Malware Taxonomy · C2 Infrastructure · Registry Persistence · Pass-the-Hash · YARA · Memory Forensics
The final GCIH topic covers the full attacker lifecycle after initial access — how malware operates, how attackers stay in your environment, and how they move laterally to reach their objectives.
Eleven distinct malware types — viruses, worms, trojans, RATs, rootkits, ransomware, keyloggers, backdoors, botnets, droppers, and spyware — each with a unique delivery model and behavioral signature. Know which requires a host file and which self-replicates.
Command and Control (C2) channels let attackers communicate with compromised hosts. Key mechanisms: HTTPS beaconing with jitter, DNS tunneling, DGA (Domain Generation Algorithm), and domain fronting via CDNs. Cobalt Strike and Sliver are common frameworks.
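As an added illustration of how two of these C2 mechanisms are detected (this is example code written for this page, not a tool from the page or any vendor): the block below measures the regularity of connection intervals per client/destination pair, which survives the jitter attackers add to beacons, and scores domain labels by length and Shannon entropy to spot DGA-style names. The proxy-log records, the 60-second beacon interval, and the thresholds (interval CV at most 0.25, label length at least 12, entropy at least 3.5 bits per character) are constructed assumptions for the demo, not values from the page.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy-log style records (timestamp, client IP, destination host).
# One destination is contacted roughly every 60 s with jitter; the other is
# ordinary bursty browsing. None of this is real traffic.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_RECORDS = [
    (BASE + timedelta(seconds=60 * i + j), "10.0.0.5", "cdn-update.example")
    for i, j in enumerate([0, 7, -5, 3, -8, 6, 2, -4, 5, -2])
] + [
    (BASE + timedelta(seconds=s), "10.0.0.5", "www.example.org")
    for s in [3, 41, 42, 300, 301, 302, 303, 900]
]


def interval_stats(timestamps):
    """Mean gap between consecutive events and its coefficient of variation (CV).
    A beacon with jitter keeps a low CV; human browsing does not."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return mean, float("inf")
    variance = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return mean, math.sqrt(variance) / mean


def find_beacons(records, min_events=8, max_cv=0.25):
    """Return {(src, dst): (mean_interval, cv)} for pairs whose cadence is regular.
    min_events and max_cv are demo thresholds; tune them on your own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_events:
            continue
        mean, cv = interval_stats(ts)
        if cv <= max_cv:
            hits[pair] = (mean, cv)
    return hits


def label_entropy(domain):
    """Shannon entropy (bits/char) of the registrable label, e.g. 'example' in www.example.org."""
    label = domain.split(".")[-2] if "." in domain else domain
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()), label


def is_dga_like(domain, min_len=12, min_entropy=3.5):
    """Heuristic: a long, high-entropy label. Thresholds are assumptions for this demo."""
    entropy, label = label_entropy(domain)
    return len(label) >= min_len and entropy >= min_entropy


if __name__ == "__main__":
    for pair, (mean, cv) in find_beacons(SAMPLE_RECORDS).items():
        print(f"beacon candidate {pair}: every {mean:.0f}s (cv={cv:.2f})")
    for d in ["xjq7fkzpw0nbtr.com", "cdn-update.example", "www.example.org"]:
        print(d, "DGA-like" if is_dga_like(d) else "ok")
```

The interval test is what makes jitter ineffective: jitter widens the spread of gaps but, over enough events, the coefficient of variation of a scheduled beacon stays far below that of interactive traffic. Note that neither check helps against domain fronting, where the observable hostname is a legitimate CDN name; that case needs TLS SNI/Host-header comparison or traffic-volume analysis instead.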
Registry Run keys, Startup folders, Scheduled Tasks, Services, DLL Hijacking, WMI Subscriptions, COM Hijacking, and LOLBins are all tested. Autoruns (Sysinternals) is the gold-standard tool for enumerating all persistence locations on a Windows system.
Cron jobs, systemd services, .bashrc/.bash_profile injection, SSH authorized_keys, SUID binaries, LD_PRELOAD hijacking, and /etc/ld.so.preload are the primary Linux persistence mechanisms. Each provides a distinct execution trigger and detection method.
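To show what "a distinct detection method" looks like in practice for the Linux mechanisms listed above, here is an added audit script (example code for this page, not a tool the page describes). It builds a constructed mini root filesystem in a temporary directory, then checks cron tables for every-minute schedules or commands launched from scratch directories, systemd units whose ExecStart points into those directories, every key in each user's authorized_keys, a non-empty /etc/ld.so.preload, and setuid files absent from a baseline. The suspicious-directory list, the SUID baseline, and all file contents are assumptions constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Launch locations that rarely host legitimate scheduled code (assumed list for this demo).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Expected setuid binaries; on a real host this baseline comes from the package manager or a golden image.
SUID_BASELINE = {"/usr/bin/passwd"}

def build_sample_root():
    """Constructed mini root filesystem in a temp dir standing in for a real host."""
    root = Path(tempfile.mkdtemp(prefix="persist-audit-"))
    files = {
        "etc/crontab": "SHELL=/bin/sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
                       "* * * * * root /tmp/backdoor\n",
        "etc/cron.d/sysstat": "5-55/10 * * * * root /usr/lib64/sa/sa1 1 1\n",
        "etc/systemd/system/update.service": "[Service]\nExecStart=/dev/shm/.x/agent\n[Install]\nWantedBy=multi-user.target\n",
        "etc/ld.so.preload": "/tmp/libhook.so\n",
        "home/alice/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop\n"
                                           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER root@unknown-host\n",
        "usr/bin/passwd": "#!/bin/sh\nexit 0\n", "usr/bin/ls": "#!/bin/sh\nexit 0\n", "tmp/.cache": "#!/bin/sh\nexit 0\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    for rel, mode in [("usr/bin/passwd", 0o4755), ("usr/bin/ls", 0o755), ("tmp/.cache", 0o4755)]:
        (root / rel).chmod(mode)  # 0o4755 sets the setuid bit (chmod u+s)
    return root

def _cron_lines(path, system_crontab):
    """System crontabs carry a user field after the five schedule fields; user crontabs do not."""
    findings = []
    for line in path.read_text().splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment or environment assignment
        schedule = " ".join(fields[:5])
        command = " ".join(fields[6:] if system_crontab else fields[5:])
        if schedule == "* * * * *" or any(d in command for d in SUSPICIOUS_DIRS):
            findings.append(("cron", f"{path.name}: '{schedule}' runs {command}"))
    return findings

def audit_cron(root):
    findings = []
    for p in [root / "etc/crontab", *sorted((root / "etc/cron.d").glob("*"))]:
        if p.is_file():
            findings += _cron_lines(p, system_crontab=True)
    for p in (root / "var/spool/cron/crontabs").glob("*"):
        findings += _cron_lines(p, system_crontab=False)
    return findings

def audit_systemd(root):
    findings = []
    for unit in sorted((root / "etc/systemd/system").glob("*.service")):
        for line in unit.read_text().splitlines():
            if line.startswith("ExecStart=") and any(d in line for d in SUSPICIOUS_DIRS):
                findings.append(("systemd", f"{unit.name}: {line}"))
    return findings

def audit_ssh_keys(root):
    """Every authorized key is reported; the analyst compares the list against who should have access."""
    findings = []
    for keyfile in sorted((root / "home").glob("*/.ssh/authorized_keys")):
        user = keyfile.parts[-3]
        for line in keyfile.read_text().splitlines():
            parts = line.split()
            if len(parts) >= 2:  # key type, key material, optional comment
                findings.append(("ssh_key", f"{user}: {parts[0]} {parts[2] if len(parts) > 2 else '(no comment)'}"))
    return findings

def audit_ld_preload(root):
    p = root / "etc/ld.so.preload"
    if p.is_file() and p.read_text().strip():
        return [("ld_preload", f"/etc/ld.so.preload loads {p.read_text().split()}")]
    return []

def audit_suid(root, baseline=SUID_BASELINE):
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            st = full.lstat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                rel = "/" + full.relative_to(root).as_posix()
                if rel not in baseline:
                    findings.append(("suid", f"unexpected setuid file {rel} (mode {oct(st.st_mode & 0o7777)})"))
    return findings

def audit(root):
    return audit_cron(root) + audit_systemd(root) + audit_ssh_keys(root) + audit_ld_preload(root) + audit_suid(root)

if __name__ == "__main__":
    for category, detail in audit(build_sample_root()):
        print(f"[{category}] {detail}")
```

Run against a real host by passing Path("/") to audit() instead of the constructed root; the SUID walk will then take a while and the baseline must be populated from a trusted package list first, otherwise every legitimate setuid binary is reported.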
Pass-the-Hash uses NTLM hashes directly — no cracking needed. Pass-the-Ticket and Golden/Silver Tickets abuse Kerberos. Kerberoasting extracts and cracks service ticket hashes offline. Remote execution via PsExec, WMI, PowerShell remoting, and RDP round out the toolkit.
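The detection side of these techniques, as an added example that is not part of the original page: the block below correlates a handful of constructed Windows Security and PowerShell events using the event IDs discussed on this page (4648 explicit-credential use, 4103/4104 script block logging, 5140 share access, 4698 task creation). The correlation logic is my assumption, not a documented Microsoft or SANS rule: an NTLM network logon (4624, type 3) followed within five minutes by ADMIN$ or C$ access from the same source is flagged as a PsExec/Pass-the-Hash pattern, a 4698 during a network session from the same account as remote task creation, and a 4104 containing encoding or download tokens as a suspicious script block. Hosts, addresses, users and the indicator lists are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator lists for this demo.
ADMIN_SHARES = ("ADMIN$", "C$")
SCRIPT_INDICATORS = ("FromBase64String", "DownloadString", "-EncodedCommand")

# Constructed events reduced to the fields a SIEM would normalise. Event IDs are the
# Windows ones; hosts, users and addresses are made up.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T11:00:00", "host": "FS01", "id": 4624, "logon_type": 3, "auth": "Kerberos",
     "user": "jdoe", "src_ip": "10.0.0.9"},
    {"time": "2024-03-01T11:01:00", "host": "FS01", "id": 5140, "share": "\\\\*\\Data",
     "user": "jdoe", "src_ip": "10.0.0.9"},
    {"time": "2024-03-01T12:00:00", "host": "FS01", "id": 4624, "logon_type": 3, "auth": "NTLM",
     "user": "svc_backup", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T12:00:05", "host": "WS07", "id": 4648, "user": "jdoe",
     "target_user": "svc_backup", "target_server": "FS01"},
    {"time": "2024-03-01T12:00:08", "host": "FS01", "id": 5140, "share": "\\\\*\\ADMIN$",
     "user": "svc_backup", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T12:00:10", "host": "FS01", "id": 4698, "user": "svc_backup", "task": "\\Updater"},
    {"time": "2024-03-01T12:00:12", "host": "FS01", "id": 4104, "user": "svc_backup",
     "script": "$bytes = [Convert]::FromBase64String($blob)  # constructed sample"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def detect_lateral_movement(events, window_s=300):
    """Return a list of (rule, host, detail) alerts from time-ordered events."""
    window = timedelta(seconds=window_s)
    alerts = []
    # Network logons seen so far, per host: (time, user, src_ip, auth package)
    net_logons = defaultdict(list)
    for e in sorted(events, key=_t):
        host, eid = e["host"], e["id"]
        if eid == 4624 and e.get("logon_type") == 3:
            net_logons[host].append((_t(e), e["user"], e.get("src_ip"), e.get("auth")))
        elif eid == 5140 and e["share"].rsplit("\\", 1)[-1] in ADMIN_SHARES:
            # Admin share opened shortly after an NTLM network logon from the same source
            recent = [l for l in net_logons[host]
                      if l[2] == e.get("src_ip") and l[3] == "NTLM" and _t(e) - l[0] <= window]
            if recent:
                alerts.append(("psexec_pattern", host,
                               f"{e['share']} opened by {e['user']} from {e['src_ip']} after NTLM network logon"))
        elif eid == 4648 and e.get("target_server") and e["target_server"] != host:
            alerts.append(("explicit_creds", host,
                           f"{e['user']} used {e['target_user']} credentials toward {e['target_server']}"))
        elif eid == 4698:
            recent = [l for l in net_logons[host] if l[1] == e["user"] and _t(e) - l[0] <= window]
            if recent:
                alerts.append(("remote_task_creation", host,
                               f"task {e['task']} created by {e['user']} during a network session"))
        elif eid == 4104:
            hits = [i for i in SCRIPT_INDICATORS if i.lower() in e["script"].lower()]
            if hits:
                alerts.append(("suspicious_scriptblock", host, f"script block contains {', '.join(hits)}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{rule:24} {host:6} {detail}")
```

The Kerberos logon and the Data share access from 10.0.0.9 produce nothing, which is the point: raw 5140 or 4624 volume is useless, and the signal is the sequence (NTLM where Kerberos is expected, then an administrative share, then a task or script on the target). Script Block Logging (4104) and Module Logging (4103) must be enabled by policy before these events exist at all.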
YARA is the pattern-matching standard for malware identification — scan files, processes, and memory. Volatility is the standard memory forensics framework: pslist, netscan, malfind, and dlllist are the four most-tested plugins. Malfind identifies process injection.
The GCIH exam loves to test these three. PtH uses NTLM hashes (no Kerberos). PtT steals existing Kerberos tickets. Golden Ticket forges a TGT using the krbtgt hash — giving 10-year domain persistence. Know what artifact each attack requires and what it bypasses.
Virus requires a host file and user action to spread. Worm self-replicates with no host file. Trojans disguise as legitimate software. Rootkits hide their own presence. Ransomware destroys availability. The exam distinguishes these — memorize the defining characteristic of each.
Malfind is the Volatility plugin for finding injected code — it looks for executable memory regions not backed by a file on disk (MZ header present but no file mapping). YARA rule structure: meta (info) → strings (patterns) → condition (logic). Both are exam-ready topics.
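To make the meta → strings → condition structure concrete, here is an added miniature YARA matcher (example code for this page, not yara-python or the yara tool, whose full language is far larger). It parses a constructed rule into its three sections, searches a byte buffer for each text or hex string, and evaluates the condition with a small recursive-descent evaluator that understands $identifiers, not/and/or, parentheses, "N of ($prefix*)", "all of them"/"any of them" and filesize comparisons. Hex wildcards, jumps, regex strings and the rest of the real syntax are deliberately out of scope; the rule and the sample buffers are constructed and match nothing real.

```python
import re

SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2}
# Tokens: $name or $prefix*, numbers with optional KB/MB, comparison operators, parens, keywords
TOKEN_RE = re.compile(r"\$\w*\*?|\d+(?:\s*(?:KB|MB))?|<=|>=|==|!=|[<>()]|\w+")

# Constructed rule following the meta -> strings -> condition layout.
SAMPLE_RULE = r'''
rule Demo_Loader {
    meta:
        author = "analyst"
        description = "constructed demo rule, matches nothing real"
    strings:
        $s1 = "malicious_string"
        $s2 = "cmd.exe /c"
        $hex = { DE AD BE EF }
    condition:
        filesize < 1MB and (2 of ($s*) or $hex)
}
'''

def parse_rule(text):
    """Split a rule into name, meta, strings and condition (text and plain hex strings only)."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    head, rest = text.split("strings:", 1)
    strings_src, condition_src = rest.split("condition:", 1)
    meta = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', head))
    strings = {}
    for ident, value in re.findall(r'(\$\w+)\s*=\s*("[^"]*"|\{[^}]*\})', strings_src):
        body = value[1:-1]
        strings[ident] = bytes.fromhex("".join(body.split())) if value[0] == "{" else body.encode()
    return {"name": name, "meta": meta, "strings": strings,
            "condition": condition_src.strip().rstrip("}").strip()}

class Condition:
    """Recursive-descent evaluator: expr := term ('or' term)*, term := factor ('and' factor)*."""

    def __init__(self, condition, matched, filesize):
        self.toks, self.pos = TOKEN_RE.findall(condition), 0
        self.matched, self.filesize = matched, filesize

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "or":
            self.take()
            value = self.term() or value  # evaluate the right side first so its tokens are consumed
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "and":
            self.take()
            value = self.factor() and value
        return value

    def factor(self):
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            self.take()  # closing ')'
            return value
        if tok in ("all", "any") or tok.isdigit():  # quantifier: N of ($prefix*) / all of them
            self.take()  # 'of'
            target = self.take()
            if target == "them":
                names = list(self.matched)
            else:  # target was '(' ; next token is the $prefix*
                prefix = self.take().rstrip("*")
                self.take()  # ')'
                names = [n for n in self.matched if n.startswith(prefix)]
            hits = sum(self.matched[n] for n in names)
            return hits == len(names) if tok == "all" else hits >= (1 if tok == "any" else int(tok))
        if tok == "filesize":
            op, size = self.take(), self.size(self.take())
            return {"<": self.filesize < size, "<=": self.filesize <= size, ">": self.filesize > size,
                    ">=": self.filesize >= size, "==": self.filesize == size}[op]
        return self.matched[tok]  # a $identifier

    @staticmethod
    def size(tok):
        number, unit = re.match(r"(\d+)\s*(KB|MB)?", tok).groups()
        return int(number) * SIZE_UNITS.get(unit, 1)

def scan(rule, data):
    """Return (rule matched?, per-string hits) for one rule against one byte buffer."""
    matched = {name: pattern in data for name, pattern in rule["strings"].items()}
    return Condition(rule["condition"], matched, len(data)).expr(), matched

# Constructed buffers standing in for a file or a process memory dump.
HIT_SAMPLE = b"MZ\x90\x00 ... malicious_string ... cmd.exe /c whoami ..."
MISS_SAMPLE = b"MZ\x90\x00 ... cmd.exe /c whoami ... nothing else of note"

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    for label, data in [("hit", HIT_SAMPLE), ("miss", MISS_SAMPLE), ("hex-only", b"\xde\xad\xbe\xef")]:
        print(rule["name"], label, scan(rule, data))
```

The "2 of ($s*)" clause is why the miss sample fails: one string alone is weak evidence, and requiring two (or a hex sequence) is how rule authors trade recall for fewer false positives, which is exactly what the filesize guard does from the other direction.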
Understand how each malware category operates, what makes it distinct, and how attackers build and hide their command-and-control channels.
| Type | Definition | Key Characteristic | Example |
|---|---|---|---|
| Virus | Attaches to files; spreads via user action | Requires host file | ILOVEYOU |
| Worm | Self-replicating; spreads via network | No host file needed | WannaCry, Conficker |
| Trojan | Disguised as legitimate software | Social engineering delivery | RAT disguised as game |
| RAT (Remote Access Trojan) | Full remote control of victim | Keylogging, screen capture, file access | njRAT, DarkComet |
| Rootkit | Hides attacker presence; kernel or user mode | Subverts OS; very hard to detect | TDSS, Azazel |
| Ransomware | Encrypts files; demands payment | Destroys availability | WannaCry, REvil, Conti |
| Keylogger | Records keystrokes | Credential theft | Ardamax |
| Backdoor | Persistent unauthorized access channel | Often combined with RAT | Web shell |
| Botnet/Bot | Compromised device under C2 control | Used for DDoS, spam, cryptomining | Mirai, Emotet |
| Dropper/Loader | Delivers and installs other malware | First stage | TrickBot loading Ryuk |
| Spyware | Monitors and exfiltrates user activity | Stalkerware variant | Pegasus |
Static analysis: examine malware without executing it. Techniques: file hashing (MD5/SHA-256), strings extraction, PE header analysis, import table inspection, YARA scanning. Tools: strings, PEStudio, Ghidra (disassembly), IDA Pro. Safe — no execution risk.
Dynamic analysis: execute in a controlled sandbox and observe behavior: file writes, registry changes, network connections, process creation. Tools: Cuckoo, Any.run, VirusTotal dynamic, Wireshark (network), Process Monitor (host). Risk: malware may detect the sandbox and alter its behavior.
Hybrid analysis: combines static and dynamic. Use static first for quick triage (hash lookup, strings, YARA), then dynamic for behavioral confirmation. Most professional workflows use both — static for speed, dynamic for depth. x64dbg is used for live debugging during the dynamic phase.
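The static triage steps above, carried out in code as an added example (not a tool from the page): hashing, strings extraction in the manner of the strings utility, and a parser for the first layer of the PE format (DOS header, PE signature, COFF header, optional-header magic). The input is a constructed PE-shaped byte blob with a plausible header and a few trailing strings; it is not a real executable, and the machine, timestamp and characteristics values in it are made up. Import-table parsing is left out because it requires section-table and RVA resolution beyond what a triage snippet needs.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINE_TYPES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000  # Characteristics flag: image is a DLL


def build_sample_pe():
    """Constructed PE-shaped blob: DOS header, stub, PE signature, COFF header, zeroed optional header,
    then a few strings. Not a real or runnable executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 0x80)  # e_lfanew: file offset of the PE signature
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 64, b"\0")
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (values are made up)
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x8664, 3, 0x65F0A000, 0, 0, 240, 0x2022)
    optional = struct.pack("<H", 0x20B).ljust(240, b"\0")  # PE32+ magic, rest zeroed
    tail = b"\0kernel32.dll\0VirtualAlloc\0http://placeholder.invalid/update\0cmd.exe /c\0"
    return bytes(dos) + stub + coff + optional + tail


def file_hashes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe_header(data):
    """Basic COFF/optional-header facts, or None if the buffer is not PE-shaped."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, "unknown"),
    }


def triage(data):
    """One-shot static triage report: hashes for lookup, header facts, and strings worth a second look."""
    strings = extract_strings(data)
    interesting = [s for s in strings if re.search(r"https?://|\.dll$|\.exe\b", s, re.I)]
    return {"hashes": file_hashes(data), "pe": parse_pe_header(data),
            "string_count": len(strings), "interesting": interesting}


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(report["hashes"]["sha256"])
    print(report["pe"])
    print(report["interesting"])
```

The compile timestamp is attacker-controlled and is only a hint, and the hashes are what you submit to a reputation service before spending sandbox time; strings matching URLs or DLL names are the usual starting point for the import-table and dynamic phases.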
Attackers establish persistence so they survive reboots and credential changes. Know every location — on both Windows and Linux — and how to detect each one.
| Mechanism | Location / Method | Detection |
|---|---|---|
| Registry Run Keys | HKCU\...\Run, HKLM\...\Run, RunOnce | Autoruns, reg query |
| Startup Folder | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | Autoruns, file monitoring |
| Scheduled Tasks | schtasks /create; Task Scheduler GUI | schtasks /query, Event ID 4698 |
| Services | sc create; HKLM\SYSTEM\CurrentControlSet\Services | sc query, Autoruns |
| DLL Hijacking | Place malicious DLL earlier in app search path than legitimate DLL | ProcMon "DLL not found", Sigcheck |
| WMI Subscriptions | __EventFilter + __EventConsumer + __FilterToConsumerBinding | Get-WMIObject, WMI-Activity event log |
| Boot/Pre-OS | Bootkit in MBR/VBR/UEFI | Boot integrity checks, Secure Boot |
| COM Hijacking | Override COM object CLSID in HKCU registry | ProcMon, Autoruns |
| LOLBins | regsvr32, mshta, certutil, bitsadmin — legitimate Windows binaries abused | Behavioral monitoring, application whitelisting |
The primary Linux persistence mechanisms:

- Cron jobs: /etc/crontab, /etc/cron.d/, /var/spool/cron/crontabs/root — example: * * * * * /tmp/backdoor executes every minute.
- systemd services: a .service file in /etc/systemd/system/ — survives reboots and restarts automatically.
- SSH keys: ~/.ssh/authorized_keys — provides password-free persistent SSH access.
- SUID binaries: chmod u+s on a binary — executes as the file owner (often root) regardless of who runs it.

After gaining initial access, attackers pivot to additional systems. Master the credential-based and remote execution techniques — and their detection signatures — for the GCIH exam.
Lateral movement techniques and their detection signatures:

- Pass-the-Hash: … sekurlsa::pth), CrackMapExec, Impacket (psexec.py, wmiexec.py). Windows 8.1+ KB2871997 limits PtH for some accounts; local Administrator accounts are still vulnerable if the same hash is reused across hosts.
- Pass-the-Ticket: … kerberos::ptt).
- PsExec: … \ADMIN$)
- WMI: wmic /node:target process call create "cmd.exe"; uses Win32_Process; Event ID 4648 (logon using explicit credentials), WMI-Activity log.
- PowerShell remoting: Invoke-Command -ComputerName target -ScriptBlock {...}; Event IDs 4103/4104 (Script Block logging captures executed code).
- Admin shares (SMB): … \ADMIN$; monitor for unusual share access (Event ID 5140).
- DCOM: dcomexec.py; lower visibility than PsExec in many environments.

YARA rule structure (meta → strings → condition):

```yara
rule RuleName {
    meta:
        author = "analyst"
    strings:
        $s1 = "malicious_string"
        $hex = { DE AD BE EF }
    condition:
        $s1 or $hex
}
```

Condition examples: … all of them, 2 of ($s*), filesize < 1MB and $hex).

Practice quiz: 10 questions covering malware taxonomy, C2 channels, persistence mechanisms, lateral movement, YARA, and memory forensics.
1. Which malware type self-replicates across networks without requiring a host file or user interaction?
2. Pass-the-Hash (PtH) attacks work by:
3. A Golden Ticket attack requires the attacker to have compromised which account's hash?
4. Which Windows persistence mechanism executes malicious code by placing a DLL earlier in the application's search path than the legitimate DLL?
5. Kerberoasting targets service accounts because:
6. Which C2 channel encodes attacker commands within DNS queries, making it difficult to block without disrupting legitimate DNS?
7. The Autoruns (Sysinternals) tool is primarily used to:
8. Which YARA rule component defines the patterns (strings, hex sequences, regex) to search for?
9. In Volatility memory forensics, which plugin identifies potentially injected code in process memory by looking for executable memory regions not backed by a file on disk?
10. A DGA (Domain Generation Algorithm) is used by malware to:
YARA: … -p flag for process memory scanning. Multiple strings increase specificity and reduce false positives.