Cisco CyberOps Associate 200-201 (200-201) — Questions 901–975

985 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901
MCQ · medium

An organization is developing an Acceptable Use Policy (AUP). Which of the following topics is typically covered in an AUP?

A. Password complexity requirements
B. Incident reporting procedures
C. Data classification levels
D. Prohibition of using company resources for illegal activities
Answer: D

AUPs commonly prohibit illegal activities.

Why this answer

An AUP defines acceptable use of IT resources, including prohibiting unauthorized access, personal use guidelines, and security responsibilities.

902
MCQ · easy

Which best practice helps ensure accurate network intrusion analysis when reviewing logs from multiple sources?

A. Use synchronized time across all devices.
B. Disable all logging except firewall logs.
C. Rely solely on automated analysis tools.
D. Store logs in different formats for each source.
Answer: A

Time synchronization enables accurate correlation of events.

Why this answer

Synchronized time (via NTP) ensures that logs from different sources share a consistent timestamp, which is critical for correlating events across network devices during intrusion analysis. Without time synchronization, an attacker's actions might appear out of order or be missed entirely, leading to inaccurate incident reconstruction.

Exam trap

Cisco often tests the misconception that log format consistency is more important than time synchronization, but without synchronized time, even identical formats cannot provide accurate event correlation.

How to eliminate wrong answers

Option B is wrong because disabling all logging except firewall logs eliminates valuable data from sources like IDS/IPS, servers, and endpoints, which are essential for detecting multi-stage attacks. Option C is wrong because relying solely on automated analysis tools can miss context-dependent attacks or generate false positives; human analysis is needed to validate alerts. Option D is wrong because storing logs in different formats for each source increases parsing complexity and hinders correlation, whereas standardized formats (e.g., syslog, CEF) simplify analysis.

903
Multi-Select · hard

During PCAP analysis, a security analyst observes the following pattern: a series of TCP SYN packets to multiple ports on a target, followed by RST packets from the target for closed ports. Which TWO characteristics describe this scan?

Select 2 answers
A. It uses ICMP echo requests
B. It is a SYN scan
C. It is a UDP scan
D. It completes the TCP three-way handshake
E. It is a stealthy scan that may avoid logging
Answers: B, E

SYN packets are sent to probe ports.

Why this answer

The SYN scan sends SYN packets and listens for SYN-ACK (open) or RST (closed). It is a stealthy scan because it doesn't complete the TCP handshake.

904
MCQ · medium

A company is developing a new security policy for cloud storage. Which principle should be the foundation of the policy to ensure data confidentiality and integrity?

A. Access logs must be retained for at least one year.
B. Only authorized users can access the cloud storage.
C. All data must be encrypted at rest and in transit.
D. Data must be backed up daily.
Answer: C

Encryption provides confidentiality and integrity regardless of location.

Why this answer

Option C is correct because encryption at rest and in transit directly protects data confidentiality and integrity by rendering data unreadable without the proper decryption keys and by ensuring data is not tampered with during transmission. In cloud storage, encryption at rest (e.g., AES-256) safeguards data stored on disk, while encryption in transit (e.g., TLS 1.2/1.3) prevents interception or modification during upload/download. This dual-layer approach is the foundational security control for meeting confidentiality and integrity objectives, as defined in the CIA triad.

Exam trap

Cisco often tests the distinction between foundational security principles (encryption) and supporting controls (logging, access control, backups), trapping candidates who confuse a necessary but insufficient measure like 'only authorized users' with the core requirement for confidentiality and integrity.

How to eliminate wrong answers

Option A is wrong because retaining access logs for one year supports auditing and incident response but does not directly enforce data confidentiality or integrity; logs are a detective control, not a preventive or protective measure. Option B is wrong because only allowing authorized users to access cloud storage addresses confidentiality through access control, but it does not ensure integrity (e.g., authorized users could still modify data) and provides no protection against data exposure if the storage medium is compromised. Option D is wrong because daily backups ensure availability and disaster recovery, not confidentiality or integrity; backups can be encrypted, but the act of backing up alone does not protect data from unauthorized access or tampering.

905
MCQ · easy

A security analyst detects a host infected with ransomware on the corporate network. According to incident response procedures, what should be the first action?

A. Reimage the host immediately
B. Update antivirus signatures
C. Notify the IT management team
D. Isolate the host from the network
Answer: D

Isolation stops lateral movement and is the first containment step.

Why this answer

The first action when a host is infected with ransomware is to isolate it from the network to prevent lateral movement and further encryption of shared resources. Ransomware often uses SMB, RDP, or other network protocols to spread, so disconnecting the host (e.g., by disabling the switch port or unplugging the cable) stops the propagation immediately. This aligns with the NIST incident response framework's containment phase, which prioritizes stopping the attack before any remediation.

Exam trap

Cisco often tests the misconception that immediate eradication (reimaging) or notification is the priority, but the correct first step is always containment to stop the spread, as per the NIST and SANS incident response frameworks.

How to eliminate wrong answers

Option A is wrong because reimaging the host immediately destroys forensic evidence (e.g., memory dumps, registry keys, or ransomware binary) that could be critical for attribution and understanding the attack vector. Option B is wrong because updating antivirus signatures is a preventive measure that does not stop an active ransomware infection; the ransomware is already executing and may evade signature-based detection. Option C is wrong because notifying IT management is a communication step that should occur after containment; delaying isolation to notify first allows the ransomware to spread further across the network.

906
MCQ · medium

During a security incident, the incident handler identifies that the breach involves personally identifiable information (PII) of customers. Which role is primarily responsible for determining if legal notification requirements apply?

A. Legal counsel
B. Incident handler
C. HR
D. CISO
Answer: A

Legal counsel interprets laws and notification obligations.

Why this answer

Legal counsel advises on data breach notification laws and regulatory requirements.

907
MCQ · easy

Which data source provides the most detailed information about the application layer payload in network traffic?

A. NetFlow
B. Syslog
C. Full packet capture (PCAP)
D. SNMP
Answer: C

PCAP captures the entire packet including payload.

Why this answer

Full packet capture (PCAP) provides the most detailed information because it records the entire raw network packet, including headers and the complete application-layer payload. This allows deep inspection of protocols like HTTP, DNS, or SMTP at the byte level, which is essential for detecting malware, data exfiltration, or application-specific anomalies.

Exam trap

Cisco often tests the misconception that NetFlow provides deep packet inspection because it can report application information via NBAR, but NBAR is a classification engine that still does not capture the raw payload; the trap is confusing flow metadata with full packet content.

How to eliminate wrong answers

Option A is wrong because NetFlow only exports metadata (e.g., IP addresses, ports, protocol, byte counts) and never includes the application payload; it summarizes flows rather than capturing full packet contents. Option B is wrong because Syslog is a logging protocol for system events and messages from devices or applications, not a network traffic capture mechanism; it cannot provide packet-level payload data. Option D is wrong because SNMP is used for monitoring and managing network device status (e.g., CPU, interface counters) via MIBs, and it does not capture or transmit network traffic payloads.

908
MCQ · hard

Refer to the exhibit. A Cisco router is configured with the shown access list applied inbound on the external interface. An external attacker sends a packet with source IP 10.0.0.1, destination IP 192.168.1.100, destination port 22. What will the router do?

A. Forward the packet to the next hop
B. Permit the packet only if it is HTTP
C. Permit the packet
D. Drop the packet
Answer: D

The packet is denied by the first ACE.

Why this answer

The access list applied inbound on the external interface denies the packet because the source IP 10.0.0.1 is a private RFC 1918 address, which is typically blocked by a standard or extended ACL to prevent spoofed or internal traffic from entering from outside. Since the packet matches a deny entry (either explicitly or implicitly via the implicit deny all at the end of the ACL), the router drops it without forwarding.

Exam trap

Cisco often tests the implicit deny any at the end of an ACL, leading candidates to mistakenly think a packet will be permitted if no explicit deny matches, when in fact the implicit deny drops it.

How to eliminate wrong answers

Option A is wrong because the router does not forward the packet; it is dropped due to matching a deny rule in the inbound ACL. Option B is wrong because the access list does not permit the packet based on HTTP; the destination port 22 (SSH) is not HTTP (port 80), and the ACL logic evaluates all fields, not just protocol. Option C is wrong because the packet is not permitted; the source IP falls within a denied range or is implicitly denied, so the router does not allow it through.

909
MCQ · medium

An analyst notices that a DNS query for 'www.attacker.com' contains a long subdomain with Base64-encoded data. This activity is observed every 5 minutes. What exfiltration technique is most likely in use?

A. Steganography
B. DNS tunneling
C. HTTP POST exfiltration
D. FTP exfiltration
Answer: B

DNS tunneling uses DNS queries to exfiltrate data.

Why this answer

DNS exfiltration encodes data in subdomain queries. The data is sent to a DNS server controlled by the attacker, who extracts it from the logs.

910
Multi-Select · medium

A security analyst is investigating a host that may have been compromised via a drive-by download. Which three indicators of compromise should the analyst look for in the host's logs and artifacts?

Select 3 answers
A. Unusual outbound network connections
B. Modified system files in %SystemRoot%\System32
C. A new user account added to the local Administrators group
D. A large number of 404 errors in the web server log
E. Presence of a scheduled task that runs an unknown executable
Answers: A, B, E

Malware often communicates with C2 servers.

Why this answer

A drive-by download typically exploits a browser or plugin vulnerability to silently execute code on the host. Once compromised, the malware often establishes command-and-control (C2) communication, which manifests as unusual outbound network connections to suspicious IP addresses or domains on non-standard ports (e.g., TCP 4444, 8080). Analyzing netstat output or firewall logs for unexpected outbound traffic is a primary indicator of such post-exploitation activity.

Exam trap

Cisco often tests the distinction between host-based and network-based indicators, and the trap here is that candidates confuse web server logs (network-based) with host-based artifacts, or they assume that any post-exploitation action like adding an admin user is a direct indicator of the initial compromise vector rather than a later persistence step.

911
MCQ · hard

A security analyst needs to verify that a downloaded software update has not been tampered with. The update's publisher provides a file containing a hash value. Which process should the analyst use to verify integrity?

A. Decrypt the file using the publisher's public key
B. Use a digital signature to sign the file
C. Compute the file's hash and compare it with the provided hash
D. Encrypt the file using the publisher's private key
Answer: C

Hash comparison verifies that the file has not been altered.

Why this answer

Option C is correct because verifying file integrity involves computing a cryptographic hash (e.g., SHA-256) of the downloaded file and comparing it to the hash provided by the publisher. If the hashes match, the file has not been altered; any tampering would produce a different hash value. This is a standard integrity check, not a confidentiality or authentication mechanism.

Exam trap

Cisco often tests the distinction between integrity (hash comparison) and authenticity (digital signatures), leading candidates to mistakenly choose digital signature verification when the question only asks about integrity.

How to eliminate wrong answers

Option A is wrong because decrypting a file with the publisher's public key would only work if the file were encrypted with the publisher's private key, which is used for confidentiality or non-repudiation, not for integrity verification of a hash. Option B is wrong because signing the file with a digital signature is a process the publisher performs to provide authenticity and integrity, but the analyst does not sign the file; the analyst verifies the signature using the publisher's public key. Option D is wrong because encrypting the file with the publisher's private key is not a standard integrity check; private key encryption is used for digital signatures or to prove origin, and the analyst would not have access to the publisher's private key.

912
MCQ · hard

An organization is developing a new cloud-based application. The security policy requires that all data be encrypted in transit and at rest. Which combination of controls meets this requirement?

A. Use a VPN for all connections
B. Encrypt the database using Transparent Data Encryption (TDE)
C. Use HTTPS for all communication
D. Use HTTPS and encrypt the database with TDE
Answer: D

Combining HTTPS (transit) and TDE (at rest) satisfies both requirements.

Why this answer

Option D is correct because HTTPS encrypts data in transit and TDE encrypts data at rest, so together they satisfy both requirements. Option A is wrong because a VPN encrypts data in transit but not at rest. Option B is wrong because TDE alone encrypts data at rest but not in transit. Option C is wrong because HTTPS alone encrypts data in transit but not at rest.

913
Multi-Select · medium

A security analyst is investigating a network breach. Which TWO activities are examples of passive reconnaissance? (Choose two.)

Select 2 answers
A. Reviewing LinkedIn profiles of employees
B. Sending ping sweeps to identify live hosts
C. Using a vulnerability scanner to find weaknesses
D. Searching WHOIS records for domain registration details
E. Performing a port scan on the target network
Answers: A, D

Social media review is a passive information gathering technique.

Why this answer

Passive reconnaissance involves gathering information without directly interacting with the target, such as searching public records and social media.

914
Multi-Select · easy

A healthcare organization uses an online patient portal where patients can view their medical records. Recently, it was discovered that patient records were being modified by an unauthorized insider, and the system suffered a ransomware attack that encrypted the database, making it inaccessible for three days. Which TWO security principles were primarily violated? (Choose two.)

Select 2 answers
A. Confidentiality
B. Authentication
C. Integrity
D. Availability
E. Non-repudiation
Answers: C, D

The unauthorized modification of patient records directly violates integrity.

Why this answer

The unauthorized modification of patient records violates integrity, which ensures data has not been altered by unauthorized entities. The ransomware attack that encrypted the database and made it inaccessible for three days violates availability, which ensures systems and data are accessible when needed. These two incidents directly compromise the CIA triad principles of integrity and availability.

Exam trap

Cisco often tests the distinction between confidentiality (unauthorized viewing) and integrity (unauthorized modification), so the trap here is confusing the insider's modification of records as a confidentiality breach rather than an integrity violation.

915
MCQ · medium

An organization is required to protect cardholder data. Which compliance framework applies to this requirement?

A. ISO 27001
B. HIPAA
C. GDPR
D. PCI DSS
Answer: D

PCI DSS is the standard for protecting payment card data.

Why this answer

PCI DSS is the Payment Card Industry Data Security Standard, which applies to organizations that handle credit card data.

916
Multi-Select · medium

A security policy requires that all data at rest be encrypted. Which TWO of the following are considered best practices for implementing encryption?

Select 2 answers
A. Implement encryption at the application layer only.
B. Store encryption keys separately from the encrypted data.
C. Use weak encryption algorithms to reduce performance impact.
D. Use hardware-based encryption if available.
E. Use the same key for all data to simplify management.
Answers: B, D

Essential for key security.

Why this answer

Options B and D are correct. Option B: storing keys separately from the encrypted data means a compromise of the data store alone does not expose the keys. Option D: hardware-based encryption is more secure than software-only encryption.

Option A is wrong because encryption should be applied at multiple layers, not at the application layer alone. Option C is wrong because weak encryption algorithms are poor practice regardless of performance. Option E is wrong because using the same key for all data weakens security.

917
MCQ · medium

You are a SOC analyst monitoring traffic on a corporate network. The network uses a next-generation firewall (NGFW) with intrusion prevention system (IPS). You receive an alert that the IPS detected a SQL injection attempt against the internal web application server (10.0.1.10) from an external IP (203.0.113.5). The IPS action was set to "alert" only, not "drop". Further investigation shows that the web server logs indicate the SQL injection succeeded and data was exfiltrated to 203.0.113.5. The web application is a custom application developed in-house. The database server (10.0.1.20) contains customer PII. Which of the following is the BEST immediate action to contain the incident?

A. Apply a software patch to the web application to fix the SQL injection vulnerability
B. Restore the web server from a known good backup
C. Block the attacker's IP address at the firewall and implement a temporary rule to drop all traffic from 203.0.113.5
D. Shut down the database server to prevent further data loss
Answer: C

This immediately cuts off the attacker's access and stops exfiltration.

Why this answer

The immediate priority is to stop the active data exfiltration and prevent further exploitation. Since the IPS was configured to 'alert' only, it did not block the malicious traffic. Blocking the attacker's IP at the firewall with a temporary drop rule is the fastest way to sever the attacker's access to the web server and stop the ongoing data theft, containing the incident while preserving forensic evidence.

Exam trap

Cisco often tests the distinction between containment, eradication, and recovery actions, and the trap here is that candidates confuse a long-term fix (patching) or a disruptive action (shutting down the database) with the immediate need to stop active data exfiltration.

How to eliminate wrong answers

Option A is wrong because applying a software patch is a remediation step, not an immediate containment action; it takes time to develop, test, and deploy, during which the attacker can continue exfiltrating data. Option B is wrong because restoring the web server from a known good backup is a recovery step that destroys volatile evidence (e.g., logs, active connections) and does not stop the attacker if they still have network access. Option D is wrong because shutting down the database server would cause immediate denial of service to legitimate users and may corrupt data; it also does not prevent the attacker from re-establishing access via the web server if the firewall remains open.

918
MCQ · medium

A SOC analyst is investigating a possible insider threat. Which team member should be consulted due to the nature of the incident?

A. Public Relations
B. CISO
C. Legal counsel
D. Human Resources
Answer: D

HR is consulted for insider threats involving employees.

Why this answer

HR is involved in insider threat cases due to employee relations.

919
Multi-Select · medium

An analyst is triaging alerts and encounters a scenario where an IDS alerted on a network scan, but further investigation reveals the traffic was from a legitimate vulnerability scanner. Which TWO terms best describe this alert?

Select 2 answers
A. True negative
B. Benign trigger
C. False negative
D. False positive
E. True positive
Answers: B, D

Correct. The alert was triggered by legitimate activity.

Why this answer

The alert fired but there was no actual attack, so it is a false positive. Because the traffic came from a legitimate, authorized vulnerability scanner, the activity that set off the signature is also described as a benign trigger.

920
MCQ · medium

A SOC Tier 2 analyst is investigating an alert that was escalated from Tier 1. The analyst suspects the malware is using a new variant of ransomware. What is the most appropriate next step for the Tier 2 analyst?

A. Notify legal counsel immediately
B. Escalate directly to Tier 3 for advanced analysis
C. Perform malware analysis and correlate with other alerts
D. Delete the affected files to contain the spread
Answer: C

This is typical Tier 2 responsibility.

Why this answer

Tier 2 conducts deeper investigation, including malware analysis and correlation with other data.

921
Multi-Select · medium

Which TWO of the following are indicators of a potential data exfiltration attempt?

Select 2 answers
A. An internal host transferring large amounts of data to an unknown external IP at 3 AM.
B. A user accessing an internal file server during business hours.
C. An internal host sending large DNS TXT queries to an external server.
D. A failed login attempt from an internal workstation.
E. A spike in ICMP echo requests from an external IP.
Answers: A, C

Unusual time and volume strongly suggest exfiltration.

Why this answer

Option A is correct because data exfiltration often involves transferring large volumes of data to an unknown external IP during off-hours (e.g., 3 AM) to evade detection. This behavior deviates from normal business patterns and is a classic indicator of a data breach or insider threat.

Exam trap

Cisco often tests the distinction between normal network activity (e.g., file server access during business hours) and anomalous patterns (e.g., off-hours bulk transfers or DNS tunneling), so candidates must focus on the context of time, volume, and protocol misuse rather than just the action itself.

922
MCQ · medium

An analyst is investigating a Linux host and runs 'cat /proc/1234/cmdline'. What information does this provide?

A. The memory map of the process
B. The command line and arguments used to start the process
C. The environment variables of the process
D. The current working directory of the process
Answer: B

Correct. cmdline contains the command line.

Why this answer

The /proc/[pid]/cmdline file contains the full command line used to start the process, including arguments. This helps verify if a process was launched with suspicious parameters.

923
Multi-Select · medium

After a security incident, the IR team holds a lessons learned meeting. Which THREE activities are part of the Post-Incident Activity phase?

Select 3 answers
A. Developing metrics to measure IR effectiveness
B. Identifying improvements to the IR process
C. Updating the incident response plan
D. Conducting initial triage of new alerts
E. Restoring systems from backup
Answers: A, B, C

Metrics help track performance over time.

Why this answer

Post-incident activities include identifying improvements, updating the IR plan, and creating metrics.

924
MCQ · hard

An analyst is examining a suspicious PE file. The file's entropy is very high (close to 8.0) and the import table is almost empty. What does this indicate?

A. The file is likely packed or obfuscated
B. The file is a DLL file
C. The file is a standard Windows executable with many imports
D. The file has been digitally signed
Answer: A

High entropy and few imports indicate packing.

Why this answer

High entropy and a sparse import table strongly suggest the file is packed or encrypted. Packers often compress the original code, raising entropy and obfuscating imports.

925
MCQ · hard

A security analyst at a financial firm is investigating a potential data breach. The company uses Cisco Firepower NGFW and Stealthwatch for network visibility. Over the past week, an internal server with IP 10.10.10.50 has been sending large amounts of data to an external IP 203.0.113.55 on TCP port 443. The Stealthwatch flow records show that the server typically communicates with only internal hosts and a few known external update servers. The analyst checks the Firepower events and sees no alerts for this traffic. The server is running a custom web application that handles financial transactions. The analyst suspects data exfiltration. What should the analyst do next?

A. Capture a packet trace of the suspicious traffic and analyze the SSL/TLS handshake to determine if the traffic is legitimate.
B. Immediately block the destination IP on the firewall and quarantine the server.
C. Review the server's web server logs for any unusual requests or responses.
D. Check the server's running processes and network connections with a command line tool like netstat.
Answer: A

Deep packet inspection of the encrypted handshake can reveal certificate details or anomalies indicating a covert channel.

Why this answer

Option A is correct because the traffic is encrypted over TCP port 443 (HTTPS), so the analyst cannot determine the content or legitimacy of the data transfer without decrypting or inspecting the SSL/TLS handshake. Capturing a packet trace allows the analyst to examine the TLS handshake details, such as the server certificate, cipher suites, and SNI, which can reveal whether the external IP is a legitimate service or an unauthorized endpoint. This step is non-disruptive and provides forensic evidence before taking any blocking or quarantine actions.

Exam trap

Cisco often tests the distinction between flow/event data and full packet inspection, trapping candidates who think firewall logs or netstat alone can confirm exfiltration over encrypted channels.

How to eliminate wrong answers

Option B is wrong because immediately blocking the destination IP and quarantining the server could disrupt legitimate business operations and destroy forensic evidence; the analyst should first verify the traffic is malicious. Option C is wrong because reviewing web server logs only shows HTTP-level requests and responses, but the traffic is encrypted over TLS, so the logs would not reveal the actual data being exfiltrated. Option D is wrong because checking running processes and netstat connections only provides a snapshot of current connections, not the historical flow data or encrypted payload details needed to confirm exfiltration.

926
MCQ · easy

Which port is used by RDP (Remote Desktop Protocol) and is a common target for brute force attacks?

A. 443
B. 3389
C. 22
D. 1433
Answer: B

3389 is the standard port for RDP.

Why this answer

RDP uses TCP port 3389 and is frequently targeted by attackers attempting to gain remote access.

927
MCQ · hard

An analyst uses Volatility's pstree plugin on a memory dump. The output shows that process 'winlogon.exe' has a child process 'cmd.exe' that is not typical. What is the most likely explanation?

A. An attacker may have used Sticky Keys or similar persistence.
B. A user is running a command prompt remotely.
C. A scheduled task is running.
D. The system is performing a normal update.
Answer: A

Sticky Keys (sethc.exe) can be replaced with cmd.exe to provide a command prompt at login.

Why this answer

winlogon.exe spawning cmd.exe is unusual and may indicate an attacker used Sticky Keys or similar accessibility feature abuse (sethc.exe) to gain a command prompt at the login screen. Normal winlogon does not launch cmd.exe as a child.

928
MCQ · medium

Refer to the exhibit. What is the effect of this ACL applied to an interface?

A. Allows all traffic to host 10.0.1.10
B. Allows any TCP traffic
C. Allows only HTTP traffic to host 10.0.1.10 and denies all else
D. Denies all traffic
Answer: C

The permit line specifically allows HTTP; the deny line blocks other traffic.

Why this answer

The ACL in the exhibit (assuming it is a standard or extended ACL with a permit statement for TCP port 80 to host 10.0.1.10 and an implicit deny all) explicitly permits only HTTP traffic (TCP port 80) to the destination host 10.0.1.10. All other traffic is denied by the implicit deny all at the end of the ACL, making option C correct.

Exam trap

Cisco often tests the implicit deny all behavior, where candidates mistakenly think an ACL with only a permit statement allows all other traffic, when in fact it denies everything not explicitly permitted.

How to eliminate wrong answers

Option A is wrong because the ACL does not allow all traffic to host 10.0.1.10; it only permits HTTP (TCP/80) and denies everything else, including other protocols and ports. Option B is wrong because the ACL does not allow any TCP traffic; it specifically restricts TCP traffic to only port 80 (HTTP) to host 10.0.1.10, blocking all other TCP ports. Option D is wrong because the ACL does not deny all traffic; it explicitly permits HTTP traffic to host 10.0.1.10, so some traffic is allowed.

929
MCQ · hard

During a forensic examination of a Linux system, an analyst wants to check for persistence mechanisms. Which file or directory should be examined to find user-specific cron jobs that may have been added by an attacker?

A. /etc/cron.hourly/
B. /etc/cron.d/
C. /etc/crontab
D. /var/spool/cron/crontabs/
Answer: D

User crontabs are stored in this directory, one file per user.

Why this answer

User-specific cron jobs are stored in /var/spool/cron/crontabs/ (or /var/spool/cron/ on some distributions), one file per user. /etc/crontab is the system-wide crontab, /etc/cron.d/ holds system-wide crontab fragments, and /etc/cron.hourly/ holds scripts that run hourly; none of these is the per-user location, which is under /var/spool/cron/.

930
MCQ · medium

A SOC analyst is monitoring network traffic and notices a large amount of data being transferred from the HR file server to an external IP address during off-hours. The server is supposed to be used only during business hours. The analyst checks the server logs and sees that a user account named 'backup_service' has been active and copying files. The 'backup_service' account is a service account that is normally used for automated backups, but the backup schedule is set to run at midnight, and the current time is 3 AM. The analyst suspects credential theft. Which of the following should the analyst do first?

A. Capture a memory dump of the server for forensic analysis.
B. Disable the 'backup_service' account immediately.
C. Take the HR file server offline.
D. Block the external IP address at the firewall.
Answer: A

A memory dump preserves evidence of the attacker's current activities, which is crucial for understanding the attack.

Why this answer

Option A is correct because capturing a memory dump preserves volatile evidence (e.g., running processes, network connections, and in-memory credentials) that is critical for forensic analysis of a suspected credential theft incident. This aligns with the NIST SP 800-86 forensic process, where memory acquisition is prioritized before any system shutdown or network changes to avoid losing evidence of the attacker's active session or malicious code.

Exam trap

Cisco often tests the principle of 'preservation of evidence' where candidates mistakenly choose immediate containment actions (disable account, take offline, block IP) instead of the forensic first step of capturing volatile data.

How to eliminate wrong answers

Option B is wrong because immediately disabling the 'backup_service' account could alert the attacker and cause them to destroy evidence or escalate privileges before a forensic snapshot is taken. Option C is wrong because taking the HR file server offline without first capturing memory would lose volatile data (e.g., active network connections, running processes, and encryption keys) that are essential for identifying the attack vector. Option D is wrong because blocking the external IP address at the firewall is a containment step that should occur after evidence collection; doing it first may tip off the attacker and does not preserve the in-memory state needed for attribution or root-cause analysis.

931
MCQhard

During a vulnerability assessment, a security team discovers that a web application allows users to upload files without proper validation. An attacker could upload a malicious file and execute it on the server. Which type of vulnerability is this?

A.Cross-site scripting (XSS)
B.SQL injection
C.Remote code execution (RCE)
D.Insecure direct object reference
AnswerC

Improper file validation can lead to arbitrary code execution on the server.

Why this answer

The vulnerability allows an attacker to upload a malicious file (e.g., a web shell) and then execute it on the server, which is the definition of remote code execution (RCE). This occurs because the application fails to validate file types, contents, or execution permissions, enabling arbitrary code to run in the server's context.

Exam trap

Cisco often tests the distinction between client-side attacks (XSS) and server-side attacks (RCE), so candidates may confuse file upload RCE with XSS because both involve malicious file or script injection, but the execution context (server vs. client) is the key differentiator.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not executing code on the server. Option B is wrong because SQL injection targets database queries by manipulating input to alter SQL statements, not file uploads or server-side code execution. Option D is wrong because insecure direct object reference (IDOR) allows unauthorized access to resources by manipulating object references (e.g., user IDs in URLs), not file uploads or code execution.

932
Multi-Selectmedium

An analyst is investigating a Windows host that likely has malware persistence via the registry. Which TWO registry hives are commonly used to store Run keys for user logon persistence? (Select 2)

Select 2 answers
A.HKEY_CLASSES_ROOT\*\shell
B.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppInit_DLLs
D.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
E.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
AnswersB, E

HKLM Run key is a common persistence location.

Why this answer

The Run keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run are standard locations where Windows executes programs automatically at user logon. Malware commonly writes entries to these keys to achieve persistence, making them critical for host-based analysis.

Exam trap

Cisco often tests the distinction between Run keys (user logon persistence) and other registry locations like AppInit_DLLs or Services, so candidates must know that only the Run paths under HKLM and HKCU are correct for this specific persistence method.

933
MCQmedium

During packet analysis, an analyst notices a TCP connection with a large number of SYN packets sent to various ports on a single host but no completed handshakes. This is characteristic of which activity?

A.Port scan reconnaissance
B.Normal web browsing behavior
C.SYN flood denial-of-service attack
D.Data exfiltration using FTP
AnswerA

SYN scans are used to discover open ports.

Why this answer

A port scan typically sends SYN packets to multiple ports; responses indicate open ports. The lack of completed handshakes suggests a scan, not an attack.

934
MCQeasy

An analyst notices an intrusion alert triggered by an internal host scanning multiple ports on a single external IP address. The signature is 'Port Scan'. Which of the following is the most likely cause?

A.Misconfigured service
B.Malware spreading
C.Network mapping tool
D.Normal user activity
AnswerC

Network mapping tools like Nmap perform port scans for reconnaissance.

Why this answer

A port scan targeting multiple ports on a single external IP is the classic behavior of network mapping tools like Nmap or Masscan. These tools systematically probe ports to discover open services, which is distinct from the random or sequential scanning patterns of malware or the limited connections of normal user activity.

Exam trap

Cisco often tests the distinction between scanning a single external IP (network mapping) versus scanning many internal IPs (malware spreading), causing candidates to confuse the target scope with the scanning pattern.

How to eliminate wrong answers

Option A is wrong because a misconfigured service typically causes repeated connections to a single port (e.g., DNS or SMTP retries), not a systematic scan across many ports. Option B is wrong because malware spreading usually scans random or sequential internal IPs for vulnerable services (e.g., SMB on 445/tcp), not a single external IP across many ports. Option D is wrong because normal user activity, such as a web browser or email client, connects to a few well-known ports (80, 443, 25) on a server, not a broad sweep of hundreds of ports.

935
Multi-Selecthard

Which THREE are common indicators of a distributed denial-of-service (DDoS) attack? (Choose three.)

Select 3 answers
A.Slow network performance and service unavailability
B.A single IP address generating excessive traffic
C.High bandwidth consumption on the network link
D.Unusual traffic patterns from many different sources
E.Encrypted traffic from a known malware C2 server
AnswersA, C, D

Overwhelmed resources cause slowdowns.

Why this answer

Option A is correct because a DDoS attack floods the target with traffic from multiple sources, overwhelming network resources and causing legitimate requests to time out or be dropped. This results in slow network performance and service unavailability as the system struggles to process the excessive load. The distributed nature of the attack makes it difficult to mitigate with simple IP-based filtering.

Exam trap

Cisco often tests the distinction between a single-source DoS and a multi-source DDoS, so candidates may incorrectly select 'a single IP address generating excessive traffic' as a DDoS indicator, but the key is the distributed nature of the attack.

936
MCQeasy

A network administrator is tasked with creating a security policy for handling sensitive data. Which of the following is the most critical element to include?

A.Detailed network topology diagrams.
B.List of antivirus software versions.
C.Data classification and handling procedures.
D.Vendor contact information.
AnswerC

This defines how data should be categorized and protected, which is essential for any data security policy.

Why this answer

Data classification and handling procedures are fundamental to any data security policy. Topology, antivirus, and contacts are supporting but not the most critical.

937
MCQmedium

In Windows, prefetch files (C:\Windows\Prefetch\*.pf) are used by the system to speed up application loading. How can an analyst leverage prefetch files during host-based analysis?

A.They provide evidence of file execution, including frequency and timestamps.
B.They store network connection logs.
C.They store registry keys modified by the application.
D.They contain the contents of the running process memory.
AnswerA

Prefetch files record execution details useful for forensic timeline.

Why this answer

Prefetch files in Windows record metadata about application launches, including the executable path, run count, and last run timestamp. During host-based analysis, an analyst can examine these .pf files to determine which executables have been executed, how often, and when, providing crucial evidence of file execution activity.

Exam trap

Cisco often tests the specific purpose of prefetch files versus other forensic artifacts, and the trap here is confusing prefetch files with memory dumps or registry logs, leading candidates to select options that describe unrelated Windows components.

How to eliminate wrong answers

Option B is wrong because prefetch files do not store network connection logs; network connection logs are typically found in Windows Event Logs (e.g., Security log with Event ID 5156) or firewall logs. Option C is wrong because prefetch files do not store registry keys modified by the application; registry modifications are tracked in the Registry hive files (e.g., NTUSER.DAT, SYSTEM, SOFTWARE) and can be analyzed via tools like RegRipper. Option D is wrong because prefetch files do not contain the contents of the running process memory; process memory contents are captured in memory dumps (e.g., .dmp files) or via forensic tools like Volatility.

938
MCQmedium

A security analyst is reviewing PCAP data and sees a TCP stream with interactive shell commands such as 'whoami', 'ls -la', and 'cat /etc/passwd'. The session appears to be bidirectional with a remote IP. Which type of attack is most likely occurring?

A.Reverse shell
B.DNS tunnelling
C.SQL injection
D.Man-in-the-middle attack
AnswerA

Interactive shell commands characterize a reverse shell.

Why this answer

Interactive shell commands over TCP indicate a reverse shell, where the attacker has a command shell on the victim.

939
MCQhard

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

A.DNS logs from the internal DNS server.
B.NetFlow records from the border router.
C.Full packet capture of all outbound traffic.
D.Host-based firewall logs.
AnswerB

Shows flow timestamps and destinations; reveals periodic connections.

Why this answer

NetFlow records from the border router provide aggregated metadata (source/destination IP, port, protocol, timestamps) that can reveal the periodic 60-second beaconing pattern to the malicious domain and the volume of outbound connections on port 443. Unlike DNS logs, NetFlow captures the actual connection attempts regardless of DNS resolution, making it ideal for identifying regular, repetitive outbound flows.

Exam trap

Cisco often tests the distinction between DNS logs (which show name resolution) and NetFlow (which shows actual traffic flows), leading candidates to mistakenly choose DNS logs because they associate beaconing with domain names, not realizing that the beaconing is confirmed by the connection pattern itself.

How to eliminate wrong answers

Option A is wrong because DNS logs only show queries for domain resolution, not the actual TCP connections; if the host uses cached DNS or direct IP connections, the beaconing pattern may be missed. Option C is wrong because full packet capture, while thorough, is resource-intensive and impractical for continuous monitoring of all outbound traffic; NetFlow provides sufficient metadata to confirm the beaconing pattern without the overhead. Option D is wrong because host-based firewall logs only record allowed or blocked connections at the host level, but they may not capture the precise timing and destination IPs of outbound flows if the firewall is configured to permit all outbound traffic, and they lack the network-wide perspective of the border router.

940
Multi-Selecteasy

Which TWO activities are typically part of a security policy review cycle? (Choose two.)

Select 2 answers
A.Reviewing regulatory updates
B.Delivering security awareness training
C.Conducting periodic policy audits
D.Handling a security incident
E.Applying system patches
AnswersA, C

Laws change, policies must adapt.

Why this answer

Policy review includes identifying changes in regulatory requirements and periodic audits. Options A and C are correct. Option E (patching) is operational.

Option B (user training) is part of awareness, not review. Option D (incident handling) is not review.

941
Multi-Selectmedium

An analyst is investigating a Windows host for malware persistence. Which TWO registry locations are commonly abused for persistence by modifying the 'Run' key? (Select TWO)

Select 2 answers
A.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
B.HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D.HKLM\System\CurrentControlSet\Services
E.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
AnswersB, C

This Run key loads programs for all users at startup.

Why this answer

Both HKLM and HKCU Run keys are commonly used for persistence.

942
MCQmedium

A security analyst is asked to assess the risk of a new web application. The analyst calculates the likelihood of a SQL injection as 0.3 and the impact as $100,000. What is the annualized loss expectancy (ALE) if the asset value is $500,000 and the exposure factor is 0.2?

A.$100,000
B.$50,000
C.$15,000
D.$30,000
AnswerD

ALE = SLE * ARO = ($500,000 * 0.2) * 0.3 = $30,000.

Why this answer

The annualized loss expectancy (ALE) is calculated as ALE = SLE × ARO, where SLE = AV × EF. Here, AV = $500,000 and EF = 0.2, so SLE = $100,000. The likelihood of 0.3 represents the annualized rate of occurrence (ARO), so ALE = $100,000 × 0.3 = $30,000.

Option D is correct because it correctly multiplies the single loss expectancy by the annualized rate of occurrence.

Exam trap

Cisco often tests the distinction between SLE and ALE, tricking candidates into stopping at the SLE calculation ($100,000) or misapplying the exposure factor to the impact instead of the asset value.

How to eliminate wrong answers

Option A is wrong because $100,000 is the single loss expectancy (SLE), not the annualized loss expectancy (ALE); it fails to multiply by the ARO of 0.3. Option B is wrong because $50,000 would result from multiplying the impact ($100,000) by 0.5, which is not the given ARO or any correct calculation step. Option C is wrong because $15,000 would result from multiplying the asset value ($500,000) by the likelihood (0.3) and then by 0.1, or from incorrectly using the exposure factor as a multiplier on the impact; it ignores the correct SLE calculation.

943
MCQmedium

Which tool can be used to extract files from a PCAP file for further analysis?

A.Wireshark (Export Objects)
B.Snort
C.tcpdump
D.nmap
AnswerA

Wireshark's Export Objects feature extracts files from protocols like HTTP.

Why this answer

Wireshark's 'Export Objects' feature allows you to extract files (e.g., HTTP objects, SMB files, or other application-layer payloads) from a PCAP file. This is essential for further analysis of malware or data exfiltration, as it reconstructs the original files from the captured network streams without needing to replay the traffic.

Exam trap

Cisco often tests the distinction between packet capture tools (tcpdump) and protocol analysis tools (Wireshark), leading candidates to mistakenly think tcpdump can extract files because it can read PCAPs, but it only outputs raw packet data without application-layer reconstruction.

How to eliminate wrong answers

Option B (Snort) is wrong because Snort is an intrusion detection/prevention system (IDS/IPS) that analyzes traffic in real-time using rules, but it does not have a built-in feature to extract files from a PCAP for offline analysis. Option C (tcpdump) is wrong because tcpdump is a command-line packet capture tool that can read PCAP files and display packet headers, but it cannot extract application-layer objects like files; it lacks the protocol dissection and reassembly needed for file extraction. Option D (nmap) is wrong because nmap is a network scanning tool used for host discovery and port scanning, not for parsing PCAP files or extracting embedded objects.

944
MCQmedium

An analyst is reviewing IDS alerts and sees an alert with signature name 'ET POLICY Suspicious inbound to MySQL port 3306'. The source IP is external and destination is an internal database server. What is the best immediate action?

A.Allow the traffic because it is a legitimate database query
B.Ignore the alert as it is a false positive
C.Disable the signature to reduce noise
D.Block the external IP at the firewall
AnswerD

Blocking the source IP stops potential attack.

Why this answer

Option D is correct because an inbound connection from an external IP to a MySQL server (port 3306) is highly suspicious — MySQL is a database service that should never be exposed directly to the internet. The immediate best action is to block the external IP at the firewall to prevent potential exploitation, data exfiltration, or brute-force attacks. This aligns with the principle of least privilege and defense-in-depth, as database servers should only accept connections from trusted internal hosts.

Exam trap

Cisco often tests the misconception that IDS alerts should be analyzed for false positives before taking action, but in this scenario, the immediate risk of an external connection to a database port demands a blocking response first, with analysis to follow.

How to eliminate wrong answers

Option A is wrong because allowing the traffic assumes it is legitimate, but external inbound MySQL traffic is almost always malicious or misconfigured — legitimate database queries should come from internal application servers, not the public internet. Option B is wrong because ignoring the alert as a false positive is premature without investigation; while some alerts may be false positives, an inbound connection to a database port from an external source warrants immediate action due to the high risk. Option C is wrong because disabling the signature reduces visibility and increases risk — the signature is correctly firing on suspicious behavior, and disabling it would allow future attacks to go undetected.

945
MCQmedium

A manufacturing company's ICS network was infected with ransomware that encrypted files on the file server. The company has offline backups and restores the files. However, during the investigation, the security analyst finds that the ransomware entered through an RDP connection from an infected workstation on the corporate network. The corporate network and ICS network are separated by a firewall that allows RDP from specific corporate IPs to the ICS file server. The analyst wants to prevent a recurrence. Which of the following is the most effective long-term control?

A.Require multi-factor authentication for all RDP connections.
B.Disable RDP on the ICS file server and use a jump box.
C.Implement network segmentation with a DMZ for file transfers.
D.Install antivirus on all corporate workstations.
AnswerA

MFA significantly reduces the risk of unauthorized RDP access even if passwords are compromised.

Why this answer

Requiring multi-factor authentication for all RDP connections adds a critical layer of security, making it much harder for attackers to gain access even if credentials are compromised.

946
MCQmedium

A security engineer is setting up a Snort rule to detect FTP traffic where the source IP is not from the internal network. Which Snort rule header correctly specifies the action, protocol, source, and destination?

A.alert tcp !$HOME_NET any -> any 21
B.alert tcp $HOME_NET any -> any 21
C.alert tcp any any -> any 21
D.alert udp any any -> any 21
AnswerA

The ! negation operator excludes the internal network, focusing on external sources.

Why this answer

The correct Snort rule header format is: alert tcp !$HOME_NET any -> any 21. It alerts on TCP traffic from any IP not in $HOME_NET to any destination on port 21 (FTP).

947
MCQeasy

Which of the following is the CORRECT order of the NIST SP 800-61 Rev 2 incident response lifecycle phases?

A.Containment Eradication and Recovery, Detection and Analysis, Preparation, Post-Incident Activity
B.Post-Incident Activity, Preparation, Detection and Analysis, Containment Eradication and Recovery
C.Preparation, Detection and Analysis, Containment Eradication and Recovery, Post-Incident Activity
D.Detection and Analysis, Preparation, Containment Eradication and Recovery, Post-Incident Activity
AnswerC

This is the correct sequence.

Why this answer

The correct order is Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

948
Multi-Selecteasy

Which TWO are common sources of security event data in a Security Information and Event Management (SIEM) system?

Select 2 answers
A.SMTP logs
B.NetFlow records
C.SNMP traps
D.Syslog from network devices
E.DNS queries
AnswersB, D

NetFlow provides metadata on network traffic flows.

Why this answer

NetFlow records (B) are a common source of security event data in a SIEM because they provide detailed metadata about network flows, including source/destination IPs, ports, protocols, and byte counts. SIEMs ingest NetFlow to detect anomalies, such as data exfiltration or beaconing, by analyzing flow patterns rather than full packet payloads. This makes NetFlow a standard telemetry source for network visibility and threat hunting.

Exam trap

Cisco often tests the distinction between network management protocols (SNMP) and security monitoring sources (syslog, NetFlow), leading candidates to mistakenly select SNMP traps as a security event source because they associate 'traps' with alerts, when in fact SNMP is for device health, not security event logging.

949
MCQeasy

During which phase of the NIST SP 800-61 Rev 2 incident response process would the incident response team conduct initial triage and determine whether an event qualifies as an incident?

A.Detection and Analysis
B.Preparation
C.Containment, Eradication, and Recovery
D.Post-Incident Activity
AnswerA

This phase includes identifying incidents and performing initial triage.

Why this answer

Initial triage and identification of incidents occur in the Detection and Analysis phase.

950
Multi-Selectmedium

An analyst is investigating a potential compromise using Indicators of Compromise (IoCs). Which TWO of the following are valid types of IoCs?

Select 2 answers
A.User name
B.IP address
C.Geographic location
D.File hash (MD5)
E.Protocol name
AnswersB, D

IP addresses of C2 servers are common IoCs.

Why this answer

IP addresses are a fundamental type of Indicator of Compromise (IoC) because they directly identify the network location of a malicious host, such as a command-and-control (C2) server or a source of an attack. Security analysts use IP addresses in threat intelligence feeds and SIEM queries to correlate logs and detect inbound or outbound connections to known malicious hosts.

Exam trap

Cisco often tests the distinction between an IoC (a specific, observable artifact of compromise) and contextual or behavioral data (like usernames or geographic locations) that may be useful in an investigation but are not valid IoCs themselves.

951
MCQmedium

An analyst sees a Snort alert with the message 'ET POLICY Outbound connection to known malicious IP'. What does this indicate?

A.A malicious IP is connecting to an internal host.
B.The firewall blocked the connection.
C.An internal host is connecting to an IP that is on a threat intelligence blacklist.
D.The connection is encrypted and safe.
AnswerC

'Known malicious IP' indicates the destination is blacklisted.

Why this answer

Snort is a signature-based IDS that alerts when traffic matches a rule. This alert indicates a connection from an internal host to a known malicious IP address, likely a command-and-control server.

952
MCQmedium

A network administrator configures an IPS to drop packets that match a signature for SQL injection. However, legitimate web traffic is being blocked. What is the most likely cause?

A.IPS hardware failure
B.Network congestion
C.Signature false positive
D.Signature false negative
AnswerC

The signature incorrectly matches legitimate SQL-like patterns in normal traffic.

Why this answer

Option C is correct because a false positive occurs when the IPS incorrectly identifies legitimate traffic as malicious based on its signature. In this case, the SQL injection signature is matching benign web requests that contain patterns resembling SQL syntax (e.g., 'SELECT', 'DROP'), causing the IPS to drop valid packets. This is a common issue with signature-based detection systems that lack contextual analysis.

Exam trap

Cisco often tests the distinction between false positives and false negatives, and the trap here is that candidates may confuse 'blocking legitimate traffic' with a false negative, not realizing that a false positive is the correct term for incorrectly flagged benign traffic.

How to eliminate wrong answers

Option A is wrong because an IPS hardware failure would typically cause complete loss of inspection or system crashes, not selective blocking of specific traffic patterns. Option B is wrong because network congestion might cause packet loss or latency, but it would not cause the IPS to drop packets based on signature matching; congestion does not alter detection logic. Option D is wrong because a false negative means the IPS fails to detect actual malicious traffic, which would allow SQL injection attacks to pass, not block legitimate traffic.

953
MCQeasy

An organization deploys a firewall to block unauthorized traffic. This is an example of which type of security control?

A.Detective
B.Physical
C.Technical
D.Administrative
AnswerC

Firewalls are technical controls that prevent unauthorized access.

Why this answer

A firewall is a technical control because it uses software or hardware mechanisms—such as packet filtering, stateful inspection, or application-layer filtering—to enforce security policies and block unauthorized traffic. Technical controls are implemented through technology systems (e.g., routers, firewalls, IDS/IPS) rather than through physical barriers or administrative procedures.

Exam trap

Cisco often tests the distinction between preventive and detective controls, and the trap here is that candidates may confuse a firewall's logging capability (detective) with its primary function of blocking traffic (preventive/technical).

How to eliminate wrong answers

Option A is wrong because detective controls are designed to identify and log security events after they occur (e.g., intrusion detection systems, audit logs), whereas a firewall actively prevents unauthorized traffic in real time. Option B is wrong because physical controls involve tangible barriers like locks, fences, or security guards, not network-level packet filtering. Option D is wrong because administrative controls are policies, procedures, and training (e.g., acceptable use policies, background checks), not technology-based enforcement mechanisms.

954
MCQmedium

Refer to the exhibit. An administrator sees many alerts for DNS tunneling. The current DNS inspection policy is shown. What change would most likely help detect DNS tunneling?

A.Remove the dns-guard command.
B.Lower the message-length maximum to 128 bytes.
C.Raise the message-length maximum to 4096 bytes.
D.Disable DNS inspection entirely.
AnswerC

Larger messages allow tunneling to be observed; also, correlating with frequency can detect anomalies.

Why this answer

DNS tunneling exploits the DNS protocol to exfiltrate data by encoding it in DNS queries and responses. Raising the message-length maximum to 4096 bytes allows the DNS inspection engine to inspect larger DNS payloads, which is necessary to detect tunneling attempts that use long TXT or other resource records to carry data. The current lower limit may allow tunneled data to pass undetected because the inspection engine truncates or ignores oversized messages.

Exam trap

Cisco often tests the misconception that lowering the message-length maximum would block tunneling, when in fact tunneling uses large payloads that would be ignored or passed through if the limit is too low, so raising the limit is required to inspect and detect the oversized messages.

How to eliminate wrong answers

Option A is wrong because the dns-guard command prevents DNS spoofing and cache poisoning by ensuring DNS responses match outstanding queries; removing it would weaken security, not help detect tunneling. Option B is wrong because lowering the message-length maximum to 128 bytes would cause the inspection engine to drop or ignore legitimate DNS messages and would not help detect tunneling, as tunneled data often uses larger payloads. Option D is wrong because disabling DNS inspection entirely would remove all DNS anomaly detection, making it impossible to detect DNS tunneling through the firewall.

955
MCQhard

A SIEM correlation rule triggers when a user account is created and then added to a privileged group within 10 minutes. Which activity does this rule detect?

A.Malicious insider data theft.
B.Privileged account creation and elevation.
C.Privilege escalation via token manipulation.
D.Lateral movement using pass-the-hash.
AnswerB

The rule specifically matches account creation followed by group membership change.

Why this answer

The SIEM rule specifically correlates the creation of a user account followed by its addition to a privileged group within a short time window. This sequence directly maps to the definition of privileged account creation and elevation, where a new account is granted administrative rights. The rule does not require any other malicious activity like data theft or lateral movement to trigger.

Exam trap

Cisco often tests the distinction between the administrative action of adding a user to a privileged group (privileged account creation/elevation) and the exploitation of system tokens or authentication protocols, leading candidates to confuse the SIEM rule's trigger with token manipulation or pass-the-hash attacks.

How to eliminate wrong answers

Option A is wrong because malicious insider data theft typically involves exfiltration of sensitive data, not just account creation and group membership changes; the rule does not monitor data access or transfer events. Option C is wrong because privilege escalation via token manipulation involves exploiting operating system mechanisms like SeDebugPrivilege or token duplication, not the administrative action of adding a user to a group via directory services. Option D is wrong because lateral movement using pass-the-hash relies on NTLM hash reuse to authenticate to remote systems, which is unrelated to account creation or group membership modifications.

956
MCQhard

During memory analysis with Volatility, the 'pstree' plugin shows a parent process of 'winlogon.exe' spawning 'cmd.exe'. What is the most likely explanation for this anomaly?

A.This is a normal occurrence when a user opens cmd after logging in.
B.A user is running a command prompt from the Windows login screen.
C.A debugger or persistence mechanism like Image File Execution Options has replaced sethc.exe with cmd.exe.
D.The cmd.exe is a system process running under winlogon's session.
AnswerC

IFEO can redirect accessibility binaries to cmd.exe, making winlogon launch it.

Why this answer

Normally, winlogon.exe does not spawn cmd.exe; this pattern suggests 'sticky keys' (sethc.exe) persistence or other accessibility tool abuse, where cmd.exe is launched in place of the accessibility binary (for example, through an Image File Execution Options debugger entry).

957
MCQ (hard)

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

A. svchost.exe (PID 1420) because it is connecting to an external IP on port 80.
B. cmd.exe (PID 2568) because it could be used to launch other processes.
C. powershell.exe (PID 2792) because it has an established HTTPS connection to an external server.
D. notepad.exe (PID 2344) because it is not expecting to make any network connections.
Answer: C

PowerShell making an outbound HTTPS connection is atypical and often used for malicious purposes.

Why this answer

PowerShell.exe (PID 2792) is the likely malicious process because it has an established HTTPS connection (TCP port 443) to an external server at 192.168.1.50. PowerShell is a powerful scripting tool often abused by attackers to execute arbitrary code, download payloads, or establish command-and-control (C2) channels over encrypted HTTPS, which can evade detection by traditional signature-based security tools.

Exam trap

Cisco often tests the misconception that any process connecting to an external IP is malicious, but the trap here is that candidates overlook the context of the process—PowerShell is a legitimate tool that is frequently abused, whereas svchost.exe making HTTP connections is normal system behavior.

How to eliminate wrong answers

Option A is wrong because svchost.exe (PID 1420) connecting to an external IP on port 80 is normal behavior for Windows services that perform HTTP-based updates or telemetry; svchost.exe is a legitimate system process. Option B is wrong because cmd.exe (PID 2568) could be used to launch other processes, but the exhibit does not show any network connection or suspicious activity from cmd.exe, making it not directly indicative of malicious behavior. Option D is wrong because notepad.exe (PID 2344) is not expected to make network connections, but the exhibit does not show any network connection from notepad.exe, so there is no evidence of malicious activity from that process.

958
MCQ (easy)

An analyst receives a syslog message with facility 'authpriv' and severity '3'. What does severity 3 indicate?

A. Error
B. Emergency
C. Critical
D. Alert
Answer: A

Error is severity 3.

Why this answer

Syslog severity levels range from 0 (Emergency) to 7 (Debug). Severity 3 corresponds to 'Error', which indicates error conditions that require attention but are not immediately critical. This is defined in RFC 5424, where level 3 is explicitly labeled 'Error' and is used for conditions such as configuration failures or service degradation.

Exam trap

Cisco often tests the specific numeric-to-name mapping of syslog severity levels, and the trap here is that candidates confuse severity 3 (Error) with severity 2 (Critical) or severity 1 (Alert) because they assume any 'high' severity number means more urgent, when in fact lower numbers indicate higher urgency.

How to eliminate wrong answers

Option B is wrong because Emergency (severity 0) indicates a system is unusable, such as a kernel panic or complete service failure. Option C is wrong because Critical (severity 2) denotes critical conditions like hard disk errors or major component failures. Option D is wrong because Alert (severity 1) requires immediate action, such as a security breach or loss of backup connectivity.

959
Multi-Select (medium)

A security analyst is investigating a PCAP that shows multiple failed SMB authentication attempts from a single host to different IP addresses, followed by a successful authentication. Which TWO techniques are likely being used?

Select 2 answers
A. SQL injection
B. SMB brute force
C. ARP spoofing
D. DNS tunnelling
E. Pass-the-hash
Answers: B, E

Brute force attempts multiple credentials until success.

Why this answer

Pass-the-hash uses NTLM hashes for authentication, and SMB brute force involves trying multiple passwords or hashes. Both can produce multiple failed attempts then success.

960
MCQ (medium)

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

A. The alerts are false positives because the user-agent is common
B. The host is being scanned
C. The host is likely infected with malware
D. The host is downloading a large file
Answer: C

Multiple alerts to a known malicious domain suggest infection.

Why this answer

The correct answer is C because the IDS alerts indicate the same source IP is communicating with a known malicious domain (evil.com) using a suspicious user-agent string. This pattern of repeated connections to a known bad destination is characteristic of malware beaconing or command-and-control (C2) traffic, not a false positive or benign activity.

Exam trap

Cisco often tests the distinction between a false positive and a true positive by making candidates focus on the user-agent being common, but the key is that the destination is known malicious, not the user-agent's commonality.

How to eliminate wrong answers

Option A is wrong because a common user-agent does not automatically make an alert a false positive; malware often uses common user-agents to evade detection, and the destination (evil.com) is known malicious. Option B is wrong because scanning typically involves multiple destinations or ports from a single source, not repeated connections to the same malicious domain. Option D is wrong because downloading a large file would show a single sustained connection with high data transfer, not multiple separate alerts with the same source and destination.

961
MCQ (easy)

An analyst needs to establish a normal traffic pattern baseline for the network. Which activity is most appropriate for this purpose?

A. Capture traffic during a known attack to identify anomalies
B. Use only firewall logs as they are the most reliable
C. Average traffic from multiple different organizations
D. Capture traffic over a period of normal operation, such as a week
Answer: D

Normal traffic over time establishes a reliable baseline.

Why this answer

Option D is correct because establishing a baseline requires capturing traffic during a period of normal operation, typically over a week, to account for daily and weekly usage patterns. This baseline represents the typical volume, protocol mix, and flow characteristics, enabling the analyst to later detect deviations that may indicate security incidents. Using a representative sample from normal conditions is the foundational step in anomaly-based monitoring.

Exam trap

Cisco often tests the misconception that baselines can be derived from attack traffic or external averages, but the key is that a baseline must be network-specific and captured during normal operations to serve as a valid reference for anomaly detection.

How to eliminate wrong answers

Option A is wrong because capturing traffic during a known attack provides a sample of malicious activity, not a baseline of normal behavior; baselines must reflect benign patterns to identify anomalies. Option B is wrong because firewall logs alone are insufficient for a comprehensive baseline; they lack visibility into internal traffic, application-layer protocols, and non-firewalled segments, and they may miss encrypted or lateral movement traffic. Option C is wrong because averaging traffic from multiple different organizations introduces irrelevant patterns due to differing network architectures, user behaviors, and business operations; a baseline must be specific to the network being monitored.

962
MCQ (easy)

Which security policy defines the process for reporting discovered security vulnerabilities to the organization?

A. Vulnerability Disclosure Policy
B. Acceptable Use Policy
C. Incident Response Policy
D. Change Management Policy
Answer: A

This policy guides reporting of vulnerabilities.

Why this answer

A vulnerability disclosure policy outlines how to report and handle security weaknesses. Option C is correct. Option A (incident response) is for active attacks.

Option B (acceptable use) is for employee behavior. Option D (change management) is for changes.

963
Multi-Select (hard)

Which TWO characteristics are typical of host-based intrusion detection systems (HIDS) compared to network-based intrusion detection systems (NIDS)?

Select 2 answers
A. Better suited for protecting a large number of devices simultaneously.
B. Visibility into local system events such as file system changes and registry modifications.
C. Ability to inspect encrypted traffic at the host level.
D. Less susceptible to host-based attacks.
E. Lower latency in detecting network attacks.
Answers: B, C

HIDS monitors host-specific activities.

Why this answer

Option B is correct because HIDS are installed directly on a host and have direct access to the host's operating system, allowing them to monitor local system events such as file system changes, registry modifications, and process activity. This granular visibility is a key advantage over NIDS, which only sees network traffic and cannot inspect internal host state.

Exam trap

Cisco often tests the misconception that HIDS are better at detecting network attacks or scaling to many devices, but the key differentiator is that HIDS provide host-level visibility (like registry and file changes) and can inspect decrypted traffic, while NIDS are network-focused and cannot see internal host events.

964
MCQ (easy)

An analyst is investigating a Windows host for signs of malware persistence. Which registry key would the analyst check for programs that run automatically when any user logs in?

A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
B. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Answer: D

Correct. This key runs programs for all users at logon.

Why this answer

The Run registry key under HKEY_LOCAL_MACHINE specifies programs that run for all users at logon, while HKEY_CURRENT_USER is per-user. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run is the most common location for malware persistence.

965
Multi-Select (medium)

An organization wants to protect sensitive data at rest and in transit. Which THREE cryptographic methods can provide confidentiality? (Choose three.)

Select 3 answers
A. Digital signature
B. Transport Layer Security (TLS)
C. Symmetric encryption
D. Hashing
E. Asymmetric encryption
Answers: B, C, E

TLS encrypts data in transit using symmetric and asymmetric methods.

Why this answer

Symmetric encryption, asymmetric encryption, and TLS (which uses both) provide confidentiality. Hashing does not.

966
MCQ (easy)

A security policy requires that all email attachments be scanned for malware. An employee receives a legitimate PDF from a customer that is flagged as malicious. What should the analyst do first?

A. Allow the email through since it's from a known sender.
B. Contact the customer to verify the file is intended.
C. Quarantine the email and delete the attachment.
D. Escalate to the incident response team.
E. Update the antivirus signatures and rescan.
Answer: B

Verification with sender is the appropriate first step.

Why this answer

Option B is correct because the first step when a legitimate-seeming email attachment is flagged as malicious is to verify its authenticity with the sender. This aligns with the security policy's requirement to scan attachments while avoiding unnecessary disruption to business operations. Contacting the customer confirms whether the file was intentionally sent and is safe, allowing the analyst to make an informed decision before taking further action.

Exam trap

Cisco often tests the principle of 'verify before acting' in security operations, and the trap here is that candidates may jump to quarantine or escalate based on the alert, forgetting that the first step in handling a potential false positive is to confirm the file's legitimacy with the sender.

How to eliminate wrong answers

Option A is wrong because allowing the email through solely based on the sender's known status bypasses the security policy's scanning requirement and could allow a compromised account to deliver malware. Option C is wrong because quarantining and deleting the attachment without verification may cause unnecessary data loss and disrupt legitimate business communication, especially if the file is actually safe. Option D is wrong because escalating to the incident response team is premature without first confirming whether the detection is a false positive; incident response should be reserved for confirmed incidents.

Option E is wrong because updating antivirus signatures and rescanning assumes the detection is due to outdated signatures, but the file was already flagged by current signatures, and this step does not address the need to verify the file's legitimacy with the sender.

967
MCQ (easy)

A security analyst is reviewing network traffic and notices a high volume of small packets from an internal IP to a single external IP on port 53. Which type of activity is most likely indicated?

A. DNS amplification attack
B. Port scan
C. Data exfiltration via DNS tunneling
D. Normal DNS resolution
Answer: C

DNS tunneling encodes data in DNS queries to exfiltrate data, often resulting in many small packets to a single external DNS server.

Why this answer

DNS tunneling encodes data within DNS queries and responses, often using small packets to evade detection. A high volume of small packets from an internal IP to a single external IP on port 53, without corresponding internal DNS server traffic, is a classic indicator of data exfiltration via DNS tunneling.

Exam trap

Cisco often tests the distinction between a DNS amplification attack (which uses large responses to flood a victim) and DNS tunneling (which uses small, consistent queries for covert data transfer), so candidates may confuse the two due to both involving DNS traffic.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses spoofed source IPs and large response packets (e.g., 4000+ bytes) to overwhelm a victim, not small packets from a single internal IP. Option B is wrong because a port scan typically targets multiple ports on a single IP or multiple IPs, not a sustained high volume of traffic to a single external port 53. Option D is wrong because normal DNS resolution involves queries to a local or recursive DNS server, not a direct high-volume stream of small packets to a single external IP, and would not show such a consistent pattern.

968
Multi-Select (hard)

An analyst is investigating a potential data exfiltration. Which two indicators in network traffic are most indicative of data exfiltration over DNS? (Choose two.)

Select 2 answers
A. Use of standard DNS ports
B. Large DNS response packets
C. DNSSEC enabled
D. Frequent DNS query retransmissions
E. High volume of DNS queries to unusual domains
Answers: B, E

Large DNS responses are used to carry exfiltrated data.

Why this answer

Large DNS response packets (Option B) are indicative of data exfiltration because attackers often encode stolen data into DNS TXT or other record types, causing response sizes to exceed the typical 512-byte limit and triggering EDNS0 extensions. This anomaly stands out against normal DNS traffic, where most responses are small.

Exam trap

Cisco often tests the misconception that any deviation from normal DNS behavior (like retransmissions or non-standard ports) is malicious, but the key indicators for exfiltration are unusually large response sizes and a high volume of queries to suspicious domains.

969
Multi-Select (easy)

Which two Sysmon Event IDs are most commonly associated with code injection techniques?

Select 2 answers
A. Event ID 3 (Network connect)
B. Event ID 8 (CreateRemoteThread)
C. Event ID 1 (Process creation)
D. Event ID 7 (Image loaded)
E. Event ID 10 (ProcessAccess)
Answers: B, E

CreateRemoteThread is a common method for code injection.

Why this answer

Sysmon Event ID 8 (CreateRemoteThread) is directly associated with code injection because it logs when a thread is created in a remote process, a common technique used by malware to inject malicious code into a legitimate process. Event ID 10 (ProcessAccess) is also critical as it records when a process opens a handle to another process, often a precursor to injecting code via APIs like OpenProcess and WriteProcessMemory.

Exam trap

Cisco often tests the distinction between direct indicators of injection (Event ID 8 and 10) versus indirect artifacts (Event ID 1 or 7), leading candidates to mistakenly choose process creation or image load events as primary injection indicators.

970
MCQ (medium)

An analyst detects traffic from an internal host that periodically sends small DNS queries to a domain with high entropy subdomains (e.g., 'a3k9f2.example.com'). The domain is not on any blocklist, and the query intervals are consistent every 60 seconds. Which technique is most likely being used?

A. DNS tunnelling for C2 communication
B. DNS amplification attack
C. Normal DNS resolution for a dynamic DNS service
D. DNS cache poisoning attempt
Answer: A

Encoded data in subdomains with regular intervals is typical of DNS tunnelling for command and control.

Why this answer

DNS tunnelling encodes data in subdomain queries, and periodic beaconing is common for C2. High entropy subdomains and regular intervals suggest DNS tunnelling for C2.

971
MCQ (hard)

Given a packet capture showing TCP packets with flags: first packet SYN, second packet SYN-ACK, third packet ACK, then a fourth packet with RST flag. What should the analyst suspect?

A. Port scan
B. Normal traffic
C. SYN flood
D. Denial of service
Answer: A

Correct. The completed handshake followed by RST is characteristic of a connect scan.

Why this answer

The three-way handshake (SYN, SYN-ACK, ACK) completes a TCP connection, but the immediate RST after the ACK indicates the client terminated the connection without sending any application data. This pattern is characteristic of a port scan (e.g., using nmap's connect scan), where the scanner verifies the port is open by completing the handshake and then immediately resets to avoid leaving the connection half-open.

Exam trap

Cisco often tests the distinction between a completed three-way handshake followed by a reset (port scan) versus an incomplete handshake (SYN flood) or sustained data transfer (normal traffic).

How to eliminate wrong answers

Option B is wrong because normal traffic would continue with data exchange (e.g., HTTP GET) after the ACK, not an immediate RST. Option C is wrong because a SYN flood involves sending a high volume of SYN packets without completing the handshake, not a full handshake followed by a reset. Option D is wrong because a denial of service (DoS) attack typically aims to overwhelm resources with traffic or exploit vulnerabilities, not to perform a single, clean handshake-and-reset sequence.

972
MCQ (easy)

A security analyst receives an alert for a known malware signature in an outbound file transfer. After investigation, the file is confirmed as benign software. This alert is classified as:

A. False positive
B. True positive
C. False negative
D. True negative
Answer: A

Alert triggered but no attack present.

Why this answer

A false positive occurs when an alert is triggered but no actual attack exists. The file is benign, so the alert is incorrect.

973
MCQ (hard)

An organization is implementing a threat intelligence sharing program. They want to exchange both structured indicators and full reports with other members of their ISAC. Which combination of standards/protocols should they choose? (Choose two.)

A. Snort rules
B. TAXII
C. OpenIOC
D. STIX
E. MISP
Answers: B, D

TAXII is the protocol for exchanging STIX content.

Why this answer

STIX (Structured Threat Information Expression) is the standard for representing structured threat indicators and full reports, while TAXII (Trusted Automated Exchange of Indicator Information) is the protocol for exchanging that STIX content over HTTPS. Together, they enable ISAC members to share both machine-readable indicators and human-readable reports in a standardized, automated manner.

Exam trap

Cisco often tests the distinction between a data model (STIX) and a transport protocol (TAXII), and candidates mistakenly choose MISP as a standard instead of recognizing it as a platform that implements these standards.

How to eliminate wrong answers

Option A is wrong because Snort rules are a signature format for intrusion detection systems, not a standard for exchanging threat intelligence between organizations. Option C is wrong because OpenIOC is a format for representing indicators of compromise, but it does not include a transport protocol for sharing full reports or support the structured report exchange required by an ISAC. Option E is wrong because MISP is a platform for threat intelligence sharing, not a standard or protocol; it can use STIX and TAXII for exchange, but MISP itself is not a standard/protocol combination.

974
Multi-Select (easy)

A security analyst is creating a network baseline for normal traffic patterns. Which TWO metrics should be included to detect anomalies?

Select 2 answers
A. Average bandwidth usage per hour
B. Geolocation of source IPs
C. Number of connections per host
D. MAC addresses of devices
E. CPU utilization of servers
Answers: A, C

Bandwidth is a key metric for baselines.

Why this answer

Average bandwidth usage per hour is correct because it establishes a baseline of typical traffic volume over time, allowing the analyst to detect sudden spikes or drops that may indicate anomalies such as DDoS attacks or data exfiltration. Number of connections per host is correct because it provides a per-device baseline for connection counts, enabling detection of unusual behavior like port scans, botnet activity, or compromised hosts generating excessive outbound connections.

Exam trap

Cisco often tests the distinction between network traffic metrics and host/system metrics, so the trap here is confusing server CPU utilization (a host metric) with network baseline metrics, leading candidates to incorrectly select it as a valid network anomaly detection parameter.

975
MCQ (medium)

An attacker sends a fraudulent email that appears to come from the company's IT department, requesting that the recipient click a link and enter their login credentials. Which type of social engineering attack is this?

A. Vishing
B. Phishing
C. Pretexting
D. Spear phishing
Answer: B

Phishing is a broad term for fraudulent emails asking for credentials.

Why this answer

This is a phishing attack because the attacker uses a fraudulent email that impersonates a trusted entity (the IT department) to trick the recipient into clicking a malicious link and entering sensitive login credentials. Phishing is a broad category of social engineering that relies on deceptive electronic communications, typically email, to harvest credentials or deliver malware.

Exam trap

Cisco often tests the distinction between generic phishing and spear phishing, where the trap is that candidates confuse a broad phishing email with a targeted one, but the question lacks any indication of personalization or specific targeting, making 'Phishing' the correct choice over 'Spear phishing'.

How to eliminate wrong answers

Option A (Vishing) is wrong because vishing (voice phishing) uses voice calls or VoIP systems, not email, to deceive victims. Option C (Pretexting) is wrong because pretexting involves fabricating a scenario or false identity to obtain information, but it does not necessarily use a fraudulent email with a link to harvest credentials; it often relies on direct interaction or impersonation over phone or in person. Option D (Spear phishing) is wrong because spear phishing is a targeted form of phishing aimed at a specific individual or organization, often using personalized details; the question describes a generic email sent to a recipient without indicating targeting, so it fits the broader phishing category.

Cisco CyberOps Associate 200-201 200-201 Questions 901–975 | Page 13/14 | Courseiva