Question 9 of 10

During your monitoring shift, you observe the following sequence of alerts from the same internal workstation: a DNS query to a newly registered domain, followed by a large outbound data transfer to an external IP, followed by a new scheduled task being created. How would you assess this situation using the Cyber Kill Chain or MITRE ATT&CK framework?

Sample answer preview

This sequence of alerts is highly concerning: each event might be benign in isolation, but taken together they paint a picture of a possible active compromise progressing through multiple stages.

Tags: Cyber Kill Chain, MITRE ATT&CK, command and control, exfiltration, persistence, scheduled task
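As an added example (not part of this site's model answer), the Python below shows how an analyst would turn the reasoning in the question into correlation logic: each alert type is enriched with an assumed Cyber Kill Chain stage and ATT&CK tactic/technique, alerts are grouped per host, and a host is escalated when several distinct tactics appear inside a short time window. The alert records, host names and the hour-long window are constructed for illustration; the technique IDs (T1071.004, T1041, T1053.005) are one plausible mapping that a real SOC would refine against its own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for one monitoring shift (invented, not real telemetry).
# WS-1042 reproduces the sequence from the question; the other hosts show
# single alerts and alerts too far apart in time to correlate.
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:02:10", "host": "WS-1042", "type": "dns_newly_registered_domain",
     "detail": "query for a domain registered 2 days ago"},
    {"ts": "2024-05-01T09:14:45", "host": "WS-1042", "type": "large_outbound_transfer",
     "detail": "412 MB to an external IP over TCP/443"},
    {"ts": "2024-05-01T09:21:03", "host": "WS-1042", "type": "scheduled_task_created",
     "detail": "task 'OneDriveSync' runs a script from %APPDATA%"},
    {"ts": "2024-05-01T12:00:00", "host": "WS-1042", "type": "usb_device_inserted",
     "detail": "mass storage device (no mapping in this example)"},
    {"ts": "2024-05-01T10:30:00", "host": "WS-0007", "type": "dns_newly_registered_domain",
     "detail": "query for a domain registered 5 days ago"},
    {"ts": "2024-05-01T11:05:00", "host": "WS-0311", "type": "large_outbound_transfer",
     "detail": "900 MB to a backup provider IP"},
    {"ts": "2024-05-01T15:40:00", "host": "WS-0311", "type": "scheduled_task_created",
     "detail": "task created by the software deployment agent"},
]

# Assumed mapping of alert type -> kill-chain stage and ATT&CK tactic/technique.
ALERT_MAP = {
    "dns_newly_registered_domain": {
        "kill_chain": "Command and Control",
        "tactic": "TA0011 Command and Control",
        "technique": "T1071.004 Application Layer Protocol: DNS",
    },
    "large_outbound_transfer": {
        "kill_chain": "Actions on Objectives",
        "tactic": "TA0010 Exfiltration",
        "technique": "T1041 Exfiltration Over C2 Channel",
    },
    "scheduled_task_created": {
        "kill_chain": "Installation",
        "tactic": "TA0003 Persistence",
        "technique": "T1053.005 Scheduled Task/Job: Scheduled Task",
    },
}

# Canonical Lockheed Martin Cyber Kill Chain order, used to report the deepest stage reached.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]


def enrich(alert):
    """Attach kill-chain stage and ATT&CK tactic/technique to a raw alert; unknown types get None."""
    enriched = dict(alert, ts=datetime.fromisoformat(alert["ts"]))
    enriched.update(ALERT_MAP.get(alert["type"], {"kill_chain": None, "tactic": None, "technique": None}))
    return enriched


def correlate(alerts, window_hours=1.0):
    """Per host, find the time window holding the most distinct ATT&CK tactics and give a verdict.

    The observed order is deliberately NOT required to match the framework's order:
    here persistence shows up after exfiltration, which is still a compromise, not a contradiction.
    """
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for a in map(enrich, alerts):
        by_host[a["host"]].append(a)

    findings = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["ts"])
        best = []  # mapped alerts in the window with the most distinct tactics
        for i, start in enumerate(host_alerts):
            cluster = [a for a in host_alerts[i:]
                       if a["tactic"] and a["ts"] - start["ts"] <= window]
            if len({a["tactic"] for a in cluster}) > len({a["tactic"] for a in best}):
                best = cluster
        tactics = sorted({a["tactic"] for a in best})
        stages = [a["kill_chain"] for a in best]
        verdict = "escalate" if len(tactics) >= 3 else "investigate" if len(tactics) == 2 else "triage"
        findings[host] = {
            "tactics": tactics,
            "techniques": sorted({a["technique"] for a in best}),
            "observed_order": stages,
            "deepest_stage": max(stages, key=KILL_CHAIN.index) if stages else None,
            "verdict": verdict,
            "unmapped": [a["type"] for a in host_alerts if a["tactic"] is None],
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: {f['verdict']:<11} {' -> '.join(f['observed_order']) or '(single stage)'}")
```

With the constructed input, WS-1042 reaches three tactics (C2, exfiltration, persistence) within twenty minutes and is escalated, WS-0007 has a lone newly-registered-domain lookup and stays at triage, and WS-0311 only becomes "investigate" if the window is widened to cover its four-hour gap, which is the knob an analyst tunes against false-positive volume.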
