A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:
Which of the following describes the method that was used to compromise the laptop?
A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.
B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
C. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.
D. An attacker was able to phish user credentials successfully from an Outlook user profile.
The first event says that a .exe file was blocked.
The second event says that a PowerShell process started and was initiated by Outlook.
So an email attachment is most likely the case. Among all available options, B is the one talking about an attachment. It is not known that it is a spreadsheet, but it is the only correct option.
A blocked app (group policy == application whitelisting), a PowerShell process launched via Outlook. Everything fits.
There is no mention of any hashes, and the hacker was not able to log into PC2, so lateral movement, if present, failed.
I think it is A, despite the discrepancy with the voters.
"A pass the hash attack takes advantage of weak points in the NT LAN Manager (NTLM) and LANMAN protocols. If the attacker has the hash of a user’s password, the attacker can skip any kind of brute-force attack and use the hashed password to access the network." (from: Mike Meyers CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) by Mike Meyers, Scott Jernigan)
Also, the PowerShell script is named "lat" and PC1 attempted to log into PC2.
Based on the provided information, it appears that the attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file, as indicated by the "New Process" event with the process name "lat.ps1" and the "Creator Process Name" of "powershell.exe". This suggests that the attacker was able to execute a PowerShell script to run malicious code. Therefore, the answer is B.
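The event chain the thread is reading (an executable blocked by application control, Outlook spawning PowerShell, PowerShell launching lat.ps1, and repeated failed logons from PC1 to PC2) written out as detection logic over sample log lines. This is an added example, not part of the original thread or of the exam material: the log lines, hostnames, paths, timestamps and the flat key="value" layout are constructed for illustration, the event IDs follow Windows Security (4688 process creation, 4625 failed logon, 4624 successful logon) and AppLocker (8004 executable blocked) conventions, and parse_log, detect and lateral_movement_succeeded are hypothetical helper names.

```python
"""Constructed mini-SIEM: rebuild the process/logon chain discussed in the thread."""
import ntpath
import re
from collections import Counter

# Constructed sample events (hypothetical; NOT the exam question's log).
# One event per line: timestamp followed by key="value" fields.
SAMPLE_LOG = r'''
2024-01-15T09:12:01Z host="PC1" EventID="8004" FilePath="C:\asdf234\svc.exe" Message="svc.exe was prevented from running"
2024-01-15T09:12:07Z host="PC1" EventID="4688" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreatorProcessName="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" CommandLine="powershell.exe -w hidden -ep bypass"
2024-01-15T09:12:09Z host="PC1" EventID="4688" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CreatorProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -ep bypass -File C:\asdf234\lat.ps1"
2024-01-15T09:12:20Z host="PC2" EventID="4625" TargetUserName="jdoe" WorkstationName="PC1" IpAddress="10.0.0.11" LogonType="3" Status="0xC000006D"
2024-01-15T09:12:21Z host="PC2" EventID="4625" TargetUserName="admin" WorkstationName="PC1" IpAddress="10.0.0.11" LogonType="3" Status="0xC000006D"
2024-01-15T09:12:22Z host="PC2" EventID="4625" TargetUserName="backup" WorkstationName="PC1" IpAddress="10.0.0.11" LogonType="3" Status="0xC000006D"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Office applications whose child processes deserve scrutiny, and the
# script/LOLBin hosts an attachment typically launches.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_log(text):
    """Parse each non-empty line into a dict; the first token is the timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = {"time": ts}
        ev.update(dict(FIELD_RE.findall(rest)))
        events.append(ev)
    return events


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def detect(events, logon_threshold=3):
    """Return (rule, host, detail) findings in the order the evidence appears."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "8004":  # AppLocker: executable prevented from running
            findings.append(("app_control_block", ev["host"], ev["FilePath"]))
        elif eid == "4688":  # process creation
            child = _base(ev.get("NewProcessName", ""))
            parent = _base(ev.get("CreatorProcessName", ""))
            cmd = ev.get("CommandLine", "")
            if child in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
                findings.append(("office_spawned_script_host", ev["host"], f"{parent} -> {child}"))
            script = re.search(r"(\S+\.ps1)\b", cmd, re.I)
            if parent in SCRIPT_HOSTS and script:
                findings.append(("powershell_script_launch", ev["host"], script.group(1)))

    # Failed network logons (type 3) grouped by source workstation -> target host.
    fails = Counter()
    for ev in events:
        if ev.get("EventID") == "4625" and ev.get("LogonType") == "3":
            fails[(ev.get("WorkstationName"), ev["host"])] += 1
    for (src, dst), n in fails.items():
        if n >= logon_threshold:
            findings.append(("lateral_logon_failures", dst, f"{n} failed network logons from {src}"))
    return findings


def lateral_movement_succeeded(events, src, dst):
    """True only if a successful network logon (4624, type 3) from src is seen on dst.
    Failed 4625s alone show an attempt, not a compromise of dst."""
    return any(
        ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
        and ev.get("WorkstationName") == src and ev.get("host") == dst
        for ev in events
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for rule, host, detail in detect(evs):
        print(f"{rule:28s} {host:4s} {detail}")
    print("lateral movement PC1->PC2 succeeded:", lateral_movement_succeeded(evs, "PC1", "PC2"))
```

The point the block makes concrete is the one the thread argues over: the blocked executable and the Outlook-to-PowerShell parent/child relation are direct evidence for the attachment theory, while the 4625 events only prove that logons to PC2 were attempted; without a matching 4624 there is no evidence that lateral movement, by pass-the-hash or otherwise, succeeded.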
I have never heard of embedded PowerShell in a spreadsheet before. And if so, then it should show Outlook opening MS Excel instead of PowerShell. Excel will open PowerShell, not Outlook.
Typically VBScript code is embedded in a macro, not PowerShell.
VBScript code can be used to invoke PowerShell in Excel:
Sub RunPowerShellScript()
    Dim psScriptPath As String
    Dim returnValue As Double

    ' Path to your PowerShell script
    psScriptPath = "C:\Path\To\YourScript.ps1"

    ' Shell returns the task ID of the started process (a Double, not a String).
    ' -ExecutionPolicy Bypass sidesteps the script execution policy for this one invocation,
    ' and the quoted -File argument is what shows up in the process-creation log as the script name.
    returnValue = Shell("powershell -ExecutionPolicy Bypass -File """ & psScriptPath & """", vbNormalFocus)
End Sub
Pass-the-Hash is a credential theft and lateral movement technique in which an attacker abuses the NTLM authentication protocol to authenticate as a user without ever obtaining the account's plaintext password.
While there have been attempts to log in on PC2, we don't have evidence that it is anything related to pass-the-hash, so I think it's safe to assume this isn't the correct answer.
upvoted 5 times
Community vote distribution: A (35%), C (25%), B (20%), Other