🔥 3-day streak
CompTIA CySA+ (CS0-003)59 / 147
Question 59 of 147
A SOC analyst reviewing EDR telemetry observes that a suspicious executable ran the command 'wevtutil cl Security' followed shortly by 'vssadmin delete shadows /all /quiet'. The analyst is mapping this activity to the MITRE ATT&CK framework to document the adversary's behavior. Which ATT&CK tactic best categorizes BOTH of these observed actions?
Reviewed for accuracy · Report an issueNext question