Splunk Observability Cloud Certified Metrics User — Question 19
During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?
Answer options
- A. Temp directories aren’t owned by any particular user, making it difficult to track the process owner when files are executed.
- B. Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.
- C. Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in-memory values of running programs.
- D. Temp directories are world-writable, thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
Correct answer: D
Explanation
The correct answer is D because temp directories being world-writable allows unauthorized users to create and execute malicious files without permission restrictions, so an executable launched from C:\Windows\Temp warrants further investigation. Option A is incorrect since ownership issues do not inherently indicate malicious activity. Option B is false because temp directories can contain executable files, and option C misrepresents the purpose of temp directories with respect to page and virtual memory files.