Question 119 of 510
Security Operations · Hard · Multiple Choice · Objective-mapped

Quick Answer

The correct conclusion is that an attacker has compromised the jsmith account and used it to perform lateral movement and access sensitive data. This is because the sequence of Windows security events—Event ID 4624 with Logon Type 3 (a network logon) from jsmith to the domain controller, immediately followed by Event ID 4670 (permissions changed on an object) on a sensitive file share—is a classic indicator of lateral movement detection via Windows security events. The network authentication shows the attacker moved from one system to another using stolen credentials, while the permission change reveals privilege escalation to access protected data. On the CompTIA SecurityX CAS-004 exam, this scenario tests your ability to correlate logon types with subsequent object access events, a common trap where candidates mistake a simple network logon for benign activity. Remember the mnemonic “3-7-0” for lateral movement: Logon Type 3, then Event 4670, equals zero trust in that session.

CAS-004 Security Operations Practice Question

This CAS-004 practice question tests your understanding of security operations. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

```
Event: 4625 (An account failed to log on)
Account Name: Administrator
Source Network Address: 10.10.10.50
Logon Type: 3 (Network)
Status: 0xC000006D (bad username or password)

Event: 4624 (An account was successfully logged on)
Account Name: jsmith
Source Network Address: 10.10.10.50
Logon Type: 2 (Interactive)

Event: 4672 (Special privileges assigned to new logon)
Account Name: jsmith
Privileges: SeTcbPrivilege, SeDebugPrivilege

Event: 5140 (A network share object was accessed)
Account Name: jsmith$
Accesses: WriteData (or AddFile)
Share Name: \\*\C$
```

A security analyst reviews the above Windows security events from a domain controller. What is the most likely conclusion about the activity?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Correct answer & explanation

An attacker has compromised the jsmith account and used it to perform lateral movement and access sensitive data.

Event ID 4624 with Logon Type 3 (network logon) from jsmith to the domain controller, followed by Event ID 4670 (permissions on an object changed) on a sensitive file share, indicates lateral movement and privilege escalation. The combination of network authentication and subsequent access to sensitive data is a classic indicator of an attacker using compromised credentials to move laterally within the network.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The jsmith account is performing routine administrative tasks with standard user privileges.

    Why it's wrong here

    The event 4672 shows special privileges (SeTcbPrivilege, SeDebugPrivilege) that are not standard for a typical user.

  • An attacker has compromised the jsmith account and used it to perform lateral movement and access sensitive data.

    Why this is correct

    The sequence matches a typical Pass-the-Hash (PtH) chain: a failed logon as Administrator, then a successful interactive logon as jsmith with high privileges, then access to the C$ administrative share.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The Administrator account is locked out due to repeated failed logon attempts.

    Why it's wrong here

    A lockout would generate a different event (4740), and there is a successful logon right after, so this is not a lockout.

  • A user named jsmith is attempting to reset the Administrator password via network logon.

    Why it's wrong here

    The logon type for jsmith is interactive (2), not network (3), and the privileges indicate escalation, not password reset.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between logon types (e.g., Type 2 for interactive, Type 3 for network) and the specific event IDs associated with account management versus object access, leading candidates to confuse a network logon with a password reset or lockout event.

Trap categories for this question

  • Command / output trap

    The event 4672 shows special privileges (SeTcbPrivilege, SeDebugPrivilege) that are not standard for a typical user.

Detailed technical explanation

How to think about this question

Logon Type 3 (network logon) is used for SMB, RPC, or other network-based authentication, and when combined with Event ID 4670 (permission change on an object), it strongly suggests an attacker is using tools like PsExec or WMI to execute commands remotely after compromising credentials. In real-world attacks, this pattern is often seen in Pass-the-Hash or credential theft scenarios where an attacker uses a compromised domain account to access file shares or modify ACLs for persistence or data exfiltration.
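As an added example (not Courseiva's material), the Python below correlates the exhibit's four events into a single finding the way a SIEM rule would: a failed Administrator logon followed by a successful logon as a different account from the same source address, sensitive privileges on the 4672, and access to an administrative share on the 5140. The log text is constructed in the exhibit's format, and the two-signal threshold and admin-share list are assumptions of this example.

```python
import re
from collections import defaultdict
# Constructed sample in the exhibit's "Key: value" block format (one event per blank-separated block).
SAMPLE_LOG = """Event: 4625 (An account failed to log on)
Account Name: Administrator
Source Network Address: 10.10.10.50
Logon Type: 3 (Network)

Event: 4624 (An account was successfully logged on)
Account Name: jsmith
Source Network Address: 10.10.10.50
Logon Type: 2 (Interactive)

Event: 4672 (Special privileges assigned to new logon)
Account Name: jsmith
Privileges: SeTcbPrivilege, SeDebugPrivilege

Event: 5140 (A network share object was accessed)
Account Name: jsmith$
Share Name: \\\\*\\C$"""
SENSITIVE_PRIVS = {"SeTcbPrivilege", "SeDebugPrivilege"}  # act-as-SYSTEM and debug-any-process
ADMIN_SHARES = ("C$", "ADMIN$")  # assumed list of shares worth alerting on

def parse_events(text):  # blank-line-separated blocks -> dicts; 'id' holds the numeric Event ID
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in block.splitlines())}
        events.append({**ev, "id": int(re.match(r"\d+", ev["Event"]).group())})
    return events

def account(ev):
    return ev.get("Account Name", "").rstrip("$").lower()  # exhibit writes 'jsmith$' on the 5140

def detect_credential_abuse(events):  # -> [(source_ip, account, reasons)] for corroborated 4624s
    failed_by_src = defaultdict(set)  # source address -> accounts that failed (4625) from it
    for ev in (e for e in events if e["id"] == 4625):
        failed_by_src[ev.get("Source Network Address")].add(account(ev))
    findings = []
    for i, ev in ((i, e) for i, e in enumerate(events) if e["id"] == 4624):
        src, acct, reasons = ev.get("Source Network Address"), account(ev), []
        other_failed = failed_by_src[src] - {acct}  # failed as one account, then succeeded as another
        if other_failed:
            reasons.append(f"4625 for {sorted(other_failed)} from {src} before this logon")
        for later in (e for e in events[i + 1:] if account(e) == acct):
            privs = {p.strip() for p in later.get("Privileges", "").split(",")} & SENSITIVE_PRIVS
            if later["id"] == 4672 and privs:
                reasons.append("4672 granted " + ", ".join(sorted(privs)))
            if later["id"] == 5140 and later.get("Share Name", "").endswith(ADMIN_SHARES):
                reasons.append("5140 access to admin share " + later["Share Name"])
        if len(reasons) >= 2:  # one signal alone is noise; two or more is worth an analyst's time
            findings.append((src, acct, reasons))
    return findings
```

A lone successful logon with no prior failure, no sensitive privileges and no admin-share access produces no finding, which is the benign case the first distractor describes.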

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CAS-004 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CAS-004 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CAS-004 question test?

Security Operations — This question tests Security Operations: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: An attacker has compromised the jsmith account and used it to perform lateral movement and access sensitive data. — Event ID 4624 with Logon Type 3 (network logon) from jsmith to the domain controller, followed by Event ID 4670 (permissions on an object changed) on a sensitive file share, indicates lateral movement and privilege escalation. The combination of network authentication and subsequent access to sensitive data is a classic indicator of an attacker using compromised credentials to move laterally within the network.

What should I do if I get this CAS-004 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →


Last reviewed: Jun 11, 2026


This CAS-004 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CAS-004 exam.