Practice Free PL-600 Exam Online Questions
A tester is performing an external phishing assessment on the top executives at a company. Two-factor authentication is enabled on the executives’ accounts that are in the scope of work.
Which of the following should the tester do to get access to these accounts?
- A . Configure an external domain using a typosquatting technique. Configure Evilginx to bypass two-factor authentication using a phishlet that simulates the mail portal for the company.
- B . Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a brute-force attack method.
- C . Configure an external domain using a typosquatting technique. Configure SET to bypass two-factor authentication using a phishlet that mimics the mail portal for the company.
- D . Configure Gophish to use an external domain. Clone the email portal web page from the company and get the two-factor authentication code using a vishing method.
A
Explanation:
To bypass two-factor authentication (2FA) and gain access to the executives’ accounts, the tester should use Evilginx with a typosquatting domain. Evilginx is a man-in-the-middle attack framework used to bypass 2FA by capturing session tokens.
Phishing with Evilginx:
Evilginx is designed to proxy legitimate login pages, capturing credentials and 2FA tokens in the process.
It uses "phishlets" which are configurations that simulate real login portals.
Typosquatting:
Typosquatting involves registering domains that are misspelled versions of legitimate domains (e.g., example.co instead of example.com).
This technique tricks users into visiting the malicious domain, thinking it’s legitimate.
Steps:
Configure an external domain: Register a typosquatting domain similar to the company's domain.
Set up Evilginx: Install and configure Evilginx on a server, using a phishlet that mimics the company's mail portal.
Send phishing emails: Craft phishing emails targeting the executives, directing them to the typosquatting domain.
Capture credentials and session tokens: When an executive logs in through the proxy, Evilginx captures the credentials and the authenticated session token; the token can then be replayed against the real portal without completing 2FA again.
Pentest reference:
Phishing: Social engineering technique to deceive users into providing sensitive information.
Two-Factor Authentication Bypass: Advanced phishing attacks like those using Evilginx capture and reuse session tokens rather than the OTP itself, so they defeat OTP and push-approval 2FA. They do not defeat phishing-resistant, origin-bound authenticators (FIDO2/WebAuthn), which refuse to sign for the look-alike domain.
OSINT and Reconnaissance: Identifying key targets (executives) and crafting convincing phishing emails based on gathered information.
Using Evilginx with a typosquatting domain allows the tester to bypass 2FA and gain access to high-value accounts, demonstrating the effectiveness of advanced phishing techniques.
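The typosquatting step above is the part a blue team can check for. The following Python example is added here and is not from the question or from Evilginx: it generates the common look-alike spellings of a domain (omission, transposition, substitution, insertion, label split, truncated or swapped TLD) and uses them to flag sender addresses from a small constructed sample of From: headers. The sample addresses and the `example.com` target are assumptions for the demonstration.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits + "-"


def typosquat_variants(domain: str) -> set[str]:
    """Return common look-alike spellings of a registrable domain such as example.com.

    Covers the classic typosquatting operations: character omission, adjacent
    transposition, substitution, insertion, splitting the label with a dot,
    and a truncated or swapped TLD (example.co for example.com).
    """
    domain = domain.lower().strip()
    label, _, tld = domain.rpartition(".")
    variants: set[str] = set()

    for i in range(len(label)):
        # omission: exmple.com
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        # substitution: exanple.com
        for c in ALPHABET:
            variants.add(f"{label[:i]}{c}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):
        # transposition: exmaple.com
        variants.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for i in range(len(label) + 1):
        # insertion: examplle.com
        for c in ALPHABET:
            variants.add(f"{label[:i]}{c}{label[i:]}.{tld}")
    for i in range(1, len(label)):
        # split: exam.ple.com (the registrable domain becomes ple.com)
        variants.add(f"{label[:i]}.{label[i:]}.{tld}")
    for alt in ("co", "cm", "om", "con", "net", "org", "info"):
        # TLD truncation or swap: example.co
        variants.add(f"{label}.{alt}")

    variants.discard(domain)  # the legitimate domain is never a variant
    return variants


def is_lookalike(candidate: str, legit: str) -> bool:
    """True if candidate is one edit (or a TLD swap) away from the legitimate domain."""
    return candidate.lower().strip() in typosquat_variants(legit)


# Constructed sample of From: addresses for the demonstration, not real mail data.
SAMPLE_SENDERS = [
    "ceo@example.com",        # legitimate
    "ceo@exmaple.com",        # transposition
    "it-support@example.co",  # truncated TLD
    "partner@contoso.com",    # unrelated third party, not flagged
]


def flag_lookalike_senders(senders: list[str], legit_domain: str) -> list[str]:
    """Return the addresses whose domain is a typosquat of legit_domain, in input order."""
    variants = typosquat_variants(legit_domain)
    flagged = []
    for addr in senders:
        _, _, sender_domain = addr.rpartition("@")
        if sender_domain.lower() in variants:
            flagged.append(addr)
    return flagged


if __name__ == "__main__":
    for addr in flag_lookalike_senders(SAMPLE_SENDERS, "example.com"):
        print("look-alike sender:", addr)
```

The same variant set can be fed to a registrar or passive-DNS lookup before an engagement (to see which look-alikes are already registered) or to a mail-gateway rule after one; it only catches single-edit and TLD-swap variants, so homoglyph and IDN tricks need a separate check.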
HOTSPOT
A company is creating a Power Platform solution to manage employees.
The company has the following requirements:
✑ Allow only the human resource manager to change an employee’s employment status when an employee is dismissed.
✑ Allow only approved device types to access the solution and company data.
You need to recommend a solution that meets the requirements.
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
Box 1: Field security profile
Record-level permissions are granted at the entity level, but you may have certain fields associated with an entity that contain data that is more sensitive than the other fields. For these situations, you use field-level security to control access to specific fields.
Field-level security is available for the default fields on most out-of-box entities, custom fields, and custom fields on custom entities. Field-level security is managed by the security profiles.
Box 2: Compliance policy
Compliance policy settings: tenant-wide settings that act like a built-in compliance policy that every device receives. They set a baseline for how compliance policy works in your Intune environment, including whether devices that haven't received any device compliance policy are treated as compliant or noncompliant.
Note: Mobile device management (MDM) solutions like Intune can help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called compliance policies.
Compliance policies in Intune:
Define the rules and settings that users and devices must meet to be compliant.
Include actions that apply to devices that are noncompliant. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on noncompliant devices.
Can be combined with Conditional Access, which can then block users and devices that don’t meet the rules.
Reference:
https://docs.microsoft.com/en-us/power-platform/admin/field-level-security
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
A company is undergoing digital transformation.
You must conduct an in-person workshop with several business stakeholders to learn more about the company and its solution requirements. You have limited time to get the information from the stakeholders.
You need to ensure that the workshop is set up for success.
Which two actions should you perform? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. Choose two.
- A . Explain the technical aspects of the solution to the stakeholders.
- B . Present the proposed solution as part of the workshop.
- C . Keep to the agenda by minimizing side conversations.
- D . Publish the agenda in advance of the workshop.
You are implementing a solution that includes applications which perform high-volume Microsoft Dataverse operations.
The applications must not experience a loss of functionality or loss of performance due to service protection API limits.
You need to evaluate metrics for the service protection API limits.
Which three metrics should you evaluate? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Number of concurrent connections per user account.
- B . Number of API requests per web server.
- C . Amount of API calls made within plug-in code.
- D . Amount of execution time that can be used for each connection.
- E . Number of API requests per connection.
A company is creating a Microsoft Power Platform app to enable employees to log daily time entries. Employee user accounts are in multiple Azure AD tenants and are not located in the tenant that is running the app.
Employees must be added as Azure AD guest accounts within the tenant that will be running the app. Employees must access the model-driven app by being a member of a security team. The security team has been assigned the Employee Security role. Employees must create personal views of records to view within the system.
You need to implement a security solution.
Which privilege should you use?
- A . Direct basic level
- B . Azure AD security group
- C . Team
- D . Shared app access
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
A company uses a Microsoft Power Platform application.
Employees report that they are unable to open the application.
You need to ensure that the employees can access the application.
Solution: Add the employees to a security group and assign the security group to a Microsoft Teams team.
Does the solution meet the goal?
- A . Yes
- B . No
A company plans to use Power BI.
The company plans to share reports indefinitely with a specific set of users.
You need to recommend a solution.
Which solution should you recommend?
- A . Share directly with the users.
- B . Embed code by using the Publish to web option.
- C . Embed code by using the website or portal option.
- D . Share by using a link.
You are designing a Microsoft Power Platform solution for a company that has multiple Microsoft Dataverse environments.
You need to prevent specific users from accessing specific environments.
What should you do?
- A . Remove all security roles from the users of the specific environments.
- B . Remove the user from the business unit.
- C . Remove the user from all security groups.
- D . Remove the user from all teams.
A
Explanation:
Microsoft Dataverse uses a role-based security model to help secure access to the database. Security roles can be used to configure environment-wide access to all resources in the environment.
Reference: https://docs.microsoft.com/en-us/power-platform/admin/database-security
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
A company uses a Microsoft Power Platform application.
Employees report that they are unable to open the application.
You need to ensure that the employees can access the application.
Solution: Add the employees to the user table in the environment.
Does the solution meet the goal?
- A . Yes
- B . No
HOTSPOT
You need to recommend solutions to meet the integration requirements.
What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Explanation:
Box 1: Schedule board
Note: The Dynamics 365 Field Service schedule board provides an overview of resource availability and bookings you can make.
When you’re looking at the schedule board for the current day, you’ll see a blue line that indicates the current time of day. You can also see a picture of all the resources listed on the schedule board. To quickly view contact information for a resource, hover over their name to view the contact card.
Box 2: Azure IoT Central connector
Azure IoT Central makes it easy to connect, monitor, and manage your IoT devices at scale. With the IoT Central V3 connector, you can trigger workflows when a rule has fired, and take actions by executing commands, updating properties, getting telemetry from devices, and more. Use this connector with your Azure IoT Central V3 application.
This connector is available in the following products and regions:
Reference:
https://docs.microsoft.com/en-us/dynamics365/field-service/configure-schedule-board
https://docs.microsoft.com/en-us/azure/iot-hub/about-iot-hub