Practice 200-201 Network Intrusion Analysis questions with full explanations on every answer.
1. During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?
2. An analyst reviewing network alerts notices a rule triggered for 'ET SCAN NMAP -sU scan' based on traffic to a Linux server. The packet capture shows multiple UDP packets to various ports, and for closed ports, the server responds with ICMP Destination Unreachable (Port Unreachable). Which type of scan is being performed, and how should the analyst classify this alert?
3. A security analyst is investigating an alert that indicates a potential SQL injection attack. Which of the following HTTP request patterns is most indicative of a SQL injection attempt?
4. An analyst detects traffic from an internal host that periodically sends small DNS queries to a domain with high entropy subdomains (e.g., 'a3k9f2.example.com'). The domain is not on any blocklist, and the query intervals are consistent every 60 seconds. Which technique is most likely being used?
5. During an incident response, an analyst extracts a file from a PCAP using Wireshark's 'Export Objects' feature. The file contains shellcode that uses NOP sleds and encodes a reverse shell command. Which Cyber Kill Chain phase does this file represent?
6. An analyst is investigating lateral movement and observes SMB authentication attempts from host A to multiple other hosts using NTLM authentication with a hash value instead of a password. Which attack technique is most likely being used?
7. A network analyst is examining a PCAP file and applies the Wireshark display filter 'http.request'. The results show several POST requests to '/login.php' with parameters containing 'username=admin&password=secret'. What type of attack is indicated?
8. An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?
9. An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?
10. A security analyst is reviewing PCAP data and sees a TCP stream with interactive shell commands such as 'whoami', 'ls -la', and 'cat /etc/passwd'. The session appears to be bidirectional with a remote IP. Which type of attack is most likely occurring?
11. An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?
12. During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?
13. A security analyst is investigating a suspected data exfiltration incident. Which TWO of the following indicators are most consistent with exfiltration over DNS?
14. An analyst is analyzing a PCAP from a compromised host. Which THREE of the following are common indicators of exploitation attempts in network traffic?
15. An analyst is examining network alerts for lateral movement. Which TWO of the following are typical indicators of lateral movement using SMB?
16. A security analyst observes repeated ICMP port unreachable responses from a target host. The source IP is sending packets to multiple UDP ports. Which type of scan is most likely being performed?
17. During an intrusion analysis, a SOC analyst reviews logs showing an outbound connection from an internal host to an external IP at 03:00 AM every 60 seconds. The traffic is HTTPS to a suspicious domain with a high entropy name. Which phase of the Cyber Kill Chain does this activity represent?
18. An analyst is reviewing alerts from an IDS. A signature matched 'script' and 'alert' in HTTP request parameters. The analyst inspects the packet and sees <script>alert('XSS')</script> in the URI. What is the most accurate classification of this alert?
19. In a PCAP analysis, an analyst uses the filter 'http.request.uri contains "UNION"' and finds multiple HTTP requests with 'SELECT' and 'UNION SELECT' in the URI parameter. Which type of attack is likely occurring?
20. An analyst examines PCAP and sees multiple SMB sessions from internal host 10.1.1.10 to 10.1.1.20, 10.1.1.30, and 10.1.1.40 within seconds. The NTLM authentication contains a hash parameter that is identical across sessions. Which lateral movement technique is most likely being used?
21. An analyst observes a series of DNS queries for subdomains like 'ZGVzdGluYXRpb24= .malicious.com' where the subdomain part appears base64-encoded. The volume of DNS traffic from a single host is unusually high. Which exfiltration technique is most likely in use?
22. During incident response, an analyst extracts files from a PCAP using Wireshark's Export Objects feature. One extracted file is a PDF that triggers an IDS alert for 'Exploit:PDF/HeapSpray'. Which technique does this alert describe?
23. A SOC analyst sees an alert for 'Possible SQL Injection' on a web server. Reviewing the PCAP, the analyst finds the parameter 'id=1 OR 1=1' in the HTTP request. However, the web server returns a normal page with no signs of compromise. What is the correct classification?
24. An analyst captures traffic and sees a TCP connection with only a SYN packet and an RST response. No SYN-ACK is observed. Which scan technique is this?
25. A threat hunter identifies a binary that uses a Domain Generation Algorithm (DGA) to create domain names like 'eksdghf23.com', 'mzncxv89.net' each day. The malware contacts these domains over HTTPS. Which phase of the Cyber Kill Chain is most directly associated with this technique?
26. An analyst reviews network logs and sees a large outbound FTP transfer of 500 MB from a workstation to an external IP at 2:00 AM. The workstation regularly sends 10 MB daily. What should the analyst suspect?
27. An analyst filters PCAP with 'tcp.stream eq 0' and sees an interactive shell session with commands like 'whoami', 'ls -la', 'cd /etc'. The session originated from an HTTP POST to a web shell. Which type of attack is this?
28. An analyst identifies an alert for 'ET TROJAN Win32/DarkComet RAT Beacon'. The analyst confirms the host is infected. Which TWO phases of the Cyber Kill Chain have been completed prior to this C2 beacon? (Choose two.)
29. A SOC analyst is investigating a suspected data exfiltration. Which THREE indicators in network traffic are most consistent with exfiltration? (Choose three.)
30. An analyst is reviewing PCAP from a network intrusion. The attacker used a payload with ROP gadgets and shellcode. Which TWO exploitation indicators are associated with this attack? (Choose two.)
31. An analyst observes an alert triggered by a single SYN packet to a closed port. The packet did not complete a TCP handshake. What type of attack does this most likely indicate?
32. During alert triage, an analyst determines that an alert fired but no actual attack or malicious activity occurred on the network. How should this alert be classified?
33. An analyst reviews PCAP traffic and sees a series of HTTP POST requests from an internal host to an external IP at exactly 60-second intervals. The payload size is consistent. Which phase of the Cyber Kill Chain does this activity most likely represent?
34. While analyzing a PCAP, an analyst uses the Wireshark filter 'http.request' and finds a URI parameter containing '%27%20UNION%20SELECT%201,2,3%20--'. What type of attack is indicated?
35. An analyst detects multiple SMB authentication attempts from a single internal host to several other internal hosts using NTLM hashes instead of plaintext passwords. Which technique is most likely being used?
36. An analyst notices that a DNS query for 'www.attacker.com' contains a long subdomain with Base64-encoded data. This activity is observed every 5 minutes. What exfiltration technique is most likely in use?
37. In a PCAP, an analyst sees a large outbound data transfer over FTP to an external IP address during non-business hours. The source host is a database server. Which phase of the Cyber Kill Chain does this represent?
38. An analyst is reviewing PCAP and sees a TCP stream with a Wireshark filter 'tcp.stream eq 0'. The conversation shows an interactive shell session with commands like 'whoami' and 'ls'. This is most likely evidence of what?
39. An analyst examines a PCAP and finds a series of UDP packets sent to multiple ports on a target. The target responds with ICMP 'Destination Unreachable (Port Unreachable)' messages for each port. What type of scan is being performed?
40. A security analyst is investigating a potential exploit. The PCAP shows an HTTP POST request containing a long string of characters that, when decoded, reveals a series of return-oriented programming (ROP) gadgets. What is the likely purpose of this payload?
41. During a forensic analysis, an analyst uses NetworkMiner to extract files from a PCAP. One of the extracted files contains a PE executable with a known signature of a malware variant. Which phase of the Cyber Kill Chain does the file transfer most likely represent?
42. An analyst detects HTTPS traffic to a domain that was registered only 24 hours ago and has no web content. The traffic occurs at odd hours and with consistent packet sizes. What technique is likely being used for C2?
43. An analyst identifies a series of SMB authentication attempts from a compromised host to multiple internal servers. The authentication uses NTLM hashes. Which TWO techniques are most likely being used for lateral movement? (Select 2)
44. During an incident, an analyst observes the following in PCAP: (1) DNS queries with random-looking subdomains to a known malicious domain, (2) large outbound FTP transfers of .zip files, (3) HTTP POST requests with Base64-encoded data in the body. Which THREE exfiltration techniques are being used? (Select 3)
45. An analyst reviews a PCAP and sees HTTP requests containing script tags and event handlers such as 'onload' and 'onerror'. Additionally, the URI contains 'alert(1)'. Which TWO types of attacks are indicated? (Select 2)
46. In the Cyber Kill Chain, which phase involves sending a malicious attachment to a targeted user?
47. A security analyst receives an alert for a known malware signature in an outbound file transfer. After investigation, the file is confirmed as benign software. This alert is classified as:
48. During a SYN scan, an attacker sends a SYN packet to a closed port on a target. What response does the target typically send back?
49. Which type of attack is indicated by a series of SMB authentication attempts from one host to multiple other hosts in a short time frame?
50. A security analyst observes periodic outbound HTTPS connections to an unusual domain that resolves to different IP addresses each time. This behavior is most indicative of:
51. A PCAP contains an HTTP POST request with a parameter containing "UNION SELECT username, password FROM users". This is evidence of:
52. Which Wireshark filter can be used to extract the full TCP data of a specific conversation from a PCAP?
53. A network analyst finds a PCAP with a series of DNS queries for subdomains like "data12345.example.com" and "data67890.example.com" where the subdomain names appear to contain encoded base64 data. This pattern suggests:
54. In a PCAP, an analyst sees an interactive shell session over TCP with irregular command prompts and responses. Which tool was likely used to generate this traffic?
55. An alert shows a high volume of outbound traffic from an internal host to an external IP using FTP. The data includes files with names matching internal document names. This activity is most likely:
56. In Wireshark, which filter can be used to quickly find all HTTP requests that contain a specific keyword in the URL?
57. Which MITRE ATT&CK tactic corresponds to the Cyber Kill Chain phase 'Actions on Objectives'?
58. A security analyst is investigating a PCAP that shows multiple failed SMB authentication attempts from a single host to different IP addresses, followed by a successful authentication. Which TWO techniques are likely being used?
59. A PCAP contains the following patterns: (1) A TCP connection with a complete handshake to an external IP on port 443, (2) periodic data transfers every 60 seconds of approximately 1 KB, (3) the domain name in the TLS SNI field is generated by a DGA. Which THREE indicators are present?
60. An analyst identifies HTTP traffic containing the string "<script>alert('XSS')</script>" in the URL parameter. Which TWO attack types are likely being attempted?
61. During the Cyber Kill Chain, which phase involves sending a malicious attachment to a target user via email?
62. An analyst observes repeated TCP SYN packets to various ports on a target IP with no SYN-ACK responses. What type of scan is most likely being performed?
63. An intrusion detection system alerts on HTTP traffic containing the string 'UNION SELECT' in the URI parameter. This is most indicative of what type of attack?
64. During alert triage, an analyst determines that an alert was triggered by legitimate administrative activity. How should this alert be classified?
65. An analyst notices periodic HTTP GET requests to a suspicious domain every 60 seconds. The payload size is small and consistent. This behavior is characteristic of which phase of the Cyber Kill Chain?
66. In network forensics, which Wireshark filter would be used to reconstruct a TCP conversation between two hosts?
67. An analyst detects an attack where the attacker uses NTLM authentication with a hashed password instead of the plaintext password. This technique is known as:
68. Which of the following is a common indicator of DNS tunneling used for exfiltration?
69. An analyst analyzing a PCAP sees a series of TCP connections where the client sends data with interactive patterns and receives commands. This is most likely indicative of:
70. In the MITRE ATT&CK framework, TTPs are mapped to:
71. An analyst observes a large outbound FTP transfer to an external IP address from a server that normally does not generate such traffic. This is most likely an indicator of:
72. Which tool can be used to extract files from a PCAP file for further analysis?
73. An analyst is investigating a potential malware infection. Which TWO of the following are indicators of command and control (C2) communication?
74. During an incident response, an analyst finds evidence of lateral movement. Which THREE of the following are common techniques used for lateral movement?
75. Which TWO of the following are valid classifications for alerts during triage?
76. During network intrusion analysis, an analyst reviews logs and observes an alert for a TCP SYN scan. Which characteristic of a SYN scan would the analyst look for in packet captures?
77. An analyst is investigating a potential DNS tunneling attack. Which characteristic in DNS traffic would most likely indicate DNS tunneling?
78. In the Cyber Kill Chain model, which phase involves delivering the exploit to the target, such as via email attachment or malicious link?
79. An analyst is reviewing a PCAP and sees multiple HTTP requests with the parameter 'id=1 UNION SELECT username,password FROM users'. What type of attack is being attempted?
80. During a network intrusion investigation, an analyst notices repeated SMB authentication attempts from a single host to multiple other hosts using different usernames. Which type of activity does this pattern suggest?
81. An analyst is monitoring network traffic and observes a host making outbound HTTPS connections to a domain that appears to be generated by a Domain Generation Algorithm (DGA). Which phase of the Cyber Kill Chain best describes this activity?
82. An analyst is investigating a PCAP file and wants to reconstruct a conversation between two hosts. Which Wireshark filter would be most appropriate to follow the entire TCP stream?
83. During an incident response, an analyst identifies a PCAP containing an HTTP POST request to a suspicious external IP with a large payload. The response is not typical for web applications. What type of activity is most likely occurring?
84. An analyst reviews an alert that triggered on a network signature for 'shellcode' in a payload. The payload contains a sequence of NOP sleds followed by executable code. Which type of exploitation technique does this indicate?
85. An analyst is analyzing a PCAP and sees multiple ICMP port unreachable responses from a target host when scanning UDP ports. What does this indicate about the scanned ports?
86. An analyst is investigating a host that is making outbound HTTPS connections to multiple random-looking domains, each with a short TTL. The domains are not in any threat intelligence feeds. Which technique is most likely being used?
87. An analyst identifies a PCAP with a reverse shell session. Which characteristic in the traffic would most likely indicate an interactive shell session?
88. An analyst is triaging alerts and encounters a scenario where an IDS alerted on a network scan, but further investigation reveals the traffic was from a legitimate vulnerability scanner. Which TWO terms best describe this alert?
89. An analyst observes a host making outbound connections to a server on TCP port 443, with traffic patterns showing small packets at regular 60-second intervals. The destination IP is in a country where the company does no business. Which THREE characteristics suggest this is C2 beaconing?
90. An analyst is examining a PCAP for signs of a pass-the-hash attack. Which THREE indicators would be consistent with pass-the-hash?
91. A security analyst observes a large number of SYN packets sent to various ports on a target host, receiving RST responses for closed ports and no response for open ports. Which phase of the Cyber Kill Chain does this activity represent?
92. During a PCAP analysis, a security analyst notices an HTTP request with the URI parameter 'id=1 UNION SELECT username,password FROM users--'. What is the most likely attack being attempted?
93. Which TWO of the following are typical indicators of a C2 beaconing communication?
94. An analyst is reviewing alerts from an IDS and needs to classify them. Which THREE of the following are valid alert classification types?
95. A network analyst is investigating a suspected DNS tunneling attack. Which THREE of the following are indicators of DNS tunneling?
96. An analyst is examining a PCAP file for signs of lateral movement. Which TWO of the following are typical indicators of lateral movement using pass-the-hash?
97. In the Cyber Kill Chain, which TWO phases occur after the attacker establishes command and control (C2)?
98. A security analyst is investigating a PCAP and sees the following HTTP POST request: POST /login HTTP/1.1 ... username=admin&password=letmein. Which TWO attack indicators are present?
99. During PCAP analysis, a security analyst observes the following pattern: a series of TCP SYN packets to multiple ports on a target, followed by RST packets from the target for closed ports. Which TWO characteristics describe this scan?
The Network Intrusion Analysis domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.
The Courseiva 200-201 question bank contains 99 questions in the Network Intrusion Analysis domain, each with a full explanation and answer breakdown.
Start with a 10-question focused session to establish your baseline accuracy in this domain. Read every explanation, including those for questions you answer correctly, to understand the reasoning behind each answer. Once you score consistently above 80%, move to a 20 to 30 question session to confirm depth before moving on to the next domain.
The session launcher on this page draws questions exclusively from the Network Intrusion Analysis domain. Choose 10, 20, 30, or 50 questions for a focused session, or review individual questions one by one.