You see 100 HTTP GET and POST requests for various pages on one of your webservers. The user agent in the requests contain php code that, if executed, creates and writes to a new php file on the webserver. Which category does this event fall under as defined in the Diamond Model of Intrusion?
A. delivery
B. reconnaissance
C. action on objectives
D. installation
E. exploitation
Installation is the correct answer there. By writing you are installing
The answer it’s A cause the code has instructions about what to do to proceed with attack. In this phase the attacker already knows about the vulnerability and how to explore it, that’s why he delivered the weapon to the target.
I think A is correct. The key is in the wording that states ‘if executed’. we could infer that it the code has not been exploited and therefore the installation phase has not been reached. The installation phase, also known as the persistence phase, describes actions taken by the threat actor to establish a back door onto the targeted system, which allows the threat actor sustained and persistent access to the target.
Did you see “IF EXECUTED”?
That means it is delivered but not yet executed.
The answer is A. Delivery
GET – Requests data from a specified resource
POST – Submits data to be processed to a specified resource
may be C, but if a new php file is created… I think is D, Installation.
I think A is the correct answer.