CompTIA Security+ (SY0-701) — Question 34
A systems administrator receives the following alert from a file integrity monitoring tool:
    "The hash of the cmd.exe file has changed."
The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
Answer options
- A. The end user changed the file permissions.
- B. A cryptographic collision was detected.
- C. A snapshot of the file system was taken.
- D. A rootkit was deployed.
Correct answer: D
Explanation
The correct answer is D. A rootkit replaces or modifies system binaries such as cmd.exe to hide its presence and persist, and it typically conceals its activity from the OS logs; because no patches were applied in the last two months, there is no legitimate update that would explain why the file's hash changed. Option A is incorrect because file permissions are metadata, not file content, so changing them does not alter the file's hash. Option B is unlikely because cryptographic collisions are extremely rare for modern hash functions, and a collision would mean two different files share the same hash, which would leave the change undetected rather than produce an alert. Option C is not relevant because taking a snapshot only reads the file system and does not change the file itself.