🔥 3-day streak
CompTIA CySA+ (CS0-003)18 / 147
Question 18 of 147

A CySA+ analyst is reviewing EDR telemetry on a Windows workstation after an alert fired. The process tree shows that WINWORD.EXE (Microsoft Word) spawned cmd.exe, which then launched powershell.exe with an encoded command that reached out to an external IP. No legitimate business macro is deployed in the environment. Which host indicator is the strongest evidence of malicious activity in this telemetry?

Reviewed for accuracy · Report an issueNext question