A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?
- A
Disable the software updater immediately to prevent further registry modifications.
Why wrong: Disabling the software updater might prevent future legitimate updates and does not address the possibility that the updater is being exploited. The analyst should first confirm whether the activity is malicious.
- B
Create an exception rule in the EDR to suppress future alerts for this process.
Why wrong: Creating an exception without thorough investigation risks allowing an attacker to hide malicious activity behind a trusted process name. This is a common but dangerous shortcut.
- C
Investigate the user's recent activity and check for signs of process hollowing or DLL injection.
This is the correct next step. The analyst should examine the process's behavior in depth, including checking for anomalies such as unexpected command-line arguments, suspicious parent processes, or indicators of code injection, before concluding whether the alert is a false positive.
- D
Isolate the workstation from the network and reimage the system immediately.
Why wrong: Isolation and reimaging are extreme measures that should be reserved for confirmed compromises. Without evidence that the workstation is truly infected, this action would be premature and disruptive.