Scenario

As a senior cybersecurity engine$$r for an organization, you review past incident reports involving the recovery of systems or applications from a backup image. You read a very recent after$-$action report $($AAR$)$ from one of the offices, summarizing the following incident:

$"$On June $20,2022,$ at $1$:$55$ P$.$M$.,$ finance department personnel reported that their web applications were no longer accessible. At $3$:$00$ P$.$M$.,$ a system admin opens a VM console to the department's VM and finds it at the BSOD. The admin reboots the server resulting in no change. The security admin if$=$searches the stop error code and notates a possible security breach. The admin copies the VM to disk to isolate the data for further examination and restores the server at $4$:$00$ P$.$M$.$ from the previous night's backup image. The system admin confirmed the web services were running, and users.confirmed that they could access services at $4$:$30$ P$.$M$."$

You notice many ways to improve the response time to the incident. As you further analyze the AAR and various technical logs$,$ you pinpoint multiple items discovered and list the source from which you found the items. You plan to educate the organization's security operations team on how to better utilize the various tools they have in place to detect and prevent similar breaches.

Instructions

Based on the scenario, match the source to the indicator of compromise $($IoC$).$

$\backslash$table$[[\backslash$table$[[$A non$-$administrative$],[$account$,$ added to an$],[$administrative AD group,$],[$triggered an alert.$],[$Blank $1]],\backslash$table$[[$Various nmap actions$],[$detected across multiple$],[$subnets$.],[$Blank $2]],\backslash$table$[[$Entry in the Windows Event$],[$Viewer indicate a log$-$on with$],[$new credentials that was$],[$allocated special privileges.$],[$Blank $3]],\backslash$table$[[$Employee testimony$],[$indicates that they may have$],[$witnessed a breach in$],[$progress$.],[$Blank $4]]],[\backslash$table$[[$Increased traffic across the$],[$network points to an$],[$attempted denial of service$],[($DoS$)$ attack.$]],\backslash$table$[[$Cryptographic hash of an$],[$important file no longer$],[$matches its known, accepted$],[$value$.]],\backslash$table$[[$An entry in the firewall log$],[$indicates a dropped$],[$connection intended for a$],[$blocked port.$]],\backslash$table$[[$An organization named$],[\text{'}$Anonymous$\text{'}$ has posted on$],[$social media that they are$],[$responsible for the attack.$]]],[$Blank $5,$Blank $6,$Blank $7,$Blank $8]]$