Question 3 - CertNexus CFR-410 Real Exam Questions [Jan 2026 Update]

Q: 3

While performing routing maintenance on a Windows Server, a technician notices several unapproved Windows Updates and that remote access software has been installed. The technician suspects that a malicious actor has gained access to the system. Which of the following steps in the attack process does this activity indicate?

Options

Correct Answer:

Explanation

The described activities—installing unapproved remote access software and updates—are classic examples of an attacker establishing persistence. Persistence techniques are used by malicious actors to maintain access to a compromised system across interruptions such as system reboots, credential changes, or other defensive measures. The remote access software creates a backdoor for the attacker to reconnect at will, while unapproved updates could be used to modify system configurations or install malicious code that ensures their continued foothold on the server.

Why Incorrect

A. Expanding access: This phase involves escalating privileges on the compromised host or moving laterally to other systems on the network, which is not what is described.

B. Covering tracks: This involves removing evidence of the intrusion, such as deleting logs or malware. The actions taken here add tools and make changes, which is the opposite.

C. Scanning: This is a reconnaissance activity performed before an intrusion to identify vulnerabilities. The scenario describes actions taken after the system has already been compromised.

References

1. MITRE. (2023). ATT&CK Framework

Enterprise Tactic TA0003 - Persistence. The MITRE ATT&CK framework

a globally-accessible knowledge base of adversary tactics and techniques

defines persistence as the set of techniques adversaries use to maintain access to systems. It explicitly lists "External Remote Services" (T1133) and modifying system configurations as methods for achieving this. The installation of remote access software directly aligns with this definition.

Source: MITRE ATT&CK

Tactic TA0003

"Persistence". Available at: https://attack.mitre.org/tactics/TA0003/

2. Purdue University. (n.d.). The Cyber Kill Chain. Course materials from Purdue University's Cyber Forensics program describe the attack lifecycle. The "Installation" phase

which follows initial exploitation

involves installing malware or backdoors on the victim's system to establish a persistent presence. This directly corresponds to the installation of remote access software mentioned in the scenario.

Source: Purdue University Global

"The Cyber Kill Chain

" section on Stage 4: Installation.

3. Conti

& Sobiesk

E. (2010). An Offensive and Defensive Security Curriculum. In this academic paper presented at the 4th USENIX Workshop on Offensive Technologies (WOOT '10)

the authors outline a security curriculum that includes the phases of an attack. They describe the "Maintaining Access" phase

which involves installing rootkits

backdoors

or other mechanisms to ensure the attacker can return to the compromised system. This academic source categorizes the described activity as maintaining access

synonymous with persistence.

Source: USENIX

WOOT '10 Proceedings

Page 4

Section "Maintaining Access".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE