medium
Single Answer

Michael is performing a forensic analysis of a compromised workstation and discovers a copy of cmd.exe in the \system32 folder on a Windows workstation that does not match the real cmd.exe file. When he looks at the file, he discovers that it is capable of running as an administrator. What type of attack has he discovered?

Answer Options

A. A buffer overflow attack

B. A Trojan attack

C. A privilege escalation attack

D. A replay attack

Correct Answer: C

Explanation

The ability to run a program as a privileged user like an administrator from an unexpected or uncommon location is a common indicator of a privilege escalation attack. A buffer overflow would push data into a variable to attempt to cause it to take a desired action, a Trojan would look like a wanted or desirable file but would be malware, and a replay attack would send successful authentication or other information again to gain access to a system.