Exam CS0-003 topic 1 question 84 discussion

The suspicious activity described in the alert is: C. A new program has been set to execute on system start. This is indicated by the entry: ``` Host: Webserver01 Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Key Added: RunME (%appdata%\abc.exe) ``` which shows that a new registry key (`RunME`) was added under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, pointing to an executable file (`%appdata%\abc.exe`), indicating that a program has been configured to run automatically when the system starts.

Not only is the answer clearly understandable when looking at BanesTech comment but also understand what FIM does and now you can play process of elimination. Not be because that would be alerted by network monitoring not file integrity. Not D because definitely not file integrity. We wouldn't have an alert in FIM about IP. Between A and C, A is less likely because FIM monitors for programs and files already installed to ensure they haven't been tampered with. In addition, this alert doesn't tell us that something was downloaded by the threat actor. Hope that helps.

I was thinking B here, not sure on why you guys are choosing C.

Agree with C. Options A and D doesn't make sense. and option B looks legitimate.

Of the 5 alerts below, C seems to be the most malicious as this can establish persistence of malware. Host: Webserver01 Path: HKLM/Software/Microsoft/Windows/CurrentVersion/Personalization Key Added: Allow (1) --- Host: Webserver01 Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Key Added: RunME (%appdata%\abc.exe) --- Host: Webserver01 Path: HKCU\Printers\ConvertUserDevModesCount Key added: microsoft xps writer (2) --- Host: WEBSERVER01 Path: HKCU\Network\Z Key Added: Remote Path (192.168.1.0 CorpZ_Drive) --- Host: Webserver01 Path: HKLM\Software\Microsoft\PCHealthCheck Key added: Installed (1)

Of the options described above, the most correct option is C.