Exam SY0-601 topic 1 question 446 discussion

Actual exam question from CompTIA's SY0-601
Question #: 446
Topic #: 1

A user reset the password for a laptop but has been unable to log in to it since then. In addition, several unauthorized emails were sent on the user’s behalf recently. The security team investigates the issue and identifies the following findings:

• Firewall logs show excessive traffic from the laptop to an external site.
• Unknown processes were running on the laptop.
• RDP connections that appeared to be authorized were made to other network devices from the laptop.
• High bandwidth utilization alerts from that user's username.

Which of the following is most likely installed on the laptop?

  • A. Worm
  • B. Keylogger
  • C. Trojan
  • D. Logic bomb
Suggested Answer: C

Comments

ApplebeesWaiter1122
Highly Voted 2 years, 1 month ago
Selected Answer: C
CHANGING MY ANSWER TO C. A Trojan is a type of malware that disguises itself as legitimate software to gain access to a system and carry out malicious activities. The firewall logs show excessive traffic from the laptop to an external site, indicating that the laptop is communicating with a remote server or command and control center. The presence of unknown processes and unauthorized RDP connections also suggests that the laptop has been compromised and is being controlled by an attacker. A keylogger is a type of malware that records keystrokes, while a worm is a self-replicating malware that spreads through a network. A logic bomb is a type of malware that is triggered by a specific event or condition. While these types of malware may also be present on the laptop, they are less likely to explain the symptoms described in the scenario. My Pen Tester friend also agrees it is C.
upvoted 15 times
...
toffer96
Most Recent 1 year, 1 month ago
Selected Answer: D
They really could provide a little more context. I am thinking Logic Bomb here, as it's triggered by an event (in this case, a user resetting their password) which certainly could result in the listed characteristics.
upvoted 1 times
...
ak4512w2
1 year, 2 months ago
Selected Answer: D
Why can't it be logic bomb? It says SINCE he changed the password?
upvoted 1 times
...
ZiareKing
1 year, 3 months ago
Selected Answer: C
It took some digging. (C) It's trojan... I was originally convinced that this was a keylogger attack.
upvoted 3 times
...
6de42b3
1 year, 4 months ago
I think people are overanalyzing over this. There's no mention of the user downloading anything so the Trojan option is unlikely. I'll go with B key logger.
upvoted 3 times
...
memodrums
1 year, 4 months ago
Selected Answer: B
Switching my answer to B, here's why. The question does not state if the user downloaded anything to be a Trojan, they simply changed their password. Keylogger makes most sense since the keystrokes were possibly sent to a remote attacker and that attacker began to perform all the functions that were displayed on the logs.
upvoted 4 times
...
johnabayot
1 year, 4 months ago
Selected Answer: C
Trojan it is
upvoted 2 times
...
klinkklonk
1 year, 5 months ago
Selected Answer: B
KEYLOGGER. This is how it all began, not by downloading anything.
upvoted 2 times
...
brf2017
1 year, 5 months ago
C. Because a Trojan could include a Keylogger. A keylogger is usually installed by some type of malware (links, attachment).
upvoted 2 times
...
ganymede
1 year, 6 months ago
Selected Answer: B
B. Keylogger. The key logger captured the user's reset credentials. Then the attacker reset the credentials to something else locking out the user. Then got access to the user's email account and also made RDP connections using the new credentials.
upvoted 2 times
...
BigBadWolff
1 year, 6 months ago
Here is what Chat GPT says:
C. Trojan
Here's the reasoning for this choice based on the identified findings:
• Excessive Traffic to External Site: Trojans are known for establishing unauthorized connections to external servers or sites, often to communicate with a command and control server controlled by attackers.
• Unknown Processes: Trojans often run as malicious processes in the background, and their presence may be concealed by using random or inconspicuous process names.
• Unauthorized RDP Connections: Trojans can provide attackers with remote access to compromised systems. Unauthorized RDP connections suggest that an attacker may be controlling the laptop remotely.
• High Bandwidth Utilization: Trojans may perform various malicious activities, including data exfiltration or participating in distributed denial-of-service (DDoS) attacks, leading to high bandwidth utilization.
Given the combination of these indicators, a Trojan is the most likely culprit in this scenario.
upvoted 1 times
...
DChilds
1 year, 8 months ago
Selected Answer: B
The first statement provides the first clue, "A user reset the password for a laptop but has been unable to log in to it since then". Everything after this is a consequence of the account password being changed thereby locking the user out. To add to the argument, "RDP connections that appeared to be authorized were made to other network devices from the laptop." This would not happen if the attacker did not have full access to the corporate account. From the options provided, a keylogger is the best tool for the attacker to deny the user access to their corporate account again.
upvoted 4 times
...
AzureG0d
1 year, 8 months ago
Selected Answer: B
I'm going to go against the grain here, like examstudy1 said. None of this happened until the user reset their password. As dicey as this question is, it has to be a Keylogger.
upvoted 3 times
...
fercho2023
1 year, 8 months ago
I choose A since there is a high utilization of user's bandwidth.
upvoted 2 times
...
examstudy1
1 year, 9 months ago
Selected Answer: B
Surely this is a keylogger - The user resets their password and then all of this starts happening. Keylogger recorded the user's password, with the password, used to send out emails and then RDP to other devices etc.
upvoted 3 times
...
je123
1 year, 10 months ago
Selected Answer: A
Not Trojan in my opinion since the question did not highlight anything about user downloading legitimate software/application. Trojan's signature is as the name implies. It appears to be a legitimate software/application but it is not, as it contains malicious components. The following worms fit the description in the question:
1) Once Morto infects one computer on a network, the worm scans for other devices that have Remote Desktop Protocol enabled and copies itself to these computers' local drives as a DLL file, which then created additional files on the computers.
2) Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource.
upvoted 2 times
...
ApplebeesWaiter1122
2 years, 1 month ago
Selected Answer: A
A - just because of this statement here: "RDP connections that appeared to be authorized were made to other network devices from the laptop." Worm - A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
upvoted 2 times
ApplebeesWaiter1122
2 years, 1 month ago
After thinking about it I am changing my answer to RAT or C.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other