nerdexam
GIAC

GCIH · Question #788

What action is being performed in the following session?

The correct answer is A. Gathering Active Directory hashes. The session shown performs Active Directory credential harvesting by extracting NTLM password hashes from domain accounts, a technique distinct from targeting the local LSASS process. Tools like secretsdump.py or DCSync replicate credentials directly from the domain controller.

Vulnerability Exploitation & Privilege Escalation

Question

What action is being performed in the following session?

Options

  • AGathering Active Directory hashes
  • BEscalating privileges
  • CCreating a rescue boot disc
  • DDumping information from the LSASS.EXE process

How the community answered

(35 responses)
  • A
    77% (27)
  • B
    6% (2)
  • C
    3% (1)
  • D
    14% (5)

Why each option

The session shown performs Active Directory credential harvesting by extracting NTLM password hashes from domain accounts, a technique distinct from targeting the local LSASS process. Tools like secretsdump.py or DCSync replicate credentials directly from the domain controller.

AGathering Active Directory hashesCorrect

Gathering Active Directory hashes involves techniques such as DCSync (using replication privileges to pull all domain account hashes from a domain controller) or offline parsing of the NTDS.dit database, yielding NTLM hashes for all domain accounts rather than only locally cached credentials.

BEscalating privileges

Privilege escalation involves exploiting a vulnerability or misconfiguration to gain a higher-privilege context; the session shown is performing credential harvesting after elevated access is already present.

CCreating a rescue boot disc

Creating a rescue boot disc involves disk imaging or bootable media utilities and has no relationship to the credential extraction activity depicted.

DDumping information from the LSASS.EXE process

Dumping the LSASS.EXE process is a specific Windows memory-scraping technique targeting locally cached credentials, which is a different method from domain-wide Active Directory hash extraction shown here.

Concept tested: Active Directory NTLM hash harvesting via DCSync

Source: https://attack.mitre.org/techniques/T1003/003/

Topics

#Active Directory#credential dumping#NTDS#password hashes

Community Discussion

No community discussion yet for this question.

Full GCIH Practice