An attacker has obtained the user ID and password of a data center's backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action?
A. Perform a passive reconnaissance of the network.
B. Initiate a confidential data exfiltration process.
C. Look for known vulnerabilities to escalate privileges.
D. Create an alternate user ID to maintain persistent access.