300-215 Question #26: Real Exam Question with Answer & Explanation
The correct answer is C: Contain the threat for further analysis as this is an indication of suspicious activity.
Question
An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take?
Options
- A. Upload the file signature to threat intelligence tools to determine if the file is malicious.
- B. Monitor processes as this is standard behavior of Word macro embedded documents.
- C. Contain the threat for further analysis as this is an indication of suspicious activity.
- D. Investigate the sender of the email and communicate with the employee to determine the
Explanation
This behavior is consistent with malicious macro activity. PowerShell.exe spawned by cmd.exe whose parent is winword.exe strongly indicates that the document executed an embedded script; a document that opens blank is a common lure, because the macro, not the visible content, is the payload. Word has no legitimate reason to launch a command shell that in turn launches PowerShell, so this is not standard behavior and option B is wrong. Options A and D are reasonable follow-up steps, but neither stops a compromise that is already in progress. Contain the host as soon as the malicious process chain is observed, preserving the running processes for analysis, so that the attacker cannot move laterally or stage additional compromise; the threat-intelligence lookup and the conversation with the sender and employee come afterwards.
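The process-ancestry check the engineer performed by hand can be automated over process-creation telemetry. The following is an added example, not part of the original question or its explanation: it rebuilds the parent/child tree from a small set of constructed, Sysmon-style process-creation records and flags any script host (PowerShell and similar interpreters) whose ancestry within a few hops leads back to an Office application. It generalizes the question's chain (winword.exe -> cmd.exe -> powershell.exe) to other Office parents, other script hosts, and to the case where the interpreter is a direct child of the Office process; the event records, PIDs, and command lines are invented for the example.

```python
"""Flag script interpreters whose process ancestry leads back to an Office app.

Added example for the 300-215 question above. The telemetry below is
constructed in the style of Sysmon Event ID 1 (process creation) records;
none of it comes from the question or from a real host.
"""
from dataclasses import dataclass
from typing import Dict, List

# Office parents that should never legitimately launch a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters commonly used as the second stage of a macro payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# How many parent hops to walk; the question's chain needs two (cmd, then winword).
MAX_HOPS = 3


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable
    cmdline: str


# Constructed sample telemetry (hypothetical PIDs and command lines).
# Chain 1 mirrors the question: winword.exe -> cmd.exe -> powershell.exe.
# Chain 2 is an administrator running PowerShell from a normal shell (benign).
# Chain 3 is a direct Office -> mshta.exe spawn, caught at depth 1.
EVENTS: List[ProcEvent] = [
    ProcEvent(4120, 1008, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(5232, 4120, "winword.exe", "WINWORD.EXE /n invoice.docm"),
    ProcEvent(5300, 5232, "cmd.exe", "cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(5344, 5300, "powershell.exe", "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcEvent(6100, 4120, "cmd.exe", "cmd.exe"),
    ProcEvent(6140, 6100, "powershell.exe", "powershell.exe Get-Service"),
    ProcEvent(7000, 4120, "excel.exe", "EXCEL.EXE report.xlsm"),
    ProcEvent(7010, 7000, "mshta.exe", "mshta.exe payload.hta"),
]


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by PID so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def ancestry(tree: Dict[int, ProcEvent], pid: int, max_hops: int) -> List[str]:
    """Return [image, parent image, grandparent image, ...], at most max_hops parents.

    Stops early when a parent is unknown (e.g. the root process was not logged).
    """
    chain: List[str] = []
    cur = tree.get(pid)
    hops = 0
    while cur is not None and hops <= max_hops:
        chain.append(cur.image)
        cur = tree.get(cur.ppid)
        hops += 1
    return chain


def office_spawned_script_hosts(events: List[ProcEvent], max_hops: int = MAX_HOPS) -> List[dict]:
    """Return one finding per script host that has an Office ancestor within max_hops."""
    tree = build_tree(events)
    hits: List[dict] = []
    for e in events:
        if e.image not in SCRIPT_HOSTS:
            continue
        chain = ancestry(tree, e.pid, max_hops)
        # chain[0] is the interpreter itself; inspect only its ancestors.
        for depth, img in enumerate(chain[1:], start=1):
            if img in OFFICE_APPS:
                hits.append({
                    "pid": e.pid,
                    "depth": depth,                       # 1 = direct child of the Office app
                    "chain": " <- ".join(chain[: depth + 1]),
                    "cmdline": e.cmdline,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in office_spawned_script_hosts(EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']}  ({hit['cmdline']})")
```

Running it reports the question's chain (pid 5344, powershell.exe <- cmd.exe <- winword.exe, depth 2) and the direct Excel -> mshta.exe spawn, while the administrator's explorer.exe -> cmd.exe -> powershell.exe chain is not flagged. Any hit is the cue for option C: contain the host first, then pull the document and command line for analysis.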