Certified SOC Analyst (CSA v2) — Question 2
A SIEM alert is triggered due to unusual network traffic involving NetBIOS. The System log shows that “The TCP/IP NetBIOS Helper service entered the running state”. Concurrently, Event Code 4624: “An account was successfully logged on” appears for multiple machines within a short time frame. The logon type is identified as 3 (Network logon). Which of the following security incidents is the SIEM detecting?
Answer options
- A. A user connecting to shared files from multiple workstations
- B. A malware infection spreading via SMB protocol
- C. A network administrator conducting routine maintenance
- D. An attacker performing lateral movement within the network
Correct answer: D
Explanation
The correct answer is D. Event ID 4624 with logon type 3 is a network logon (SMB, RPC, WMI and similar remote access), and seeing it for the same account on many target machines within a short window is the classic signature of an attacker moving laterally from host to host with harvested credentials. The System log entry about the TCP/IP NetBIOS Helper service starting (recorded by the Service Control Manager) fits the same picture: NetBIOS/SMB is being exercised across the network. Option A is incorrect because a user opening shares from several workstations produces type 3 logons on the file server only, not on multiple machines. Option B is incorrect because nothing in the logs points to malware itself (no dropped files, new services or worm-style scanning); the logs show authentication activity, which is what a SIEM can attribute to a human operator. Option C is incorrect because, although administrative tooling can also produce network logons, routine maintenance does not normally trigger an anomalous-traffic alert and would be expected inside a change window; an analyst would verify this before closing the alert, but the pattern described is the one the SIEM detects as lateral movement.
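The correlation the explanation describes, written out as an added example (not part of the exam page or any vendor's SIEM content): normalised 4624 events are grouped by account, only logon type 3 is kept, and an alert fires when one account reaches a threshold of distinct target hosts inside a sliding time window. The input format, host names, accounts and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_TYPE_NETWORK = 3  # 4624 LogonType 3: network logon (SMB, RPC, WMI, ...)


def parse_event(line):
    """Parse one constructed 4624 record (assumed pipe-delimited export,
    not a real SIEM format): time|target_host|account|logon_type|source_ip."""
    ts, host, account, logon_type, src = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "host": host,
        "account": account,
        "logon_type": int(logon_type),
        "src": src,
    }


def find_lateral_movement(lines, window_minutes=5, min_hosts=3):
    """Return {account: {"window_start": iso, "hosts": [...]}} for every account
    that performed network logons to at least min_hosts distinct machines
    within any window of window_minutes.  Distinct *targets* are counted, so a
    user hitting one file server from many workstations does not trigger."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["logon_type"] == LOGON_TYPE_NETWORK:
            by_account[ev["account"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["time"])
        for i, start in enumerate(events):
            # every network logon by this account within the window opened by event i
            hosts = {e["host"] for e in events[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = {
                    "window_start": start["time"].isoformat(),
                    "hosts": sorted(hosts),
                }
                break  # one alert per account is enough for triage
    return alerts


# Constructed sample log (not real data).  svc_backup fans out to four hosts in
# under two minutes (the option D pattern); jdoe reaches one file server from
# three workstations (the benign option A pattern) and also logs on locally.
SAMPLE_LOG = [
    "2024-03-01T09:00:05|WS01|CORP\\svc_backup|3|10.0.0.99",
    "2024-03-01T09:00:40|WS02|CORP\\svc_backup|3|10.0.0.99",
    "2024-03-01T09:01:10|WS03|CORP\\svc_backup|3|10.0.0.99",
    "2024-03-01T09:01:55|FS01|CORP\\svc_backup|3|10.0.0.99",
    "2024-03-01T09:02:00|FS01|CORP\\jdoe|3|10.0.0.21",
    "2024-03-01T09:02:30|FS01|CORP\\jdoe|3|10.0.0.22",
    "2024-03-01T09:03:00|FS01|CORP\\jdoe|3|10.0.0.23",
    "2024-03-01T09:03:15|WS01|CORP\\jdoe|2|-",
]

if __name__ == "__main__":
    for account, hit in find_lateral_movement(SAMPLE_LOG).items():
        print(f"ALERT {account}: {len(hit['hosts'])} hosts from {hit['window_start']}: {hit['hosts']}")
```

Run as written, only `CORP\svc_backup` is reported; `CORP\jdoe` stays quiet because all of its type 3 logons land on a single target. In production the same rule needs an allow-list for accounts that legitimately fan out (backup agents, vulnerability scanners, patch servers), which is exactly the option C check an analyst performs before escalating.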