CompTIA Security+ (SY0-601) — Question 467
A systems administrator receives the following alert from a file integrity monitoring tool:
The hash of the cmd.exe file has changed.
The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
Answer options
- A. The end user changed the file permissions.
- B. A cryptographic collision was detected.
- C. A snapshot of the file system was taken.
- D. A rootkit was deployed.
Correct answer: D
Explanation
The correct answer is D because the hash of a critical system binary such as cmd.exe changes only when the file's contents change, and with no patches applied in the last two months there is no legitimate update to account for it; an unexplained modification of a core OS binary is a classic sign of malicious activity such as a rootkit replacing or patching system files. Options A, B, and C do not explain the alert: changing file permissions (A) alters metadata, not contents, so the hash stays the same; a cryptographic collision (B) would mean two different files producing the same hash, which would conceal a change rather than report one, and is computationally infeasible for the hash functions integrity tools use; and taking a file system snapshot (C) reads the files without modifying them.
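The reasoning above, as an added example that is not part of the original question or its explanation: a minimal file integrity check in Python that records a SHA-256 baseline, reports files whose hash has changed, and triages a change against recent patch events, so that a change with no patch to explain it is flagged as suspected tampering. The `cmd.exe` here is a constructed stand-in file in a temporary directory, not the real Windows binary, and the patch dates are constructed; the permission-change step shows why option A cannot produce the alert.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta


def sha256_file(path, chunk_size=65536):
    """Hash a file's contents in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of each monitored file (the FIM baseline)."""
    return {p: sha256_file(p) for p in paths}


def find_changes(baseline):
    """Return (path, baseline_hash, current_hash) for every file whose contents changed or vanished."""
    changed = []
    for path, old_hash in baseline.items():
        if not os.path.exists(path):
            changed.append((path, old_hash, None))
            continue
        new_hash = sha256_file(path)
        if new_hash != old_hash:
            changed.append((path, old_hash, new_hash))
    return changed


def triage(changed, patch_events, alert_time, window_days=60):
    """Classify each change: if no patch ran in the look-back window, nothing legitimate explains it."""
    window_start = alert_time - timedelta(days=window_days)
    recent_patch = any(window_start <= t <= alert_time for t in patch_events)
    verdicts = {}
    for path, _old, _new in changed:
        if recent_patch:
            verdicts[path] = "review: change falls in a patch window; verify against the vendor hash"
        else:
            verdicts[path] = "suspected tampering: no patch explains the change (possible rootkit)"
    return verdicts


def demo():
    """Walk through the scenario from the question with constructed files and dates."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for cmd.exe; contents are arbitrary bytes, not a real binary.
        cmd = os.path.join(d, "cmd.exe")
        with open(cmd, "wb") as f:
            f.write(b"MZ original binary contents")
        baseline = build_baseline([cmd])

        # Option A: a permission change touches metadata only, so the hash is unchanged.
        os.chmod(cmd, 0o600)
        after_chmod = find_changes(baseline)

        # Now the file's contents are modified, which is what actually moves the hash.
        with open(cmd, "ab") as f:
            f.write(b"\x90\x90 injected bytes")
        changes = find_changes(baseline)

        # Constructed timeline: last patch well over two months before the alert.
        alert_time = datetime(2024, 3, 1)
        patch_events = [datetime(2023, 11, 15)]
        verdicts = triage(changes, patch_events, alert_time)
        return len(after_chmod), len(changes), verdicts[cmd]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host or signed so that whatever altered the binary cannot also rewrite the expected hash, and the patch events would come from the OS update log the administrator consulted in the question.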