What method best describes how an attacker compromised a laptop according to SIEM logs?


The choice indicating that an attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack accurately describes a method that can be monitored and recorded within SIEM logs. A pass-the-hash attack involves capturing password hashes from one system and using them to authenticate against another system without needing the plaintext password. This type of lateral movement can be detected by SIEM systems, as they often log authentication attempts and can highlight unusual access patterns, such as an account being used to access different machines in a short period of time.

This method showcases an advanced technique that exploits weaknesses in credential storage and management within Windows environments. SIEM logs would capture these authentication events, allowing for investigation into any lateral movement and potential compromise of additional systems.

The other options represent valid attack vectors but do not demonstrate lateral movement as clearly as the chosen answer. B involves bypassing application whitelisting, which typically concerns user behavior on a single system rather than movement across multiple systems. C focuses on malware installation and privilege escalation which, although significant, does not necessarily indicate lateral movement. D describes credential phishing, which concerns initial access rather than movement between systems. Each option could lead to a compromise, but A is most relevant for illustrating how SIEM logs would
