Get the Preplance app for a seamless learning experience. Practice offline, get daily streaks, and stay ahead with real-time interview updates.
Get it on
Google Play
4.9/5 Rating on Store
System Security · Question Set
Malware & Forensics interview questions for placements and exams.
Questions
14
Included in this set
Subject
System Security
Explore more sets
Difficulty
Mixed
Level of this set
Go through each question and its explanation. Use this set as a focused practice pack for System Security.
Volatile data disappears first. Capture the most short-lived items early. That preserves evidence that would be gone by the time you power off or image the drive.
Quick set: mem dump → netstat → process list → selective disk grabs
For complete preparation, combine this set with full subject-wise practice for System Security. You can also explore other subjects and sets from the links below.
Web shells provide stealthy persistence on web servers. They blend with normal traffic and can survive short rebuilds if stored in shared content. Hunt for odd file paths, recent changes, and suspicious parameters.
Example: /var/www/html/.cache/assets/.img.php?cmd=id
Ransomware locks data by encrypting it and pressures the victim to pay for decryption. The core impact is loss of availability and potential data loss. Good backups, segmentation, and fast detection reduce damage.
Common note file: README.txt with payment instructions
Fileless techniques avoid writing obvious binaries to disk. They live in memory, use scripts, and leverage trusted tools like PowerShell or WMI. Disk-based antivirus may miss them, so telemetry and behavior rules are key.
Example: powershell -enc <base64> launched by Office process
IOCs are concrete signs that something bad likely happened. Hashes, domains, IPs, mutex names, and file paths are common. Pair them with behavior to avoid false positives.
sha256: d2a5... observed in C:\Windows\Temp\svc.exe
A sandbox executes a sample in a controlled VM or container. You watch file, registry, process, and network activity without risking production systems. It speeds triage and supports safer signature creation.
Observed: drops %APPDATA%\svc.dll; beacons to hxxp://example[.]com/api
Static analysis includes strings, headers, and control-flow. Dynamic analysis executes the sample to see live process, file, and network actions. Mature investigations mix both to cross-check findings.
strings sample.bin | findstr http
Kernel-mode code can intercept system calls and alter what tools see. That allows stealth, persistence, and powerful tampering. Detection relies on attestation, golden images, and low-level telemetry.
Symptom: ps shows no process but port 4444 is listening
Good records make evidence defensible. You track acquisition, transfers, tools, hashes, and storage. If challenged, you can prove the data is original and untampered.
Record: time, handler, device id, hash (SHA-256), action, location
Memory holds live secrets that never touch disk. You can see running processes, injected code, command lines, network sockets, decrypted payloads, and sometimes keys or tokens. Fileless techniques and in-memory implants leave few disk traces. A timely RAM capture can reveal the full execution chain and shorten the hunt. After that, a clean disk image provides persistence details and timeline. Together, they tell the complete story.
Windows: winpmem.exe --format raw --output mem.raw
Start with a clear time anchor, like the first alert. Pull endpoint logs, EDR telemetry, Windows Event Logs, Sysmon, Linux audit logs, web server logs, DNS, VPN, and proxy records. Normalize timestamps to one zone. Sequence key events: initial access, privilege change, lateral movement, data staging, exfil. Fill gaps with file system metadata and registry or config changes. A solid timeline reveals scope, helps with containment, and validates eradication.
Sort by time: log_source, user, host, action, indicator, result
YARA rules use text, hex, and logic to match families or traits. You can scan endpoints and memory to find variants, even if hashes change. This speeds threat hunting and scoping.
rule sample { strings: $s = "rundll32" nocase condition: $s }Packers compress or wrap code to hide strings and structure. Unpacking at runtime reveals the real payload. Analysts rely on behavior, emulation, and memory dumps to see through the layer.
Symptom: high entropy sections; suspicious unpacking loops
Isolate affected hosts at the switch or EDR while keeping a control channel. Snapshot VMs and capture memory from key systems. Reset exposed credentials and disable risky accounts. Identify patient zero and lateral paths. Rebuild from known-good images, patch aggressively, and restore data from clean backups. Keep heightened monitoring during the first week after recovery. Finally, review gaps in detection, hardening, and user training so the environment comes back stronger.
Playbook: isolate → capture → credentials → eradicate → rebuild → monitor → lessons