SY0-701 Question #558: Real Exam Question with Answer & Explanation
The correct answer is D: Escape to host.
Question
A security analyst attempts to start a company's database server. When the server starts, the analyst receives an error message indicating the database server did not pass authentication. After reviewing and testing the system, the analyst receives confirmation that the server has been compromised and that attackers have redirected all outgoing database traffic to a server under their control. Which of the following MITRE ATT&CK techniques did the attacker most likely use to redirect database traffic?
Options
- A. Browser extension
- B. Process injection
- C. Valid accounts
- D. Escape to host
Explanation
Escape to host (T1611) is correct because this technique allows an attacker to break out of a containerized or virtualized environment and gain access to the underlying host system. With host-level privileges, the attacker can manipulate low-level network configuration, such as iptables rules or routing tables, to silently redirect outgoing database traffic to a server they control. This also explains why the database server fails authentication: it is unknowingly connecting to the attacker's server instead of the legitimate endpoint.
Browser extension (A) is wrong because it targets browser-based credential or session data, not server-level network traffic. Process injection (B) involves inserting malicious code into a running process so that it executes in that process's context; while powerful, it does not by itself explain network-level traffic redirection. Valid accounts (C) describes using legitimate credentials to authenticate, which could grant access but does not describe a mechanism for rerouting traffic.
Memory tip: Think "escape the box, own the network." Once an attacker escapes from a container to the host, they control the entire network stack beneath it, which makes traffic redirection straightforward.