Exam CS0-003 topic 1 question 147 discussion

Actual exam question from CompTIA's CS0-003
Question #: 147
Topic #: 1

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

  • A. Set user account control protection to the most restrictive level on all devices
  • B. Implement MFA requirements for all internal resources
  • C. Harden systems by disabling or removing unnecessary services
  • D. Implement controls to block execution of untrusted applications
Suggested Answer: C 🗳️

Comments

[Removed]
Highly Voted 1 year, 5 months ago
Selected Answer: C
Sadly there's a character limit so I can't knowledge dump, but the answer is indeed C. When you disable unnecessary services, they can't privilege escalate. Toaster and the ones below me are thinking you privesc on the machine; that's rarely the case on initial entry. You'll get creds, scan the internal network for services like SMB, WinRM, SSH, SQL, internal web hosts, etc., and blast found creds at those. There are Linux apps like crackmapexec that will spray at every open SMB connection and let you know if they're local admin on that machine, evilwinRM will basically give you a command prompt, and you use your initial creds to find more creds. Someone maybe left some PowerShell history, has an insecure custom app or path, tons of ways. This happens every day and by hardening the system you can prevent or at least contain the threat.
upvoted 11 times
...
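The credential reuse described in the comment above (one set of found credentials tried against SMB, WinRM and similar services on many hosts) shows up in authentication logs as a single source fanning out to many destinations in a short time. The following is an added detection example, not part of the original discussion; the simplified log format, the `find_fanout` name and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed, simplified format:
# time,source_ip,destination_host,account,service,result
SAMPLE_LOG = """\
2024-05-01T09:00:05,10.0.5.23,FS01,CORP\\jdoe,smb,success
2024-05-01T09:00:07,10.0.5.23,FS02,CORP\\jdoe,smb,failure
2024-05-01T09:00:09,10.0.5.23,SQL01,CORP\\jdoe,smb,failure
2024-05-01T09:00:11,10.0.5.23,WEB01,CORP\\jdoe,winrm,success
2024-05-01T09:00:14,10.0.5.23,HR-PC7,CORP\\jdoe,smb,failure
2024-05-01T09:02:00,10.0.7.40,FS01,CORP\\asmith,smb,success
2024-05-01T11:30:00,10.0.7.40,FS02,CORP\\asmith,smb,success
"""

def parse(log_text):
    """Turn each CSV line into a tuple, ordered by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, src, dst, account, service, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, account, service, result))
    return sorted(events)

def find_fanout(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag (source, account) pairs that try >= min_hosts distinct hosts within window."""
    by_actor = defaultdict(list)
    for ts, src, dst, account, service, result in events:
        by_actor[(src, account)].append((ts, dst, service, result))
    alerts = []
    for (src, account), evs in by_actor.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            hosts = {dst for _, dst, _, _ in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"source": src, "account": account, "hosts": sorted(hosts),
                        "services": sorted({svc for _, _, svc, _ in span}),
                        # hosts where the credentials worked are the containment priority
                        "succeeded_on": sorted({d for _, d, _, r in span if r == "success"})}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(parse(SAMPLE_LOG)):
        print(alert)
```

The `succeeded_on` list also points at hosts where a remote-administration service was reachable and accepted the account, which is where the hardening in answer C applies.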
ms123451
Highly Voted 1 year, 8 months ago
Selected Answer: C
The question is saying Windows native tools; blocking untrusted apps has nothing to do with the question.
upvoted 6 times
kmordalv
1 year, 7 months ago
I agree with your answer
upvoted 2 times
...
...
alialzehhawi
Most Recent 7 months, 2 weeks ago
D. Implementing controls to block execution of untrusted applications can prevent privilege escalation attacks that leverage native Windows tools, such as PowerShell, WMIC, or Rundll32.
upvoted 1 times
...
Omo_Mushin
9 months, 2 weeks ago
Setting UAC to the most restrictive level ensures that even if an attacker gains initial access to a system, they will face additional prompts and controls when attempting to escalate privileges or execute commands with higher privileges. Given the trend of adversary privilege escalation using native Windows tools, setting user account control protection to the most restrictive level on all devices (option A) is the most effective control. It directly addresses the method of attack described by adding an additional layer of security and control over privilege escalation attempts. Therefore, option A is the best choice to reduce the rate of success of privilege escalation attempts using native Windows tools.
upvoted 4 times
...
section8santa
1 year, 1 month ago
Selected Answer: D
This approach, often referred to as application whitelisting or the use of application control policies, is effective in preventing the execution of unauthorized or malicious software, including the misuse of legitimate tools for malicious purposes. By only allowing trusted applications to run, you significantly reduce the ability of an adversary to use native tools in unintended ways. This is particularly effective against the described technique, which involves using native tools for privilege escalation.
upvoted 1 times
...
bettyboo
1 year, 1 month ago
Selected Answer: C
C. Harden systems by disabling or removing unnecessary services
upvoted 1 times
...
T1bii
1 year, 2 months ago
According to ChatGPT, A is the correct answer: UAC helps prevent unauthorized system changes asking for prompt consent or more before elevating privileges. My experience would lead me to A.
upvoted 2 times
Mehe323
11 months, 4 weeks ago
I fed the question to ChatGPT too and it said C.
upvoted 5 times
...
...
LiveLaughToasterBath
1 year, 5 months ago
Selected Answer: D
While an adversary may use native tools to access a system, they will invariably use hacking tools to escalate an attack. Think of ssh-ing into a sys and running a hash-cracking tool. That tool will be foreign to the system. That's the execution of an untrusted app that needs blocking.
upvoted 2 times
[Removed]
1 year, 5 months ago
That's untrue. It's C. You also wouldn't run hash cracking tools in the compromised machine, you would exfil them to the attacker machine.
upvoted 2 times
...
...
chaddman
1 year, 6 months ago
Selected Answer: D
Implement controls to block execution of untrusted applications (D): This would include application whitelisting, which allows only approved applications to run. Since the adversaries are using native Windows tools (which are usually trusted), restricting execution to a list of approved applications can help mitigate these types of attacks.
upvoted 1 times
...
Jong1
1 year, 6 months ago
Selected Answer: A
Setting user account control (UAC) protection to the most restrictive level on all devices can be effective in reducing the rate of success of attempts involving privilege escalation using native Windows tools. UAC helps prevent unauthorized changes to the system by notifying users or administrators when potentially harmful actions are being attempted. By setting UAC to the highest level, users and applications will need to prompt for consent or administrative credentials before performing actions that could potentially modify the system or execute privileged commands.
upvoted 4 times
...
danscbe
1 year, 7 months ago
Selected Answer: C
The question specifically states the privilege escalation is being done via "native tools". By default, the operating system will trust native tools-- They are native. Blocking untrusted applications won't solve anything.
upvoted 4 times
stolleryp
1 year, 6 months ago
I think you have misread the question. We're trying to reduce the rate of success of these attempts. So yes, blocking untrusted apps won't solve anything - and definitely wouldn't reduce the rate of success.
upvoted 2 times
...
...