Exam CS0-002 topic 1 question 394 discussion

Actual exam question from CompTIA's CS0-002
Question #: 394
Topic #: 1

A security analyst for a large pharmaceutical company was given credentials from a threat intelligence resources organization for internal users, which contain usernames and valid passwords for company accounts. Which of the following is the first action the analyst should take as part of security operations monitoring?

  • A. Run scheduled antivirus scans on all employees’ machines to look for malicious processes.
  • B. Reimage the machines of all users within the group in case of a malware infection.
  • C. Change all the user passwords to ensure the malicious actors cannot use them.
  • D. Search the event logs for event identifiers that indicate Mimikatz was used.
Suggested Answer: D

Comments

HotWings8
Highly Voted 1 year, 11 months ago
I was leaning more towards C, but the last sentence in the question includes the word "monitoring" and, knowing CompTIA is so specific, I changed to D now.
upvoted 5 times
[Removed]
Most Recent 1 year, 7 months ago
Selected Answer: D
Prep > Identification > Containment > Eradication > Recovery > Lessons Learned. I don't know how some of you guys are going straight to C with confirming D first.
upvoted 1 times
5H4K1R
1 year, 7 months ago
Selected Answer: D
The question states the "first action the analyst should take as part of security operations monitoring?" not remediation or fixes but to monitor what happened. Therefore it should be D. Search the event logs for event identifiers that indicate Mimikatz was used.
upvoted 1 times
grelaman
1 year, 7 months ago
Selected Answer: C
I think that the incident has been confirmed, so now you have to contain the users' machines, and the only option here that does so is C. There are many ways the attackers could have obtained the credentials; the most common one is through a phishing campaign, so trying to find Mimikatz artifacts alone would not necessarily be enough to determine how the breach was performed.
upvoted 1 times
LayinCable
1 year, 7 months ago
Selected Answer: C
I think it's a classic CompTIA move where they're just trying to get you to choose the FIRST thing you should do, which in my mind would be to change the passwords first; that way, access is no longer available (yes, there are better ways to secure accounts, but those aren't specified). THEN start doing scans to see how the accounts were accessed. Analogy: if it's cold out, you don't turn the heat on when the front door is wide open. You close it, so no more cold air can come in, then you turn the heat on. Any other way would be useless and make no sense.
upvoted 1 times
[Removed]
1 year, 7 months ago
But what if Mimikatz was run again after changing all passwords? You would look for Mimikatz in the event logs and then you would change all the passwords again. Then why not start with searching the event logs for event identifiers that indicate Mimikatz?
upvoted 1 times
skibby16
1 year, 8 months ago
Selected Answer: D
The first action the security analyst should take when provided with credentials from a threat intelligence resource is to search the event logs for event identifiers that indicate Mimikatz or similar credential dumping tools were used. This is a proactive step to identify any potential compromise of accounts within the organization. Changing passwords and running antivirus scans can be important subsequent actions, but initially, the focus should be on identifying potential threats and indicators of compromise.
upvoted 1 times
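skibby16 and kyky both argue for searching the event logs for identifiers that indicate Mimikatz or similar credential dumping. The following is an added example for this thread, not CompTIA's material or any commenter's code: a small triage over constructed Windows event records that flags Sysmon Event ID 10 process access to lsass.exe with memory-read access masks, and Security Event ID 4624 logon type 9 through the seclogo logon process. The allow-list of legitimate LSASS readers and the sample events are assumptions.

```python
"""Triage Windows event records for two indicators commonly tied to Mimikatz.
Added example for this thread; sample events and the allow-list are constructed."""

# Sysmon Event ID 10 (ProcessAccess) masks that include PROCESS_VM_READ on
# lsass.exe; these are the values most LSASS-dumping detections key on.
LSASS_READ_MASKS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
# Processes that open LSASS legitimately on a stock host (assumed; tune per fleet).
KNOWN_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def is_lsass_access(ev):
    """Sysmon EID 10: a non-allow-listed process opened lsass.exe for memory read."""
    if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in KNOWN_LSASS_READERS:
        return False
    return ev.get("GrantedAccess", "").lower() in LSASS_READ_MASKS

def is_pth_logon(ev):
    """Security EID 4624, logon type 9 (NewCredentials) via the seclogo logon process
    with Negotiate: the footprint of a pass-the-hash logon. 'runas /netonly' leaves
    the same record, so correlate with the accounts named in the intel feed."""
    return (ev.get("Channel") == "Security" and ev.get("EventID") == 4624
            and ev.get("LogonType") == 9
            and ev.get("LogonProcessName", "").strip().lower() == "seclogo"
            and ev.get("AuthenticationPackageName", "").lower() == "negotiate")

def triage(events):
    """Return (record index, reason) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if is_lsass_access(ev):
            hits.append((i, "lsass-memory-access"))
        elif is_pth_logon(ev):
            hits.append((i, "pass-the-hash-logon"))
    return hits

SAMPLE_EVENTS = [  # constructed records; field names follow the Sysmon/Security schemas
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Windows\system32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 9, "TargetUserName": "jdoe",
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe",
     "LogonProcessName": "User32 ", "AuthenticationPackageName": "Negotiate"},
]
```

Running `triage(SAMPLE_EVENTS)` flags records 0 and 2 and leaves the allow-listed csrss.exe access and the interactive logon alone, which is the kind of pivot the question's option D describes before any password reset is scheduled.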
johndoe69
1 year, 10 months ago
Selected Answer: C
Priority would be to change the passwords immediately. You perform your analysis afterwards. Answer is C.
upvoted 1 times
ProNerd
1 year, 11 months ago
Selected Answer: D
Mimikatz = looking for how all of the passwords would have been obtained to begin with.
upvoted 1 times
Rori791
1 year, 11 months ago
Selected Answer: D
I agree with kyky!! Scanning all employees' machines (option A) is not practical or necessary in this scenario; they already have the list of names and passwords (as mentioned in the question), so why not just scan the devices of the affected users only? Scanning the devices of the affected users may be a more targeted approach to identifying any potential malicious processes or malware that may have been introduced as a result of the compromised credentials. Plus, what if the attacker didn't start any malicious processes or malware on the affected devices? In that case, scanning all employees' machines is not going to provide any additional value to the investigation.
upvoted 1 times
tutita
2 years ago
Selected Answer: A
This question is very messy; it lacks context. They are asking for "security operation monitoring", which leads to A or D (the ones that refer to monitoring). Option D: Mimikatz is both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit; they are not mentioning a Microsoft OS. Option A, run a scan to check for malicious processes, is the best one here.
upvoted 2 times
kyky
2 years ago
Selected Answer: D
In this scenario, the first action the security analyst should take as part of security operations monitoring is: D. Search the event logs for event identifiers that indicate Mimikatz was used. Mimikatz is a well-known tool used by attackers to extract credentials from compromised systems. Since the security analyst has received credentials that may have been compromised, searching the event logs for any indicators of Mimikatz usage will help identify any potential unauthorized access attempts or compromised accounts. By analyzing the event logs, the analyst can gain insights into any suspicious activities and take appropriate actions to mitigate any potential risks or threats.
upvoted 3 times
Dutch012
2 years ago
I think we need to change the passwords first and then start to check if any of the devices that use these accounts got compromised, so it's C.
upvoted 2 times
CyberCEH
2 years, 1 month ago
Answer C
upvoted 1 times
Hershey2025
2 years, 1 month ago
Answer is A
upvoted 1 times
Meowson
2 years, 1 month ago
Why not D?
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other