GCIH Question #451: Real Exam Question with Answer & Explanation
The correct answer is C: Commands from a virtual server are being executed on the Windows host.
Cloud Incident Response & Threat Hunting
Question
Following a virtual machine escape attack, a rebuilt Windows server hosting multiple VMware guests is placed on a protected VLAN for monitoring. What activity would indicate that the root cause of the virtual machine escape has not been fully mitigated?
Options
- A. Egress traffic from a virtual server to a host on another VLAN or subnet
- B. Commands being sent from virtual hosts to the VMware hypervisor
- C. Commands from a virtual server are being executed on the Windows host
- D. Egress traffic from the Windows server to a host on another VLAN or subnet
Explanation
In a true virtual machine escape (VME), an attacker could jump from a guest to a host operating system. Egress traffic itself does not indicate compromise or a VME attack. The hypervisor would be expected to receive commands from virtual hosts.
Topics
#VM escape #hypervisor exploitation #VMware security #virtualization threats