GCIH Question #144: Real Exam Question with Answer & Explanation
The correct answer is C: A backdoor the intruder created so that he can re-enter the network.
Question
Your IDS discovers that an intruder has gained access to your system. You immediately stop that access, change passwords for administrative accounts, and secure your network. You discover an odd account (not administrative) that has permission to remotely access the network. What is this most likely?
Options
- A. An example of privilege escalation.
- B. A normal account you simply did not notice before. Large networks have a number of
- C. A backdoor the intruder created so that he can re-enter the network.
- D. An example of IP spoofing.
Explanation
An unknown account with remote access permissions discovered after a confirmed intrusion is the hallmark of a backdoor - a deliberate mechanism left by the attacker for persistent re-entry.
Common mistakes.
- A. Privilege escalation refers to an attacker gaining higher-level permissions than initially granted, not the creation of a separate account as a re-entry mechanism.
- B. While large networks have many accounts, the timing of this discovery immediately following a confirmed intrusion and the account's specific remote access permission makes benign oversight an implausible explanation.
- D. IP spoofing is a network-layer technique where an attacker forges source IP addresses in packets; it does not involve the creation of user accounts or remote access credentials on a compromised system.
Concept tested. Backdoor account creation for persistent attacker access.
Reference. https://attack.mitre.org/techniques/T1136/