300-215 Question #139: Real Exam Question with Answer & Explanation
The correct answer is B: C:\Windows\Temp\samsrv.dll.
Question
Refer to the exhibit. The company was taken over by a larger one, and the IT Security team was brought in to evaluate the security architecture and setup. After the information collected by the team was reviewed, it was found that the main company server had been breached and affected by ransomware seven months ago, but was subsequently recovered and re-imaged by a well-known incident response company. The report was read by IT Security team members, who spotted inconsistencies and requested all logs available on the server, extracted using a forensic script. The log file must be interpreted, and DLL files requiring further investigation must be identified. Which two DLL files should be selected? (Choose two.)
Options
- A. C:\Windows\system32\bcrypt.dll
- B. C:\Windows\Temp\samsrv.dll
- C. C:\Windows\System32\CRYPT32.dll
- D. C:\Windows\system32\lsasrv.dll
- E. C:\Windows\System32\msvcrt.dll
Explanation
A security-critical DLL loaded from a temporary directory is highly abnormal and strongly suggests DLL search-order hijacking or injection, so the samsrv.dll instance under the Temp path requires immediate investigation. Also, CRYPT32.dll is a core Windows cryptography library and, in the exhibit, it appears loaded from an anomalous “Systern32” path rather than the expected System32 location, which is a classic masquerading indicator and warrants validation of the file’s legitimacy and provenance.
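The two indicators the explanation relies on (a sensitive DLL loaded from a temporary directory, and a directory name that imitates System32) can be checked mechanically across a whole module listing. The script below is an added example written for this page, not part of the exam material or the exhibit; it assumes a simplified, constructed log format of `process pid path` per line, and the System32 look-alike test is a heuristic that normalizes a few common visual confusions (rn/m, 0/o, 1/l). The sample lines are constructed to mirror the five answer options.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample module listing (process, pid, loaded DLL path); not real exhibit data.
SAMPLE_LOG = """\
lsass.exe 712 C:\\Windows\\system32\\bcrypt.dll
lsass.exe 712 C:\\Windows\\Temp\\samsrv.dll
lsass.exe 712 C:\\Windows\\Systern32\\CRYPT32.dll
lsass.exe 712 C:\\Windows\\system32\\lsasrv.dll
lsass.exe 712 C:\\Windows\\System32\\msvcrt.dll
"""

# Directories where core Windows DLLs are expected to live (compared case-insensitively).
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Writable / scratch locations from which a system DLL should never be loaded.
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\")

# DLLs whose load path matters most for credential and crypto integrity (assumed watch list).
SENSITIVE_DLLS = {"samsrv.dll", "lsasrv.dll", "crypt32.dll", "bcrypt.dll", "msvcrt.dll",
                  "ntdll.dll", "kernel32.dll", "advapi32.dll"}

# One line: process name, numeric pid, then a drive-letter Windows path.
LINE_RE = re.compile(r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<path>[A-Za-z]:\\.+?)\s*$")


def lookalike_system32(dirname: str) -> bool:
    """True for directory names that resemble 'System32' but are not it (e.g. 'Systern32').

    Heuristic assumption: collapse common glyph confusions before comparing.
    """
    d = dirname.lower()
    if d == "system32":
        return False
    normalized = d.replace("rn", "m").replace("0", "o").replace("1", "l")
    return normalized == "system32"


def classify(path: str) -> list[str]:
    """Return the list of reasons a loaded-module path deserves investigation (empty if none)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    reasons = []
    if any(frag in parent + "\\" for frag in SUSPICIOUS_DIR_FRAGMENTS):
        reasons.append("loaded from a temporary or world-writable directory")
    if any(lookalike_system32(part) for part in p.parent.parts):
        reasons.append("directory name masquerades as System32")
    if name in SENSITIVE_DLLS and parent not in TRUSTED_DIRS:
        reasons.append("sensitive DLL loaded outside its expected directory")
    return reasons


def parse_log(text: str) -> list[tuple[str, int, str]]:
    """Parse the constructed 'process pid path' format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["proc"], int(m["pid"]), m["path"]))
    return records


def find_suspicious(text: str) -> dict[str, list[str]]:
    """Map each flagged DLL path to the reasons it was flagged."""
    return {path: reasons for _, _, path in parse_log(text) if (reasons := classify(path))}


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample lines, only the Temp-resident samsrv.dll and the CRYPT32.dll under the misspelled directory are reported; the three DLLs under the real system32 directory produce no findings. The look-alike check is deliberately narrow (exact match after normalization) so that a genuine `System32` path is never flagged; in a real triage you would add hash and signature verification of any flagged file rather than relying on path inspection alone.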