Exam SY0-601 topic 1 question 561 discussion

Actual exam question from CompTIA's SY0-601
Question #: 561
Topic #: 1

An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:

• Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
• Internal users in question were changing their passwords frequently during that time period.
• A jump box that several domain administrator users use to connect to remote devices was recently compromised.
• The authentication method used in the environment is NTLM.

Which of the following types of attacks is most likely being used to gain unauthorized access?

  • A. Pass-the-hash
  • B. Brute-force
  • C. Directory traversal
  • D. Replay
Suggested Answer: A

Comments

fercho2023
Highly Voted 1 year, 8 months ago
Option A is the correct option. This link explains why. https://blog.quest.com/ntlm-authentication-what-it-is-and-why-you-should-avoid-using-it/
upvoted 8 times
Mr_Tttt
1 year, 7 months ago
Clear and useful explanation! Thanks!
upvoted 2 times
...
...
_deleteme_
Highly Voted 1 year, 2 months ago
A - Per Dion 601 Training Guide - Pass the hash allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of the password. After this attack occurred, it also appears the attack was replayed, aka replay hash. Another CompTIA senseless question to trick and take your money versus see if you know.
upvoted 5 times
...
j904
Most Recent 1 year, 6 months ago
Selected Answer: D
This is definitely D. Replay as the attacker is using the username and password during irregular hours aka the hours they are offline.
upvoted 1 times
...
JT4
1 year, 8 months ago
Option A is the correct option. Typical Mimikatz approach.
upvoted 3 times
...
shocky377
1 year, 10 months ago
Selected Answer: A
I choose A because it says the jump box used to connect devices was compromised, and the users were changing their password frequently. This means an attacker on the jump box could see devices trying to connect using their hashed passwords, and then use this hash to log in. Once logged in using pass the hash, it is common for the attacker to change the password to something else.
upvoted 4 times
...
ApplebeesWaiter1122
1 year, 11 months ago
Selected Answer: A
Pass-the-hash is an attack technique used to gain access to a system by using the hash value of a user's password, rather than the actual password itself. This attack is particularly effective against systems using NTLM authentication, where the hash of a user's password can be captured and then reused to authenticate as that user without knowing the actual password. The compromise of the jump box used by domain administrator users could also be an indication that the attacker gained access to privileged credentials and is using pass-the-hash to move laterally through the network.
upvoted 4 times
...
Ryabrre
1 year, 11 months ago
D. Replay
upvoted 1 times
...
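The indicators listed in the question (off-hours activity, a compromised jump box, NTLM authentication) can be combined into a simple log check. The Python below is an added example, not part of the original question or comments; the records are constructed and modelled on Windows Security event 4624 fields (logon type, authentication package, source address), and the jump box address, review window and business hours are assumptions.

```python
from datetime import datetime
# Constructed records modelled on Windows Security event 4624 (successful logon):
# (time, user, source address, logon type, authentication package); all values invented.
EVENTS = [
    ("2024-02-20T09:30:00", "alice",     "10.0.5.21", 3, "NTLM"),
    ("2024-02-21T14:05:00", "bob",       "10.0.5.34", 3, "NTLM"),
    ("2024-02-22T11:00:00", "svc_admin", "10.0.9.10", 3, "NTLM"),
    ("2024-03-04T10:12:00", "alice",     "10.0.5.21", 3, "NTLM"),
    ("2024-03-05T02:41:00", "alice",     "10.0.9.10", 3, "NTLM"),
    ("2024-03-06T23:15:00", "bob",       "10.0.9.10", 3, "NTLM"),
    ("2024-03-07T11:00:00", "svc_admin", "10.0.9.10", 3, "NTLM"),
    ("2024-03-09T13:00:00", "bob",       "10.0.5.34", 3, "Kerberos"),
]
JUMP_BOX = "10.0.9.10"                 # assumed address of the compromised jump box
WINDOW_START = datetime(2024, 2, 26)   # assumed start of the 14-day review window
BUSINESS_HOURS = range(8, 18)          # assumed 08:00-17:59, Monday to Friday

def baseline(events):
    """Map each user to the source addresses seen before the review window."""
    seen = {}
    for ts, user, src, _type, _pkg in events:
        if datetime.fromisoformat(ts) < WINDOW_START:
            seen.setdefault(user, set()).add(src)
    return seen

def reasons(event, known):
    """Return which of the scenario's indicators one logon matches."""
    ts, user, src, logon_type, pkg = event
    when = datetime.fromisoformat(ts)
    # Pass-the-hash shows up as an NTLM logon; only network logons (type 3) are scored.
    if when < WINDOW_START or logon_type != 3 or pkg != "NTLM":
        return []
    hits = []
    if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
        hits.append("off-hours")
    if src == JUMP_BOX:
        hits.append("from-jump-box")
    if src not in known.get(user, set()):
        hits.append("new-source")
    return hits

def suspicious(events, min_hits=2):
    """Return (time, user, hits) for logons matching at least min_hits indicators."""
    known = baseline(events)
    scored = ((e[0], e[1], reasons(e, known)) for e in events)
    return [row for row in scored if len(row[2]) >= min_hits]

if __name__ == "__main__":
    print(*suspicious(EVENTS), sep="\n")
```

The administrator's own daytime logon from the jump box matches only one indicator and stays below the threshold, while the two off-hours logons as ordinary users from that host are reported.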