nerdexam
GIAC

GCIH · Question #418

You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows

The correct answer is A. Initiate the Containment phase of the Incident Handling process. An audit failure event for sensitive privilege use attributed to a non-standard process on a file server constitutes a suspected security incident requiring immediate initiation of the Containment phase.

Incident Response & Cyber Kill Chain

Question

You are a member of your organization's security team. A new ticket just came into your service desk and was escalated to you. One of the system administrators noticed the following entry in a Windows Server 2008 R2 file server Security event log:

Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 2/1/2012 2:24:07 AM Event ID: 4674 Task Category: Sensitive Privilege Use Level: Information Keywords: Audit Failure User: N/A Computer: somehost.somecompany.com Description: An operation was attempted on a privileged object. Subject:

Security ID: LOCAL SERVICE Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Object:

Object Server: LSA Object Type:

Object Name:

Object Handle: 0x0 Process Information:

Process ID: 0x1d8 Process Name: C:\Windows\System32\Isass.exe Requested Operation:

Desired Access: 16777216 Privileges: SeSecurityPrivilege What is your next step?

Options

  • AInitiate the Containment phase of the Incident Handling process
  • BSearch Microsoft's TechNet to find out if this is a normal Windows Security event
  • CDisable the trusted account status of the Local Service account
  • DRequest that all audit failure log entries be forwarded to you

How the community answered

(43 responses)
  • A
    77% (33)
  • B
    14% (6)
  • C
    2% (1)
  • D
    7% (3)

Why each option

An audit failure event for sensitive privilege use attributed to a non-standard process on a file server constitutes a suspected security incident requiring immediate initiation of the Containment phase.

AInitiate the Containment phase of the Incident Handling processCorrect

Event ID 4674 logged as an Audit Failure indicates a failed attempt to exercise privileges on a sensitive object, and the process listed as 'C:\Windows\System32\Isa' does not match any legitimate Windows system process, suggesting potential malicious or compromised activity. Per the NIST SP 800-61 incident response lifecycle, once an incident has been identified, the next required step is Containment to limit damage and prevent further spread. Delaying containment to perform additional research while a potentially active threat exists increases organizational risk.

BSearch Microsoft's TechNet to find out if this is a normal Windows Security event

Searching TechNet is an identification-phase activity; the combination of audit failure, sensitive privilege use, and an unrecognized process name provides sufficient indicators to move to Containment rather than prolonging investigation.

CDisable the trusted account status of the Local Service account

Disabling the LOCAL SERVICE account trust status would disrupt legitimate Windows services that depend on it and is not a recognized containment action without conclusive forensic evidence.

DRequest that all audit failure log entries be forwarded to you

Forwarding audit failure log entries is a monitoring configuration change, not an incident response action, and does nothing to contain the threat indicated by the suspicious log entry.

Concept tested: Incident response lifecycle - Containment phase initiation

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#Windows event log#audit failure#incident containment#privilege use

Community Discussion

No community discussion yet for this question.

Full GCIH Practice