200-201 Question #460: Real Exam Question with Answer & Explanation
Question
Refer to the exhibit. A SOC analyst is examining the Windows security logs of one of the endpoints. What is the possible reason for this event log?
Options
- A. System maintenance logs
- B. Windows failed to audit logs
- C. Malware Attack
- D. Brute force attack
Explanation
The correct answer is C: Malware Attack. Looking at the event log, there are several indicators that suggest a potential malware attack:

- Event ID 4688: A new process was created in the C:\Temp directory (s21351b.exe). This is suspicious because legitimate processes typically don't run from temporary directories, which are often used by malware to hide malicious executables.
- Event ID 1102: The audit log was cleared by SYSTEM. Attackers often clear event logs to cover their tracks after gaining access to a system, which is a clear indicator of malicious activity.
- Event ID 4657: A registry key related to Windows Defender was modified. Malware often disables security software like Windows Defender to prevent detection and removal.
- Event ID 7045: The Windows Defender Antivirus Service was stopped. Stopping the antivirus service is a common action taken by malware to disable security defenses.

Taken together, these events strongly suggest that a malware attack is taking place: an attacker has executed a malicious process, modified system security settings, and disabled the antivirus to avoid detection.
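As an added example that is not part of the exam explanation, the following Python snippet applies the four indicators above as a simple correlation rule over constructed log records. The record format, field names and every sample value except the ones quoted in the explanation are assumptions; a real SIEM export would use its own schema.

```python
# Constructed sample records (not the exam exhibit), one event per line in an
# assumed "Key=value; Key=value" layout. The 4624 logon line is benign filler.
SAMPLE_LOG = """\
EventID=4688; Channel=Security; NewProcessName=C:\\Temp\\s21351b.exe; SubjectUserName=jdoe
EventID=1102; Channel=Security; SubjectUserName=SYSTEM; Message=The audit log was cleared
EventID=4657; Channel=Security; ObjectName=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender; ObjectValueName=DisableAntiSpyware
EventID=7045; Channel=System; ServiceName=Windows Defender Antivirus Service; Message=service stopped
EventID=4624; Channel=Security; SubjectUserName=jdoe; LogonType=2
"""

# Directories from which a legitimate interactive process rarely launches.
TEMP_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")


def parse_line(line):
    """Turn one 'Key=value; ...' record into a dict (assumed export layout)."""
    parts = (p.split("=", 1) for p in line.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}


def indicator(ev):
    """Return a label if the event matches one of the four indicators, else None."""
    eid = ev.get("EventID")
    if eid == "4688":
        if any(d in ev.get("NewProcessName", "").lower() for d in TEMP_DIRS):
            return "process launched from temp directory"
    elif eid == "1102":
        return "audit log cleared"
    elif eid == "4657" and "windows defender" in ev.get("ObjectName", "").lower():
        return "Defender registry key modified"
    elif eid == "7045" and "windows defender" in ev.get("ServiceName", "").lower():
        return "Defender service event"
    return None


def assess(log_text):
    """Correlate the indicators; two or more distinct tells warrant a malware triage."""
    hits = []
    for ev in map(parse_line, log_text.splitlines()):
        tag = indicator(ev)
        if tag:
            hits.append((ev["EventID"], tag))
    distinct = {tag for _, tag in hits}
    verdict = "possible malware attack" if len(distinct) >= 2 else "insufficient evidence"
    return verdict, hits


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

The threshold of two distinct indicators is an assumption; an analyst would tune it and the temp-directory list to the environment.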