Microsoft Security Operations Analyst Associate SC-200 Practice Question
You plan to use Microsoft Defender XDR Deception to detect credential-dumping attempts that target the Local Security Authority Subsystem Service (LSASS) on Windows 11 endpoints. You need a rule that meets the following requirements:
Raises a high-severity alert when any running process opens a handle to the lsass.exe process.
Applies to every onboarded device without having to list devices individually.
How should you configure the deception rule?
Create a Process handle access deception rule that protects lsass.exe and scope it to All devices with High severity.
Create a File access deception rule that monitors %SystemRoot%\System32\lsass.exe and scope it to specific high-value servers only.
Create a Process creation deception rule that blocks any new process named lsass.exe from starting and apply it to all devices.
Create a Registry key access deception rule that protects HKLM\SYSTEM\CurrentControlSet\Control\Lsa and apply it to All devices with Medium severity.
To detect credential-dumping activity, create a Process handle access deception rule. This rule type lets you specify a protected process (lsass.exe); when any other process opens a handle to the protected process, Defender XDR raises an alert. Choosing the All devices scoping option enforces the rule on every device onboarded to Microsoft Defender for Endpoint, so you do not need to maintain a static device list. Selecting High for Severity ensures the alert is surfaced with the required priority. Note that legitimate software such as antivirus engines and some Windows system processes also open handles to lsass.exe, so expect to tune exclusions to keep the alert actionable. The other options are incorrect because:
A File access rule watches for file I/O against the on-disk image, not handle access to the running process, and scoping it to specific servers only fails the requirement to cover every onboarded device.
A Registry key access rule monitors registry operations and cannot observe handles opened to the LSASS process.
A Process creation rule fires only when a process starts; it would miss an attacker attaching to the already running lsass.exe process, and blocking new processes named lsass.exe is not what the requirements ask for.
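As an added example that is not part of the original question or of Microsoft's product documentation: an advanced hunting query over the DeviceEvents table in Microsoft Defender XDR that surfaces the same behavior the deception rule is meant to catch (a process opening a handle to lsass.exe), so you can validate on onboarded devices that the rule's coverage matches the telemetry you actually see. The table, ActionType and column names are from the documented DeviceEvents schema; the process names in the exclusion list are assumed examples of benign handle openers, not a Microsoft recommendation, and should be replaced with what you observe in your environment.

```kql
// Added example: hunt for processes that opened a handle to lsass.exe
// in the last 7 days. OpenProcessApiCall events record the target process
// in FileName and the caller in the InitiatingProcess* columns.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
// Assumed allowlist of benign handle openers; tune to your environment.
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "csrss.exe", "wininit.exe")
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Count desc
```

Run the query before and after enabling the rule: callers that appear here with high counts on many devices are the candidates for exclusion, while a single unsigned binary or a script host opening lsass.exe on one device is the case the high-severity alert exists for.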
SC-200 exam domain: Configure protections and detections