
Threat Detection and Evasion Questions

Covers how defenders detect malicious activity, the techniques attackers use to avoid detection, and the indicators that reveal a compromise. Candidates should understand the sources of telemetry and what to look for in logs and network data, including suspicious file hashes, malicious network endpoints, unusual process behavior, abnormal authentication patterns, registry modifications, and persistence artifacts.

Describe common detection technologies such as antivirus, host-based detection, network intrusion detection systems (NIDS), and security information and event management (SIEM) systems, and explain how signature-based, heuristic, and behavioral detection differ. Explain detection engineering and threat hunting approaches, including writing detection rules, baselining normal behavior, anomaly detection, and applying threat intelligence.

Cover evasion and stealth techniques such as encrypting and tunneling command-and-control traffic, mimicking legitimate applications and traffic patterns, living off the land with built-in operating system tools, fileless and memory-resident techniques, process injection and masquerading, timing-based and low-and-slow attacks, obfuscation and packing, credential theft and lateral movement, and disabling or tampering with defensive controls.

Discuss how indicators of compromise appear across host, network, and application telemetry, the limitations that cause missed detections, and defender mitigations such as improved telemetry coverage, layered detection logic, containment and response playbooks, and proactive threat hunting.
