad domain service database and lm/nt in
domain. encrypted but easy to defeat.) - answer located in \windows\ntds on dc. file is
locked so either need admin or volume shadow copy service.

what is the prefetch - answer pre loads pages (for performance) they are
compressed since windows 10. it shows what ran, when it ran, and how many times.
Also commonly found in unallocated space.

what is a prefetch hash based off of: - answer where it ran from and command line
invocation arguments

how many of last executions are stored in the prefetch for windows 8 and 10 - answer
last 8 times executed with times

what does PECmd look like - answer pecmd -f e:\c:\windows\prefetch\prefetchfile.pf

how does the prefetch work - answer does not change creation time. reads original
prefetch entry or prefetch entry before it then writes to new cluster location. 1-2 2-3 in
unallocated space.

how can an adversary kill a prefetch - answer use sdelete or a file overwriter (catch
is the wiper shows is in use and creates own residue so you might not be able to delete
wiper's prefetch) Also only wiped current prefetch not previous iterations

where are 32 bit programs executed from - answer SYSWOW64 **

where are 64 bit programs executed from - answer system32

what is a rule for a 32 bit child process - answer must also be 32 bit process
because its parent invoke is 32 bit

What does AppCompatCache track? (shimcache) - answer a file's last modification
date, file path, and if it executed (files are re-shimmed if the application is moved,
renamed or time stomped)

what is the location of the shim cache (1024 entries) - answer
system\currentcontrolset\control\sessionmanager\appcompatcache\appcompatcache

when are files shimmed - answer when it touches file system, when it first runs, and
when it is browsed on a usb or network share for a .exe

what are some confusing parts of the shim cache - answer the shim entries show
modified time not actual shimmed time. They are shimmed in order of run though. Files
are only shimmed on reboot...

What is the Amcache location? - answer C:\windows\appcompat\programs\amcache.hve

What does the amcache contain? - answer Executed programs full path,
files $Standard_info,
Last modification time, and the volume the executable was run from (programs first
run time=last mod time of key)

also contains a sha-1 hash of executable

what is wsmprovhost.exe an indicator of? - answer remote desktop

what is wmiprvse.exe an indicator of - answer remote wmi commands

what is net.exe and net1.exe - answer used to map network shares

what can sorting in the shim cache by modification time show us (after a reboot) -
answer if .exe had the same modification date they were probably renamed (same
file)

Where is system registry hive file located in a windows environment - answer
windows\system32\config

where is the ntuser.dat - answer c:\users\

where are the event logs on a windows 10 system - answer system32\winevt\logs

logs for earlier systems it's system32\config (xp, server 03)

What does the security event log record - answer user authentication and logon

user behavior and actions

file/folder/share access

security settings modifications

what process updates the security log - answer only LSASS (third party applications
cannot insert events)

what are recorded categories in security event log - answer

What is 4624 - answer successful logon

What is logon code type 2 - answer logon via console (keyboard, kvm etc)

what is logon code type 3 - answer network logon

what is logon type 4 - answer Batch logon (used by scheduled task)

what is logon type 5 - answer windows service logon

what is logon type 7 - answer credentials used to lock or unlock screen : rdp session
reconnect

what is logon type 8 - answer network logon sending credentials via cleartext

what is logon code type 9 - answer different credentials used than logged on user -
runas / netonly

what is logon code type 10 - answer remote interactive logon (RDP)

what is logon code type 11 - answer cached credentials used to logon

what is logon code type 12 - answer cached remote interactive (similar to 10)
