An organization's threat intelligence team notes a recent trend - CompTIA CySA+ CS0-003

Question

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Answers
  1. Set user account control protection to the most restrictive level on all devices. (correct)
  2. Implement MFA requirements for all internal resources.
  3. Harden systems by disabling or removing unnecessary services.
  4. Implement controls to block execution of untrusted applications.
Explanation

The correct answer is A. Set user account control protection to the most restrictive level on all devices.

In this scenario, adversaries are leveraging native Windows tools to escalate privileges and bypass system controls. One effective way to reduce the success rate of such privilege escalation attempts is to use User Account Control (UAC) to restrict how and when users or applications can execute commands with elevated privileges.

  • UAC (User Account Control) in Windows is a security feature that helps prevent unauthorized changes to the operating system. By setting UAC to the most restrictive level ("Always notify"), the system prompts for consent or administrative credentials on the secure desktop before any program is allowed to run with elevated privileges. This makes it more difficult for an adversary to gain elevated privileges without user intervention, even when the adversary is abusing native, trusted tools.

  • When set to a more restrictive level, UAC helps protect the system from unauthorized privilege escalation by requiring users to confirm or provide credentials before granting elevated privileges. This significantly reduces the risk of attackers executing commands with privileged credentials.
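The explanation above names the control but not what "most restrictive" looks like on a host. The following PowerShell script is an added example, not part of the original question or the Prepsaret material: it audits the documented UAC policy values under the local machine policy key against the "Always notify" configuration and, with `Set-UacBaseline`, corrects any value that is weaker. It assumes a Windows host and an elevated PowerShell 5.1 or later session for the remediation path; the registry value names and meanings are Microsoft's documented UAC settings, and the chosen baseline values are this example's own.

```powershell
# Added example: audit (and optionally enforce) the most restrictive UAC
# configuration on a Windows host. Not from the original page; assumes an
# elevated PowerShell 5.1+ session for Set-UacBaseline.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented UAC policy values and the most restrictive ("Always notify") setting for each.
$Baseline = [ordered]@{
    EnableLUA                     = 1   # UAC on; administrators run in Admin Approval Mode
    ConsentPromptBehaviorAdmin    = 2   # always prompt admins for consent on the secure desktop
    ConsentPromptBehaviorUser     = 1   # prompt standard users for admin credentials (0 = auto-deny, stricter still)
    PromptOnSecureDesktop         = 1   # elevation prompts appear on the isolated secure desktop
    FilterAdministratorToken      = 1   # the built-in Administrator account also gets a filtered token
    EnableInstallerDetection      = 1   # detected installers must go through an elevation prompt
    EnableSecureUIAPaths          = 1   # UIAccess applications must reside in secure locations
    EnableVirtualization          = 1   # redirect legacy per-machine writes to per-user locations
    LocalAccountTokenFilterPolicy = 0   # keep remote UAC token filtering for local accounts
}

# Values Windows applies when the registry value is absent (only listed where absence is safe).
$DefaultWhenAbsent = @{ LocalAccountTokenFilterPolicy = 0 }

function Get-UacPosture {
    # Returns one row per setting: expected value, actual value, and whether it is compliant.
    [CmdletBinding()]
    param([string]$Path = $UacKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $Baseline.Keys) {
        $actual = $props.$name
        if ($null -eq $actual -and $DefaultWhenAbsent.ContainsKey($name)) {
            $actual = $DefaultWhenAbsent[$name]
        }
        $display   = if ($null -eq $actual) { '(not set)' } else { [int]$actual }
        $compliant = ($null -ne $actual) -and ([int]$actual -eq $Baseline[$name])
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $display
            Compliant = $compliant
        }
    }
}

function Set-UacBaseline {
    # Writes the baseline value for every non-compliant setting; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $UacKey)

    foreach ($row in (Get-UacPosture -Path $Path | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$Path\$($row.Setting)", "set DWORD to $($row.Expected)")) {
            Set-ItemProperty -Path $Path -Name $row.Setting -Value $row.Expected -Type DWord
        }
    }
}

# Usage: report drift from the most restrictive configuration.
$posture = Get-UacPosture
$posture | Format-Table -AutoSize
$drift = @($posture | Where-Object { -not $_.Compliant })
if ($drift.Count -eq 0) {
    Write-Host 'UAC is at the most restrictive level on this host.'
} else {
    Write-Warning "$($drift.Count) UAC setting(s) are weaker than the baseline; run 'Set-UacBaseline -WhatIf' to preview the fix."
}
```

These registry values are the same ones the Group Policy entries under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options ("User Account Control: ...") write, so in a domain the GPO should carry the baseline and this script serves as the per-host check; a local change made with `Set-UacBaseline` will be overwritten at the next policy refresh if the GPO says otherwise. `ConsentPromptBehaviorUser` is set to prompt rather than auto-deny so that standard users can still elevate with an administrator's credentials; set it to 0 where standard users should never be able to elevate at all.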

Why the Other Options Are Incorrect:

  • Implement MFA requirements for all internal resources:

    • Multi-factor authentication (MFA) enhances security by requiring multiple forms of authentication for users to access resources, but it is primarily designed to protect against unauthorized access rather than mitigating privilege escalation. MFA will not directly prevent the use of native tools for privilege escalation on systems where attackers already have access.
  • Harden systems by disabling or removing unnecessary services:

    • Disabling unnecessary services is an important security measure to reduce the attack surface of a system. While this can help mitigate some attack vectors, it does not specifically address privilege escalation techniques or the use of native tools by adversaries to gain elevated privileges. It's a broader security measure but not the most effective for preventing privilege escalation in this context.
  • Implement controls to block execution of untrusted applications:

    • Blocking untrusted applications (e.g., via application whitelisting or antivirus software) can prevent the execution of malicious or unauthorized applications. However, in the case of native Windows tools being used for privilege escalation, these tools are trusted by the operating system and would likely not be blocked by such controls. As such, this control would not be directly effective against adversaries using legitimate system tools for privilege escalation.
