You see 100 HTTP GET and POST requests for various pages on one of your web servers. The user agent in the requests contains PHP code that, if executed, creates and writes to a new PHP file on the web server. Which category does this event fall under as defined in the Diamond Model of Intrusion?
A. delivery
B. reconnaissance
C. action on objectives
D. installation
E. exploitation
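As an added illustration of the event in the question (example code, not part of the original thread): a small Python scanner that parses constructed Apache-style access-log lines and flags requests whose User-Agent header carries a PHP open tag or a file-writing call, grouping GET/POST counts per source IP so an analyst can see the pattern before deciding which phase it belongs to. The log lines, IPs and indicator patterns are constructed for this example.

```python
import re

# Constructed sample access-log lines (combined log format); not from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.php HTTP/1.1" 200 334 "-" "<?php echo 'constructed-sample'; ?>"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /contact.php HTTP/1.1" 200 210 "-" "<?php file_put_contents('CONSTRUCTED.php', ''); ?>"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.1.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of PHP code inside a header that should only carry a browser string.
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
FILE_WRITE_FUNCS = re.compile(r'\b(file_put_contents|fwrite|fopen)\s*\(', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_ua(ua):
    """Return the names of the indicators found in a User-Agent value."""
    found = []
    if PHP_TAG.search(ua):
        found.append("php_tag")
    if FILE_WRITE_FUNCS.search(ua):
        found.append("file_write_call")
    return found


def scan_log(text):
    """Group suspicious requests per source IP: method counts, indicators and paths."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        hits = classify_ua(rec["ua"])
        if not hits:
            continue
        entry = report.setdefault(rec["ip"], {"GET": 0, "POST": 0, "indicators": set(), "paths": []})
        entry[rec["method"]] = entry.get(rec["method"], 0) + 1
        entry["indicators"].update(hits)
        entry["paths"].append(rec["path"])
    return report
```

A 200 response on these lines only says the requested page was served; it says nothing about whether the header content was ever interpreted, which is the distinction the thread below argues over.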
Answer should be B – Reconnaissance.
Let's break down the question: “You see 100 HTTP GET and POST requests…”
According to SECFND, “Status codes starting with 1xx are Informational”, which means the attacker is not writing anything yet on the server.
The Cisco Cert Guide, page 372, says about Reconnaissance: “An example would be identifying multiple web-facing servers and uncovering a vulnerable version of software installed on one of the servers, making it the ideal target to exploit”.
Before exploiting you should deliver, and before delivering you should weaponize according to the information you gathered in the reconnaissance phase.
Correct answer is Delivery.
Guys,
It is mentioned in the question “if executed”. Cisco again is trying to confuse us. Then, through the process of elimination, options B and C are easily excluded. Exploitation is the attacker taking advantage of a vulnerability, and we are not sure that the web server is vulnerable to this attack.
Lastly, the answer cannot be “installation”, as per the below excerpt from the official guide:
“The installation step of the kill chain can simply be seen as an adversary successfully installing the previously developed weapon and being capable of maintaining persistence inside the target system or environment. Sometimes this step is referred to as “establishing a foothold,” …”
Therefore the answer is A.
I think it is E; delivery is the vector, and exploit means that something writes and executes on the server.
CCNA Cyber Ops SECOPS 210-255 OFFICIAL CERT GUIDE
Page 260
Delivery
Correct Answer = A
delivery
So is it A or B? It looks like both are correct, because the attacker is trying to exploit the server and at the same time he is trying to deliver the PHP malware file.
I think A here too. The key to the answer is in the ‘if executed’ portion.
I think the answer is A