GCIH · Question #662
Which of the following actions can prevent the successful use of Metasploit against a Windows host?
The correct answer is C. Deploying controls on what applications are allowed to run. Application allowlisting prevents Metasploit payloads from executing on a Windows host by restricting which programs are permitted to run.
Question
Which of the following actions can prevent the successful use of Metasploit against a Windows host?
Options
- ADeploying User and Entity Behavior Analytics (UEBA) tools
- BUsing the Microsoft Anti-Cross Site Scripting Library
- CDeploying controls on what applications are allowed to run
- DTracking UserIDs for unsuccessful login attempts
How the community answered
(65 responses)- A8% (5)
- B12% (8)
- C77% (50)
- D3% (2)
Why each option
Application allowlisting prevents Metasploit payloads from executing on a Windows host by restricting which programs are permitted to run.
UEBA tools detect anomalous behavior and generate alerts after events occur, but do not actively block Metasploit payloads from executing on the host.
The Microsoft Anti-Cross Site Scripting Library defends against XSS attacks in web applications, which is unrelated to preventing Metasploit exploitation of a Windows OS.
Metasploit relies on executing payloads or shellcode on a target system after exploitation; deploying application control policies - such as Windows Defender Application Control (WDAC) or AppLocker - prevents unauthorized executables and scripts from running, directly blocking the execution phase of a Metasploit attack. This control is effective even when a vulnerability exists because the payload itself is denied execution rights on the host.
Tracking UserIDs for failed login attempts helps detect brute-force credential attacks but does not prevent Metasploit from exploiting software or service vulnerabilities.
Concept tested: Application allowlisting to prevent exploit payload execution
Source: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/wdac
Topics
Community Discussion
No community discussion yet for this question.