GCIH · Question #788
What action is being performed in the following session?
The correct answer is A. Gathering Active Directory hashes. The session shown performs Active Directory credential harvesting by extracting NTLM password hashes from domain accounts, a technique distinct from targeting the local LSASS process. Tools like secretsdump.py or DCSync replicate credentials directly from the domain controller.
Question
What action is being performed in the following session?
Options
- AGathering Active Directory hashes
- BEscalating privileges
- CCreating a rescue boot disc
- DDumping information from the LSASS.EXE process
How the community answered
(35 responses)- A77% (27)
- B6% (2)
- C3% (1)
- D14% (5)
Why each option
The session shown performs Active Directory credential harvesting by extracting NTLM password hashes from domain accounts, a technique distinct from targeting the local LSASS process. Tools like secretsdump.py or DCSync replicate credentials directly from the domain controller.
Gathering Active Directory hashes involves techniques such as DCSync (using replication privileges to pull all domain account hashes from a domain controller) or offline parsing of the NTDS.dit database, yielding NTLM hashes for all domain accounts rather than only locally cached credentials.
Privilege escalation involves exploiting a vulnerability or misconfiguration to gain a higher-privilege context; the session shown is performing credential harvesting after elevated access is already present.
Creating a rescue boot disc involves disk imaging or bootable media utilities and has no relationship to the credential extraction activity depicted.
Dumping the LSASS.EXE process is a specific Windows memory-scraping technique targeting locally cached credentials, which is a different method from domain-wide Active Directory hash extraction shown here.
Concept tested: Active Directory NTLM hash harvesting via DCSync
Source: https://attack.mitre.org/techniques/T1003/003/
Topics
Community Discussion
No community discussion yet for this question.