Incident Analysis: Credential Access

Hi Team,

I need to raise awareness regarding the following question:

  1. What is the name of the parent technique of the sub-technique T1543.003 Windows Service? Answer only with the name - do not include the technique identifier.

The answer required has the following format:
•• •••••••••• •••••••

The answer to this question I would call out as being incorrect.
T1543.003 is not even part of Credential Access TA0006.

The answer to this question wants it to be “OS Credential Dumping” and when one looks at all of the sub-techniques of this particular one, you will only find the following:
LSASS Memory
Security Account Manager
NTDS
LSA Secrets
Cached Domain Credentials
DCSync
Proc Filesystem
/etc/passwd and /etc/shadow

So, you can see that the answer to the question asked is totally incorrect.
My theory is that this question was copied from another track and incorrectly associated with the answer.

I have not done this challenge, but in my experience, many times the dots “…” are hidden: the answer is longer.

Check Number of Characters :slight_smile:

:wink:

I’m pretty sure that’s what happened as well. The answer was correct, but the question was not. This has been fixed.


Excellent :slight_smile:

Thank you @CalmQuail2332

:wink:

Thank you for attending to this so promptly. The question now reads much better and is correct.

Hi Team.
Picked up another error in this module.

1.3 Guided Exercise (2)
Q: 1. Part 4: In the output of the sekurlsa::logonpasswords command within Mimikatz, what is the User Name for the account with authentication ID 295918?

The correct answer should be “DWM-2”; rather, the answer it accepts is “DMW-2”. Appears to be fat-fingered typing when this one was coded.

Thanks in advance.

Thanks! I think we actually fixed this one shortly after your post last week. I can confirm it’s working today.
