Certified SOC Analyst (CSA v2) — Question 4

As a SOC Administrator at a mid-sized financial institution, you noticed intermittent network slowdowns and unexplained high memory usage across multiple critical systems. Your initial analysis found no traces of malware, but a forensic investigation revealed unauthorized scheduled tasks that executed during off-peak hours. These tasks ran obfuscated scripts that connected to an external C2 server. Further investigation showed that the adversary had gained access months earlier through a compromised VPN account, using credentials stolen in a phishing campaign. Which phase of the Advanced Persistent Threat (APT) lifecycle does the observed activity align with?

Answer options

A. Persistence
B. Cleanup
C. Search and Exfiltration
D. Initial Intrusion

Correct answer: A

Explanation

The correct answer is A, Persistence. The activity the investigation surfaced is the adversary maintaining an established foothold: unauthorized scheduled tasks that keep re-running obfuscated scripts and re-establishing the C2 channel long after the original break-in. Option D (Initial Intrusion) describes the phishing and compromised VPN account, but that happened months earlier and is not the phase the scheduled tasks and beaconing belong to. Option B (Cleanup) is wrong because the adversary has not removed traces; the tasks were still present to be found. Option C (Search and Exfiltration) concerns locating and stealing data, and nothing in the scenario shows data being collected or moved, only ongoing access being kept alive.
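The persistence mechanism in this scenario leaves a concrete artifact an analyst can hunt for: Windows logs Event ID 4698 ("A scheduled task was created") with the full task definition in its TaskContent field. The following Python triage is an added example, not code from the question or from the CSA course; it parses constructed 4698-style records and flags tasks whose action is a script host, whose arguments carry encoding or window-hiding markers, or whose trigger fires outside an assumed 07:00 to 19:00 business window. The sample events, the task names, the business hours and the regex heuristics are all assumptions made for illustration.

```python
"""Added example (not from the original question): triage Windows Security
Event ID 4698 'A scheduled task was created' records for the kind of
persistence described in the scenario: tasks that fire off-hours and
launch obfuscated or encoded script commands."""
import re
import xml.etree.ElementTree as ET
from datetime import time

# Namespace used by Task Scheduler definitions (the TaskContent of event 4698).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Business window assumed for this institution (hypothetical; tune per site).
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Script hosts an attacker typically drives from a scheduled task.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")

# Argument patterns that hide or obfuscate what runs. Heuristics, not a
# complete signature set; expect to tune them against your own baseline.
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"   # -Enc <base64 payload>
    r"|-w(indowstyle)?\s+hidden"                      # hidden console window
    r"|\biex\b|invoke-expression|downloadstring|frombase64string)",
    re.IGNORECASE,
)


def parse_task(task_xml):
    """Return ([(command, arguments), ...], [trigger start times]) from a
    Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = (exec_el.findtext(TASK_NS + "Command") or "").strip()
        args = (exec_el.findtext(TASK_NS + "Arguments") or "").strip()
        actions.append((cmd, args))
    starts = []
    for sb in root.iter(TASK_NS + "StartBoundary"):
        # StartBoundary is ISO 8601 local time, e.g. 2024-03-01T02:30:00
        hh, mm = sb.text.strip().split("T")[1].split(":")[:2]
        starts.append(time(int(hh), int(mm)))
    return actions, starts


def is_off_hours(t):
    """True when a trigger time falls outside the assumed business window."""
    return t < BUSINESS_START or t >= BUSINESS_END


def triage_event(event):
    """Return a list of findings for one 4698 record (empty if nothing odd)."""
    findings = []
    actions, starts = parse_task(event["TaskContent"])
    for cmd, args in actions:
        if any(h in cmd.lower() for h in SCRIPT_HOSTS):
            findings.append(f"script host as task action: {cmd}")
        for m in SUSPICIOUS_ARGS.finditer(args):
            findings.append(f"obfuscation marker in arguments: {m.group(0)[:40]}")
    for t in starts:
        if is_off_hours(t):
            findings.append(f"trigger fires off-hours at {t.strftime('%H:%M')}")
    return findings


def hunt(events):
    """Map task name -> findings for every event with at least one finding,
    ordered so the task with the most findings comes first."""
    flagged = {}
    for ev in events:
        f = triage_event(ev)
        if f:
            flagged[ev["TaskName"]] = f
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


def _task_xml(start, command, arguments):
    """Build a minimal Task Scheduler definition (constructed sample data)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>{start}</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed 4698-style records, not real telemetry. The third task
# masquerades under a Microsoft-looking name, fires at 02:30 and runs a
# hidden, base64-encoded PowerShell command.
SAMPLE_EVENTS = [
    {"TaskName": r"\Corp\InventoryReport", "SubjectUserName": "svc_inventory",
     "TaskContent": _task_xml("2024-03-01T09:00:00", r"C:\Tools\inventory.exe", "--report daily")},
    {"TaskName": r"\Corp\NightlyBackup", "SubjectUserName": "svc_backup",
     "TaskContent": _task_xml("2024-03-01T23:00:00", r"C:\Backup\backup.exe", "--full")},
    {"TaskName": r"\Microsoft\Windows\Maintenance\WinSAT Update", "SubjectUserName": "jsmith",
     "TaskContent": _task_xml("2024-03-01T02:30:00", "powershell.exe",
                              "-NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")},
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(name)
        for f in findings:
            print("   -", f)
```

The nightly backup is flagged only for its off-hours trigger, which is the kind of single-indicator hit an analyst baselines away; the masquerading task stacks a script host, two obfuscation markers and an off-hours trigger and rises to the top. In a real hunt, the SubjectUserName of the flagged event is the pivot back toward the compromised VPN account from the scenario.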