CompTIA CASP+ (CAS-004) — Question 457

During an active attack, a security analyst evaluated a system for indicators of compromise. As part of the initial attack, the attacker executed a buffer overflow to perform privilege escalation. The file integrity monitoring system received an alert indicating an escalation. In which of the following MITRE ATT&CK framework phases does this alert belong?

Answer options

• A. Reconnaissance
• B. Data gathering
• C. Persistence
• D. Pivoting

Correct answer: C

Explanation

The correct answer is C, Persistence, as the alert indicates that the attacker has successfully escalated privileges to maintain access to the system. Options A and B relate to earlier stages of the attack cycle, while D, Pivoting, involves moving to other systems but does not directly relate to privilege escalation alerts.