GREM Cheat Sheet 2026

The 30 highest-yield GREM facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

75 questions
120 min time limit
69% to pass
  1. Which Volatility plugin lists running processes by walking the EPROCESS doubly-linked list in a Windows memory dump? pslist
  2. Why is context important in threat intelligence? It enhances threat prioritization and relevance
  3. Which dynamic analysis tool allows you to monitor program behavior in a sandbox? Cuckoo Sandbox
  4. When a malware sample suspends a thread and modifies its CONTEXT structure to redirect execution (SetThreadContext), what injection technique is being used? Thread Execution Hijacking (Suspend-Inject-Resume)
  5. What is the purpose of analyzing the PEB (Process Environment Block) of a suspect process in memory forensics? To retrieve the process image path, command-line arguments, and loaded module list
  6. Why is assembly important in reverse engineering malware? Because malware analysts must analyze binary instructions directly
  7. Which Windows API function do malware authors call to programmatically clear event logs? ClearEventLog()
  8. Why do ransomware families commonly delete Volume Shadow Copies (VSS) as part of their attack? To prevent victims from restoring files from VSS snapshots without paying the ransom
  9. What is a Domain Generation Algorithm (DGA) and why do malware authors use it? A technique that generates large numbers of pseudo-random domain names for C2 resilience
  10. Which of the following is a primary limitation of using dynamic analysis for deobfuscating malware? Malware can employ anti-analysis techniques to detect the sandbox and alter its behavior.
  11. Which tool is commonly used for dynamic malware analysis? Process Monitor
  12. Which Volatility plugin is specifically designed to detect injected code by identifying VAD regions that are executable, private, and contain PE headers? malfind
  13. What is the primary function of WinPmem in a rootkit forensic investigation? Acquiring a raw physical memory dump from a live Windows system for offline analysis
  14. Which of the following x86 instructions performs a bitwise logical AND operation but discards the result, only updating the CPU flags (like the Zero Flag)? TEST
  15. In the context of PDF forensics, what is the primary purpose of the `/FlateDecode` filter? To decompress stream data that has been compressed using the zlib/deflate algorithm.
  16. Which Windows event logs does malware most commonly clear to eliminate forensic evidence? Both Security.evtx and System.evtx
  17. What is static code analysis? Examining the code without executing it
  18. What technique does 'process hollowing' use to disguise malicious code inside a legitimate host process? Unmapping the legitimate executable image and replacing it with malicious code in memory
  19. Which default Cobalt Strike Beacon artifacts are commonly identified in network captures? Default malleable C2 URIs such as /dpixel, /ca, and /pixel.gif
  20. What tool can capture system calls made by malware during execution? Process Monitor
  21. Which report format is typically used for threat intelligence sharing? STIX
  22. Which open-source tool cross-references multiple process listing sources to detect hidden processes that kernel rootkits conceal? Process Hacker (System Informer)
  23. Which platform helps automate threat intelligence processing? Threat Intelligence Platforms (TIPs)
  24. Which Wireshark display filter correctly isolates only HTTP GET requests from a traffic capture? http.request.method == "GET"
  25. Which tool passively captures network traffic and reassembles sessions to extract transferred files and credentials during malware analysis? NetworkMiner
  26. What is the primary purpose of comparing a PE image's in-memory IAT to its on-disk counterpart during malware analysis? To detect API hooking or IAT patching by malware
  27. Which of the following best describes dynamic analysis? Monitoring behavior while malware is running
  28. What does a NOP instruction do? It performs no operation
  29. Which scenario is best suited for dynamic analysis? When analyzing runtime behavior
  30. Which language is often used for scripting malware? Python
Turn these facts into recall: