Are You Studying Cybersecurity? Here’s Some Malware Attacks and OSI Layers

Do you want to be a cybersecurity professional? A good skill to have is being able to identify which layer of the OSI Model a malware attack resides in.

Sean Byrne
4 min read · Feb 27, 2023

Let’s keep this simple. We’ll just provide a list of random malware attacks and then give a quick description of what layer each attack targets. This is important to know because the ‘good guys’ need to find all of the holes to defend a network. The ‘bad guys’ just need to find one hole to attack.

Support more content like this by subscribing OR purchase some merch from my store on Redbubble.


Pass the Hash:

The “pass the hash” attack would typically fall under the application layer (layer 7) or the presentation layer (layer 6), depending on the specific implementation of the attack.

At the application layer, the attack could involve exploiting vulnerabilities in the authentication process of an application, while at the presentation layer, it could involve manipulating the protocol used for authentication.

Dynamic Link Library:

The DLL attack would typically fall under the application layer (layer 7) or the presentation layer (layer 6), depending on the specifics of the attack.

At the application layer, the attack could involve exploiting vulnerabilities in the way an application loads and uses DLL files. At the presentation layer, it could involve manipulating the communication protocol used to load and execute the DLL files.

LDAP:

The LDAP attack would typically fall under the application layer (layer 7) or the session layer (layer 5), depending on the specifics of the attack.

At the application layer, the attack could involve exploiting vulnerabilities in the way an application interacts with an LDAP server, such as through the use of injection attacks or bypassing authentication checks. At the session layer, the attack could involve manipulating the session or connection to gain access to sensitive data or resources.
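The LDAP injection case mentioned above, shown as an added example that is not part of the original post: an application builds a search filter from raw input (the vulnerable pattern) beside the same filter built with RFC 4515 escaping. The filter shape `(uid=...)` and the sample input are constructed for illustration.

```python
# RFC 4515 escape sequences for characters that are special inside an
# LDAP search filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_ldap_filter(value: str) -> str:
    """Escape user input before interpolating it into a filter value.

    Each character is mapped independently, so a backslash is never
    escaped twice and the result cannot contain an unescaped '(' or ')'.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The injectable pattern: raw input concatenated into the filter."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Same lookup with the value escaped; input can only ever match a uid."""
    return f"(uid={escape_ldap_filter(username)})"


def assertion_count(flt: str) -> int:
    """Number of '(...)' assertions in a filter string (unescaped parens only).

    A single-field lookup should always have exactly one; more than one means
    the input changed the structure of the query, not just a value.
    """
    return flt.count("(")


if __name__ == "__main__":
    # constructed input that turns a uid lookup into a match-anything filter
    crafted = "*)(uid=*"
    print(build_filter_unsafe(crafted), assertion_count(build_filter_unsafe(crafted)))
    print(build_filter_safe(crafted), assertion_count(build_filter_safe(crafted)))
```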

Driver Manipulation:

Device drivers are software components that facilitate communication between a hardware device and the operating system. A driver manipulation attack would typically fall under Layer 2 (Data Link Layer) or Layer 3 (Network Layer) of the OSI model.

In a driver manipulation attack, the attacker seeks to modify or replace a legitimate device driver with a malicious one. The attack may be aimed at compromising the security of the operating system or gaining control of the affected system.

At the Data Link Layer (layer 2), an attacker could carry out a spoofing attack, pretending to be a legitimate network device, in order to gain access to the target network and compromise device drivers on that network.

At the Network Layer (Layer 3), an attacker could use IP spoofing techniques to impersonate a trusted device on the network and send malicious commands or data to the target device, which could lead to the installation of a malicious driver.

DNS (Domain Name System):

The DNS attack would typically fall under the application layer (Layer 7) or the transport layer (Layer 4), depending on the specifics of the attack.

At the application layer, the attack could involve exploiting vulnerabilities in the DNS server software or configuration, such as cache poisoning or domain hijacking. At the transport layer, the attack could involve manipulating the DNS traffic, such as through a DDoS (Distributed Denial of Service) attack on the DNS server or by intercepting and modifying DNS queries and responses.

PowerShell:

A PowerShell attack is a type of attack that involves using PowerShell, a command-line shell and scripting language, to execute malicious code on a targeted system.

In the Open Systems Interconnection (OSI) model, the PowerShell attack would typically fall under the application layer (Layer 7), as it involves exploiting vulnerabilities in an application, such as PowerShell, to gain unauthorized access or execute malicious code on a system.

Attackers may use PowerShell commands to carry out a wide range of malicious activities, such as stealing sensitive data, downloading and executing malware, escalating privileges, and establishing persistence on the system. PowerShell’s versatility and integration with the Windows operating system makes it a popular choice for attackers looking to carry out advanced attacks.

Media Access Control (MAC) flooding:

This is a type of network attack that targets the data link layer (Layer 2) of the Open Systems Interconnection (OSI) model. This attack aims to overload a switch’s MAC address table by flooding it with fake MAC addresses.

In the OSI model, MAC flooding attacks typically fall under the data link layer (Layer 2) since they exploit a weakness in the way switches operate at this layer. When a switch receives a frame with a new source MAC address, it adds that address to its table, associating it with the port that received the frame. This table is used to forward frames to their destination devices.

In a MAC flooding attack, an attacker sends a large number of frames with different fake source MAC addresses, causing the switch’s MAC address table to become full. Once the table is full, the switch goes into fail-open mode, which means that it starts broadcasting frames for unknown destinations to all ports, effectively creating a hub-like network. This allows the attacker to eavesdrop on network traffic and potentially launch other types of attacks, such as a man-in-the-middle attack.
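The table-filling mechanism described above, as an added example that is not from the original post: a toy learning switch with a capacity-limited MAC table, traffic constructed to fill it from one port, and a port-security style check that flags the port sourcing too many distinct MACs. The eviction policy (oldest entry dropped when full), the port numbers and the MAC addresses are assumptions for the demo.

```python
from collections import OrderedDict, defaultdict


class Switch:
    """Toy learning switch with a capacity-limited MAC (CAM) table.

    Assumption (not from the post): when the table is full, the oldest
    entry is evicted, so legitimate hosts lose their entries to fakes.
    """

    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = OrderedDict()  # src MAC -> ingress port

    def learn(self, src_mac, in_port):
        if src_mac in self.table:
            self.table.move_to_end(src_mac)
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # evict oldest entry
        self.table[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress ports for a frame: unicast if known, else flood."""
        self.learn(src_mac, in_port)
        if dst_mac in self.table:
            return [self.table[dst_mac]]
        return [p for p in self.ports if p != in_port]


def mac_flood_suspects(frames, limit):
    """Ports that have sourced more than `limit` distinct MACs (port-security style)."""
    seen = defaultdict(set)
    for in_port, src_mac, _dst in frames:
        seen[in_port].add(src_mac)
    return sorted(p for p, macs in seen.items() if len(macs) > limit)


def demo():
    h1, h2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"  # constructed hosts on ports 1, 2
    sw = Switch(ports=[1, 2, 3], capacity=4)
    sw.forward(h1, h2, 1)                 # h1 learned on port 1
    before = sw.forward(h2, h1, 2)        # h1 known: unicast to port 1 only
    fakes = [(3, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff") for i in range(4)]
    for port, src, dst in fakes:          # flood from port 3 fills the table
        sw.forward(src, dst, port)
    after = sw.forward(h2, h1, 2)         # h1 evicted: frame now reaches port 3 too
    all_frames = [(1, h1, h2), (2, h2, h1)] + fakes + [(2, h2, h1)]
    return {"before": before, "after": after,
            "suspects": mac_flood_suspects(all_frames, limit=2)}
```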

Final Thoughts

It’s worth noting that many of these attacks are not specific to any one layer of the OSI model and can occur at multiple layers depending on the specifics of the attack.
