Question

A systems administrator is concerned that a server may be compromised. A security analyst notices the following log output while aiding with the investigation July 23 01:35:10 LINSERV01 useradd [30245]: failed adding user 'hjasole, data deleted July 23 01:35:10 LINSERVO1 passwd [ 30246] : password for 'hjasole changed by 'root' July 23 01:35:12 LINSERV01 passwd [30263] : password for 'mroch' changed by 'root' July 23 01:38:10 LINSERV01 useradd(30523]: failed adding user 'apache', data deleted July 23 01:42:48 LINSERV01 passwd [32532] : password for 'sleeman' changed by 'root' July 23 01:47:07 LINSERV01 useradd [633]: failed adding user 'mysql, data deleted Which of the following types of activities is the threat actor attempting? A Gain persistence В. Password brute forcing C Pivoting Elevation of privilege

Answer 1

Answer C. Pivoting Explanation In this scenario the user got control of root user and its password and was able to change the password of other users. The hacker already done brute force attacking by accessing the root password and has rights to change the password of other users like “hjasaole", "morch", "sleeeman". So there is no need for elevation privilege as the root user got all privileges as the hacker is able to compromise the server already. Since the hacker is trying to add users as a pivoting approach as she wants to to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks or pivoting