Which class of Windows artifacts are commonly used as persistence indicators for malware triage?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which class of Windows artifacts are commonly used as persistence indicators for malware triage?

Explanation:
Persistence in Windows is achieved through artifacts that cause code to run automatically when the system boots or a user logs on. The answer is the class of autostart locations (often called ASEPs, autostart extensibility points): registry autostart entries, services, and startup folders. These mechanisms are purpose-built for relaunching programs, which is exactly why attackers use them to make sure malware survives reboots and logoffs. Concretely, the class covers the Run and RunOnce keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion (and their Wow6432Node counterparts on 64-bit hosts), services under HKLM\SYSTEM\CurrentControlSet\Services whose Start value is 2 (automatic), and the per-user and all-users Startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup), whose contents execute at logon.

In malware triage these are among the most informative indicators because they show directly what is configured to run without user interaction and therefore how the malware survives a restart. They are also practical to inspect: query the Run keys, list services together with their start type and image path, and look in the Startup folders for unexpected executables or shortcuts. Entries whose image lives in a user-writable location (AppData, Temp, ProgramData, Public), whose binary is unsigned or missing from disk, or whose name mimics a legitimate Windows component deserve a closer look. The same class extends to other autostart locations such as scheduled tasks, WMI event subscriptions and the Winlogon Shell/Userinit values, so a thorough triage enumerates all of them (Sysinternals Autoruns does this) rather than stopping at the three named here.

User documents are data that malware might exfiltrate or hide in, not artifacts that cause automatic execution at startup. The printer queue is unrelated to persistence; it governs print job handling and offers no mechanism for malware to relaunch after a reboot. (One caveat for practitioners: the spooler's port monitor DLLs registered under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors are loaded at boot and have been abused for persistence, but that is a registry autostart entry, not the print queue, so it still falls in the class identified by the correct answer.)
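The following triage script is an added example for this page (it is not course material from FOR508 or code from Examzify). It enumerates the three autostart classes discussed in the explanation, Run/RunOnce keys, automatically started services and the Startup folders, and flags entries whose command line points at a user-writable location, whose image is missing from disk, or whose image fails Authenticode validation. It assumes an elevated PowerShell 5.1 or later session on the live host; the key paths, path patterns and the two helper functions (Get-ImagePath, Test-AutostartEntry) are this example's own choices, not a fixed standard.

```powershell
# Added triage example (not from the FOR508 course or the Examzify page).
# Assumes an elevated PowerShell 5.1+ session on the live host; for a mounted
# image, point the registry paths at the loaded hives instead.

# User-writable locations that legitimate autostart entries rarely live in (assumed list)
$SuspiciousPathPatterns = @(
    '\\AppData\\', '\\Temp\\', '\\ProgramData\\', '\\Users\\Public\\',
    '\\Downloads\\', '\\Recycle', '%TEMP%', '%APPDATA%'
)

# Registry autostart keys to inspect; Wow6432Node covers 32-bit entries on 64-bit hosts
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders: current user and all users
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Extract the executable from a command line such as '"C:\x\y.exe" /arg' or 'C:\x\y.exe /arg'.
# Bare names like 'svchost.exe -k netsvcs' are resolved through PATH so they are not flagged as missing.
function Get-ImagePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $image = ($expanded -split '"')[1]
    } elseif ($expanded -match '^(.*?\.exe)') {
        $image = $Matches[1]
    } else {
        $image = ($expanded -split ' ')[0]
    }
    if (-not [System.IO.Path]::IsPathRooted($image)) {
        $resolved = Get-Command $image -ErrorAction SilentlyContinue
        if ($resolved) { $image = $resolved.Source }
    }
    return $image
}

# Score one entry: suspicious path, image missing on disk, or unsigned/invalid signature
function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $image = Get-ImagePath $CommandLine
    $flags = @()
    foreach ($pattern in $SuspiciousPathPatterns) {
        if ($CommandLine -match $pattern) { $flags += 'user-writable path'; break }
    }
    if ($image -and -not (Test-Path -LiteralPath $image)) {
        $flags += 'image missing on disk'
    } elseif ($image) {
        $sig = Get-AuthenticodeSignature -LiteralPath $image -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    }
    [PSCustomObject]@{ Source = $Source; Name = $Name; Command = $CommandLine; Flags = ($flags -join '; ') }
}

$results = @()

# 1. Registry Run / RunOnce values (skip the PS* provider metadata properties)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        $results += Test-AutostartEntry -Source $key -Name $prop.Name -CommandLine ([string]$prop.Value)
    }
}

# 2. Services with automatic start (PathName is the service's ImagePath; drivers are not included here)
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $results += Test-AutostartEntry -Source 'Service' -Name $_.Name -CommandLine $_.PathName
}

# 3. Startup folder contents, resolving .lnk shortcuts to their targets
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $results += Test-AutostartEntry -Source "Startup:$dir" -Name $_.Name -CommandLine $target
    }
}

# Flagged entries first; unflagged entries stay in the output for comparison against a known-good baseline
$results | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

A flag is a reason to look, not a verdict: plenty of legitimate software runs unsigned from ProgramData, and malware that hijacks a signed system binary will pass the signature check. Compare the output against a baseline from a clean host of the same build, and remember that this script only covers the three locations named in the question; scheduled tasks, WMI subscriptions and the other autostart points need their own enumeration.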

