CompTIA Security+ (SY0-601) — Question 818

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without users' interaction. The SIEM has multiple login entries with the following text:

suspicious event - user: scheduledtasks successfully authenticate on AD on abnormal time
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py
suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh
suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py

Which of the following is the MOST likely attack conducted on the environment?

Answer options

Correct answer: A

Explanation

The correct answer is A: the successful execution of 'amazing-3rdparty-domain-assessment.py' and the abnormal authentication pattern indicate the presence of a malicious script. The other options do not fit the scenario: privilege escalation would imply gaining higher access, domain hijacking involves taking control of a domain, and DNS poisoning alters DNS records, none of which directly relates to the events described.