🔥 3-day streak
Microsoft Security Operations Analyst20 / 190
Question 20 of 190

During an incident investigation, a device timeline in Microsoft Defender for Endpoint shows that a suspicious process wrote a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to an executable in the user's AppData folder. You start a live response session on the affected device to remove this persistence mechanism and confirm the malicious binary is no longer set to auto-start. Which sequence of live response actions accomplishes this?

Reviewed for accuracy · Report an issueNext question