Exam 200-201 topic 1 question 31 discussion

Actual exam question from Cisco's 200-201
Question #: 31
Topic #: 1

A security specialist notices 100 HTTP GET and POST requests for multiple pages on the web servers. The agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the webserver. Which event category is described?

  • A. reconnaissance
  • B. action on objectives
  • C. installation
  • D. exploitation
Suggested Answer: D
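
An added example, not part of the original question or comments: a log triage sketch that separates requests whose agent field carries a PHP open tag from a later successful fetch of a `.php` path never seen before, which is the evidence that a file was actually written. The log lines, addresses and paths are constructed, and the combined access-log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in Apache/Nginx "combined" format (not taken from the page).
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php /* constructed placeholder */ ?>"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 301 "-" "<?php /* constructed placeholder */ ?>"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /contact.php HTTP/1.1" 404 150 "-" "<?php /* constructed placeholder */ ?>"
203.0.113.7 - - [10/Mar/2024:10:05:00 +0000] "GET /uploads/x1.php HTTP/1.1" 200 20 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:10:06:00 +0000] "GET /login.php HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)  # PHP open tag inside the agent

def triage(log_text):
    """Per source: count PHP-in-agent requests, then flag new .php paths served with 200."""
    known, suspects = set(), set()
    report = defaultdict(lambda: {"attempts": 0, "pages": set(), "new_php_200": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, status = m["ip"], m["status"]
        path = m["path"].split("?", 1)[0]
        if PHP_TAG.search(m["ua"]):
            # The request only carries code; nothing here shows it ran.
            suspects.add(ip)
            report[ip]["attempts"] += 1
            report[ip]["pages"].add(path)
        elif (ip in suspects and status == "200"
              and path.endswith(".php") and path not in known):
            # A suspect source successfully fetched a page nobody requested before.
            report[ip]["new_php_200"].add(path)
            continue  # keep it out of `known` so repeat fetches still count as new
        known.add(path)
    return dict(report)

if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        print(ip, r["attempts"], sorted(r["pages"]), sorted(r["new_php_200"]))
```
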

Comments

anonymous1966
Highly Voted 3 years, 7 months ago
The correct answer should be Delivery. But, in this case, I would choose "C" - installation. Here are the steps of the Kill Chain Model:
Reconnaissance --> Weaponization --> Delivery --> Exploitation --> Installation --> Command and control (C2 or CnC) --> Actions on objectives
1) Reconnaissance: research on a target, search vulnerabilities. Ex: nmap
2) Weaponization: develop and test how the attack will be executed. Build the "weapon". Ex: a file trojan.
3) Delivery: deliver the weapon against target. Ex: phishing
4) Exploitation: launch the weapon against a vulnerability. Ex: user opens a trojan file.
5) Installation: installation of the weapon in the target. Ex: a backdoor server
6) Command and control (C2 or CnC): the attacker accesses the breached system. Ex: orchestration of zombie hosts
7) Actions on objectives: launching the attack. Ex: steal credit card number/password.
Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide By Omar Santos
upvoted 13 times
...
Leo_Visser
Highly Voted 3 years, 10 months ago
Read more: https://en.wikipedia.org/wiki/Kill_chain#Attack_phases_and_countermeasures I think A would be the best answer here as the threat actor is trying several different places to see where it works. This sounds more like Reconnaissance than actual installation already. If it was in the installation phase the threat actor would know where to exploit and therefore do a more targeted attack.
upvoted 9 times
...
Frontal
Most Recent 2 weeks, 5 days ago
Selected Answer: D
C. Installation - NO - That’s after exploitation, when malware/backdoors get installed. We're seeing the exploit now. ❌
✅ D. Exploitation - Yes — the attacker is sending malicious payloads with PHP code to trigger code execution and write a new file = Exploitation phase. ✅
upvoted 1 times
...
maclovio
2 months, 1 week ago
Selected Answer: C
While it is true that the attacker could be exploiting a vulnerability in the server to write and execute PHP code, the act of writing the malicious PHP code and creating the PHP file itself is more in line with an installation action. The attacker is trying to establish a persistent tool on the system (such as a backdoor or web shell), which corresponds to the installation stage of the attack.
upvoted 1 times
...
3000bd6
5 months, 2 weeks ago
Selected Answer: C
I also think it's C. The goal of the action described in the question is "install a new PHP file" on the web server.
upvoted 1 times
3000bd6
5 months, 2 weeks ago
Disregard, I think the best answer is D as the code HASN'T been executed yet.
upvoted 1 times
...
...
Faio
1 year, 7 months ago
The correct answer is D. In this case, the attacker is clearly trying to exploit a vulnerability on the web server in order to gain control of it. Therefore, the event category is exploitation.
upvoted 2 times
...
WISDOM2080
1 year, 8 months ago
C. installation
upvoted 1 times
...
SecurityGuy
1 year, 8 months ago
Selected Answer: C
Recon - Can't be
Action on Objectives - No actions, data exfiltration etc. has been made yet.
Installation - Keyword: "creates and writes"
Exploitation - No indications of taking advantage yet.
upvoted 4 times
...
Faio
1 year, 10 months ago
The correct answer is D exploitation. Installation (C) typically refers to the stage where an attacker establishes a foothold or installs malware on a compromised system. However, in the given scenario, the focus is on the exploitation of the web servers rather than the installation of persistent access or malware.
upvoted 2 times
...
ShammaA
1 year, 11 months ago
At first thought I went for exploitation -- like typical, but when you look back at the Kill chain model the exploitation already happened through the vulnerability of HTTP -- all that's left is the actual installation because the payload is already there now. So this is strictly "installation".
upvoted 1 times
...
alhamry
2 years ago
The HTTP requests with the PHP code are attempting to create and write to a new PHP file on the webserver, which is a form of exploiting a vulnerability. Therefore, the correct answer is D.
upvoted 2 times
...
itousattud
2 years, 1 month ago
Selected Answer: D
The event category described in the scenario is "exploitation" (option D). The scenario describes a situation where an attacker is attempting to exploit a vulnerability in the webserver by injecting malicious PHP code in the HTTP requests. The purpose of this code is to create and write to a new PHP file on the server, which could potentially allow the attacker to take control of the server or steal sensitive information. Reconnaissance (option A) refers to the initial stage of an attack where the attacker gathers information about the target system. Action on objectives (option B) refers to the stage of an attack where the attacker achieves their goals, such as stealing data or disrupting services. Installation (option C) refers to the stage of an attack where the attacker installs their tools or malware on the target system. None of these stages accurately describe the situation in the scenario.
upvoted 2 times
...
drdecker100
2 years, 2 months ago
Selected Answer: D
The event category that is described in this scenario is "exploitation." The HTTP GET and POST requests, along with the presence of malicious PHP code in the user agent, suggest that an attacker is attempting to exploit a vulnerability in the web server. The creation and writing of a new PHP file on the server could be an attempt to establish persistent access to the system or to install a backdoor that would allow the attacker to maintain control even after the initial attack. Therefore, this scenario is consistent with an "exploitation" event category, where the attacker is attempting to take advantage of a vulnerability in the system to gain unauthorized access or control.
upvoted 1 times
...
MaliDong
2 years, 6 months ago
Selected Answer: D
'for multiple pages', then D.
upvoted 2 times
...
cy_analyst
2 years, 6 months ago
Selected Answer: D
D --> because it simply exploits the possibility to copy the script every time, to create a new page, nothing more.
upvoted 1 times
...
WillBui
3 years, 1 month ago
Selected Answer: D
I think it's D
upvoted 1 times
...
archbbo
3 years, 1 month ago
It says "IF executed" which is before installation, so what's before installation? Exploitation
upvoted 4 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other