A security analyst notices a number of SIEM events that show the following activity:

Which of the following response actions should the analyst take FIRST?
A. Disable powershell.exe on all Microsoft Windows endpoints.
B. Restart Microsoft Windows Defender.
C. Configure the forward proxy to block 40.90.23.154.
D. Disable local administrator privileges on the endpoints.

Answer: C

Explanation:

The SIEM events show that powershell.exe was executed on multiple endpoints and made an outbound connection to 40.90.23.154, an IP address associated with malicious activity. This could indicate a malware infection or a command-and-control channel. The first response action should be to configure the forward proxy to block 40.90.23.154, which prevents further communication with the malicious IP address while the endpoints are investigated. Disabling powershell.exe on all endpoints may not be feasible or effective, as it could disrupt legitimate operations and would not remove the malware. Restarting Microsoft Windows Defender may not detect or stop the malware, as the malware could already have bypassed or disabled it. Disabling local administrator privileges on the endpoints may not prevent the malware from running or communicating, as it could already have escalated privileges or could use other methods.

Verified Reference:

- https://www.comptia.org/blog/what-is-a-forward-proxy
- https://partners.comptia.org/docs/default-source/resources/casp-content-guide
