312-50V12 Question #145: Real Exam Question with Answer & Explanation
The correct answer is B: Initiating DNS tunneling to communicate with the command-and-control server.
Question
In an advanced persistent threat scenario, an adversary follows a detailed set of procedures in the cyber kill chain. During one such instance, the adversary has successfully gained access to a corporate network and now attempts to obfuscate malicious traffic within legitimate network traffic. Which of the following actions would most likely be part of the adversary's current procedures?
Options
- A. Employing data staging techniques to collect and aggregate sensitive data.
- B. Initiating DNS tunneling to communicate with the command-and-control server.
- C. Establishing a command-and-control server to communicate with compromised systems.
- D. Conducting internal reconnaissance using PowerShell scripts.
Explanation
The adversary has gained network access and is attempting to conceal malicious command-and-control traffic within legitimate network traffic flows. Initiating DNS tunneling is a common technique used for this purpose.
Common mistakes.
- A. Employing data staging techniques is related to preparing data for exfiltration or further processing, not primarily for obfuscating command-and-control communication within legitimate traffic.
- C. Establishing a command-and-control server describes the setup of the infrastructure for communication, not the specific method used to obfuscate the communication traffic itself.
- D. Conducting internal reconnaissance using PowerShell scripts is an activity focused on discovery within the network, not the primary method for obfuscating C2 traffic within legitimate network flows.
Concept tested. Cyber Kill Chain: Command and Control obfuscation
Reference. https://learn.microsoft.com/en-us/security/threat-protection/intelligence/dns-tunneling