PT0-002 Question #481: Real Exam Question with Answer & Explanation
The correct answer is A: Indicators of prior compromise.
Question
A penetration tester exploits a vulnerable service to gain a shell on a target server. The tester receives the following:

    Directory of C:\Users\Guest
    05/13/2022  09:23 PM    mimikatz.exe
    05/18/2022  09:24 PM    mimidrv.sys
    05/18/2022  09:24 PM    mimilib.dll

Which of the following best describes these findings?
Options
- A. Indicators of prior compromise
- B. Password encryption tools
- C. False positives
- D. De-escalation attempts
Explanation
The presence of files such as mimikatz.exe, mimidrv.sys, and mimilib.dll on a target server indicates prior compromise. Mimikatz is a well-known post-exploitation tool used for extracting plaintext passwords, password hashes, PIN codes, and Kerberos tickets from memory. Finding these files in a user's profile directory suggests that an attacker previously gained access to the system and used Mimikatz for credential harvesting. This is a strong indicator of an earlier security breach, not a set of password encryption tools and not a false positive.