🔥 3-day streak
CompTIA CySA+ (CS0-003)143 / 147
Question 143 of 147
A CySA+ analyst reviewing Sysmon logs on a domain controller notices Event ID 10 (ProcessAccess) entries showing a non-standard process named 'svhost.exe' repeatedly opening handles to lsass.exe with the access mask 0x1010 (PROCESS_VM_READ and PROCESS_QUERY_INFORMATION). No legitimate administrative or backup tooling is scheduled at this time. Which malicious activity does this MOST likely indicate?
Reviewed for accuracy · Report an issueNext question