A security analyst reviews domain activity logs and notices the following:
Which of the following is the best explanation for what the security analyst has discovered?
A. The user jsmith’s account has been locked out.
B. A keylogger is installed on jsmith’s workstation.
C. An attacker is attempting to brute force jsmith’s account.
Well, the best issue would still be to quarantine the keylogger. If you only deal with the brute force problem, the issue will still be there, since the keylogger is still on the device. You can fix the issue with brute force all you want, but I will still know your password every time you log in.
"You can fix the issue with brute force all you want, but the keylogger will still record the user's input every time the user logs in"
Sorry fixing my grammar
The scenario perfectly matches a common security issue where attackers gain partial access through stolen credentials but are thwarted by MFA, which they try to bypass unsuccessfully. The repeated success in password authentication suggests that the attacker has access to jsmith's password, but the failure of MFA points to an attempt to guess or brute-force the MFA code.
C.
It’s not B because you can brute-force anything. A brute-force attack relies on trial and error and isn’t limited to passwords—you can brute-force usernames, URLs, directories, parameters, MFA, etc.
This could very well be a case of someone whose credentials (username and password) were leaked on the dark web, which also rules out B. The attacker knows the username and password but doesn’t have access to the MFA, so they are brute-forcing it.
The answer is B.
Why is it B? Because if it was brute force, the password authentication would have failed and not been successful. When brute force occurs, it means that the attacker is running a script to input different kinds of passwords until it hits the right one. In this case the attacker knew the password, since the password authentication was successful for all four logins. And to anyone who says the failed MFA is a brute force: yes, that can be true, but the right answer would still be B, since the keylogger was the main issue. If MFA wasn't in place, the hacker would have access to the account.
I think this is a poorly written question.
A. If the user entered their MFA token incorrectly a bunch of times, it's possible that the system locked them out, so it’s not working.
B. This could be how the threat actor obtained the user’s password.
C. While foolish and a waste of time, attempting to guess the MFA code is essentially the same as trying to guess the user’s password, thus making it a brute force attack.
Given the limited information we have I’m going with C
Actually, now that I've thought about it some more, given how unlikely and foolish it would be to try to brute force an MFA token, I think it's more likely jsmith has a keylogger installed on his device, so B.
B: Keylogger got the PW and is stuck on MFA.
C is incorrect, as the MFA code changes every time, so you can't brute force it. It would be possible to try the SAME code every time until you got lucky or got locked out, but that ain't BF.
The correct answer is A. The user jsmith’s account has been locked out. This is because the log shows multiple failed attempts with an “invalid code” error, which is typically a result of too many incorrect password attempts. This would trigger an account lockout policy to prevent brute-force attacks.
Option B. There is no indication of a keylogger in the log. Keyloggers typically don’t trigger account lockouts.
Option C. While this might be a possible scenario, the log doesn’t explicitly show a brute-force attack. The “invalid code” error suggests a lockout due to incorrect password attempts, not a brute force attack.
Option D. There is no indication of ransomware in the log. Ransomware typically doesn’t trigger account lockouts.
The log entries show multiple successful password authentications followed by multiple failed MFA (Multi-Factor Authentication) attempts due to invalid codes. This pattern suggests that the user’s password has been correctly entered multiple times, but the MFA codes are consistently failing.
The best explanation for what the security analyst has discovered is:
C. An attacker is attempting to brute force jsmith’s account.
The repeated successful password authentications followed by failed MFA attempts indicate that an attacker may have obtained the user’s password and is now trying to bypass the second layer of security, the MFA, by attempting multiple invalid codes.
The log entries indicate that the user "jsmith" has successfully authenticated with a password but has repeatedly failed the Multi-Factor Authentication (MFA) step due to an invalid code. This pattern suggests that the correct password is known or has been compromised, but the attacker is unable to provide the correct MFA code.
Given this information, the most likely explanation is:
C. An attacker is attempting to brute force jsmith’s account.
The repeated MFA failures suggest that someone other than the legitimate user is trying to gain access, potentially indicating a brute force attempt or another form of unauthorized access where the password is known, but the second factor of authentication is not.
Brute force involves trying different combinations of passwords/other credentials. This attacker knows the username and password and is clearly not guessing. A keylogger would know the username and password, but not have access to the MFA.
If the question mentioned a login from a specific workstation, or said it's local login only, then yes, it would be a keylogger. However, this could be a login from a home computer, mobile device, anything. Answer B could be correct, but more info would be needed. Based on available info, C is best.
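The distinction the comments above argue over (password accepted but MFA code rejected, versus passwords being guessed) can be written as a detection rule; the following is an added example, not part of the original question or any commenter's post. The log from the question is not reproduced on this page, so the log lines, the field layout, the extra users adoe and bkim, and the threshold of 3 are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events; the field layout is an assumption:
# timestamp, user, authentication step, result, reason
SAMPLE_LOG = """\
2024-05-01T09:00:01Z jsmith password success -
2024-05-01T09:00:05Z jsmith mfa failure invalid_code
2024-05-01T09:01:10Z jsmith password success -
2024-05-01T09:01:14Z jsmith mfa failure invalid_code
2024-05-01T09:02:20Z jsmith password success -
2024-05-01T09:02:25Z jsmith mfa failure invalid_code
2024-05-01T09:03:30Z jsmith password success -
2024-05-01T09:03:33Z jsmith mfa failure invalid_code
2024-05-01T09:04:00Z adoe password failure bad_password
2024-05-01T09:04:02Z adoe password failure bad_password
2024-05-01T09:04:04Z adoe password failure bad_password
2024-05-01T09:05:00Z bkim password success -
2024-05-01T09:05:04Z bkim mfa failure invalid_code
2024-05-01T09:05:30Z bkim mfa success -
"""

def parse(log_text):
    """Yield (user, step, result) tuples from whitespace-separated lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            _, user, step, result, _ = parts
            yield user, step, result

def classify(log_text, threshold=3):
    """Label each user by the failure pattern seen in the log."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, step, result in parse(log_text):
        counts[user][(step, result)] += 1
    verdicts = {}
    for user, c in counts.items():
        if c[("mfa", "success")]:
            verdicts[user] = "mfa_completed"  # second factor eventually passed
        elif c[("password", "success")] >= threshold and c[("mfa", "failure")] >= threshold:
            verdicts[user] = "password_known_mfa_failing"  # password is not being guessed
        elif c[("password", "failure")] >= threshold:
            verdicts[user] = "password_guessing"  # classic password brute force
        else:
            verdicts[user] = "no_pattern"
    return verdicts

if __name__ == "__main__":
    for user, verdict in classify(SAMPLE_LOG).items():
        print(user, verdict)
```

The rule only shows that the password was already known when the MFA step failed; it cannot say how the password was obtained, so an alert on it would normally trigger both a password reset and an endpoint check.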