GCIH · Question #418
You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows
The correct answer is A. Initiate the Containment phase of the Incident Handling process. An audit failure event for sensitive privilege use attributed to a non-standard process on a file server constitutes a suspected security incident requiring immediate initiation of the Containment phase.
Question
You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows Server 2008 R2 file server Security event log:
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2/1/2012 2:24:07 AM Event ID: 4674 Task Category: Sensitive Privilege Use Level: Information Keywords: Audit Failure User: N/A Computer: somehost.somecompany.com Description: An operation was attempted on a privileged object. Subject:
Security ID: LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Object:
Object Server: LSA Object Type:
Object Name:
Object Handle: 0x0 Process Information:
Process ID: 0x1d8 Process Name: C:\Windows\System32\Isass.exe Requested Operation:
Desired Access: 16777216 Privileges: SeSecurityPrivilege What is your next step?
Options
- AInitiate the Containment phase of the Incident Handling process
- BSearch Microsoft's TechNet to find out if this is a normal Windows Security event
- CDisable the trusted account status of the Local Service account
- DRequest that all audit failure log entries be forwarded to you
How the community answered
(43 responses)- A77% (33)
- B14% (6)
- C2% (1)
- D7% (3)
Why each option
An audit failure event for sensitive privilege use attributed to a non-standard process on a file server constitutes a suspected security incident requiring immediate initiation of the Containment phase.
Event ID 4674 logged as an Audit Failure indicates a failed attempt to exercise privileges on a sensitive object, and the process listed as 'C:\Windows\System32\Isa' does not match any legitimate Windows system process, suggesting potential malicious or compromised activity. Per the NIST SP 800-61 incident response lifecycle, once an incident has been identified, the next required step is Containment to limit damage and prevent further spread. Delaying containment to perform additional research while a potentially active threat exists increases organizational risk.
Searching TechNet is an identification-phase activity; the combination of audit failure, sensitive privilege use, and an unrecognized process name provides sufficient indicators to move to Containment rather than prolonging investigation.
Disabling the LOCAL SERVICE account trust status would disrupt legitimate Windows services that depend on it and is not a recognized containment action without conclusive forensic evidence.
Forwarding audit failure log entries is a monitoring configuration change, not an incident response action, and does nothing to contain the threat indicated by the suspicious log entry.
Concept tested: Incident response lifecycle - Containment phase initiation
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.