nerdexam
GIAC

GCIH · Question #451

Following a virtual machine escape attack, a rebuilt Windows server hosting multiple VMWare guests is placed on a protected VLAN for monitoring. What activity would indicate that the root cause of the

The correct answer is C. Commands from a virtual server are being executed on the Windows host. In a true virtual machine escape (VME) an attacker could jump from a guest to a host operating Egress traffic itself does not indicate compromise or a VME attack. The hypervisor would be expected to receive commands from virtual hosts.

Cloud Incident Response & Threat Hunting

Question

Following a virtual machine escape attack, a rebuilt Windows server hosting multiple VMWare guests is placed on a protected VLAN for monitoring. What activity would indicate that the root cause of the virtual machine escape has not been fully mitigated?

Options

  • AEgress traffic from a virtual server to a host on another VLAN or subnet
  • BCommands being sent from virtual hosts to the VMWare hypervisor
  • CCommands from a virtual server are being executed on the Windows host
  • DEgress traffic from the Windows server to a host on another VLAN or subnet

How the community answered

(59 responses)
  • A
    22% (13)
  • B
    12% (7)
  • C
    59% (35)
  • D
    7% (4)

Explanation

In a true virtual machine escape (VME) an attacker could jump from a guest to a host operating Egress traffic itself does not indicate compromise or a VME attack. The hypervisor would be expected to receive commands from virtual hosts.

Topics

#VM escape#hypervisor exploitation#VMware security#virtualization threats

Community Discussion

No community discussion yet for this question.

Full GCIH Practice