Which item is listed as an indicator for detecting compromised endpoints without active malware?

Prepare for the SANS FOR508 Exam. Use flashcards and multiple-choice questions, each with hints and explanations. Maximize your readiness for the test!

Multiple Choice

Which item is listed as an indicator for detecting compromised endpoints without active malware?

Explanation:

Event logs provide a centralized, time-stamped record of security-relevant actions on the host, and that record often reveals a compromise even when no malware is running. An attacker who works on an endpoint with stolen credentials and built-in tools still triggers activity that the OS and security products log. On Windows, for example: new accounts or privilege changes (Security log 4720, 4732, 4672), creation or modification of services and scheduled tasks (System log 7045, Security log 4698), unusual logons such as remote logons or logons at odd hours (4624 with logon type 3 or 10), and process creations (4688) whose command lines show PowerShell or other administrative tools being abused. Audit policy changes (4719), cleared logs (1102), tampering with security settings, and unexpected alerts from security tools also stand out as indicators of suspicious activity. By correlating these events over time, an analyst can reconstruct the attack chain and confirm a breach without ever finding a running malicious process. One practical caveat: 4688 carries the command line only when the "Include command line in process creation events" policy is enabled, so confirm that setting before relying on it.

Registry changes and file openings can be informative, but they are less reliable on their own: both can result from legitimate administrative actions or benign software behavior, and they need the time context that event logs supply before they point to compromise. Network activity can reveal malicious communication, but if no malware is actively running, network patterns may be quiet or mimic legitimate usage, which makes them harder to attribute to a compromise.
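The correlation described above, as an added example that is not part of the original question or its explanation: a small Python script that maps flattened Windows event records to indicator tags and then looks for a host where several distinct indicators cluster inside a time window. The records are constructed for illustration (in practice they would come from Get-WinEvent or an EVTX parser), the field names of the flattened records, the 60-minute window, the three-indicator threshold, the business-hours range, and the "writable path" list are all assumptions to be tuned per environment.

```python
"""Correlate Windows event-log records into per-host chains of compromise indicators.

Added example for illustration. SAMPLE_EVENTS are constructed records, not real logs;
field names, window size, threshold and path/hour heuristics are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local time; tune per site
WRITABLE_PATHS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
SUSPICIOUS_PS = re.compile(
    r"-(enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)", re.I
)

# Constructed sample records in a flattened form (one dict per event).
SAMPLE_EVENTS = [
    {"time": "2024-03-02T02:14:05", "host": "WS01", "id": 4624, "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.5.23"},
    {"time": "2024-03-02T02:15:11", "host": "WS01", "id": 4688, "user": "svc_backup",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"time": "2024-03-02T02:16:40", "host": "WS01", "id": 4720, "user": "svc_backup",
     "target_user": "support"},
    {"time": "2024-03-02T02:17:02", "host": "WS01", "id": 4732, "user": "svc_backup",
     "target_user": "support", "group": "Administrators"},
    {"time": "2024-03-02T02:18:30", "host": "WS01", "id": 7045, "user": "SYSTEM",
     "service": "WinUpdateSvc", "image": "C:\\Windows\\Temp\\upd.exe"},
    {"time": "2024-03-02T02:20:00", "host": "WS01", "id": 1102, "user": "svc_backup"},
    # Benign daytime activity on a second host, for contrast.
    {"time": "2024-03-02T09:05:00", "host": "WS02", "id": 4624, "user": "alice",
     "logon_type": 2, "src_ip": "-"},
    {"time": "2024-03-02T09:06:00", "host": "WS02", "id": 4688, "user": "alice",
     "cmdline": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def indicators_for(ev):
    """Map one flattened record to zero or more indicator tags."""
    tags = []
    eid = ev["id"]
    if eid == 4624:
        # Logon type 3 = network, 10 = RemoteInteractive (RDP).
        remote = ev.get("logon_type") in (3, 10)
        off_hours = parse_time(ev["time"]).hour not in BUSINESS_HOURS
        if remote and off_hours:
            tags.append("remote_logon_off_hours")
    elif eid == 4688:
        cmd = ev.get("cmdline", "")
        if "powershell" in cmd.lower() and SUSPICIOUS_PS.search(cmd):
            tags.append("encoded_or_hidden_powershell")
    elif eid == 4720:
        tags.append("local_user_created")
    elif eid == 4732 and ev.get("group", "").lower() == "administrators":
        tags.append("added_to_administrators")
    elif eid == 7045:
        if any(p in ev.get("image", "").lower() for p in WRITABLE_PATHS):
            tags.append("service_from_writable_path")
    elif eid == 4698:
        tags.append("scheduled_task_created")
    elif eid == 4719:
        tags.append("audit_policy_changed")
    elif eid == 1102:
        tags.append("audit_log_cleared")
    return tags


def build_chains(events, window_minutes=60, min_indicators=3):
    """Return {host: [(time, event_id, tag), ...]} for each host whose indicators
    include at least `min_indicators` distinct tags inside a sliding window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        for tag in indicators_for(ev):
            per_host[ev["host"]].append((parse_time(ev["time"]), ev["id"], tag))
    window = timedelta(minutes=window_minutes)
    chains = {}
    for host, hits in per_host.items():
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            if len({tag for _, _, tag in in_window}) >= min_indicators:
                chains[host] = in_window
                break
    return chains


if __name__ == "__main__":
    for host, chain in build_chains(SAMPLE_EVENTS).items():
        print(f"{host}: {len(chain)} correlated indicators")
        for t, eid, tag in chain:
            print(f"  {t:%Y-%m-%d %H:%M:%S}  {eid:>5}  {tag}")
```

Run as-is, the script prints a six-step timeline for WS01 (off-hours RDP logon, hidden encoded PowerShell, new local user, that user added to Administrators, a service installed from a Temp path, and the Security log cleared) and nothing for WS02. None of those steps requires a running malicious process; the chain is visible from the logs alone, which is the point of the question.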
