Certified SOC Analyst (CSA v2) — Question 6

A threat hunter analyzing an infected endpoint finds that malicious processes keep reappearing even after termination, making traditional remediation ineffective. The user of the endpoint reports occasional system slowdowns, abnormal pop-ups, and unauthorized application launches. Upon deeper inspection, the threat hunter discovers that the system has multiple scheduled tasks executing unknown scripts at specific intervals, along with suspicious registry modifications that enable automatic script execution upon startup. Further investigation reveals that the endpoint has made occasional outbound connections to an unclassified external server, though the traffic is encrypted and intermittent. Additionally, the organization recently experienced multiple failed login attempts on privileged accounts originating from the same subnet, raising concerns about potential credential theft or lateral movement. With the possibility of persistence mechanisms, lateral movement, or external C2 activity, which signs should the threat hunter look out for to confirm and mitigate the threat?

Answer options

Correct answer: C

Explanation

The correct answer is Indicators of Attack (IoAs). IoAs describe the behaviours an adversary exhibits while an intrusion is in progress, and this scenario is made up of exactly such behaviours: scheduled tasks that run unknown scripts at fixed intervals and registry changes that relaunch them at startup (persistence), intermittent encrypted connections to an unclassified external host (possible command and control), and repeated failed logons against privileged accounts from a single subnet (credential theft or lateral movement). Hunting for these behaviours lets the analyst confirm the intrusion and remove every foothold, instead of terminating processes that the persistence mechanisms simply recreate. Network-Based Artifacts and Host-Based Artifacts are the raw evidence (packets, flows, files, registry keys, process records) from which IoAs are derived; on their own they do not tell the hunter which sequence of actions to look for. Threat Intelligence & Adversary concerns the broader threat landscape and known actors rather than the specific signs of an attack unfolding on this endpoint. Because IoAs capture the pattern of an attack rather than a single atomic clue, they are the indicators a threat hunter relies on to confirm and mitigate a threat like this one.
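The following is an added example, not part of the CSA material or of any vendor tool, showing how the behaviours in this scenario can be turned into IoA checks over endpoint, network and authentication telemetry. All event records are constructed to mirror the question (a task running a script from a user-writable path, a Run key pointing at a script, regular call-outs to one external host, and a burst of failed privileged logons from one /24); the field names, the privileged-account watchlist and the thresholds are assumptions chosen for illustration, and the external addresses are documentation ranges standing in for real ones.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry modelled on the scenario (not real logs).
EVENTS = [
    {"type": "scheduled_task", "name": r"\Updater\Check",
     "command": r"wscript.exe C:\Users\jdoe\AppData\Roaming\upd.vbs"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater",
     "data": r"powershell.exe -w hidden -File C:\Users\jdoe\AppData\Roaming\upd.ps1"},
    {"type": "registry_set",  # benign registry write, should not fire
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\7zip",
     "value": "DisplayName", "data": "7-Zip"},
]
# Intermittent but regular encrypted call-outs: roughly every 600 s with jitter.
EVENTS += [{"type": "net_connect", "dst_ip": "203.0.113.45", "dst_port": 443, "ts": t}
           for t in (1000, 1612, 2195, 2809, 3402)]
# Ordinary browsing to another external host: too few and too irregular to be a beacon.
EVENTS += [{"type": "net_connect", "dst_ip": "198.51.100.7", "dst_port": 443, "ts": t}
           for t in (1100, 1130, 4000)]
# Failed logons against a privileged account from one subnet, plus one ordinary user.
EVENTS += [{"type": "logon_failed", "target": "Administrator", "src_ip": f"10.20.30.{i}"}
           for i in (7, 7, 9, 9, 12, 15)]
EVENTS += [{"type": "logon_failed", "target": "jdoe", "src_ip": "10.20.30.7"}]

PRIVILEGED = {"administrator", "domain admin", "svc_backup"}  # assumed watchlist
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|js|ps1|bat|cmd|hta)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Ranges treated as internal; anything else counts as an external destination.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def hunt(events, beacon_min=4, beacon_cv=0.2, logon_threshold=5):
    """Return the IoAs found in a list of event dicts (thresholds are assumptions)."""
    ioas = []
    conns = defaultdict(list)   # (dst_ip, dst_port) -> connection timestamps
    failed = defaultdict(int)   # source /24 -> failed privileged logons
    for e in events:
        t = e["type"]
        if t == "scheduled_task" and USER_WRITABLE.search(e["command"]) and SCRIPT_EXT.search(e["command"]):
            ioas.append({"ioa": "persistence.scheduled_task", "evidence": e["command"]})
        elif t == "registry_set" and RUN_KEY.search(e["key"]) and SCRIPT_EXT.search(e["data"]):
            ioas.append({"ioa": "persistence.run_key", "evidence": e["key"] + "\\" + e["value"]})
        elif t == "net_connect" and is_external(e["dst_ip"]):
            conns[(e["dst_ip"], e["dst_port"])].append(e["ts"])
        elif t == "logon_failed" and e["target"].lower() in PRIVILEGED:
            subnet = ipaddress.ip_network(e["src_ip"] + "/24", strict=False)
            failed[str(subnet)] += 1
    # Beacon check: enough connections whose inter-arrival times barely vary
    # (coefficient of variation below beacon_cv), which survives encrypted payloads.
    for (ip, port), ts in conns.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= beacon_min and pstdev(gaps) / mean(gaps) < beacon_cv:
            ioas.append({"ioa": "c2.beacon", "evidence": f"{ip}:{port} every ~{mean(gaps):.0f}s"})
    for subnet, n in failed.items():
        if n >= logon_threshold:
            ioas.append({"ioa": "credential_access.privileged_logon_failures",
                         "evidence": f"{n} failures from {subnet}"})
    return ioas


if __name__ == "__main__":
    for ioa in hunt(EVENTS):
        print(f'{ioa["ioa"]:45} {ioa["evidence"]}')
```

Each IoA carries the evidence that triggered it, so remediation can act on every foothold at once: delete the task, remove the Run value, block or sinkhole the beacon destination, and reset the targeted privileged credentials while investigating the source subnet. The beacon test uses interval regularity rather than payload content, which is why it still works when the traffic is encrypted; tune the thresholds to your own environment before relying on it.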