CompTIA Security+ (SY0-501) — Question 487
An attacker has obtained the user ID and password of a datacenter's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action?
Answer options
- A. Perform a passive reconnaissance of the network.
- B. Initiate a confidential data exfiltration process.
- C. Look for known vulnerabilities to escalate privileges.
- D. Create an alternate user ID to maintain persistent access.
Correct answer: B
Explanation
B is correct because, after gaining access, an attacker often seeks to extract valuable data. Options A, C, and D are also potential actions, but they are typically not the immediate next step; once access is achieved, initiating data exfiltration is.