A security assessor discovers evidence of unauthorized hashed passphrase collection on a Windows server. The assessor suspects a process in memory was targeted to harvest this data. Which approach might an attacker be using?
Snooping network traffic on a management interface during logins
Parsing local event logs for passphrase values
Attaching to the sign-in process and copying memory data
Obtaining an offline copy of the account database from the directory service
Attaching to the process that manages account sign-ins on a Windows system can reveal hashed passphrases that are active in memory. Parsing logs does not capture passphrases, offline copies of account databases are not synchronized with an active process, and snooping network traffic typically does not retrieve hashed passphrases from memory.