Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications200-201TopicsHost-Based Analysis
Free · No Signup RequiredCisco · 200-201

200-201 Host-Based Analysis Practice Questions

20+ practice questions focused on Host-Based Analysis — one of the most tested topics on the Cisco CyberOps Associate 200-201 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Start Host-Based Analysis Practice

Exam Domains

Security Policies and ProceduresSecurity ConceptsSecurity MonitoringHost-Based AnalysisNetwork Intrusion AnalysisAll domains →

Study Tools

Practice TestMock ExamFlashcardsAll Topics

Sample Host-Based Analysis Questions

Practice all 20+ →
1.

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

A.Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
B.Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
C.Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
D.Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.

Explanation: Running 'netstat -b' on a Windows host displays active TCP connections along with the executable name of the process that created each connection. This directly correlates the outbound connection to the malicious IP with the specific process, which is exactly what the analyst needs to identify the pivot point.

2.

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

A.svchost.exe (PID 1420) because it is connecting to an external IP on port 80.
B.cmd.exe (PID 2568) because it could be used to launch other processes.
C.powershell.exe (PID 2792) because it has an established HTTPS connection to an external server.
D.notepad.exe (PID 2344) because it is not expecting to make any network connections.

Explanation: PowerShell.exe (PID 2792) is the likely malicious process because it has an established HTTPS connection (TCP port 443) to an external server at 192.168.1.50. PowerShell is a powerful scripting tool often abused by attackers to execute arbitrary code, download payloads, or establish command-and-control (C2) channels over encrypted HTTPS, which can evade detection by traditional signature-based security tools.

3.

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

A.netstat -anob
B.tasklist /svc
C.dir /s C:\Windows\System32\config
D.wevtutil qe System /c:10

Explanation: The `netstat -anob` command displays active network connections, listening ports, and the associated process IDs (PIDs) along with the executable name. This is critical for identifying unauthorized outbound connections or backdoor listeners that indicate compromise. Because network state and process-to-port mappings reside in volatile memory (RAM), they are lost on reboot, making this command essential for live forensic collection.

4.

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

A.DNS amplification attack
B.ARP spoofing
C.Brute force attempt on Telnet service
D.ICMP flood attack

Explanation: The log shows repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23, which is the default port for Telnet. Multiple failed connection attempts to a Telnet service indicate a brute force attack, where an attacker tries to guess credentials by repeatedly attempting to log in.

5.

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

A.Examine the Windows Registry for Run keys to identify persistence mechanisms.
B.Parse PowerShell operational logs (Event ID 4104) to extract executed scripts and commands.
C.Review prefetch files (.pf) to determine when PowerShell was last executed.
D.Analyze network connection logs to identify outbound connections to known malicious IPs.

Explanation: PowerShell operational logs, specifically Event ID 4104 (Script Block Logging), capture the full text of PowerShell scripts and commands executed on the system. Since the analyst suspects the attacker used PowerShell to download additional tools, parsing these logs is the most direct and efficient first step to confirm that activity. This log source provides the actual commands run, including any download commands like Invoke-WebRequest or Start-BitsTransfer, without relying on indirect artifacts.

+15 more Host-Based Analysis questions available

Practice all Host-Based Analysis questions

How to master Host-Based Analysis for 200-201

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Host-Based Analysis. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Host-Based Analysis questions on the 200-201 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many 200-201 Host-Based Analysis questions are on the real exam?

The exact number varies per candidate. Host-Based Analysis is tested as part of the Cisco CyberOps Associate 200-201 blueprint. Practicing with targeted Host-Based Analysis questions ensures you can handle any format or difficulty that appears.

Are these 200-201 Host-Based Analysis practice questions free?

Yes. Courseiva provides free 200-201 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Host-Based Analysis one of the harder 200-201 topics?

Difficulty is subjective, but Host-Based Analysis is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Ready to practice?

Launch a full Host-Based Analysis practice session with instant scoring and detailed explanations.

Start Host-Based Analysis Practice →

Topic Info

Topic

Host-Based Analysis

Exam

200-201

Questions available

20+