GREM Cheat Sheet 2026
The 30 highest-yield GREM facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
75 questions
120 min time limit
69% to pass
- Which Volatility plugin lists running processes by walking the EPROCESS doubly-linked list in a Windows memory dump? → pslist
- Why is context important in threat intelligence? → It enhances threat prioritization and relevance
- Which dynamic analysis tool allows you to monitor program behavior in a sandbox? → Cuckoo Sandbox
- When a malware sample suspends a thread and modifies its CONTEXT structure to redirect execution (SetThreadContext), what injection technique is being used? → Thread Execution Hijacking (Suspend-Inject-Resume)
- What is the purpose of analyzing the PEB (Process Environment Block) of a suspect process in memory forensics? → To retrieve the process image path, command-line arguments, and loaded module list
- Why is assembly important in reverse engineering malware? → Because malware analysts must analyze binary instructions directly
- Which Windows API function do malware authors call to programmatically clear event logs? → ClearEventLog()
- Why do ransomware families commonly delete Volume Shadow Copies (VSS) as part of their attack? → To prevent victims from restoring files from VSS snapshots without paying the ransom
- What is a Domain Generation Algorithm (DGA) and why do malware authors use it? → A technique that generates large numbers of pseudo-random domain names for C2 resilience
- Which of the following is a primary limitation of using dynamic analysis for deobfuscating malware? → Malware can employ anti-analysis techniques to detect the sandbox and alter its behavior.
- Which tool is commonly used for dynamic malware analysis? → Process Monitor
- Which Volatility plugin is specifically designed to detect injected code by identifying VAD regions that are executable, private, and contain PE headers? → malfind
- What is the primary function of WinPmem in a rootkit forensic investigation? → Acquiring a raw physical memory dump from a live Windows system for offline analysis
- Which of the following x86 instructions performs a bitwise logical AND operation but discards the result, only updating the CPU flags (like the Zero Flag)? → TEST
- In the context of PDF forensics, what is the primary purpose of the `/FlateDecode` filter? → To decompress stream data that has been compressed using the zlib/deflate algorithm.
- Which Windows event logs does malware most commonly clear to eliminate forensic evidence? → Both Security.evtx and System.evtx
- What is static code analysis? → Examining the code without executing it
- What technique does 'process hollowing' use to disguise malicious code inside a legitimate host process? → Unmapping the legitimate executable image and replacing it with malicious code in memory
- Which default Cobalt Strike Beacon artifacts are commonly identified in network captures? → Default malleable C2 URIs such as /dpixel, /ca, and /pixel.gif
- What tool can capture system calls made by malware during execution? → Process Monitor
- Which report format is typically used for threat intelligence sharing? → STIX
- Which open-source tool cross-references multiple process listing sources to detect hidden processes that kernel rootkits conceal? → Process Hacker (System Informer)
- Which platform helps automate threat intelligence processing? → Threat Intelligence Platforms (TIPs)
- Which Wireshark display filter correctly isolates only HTTP GET requests from a traffic capture? → http.request.method == "GET"
- Which tool passively captures network traffic and reassembles sessions to extract transferred files and credentials during malware analysis? → NetworkMiner
- What is the primary purpose of comparing a PE image's in-memory IAT to its on-disk counterpart during malware analysis? → To detect API hooking or IAT patching by malware
- Which of the following best describes dynamic analysis? → Monitoring behavior while malware is running
- What does a NOP instruction do? → It performs no operation
- Which scenario is best suited for dynamic analysis? → When analyzing runtime behavior
- Which language is often used for scripting malware? → Python
Turn these facts into recall: