Which of the following was the suspicious event able to accomplish?

An analyst received an alert regarding an application spawning a suspicious command shell process.

Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

Which of the following was the suspicious event able to accomplish?
A. Impair defenses.
B. Establish persistence.
C. Bypass file access controls.
D. Implement beaconing.

Answer: B

Explanation:

The suspicious event was able to accomplish establishing persistence by creating a registry change that runs a command shell process every time a user logs on.

The registry change modifies the Userinit value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which specifies what programs should run when a user logs on to Windows. By appending “cmd.exe,” to the existing value, the event ensures that a command shell process will be launched every time a user logs on, which can allow the attacker to maintain access to the system or execute malicious commands. The other options are not related to the registry change. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/win32/sysinfo/userinit-entry
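The detection side of this explanation, as an added example that is not part of the original question or its references: the script below audits registry "value set" events for the two Winlogon values that run programs at logon (Userinit and Shell) and reports any entry beyond the expected default. The line format of the sample events is a constructed, simplified key=value layout (not a real Sysmon or EDR export), and the four sample lines are constructed; the third one mirrors the change described above, where "cmd.exe," is appended to Userinit.

```python
"""Audit Winlogon Userinit / Shell registry values for appended logon entries."""
import re

# Constructed sample events in a simplified "key=value" line format (not from
# any real log source). Line 3 mirrors the Userinit change described on the page.
SAMPLE_EVENTS = [
    r"EventType=SetValue TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit Details=C:\Windows\system32\userinit.exe,",
    r"EventType=SetValue TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Details=explorer.exe",
    r"EventType=SetValue TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit Details=C:\Windows\system32\userinit.exe,cmd.exe,",
    r"EventType=SetValue TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run\Updater Details=C:\Tools\updater.exe",
]

# Expected (default) contents of the two Winlogon values that launch at logon.
# Anything else in these values is worth a look.
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# Matches only the Winlogon\Userinit and Winlogon\Shell value paths (case-insensitive).
WINLOGON_RE = re.compile(
    r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.IGNORECASE)
# Pulls the target value path and the new data out of one sample event line.
LINE_RE = re.compile(r"TargetObject=(?P<target>.+?) Details=(?P<details>.*)$")


def split_entries(details):
    """Split a comma-separated logon value into normalised entries.

    The default Userinit data ends with a trailing comma, so empty entries are
    dropped; surrounding quotes and whitespace are stripped and case is folded.
    """
    return [e.strip().strip('"').lower() for e in details.split(",") if e.strip()]


def audit_event(line):
    """Return the unexpected entries if the line sets Userinit or Shell; otherwise None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    km = WINLOGON_RE.search(m.group("target"))
    if not km:
        return None
    name = km.group(1).lower()
    return [e for e in split_entries(m.group("details")) if e not in EXPECTED[name]]


def audit_events(lines):
    """Return (target_value_path, unexpected_entries) for every event that adds
    something to Userinit or Shell beyond the expected default."""
    findings = []
    for line in lines:
        extra = audit_event(line)
        if extra:
            target = LINE_RE.search(line).group("target")
            findings.append((target, extra))
    return findings


if __name__ == "__main__":
    for target, extra in audit_events(SAMPLE_EVENTS):
        # Prints the Userinit line with ["cmd.exe"]; the other three lines are clean.
        print(f"persistence candidate: {target} -> {extra}")
```

The default-only allowlist is deliberately strict: a legitimate change to these values is rare enough on managed hosts that every extra entry deserves triage, and matching on the value path rather than on "cmd.exe" catches the same technique when a different binary is appended.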
