A cybersecurity analyst notices multiple new user accounts have been created on a company's Active Directory within a very short period. All accounts follow a similar naming convention and were created by an administrator account that usually does not perform this task. Which of the following would be the BEST step for the analyst to take in order to determine if this activity is malicious?
Analyze current threat intelligence reports to check for similar activity patterns.
Immediately disable the newly created accounts until they can be verified.
Increase the network bandwidth to handle the additional load introduced by new users.
Investigate the credentials and recent activity of the administrator account in question.
Correct answer: Investigate the credentials and recent activity of the administrator account in question. The unusual element here is not the new accounts themselves but who created them: an administrator account that does not normally create users, producing several in a short burst, is a classic indicator of compromised credentials or an insider misusing access. Reviewing the creation events (Windows Security Event ID 4720, "A user account was created") and correlating them with that admin's logon events (Event ID 4624) shows the time, source IP address or workstation, logon type and session behind the activity, which either exposes an anomaly (an off-hours RDP session from an unfamiliar host, for example) or confirms that the action was authorized, such as a scripted onboarding run. Also worth checking: whether the new accounts were added to privileged groups and whether a change ticket exists. Disabling the new accounts is a reasonable containment step once compromise is confirmed, but taken first it does not address the root cause (the admin account) and can disrupt legitimate operations if the accounts are valid. Threat intelligence may add broader context but does not directly establish what happened on this domain. Increasing network bandwidth is unrelated to the question of who created the accounts and why.
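The investigation described above, as an added PowerShell example that is not part of the original question or explanation. It queries a domain controller's Security log for account-creation events (ID 4720), groups them by the creating account to show the burst, then pulls the logon events (ID 4624) whose logon ID matches the sessions that performed the creations, so the analyst can see source host, logon type and timing. The DC name, look-back window and suspect account name are assumptions for illustration.

```powershell
# Added example, not from the original page. Correlates "A user account was
# created" (4720) with the creator's logon sessions (4624) on a DC.
# Assumptions: DC name, 24-hour window, and the suspect account are placeholders.

$Dc    = 'DC01'                  # assumption: your domain controller
$Since = (Get-Date).AddHours(-24)

# Flatten an event's EventData fields into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Account-creation events in the window. SubjectLogonId is the session
#    of the account that performed the creation.
$created = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4720; StartTime = $Since
} | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Creator   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        CreatorId = $d.SubjectLogonId
        NewUser   = $d.TargetUserName
    }
}

# Burst view: which account created how many users, and over what span.
$created | Group-Object Creator | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        Creator  = $_.Name
        Count    = $_.Count
        First    = $times[0]
        Last     = $times[-1]
        Accounts = ($_.Group.NewUser -join ', ')
    }
} | Format-Table -AutoSize

# 2. For the suspect creator, find the logon session(s) behind the creations:
#    a 4624 event's TargetLogonId equals the SubjectLogonId seen on the 4720s.
$Suspect  = 'CORP\svc-backup'    # assumption: the admin account flagged in step 1
$logonIds = $created | Where-Object Creator -eq $Suspect |
            Select-Object -ExpandProperty CreatorId -Unique

Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Since
} | ForEach-Object {
    $d = Get-EventData $_
    if ($logonIds -contains $d.TargetLogonId) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType   # 2 interactive, 3 network, 10 RDP
            SourceIp    = $d.IpAddress
            Workstation = $d.WorkstationName
            LogonId     = $d.TargetLogonId
        }
    }
} | Format-Table -AutoSize
```

Run it from a host with read access to the DC's Security log (Event Log Readers membership is enough). An off-hours RDP (LogonType 10) session from an unrecognized source IP creating a run of similarly named accounts is the pattern that points to credential compromise; a LogonType 3 session from the usual provisioning server at the usual time points to an authorized, if unexpected, job.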