GCIH · Question #451
Following a virtual machine escape attack, a rebuilt Windows server hosting multiple VMWare guests is placed on a protected VLAN for monitoring. What activity would indicate that the root cause of the
The correct answer is C. Commands from a virtual server are being executed on the Windows host. In a true virtual machine escape (VME) an attacker could jump from a guest to a host operating Egress traffic itself does not indicate compromise or a VME attack. The hypervisor would be expected to receive commands from virtual hosts.
Question
Following a virtual machine escape attack, a rebuilt Windows server hosting multiple VMWare guests is placed on a protected VLAN for monitoring. What activity would indicate that the root cause of the virtual machine escape has not been fully mitigated?
Options
- AEgress traffic from a virtual server to a host on another VLAN or subnet
- BCommands being sent from virtual hosts to the VMWare hypervisor
- CCommands from a virtual server are being executed on the Windows host
- DEgress traffic from the Windows server to a host on another VLAN or subnet
How the community answered
(59 responses)- A22% (13)
- B12% (7)
- C59% (35)
- D7% (4)
Explanation
In a true virtual machine escape (VME) an attacker could jump from a guest to a host operating Egress traffic itself does not indicate compromise or a VME attack. The hypervisor would be expected to receive commands from virtual hosts.
Topics
Community Discussion
No community discussion yet for this question.