
Exam SC-200 topic 5 question 7 discussion

Actual exam question from Microsoft's SC-200
Question #: 7
Topic #: 5

You have a Microsoft 365 E5 subscription that contains a device named Device1. Device1 is enrolled in Microsoft Defender for Endpoint.

Device1 reports an incident that includes a file named File1.exe as evidence.

You initiate the Collect Investigation Package action and download the ZIP file.

You need to identify the first and last time File1.exe was executed.

What should you review in the investigation package?

  • A. Processes
  • B. Autoruns
  • C. Security event log
  • D. Scheduled tasks
  • E. Prefetch files
Suggested Answer: E

Comments

wheeldj
Highly Voted 1 year, 2 months ago
Definitely E. To identify the first and last time that File1.exe was executed on Device1, you should review the Prefetch files in the investigation package. Prefetch files in Windows are designed to speed up the application launch process and contain information about how often and when a particular application is run. This data can be used to determine the execution history of File1.exe. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices
upvoted 12 times
wheeldj
1 year, 2 months ago
Here’s a breakdown of the options:
  • Processes: This would show active processes at the time of the collection but not historical execution data.
  • Autoruns: This includes programs that are configured to run during system boot or login, which might not necessarily indicate when a file was executed.
  • Security event log: While this log contains a record of security-related events, it may not specifically track the execution times of individual executables unless auditing is configured to do so.
  • Scheduled tasks: This would show tasks that are scheduled to run automatically, which could include File1.exe if it was set up as a task, but it wouldn’t provide historical execution data.
  • Prefetch files (E): These files are specifically designed to track program execution information and would contain the data needed to determine when File1.exe was first and last run.
upvoted 6 times
281f173
Highly Voted 1 year, 2 months ago
Selected Answer: E
Prefetch files record the first and last times an executable has been run, the name and the path it was executed from, and how many times it has been executed.
upvoted 7 times
liveup2it
1 year, 1 month ago
E: The timestamps of a prefetch file are arguably the most beneficial aspect of the file itself. The creation date of a prefetch file is the first time that an executable was run on a system, while the modification date of a prefetch file is the last time that an executable was run on a system.
upvoted 1 times
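Both wheeldj's answer and liveup2it's comment above come down to reading two things out of the Prefetch folder of the investigation package: the timestamps stored inside a FILE1.EXE-*.pf file (the last runs and the run count) and the .pf file's own creation time, which stands in for the first run because the file body does not store it. The following is an added example, not code from the page, from Microsoft or from the Defender for Endpoint tooling. It parses the uncompressed prefetch header layouts (Windows XP through 8.1) using field offsets taken from public format notes; the Windows 10 entry in the offset table is an assumption, since that version has sub-variants, and Windows 10/11 files are MAM-compressed, which the parser detects but does not decompress. The sample .pf buffer, executable name and timestamps are constructed here for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Absolute file offsets of the fields read below, by prefetch format version.
# Taken from public format notes (libscca); the Windows 10 (30) entry is an
# assumption, since that version has sub-variants with a shifted run-count field.
LAYOUTS = {
    17: {"last_run": 0x78, "slots": 1, "run_count": 0x90},  # Windows XP / 2003
    23: {"last_run": 0x80, "slots": 1, "run_count": 0x98},  # Windows Vista / 7
    26: {"last_run": 0x80, "slots": 8, "run_count": 0xD0},  # Windows 8 / 8.1
    30: {"last_run": 0x80, "slots": 8, "run_count": 0xD0},  # Windows 10 (assumed)
}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_mam_compressed(data: bytes) -> bool:
    """Windows 10+ writes .pf files compressed (LZXPRESS Huffman) behind a MAM header."""
    return data[:4] == b"MAM\x04"


def parse_prefetch(data: bytes) -> dict:
    """Return the executable name, run count and stored run timestamps of a .pf file."""
    if is_mam_compressed(data):
        raise ValueError("MAM-compressed prefetch file; decompress it before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    layout = LAYOUTS.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch format version {version}")
    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 0x10.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    run_times = []
    for slot in range(layout["slots"]):
        (ft,) = struct.unpack_from("<Q", data, layout["last_run"] + 8 * slot)
        if ft:  # unused slots are zero
            run_times.append(filetime_to_datetime(ft))
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {"version": version, "executable": name,
            "run_count": run_count, "run_times": sorted(run_times)}


def execution_window(record: dict, pf_created: datetime) -> tuple:
    """(first, last) execution as the thread describes them: the first run is not
    stored in the file body, so the .pf creation time stands in for it; the last
    run is the newest stored timestamp (None if the file held no timestamps)."""
    last = record["run_times"][-1] if record["run_times"] else None
    return pf_created, last


def build_sample_pf(exe: str, run_times_iso: list, run_count: int, version: int = 26) -> bytes:
    """Constructed sample (not a real capture): lay out only the fields the parser reads."""
    layout = LAYOUTS[version]
    buf = bytearray(0x100)
    # header: version, "SCCA" signature, an unknown field, and the file size
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    for slot, iso in enumerate(run_times_iso[:layout["slots"]]):
        ft = datetime_to_filetime(datetime.fromisoformat(iso))
        struct.pack_into("<Q", buf, layout["last_run"] + 8 * slot, ft)
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


# Constructed sample: a Windows 8.1-layout prefetch record for FILE1.EXE with two stored runs.
SAMPLE_PF = build_sample_pf(
    "FILE1.EXE", ["2024-03-05T17:30:00+00:00", "2024-03-01T08:00:00+00:00"], 7)

if __name__ == "__main__":
    rec = parse_prefetch(SAMPLE_PF)
    # The creation time would come from the .pf file's metadata in the package; constructed here.
    first, last = execution_window(rec, datetime.fromisoformat("2024-03-01T07:59:52+00:00"))
    print(rec["executable"], "run count:", rec["run_count"], "first ~", first, "last:", last)
```

In a real package the creation time comes from the .pf file's own metadata rather than a literal, and the stored timestamps are the last eight runs only, so the run count is the only record of executions older than those. A parser for a Windows 10/11 package additionally needs an LZXPRESS Huffman decompressor in front of `parse_prefetch`.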
sapphire
Most Recent 8 months, 2 weeks ago
Selected Answer: E
https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices
upvoted 1 times
sapphire
8 months, 2 weeks ago
E is correct - https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices
upvoted 1 times
g_man_rap
11 months, 1 week ago
Selected Answer: E
Prefetch files (Option E): These files are created by the Windows operating system to speed up the startup of applications. Each time an executable file runs, Windows records the launch in the prefetch data. The prefetch file for a specific executable will include information about the first time and the last time the executable was run. By analyzing the prefetch file for File1.exe, you can determine the exact timestamps of its first and most recent executions.
upvoted 1 times
ServerBrain
1 year, 2 months ago
Selected Answer: A
To identify the first and last time File1.exe was executed, you should review the Processes information in the investigation package. Collect Investigation Package: By collecting the investigation package, you can understand the current state of the device and further investigate the tools and techniques used by the attacker. The package includes relevant data and logs related to the incident, which can help you analyze events and activities on the device. Processes: The Processes section provides details about running processes on the device. You can look for entries related to File1.exe to determine when it was first and last executed. Pay attention to timestamps, process names, and any associated events.
upvoted 2 times
DChilds
1 year, 3 months ago
A https://learn.microsoft.com/en-us/defender-endpoint/investigate-files?view=o365-worldwide#devices
upvoted 2 times
pk69
1 year, 3 months ago
Selected Answer: C
Security event log
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other