nerdexam
GIAC

GCIH · Question #662

Which of the following actions can prevent the successful use of Metasploit against a Windows host?

The correct answer is C. Deploying controls on what applications are allowed to run. Application allowlisting prevents Metasploit payloads from executing on a Windows host by restricting which programs are permitted to run.

Vulnerability Exploitation & Privilege Escalation

Question

Which of the following actions can prevent the successful use of Metasploit against a Windows host?

Options

  • ADeploying User and Entity Behavior Analytics (UEBA) tools
  • BUsing the Microsoft Anti-Cross Site Scripting Library
  • CDeploying controls on what applications are allowed to run
  • DTracking UserIDs for unsuccessful login attempts

How the community answered

(65 responses)
  • A
    8% (5)
  • B
    12% (8)
  • C
    77% (50)
  • D
    3% (2)

Why each option

Application allowlisting prevents Metasploit payloads from executing on a Windows host by restricting which programs are permitted to run.

ADeploying User and Entity Behavior Analytics (UEBA) tools

UEBA tools detect anomalous behavior and generate alerts after events occur, but do not actively block Metasploit payloads from executing on the host.

BUsing the Microsoft Anti-Cross Site Scripting Library

The Microsoft Anti-Cross Site Scripting Library defends against XSS attacks in web applications, which is unrelated to preventing Metasploit exploitation of a Windows OS.

CDeploying controls on what applications are allowed to runCorrect

Metasploit relies on executing payloads or shellcode on a target system after exploitation; deploying application control policies - such as Windows Defender Application Control (WDAC) or AppLocker - prevents unauthorized executables and scripts from running, directly blocking the execution phase of a Metasploit attack. This control is effective even when a vulnerability exists because the payload itself is denied execution rights on the host.

DTracking UserIDs for unsuccessful login attempts

Tracking UserIDs for failed login attempts helps detect brute-force credential attacks but does not prevent Metasploit from exploiting software or service vulnerabilities.

Concept tested: Application allowlisting to prevent exploit payload execution

Source: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac

Topics

#Metasploit#application whitelisting#exploit prevention#Windows hardening

Community Discussion

No community discussion yet for this question.

Full GCIH Practice