Question 618 of 730 from exam SY0-601: CompTIA Security+


Question

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks.

The security analyst then reviews the following application log:

[03/06/20xx:17:20:18] system 127.0.0.1 FindxPath=//User[Username/text ()="foo' or 7=7 or 'o'='o' And Password/text="bar']
[03/06/20xx:17:21:18] appadmin 194.28.114.102 action:login result:success
[03/06/20xx:17:22:18] appadmin 194.28.114.102 action:open.account (12345) result:fail
[03/06/20xx:17:23:18] appadmin 194.28.114.102 action:open.account (23456) result:fail
[03/06/20xx:17:23:18] appadmin 194.28.114.102 action:open.account (23456) result:fail
[03/06/20xx:17:23:18] appadmin 194.28.114.102 action:open.account (45678) result:fail

Which of the following can the security analyst conclude?

A. A replay attack is being conducted against the application.

B. An injection attack is being conducted against a user authentication system.

C. A service account password may have been changed, resulting in continuous failed logins within the application.

D. A credentialed vulnerability scanner attack is testing several CVEs against the application.

C.

Explanations

C.