CompTIA CySA+ (CS0-001) — Question 64
When reviewing the system logs, the cybersecurity analyst noticed a suspicious log entry: wmic /node: HRDepartment1 computersystem get username
Which of the following combinations describes what occurred, and what action should be taken in this situation?
Answer options
- A. A rogue user has queried for users logged in remotely. Disable local access to network shares.
- B. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command.
- C. A rogue user has queried for the administrator logged into the system. Disable local access to use cmd prompt.
- D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.
Correct answer: D
Explanation
The correct answer is D because the command queries for all users currently logged in remotely, which indicates potential unauthorized access. The appropriate action is to investigate who ran the command in order to assess the security breach. Options A, B, and C either misinterpret what the query does or suggest actions that are ineffective in this situation.