
Eccouncil Exam 212-82 Topic 6 Question 34 Discussion

Actual exam question for Eccouncil's 212-82 exam
Question #: 34
Topic #: 6

The SOC department in a multinational organization has collected logs of a security event as "Windows.events.evtx". Study the Audit Failure logs in the event log file located in the Documents folder of the "Attacker Machine-1" and determine the IP address of the attacker. (Note: The event ID of Audit failure logs is 4625.)

(Practical Question)

Suggested Answer: C

The IP address of the attacker is 10.10.1.16. This can be verified by analyzing the Windows.events.evtx file using a tool such as Event Viewer or Log Parser. The file contains several Audit Failure logs with event ID 4625, which indicate failed logon attempts to the system. The logs show that the source network address of the failed logon attempts is 10.10.1.16, which is the IP address of the attacker. The screenshot below shows an example of viewing one of the logs using Event Viewer:

Reference: Audit Failure Log, [Windows.events.evtx], [Screenshot of Event Viewer showing Audit Failure log]
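The check the suggested answer describes, as an added example that is not part of the original page: it tallies the `IpAddress` field (shown as Source Network Address in Event Viewer) across Event ID 4625 records. It assumes the .evtx has been exported to XML under an `<Events>` root; the function name and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NO_REMOTE = {"", "-", "127.0.0.1", "::1"}  # local failures carry no remote address


def _event(event_id, user, ip):
    """Build one constructed Security event in Windows event XML form."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="IpAddress">{ip}</Data>'
        "</EventData></Event>"
    )


# Constructed sample export; addresses are documentation ranges, not the exam file's.
SAMPLE_XML = "<Events>" + "".join([
    _event(4625, "Administrator", "192.0.2.44"),
    _event(4625, "Administrator", "192.0.2.44"),
    _event(4624, "alice", "198.51.100.7"),   # successful logon, not a failure
    _event(4625, "backup", "192.0.2.44"),
    _event(4625, "alice", "-"),              # console failure, no source address
    _event(4625, "guest", "198.51.100.7"),
]) + "</Events>"


def failed_logon_sources(xml_text):
    """Return [(source_ip, failures, targeted_accounts)], most failures first."""
    counts, accounts = Counter(), {}
    # For exports from an untrusted host, parse with defusedxml instead.
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        ip = data.get("IpAddress", "")
        if ip in NO_REMOTE:
            continue
        counts[ip] += 1
        accounts.setdefault(ip, set()).add(data.get("TargetUserName", ""))
    return [(ip, n, sorted(accounts[ip])) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, n, users in failed_logon_sources(SAMPLE_XML):
        print(f"{ip}: {n} failed logons against {', '.join(users)}")
```

The address with the most 4625 records, spread over several target accounts, is the one to investigate first.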


Contribute your Thoughts:

Lettie
3 months ago
I bet the attacker is using a VPN to hide their real IP address. Good luck finding them, they're probably sipping piña coladas on a beach somewhere.
upvoted 0 times
...
Mattie
4 months ago
I'm going to have to go with A - 10.10.1.12. It's the only option that doesn't sound like it was pulled out of a hat.
upvoted 0 times
...
Xenia
4 months ago
This is a no-brainer! The IP address of the attacker is clearly D - 10.10.1.19. I can practically smell the hacker's cologne from here.
upvoted 0 times
Jannette
3 months ago
Yep, D - 10.10.1.19 is definitely the IP address of the attacker in this case.
upvoted 0 times
...
Rebbecca
3 months ago
I agree, it's pretty obvious that the answer is D - 10.10.1.19.
upvoted 0 times
...
Howard
3 months ago
I think you're right, the IP address of the attacker is indeed D - 10.10.1.19.
upvoted 0 times
...
...
Son
4 months ago
Hmm, let's see. The question says to study the Audit Failure logs, so I'm going to have to go with C - 10.10.1.16. I'm feeling lucky today!
upvoted 0 times
Sheridan
3 months ago
I'm going with D - 10.10.1.19
upvoted 0 times
...
Elli
3 months ago
I believe it's C - 10.10.1.16
upvoted 0 times
...
Leonie
3 months ago
I'm leaning towards B - 10.10.1.10
upvoted 0 times
...
Shoshana
3 months ago
I think it might be A - 10.10.1.12
upvoted 0 times
...
...
Rolande
4 months ago
The event ID 4625 indicates a failed login attempt, so I'm going to go with option B - 10.10.1.10. That's the most likely IP address of the attacker based on the information provided.
upvoted 0 times
Kris
3 months ago
Let's go with option B - 10.10.1.10 as the IP address of the attacker in this security event.
upvoted 0 times
...
Floyd
3 months ago
Yeah, 10.10.1.10 is the most likely IP address of the attacker based on the Audit Failure logs.
upvoted 0 times
...
Anthony
3 months ago
I agree, the event ID 4625 points to a failed login, so option B seems like the right choice.
upvoted 0 times
...
Joye
3 months ago
I think option B - 10.10.1.10 makes sense because of the failed login attempt.
upvoted 0 times
...
...
Leanna
4 months ago
I agree with Vincenza, I also think the attacker's IP address is C) 10.10.1.16.
upvoted 0 times
...
Vincenza
5 months ago
I'm leaning towards C) 10.10.1.16, based on the logs I analyzed.
upvoted 0 times
...
Mike
5 months ago
I disagree, I believe the correct answer is B) 10.10.1.10.
upvoted 0 times
...
Fernanda
5 months ago
I think the answer is A) 10.10.1.12.
upvoted 0 times
...
