After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?
A. Disable unused ports and restrict outbound firewall traffic
B. Perform weekly backups and store them off-site
C. Ensure antivirus and firewall software are up to date
D. Monitor file hashes of critical executables for unauthorized changes
CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.
CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.
Option D is correct.
Options A and B support resilience but do not detect tampering.
Option C alone is insufficient against LotL attacks.
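A minimal file integrity monitor of the kind the explanation describes, added here as an illustration and not taken from CEH materials or any FIM product: it records SHA-256 baselines for a set of monitored executables, re-hashes them later, and reports files that were modified or removed. File names and contents are constructed stand-ins created in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of every monitored executable.
    In practice the baseline is stored off-host or signed, so an attacker
    who can overwrite the binaries cannot also rewrite the reference hashes."""
    return {str(p): sha256_file(p) for p in paths}


def check_integrity(baseline):
    """Re-hash each monitored file and report anything that no longer matches."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((os.path.basename(path), "missing"))
        elif sha256_file(path) != expected:
            findings.append((os.path.basename(path), "modified"))
    return sorted(findings)


def demo():
    """Constructed scenario: three stand-in 'executables' in a temp directory.
    After the baseline is taken, one is altered in place and one is deleted."""
    root = Path(tempfile.mkdtemp())
    names = ("untouched.bin", "trojanized.bin", "removed.bin")
    files = {name: root / name for name in names}
    for name, p in files.items():
        p.write_bytes(b"original bytes of " + name.encode())
    baseline = build_baseline(files.values())
    # A modified legitimate utility keeps its name but not its content.
    files["trojanized.bin"].write_bytes(b"original bytes of trojanized.bin\x90\x90")
    files["removed.bin"].unlink()
    return check_integrity(baseline)


if __name__ == "__main__":
    for name, status in demo():
        print(f"ALERT {status}: {name}")
```

Running the scheduled check against a baseline that the attacker cannot alter is what turns a silently swapped utility into an alert.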