🔥 3-day streak
CompTIA SecurityX (CAS-005)109 / 120
Question 109 of 120

A threat hunter at a large enterprise is investigating a possible insider compromise. The UEBA platform flags a service account that normally authenticates only to two database servers during business hours. Over the past 48 hours, the same account authenticated interactively to 14 different workstations across three subnets, all between 01:00 and 04:00, using NTLM. No malware alerts fired, and the account's password has not changed. Which conclusion best explains the value UEBA provided and the most likely activity underway?

Reviewed for accuracy · Report an issueNext question