350-201(NEW-127Q) Question #52: Real Exam Question with Answer & Explanation
The correct answer is B. T1195 - Supply Chain Compromise.
Question
Options
- A. T1496 - Data Encrypted for Impact
- B. T1195 - Supply Chain Compromise
- C. T1570 - Lateral Tool Transfer
- D. T1136 - Network Share Discovery
Explanation
T1195 - Supply Chain Compromise is correct because threat actors infiltrated the upstream software development pipeline and poisoned a legitimate patch before it ever reached customers - the attack happened in the supply chain, not on the victim's systems directly. Classic examples include SolarWinds (SUNBURST) and the 3CX incident.
Why the distractors are wrong:
- A (T1496 - Data Encrypted for Impact): This TTP covers ransomware-style encryption to deny data access - no encryption occurs in this scenario, and it targets impact, not distribution.
- C (T1570 - Lateral Tool Transfer): This involves moving tools within a compromised network (attacker-to-victim lateral movement), not weaponizing a vendor's software before release.
- D (T1136 - Network Share Discovery): This covers enumerating shared network drives for reconnaissance - completely unrelated to tampered software updates.
Memory tip: Think of T1195 as "poison the well before anyone drinks." If the attack happens before the software/update/hardware reaches the victim - at the vendor, build system, or distribution channel - it's a Supply Chain Compromise. The victim installs something they trust, not knowing it was already tainted.