
CAS-005 Question #306: Real Exam Question with Answer & Explanation

The correct answer is B: Enabling a host firewall. A credential stealer harvests passwords from memory and uses TCP 4444 for lateral movement; the objective is to best mitigate this lateral movement.

Submitted by salim_om · Mar 6, 2026 · Security Operations

Question

A malware researcher has discovered a credential stealer is looking at a specific memory register to harvest passwords that will be used later for lateral movement in corporate networks. The malware is using TCP 4444 to communicate with other workstations. The lateral movement would be best mitigated by:

Options

  • A. Configuring the CPU's NX bit
  • B. Enabling a host firewall
  • C. Enabling an edge firewall
  • D. Enforcing all systems to use UEFI
  • E. Enabling ASLR on the Active Directory server

Explanation

The malware spreads by connecting from one workstation to another over TCP 4444. That traffic stays inside the LAN and never crosses the perimeter, so the only control point on its path is the endpoint itself. A host firewall on every workstation that blocks inbound TCP 4444 (or, more durably, denies inbound by default and allows only what is needed) cuts the workstation-to-workstation channel wherever the infected host sits. The other options address how exploit code first gets to run (NX, ASLR) or whether the boot chain is intact (UEFI), not the network traffic of an implant that is already resident. Note also that the host firewall does not remove the stealer or stop it from reading credentials from memory; it only removes the path it uses to move laterally, which is what the question asks.

Common mistakes.

  • A. Configuring the CPU's NX bit marks data pages non-executable, which blunts shellcode injected through buffer overflows, but it does nothing about a running implant's network connections on a given TCP port.
  • C. Enabling an edge firewall controls traffic entering and leaving the corporate network at the perimeter; workstation-to-workstation traffic on TCP 4444 never crosses it, so it cannot stop this lateral movement.
  • D. Enforcing all systems to use UEFI protects the boot chain against tampering, but this malware runs inside an already-booted operating system and its network communication is unaffected.
  • E. Enabling ASLR randomizes a process's address-space layout to make memory-corruption exploits unreliable; enabling it on the Active Directory server neither protects the workstations nor prevents an already-running stealer from using TCP 4444 between them.

Concept tested. Host-based intrusion prevention

Reference. https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-with-advanced-security
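The controls described above, as they would be applied on a Windows workstation with Windows Defender Firewall. This is an added example, not part of the exam question or of the referenced Microsoft page; the rule names, the peer hostname WS02 and the log path are assumptions. It blocks TCP 4444 in both directions, then sets the durable control (default-deny inbound with logging), verifies the rules, probes the port from a peer, and summarizes blocked attempts from the firewall log as a detection signal. TCP 4444 is a well-known default listener port (Metasploit's default LPORT), so a port-only rule is brittle against a variant that changes ports; the default-deny profile is what actually closes the gap.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the exam page or from Microsoft. Rule names, WS02 and
# the log path are assumptions. Run in an elevated session on each workstation
# (in practice, deploy the same settings via Group Policy or Intune).

$port = 4444

# 1. Explicit block for the port the malware uses, in both directions.
#    Inbound: this host refuses peer connections on 4444.
#    Outbound: if this host is already infected, it cannot reach peers on 4444.
New-NetFirewallRule -DisplayName "Block TCP 4444 inbound (credential stealer lateral movement)" `
    -Direction Inbound -Protocol TCP -LocalPort $port -Action Block `
    -Profile Domain,Private,Public -Enabled True

New-NetFirewallRule -DisplayName "Block TCP 4444 outbound (credential stealer lateral movement)" `
    -Direction Outbound -Protocol TCP -RemotePort $port -Action Block `
    -Profile Domain,Private,Public -Enabled True

# 2. The durable control: default-deny inbound on every profile, so a variant on
#    a different port is blocked too. Only explicit allow rules (for example,
#    management tooling) admit inbound connections. Log what gets dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block `
    -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 16384

# 3. Verify the rules exist and carry the intended port filter.
Get-NetFirewallRule -DisplayName "Block TCP 4444*" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    "{0,-8} {1,-6} local={2,-4} remote={3,-4} {4}" -f $_.Direction, $_.Action,
        $pf.LocalPort, $pf.RemotePort, $_.DisplayName
}

# 4. From a second workstation (assumed name WS02), confirm the port no longer
#    answers. TcpTestSucceeded should be False once the rule is applied there.
Test-NetConnection -ComputerName WS02 -Port $port -InformationLevel Detailed |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Detection: blocked connection attempts appear as DROP lines in the
#    firewall log (W3C format: date time action protocol src-ip dst-ip
#    src-port dst-port ...). Count drops to TCP 4444 per source host; a
#    workstation that repeatedly tries to reach peers on 4444 is a candidate
#    infected host.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
if (Test-Path $log) {
    Get-Content $log | ForEach-Object {
        if ($_ -match '^(\S+ \S+) DROP TCP (\S+) (\S+) (\d+) (\d+) ' -and [int]$Matches[5] -eq $port) {
            [pscustomobject]@{
                Time    = $Matches[1]
                Source  = $Matches[2]
                Target  = $Matches[3]
                DstPort = [int]$Matches[5]
            }
        }
    } | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}
```

The outbound rule and the log summary are what turn the firewall from a pure block into a containment and detection tool: the outbound block stops an already-compromised host from spreading, and the per-source drop counts point at which host that is. Step 4 is run from the peer, not the protected host, since a local connection to 127.0.0.1 does not traverse the same rule path.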
