1. What is the correct relationship between a program, a process, and a thread?
A program and a process are the same thing; a thread is an older term for a process A program is the instructions on disk; a process is the running container that owns memory and security context; a thread is a single line of execution inside the process A process is the instructions on disk; a program is the running instance; a thread is a child process A thread is the container that owns memory; a process is the unit of execution; a program is the running environment 2. A single application is running on a Windows machine. Which statement best describes how threads relate to that process?
The process can only contain one thread at a time; additional threads require a second process Each thread has its own dedicated memory space, separate from the process's memory The process can contain many threads, all sharing the same memory and security context Threads and processes are interchangeable terms; the distinction has no practical meaning for security work 3. What does it mean for a process to have a parent, and why does that relationship matter for detection?
The parent process owns the child's PID and can terminate it at any time; this controls process lifecycle When one process starts another, the starter is the parent; defenders use expected lineage to spot anomalies, like a document viewer spawning a command shell The parent-child relationship only exists while the parent is alive; if the parent exits first, the relationship never existed Every unusual parent-child pairing indicates malicious activity and should be escalated immediately 4. The System process on a Windows machine always has PID 4. What is the primary purpose of a PID?
To identify the user account that launched the process To group related threads so they share memory more efficiently To give each running process a unique numeric handle so it can be referenced, filtered, and terminated precisely To track how much CPU time the process has consumed since it started 5. What is the difference between user mode and kernel mode, and which one do defenders primarily analyze?
User mode is for administrators; kernel mode is for standard users. Defenders analyze kernel mode because that is where attacks happen. Kernel mode is for trusted OS code with direct hardware access; user mode is for ordinary applications. Almost everything analysts investigate lives in user mode. User mode and kernel mode differ only in execution speed; security analysts must understand both equally for any meaningful analysis Kernel mode processes are invisible to standard tools like tasklist; defenders must use specialized kernel debuggers for all analysis 6. You observe a process with no living parent on a Windows system. What does this most likely indicate?
The process is definitely malicious. Malware frequently kills its parent to hide its origin The parent process exited after spawning the child, which is a normal and expected pattern on Windows The system experienced a crash that terminated the parent unexpectedly The process has elevated privileges because it no longer has a parent to inherit restrictions from 7. During a client debrief, you need to explain why a malicious document produced an alert. Which statement best demonstrates clear process-model communication?
The malware ran on the endpoint and we detected it The document spawned a child PowerShell process, which then established a network connection, an unexpected parent-child pairing that the detection rule flagged A thread inside lsass.exe consumed unusual memory, indicating kernel-mode compromise The PID for the malicious process was 4, which is the System process and always indicates OS-level attack