← Detection Engineer
// final assessment
Final Exam
20 scenario-based questions · Pass at 80% to earn your certificate
Question 1 of 20
An EDR alert fires: lsass.exe was accessed by a process named 'svchost.exe' (PID 9812) with GrantedAccess 0x1FFFFF from C:\Users\jdoe\AppData\Local\Temp\svchost.exe. CloudTrail shows jdoe's AWS credentials were used 3 minutes later from IP 185.220.101.5. What is the complete attack chain and what is the correct immediate response?