Refer to the exhibit. A security analyst detects unusual process creation. Which attack technique is most likely being observed?
Mimikatz can inject into lsass.exe to dump credentials; spawning cmd.exe from lsass.exe is a common post-exploitation step.
Why this answer
The exhibit shows a cmd.exe process spawned by lsass.exe, the Local Security Authority Subsystem Service, which is abnormal. A parent process of lsass.exe indicates that an attacker may have injected code into lsass.exe to execute commands. The privileges assigned to the logon session include SeDebugPrivilege and SeTcbPrivilege, which are high privileges.
This is indicative of a Pass-the-Hash or credential dumping attack where the attacker uses LSASS to extract credentials or execute commands with SYSTEM privileges.