Exam SY0-701 topic 1 question 539 discussion

If they have a keylogger, you cant be sure what type of malware or if its just 1. You reimage the machine.

A. Only because the user could use a different device to change their password that is currently exposed.

Keylogger present. First priority should be to tell them to change their password. Afterwards, take care of the keylogger issue.

Although the SOC analyst should reimage the computer to get rid of the keyloger. The first thing to do is have the user change passwordl.

I think a) advise to change pw is better than B) reimage the end user because changing the exposed password immediately prevents unauthorized access, whereas reimaging the machine is a more drastic step that comes later after confirming a compromise.

Changing the password on an infected machine would do no good, as the password could still be leaked with a keylogger, etc. Reimaging the system FIRST would be best in this scenario.

The correct answer is A. Advise the user to change passwords. Here's why: The file contains sensitive information, including an email address and a password ("NoOneCanGuessThis123!"), along with a suspicious message that includes commands like "[CTRL]c" and "[CTRL]v" (which may indicate attempts to copy/paste content, possibly in a malicious context). The immediate concern is the password being exposed. Given that the password appears in plaintext, the first action should be to advise the user to change their password—especially since it may be associated with a critical account (e.g., Gmail) that could be used for further attacks. It’s also important to ensure that the user is aware of the potential compromise and that the password isn't being used elsewhere.

Answer B - To ensure the integrity of the system and prevent any further compromise, the first priority should be to reimage the end user's machine. Reimaging will remove any potential malware or unauthorized software that may be affecting the system.