A security assessor discovers evidence of unauthorized hashed passphrase collection on a Windows server. The assessor suspects a process in memory was targeted to harvest this data. Which approach might an attacker be using?
Obtaining an offline copy of the account database from the directory service
Snooping network traffic on a management interface during logins
Parsing local event logs for passphrase values
Attaching to the sign-in process and copying memory data
Attaching to the process that manages account sign-ins on a Windows system can reveal hashed passphrases that are active in memory. Parsing logs does not capture passphrases, offline copies of account databases are not synchronized with an active process, and snooping network traffic typically does not retrieve hashed passphrases from memory.