Exam SC-200 topic 6 question 14 discussion

Actual exam question from Microsoft's SC-200
Question #: 14
Topic #: 6

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

You investigate Device1 for malicious activity and discover a suspicious file named File1.exe. You collect an investigation package from Device1.

You need to review the following forensic data points:

• Is an attacker currently accessing Device1 remotely?
• When was File1.exe first executed?

Which folder in the investigation package should you review for each data point? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

g_man_rap
Highly Voted 8 months, 1 week ago
Is an attacker currently accessing Device1 remotely? Correct Folder: Network connections
The "Network connections" folder would contain details on active network connections, which can reveal if a remote attacker is currently connected to the device. This would show any existing or recent network sessions that could indicate remote access.

When was File1.exe first executed? Correct Folder: Prefetch files
The "Prefetch files" folder is crucial for determining when an executable was first run. Windows creates a prefetch file the first time an application is executed, and this file includes a timestamp indicating when the application was initially launched. This would provide the information on when File1.exe was first executed.
upvoted 6 times
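A quick triage of the two folders named in the comment above, as an added example (not code from the exam page, ExamTopics or Microsoft). It assumes the package has been extracted to a directory, that "Network connections" holds a netstat-style TCP listing (assumed file name ActiveNetConnections.txt), and that "Prefetch files/Prefetch" holds copies of %SystemRoot%\Prefetch\*.pf; the remote-access port list and the folder layout are assumptions, and all sample data is constructed. One caveat the comment glosses over: a .pf file records the executable's last run time(s), not its first run. The first run is inferred from the .pf file's own creation timestamp on the source volume, which a copy in the package may not preserve, so confirm it against the original file's MFT timestamps or a prefetch viewer.

```python
"""Triage the "Network connections" and "Prefetch files" folders of an
extracted investigation package.  Added example, not Microsoft's code.
Assumed: folder/file names below, the remote-access port list, and the
uncompressed .pf header offsets (verify against a prefetch viewer)."""
import os
import re
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

REMOTE_ACCESS_PORTS = {22, 23, 3389, 5900, 5985, 5986}   # assumed triage list
TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
PF_NAME_RE = re.compile(r"^(.+)-[0-9A-F]{8}\.pf$", re.I)  # NAME.EXE-HASH.pf
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Offset of the last-run FILETIME in an *uncompressed* .pf header, by header
# version (17 = XP, 23 = Win7, 26 = Win8.1, 30 = Win10 after decompression).
LAST_RUN_OFFSET = {17: 0x78, 23: 0x80, 26: 0x80, 30: 0x80}
SAMPLE_LAST_RUN = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed netstat -ano style sample; not real telemetry.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    10.0.0.5:3389          203.0.113.44:51731     ESTABLISHED     1188
  TCP    127.0.0.1:5985         127.0.0.1:50001        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1100
"""


def split_endpoint(endpoint):
    """'10.0.0.5:3389' -> ('10.0.0.5', 3389); '[::1]:22' -> ('::1', 22)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def inbound_remote_sessions(netstat_text):
    """ESTABLISHED TCP sessions on a remote-access port from a non-loopback peer."""
    hits = []
    for line in netstat_text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        lport = split_endpoint(local)[1]
        rhost, rport = split_endpoint(remote)
        if state == "ESTABLISHED" and lport in REMOTE_ACCESS_PORTS and rhost not in ("127.0.0.1", "::1"):
            hits.append({"local_port": lport, "peer": rhost, "peer_port": rport, "pid": int(pid)})
    return hits


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(path):
    """Read the last-run timestamp stored inside the .pf file itself."""
    data = Path(path).read_bytes()
    if data[:4] == b"MAM\x04":
        # Windows 10+ .pf files are Xpress-Huffman compressed; decompress first.
        return {"compressed": True, "last_run": None}
    if data[4:8] != b"SCCA":
        raise ValueError(f"{path}: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    ft = struct.unpack_from("<Q", data, LAST_RUN_OFFSET[version])[0]
    return {"compressed": False, "version": version, "last_run": filetime_to_datetime(ft)}


def prefetch_evidence(prefetch_dir, exe_name):
    """First-run (file creation) and last-run (file content) indicators for exe_name."""
    findings = []
    for pf in sorted(Path(prefetch_dir).glob("*.pf")):
        m = PF_NAME_RE.match(pf.name)
        if not m or m.group(1).upper() != exe_name.upper():
            continue
        st = pf.stat()
        # Creation time approximates the first run only if the copy preserved it.
        born = getattr(st, "st_birthtime", st.st_ctime if os.name == "nt" else None)
        info = parse_prefetch(pf)
        info["name"] = pf.name
        info["created"] = datetime.fromtimestamp(born, timezone.utc) if born else None
        findings.append(info)
    return findings


def build_sample_package(root=None):
    """Write a constructed mini package (sample data only) and return its path."""
    root = Path(root or tempfile.mkdtemp(prefix="pkg-"))
    net, pf = root / "Network connections", root / "Prefetch files" / "Prefetch"
    net.mkdir(parents=True, exist_ok=True)
    pf.mkdir(parents=True, exist_ok=True)
    (net / "ActiveNetConnections.txt").write_text(NETSTAT_SAMPLE)
    data = bytearray(0x100)                      # uncompressed Win7-style (v23) header
    struct.pack_into("<I", data, 0, 23)
    data[4:8] = b"SCCA"
    ft = ((SAMPLE_LAST_RUN - EPOCH_1601) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", data, 0x80, ft)
    (pf / "FILE1.EXE-1A2B3C4D.pf").write_bytes(data)
    (pf / "NOTEPAD.EXE-9F8E7D6C.pf").write_bytes(b"MAM\x04" + bytes(12))   # Win10-style
    return root


if __name__ == "__main__":
    pkg = build_sample_package()
    print(inbound_remote_sessions((pkg / "Network connections" / "ActiveNetConnections.txt").read_text()))
    print(prefetch_evidence(pkg / "Prefetch files" / "Prefetch", "File1.exe"))
```

Run it as-is to see both checks against the constructed package; point `inbound_remote_sessions` at the real netstat listing and `prefetch_evidence` at the real Prefetch folder for a live package. The network check answers "is someone connected right now", since the listing is a snapshot at collection time; anything that is no longer ESTABLISHED has to come from the firewall logs or the Security event log instead.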
xRiot007
3 months, 2 weeks ago
Is an attacker currently accessing Device1 remotely? - Network connections
When was File1.exe first executed? - Prefetch files
Ref: https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts#investigation-package-contents-for-windows-devices
You should stop approving answers without references. This is a paid service after all and we expect answers to be backed up by real documentation, not hunches and presumptions.
upvoted 3 times
sapphire
Most Recent 5 months, 2 weeks ago
Correct answers.
upvoted 3 times
smanzana
9 months ago
Correct
upvoted 2 times
rsanx42
11 months ago
Seems correct per link below. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
upvoted 2 times