CompTIA CySA+ (CS0-002) — Question 209
A security analyst for a large pharmaceutical company is given a set of credentials for internal users by a threat intelligence organization; the set contains usernames and valid passwords for company accounts. Which of the following is the first action the analyst should take as part of security operations monitoring?
Answer options
- A. Run scheduled antivirus scans on all employees’ machines to look for malicious processes.
- B. Reimage the machines of all users within the group in case of a malware infection.
- C. Change all the user passwords to ensure the malicious actors cannot use them.
- D. Search the event logs for event identifiers that indicate Mimikatz was used.
Correct answer: D
Explanation
The correct answer is D. The passwords are already known to be valid, so the monitoring question is not whether the credentials are compromised but how they were harvested and whether they have been used. Credential-dumping tools such as Mimikatz leave traces in the Windows event logs (for example, processes opening handles to lsass.exe, or NewCredentials logons produced by pass-the-hash), and searching for those event identifiers tells the analyst which hosts and which of the leaked accounts are involved before any remediation starts. Changing the passwords (C) is necessary and should follow promptly, but doing it first, across every account, removes the context needed to scope the incident and signals to the attacker that the leak has been noticed. Reimaging the machines (B) destroys forensic evidence before the affected hosts are even known, and scheduled antivirus scans (A) are slow and do not detect the misuse of valid credentials, so neither addresses the immediate risk of the leaked accounts being used.