🔥 3-day streak
CompTIA SecurityX (CAS-005)104 / 120
Question 104 of 120
During a proactive threat hunt, an analyst reviews process telemetry and finds numerous invocations of certutil.exe and mshta.exe on multiple workstations. These binaries are signed, native Windows utilities that the EDR allowlist trusts, and no malware signatures fired. The analyst notes certutil.exe was used with arguments that decode a base64 file and download content from an external URL. What is the MOST appropriate conclusion and next step for the hunt?
Reviewed for accuracy · Report an issueNext question