SY0-701 Question #670: Real Exam Question with Answer & Explanation

The correct answer is A: Advise the user to change passwords.

Submitted by carter_n · Mar 6, 2026 · Security operations

Question

A SOC analyst establishes a remote control session on an end user's machine and discovers the following in a file: gmail.com[ENT][email protected][ENT]NoOneCanGuessThis123! [ENT]Hello Susan, it was great to see you the other day! Let's plan a followup[BACKSPACE]follow-up meeting soon. Here is the link to register. [RTN][CTRL]c [CTRL]v [RTN]after[BACKSPACE]After you register give me a call on my cellphone. Which of the following actions should the SOC analyst perform first?

Options

  • A. Advise the user to change passwords.
  • B. Reimage the end user's machine.
  • C. Check the policy on personal email at work.
  • D. Check host firewall logs.

Explanation

The file contains keylogger output - the special tokens ([ENT], [BACKSPACE], [CTRL]c, etc.) are keylogger notation for keyboard actions, meaning the malware captured the user's Gmail credentials ([email protected] / NoOneCanGuessThis123!) in plaintext. Advising the user to change their password immediately (A) is the correct first action because the credential is already compromised and an attacker may be accessing the account right now - every second of delay increases the damage window.

Why the distractors are wrong:

  • (B) Reimaging may be necessary later to remove the keylogger, but reimaging doesn't un-compromise the already-stolen credentials, so the account remains at risk even after a clean OS install.
  • (C) Checking personal email policy is an administrative concern irrelevant to the active credential theft - incident response always takes priority over policy enforcement.
  • (D) Checking firewall logs is a useful investigative step but doesn't stop an attacker who already has valid credentials from logging in externally through normal channels that firewalls won't block.

Memory tip: Use the phrase "Secure the victim before the scene" - in triage, contain active harm to the user (change the stolen password) before pivoting to forensics (logs, reimaging). If credentials are visible in evidence, treat them as breached immediately.

Topics

Incident Response · Password Security · Sensitive Data Exposure · Containment
