🔥 3-day streak
Microsoft Security Operations Analyst21 / 190
Question 21 of 190

During an incident investigation, you connect a live response session to a compromised Windows server in Microsoft Defender for Endpoint. The attacker installed a malicious Windows service named 'SvcHostUpdater' that re-launches a backdoor after every reboot. You have already stopped and quarantined the running backdoor process, but you must prevent the service from restarting the backdoor while forensics continues. Which live response command should you use to inspect and act on this persistence mechanism?

Reviewed for accuracy · Report an issueNext question