Exam SY0-701 topic 1 question 71 discussion

The scenario perfectly matches a common security issue where attackers gain partial access through stolen credentials but are thwarted by MFA, which they try to bypass unsuccessfully.The repeated success in password authentication suggests that the attacker has access to jsmith's password, but the failure of MFA points to an attempt to guess or brute-force the MFA code.

Can be B or C, but leaning B Since they already have the password, its not a brute force attack

C. It’s not B because you can brute-force anything. A brute-force attack relies on trial and error and isn’t limited to passwords—you can brute-force usernames, URLs, directories, parameters, MFA, etc. This could very well be a case of someone whose credentials (username and password) were leaked on the dark web, which also rules out B. The attacker knows the username and password but doesn’t have access to the MFA, so they are brute-forcing it.

The answer is B. Why is it B? because If it was brute force the Password authentication would have failed and not successful. When brute force occurs, it means that the attacker is running a script to input different kind of password until it hit the right one. In this case the attacker knew the password since the password authentication successful for all four logins. And someone that say MFA failed is a brute force. yes that can be true but the right answer would be still B since the keylogger was the main issue. If MFA wasn't in place the hacker would have access to the account.

there should be invalid passwords if bruteforce

in class we learned the best solution against keyloggers is MFA

Someone without access to MFA successfully enters password. Password is known, how? I choose B.

B. A keylogger is installed on jsmith’s workstation.

I think this is a poorly written question. A. If the user entered their MFA token incorrectly a bunch of times it possible that the system locked them out so it’s not working. B. This could be how the threat actor obtained the user’s password C. While foolish and a waste of time, attempting to guess the MFA code is essentially the same trying to guess the user’s password, thus making it a brute force attack. Given the limited information we have I’m going with C

B: Keylogger got the PW and is stuck on MFA. C is incorrect as MFA code changes every time so you cant brute force it. It would be possible to try the SAME code every time until you got lucky or got locked out but that aint BF.

An attacker is attempting to brute force jsmith’s account

It is not a brute force attack since the hacker already has the password because of the keylogger

The correct answer is A. The user jsmith’s account has been locked out. This is because the log shows multiple failed attempts with an “invalid code” error, which is typically a result of too many incorrect password attempts. This would trigger an account lockout policy to prevent brute-force attacks. Option B. There is no indication of a keylogger in the log. Keyloggers typically don’t trigger account lockouts. Option C. While this might be a possible scenario, the log doesn’t explicitly show a brute-force attack. The “invalid code” error suggests a lockout due to incorrect password attempts, not a brute force attack. Option D. There is no indication of ransomware in the log. Ransomware typically doesn’t trigger account lockouts.

The log entries show multiple successful password authentications followed by multiple failed MFA (Multi-Factor Authentication) attempts due to invalid codes. This pattern suggests that the user’s password has been correctly entered multiple times, but the MFA codes are consistently failing. The best explanation for what the security analyst has discovered is: C. An attacker is attempting to brute force jsmith’s account. The repeated successful password authentications followed by failed MFA attempts indicate that an attacker may have obtained the user’s password and is now trying to bypass the second layer of security, the MFA, by attempting multiple invalid codes.

The log entries indicate that the user "jsmith" has successfully authenticated with a password but has repeatedly failed the Multi-Factor Authentication (MFA) step due to an invalid code. This pattern suggests that the correct password is known or has been compromised, but the attacker is unable to provide the correct MFA code. Given this information, the most likely explanation is: C. An attacker is attempting to brute force jsmith’s account. The repeated MFA failures suggest that someone other than the legitimate user is trying to gain access, potentially indicating a brute force attempt or another form of unauthorized access where the password is known, but the second factor of authentication is not.

Brute force involves trying different combinations of passwords/other credentials. This attacker knows the username and password and is clearly not guessing. A keylogger would know the username and password, but not have access to the MFA.

If the question mentioned a login from a specific workstation, or said its local login only, then yes it would be keylogger. However, this could be a login from home computer, mobile device, anything. Answer B could be correct but more info would be needed. Based on available info C is best.