CompTIA Security+ (SY0-601) — Question 440
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
• Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
• Internal users in question were changing their passwords frequently during that time period.
• A jump box that several domain administrator users use to connect to remote devices was recently compromised.
• The authentication method used in the environment is NTLM.
Which of the following types of attacks is most likely being used to gain unauthorized access?
Answer options
- A. Pass-the-hash
- B. Brute-force
- C. Directory traversal
- D. Replay
Correct answer: A
Explanation
The most likely attack is pass-the-hash. It exploits NTLM authentication: an attacker who holds a user's hashed credentials can use them to gain unauthorized access without needing to know the plaintext password. The compromised jump box that several domain administrator users connect through is consistent with this, since it is a place where such hashes can be obtained. The other options, such as brute-force and replay attacks, do not align with the observed behavior of frequent password changes and access to the application during odd hours.