Learn which combination of Windows Event IDs a CHFI should focus on when investigating a complex security breach involving account creation, privilege escalation, and service installation. Detailed explanation of the correct Event IDs to analyze. Prepare for the ECCouncil 312-49v10 certification exam.
Question
A CHFI has been tasked to analyze Windows Security Logs in a highly complex and multi-layered security breach investigation. The breach involved an account creation, privilege escalation, and the installation of a service, all happening sequentially within a short duration. The investigator is required to retrieve a combination of Event IDs that would chronologically corroborate these events. Which combination of Event IDs should the investigator focus on?
A. Event ID 624, Event ID 4670, and Event ID 6011
B. Event ID 624, Event ID 500, and Event ID 7045
C. Event ID 4720, Event ID 4672, and Event ID 7045
D. Event ID 4720, Event ID 500, and Event ID 6011
Answer
C. Event ID 4720, Event ID 4672, and Event ID 7045
Explanation
Here’s a detailed explanation of each Event ID and why this combination would corroborate the events described in the security breach:
Event ID 4720: A user account was created
This Event ID indicates that a new user account was created: a domain account in Active Directory when logged on a domain controller, or a local account when logged on a member server or workstation. It records the new account's name and security identifier (SID) together with the subject account that created it. In the context of the described breach, Event ID 4720 would be logged when the initial account was maliciously created.
Event ID 4672: Special privileges assigned to new logon
This Event ID is logged when a user logs on with special privileges, such as Administrator rights or the “Act as part of the operating system” user right. It includes the username and domain of the account that logged on. Event ID 4672 would capture the privilege escalation aspect of the breach, showing the previously created account gaining elevated privileges.
Event ID 7045: A service was installed in the system
This Event ID is generated by the Service Control Manager when a new service is installed on a Windows system. It is written to the System log rather than the Security log, so the investigator has to pull both logs to assemble the timeline. It provides the service name, service file path (image path), service type, and start type. In the breach scenario, Event ID 7045 would be logged when the malicious service was installed by the account whose logon had just been granted special privileges.
By focusing on this combination of Event IDs in chronological order, the investigator can trace the key events of the security breach:
- Event ID 4720 shows the creation of a new, likely unauthorized account
- Event ID 4672 captures that account escalating privileges
- Event ID 7045 reveals the privileged account installing a suspicious service
The other Event ID combinations would not fully capture the critical events in the correct order, making C the best answer. This question tests a CHFI’s knowledge of key Windows Event IDs and their ability to analyze logs to investigate a multi-stage security breach.
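The chronological correlation the explanation describes can be written as a small script. The following Python is an added example, not part of the original question or answer: it sorts constructed Security (4720, 4672) and System (7045) records by time, then links a 4720 account creation to a later 4672 privileged logon by the same account and to a later 7045 service installation by that account's SID, all inside a configurable window. Host, account names, SIDs, service names and timestamps are constructed sample data, and the assumption that each 7045 record exposes the installing account's SID in a `UserSid` field is labelled in the code.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class WinEvent:
    """One event record reduced to the fields the correlation needs."""
    time: datetime
    log: str            # "Security" for 4720/4672, "System" for 7045
    event_id: int
    data: Dict[str, str] = field(default_factory=dict)


def _t(hhmmss: str) -> datetime:
    """Build a timestamp on a fixed constructed date."""
    return datetime.strptime(f"2024-01-15 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed sample records (hypothetical names, SIDs and paths), not real log data.
# Assumption: the 7045 records carry the installing account's SID as "UserSid".
SAMPLE_EVENTS: List[WinEvent] = [
    WinEvent(_t("09:00:00"), "Security", 4672, {"SubjectUserName": "Administrator"}),
    WinEvent(_t("09:05:00"), "System", 7045, {"ServiceName": "PrintHelper",
             "ImagePath": r"C:\Windows\System32\printhelper.exe", "UserSid": "S-1-5-18"}),
    WinEvent(_t("09:10:00"), "Security", 4720, {"SubjectUserName": "helpdesk",
             "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-111-222-333-1105"}),
    WinEvent(_t("09:30:00"), "Security", 4720, {"SubjectUserName": "jdoe",
             "TargetUserName": "support_tmp", "TargetSid": "S-1-5-21-111-222-333-1106"}),
    WinEvent(_t("09:31:10"), "Security", 4672, {"SubjectUserName": "support_tmp",
             "PrivilegeList": "SeDebugPrivilege SeTcbPrivilege SeLoadDriverPrivilege"}),
    WinEvent(_t("09:32:45"), "System", 7045, {"ServiceName": "WinUpdateSvc",
             "ImagePath": r"C:\ProgramData\wupd.exe", "StartType": "auto start",
             "UserSid": "S-1-5-21-111-222-333-1106"}),
    # Legitimate account from 09:10 logs on with privileges but installs nothing.
    WinEvent(_t("09:40:00"), "Security", 4672, {"SubjectUserName": "svc_backup2"}),
]


def find_account_abuse_chains(events: List[WinEvent],
                              window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return every 4720 -> 4672 -> 7045 chain in which the account created by
    the 4720 event is the subject of the 4672 logon and the installer of the
    7045 service, in chronological order and within `window` of the creation."""
    ordered = sorted(events, key=lambda e: e.time)
    chains = []
    for created in ordered:
        if created.event_id != 4720 or created.log != "Security":
            continue
        acct = created.data["TargetUserName"]
        sid = created.data["TargetSid"]
        deadline = created.time + window
        # Step 2: the new account logs on with special privileges (Security 4672).
        priv = next((e for e in ordered if e.event_id == 4672 and e.log == "Security"
                     and created.time <= e.time <= deadline
                     and e.data.get("SubjectUserName") == acct), None)
        if priv is None:
            continue
        # Step 3: that account installs a service (System 7045) after the logon.
        svc = next((e for e in ordered if e.event_id == 7045 and e.log == "System"
                    and priv.time <= e.time <= deadline
                    and e.data.get("UserSid") == sid), None)
        if svc is None:
            continue
        chains.append({
            "account": acct,
            "created_by": created.data.get("SubjectUserName"),
            "privileges": priv.data.get("PrivilegeList", ""),
            "service": svc.data.get("ServiceName"),
            "image_path": svc.data.get("ImagePath"),
            "seconds_to_install": int((svc.time - created.time).total_seconds()),
            "timeline": [(created.time, 4720), (priv.time, 4672), (svc.time, 7045)],
        })
    return chains


if __name__ == "__main__":
    for chain in find_account_abuse_chains(SAMPLE_EVENTS):
        print(f"{chain['account']} (created by {chain['created_by']}) installed "
              f"{chain['service']} from {chain['image_path']} "
              f"{chain['seconds_to_install']}s after creation")
        for when, event_id in chain["timeline"]:
            print(f"  {when:%H:%M:%S}  Event ID {event_id}")
```

Run against the constructed data, the script reports the single `support_tmp` chain and ignores the noise: the administrator's 4672 logon, the SYSTEM-installed service before any account creation, and the legitimate `svc_backup2` account that logs on with privileges but never installs a service. On a live host the same three record types come from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4672}` and `@{LogName='System'; Id=7045}`; in production correlation you would match the 4672 logon on the subject SID rather than the user name, since names can be reused.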