Exam SY0-601
Question 515

A company's help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?

    Correct Answer: D

    The presence of AV alerts indicating Mimikatz, a known tool for harvesting plaintext credentials from memory, suggests a security incident involving malicious activity. The fact that the new company flash drives only have 512KB of storage further implies tampering. It's most likely that the GPO blocking the use of flash drives is being bypassed by these malicious flash drives, which are attempting to harvest credentials from the system.

Discussion
rline63

Maybe a good solution for this is just not keeping a bowl of flash drives for public use in the company breakroom.

ApplebeesWaiter1122 Option: D

The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory. The presence of Mimikatz alerts and reports of new company flash drives having only 512KB of storage indicate a potential security incident involving malicious activity. Mimikatz is a well-known tool used for extracting plaintext passwords and other sensitive information from memory, which could indicate an attempt to compromise the security of the systems. Additionally, the fact that the new flash drives have been tampered with and do not have their original storage capacity suggests that a malicious actor is using the flash drives to bypass the Group Policy Object (GPO) settings that block the use of flash drives. This could be an attempt to introduce malware or exfiltrate data using unauthorized hardware.

Dapsie

Also, could that policy be looking for devices with 512GB storage?

Gamsje Option: D

Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets. D

LeonardSnart Option: D

"Mimikatz: A tool used by many penetration testers, attackers, and even malware that can be useful for retrieving password hashes from memory; it is a useful post-exploitation tool." - Security+ SY0-601 Pearson IT Cert Guide by Santos, Taylor, & Mlodzianowski

blockface Option: D

I believe D is the answer. Mimikatz is a tool that is commonly used by hackers and security professionals to extract sensitive information, such as passwords and credentials, from a system's memory. The flash drive most likely has malicious code that is trying to execute Mimikatz to dump credentials from memory.

ComPCertOn Option: D

Isn't it a keylogger impl. method?