During a weekly review of the organization's identity-management logs, a security analyst notices several account-related events that occurred within the last 24 hours. Which of the following events should be treated as an immediate red flag that may indicate an attacker is attempting to establish unauthorized persistence?
A guest account with read-only access to a shared folder was created for an onsite vendor.
Forty temporary contractor accounts were bulk-provisioned at 09:00 during a planned onboarding exercise.
A DevOps pipeline generated a test service account that was automatically deleted after the build completed.
A new domain-administrator account was created from a workstation at 02:17, well outside the change-control window.
Creation of a new domain-level administrator account at 02:17, outside the approved change-control window, is highly suspicious. Attackers often create or elevate accounts during off-hours to avoid detection and quickly gain privileged access. Bulk onboarding during scheduled hours, limited-privilege guest accounts, and short-lived test service accounts generally follow documented procedures and, while they should be logged, are not inherently malicious.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are administrative privileges?
Open an interactive chat with Bash
Why are non-standard hours a risk for new account creation?
Open an interactive chat with Bash
How can monitoring detect unauthorized account activity?