312-50V12 Question #264: Real Exam Question with Answer & Explanation

Question

John, a security analyst, is analyzing a server suspected of being compromised. The attacker has used a non admin account and has already gained a foothold on the system. John discovers that a new Dynamic Link Library is loaded in the application directory of the affected server. This DLL does not have a fully qualified path and seems to be malicious. What privilege escalation technique has the attacker likely used to compromise this server?

Options

• ADLL Hijacking
• BNamed Pipe Impersonation
• CSpectre and Meltdown Vulnerabilities
• DExploiting Misconfigured Services

Explanation

A security analyst discovers a malicious Dynamic Link Library (DLL) loaded without a fully qualified path in an application's directory on a compromised server, indicating a privilege escalation attempt by an attacker. The specific technique used is DLL Hijacking.

Common mistakes.

• B. Named Pipe Impersonation is a privilege escalation technique involving a server impersonating a client's security context over a named pipe, which does not align with the discovery of a malicious DLL in an application directory.
• C. Spectre and Meltdown are hardware-level side-channel vulnerabilities that allow information disclosure by exploiting speculative execution, not a software-based technique involving the loading of malicious DLLs.
• D. Exploiting Misconfigured Services is a broader category often involving weak permissions on service executables or unquoted service paths; while it can lead to DLL loading issues, the specific scenario of an unqualified malicious DLL points directly to DLL Hijacking as the underlying technical mechanism.

Concept tested. Privilege escalation via DLL Hijacking

Reference. https://learn.microsoft.com/en-us/windows/win32/dlls/security-considerations-for-dll-loading

No community discussion yet for this question.