Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

200-201 Host-Based Analysis • Complete Question Bank

200-201 Host-Based Analysis — All Questions With Answers

Complete 200-201 Host-Based Analysis question bank — all 46 questions with answers and detailed explanations. Free, no signup.

Question 1 (medium, multiple choice)

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

Question 2 (hard, multiple choice)

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

Exhibit:

```
C:\Users\Admin> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                    1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                    1508 WpnService, WpnUserService
notepad.exe                    2344 N/A
cmd.exe                        2568 N/A
powershell.exe                 2792 N/A

C:\Users\Admin> netstat -anob | findstr 192.168.1.50
  TCP    192.168.1.100:49152    192.168.1.50:443    ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80     ESTABLISHED     1420
```

Question 3 (easy, multi select)

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

Question 4 (medium, multiple choice)

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

Exhibit:

```
Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
```

Question 5 (hard, multiple choice)

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

Question 6 (hard, multi select)

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

Question 7 (easy, multiple choice)

Refer to the exhibit. An analyst runs the command 'tasklist /svc /fi "PID eq 1234"' on a Windows host and receives the output shown. Which conclusion can the analyst draw from this output?

Exhibit:

```
tasklist /svc /fi "PID eq 1234"
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1234 CryptSvc, Dnscache, LanmanWorkstation, W32Time
```

Question 8 (medium, multiple choice)

An organization uses Windows 10 Enterprise workstations with standard user accounts (no local admin). Users run daily tasks including web browsing, document editing, and accessing a corporate intranet. Recently, the security team detected anomalous outbound traffic from one workstation to an IP address in a foreign country. The workstation's host-based firewall shows that a process named 'svch0st.exe' initiated the connection. Additionally, a scheduled task named 'UpdateTask' runs every hour with SYSTEM privileges, executing a script from a hidden folder. The user reports no unusual behavior except occasional system slowdowns. The analyst must determine the best immediate course of action. Which action should the analyst take first?

Question 9 (medium, drag order)

Drag and drop the steps to investigate a security incident using a SIEM into the correct order.

Question 10 (medium, drag order)

Drag and drop the steps to configure a Cisco ASA firewall for basic network access into the correct order.

Question 11 (medium, matching)

Match each Windows event log type to its description.

Descriptions to match:

Logs success/failure audit events
Logs operating system events
Logs events from applications
Logs installation events
Logs events forwarded from other computers

Question 12 (medium, matching)

Match each log severity level to its description (syslog).

Descriptions to match:

System is unusable
Immediate action required
Critical conditions
Error conditions
Warning conditions

Question 13 (easy, multiple choice)

A security analyst notices that a workstation is generating multiple DNS queries to a known malicious domain. Which host-based analysis technique would be most effective in confirming the infection?

Question 14 (easy, multiple choice)

A SOC analyst is investigating a suspicious file on a Windows host. The file hash matches a known malware variant in a threat intelligence feed. What is the next best step for host-based analysis?

Question 15 (medium, multiple choice)

An analyst is examining a Linux host suspected of being compromised. The file /etc/passwd shows unusual entries. Which host-based analysis tool is best for verifying if the accounts are actively being used?

Question 16 (medium, multiple choice)

During a host-based investigation, an analyst finds a process named 'svchost.exe' consuming high CPU. The process path is 'C:\Windows\Temp\svchost.exe'. What should the analyst conclude?

Question 17 (hard, multiple choice)

A security analyst is reviewing host-based logs from a compromised system. The Windows Security Event Log shows multiple Event ID 4625 (failed logon) from a single source IP, but no successful logon. The network team confirms that IP is a known scanning host. What is the most likely explanation for the lack of successful logon events?

Question 18 (hard, multiple choice)

An analyst is performing host-based analysis on a machine that is part of a botnet. The machine is communicating with a C2 server over HTTPS. Which host-based evidence would be most useful to identify the C2 communication?

Question 19 (easy, multiple choice)

Which Windows registry hive is most likely to contain evidence of malware persistence via a service?

Question 20 (medium, multiple choice)

A host-based analysis tool reports that a file has a digital signature that is valid but from an untrusted publisher. What should the analyst interpret from this?

Question 21 (hard, multiple choice)

An analyst is reviewing Sysmon logs from a compromised host. They see Event ID 1 (Process creation) for cmd.exe with parent process winword.exe. What does this indicate?

Question 22 (easy, multi select)

Which TWO host-based analysis techniques are most effective for detecting fileless malware?

Question 23 (medium, multi select)

Which THREE indicators in Windows Event Log are most commonly associated with a successful compromise?

Question 24 (hard, multi select)

Which TWO locations in a Linux filesystem should be checked for evidence of malware persistence?

Question 25 (easy, multiple choice)

Refer to the exhibit. An analyst runs tasklist /SVC on a suspected host. Which process is most suspicious?

Exhibit:

```
C:\Users\admin>tasklist /SVC

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1240   DcomLaunch, LSM
svchost.exe                   1500   BrokerInfrastructure, gpsvc, ProfSvc
svchost.exe                   1780   Schedule
svchost.exe                   1972   Themes
svchost.exe                   2100   WlanSvc
notmalware.exe                2300   No services are associated with this image.
```

Question 26 (medium, multiple choice)

Refer to the exhibit. A host-based analyst reviews auth.log. What does the accepted password log entry indicate?

Exhibit:

```
Aug 10 14:32:17 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34567 ssh2
Aug 10 14:32:20 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34568 ssh2
Aug 10 14:32:23 host1 sshd[2345]: Failed password for root from 192.168.1.100 port 34569 ssh2
Aug 10 14:32:26 host1 sshd[2346]: Accepted password for admin from 192.168.1.100 port 34570 ssh2
```

Question 27 (hard, multiple choice)

Refer to the exhibit. A host-based analysis tool outputs a JSON report. Which persistence mechanism is being used?

Exhibit:

```
{
  "File": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
  "Process": "C:\\Windows\\System32\\msiexec.exe",
  "RegistryKey": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
  "RegistryValue": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
}
```

Question 28 (easy, multiple choice)

A security analyst is investigating a suspected malware infection on a Windows host. The analyst wants to identify processes that have network connections. Which built-in Windows tool should the analyst use?

Question 29 (easy, multiple choice)

An analyst needs to review the Windows event logs from a host to determine if a user's account was used to log in at an unusual time. Which log type should the analyst check?

Question 30 (medium, multiple choice)

A company's endpoint detection and response (EDR) agent is reporting a file that was created with a name matching a known ransomware pattern. The analyst suspects the file is malicious. What is the best first step to contain the threat?

Question 31 (easy, multiple choice)

A security analyst is analyzing a memory dump from a compromised Linux server. Which tool is most appropriate for extracting running processes and network connections from the dump?

Question 32 (hard, multiple choice)

During a host-based analysis of a Windows system, an analyst finds that the Windows Event ID 4688 (process creation) logs show a child process spawning from a legitimate application, but the parent process path is empty. What does this likely indicate?

Question 33 (hard, multiple choice)

An analyst is reviewing Sysmon logs on a Windows host and sees Event ID 1 (process creation) with a signed parent process but an unsigned child. The child has a CommandLine that includes 'powershell -EncodedCommand'. What is the most likely threat?

Question 34 (easy, multiple choice)

Which Windows registry hive contains user-specific configuration settings that can be modified by applications?

Question 35 (medium, multiple choice)

A security analyst wants to monitor file creation events on a critical Windows server without installing additional software. Which Windows audit policy should be configured?

Question 36 (medium, multiple choice)

An analyst needs to collect volatile data from a live host before performing a memory dump. Which data is most volatile?

Question 37 (easy, multi select)

Which two Sysmon Event IDs are most commonly associated with code injection techniques?

Question 38 (medium, multi select)

A security analyst is investigating a host that may have been compromised via a drive-by download. Which three indicators of compromise should the analyst look for in the host's logs and artifacts?

Question 39 (hard, multi select)

An analyst is examining the Windows Registry on a host suspected of persistence via a malicious service. Which two registry keys are most relevant to investigate?

Question 40 (medium, multiple choice)

Based on the exhibit, what is the most likely conclusion about the host's security state?

Exhibit:

From a Windows host, the analyst runs:

```
C:\> netstat -ano | findstr 4444
```

Output:

```
TCP    192.168.1.100:49201    203.0.113.5:4444      ESTABLISHED     1234
UDP    0.0.0.0:4444            *:*                                    5678
```

The analyst also runs:

```
C:\> tasklist | findstr 1234
cmd.exe                      1234 Console                 1     2,048 K
C:\> tasklist | findstr 5678
svchost.exe                  5678 Services                0     1,024 K
```

Question 41 (hard, multiple choice)

Based on the exhibit, what does the sequence of events indicate?

Exhibit:

```
Event 4688 (Process Creation):
New Process ID: 0x1234
New Process Name: C:\Users\Public\svchost.exe
Creator Process ID: 0x9ABC
Creator Process Name: C:\Windows\System32\wmiprvse.exe
Process Command Line: svchost.exe -k ntsvcs

Event 4688 (Process Creation):
New Process ID: 0x5678
New Process Name: C:\Windows\System32\svchost.exe
Creator Process ID: 0x1234
Creator Process Name: C:\Users\Public\svchost.exe
Process Command Line: C:\Windows\System32\calc.exe
```

Question 42 (hard, multiple choice)

A company's security team is investigating an alert from their EDR platform indicating that a workstation in the finance department has been making repeated connections to an external IP address associated with a known command-and-control (C2) server. The analyst has isolated the host from the network and is performing host-based analysis. The host is running Windows 10 with Sysmon deployed and Windows Event Logging enabled. The analyst reviews Sysmon events and finds:

- Event ID 1 (Process Creation): 'powershell.exe -NoP -NonI -W Hidden -Enc JABzAD0ATgBlAHcALQBPAEI ...' (long encoded string)
- Event ID 3 (Network Connect): powershell.exe connecting to the C2 IP on port 443 (HTTPS), and also to an internal IP on port 445 (SMB).
- Event ID 11 (FileCreate): a file created at C:\Users\financeuser\AppData\Roaming\Microsoft\svchost.exe (size 512KB) with no signature.
- Event ID 7 (Image Load): svchost.exe (from AppData) loaded 'crypt32.dll'.
- Event ID 8 (CreateRemoteThread): not observed.

The analyst also checks the Windows Security log and finds Event ID 4624 (Success Logon) for the user 'financeuser' from a remote workstation at 2:00 AM, which is outside normal hours. The workstation is part of the Active Directory domain. The analyst needs to determine the most effective next step to contain the threat and prevent recurrence.

Question 43 (medium, multiple choice)

An analyst is investigating a host that is suspected of being compromised. She runs the 'netstat -anb' command and sees an established connection to an unknown IP address on port 4444. The associated process is svchost.exe. Which conclusion is MOST appropriate?

Question 44 (hard, multi select)

Which TWO characteristics are typical of host-based intrusion detection systems (HIDS) compared to network-based intrusion detection systems (NIDS)?

Question 45 (easy, multiple choice)

A financial firm uses Sysmon for endpoint monitoring on all Windows servers. One server, 'FIN-SRV-01', which hosts a critical database application, is exhibiting high CPU usage and unusual outbound network connections to a known malicious IP on port 8080. The Sysmon logs show Event ID 1 (Process Create) with a suspicious process 'rundll32.exe' spawned from 'winword.exe', and Event ID 3 (Network Connect) showing the connection to the malicious IP. The antivirus has not detected any threats. The analyst must decide the next immediate action to contain the threat while preserving evidence.

Question 46 (medium, multiple choice)

A company uses Microsoft Windows Event Logging for host monitoring. The security team receives an alert from a Windows 10 workstation 'WS-102' indicating multiple failed logon attempts (Event ID 4625) within a short period from an internal IP address 10.10.10.50, followed by a successful logon (Event ID 4624) for user 'jdoe'. Shortly after, Event ID 4688 (Process Creation) shows 'cmd.exe' started by 'explorer.exe' with a command line launching 'powershell.exe -EncodedCommand ...'. The encoded command decodes to a script that attempts to download a payload from a remote server. The analyst needs to determine the most effective immediate response to limit lateral movement and impact.
