CS0-003 Question #170: Real Exam Question with Answer & Explanation
The correct answer is C: A new program has been set to execute on system start.
Question
A security analyst is reviewing the following alert that was triggered by FIM on a critical system: Which of the following best describes the suspicious activity that is occurring?
Options
- A. A fake antivirus program was installed by the user.
- B. A network drive was added to allow exfiltration of data.
- C. A new program has been set to execute on system start.
- D. The host firewall on 192.168.1.10 was disabled.
Explanation
A new program has been set to execute on system start is the most likely cause of the suspicious activity that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a system and alerts the security analyst of any unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey, which is used to launch programs automatically when the system starts. The new registry key points to a file named "update.exe" in the Temp folder, which is likely a malicious executable disguised as a legitimate update file.
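Worked detection example, added here and not part of the exam page: a small Python triage routine that runs over constructed FIM alert lines, flags any addition or change to the Run/RunOnce autostart keys, and raises the priority when the launched program lives in a Temp or Public directory, as with the update.exe entry the explanation describes. The pipe-delimited alert format, the key set, the directory list and the sample lines are all assumptions.

```python
import re

# Autostart registry keys whose modification most often signals persistence
# (assumption: illustrative set, not exhaustive; hives abbreviated as HKLM/HKCU).
RUN_KEYS = {"\\".join((hive, "software", "microsoft", "windows", "currentversion", sub))
            for hive in ("hklm", "hkcu") for sub in ("run", "runonce")}
# Directories from which a legitimate autostart program is rarely launched.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\")

# Constructed FIM alert lines (assumed format): host|action|key|value_name|value_data
SAMPLE_ALERTS = r"""
192.168.1.10|ADDED|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Updater|C:\Windows\Temp\update.exe
192.168.1.10|MODIFIED|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Program Files\Microsoft OneDrive\OneDrive.exe /background
192.168.1.10|ADDED|HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares|Share1|C:\Data
192.168.1.10|ADDED|HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|svc|"C:\Users\Public\svc.exe" -q
"""

LINE_RE = re.compile(r"^(?P<host>[^|]+)\|(?P<action>[^|]+)\|(?P<key>[^|]+)\|(?P<name>[^|]*)\|(?P<data>.*)$")
# The launched program is either the quoted leading token or everything up to the first binary/script extension.
PATH_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|bat|cmd|ps1|vbs|js|scr)\b))', re.I)

def parse_alert(line):
    """Split one pipe-delimited alert line into named fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def executable_path(value_data):
    """Return the program a Run value launches, stripping quotes and arguments."""
    m = PATH_RE.match(value_data)
    return (m.group("q") or m.group("u")) if m else value_data.strip()

def classify(alert):
    """Flag Run/RunOnce changes; add 'suspicious-path' when the program sits in Temp or Public."""
    key = alert["key"].lower().replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    if key not in RUN_KEYS:
        return None  # not an autostart location; shares, firewall state etc. need other rules
    path = executable_path(alert["data"]).lower()
    findings = ["autostart-" + alert["action"].lower()]
    if any(d in path for d in SUSPICIOUS_DIRS):
        findings.append("suspicious-path")
    return {"host": alert["host"], "value": alert["name"], "path": path, "findings": findings}

def triage(text):
    hits = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert and (verdict := classify(alert)):
            hits.append(verdict)
    return hits
```

Only the three autostart entries survive triage; the share creation on the third line is deliberately ignored by this rule, since it is a different finding class.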