🔥 3-day streak
CompTIA CySA+ (CS0-003)134 / 147
Question 134 of 147

A SOC analyst is reviewing Windows event logs after an alert flagged suspicious command execution on a finance workstation. She locates an Event ID 4104 entry containing a base64-encoded string passed through an obfuscated command that decodes to a download-and-execute routine reaching out to an external IP. Which logging capability produced this evidence, and why is it valuable for this investigation?

Reviewed for accuracy · Report an issueNext question