An incident response analyst in a corporate security operations center receives a phone call from an SOC analyst. The SOC analyst explains the help desk recently reimaged a workstation that was suspected of being infected with an unknown type of malware; however, even after reimaging, the host continued to generate SIEM alerts. Which of the following types of malware is MOST likely responsible for producing the SIEM alerts?

A. Ransomware
B. Logic bomb
C. Rootkit
D. Adware

by Rido (7.3k points)

1 Answer

Final answer:

A rootkit is most likely the malware causing persistent SIEM alerts after reimaging because it can embed itself deeply into system components that are not removed during the reimaging process.

Step-by-step explanation:

An incident response analyst has been notified by a SOC analyst via phone that a workstation continues to generate SIEM alerts even after being reimaged due to a suspected malware infection. The type of malware most likely responsible for these persistent SIEM alerts after reimaging is a rootkit. Rootkits are known for their ability to embed themselves deeply into the operating system, sometimes in the bootloader or firmware, which can survive the reimaging of the operating system. Unlike other malware such as ransomware, adware, or logic bombs, rootkits have the capability to maintain persistence and conceal their presence, thus continuing to trigger alerts after the system is thought to be clean.

by Fryguybob (8.0k points)
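The practical signal behind this question is a host that keeps alerting after the help desk reports a reimage. The following Python is an added example, not part of the original post or any vendor's product: it runs simple correlation logic over constructed log lines (the `timestamp|host|event|detail` format, the `REIMAGE_COMPLETE` and `SIEM_ALERT` event names, and the hostnames are all assumptions for illustration) and flags hosts whose alert signatures survive the latest reimage, which is the condition that should escalate the case toward a boot-level or firmware-level persistence check rather than another wipe.

```python
from datetime import datetime

# Constructed sample log (not from the page). Format: timestamp|host|event|detail
SAMPLE_LOG = """\
2024-03-01T08:00:00|WS-101|SIEM_ALERT|suspicious outbound beacon
2024-03-01T09:30:00|WS-101|REIMAGE_COMPLETE|help desk ticket 1234
2024-03-01T11:05:00|WS-101|SIEM_ALERT|suspicious outbound beacon
2024-03-01T13:40:00|WS-101|SIEM_ALERT|suspicious outbound beacon
2024-03-01T08:10:00|WS-202|SIEM_ALERT|credential dumping attempt
2024-03-01T10:00:00|WS-202|REIMAGE_COMPLETE|help desk ticket 1235
2024-03-01T07:00:00|WS-303|SIEM_ALERT|adware popup
"""


def parse_log(text):
    """Parse pipe-delimited lines into (timestamp, host, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return events


def alerts_surviving_reimage(events):
    """For every host that was reimaged, return the set of alert signatures
    seen AFTER its most recent REIMAGE_COMPLETE event (empty set = clean)."""
    last_reimage = {}
    for ts, host, event, _ in events:
        if event == "REIMAGE_COMPLETE":
            # keep only the latest reimage per host
            if host not in last_reimage or ts > last_reimage[host]:
                last_reimage[host] = ts

    surviving = {host: set() for host in last_reimage}
    for ts, host, event, detail in events:
        if event == "SIEM_ALERT" and host in last_reimage and ts > last_reimage[host]:
            surviving[host].add(detail)
    return surviving


def triage(events):
    """Map each reimaged host to a triage verdict. Alerts that persist after a
    fresh OS image point at persistence below the OS (bootloader/firmware), the
    rootkit scenario described in the answer above, so the verdict is to
    escalate for boot/firmware integrity verification instead of reimaging again."""
    verdicts = {}
    for host, sigs in alerts_surviving_reimage(events).items():
        if sigs:
            verdicts[host] = ("ESCALATE: %d alert signature(s) survived reimage; "
                              "verify boot/firmware integrity, suspect rootkit" % len(sigs))
        else:
            verdicts[host] = "OK: no alerts since reimage"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(host, "->", verdict)
```

WS-303 never had a reimage event, so it is deliberately absent from the result: the check only makes a claim about hosts where a wipe was actually performed, which avoids mislabelling an ordinary still-infected machine as a firmware-level case.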