CS0-003 Exam Questions

CS0-003 Exam - Question 240


An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Correct Answer: B

The removal of proxy and firewall rules by an unrecognized service account, coupled with unusual outbound connections, indicates that the attacker has established a command and control (C2) channel. This stage in the Cyber Kill Chain is where the attacker communicates with the compromised system to gain control and execute commands, which matches the description given.

Discussion

3 comments
maggie22 - Option: B
Jul 16, 2024

The proxy and firewall rules that were in place were removed by a service account. First, the keyword "Removing" is not part of gathering. Second, "Outbound traffic": it must have been done by C2C. Another

LB54 - Option: C
Jul 12, 2024

The scenario described aligns with the Reconnaissance phase of the Cyber Kill Chain. During this phase, adversaries gather information about their target, which can include identifying vulnerabilities, understanding network architecture, and discovering potential weaknesses. In this case, the discovery of unusual outbound connections and unauthorized rule changes indicates reconnaissance activities by an attacker. The subsequent phases would involve weaponization, delivery, exploitation, installation, command and control, and finally, actions on the objective.

nap61 - Option: B
Jul 18, 2024

C2C = "Command channel for remote manipulation of victim"