A cybersecurity analyst is reviewing the following alerts generated by the organization's SIEM overnight. The analyst must determine which event represents the most critical and immediate threat. Which of the following alerts should be prioritized for investigation?
Three new accounts with administrative privileges were created on a production server at 3:00 AM.
The HR department's automated script created 10 new standard user accounts during regular business hours.
A high volume of failed login attempts against a single executive account from an external IP address.
A user account was automatically locked out after five incorrect password attempts, per company policy.
The correct answer is the creation of three new administrative accounts at 3:00 AM. This is the most critical event because it is a strong indicator of a successful compromise where an attacker is creating persistent access. The creation of privileged accounts, especially at unusual hours, is a common post-exploitation technique (MITRE ATT&CK T1136) and represents a much higher immediate risk than the other events. A high volume of failed logins is concerning but indicates an unsuccessful attempt so far. An account lockout is a successful preventative security control action. The creation of standard user accounts by an HR script during business hours is expected and normal behavior.