GCIH · Question #811
What can be inferred from the results below?
The correct answer is D. RDunn has an administrative account. When forensic or log analysis output shows an account with elevated or privileged access indicators, it can be inferred that the account holds administrative rights.
Question
What can be inferred from the results below?
Exhibit
Options
- AThere are less logs for RDunns account
- BRDunn has a higher priority than other accounts
- CThere is a higher cost for RDunn's account
- DRDunn has an administrative account
How the community answered
(36 responses)- A3% (1)
- B14% (5)
- C6% (2)
- D78% (28)
Why each option
When forensic or log analysis output shows an account with elevated or privileged access indicators, it can be inferred that the account holds administrative rights.
A lower log count would suggest less activity, not an administrative distinction; log volume alone does not define account type.
Account priority is not a standard Windows security or Active Directory attribute and cannot be inferred from typical log output.
User accounts in Windows do not have an inherent 'cost' metric visible in security logs or registry output.
Forensic tooling and log queries typically surface administrative accounts through distinguishing markers such as membership in privileged groups (e.g., Administrators, Domain Admins), elevated SID attributes, or a higher volume of security-sensitive event IDs (4672 - Special Logon). The results shown indicate RDunn carries these administrative privileges, setting the account apart from standard user accounts.
Concept tested: Identifying administrative accounts from forensic log output
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
Topics
Community Discussion
No community discussion yet for this question.
