GIAC Certified Incident Handler (GCIH) — Question 108

A security team is actively monitoring windows event IDs 4634, 4688, and 4697. Which persistence mechanism will they detect with this approach?

Answer options

• A. Golden ticket use
• B. Web shell placement
• C. New Service creation
• D. Local Account addition

Correct answer: C

Explanation

Monitoring event IDs 4634, 4688, and 4697 allows the detection of new service creation, as these events relate to service management and process creation. The other options, such as golden ticket use, web shell placement, and local account addition, do not specifically correlate with these event IDs, making them less relevant in this context.