Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 3.0

Host-Based Analysis

200-201 Practice Questions

Use this page to practise Host-Based Analysis questions for this certification. Focus on how the exam tests host-based analysis in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

200-201 Host-Based Analysis — Key Topics

Host-Based Analysis questions on this certification test your ability to deploy and manage host-based analysis concepts in scenario-based situations.

  • Core Host-Based Analysis concepts and how they apply in real-world cloud scenarios.
  • How to deploy host-based analysis correctly and verify the outcome.
  • Troubleshooting host-based analysis issues by interpreting error output and system state.
  • Cloud best practices and Host-Based Analysis design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Host-Based Analysis

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

200-201 Host-Based Analysis — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

Question 3 (hard, multiple choice)

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

Exhibit

```
C:\Users\Admin> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                    1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                    1508 WpnService, WpnUserService
notepad.exe                    2344 N/A
cmd.exe                        2568 N/A
powershell.exe                 2792 N/A

C:\Users\Admin> netstat -anob | findstr 192.168.1.50
  TCP    192.168.1.100:49152    192.168.1.50:443    ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80     ESTABLISHED     1420
```

Question 4 (easy, multi select)

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

Question 5 (medium, multiple choice)

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

Exhibit

```
Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
```

Question 6 (hard, multiple choice)

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

Question 7 (hard, multi select)

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

Question 8 (easy, multiple choice)

Refer to the exhibit. An analyst runs the command 'tasklist /svc /fi "PID eq 1234"' on a Windows host and receives the output shown. Which conclusion can the analyst draw from this output?

Exhibit

```
tasklist /svc /fi "PID eq 1234"
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1234 CryptSvc, Dnscache, LanmanWorkstation, W32Time
```

Question 9 (medium, multiple choice)

An organization uses Windows 10 Enterprise workstations with standard user accounts (no local admin). Users run daily tasks including web browsing, document editing, and accessing a corporate intranet. Recently, the security team detected anomalous outbound traffic from one workstation to an IP address in a foreign country. The workstation's host-based firewall shows that a process named 'svch0st.exe' initiated the connection. Additionally, a scheduled task named 'UpdateTask' runs every hour with SYSTEM privileges, executing a script from a hidden folder. The user reports no unusual behavior except occasional system slowdowns. The analyst must determine the best immediate course of action. Which action should the analyst take first?

Question 10 (medium, drag order)

Drag and drop the steps to investigate a security incident using a SIEM into the correct order.

Question 11 (medium, drag order)

Drag and drop the steps to configure a Cisco ASA firewall for basic network access into the correct order.

Question 12 (medium, matching)

Match each Windows event log type to its description.

Descriptions:

  • Logs success/failure audit events
  • Logs operating system events
  • Logs events from applications
  • Logs installation events
  • Logs events forwarded from other computers

Question 13 (medium, matching)

Match each log severity level to its description (syslog).

Descriptions:

  • System is unusable
  • Immediate action required
  • Critical conditions
  • Error conditions
  • Warning conditions

Question 14 (easy, multiple choice)

A security analyst notices that a workstation is generating multiple DNS queries to a known malicious domain. Which host-based analysis technique would be most effective in confirming the infection?

Question 15 (easy, multiple choice)

A SOC analyst is investigating a suspicious file on a Windows host. The file hash matches a known malware variant in a threat intelligence feed. What is the next best step for host-based analysis?

Question 16 (medium, multiple choice)

An analyst is examining a Linux host suspected of being compromised. The file /etc/passwd shows unusual entries. Which host-based analysis tool is best for verifying if the accounts are actively being used?

Question 17 (medium, multiple choice)

During a host-based investigation, an analyst finds a process named 'svchost.exe' consuming high CPU. The process path is 'C:\Windows\Temp\svchost.exe'. What should the analyst conclude?

Question 18 (hard, multiple choice)

A security analyst is reviewing host-based logs from a compromised system. The Windows Security Event Log shows multiple Event ID 4625 (failed logon) from a single source IP, but no successful logon. The network team confirms that IP is a known scanning host. What is the most likely explanation for the lack of successful logon events?

Question 19 (hard, multiple choice)

An analyst is performing host-based analysis on a machine that is part of a botnet. The machine is communicating with a C2 server over HTTPS. Which host-based evidence would be most useful to identify the C2 communication?

Question 20 (easy, multiple choice)

Which Windows registry hive is most likely to contain evidence of malware persistence via a service?

Question 21 (medium, multiple choice)

A host-based analysis tool reports that a file has a digital signature that is valid but from an untrusted publisher. What should the analyst interpret from this?

Question 22 (hard, multiple choice)

An analyst is reviewing Sysmon logs from a compromised host. They see Event ID 1 (Process creation) for cmd.exe with parent process winword.exe. What does this indicate?

Question 23 (easy, multi select)

Which TWO host-based analysis techniques are most effective for detecting fileless malware?

Question 24 (medium, multi select)

Which THREE indicators in Windows Event Log are most commonly associated with a successful compromise?

Question 25 (hard, multi select)

Which TWO locations in a Linux filesystem should be checked for evidence of malware persistence?

Question 26 (easy, multiple choice)

Refer to the exhibit. An analyst runs tasklist /SVC on a suspected host. Which process is most suspicious?

Exhibit

```
C:\Users\admin>tasklist /SVC

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1240   DcomLaunch, LSM
svchost.exe                   1500   BrokerInfrastructure, gpsvc, ProfSvc
svchost.exe                   1780   Schedule
svchost.exe                   1972   Themes
svchost.exe                   2100   WlanSvc
notmalware.exe                2300   No services are associated with this image.
```

Question 27 (medium, multiple choice)

Refer to the exhibit. A host-based analyst reviews auth.log. What does the accepted password log entry indicate?

Exhibit

```
Aug 10 14:32:17 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34567 ssh2
Aug 10 14:32:20 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34568 ssh2
Aug 10 14:32:23 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34569 ssh2
Aug 10 14:32:26 host1 sshd[2346]: Accepted password for admin from 192.168.1.100 port 34570 ssh2
```

Question 28 (hard, multiple choice)

Refer to the exhibit. A host-based analysis tool outputs a JSON report. Which persistence mechanism is being used?

Exhibit

```
{
  "File": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
  "Process": "C:\\Windows\\System32\\msiexec.exe",
  "RegistryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
  "RegistryValue": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
}
```

Question 29 (easy, multiple choice)

A security analyst is investigating a suspected malware infection on a Windows host. The analyst wants to identify processes that have network connections. Which built-in Windows tool should the analyst use?

Question 30 (easy, multiple choice)

An analyst needs to review the Windows event logs from a host to determine if a user's account was used to log in at an unusual time. Which log type should the analyst check?

Question 31 (medium, multiple choice)

A company's endpoint detection and response (EDR) agent is reporting a file that was created with a name matching a known ransomware pattern. The analyst suspects the file is malicious. What is the best first step to contain the threat?

More Host-Based Analysis questions available in the full practice test.
