CompTIA Security+ (SY0-601) — Question 669

A company's help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?

Answer options

• A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage.
• B. The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application's allow list, temporarily restricting the drives to 512KB of storage.
• C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives.
• D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

Correct answer: D

Explanation

The correct answer is D because it indicates that a malicious flash drive is evading the Group Policy Object (GPO) that restricts flash drive usage and is executing Mimikatz to steal credentials. Options A and B suggest benign issues related to GPO and driver problems, which do not account for the security threat posed. Option C implies a technical error unrelated to malicious intent.