nerdexam
GIAC

GCIH · Question #811

What can be inferred from the results below?

The correct answer is D. RDunn has an administrative account. When forensic or log analysis output shows an account with elevated or privileged access indicators, it can be inferred that the account holds administrative rights.

Incident Response & Cyber Kill Chain

Question

What can be inferred from the results below?

Exhibit

GCIH question #811 exhibit

Options

  • AThere are less logs for RDunns account
  • BRDunn has a higher priority than other accounts
  • CThere is a higher cost for RDunn's account
  • DRDunn has an administrative account

How the community answered

(36 responses)
  • A
    3% (1)
  • B
    14% (5)
  • C
    6% (2)
  • D
    78% (28)

Why each option

When forensic or log analysis output shows an account with elevated or privileged access indicators, it can be inferred that the account holds administrative rights.

AThere are less logs for RDunns account

A lower log count would suggest less activity, not an administrative distinction; log volume alone does not define account type.

BRDunn has a higher priority than other accounts

Account priority is not a standard Windows security or Active Directory attribute and cannot be inferred from typical log output.

CThere is a higher cost for RDunn's account

User accounts in Windows do not have an inherent 'cost' metric visible in security logs or registry output.

DRDunn has an administrative accountCorrect

Forensic tooling and log queries typically surface administrative accounts through distinguishing markers such as membership in privileged groups (e.g., Administrators, Domain Admins), elevated SID attributes, or a higher volume of security-sensitive event IDs (4672 - Special Logon). The results shown indicate RDunn carries these administrative privileges, setting the account apart from standard user accounts.

Concept tested: Identifying administrative accounts from forensic log output

Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672

Topics

#log analysis#administrative accounts#privilege detection#account investigation

Community Discussion

No community discussion yet for this question.

Full GCIH Practice