← Detection Engineer

// final assessment

Final Exam

20 scenario-based questions · Pass at 80% to earn your certificate

Question 1 of 20

An EDR alert fires: lsass.exe was accessed by a process named 'svchost.exe' (PID 9812) with GrantedAccess 0x1FFFFF from C:\Users\jdoe\AppData\Local\Temp\svchost.exe. CloudTrail shows jdoe's AWS credentials were used 3 minutes later from IP 185.220.101.5. What is the complete attack chain and what is the correct immediate response?