Exam SY0-601 topic 1 question 75 discussion

Actual exam question from CompTIA's SY0-601
Question #: 75
Topic #: 1

Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:
✑ All users share workstations throughout the day.
✑ Endpoint protection was disabled on several workstations throughout the network.
✑ Travel times on logins from the affected users are impossible.
✑ Sensitive data is being uploaded to external sites.
All user account passwords were forced to be reset and the issue continued.

Which of the following attacks is being used to compromise the user accounts?

  • A. Brute-force
  • B. Keylogger
  • C. Dictionary
  • D. Rainbow
Suggested Answer: B
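
The scenario turns on two observations: impossible travel times on logins, and the issue continuing after the forced password reset. As an added example (not part of the exam question or the discussion), this Python sketch flags impossible-travel login pairs and reports which users still trigger after their reset; the login events, reset times and the 900 km/h threshold are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900  # assumed threshold: roughly airliner cruising speed

# Constructed sample events: (user, ISO timestamp, latitude, longitude)
LOGINS = [
    ("alice", "2024-03-01T09:00:00", 40.71, -74.01),  # New York
    ("alice", "2024-03-01T09:40:00", 51.51, -0.13),   # London, 40 min later
    ("bob",   "2024-03-01T10:00:00", 40.71, -74.01),  # New York
    ("bob",   "2024-03-01T15:00:00", 41.88, -87.63),  # Chicago, 5 h later
    ("alice", "2024-03-02T08:00:00", 40.71, -74.01),  # New York
    ("alice", "2024-03-02T08:30:00", 35.68, 139.69),  # Tokyo, 30 min later
]
# Constructed: time of the forced password reset per user
RESETS = {"alice": "2024-03-01T18:00:00", "bob": "2024-03-01T18:00:00"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (user, earlier, later, km/h) for consecutive logins implying impossible speed."""
    hits, last = [], {}
    # ISO timestamps sort chronologically, so sort by (user, timestamp)
    for user, ts, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            speed = km / hours if hours else float("inf")
            if km > 0 and speed > max_kmh:
                hits.append((user, pt, t, speed))
        last[user] = (t, lat, lon)
    return hits

def persists_after_reset(hits, resets):
    """Users whose impossible-travel login happened after their password reset."""
    return sorted({u for u, _, later, _ in hits
                   if u in resets and later > datetime.fromisoformat(resets[u])})

if __name__ == "__main__":
    hits = impossible_travel(LOGINS)
    print(len(hits), "impossible-travel pairs;",
          "still occurring after reset for:", persists_after_reset(hits, RESETS))
```

A user who still appears in `persists_after_reset` is one whose new password was also exposed, which is the cue to examine the shared workstations rather than reset again.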

Comments

stoneface
Highly Voted 2 years, 9 months ago
Selected Answer: B
A keylogger would be the reason why, even after resetting the passwords, the issue persisted. There is no information about the password itself that would allow us to determine if any brute-force attack method is being used.
upvoted 30 times
...
varun0
Highly Voted 2 years, 9 months ago
Selected Answer: B
Keylogger seems to be it. End-user protection is disabled and someone installed a keylogger, since workstations are being shared. Changing the password doesn't uninstall this keylogger, which is likely recording the newly changed passwords and sending them out to the attacker.
upvoted 13 times
...
cyberPunk28
Most Recent 1 year, 5 months ago
Selected Answer: B
B. Keylogger
upvoted 1 times
...
Protract8593
1 year, 10 months ago
Selected Answer: B
- All users sharing workstations could mean that the keylogger is capturing keystrokes across multiple user sessions.
- Endpoint protection being disabled on several workstations suggests that the attackers might have gained administrative access to the workstations, allowing them to disable security software without detection.
- Impossible travel times on logins from the affected users indicate that someone other than the legitimate user might be logging in using their credentials, possibly from a different location.
- Sensitive data being uploaded to external sites indicates unauthorized access to sensitive information, likely obtained through captured keystrokes.

The hint that everyone missed: ✑ Sensitive data is being uploaded to external sites. This means that the keylogger was hardware-based and it must have had a WAP that the attacker was able to connect to and retrieve all the users' keystrokes through the login portal of the keylogger (a local IP like 192.168.0.10).
upvoted 4 times
...
ApplebeesWaiter1122
1 year, 11 months ago
Selected Answer: B
The key indicators in the scenario point towards the presence of a keylogger:
- All users share workstations throughout the day: This means that multiple users are accessing the same workstations, making it easier for a keylogger to capture keystrokes from different users.
- Endpoint protection was disabled on several workstations: Disabling endpoint protection allows malware, including keyloggers, to go undetected on the compromised workstations.
- Impossible travel times on logins: This suggests that the attacker is remotely accessing the compromised accounts, which is consistent with the use of a keylogger.
- Sensitive data uploaded to external sites: The presence of a keylogger enables the attacker to capture sensitive information, such as login credentials and other data, and upload it to external sites for unauthorized use.
upvoted 3 times
...
z3phyr
2 years, 2 months ago
Nothing was clear until you pick out the fact that the password resets didn't help. Makes it pretty clear.
upvoted 3 times
...
skeletor23
2 years, 2 months ago
Passwords have been reset but the issue continues; in this case it can only be a keylogger, which is "recording" the new password entered.
upvoted 1 times
...
rodwave
2 years, 6 months ago
Selected Answer: B
Answer - Keylogger
A keylogger or keystroke logger is a type of monitoring software that can be used to collect keystrokes that you type. A keylogger was likely used to capture various sensitive information and credentials. As the issue continued after the password reset, the keylogger was still capturing information as it wasn't removed.
=========================
Brute-force - trial and error attempts to guess login info
Dictionary - a form of brute force attack that uses common words, phrases and variations
Rainbow - uses tables of reversed hashes to crack passwords
upvoted 6 times
...
Knowledge33
2 years, 7 months ago
There is no relationship between the context and the questions/responses. It's so weird
upvoted 7 times
...