CompTIA CySA+ (CS0-003) — Question 260
A list of IoCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe. Which of the following best describes the result if security teams add this indicator to their detection signatures?
Answer options
- A. This indicator would fire on the majority of Windows devices.
- B. Malicious files with a matching hash would be detected.
- C. Security teams would detect rogue svchost.exe processes in their environment.
- D. Security teams would detect event entries detailing execution of known-malicious svchost.exe processes.
Correct answer: A
Explanation
The correct answer is A. svchost.exe is a legitimate, Microsoft-signed Windows binary present on essentially every Windows host, so a signature built from its SHA-256 hash will match the clean copy in System32 on every device it is deployed to. The indicator generates a flood of false positives and no useful detections. Option B is incorrect because a hash match identifies one exact sequence of bytes, not whether a file is malicious: the hash belongs to the genuine binary, and a malicious file carrying the svchost.exe name has different contents and therefore a different hash, so it does not match. Options C and D fail for the same reason. Rogue or known-malicious svchost.exe processes would have to be identified by something other than this hash (for example, a copy running from outside the directories Windows installs it in, or an unexpected parent process); the hash only flags the legitimate copies. In practice the indicator would not literally match every device, since each Windows build ships its own svchost.exe with its own hash, but the lesson is the same: vet IoC feeds against a known-good baseline before loading them into detection signatures, and drop any hash that belongs to a legitimate binary.
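The following Python block is an added example, not part of the exam material. It simulates the scenario above with constructed data: a small fleet of hosts whose file contents are placeholder byte strings (not real binaries), an IoC feed that contains the hash of the legitimate file, and a known-good baseline. It shows that the hash indicator fires once per clean host while missing the rogue copy, that vetting the feed against the baseline removes the bad indicator, and what a check that actually catches a misplaced svchost.exe looks like. All host names, paths and file contents are constructed for illustration.

```python
import hashlib
import ntpath

# Constructed stand-ins for file contents; on a real host these are the on-disk bytes.
LEGIT_SVCHOST = b"MZ\x90\x00 constructed stand-in for the Microsoft-signed svchost.exe build"
ROGUE_SVCHOST = b"MZ\x90\x00 constructed stand-in for a dropper renamed to svchost.exe"
OTHER_MALWARE = b"MZ\x90\x00 constructed stand-in for an unrelated malicious sample"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed fleet: host -> {path: file bytes}. Every host carries the legitimate
# svchost.exe; host03 also carries a rogue copy in a user-writable directory.
FLEET = {
    "host01": {r"C:\Windows\System32\svchost.exe": LEGIT_SVCHOST},
    "host02": {r"C:\Windows\System32\svchost.exe": LEGIT_SVCHOST},
    "host03": {
        r"C:\Windows\System32\svchost.exe": LEGIT_SVCHOST,
        r"C:\Users\Public\svchost.exe": ROGUE_SVCHOST,
    },
}

# Constructed IoC feed: one hash is the legitimate svchost.exe (the exam scenario),
# the other is a genuinely malicious sample.
IOC_FEED = {sha256_hex(LEGIT_SVCHOST), sha256_hex(OTHER_MALWARE)}

# Constructed known-good baseline, e.g. hashes collected from a clean reference image.
KNOWN_GOOD = {sha256_hex(LEGIT_SVCHOST)}


def match_hash_iocs(fleet, iocs):
    """Return (host, path, digest) for every file whose SHA-256 is in the IoC set."""
    hits = []
    for host, files in fleet.items():
        for path, data in files.items():
            digest = sha256_hex(data)
            if digest in iocs:
                hits.append((host, path, digest))
    return hits


def vet_iocs(iocs, known_good):
    """Split a feed into (deployable indicators, indicators colliding with known-good)."""
    collisions = set(iocs) & set(known_good)
    return set(iocs) - collisions, collisions


# Directories Windows installs svchost.exe in; a copy anywhere else is suspect.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def find_misplaced_svchost(fleet):
    """Flag files named svchost.exe that live outside the expected system directories."""
    suspects = []
    for host, files in fleet.items():
        for path in files:
            directory, name = ntpath.split(path)
            if name.lower() == "svchost.exe" and directory.lower() not in EXPECTED_DIRS:
                suspects.append((host, path))
    return suspects


if __name__ == "__main__":
    # The raw feed fires on every clean host and never on the rogue copy.
    for host, path, digest in match_hash_iocs(FLEET, IOC_FEED):
        print(f"IoC hit: {host} {path} {digest[:12]}...")
    deployable, collisions = vet_iocs(IOC_FEED, KNOWN_GOOD)
    print(f"dropped {len(collisions)} indicator(s) that match known-good files")
    print("hits after vetting:", match_hash_iocs(FLEET, deployable))
    print("misplaced svchost.exe:", find_misplaced_svchost(FLEET))
```

The vetting step is the one worth keeping: run every hash-based feed against the hashes of your clean gold images (or a vendor-published known-good set) before it reaches the detection pipeline, and treat any collision as a feed error rather than a detection.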