🔥 3-day streak
Microsoft Security Operations Analyst27 / 190
Question 27 of 190
During investigation of a Defender for Endpoint incident, you connect a live response session to a compromised Windows server. The device timeline shows a suspicious scheduled task named 'SysHealthCheck' that re-launches a malicious PowerShell payload every 30 minutes. You have already isolated the device. You need to identify the exact command line and trigger configuration of this scheduled task directly from within the live response session, without downloading and analyzing a full investigation package offline. Which live response command should you use?
Reviewed for accuracy · Report an issueNext question