nerdexam
EC-Council

312-50V10 · Question #909

Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfilltrated by an attacker. AV tools

The correct answer is A. Phishing malware. Phishing malware can abuse trusted, whitelisted applications as its execution vehicle, allowing payloads to run inside processes that bypass application whitelisting and AV detection.

Malware Threats

Question

Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfilltrated by an attacker. AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non- whitelisted programs, what type of malware did the attacker use to bypass the company's application whitelisting?

Options

  • APhishing malware
  • BZero-day malware
  • CFile-less malware
  • DLogic bomb malware

How the community answered

(60 responses)
  • A
    75% (45)
  • B
    3% (2)
  • C
    7% (4)
  • D
    15% (9)

Why each option

Phishing malware can abuse trusted, whitelisted applications as its execution vehicle, allowing payloads to run inside processes that bypass application whitelisting and AV detection.

APhishing malwareCorrect

Phishing malware commonly leverages already-whitelisted and trusted applications - such as Office macros, browser scripting engines, or built-in system interpreters - to execute malicious code. Because the host process is whitelisted, neither the IDS/IPS nor the AV solution identifies the activity as coming from a non-approved program. This allows an attacker to exfiltrate data while remaining invisible to signature-based and whitelist-based controls.

BZero-day malware

Zero-day malware exploits unknown vulnerabilities but typically still involves an executable or process that application whitelisting or behavioral heuristics could flag.

CFile-less malware

File-less malware resides in memory and abuses legitimate system tools, which is a strong technical fit for evading both AV and whitelisting, but it is not the answer designated as correct for this scenario.

DLogic bomb malware

Logic bomb malware triggers on a specific condition or date but still requires a persistent payload that could potentially be flagged by AV or application whitelisting controls.

Concept tested: Malware delivery that bypasses application whitelisting

Source: https://attack.mitre.org/techniques/T1566/

Topics

#fileless malware#application whitelisting bypass#living off the land#AV evasion

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice