CompTIA Security+ (SY0-701) — Question 482

A SOC analyst establishes a remote control session on an end user’s machine and discovers the following in a file:

gmail.com[ENT][email protected][ENT]NoOneCanGuessThis123! [ENT]Hello Susan, it was great to see you the other day! Let’s plan a followup[BACKSPACE]follow-up meeting soon. Here is the link to register. [RTN][CTRL]c [CTRL]v [RTN]after[BACKSPACE]After you register give me a call on my cellphone.

Which of the following actions should the SOC analyst perform first?

Answer options

Correct answer: B

Explanation

The file is the output of a keystroke logger. The bracketed tokens ([ENT], [RTN], [BACKSPACE], [CTRL]c, [CTRL]v) record special keys and key chords, and the first three entries are a login to gmail.com (site, username, password), followed by the text of an e-mail the user composed, including the typo corrections and the copy-and-paste of a link. The machine is therefore running malware that captures everything typed on it.

The correct answer is B because reimaging the machine removes the keylogger and any other malware on the system. It does not undo what has already been captured, but it stops further capture. Advising the user to change passwords (A) is necessary, since the captured credentials must be treated as compromised, but it should come after the host has been rebuilt: a password changed on a machine that still runs the keylogger is captured as well. Checking policies (C) and firewall logs (D) can provide context but do not address the immediate need to contain the compromised host.

In practice, preserve a copy of the log file (and, where the incident response plan calls for it, a forensic image of the host) before reimaging, so that the captured accounts can be identified and reset and the source of the infection can be investigated.
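The triage the explanation describes, as an added example that is not part of the original question or its answer: a Python script that recognises keylogger-style output by its bracketed key tokens, replays the keystrokes into the fields the user actually typed, and pulls out the site/username/password triples that must be reset once the host is rebuilt. The sample log is constructed to mirror the fragment in the question; the token set is an assumption about this logger's format, and the placeholder address user@example.com stands in for the redacted one.

```python
import re

# Constructed sample modelled on the fragment in the question; not a real capture.
SAMPLE_LOG = (
    "gmail.com[ENT]user@example.com[ENT]NoOneCanGuessThis123! [ENT]"
    "Hello Susan, it was great to see you the other day! Let's plan a "
    "followup[BACKSPACE]follow-up meeting soon. Here is the link to register. "
    "[RTN][CTRL]c [CTRL]v [RTN]after[BACKSPACE]After you register give me a "
    "call on my cellphone."
)

# Assumed token set for this logger's output format.
TOKEN_RE = re.compile(r"\[(ENT|RTN|BACKSPACE|TAB|CTRL|ALT|SHIFT)\]")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def keylog_score(text):
    """Count special-key tokens; ordinary documents almost never contain them."""
    return len(TOKEN_RE.findall(text))


def looks_like_keylog(text, min_tokens=3):
    return keylog_score(text) >= min_tokens


def replay(text):
    """Replay recorded keystrokes into the fields the user saw on screen.

    ENT/RTN end a field, BACKSPACE deletes the previous character, and the
    character after CTRL/ALT is the chord key (e.g. "[CTRL]c") and is dropped.
    A logger may collapse repeated keys, so the result is an approximation.
    """
    fields, buf = [], []
    chord = False
    pos = 0

    def feed(chunk):
        nonlocal chord
        if chord and chunk:
            chunk = chunk[1:]  # swallow the key pressed with the modifier
            chord = False
        buf.extend(chunk)

    for m in TOKEN_RE.finditer(text):
        feed(text[pos:m.start()])
        tok = m.group(1)
        if tok in ("ENT", "RTN"):
            fields.append("".join(buf))
            buf.clear()
        elif tok == "BACKSPACE":
            if buf:
                buf.pop()
        elif tok in ("CTRL", "ALT"):
            chord = True
        # TAB and SHIFT carry no text of their own and are ignored here.
        pos = m.end()
    feed(text[pos:])
    if buf:
        fields.append("".join(buf))
    return fields


def find_credentials(fields):
    """Return (site, username, secret) triples: a domain-looking field
    followed by an account-looking field and then a non-empty field."""
    cleaned = [f.strip() for f in fields]
    creds = []
    for i in range(len(cleaned) - 2):
        site, user, secret = cleaned[i:i + 3]
        if DOMAIN_RE.match(site) and EMAIL_RE.match(user) and secret:
            creds.append((site, user, secret))
    return creds


def triage(text):
    """Summary for the incident ticket: is it a keylog, and which accounts
    need a reset after the host is reimaged. Secrets are never included."""
    fields = replay(text)
    return {
        "keylog": looks_like_keylog(text),
        "token_count": keylog_score(text),
        "accounts_to_reset": [(s, u) for s, u, _ in find_credentials(fields)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The replay is deliberately literal: one [BACKSPACE] deletes one character, which is why a fragment such as "followup[BACKSPACE]follow-up" does not reconstruct cleanly when the logger has collapsed repeated keys. The credential heuristic is enough to list which accounts to reset; it is not a reason to delay containing the host.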