EC-Council
312-39 · Question #62
312-39 Question #62: Real Exam Question with Answer & Explanation
Question
A SOC analyst detects multiple instances of powershell.exe being launched with the -ExecutionPolicy Bypass and -NoProfile arguments on a domain controller. The parent process is winrm.exe, and the activity occurs during non-business hours. What should be the analyst's primary focus?
Options
- A. Look for Event ID 4625 to check for failed authentication attempts before execution
- B. Investigate Event ID 7045 to determine if a malicious service was created
- C. Search for Event ID 4688 to find similar PowerShell executions within the last 24 hours
- D. Review Event ID 5145 to see if unauthorized network shares were accessed