A security analyst is performing a forensic investigation involving compromised account credentials.
Using the Event Viewer, the analyst was able to detect the following message: Special privileges assigned to new logon.
Several of these messages did not have a valid logon associated with the user before these privileges were assigned.
Which of the following attacks is MOST likely being detected?
A. Pass-the-hash
B. Buffer overflow
C. Cross-site scripting
D. Session replay.

Answer: A
The answer to this question is A, Pass-the-hash.
Pass-the-hash is a common attack that occurs when an attacker gains access to a user's password hash and uses it to authenticate as that user without having to crack the password. Instead of obtaining the user's actual password, the attacker can use the hash to access systems and networks as the compromised user.
The message "Special privileges assigned to new logon" indicates that the attacker was able to obtain special privileges by using the compromised user's credentials, which is consistent with pass-the-hash attacks. Furthermore, the fact that the messages did not have a valid logon associated with the user before the privileges were assigned suggests that the attacker was using the compromised credentials to create a new logon session.
The other options are not likely to be the correct answer:
In summary, the most likely attack being detected in this scenario is pass-the-hash, which involves an attacker using compromised credentials to gain special privileges and create a new logon session.