CCNA Cbrops Host Analysis Questions

75 of 99 questions · Page 1/2 · Cbrops Host Analysis topic · Answers revealed

1
MCQmedium

A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the ASCII string 'MZ' at the beginning. What does this indicate?

A.The file is a plain text file
B.The file is a Windows Portable Executable
C.The file is a Linux ELF binary
D.The file is a PDF document
AnswerB

Correct. 'MZ' is the PE signature.

Why this answer

The 'MZ' magic bytes (0x4D 0x5A) are the signature of a Portable Executable (PE) file, indicating it is a Windows executable. This is the first step in file identification.

2
Multi-Selectmedium

An analyst is examining a Linux system for signs of an attacker establishing persistence. Which TWO of the following locations should the analyst check? (Choose two.)

Select 2 answers
A./etc/passwd
B./proc/self/status
C./etc/systemd/system/
D./etc/crontab
E./home/user/.bash_history
AnswersC, D

Correct. Systemd services can be used for persistence.

Why this answer

Common persistence mechanisms on Linux include cron jobs and systemd services. Bash history only records commands, not persistence. /proc is a virtual filesystem. /etc/passwd lists users but doesn't directly show persistence.

3
MCQhard

When analyzing a suspicious PE file, the analyst calculates the file's entropy and finds it to be 7.8. What does a high entropy value typically indicate, and why is it relevant to malware analysis?

A.The file is likely packed or encrypted to evade signature-based detection.
B.The file contains no executable code.
C.The file is likely a legitimate application with high compression.
D.The file's imports are all standard Windows DLLs.
AnswerA

Malware often uses packing to obfuscate code, resulting in high entropy.

Why this answer

A high entropy value (close to 8.0) indicates that the data within the file is highly random, which is a strong sign of packing or encryption. Malware authors use packers to obfuscate the original executable code, making it harder for signature-based detection engines to identify known malicious patterns. In malware analysis, entropy is a quick heuristic to flag files that may be hiding their true content.

Exam trap

Cisco often tests the misconception that high entropy always means the file is malicious, when in fact it only indicates obfuscation or packing—legitimate files can also be packed (e.g., some installers), so entropy must be combined with other indicators like suspicious imports or network signatures.

How to eliminate wrong answers

Option B is wrong because a file with high entropy can still contain executable code that is simply obfuscated; the entropy value does not indicate the absence of code. Option C is wrong because legitimate applications rarely achieve entropy values near 7.8 through compression alone—standard compression algorithms like ZIP or LZMA produce entropy values around 6.5–7.0, not 7.8, and such high entropy is more characteristic of encryption or strong packing. Option D is wrong because the entropy calculation is based on the byte distribution of the entire file, not on the import table; a file with standard Windows DLL imports could still have high entropy if its code section is packed.

4
MCQeasy

Which Windows artifact stores evidence of file execution, including the path and run count, and is located in C:\Windows\Prefetch?

A.Windows Event Logs
B.Registry hives
C.Scheduled tasks
D.Prefetch files
AnswerD

Prefetch files are in C:\Windows\Prefetch.

Why this answer

Prefetch files (*.pf) are created by Windows to speed up application loading. They contain metadata about executed programs, including execution count and last run time.

5
MCQeasy

A Linux administrator checks authentication logs to investigate a possible brute-force attack. Which log file typically contains records of successful and failed SSH login attempts?

A./var/log/kern.log
B./var/log/auth.log
C./var/log/messages
D./var/log/syslog
AnswerB

auth.log is the standard authentication log.

Why this answer

On most Linux distributions, /var/log/auth.log (or /var/log/secure on Red Hat-based systems) records authentication events including SSH logins.

6
MCQmedium

An analyst uses Volatility on a memory dump and runs the 'pstree' command. What specific information does this provide compared to 'pslist'?

A.It shows only hidden processes.
B.It extracts command line arguments.
C.It displays the process tree hierarchy.
D.It lists loaded kernel modules.
AnswerC

pstree displays parent-child relationships in a tree format.

Why this answer

pstree shows parent-child relationships between processes, which pslist does not.

7
MCQeasy

When performing file analysis, which method is most reliable for determining the actual file type regardless of its extension?

A.Opening the file in a text editor
B.Checking the file extension
C.Examining the file's magic bytes
D.Checking the file size
AnswerC

Magic bytes are consistent and reliable for file type identification.

Why this answer

Magic bytes (or file signatures) are unique byte sequences at the beginning of a file that identify its format regardless of the file extension. This method is reliable because it examines the actual binary content, such as the 'PK' header for ZIP files or '‰PNG' for PNG images, rather than relying on user-assigned metadata that can be easily changed.

Exam trap

Cisco often tests the concept that file extensions are user-modifiable metadata and thus unreliable, while magic bytes provide a content-based verification that is independent of the filename.

How to eliminate wrong answers

Option A is wrong because opening a file in a text editor only displays raw text or garbled characters for binary files, and it does not reliably identify the file type; it may also misinterpret encoding or execute harmful content. Option B is wrong because checking the file extension is unreliable—extensions can be renamed arbitrarily (e.g., renaming a .exe to .jpg) and do not reflect the actual file content. Option D is wrong because checking the file size provides no information about the file's structure or format; two files of identical size can be completely different types.

8
Multi-Selectmedium

During memory analysis using Volatility, an analyst wants to identify processes with suspicious network connections and potentially injected code. Which THREE plugins should the analyst use? (Select THREE)

Select 3 answers
A.hashdump
B.pstree
C.hivelist
D.malfind
E.netscan
AnswersB, D, E

Shows parent-child relationships to identify anomalies.

Why this answer

pstree shows process hierarchy, netscan lists network connections, and malfind detects injected code.

9
MCQmedium

An analyst is examining a suspicious file that appears to be a PDF but when checking the magic bytes at offset 0, sees '50 4B 03 04'. What does this indicate?

A.The file is a genuine PDF file
B.The file is a plain text file
C.The file is a ZIP archive
D.The file is an executable
AnswerC

PK signature indicates ZIP.

Why this answer

The magic bytes 50 4B 03 04 correspond to a ZIP archive (PK is the signature). This suggests the file is actually a ZIP file disguised with a PDF extension, possibly containing malicious content.

10
MCQhard

A security analyst is analyzing a memory dump using Volatility. The command 'volatility -f mem.dump malfind' returns several results with VAD tags 'VadS' and 'Vadl'. What does this indicate?

A.The process has no suspicious memory regions
B.The process has legitimate DLLs loaded in memory
C.The process likely has injected code, as these VAD tags indicate executable writable memory
D.The process is a kernel-mode driver
AnswerC

Correct. PAGE_EXECUTE_READWRITE memory is a strong indicator of code injection.

Why this answer

Malfind detects injected code by scanning for VADs with specific protection flags. 'VadS' indicates a VAD with PAGE_EXECUTE_READWRITE protection, common for shellcode injection. 'Vadl' is for large pages. The presence of these tags strongly suggests code injection.

11
MCQeasy

A security analyst is investigating a Windows host suspected of malware infection. Which tool would allow the analyst to view parent-child relationships of running processes and inspect command line arguments?

A.Process Explorer
B.Task Manager
C.tasklist command
D.Resource Monitor
AnswerA

Process Explorer is a Sysinternals tool that provides a hierarchical process tree and command line arguments.

Why this answer

Process Explorer provides detailed process tree view and command line information, unlike Task Manager's default view or tasklist.

12
MCQmedium

An analyst is examining a Linux server and notices an unusual systemd service that starts automatically. Which command would be used to disable this service?

A.systemctl disable servicename
B.systemctl stop servicename
C.systemctl remove servicename
D.systemctl mask servicename
AnswerA

disable prevents the service from starting at boot.

Why this answer

The 'systemctl disable' command prevents a service from starting automatically at boot.

13
MCQmedium

An analyst investigating a Linux host notices an unusual process running as root. Which command would provide the most detailed process listing including parent PID and CPU usage?

A.ss -tlnp
B.ps aux
C.lsof
D.top
AnswerB

ps aux displays all processes with user, PID, CPU, memory, and command line.

Why this answer

ps aux is a common command for detailed process listing, but it does not show parent PID. ps -efj includes PPID. However, the question asks for most detailed; ps auxf shows tree but not PPID. Actually, ps aux is sufficient for most details.

Among the options, top is interactive but not for listing. ps -ef shows parent PID. But the best answer is ps aux as it's widely used for detailed listing.

14
MCQmedium

A Linux system administrator notices unauthorized SSH logins in /var/log/auth.log. Which of the following log entries would indicate a failed SSH login attempt?

A.Failed password for root
B.Connection closed by authenticating user
C.Session opened for user
D.Accepted publickey for root
AnswerA

This explicitly indicates a failed password attempt.

Why this answer

In auth.log, failed SSH logins typically contain 'Failed password' messages. Accepted password indicates success, and Invalid user may accompany failed attempts but the key indicator is 'Failed password'.

15
MCQhard

A Linux host has an unusual cron job that runs a script from /tmp every minute. The analyst checks /etc/crontab and /var/spool/cron/ but finds nothing. Where else could the cron job be defined?

A./etc/cron.d/
B./etc/cron.hourly/
C./etc/cron.allow
D.~/.bashrc
AnswerA

This directory contains per-package cron definitions.

Why this answer

The cron job is defined in /etc/cron.d/ because this directory allows system administrators to drop individual cron configuration files that are parsed by the cron daemon. Unlike /etc/crontab and /var/spool/cron/ (which contain user-specific crontabs), /etc/cron.d/ is a standard location for package-maintained or custom cron jobs that run with system privileges. The fact that the analyst found nothing in the other two locations strongly suggests the job is defined in /etc/cron.d/.

Exam trap

Cisco often tests the distinction between cron configuration directories and control files, trapping candidates who confuse /etc/cron.allow (an access control list) with a location where cron jobs are actually defined.

How to eliminate wrong answers

Option B is wrong because /etc/cron.hourly/ is a directory for scripts that run on an hourly schedule, not for defining arbitrary cron jobs with specific minute-level intervals; it uses run-parts and does not support custom cron syntax like 'every minute'. Option C is wrong because /etc/cron.allow is a control file that lists users allowed to use cron, not a location where cron jobs are defined. Option D is wrong because ~/.bashrc is a shell initialization script executed for interactive login shells, not a cron configuration file; cron jobs cannot be defined there.

16
Multi-Selectmedium

An analyst is reviewing a memory dump using Volatility. They want to identify processes with potential code injection. Which TWO Volatility plugins would be most appropriate for detecting injected code?

Select 2 answers
A.cmdline
B.dlllist
C.netscan
D.pslist
E.malfind
AnswersB, E

Correct. dlllist can show unusual DLLs that may indicate injection.

Why this answer

malfind scans for injected code by finding memory regions with suspicious permissions (e.g., RWX). dlllist lists loaded DLLs, and ldrmodules can find hidden or suspicious modules.

17
MCQmedium

An analyst finds a registry modification under 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. What is the primary use of this registry key?

A.To configure network firewall rules for the image
B.To set a debugger that runs when the image is executed
C.To change the file extension association for the image
D.To log all execution of the image to the Event Log
AnswerB

Correct. IFEO is used for debugging and can be abused for persistence.

Why this answer

Image File Execution Options (IFEO) allow setting debuggers for executables. Malware can abuse this for persistence or to inject code by setting a debugger that launches the malware when the legitimate executable is run.

18
Multi-Selecthard

An analyst is using Volatility to analyze a memory dump. Which TWO plugins are most effective for detecting code injection?

Select 2 answers
A.ldrmodules
B.pslist
C.malfind
D.pstree
E.netscan
AnswersA, C

ldrmodules detects discrepancies in DLL lists that may indicate injected or hidden modules.

Why this answer

malfind specifically detects injected code, and ldrmodules (or dlllist with ldrmodules) helps detect hidden/unlinked DLLs that may indicate injection. pslist shows processes, pstree shows tree, and netscan shows connections.

19
MCQmedium

An analyst uses Volatility to analyze a memory dump from a compromised Windows machine. Which Volatility command would show the list of running processes along with their parent process IDs?

A.volatility -f mem.dmp pslist
B.volatility -f mem.dmp malfind
C.volatility -f mem.dmp pstree
D.volatility -f mem.dmp netscan
AnswerC

pstree shows the process tree with PPID.

Why this answer

The 'pstree' plugin in Volatility displays the process tree with parent-child relationships, helping identify suspicious process hierarchies.

20
Multi-Selectmedium

An analyst is investigating a Windows system for signs of malware persistence. Which TWO registry locations are commonly used by malware to achieve automatic startup? (Choose two.)

Select 2 answers
A.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
B.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
D.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
E.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AppInit_DLLs
AnswersA, D

User-specific Run key.

Why this answer

A is correct because the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key is a standard autostart location that launches programs when the current user logs in. Malware frequently writes a value here to achieve persistence without requiring administrative privileges, as it affects only the current user's session.

Exam trap

Cisco often tests the distinction between Run and RunOnce keys, and the trap here is that candidates mistakenly choose RunOnce options (B or C) thinking they provide persistence, when in fact they only execute a program a single time and then remove the entry.

21
MCQmedium

A Windows event log review shows Event ID 4625 multiple times from a single source IP. What does this event indicate, and which log contains it?

A.Successful logon; System log
B.Service start; System log
C.Failed logon; Security log
D.Account creation; Application log
AnswerC

Event ID 4625 indicates failed logon and is found in the Security event log.

Why this answer

Event ID 4625 is a failed logon attempt, recorded in the Security log.

22
MCQeasy

An analyst examines a Windows endpoint and finds a suspicious executable in the Startup folder. Which registry key is commonly used for persistence via legitimate startup programs and is often abused by malware?

A.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
B.HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
D.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
AnswerB

Correct. Run keys are common for both legitimate and malicious startup.

Why this answer

The Run and RunOnce keys in both HKLM and HKCU cause programs to execute at user logon. They are commonly abused for persistence.

23
MCQmedium

A Windows Event Log shows Event ID 4625 multiple times from the same source IP address. What type of activity does this indicate?

A.Failed logon attempts indicating a possible brute-force attack
B.Successful logon after multiple attempts
C.Credential validation by a domain controller
D.A user account was created
AnswerA

4625 is failed logon; multiple from same source is suspicious.

Why this answer

Event ID 4625 indicates a failed logon attempt. Multiple failures from the same source suggest a brute-force attack.

24
MCQmedium

During an incident response on a Linux server, an analyst runs 'ps aux' and notices a process named 'cryptominer' with high CPU usage. The process PPID is 1. Which tool would best help the analyst examine the parent-child relationship and find how the process was started?

A.pstree
B.netstat
C.lsof
D.crontab -l
AnswerA

pstree displays the process tree including PPID relationships.

Why this answer

The pstree command shows the process hierarchy in a tree format, clearly displaying parent-child relationships. This helps trace how the malicious process was launched.

25
MCQmedium

During incident response on a Linux server, an analyst runs 'ss -tlnp' and sees an SSH service listening on a non-standard high port. Which step should the analyst take next to investigate potential unauthorized access?

A.Review the bash history of root user.
B.Check /etc/crontab for malicious scheduled tasks.
C.Run 'ps aux' to list all processes.
D.Examine /var/log/auth.log for successful logins.
AnswerD

Auth.log contains SSH login records that can reveal unauthorized access.

Why this answer

Checking /var/log/auth.log for successful SSH logins on that port helps identify unauthorized connections.

26
MCQhard

A Linux analyst notices a process named '[kworker/1:1+events]' in the process list with high CPU usage. Which further analysis step would help determine if this is a legitimate kernel worker or a rootkit hiding as one?

A.Check /proc/[pid]/cmdline; if empty, it is likely a kernel thread, otherwise it is a user-space process masquerading.
B.Run 'ls -la /proc/[pid]/exe' to see the symbolic link target.
C.Examine /var/log/syslog for kernel messages.
D.Use 'strace' to trace system calls of the process.
AnswerA

Kernel threads have no command line (empty), while user-space processes have their arguments stored.

Why this answer

Checking /proc/[pid]/cmdline for the process ID can reveal if it has a command line; legitimate kernel threads have empty cmdline, while user-space processes do not.

27
MCQhard

During forensic analysis of a Windows host, an analyst finds a file in C:\Windows\Prefetch with the name 'MALWARE.EXE-3F2A1B0C.pf'. Which type of information can be extracted from this prefetch file to assist the investigation?

A.The number of times the executable has been run and the last execution timestamp
B.The file's SHA256 hash and digital signature status
C.The registry keys modified by the executable during execution
D.The command-line arguments used when the executable was launched
AnswerA

Correct. Prefetch tracks execution count and last run time.

Why this answer

Prefetch files (.pf) contain the last run time, run count, and paths of files loaded by the executable. This helps determine how many times the malware was executed and when.

28
MCQeasy

An analyst is investigating a Windows system for signs of malware persistence. Which registry key is commonly used by malware to run automatically at user logon?

A.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
B.HKLM\SYSTEM\CurrentControlSet\Services
C.HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
AnswerA

This key contains programs that run automatically when the current user logs in.

Why this answer

HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a common persistence location for user-level autoruns.

29
MCQhard

An analyst is analyzing a suspicious PE file. The file's entropy is high (close to 8.0), and the section names appear random. What does this likely indicate?

A.The file is likely packed or encrypted.
B.The file is a script compiled to an executable.
C.The file is a legitimate Windows system file.
D.The file has been digitally signed.
AnswerA

High entropy is characteristic of packing or encryption.

Why this answer

High entropy suggests the file is packed or encrypted. Normal executables have lower entropy. Packed malware uses compression/encryption to obfuscate code.

30
Multi-Selecteasy

A Windows analyst uses Process Explorer to investigate parent-child relationships. Which TWO characteristics are commonly associated with malicious processes?

Select 2 answers
A.A parent process with a valid digital signature
B.A process running from a user's Temp folder with a random name
C.A process with a long uptime and low CPU usage
D.A process chain where the parent is svchost.exe and child is explorer.exe
E.A child process spawned by a document reader (e.g., winword.exe spawning cmd.exe)
AnswersB, E

Correct. Random names in Temp folders are often malicious.

Why this answer

Malware often spawns child processes from unusual parents (e.g., Microsoft Word spawning cmd.exe) and may have suspicious command-line arguments.

31
MCQmedium

An analyst is reviewing Windows Security Event Logs and finds Event ID 4648. What does this event indicate?

A.A logon attempt using explicit credentials was attempted.
B.A service was installed.
C.A user account was created.
D.A scheduled task was created.
AnswerA

4648 is explicit credentials logon.

Why this answer

Event ID 4648 indicates explicit credentials were used to log on, such as running a program as a different user or using secondary logon. It is distinct from interactive logon (4624) or failed logon (4625).

32
Multi-Selecthard

A security analyst is analyzing a Linux system suspected of being used as a phishing server. Which THREE artifacts should the analyst examine to identify persistence mechanisms? (Select 3)

Select 3 answers
A./var/log/auth.log
B./etc/systemd/system/
C./etc/rc.local
D.~/.bash_history
E./etc/crontab
AnswersB, C, E

Systemd service unit files can enable services at boot.

Why this answer

Common Linux persistence mechanisms include cron jobs (crontab), systemd services, and startup scripts. Bash history may show commands but is not a persistence mechanism itself.

33
MCQhard

An analyst is reviewing a memory dump and uses Volatility's cmdline plugin to view process command lines. One process shows command line arguments that include a long base64-encoded string. What should the analyst suspect?

A.The process may be running obfuscated malicious code
B.The process is benign and the string is a normal parameter
C.The string is a hash for integrity verification
D.The process is using encryption
AnswerA

Attackers often use base64 to hide commands.

Why this answer

The presence of a long base64-encoded string in a process command line is a strong indicator of obfuscation, commonly used by malware to hide payloads or configuration data from static analysis. Base64 encoding is not encryption; it is a simple encoding scheme that can be easily decoded, but it obscures the string's content from casual inspection. Volatility's cmdline plugin reveals this artifact, and an analyst should suspect that the process is executing obfuscated malicious code, as attackers frequently use this technique to evade signature-based detection.

Exam trap

Cisco often tests the distinction between encoding and encryption, where candidates mistakenly think base64 is encryption or a hash, when it is actually a reversible encoding used for obfuscation.

How to eliminate wrong answers

Option B is wrong because a long base64-encoded string is not a normal parameter for legitimate processes; typical benign parameters are short, human-readable, and do not require encoding. Option C is wrong because a hash for integrity verification (e.g., SHA256, MD5) is a fixed-length hexadecimal string, not a variable-length base64-encoded string; base64 encoding is used for data, not hashes. Option D is wrong because encryption produces ciphertext that is not base64-encoded by default; base64 is an encoding scheme, not an encryption algorithm, and the string is obfuscated, not encrypted.

34
MCQeasy

In Linux forensics, which file would an analyst check to see command history of a user, potentially revealing malicious commands executed?

A./etc/passwd
B./proc/net/tcp
C./var/log/auth.log
D./home/user/.bash_history
AnswerD

The .bash_history file stores the command history for that user.

Why this answer

Bash history is stored in ~/.bash_history for each user.

35
Multi-Selectmedium

During memory analysis using Volatility, an analyst wants to identify processes that may be hiding. Which TWO plugins are most useful for detecting hidden or injected code? (Choose two.)

Select 2 answers
A.malfind
B.pslist
C.dlllist
D.psxview
E.cmdline
AnswersA, D

Detects injected code in processes.

Why this answer

psxview compares process listings from different sources to find discrepancies, while malfind detects injected code. pslist lists normally, and cmdline shows command lines.

36
MCQmedium

An analyst is investigating a Linux system and wants to view the current network connections. Which command is most appropriate to list listening TCP ports along with the associated processes?

A.netstat -anp
B.cat /proc/net/tcp
C.lsof -i TCP
D.ss -tlnp
AnswerD

This shows listening TCP ports with numeric addresses and process info.

Why this answer

The 'ss' command with options -t (TCP), -l (listening), -n (numeric), -p (process) shows listening TCP ports and the corresponding processes.

37
MCQeasy

Which Windows Prefetch file extension indicates that a program has been executed on the system?

A..evtx
B..pf
C..tmp
D..log
AnswerB

Prefetch files are stored in C:\Windows\Prefetch with .pf extension.

Why this answer

Prefetch files have the .pf extension and contain execution data for applications.

38
Multi-Selecthard

An analyst is analyzing a Linux system that may have been compromised. Which THREE artifacts would provide evidence of attacker activity? (Choose three.)

Select 3 answers
A./proc/cpuinfo
B./var/spool/cron/crontabs/
C./etc/passwd
D./var/log/auth.log
E./home/user/.bash_history
AnswersB, D, E

Contains user cron jobs for persistence.

Why this answer

Bash history contains commands executed by users, auth.log records login attempts, and cron jobs can be used for persistence. /etc/passwd shows user accounts but not activity.

39
Multi-Selecthard

An analyst is investigating a Windows host and observes a suspicious process with PID 1337. Which THREE of the following Volatility commands would provide useful information about this process? (Choose three.)

Select 3 answers
A.cmdline
B.hivelist
C.pslist
D.connscan
E.dlllist
AnswersA, C, E

Correct. Shows command-line arguments for the process.

Why this answer

The `cmdline` plugin displays the command-line arguments used to start a process, which is critical for identifying malicious or suspicious execution patterns (e.g., obfuscated paths, encoded commands). For PID 1337, this reveals exactly how the process was launched, helping to confirm or refute malicious intent.

Exam trap

Cisco often tests the distinction between process-specific plugins (like `cmdline`, `dlllist`, `pslist`) and system-wide or network plugins (like `hivelist`, `connscan`), leading candidates to select plugins that are useful for general analysis but not directly for investigating a specific process.

40
MCQhard

A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the MZ header (4D 5A). The file's entropy is calculated as 7.8. What does the high entropy most likely indicate?

A.The file is a legitimate signed binary
B.The file is likely packed or obfuscated
C.The file is corrupted
D.The file contains mostly plain text strings
AnswerB

High entropy is indicative of packing/encryption.

Why this answer

High entropy (close to 8) suggests the file is packed or encrypted, as compressed or encrypted data has high randomness. This is often used by malware to evade signature detection.

41
Multi-Selecthard

A Linux server has been compromised. The analyst checks for persistence mechanisms. Which THREE of the following are common Linux persistence techniques that should be examined? (Select THREE)

Select 3 answers
A.Creating a systemd service unit
B.Cron jobs in /etc/crontab or user crontabs
C.Changing the system timezone
D.Adding SSH public keys to authorized_keys
E.Modifying the /etc/hosts file
AnswersA, B, D

Systemd services can start automatically on boot.

Why this answer

Creating a systemd service unit is a common Linux persistence technique because systemd is the default init system for most modern Linux distributions. An attacker can place a malicious service file (e.g., /etc/systemd/system/evil.service) that automatically starts the malware at boot or after a crash, ensuring continued access even after a reboot.

Exam trap

Cisco often tests the distinction between persistence (automatic code execution) and other system modifications; the trap here is confusing a configuration change (timezone or hosts file) with a mechanism that ensures malware runs repeatedly.

42
MCQmedium

An analyst uses 'sc query' on a Windows host and finds a service named 'WindowsUpdate' with a binary path pointing to 'C:\Users\Public\update.exe'. The service is running. Why is this suspicious?

A.The service is running
B.The service name is misspelled
C.The service displays 'WindowsUpdate'
D.The binary path is not in a system directory
AnswerD

Legitimate services normally run from system directories.

Why this answer

Option D is correct because legitimate Windows services, especially those mimicking system components like Windows Update, should have their binary paths in protected system directories (e.g., C:\Windows\System32). A binary path pointing to C:\Users\Public\update.exe indicates the executable is in a user-writable location, which is a common technique used by malware to evade detection and maintain persistence. The 'sc query' command reveals the service configuration, and this abnormal path is a strong indicator of compromise.

Exam trap

Cisco often tests the misconception that a service name or display name alone is the red flag, when in fact the critical indicator is the binary path location outside of system directories.

How to eliminate wrong answers

Option A is wrong because a service being running is not inherently suspicious; many legitimate services run continuously. Option B is wrong because the service name 'WindowsUpdate' is not misspelled; it matches the expected name for the Windows Update service. Option C is wrong because the service displaying 'WindowsUpdate' is expected behavior for a service named that; the suspicious element is the binary path, not the display name.

43
MCQmedium

An analyst is reviewing Windows Event Logs and sees multiple Event ID 4625 entries from a single IP address. What does this indicate?

A.A user account was locked out.
B.A brute-force password guessing attack.
C.A service account password expired.
D.Successful remote logins from that IP.
AnswerB

Multiple failed logon attempts are typical of brute-force attacks.

Why this answer

Event ID 4625 is a failed logon attempt. Multiple failures from the same IP suggest a brute-force attack.

44
MCQeasy

A security analyst is investigating a Windows host and wants to view running processes along with their parent-child relationships and command-line arguments. Which tool is best suited for this task?

A.Volatility
B.tasklist
C.Process Explorer
D.Task Manager
AnswerC

Process Explorer from Sysinternals displays parent-child relationships, command-line arguments, and more.

Why this answer

Process Explorer provides detailed process information including parent PID and command line, while Task Manager and tasklist show limited details. Volatility is a memory analysis tool, not for live host analysis.

45
MCQmedium

An analyst finds a suspicious service named 'UpdateSvc' running on a Windows system. Which tool or command would best help determine the service's binary path and start type?

A.net start
B.sc query UpdateSvc
C.tasklist /svc
D.Get-Service UpdateSvc
AnswerB

sc query displays service configuration including BINARY_PATH_NAME and START_TYPE.

Why this answer

The 'sc query' command with the service name provides detailed information including binary path and start type.

46
MCQmedium

An analyst runs Volatility's pstree plugin on a memory dump. The output shows that a process 'svchost.exe' is the child of 'explorer.exe'. What is suspicious about this?

A.explorer.exe should not have any child processes
B.Nothing, svchost.exe can be a child of any process
C.svchost.exe should be a child of services.exe, not explorer.exe
D.The pstree output is unreliable
AnswerC

svchost.exe is a service host process; its parent should be services.exe.

Why this answer

Option C is correct because in a normal Windows system, svchost.exe is a service host process that should always be a child of services.exe, which is the Service Control Manager (SCM). When svchost.exe appears as a child of explorer.exe, it indicates that a malicious process or attacker has spawned a fake svchost.exe from explorer.exe to evade detection, as legitimate svchost.exe instances are never launched from the Windows shell.

Exam trap

Cisco often tests the misconception that svchost.exe can be a child of any process because it is a common system process, but the trap is that candidates forget the strict parent-child relationship enforced by the Service Control Manager in Windows.

How to eliminate wrong answers

Option A is wrong because explorer.exe can and does have legitimate child processes, such as when a user launches an application from the Start menu or desktop; the statement that it should have no child processes is false. Option B is wrong because svchost.exe should never be a child of any arbitrary process; it must be a direct child of services.exe to be legitimate, as the SCM is the only authorized parent for service host processes. Option D is wrong because the pstree plugin from Volatility is a reliable tool for reconstructing process parent-child relationships from memory dumps; its output is trustworthy when the memory image is intact and properly analyzed.

47
MCQhard

A forensic analyst uses Volatility on a memory dump and runs the 'malfind' plugin. The output shows a process with a VAD region that has PAGE_EXECUTE_READWRITE protection and contains the pattern 'MZ'. What does this indicate?

A.The process has been infected with code injection, likely a PE executable mapped in memory.
B.The process is using a packed executable that was unpacked in memory.
C.The process has a heap spray attack, but not necessarily injected code.
D.The process is a legitimate browser with dynamic code.
AnswerA

Malfind detects injected code by finding executable regions with PE headers.

Why this answer

PAGE_EXECUTE_READWRITE protection combined with 'MZ' header suggests code injection, where a malicious executable has been written into the process memory.

48
MCQhard

An analyst is using Volatility's 'pslist' and 'pstree' commands on a memory dump. The output shows a process named 'lsass.exe' with a PID of 1024. However, the usual PID for lsass.exe on this system is 512. What does this discrepancy likely indicate?

A.It indicates a possible process hollowing or masquerading attack
B.It shows that the system has multiple instances of lsass running
C.It is normal; the PID can vary between system boots
D.It suggests the process is a legitimate child of services.exe
AnswerA

Correct. Anomalous PID for lsass is suspicious.

Why this answer

The 'lsass.exe' process (Local Security Authority Subsystem Service) is a critical Windows system process responsible for enforcing security policies and handling authentication. Under normal conditions, lsass.exe runs as a child of 'winlogon.exe' or 'services.exe' with a consistent PID (often 512 or 528) across boots on a given system. A PID of 1024, especially when the known baseline is 512, strongly suggests that a malicious actor has spawned a fake 'lsass.exe' process via process hollowing (replacing the legitimate process's memory with malicious code) or masquerading (naming a malicious binary to mimic the legitimate one) to evade detection.

Exam trap

Cisco often tests the misconception that PIDs are random or always change between boots, but in reality, critical system processes like lsass.exe have predictable PIDs due to their fixed boot order, making any significant deviation a clear sign of compromise.

How to eliminate wrong answers

Option B is wrong because having multiple instances of lsass.exe is not normal; Windows typically runs only one instance of lsass.exe at a time, and multiple instances would indicate either a misconfiguration or malicious activity, but the question focuses on the PID discrepancy, not the count. Option C is wrong because while PIDs can vary between boots, the PID for lsass.exe on a given system is usually consistent (e.g., 512 or 528) due to its early boot-time launch order; a significant deviation like 1024 is abnormal and a red flag. Option D is wrong because lsass.exe is indeed a legitimate child of services.exe (or winlogon.exe) in normal operation, but the PID discrepancy itself is the anomaly; the statement does not explain why the PID is different, and a legitimate child would still have the expected PID.

49
MCQhard

A security analyst is analyzing a memory dump from a compromised Windows system using Volatility. Which command would best reveal hidden or injected code within a process?

A.vol.py netscan
B.vol.py pslist
C.vol.py malfind
D.vol.py dlllist
AnswerC

malfind identifies suspicious memory protections and injected code.

Why this answer

The 'malfind' command scans for anomalous memory regions that often indicate code injection, such as executable pages not backed by a file on disk.

50
MCQeasy

Which Windows Event ID corresponds to a successful user logon?

A.4648
B.4776
C.4625
D.4624
AnswerD

4624 is the event ID for successful logon.

Why this answer

Event ID 4624 is logged when a user successfully logs on to a system.

51
MCQmedium

An analyst uses Volatility's 'netscan' on a memory dump and finds an established connection to an external IP on port 4444. Which type of activity is this commonly associated with?

A.Email communication
B.DNS query
C.Reverse shell or backdoor
D.Normal web browsing
AnswerC

Port 4444 is commonly used for reverse shells.

Why this answer

Port 4444 is commonly used by Metasploit and other remote access tools for reverse shells. An established connection to an external IP on this port is indicative of a backdoor or command-and-control communication.

52
MCQhard

An analyst discovers that a Windows system executes a payload each time a user logs in, even before the desktop appears. Which registry key is most likely used for such persistence, and why would it be harder to detect than typical Run keys?

A.HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
B.HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
D.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AnswerC

AppInit_DLLs loads a DLL into each process using user32.dll, providing stealthy persistence.

Why this answer

AppInit_DLLs loads DLLs into every process that loads user32.dll, making it a stealthy persistence mechanism.

53
Multi-Selecthard

An analyst is examining a Windows system for evidence of privilege escalation or credential theft. Which THREE Event IDs should the analyst focus on in the Security log? (Select THREE)

Select 3 answers
A.4648
B.4776
C.4720
D.4625
E.4624
AnswersA, B, E

Explicit credentials logon, often used with runas for privilege escalation.

Why this answer

Event ID 4648 (A logon was attempted using explicit credentials) is correct because it records when a user explicitly provides credentials to run a program or service, which is a common technique in privilege escalation (e.g., runas) and credential theft (e.g., pass-the-hash). This event captures the target account, source process, and target workstation, making it invaluable for detecting lateral movement or credential misuse.

Exam trap

Cisco often tests the distinction between Event IDs that log authentication attempts (4624, 4625) versus those that log credential usage (4648, 4776), trapping candidates who confuse successful logons (4624) with evidence of credential theft.

54
MCQmedium

In a Linux system, an analyst wants to check for unauthorized cron jobs. Which of the following is a common location for user-specific cron jobs?

A./var/log/cron
B./etc/cron.d/
C./etc/crontab
D./var/spool/cron/crontabs/
AnswerD

This directory contains crontab files for individual users.

Why this answer

User-specific cron jobs are stored in /var/spool/cron/crontabs/ (or /var/spool/cron/ on some distributions), named after the user.

55
MCQmedium

An analyst finds an unknown scheduled task on a Windows system that runs a PowerShell script at system startup. Which tool is best for examining the task's trigger and actions?

A.Services.msc
B.Event Viewer
C.Registry Editor
D.Task Scheduler
AnswerD

Task Scheduler allows inspection of all task properties.

Why this answer

Task Scheduler (taskschd.msc) provides a GUI to view all scheduled tasks, their triggers, and actions.

56
MCQmedium

During a host-based analysis, an analyst discovers a suspicious service on a Windows machine. Which tool or command can be used to query the service configuration?

A.reg query
B.sc query
C.schtasks
D.tasklist
AnswerB

sc query displays service status and configuration.

Why this answer

The 'sc' command-line tool (Service Control) can query and modify services. 'sc query' shows the status, and 'sc qc' shows the configuration.

57
MCQeasy

During a host-based analysis of a Windows system, an analyst finds a suspicious executable that runs every time the system boots. Which registry key is most commonly used for this type of persistence?

A.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AppInit_DLLs
B.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
C.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Image File Execution Options
D.HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
AnswerD

This is the standard Run key for system-wide startup programs.

Why this answer

The Run registry key under HKLM and HKCU is a common location for programs to automatically start at boot. Malicious software often adds entries here to achieve persistence.

58
MCQmedium

A Windows system's security log shows Event ID 4720 followed by 4726 for the same username within minutes. What does this sequence indicate?

A.A user changed their password.
B.The account was successfully logged on.
C.A group membership was changed.
D.An account was created and then deleted, possibly for short-term unauthorized access.
AnswerD

Account creation then deletion is suspicious and indicative of a throwaway account.

Why this answer

Event 4720 is account creation, 4726 is deletion; rapid sequence suggests temporary account used for malicious activity.

59
MCQeasy

Which Windows Event ID is recorded when a user account is created, indicating potential unauthorized account creation?

A.4726
B.4648
C.4624
D.4720
AnswerD

4720 indicates account creation.

Why this answer

Event ID 4720 is logged when a user account is created in Active Directory or local SAM.

60
Multi-Selectmedium

During memory analysis using Volatility, an analyst suspects code injection. Which THREE commands would be most useful to identify injected code? (Select THREE)

Select 3 answers
A.malfind
B.pslist or pstree
C.netscan
D.dlllist or ldrmodules
E.hashdump
AnswersA, B, D

malfind scans for injected code or hidden memory regions.

Why this answer

malfind detects injected code, dlllist/ldrmodules show loaded modules anomalies, and pslist/pstree identify suspicious processes.

61
Multi-Selecteasy

An analyst is investigating a Linux system for persistence mechanisms. Which TWO of the following are common locations for cron-based persistence? (Select TWO)

Select 2 answers
A./var/spool/cron/crontabs/
B./etc/init.d/
C./etc/crontab
D./var/log/cron
E./etc/systemd/system/
AnswersA, C

User crontabs are stored here.

Why this answer

Crontabs for users are stored in /var/spool/cron/crontabs/ and system-wide cron jobs are in /etc/crontab.

62
Multi-Selecthard

An analyst is investigating a Windows system using prefetch files. The analyst notices a prefetch file for a tool called 'procdump.exe' with a run count of 1 and the last run time corresponding to the time of the incident. Which THREE conclusions can be drawn?

Select 3 answers
A.The parent process that launched the tool is identified
B.The tool was executed from a specific file path
C.The tool was executed at least once
D.The tool was executed with specific command-line arguments
E.The tool was executed only once (run count = 1)
AnswersB, C, E

Correct. Prefetch files contain the full path of the executable.

Why this answer

Prefetch shows evidence of execution, run count indicates how many times, and the path reveals the location. However, prefetch does not show the parent process or command-line arguments.

63
MCQmedium

An analyst discovers an unknown process on a Windows host that has no parent process (PPID 0). What does this likely indicate?

A.The process is a child of the System Idle Process.
B.The process is likely hidden or injected by malware.
C.The process is a user-initiated task running normally.
D.The process is a legitimate system process started at boot.
AnswerB

PPID 0 is suspicious and may indicate the process was created by a kernel-mode component or rootkit.

Why this answer

A process with PPID 0 is unusual and may indicate a rootkit or direct kernel manipulation. Normal processes have a parent, except for the System Idle Process (PID 0).

64
Multi-Selectmedium

A Windows Event Log analysis reveals Event ID 4720 and 4726 occurrences for the same account within a short time. Which TWO actions were performed? (Select 2)

Select 2 answers
A.User account was locked
B.User account was deleted
C.Group policy was updated
D.User logged on successfully
E.User account was created
AnswersB, E

4726 is account deletion.

Why this answer

Event ID 4720 indicates account creation, and 4726 indicates account deletion. The rapid creation and deletion may indicate an attempt to avoid detection or create a temporary account.

65
MCQeasy

An analyst wants to determine if a specific executable has been run on a Windows system. Which artifact provides evidence of prior execution?

A.Registry Run keys
B.Task Scheduler logs
C.Prefetch files
D.Windows Event Logs
AnswerC

Prefetch files are located in C:\Windows\Prefetch and track execution.

Why this answer

Prefetch files (.pf) are created by Windows when an executable runs, storing execution details such as the first eight file paths referenced and the last run time. Analyzing Prefetch files allows an analyst to determine if a specific executable has been executed, even if the executable itself has been deleted. This makes Prefetch the most direct artifact for evidence of prior execution.

Exam trap

Cisco often tests the misconception that Windows Event Logs (specifically Security Event ID 4688) are always enabled and capture all process executions, when in reality they require explicit audit policy configuration and are often not logging by default, making Prefetch a more reliable artifact for execution evidence.

How to eliminate wrong answers

Option A is wrong because Registry Run keys (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run) only indicate programs configured to start automatically at boot or user logon, not whether an arbitrary executable has been run. Option B is wrong because Task Scheduler logs record scheduled tasks and their execution history, but they do not capture execution of executables that were not scheduled. Option D is wrong because Windows Event Logs (e.g., Security log with Event ID 4688) can log process creation if auditing is enabled, but by default many systems do not log all process executions, making them unreliable for this specific forensic question.

66
MCQeasy

An analyst needs to check for services that were set to start automatically on a Windows host. Which command-line utility can be used to query the state and start type of all services?

A.sc query
B.tasklist
C.schtasks
D.netstat
AnswerA

Correct. sc query lists service status and configuration.

Why this answer

The 'sc query' command retrieves information about services, including their state and start type (auto, manual, disabled). It is useful for identifying suspicious services.

67
MCQhard

An analyst examining a Linux server notices an unusual cron job in /etc/crontab that runs a script every 5 minutes. Which of the following describes the best approach to determine if this cron job is malicious?

A.Ignore it because cron jobs are always legitimate.
B.Delete the cron job immediately to stop potential malicious activity.
C.Check the script's content, owner, and compare its hash with known threats.
D.Run the script in a sandbox to see what it does.
AnswerC

Analyzing the script and its origin is crucial for determination.

Why this answer

Inspecting the script content and correlating with known persistence techniques helps assess maliciousness.

68
MCQmedium

An analyst is performing memory forensics on a Windows machine using Volatility. Which command would be most useful to identify hidden or injected code within a process?

A.dlllist
B.netscan
C.pslist
D.malfind
AnswerD

malfind scans for suspicious memory patterns indicative of code injection.

Why this answer

malfind identifies suspicious memory regions, such as injected code. pslist lists processes, netscan shows network connections, and dlllist lists loaded DLLs.

69
MCQeasy

An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?

A.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
B.HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C.HKLM\SYSTEM\CurrentControlSet\Services
D.HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
AnswerB

This is a correct Run key for the current user.

Why this answer

The Run and RunOnce keys under HKLM and HKCU are common persistence mechanisms. Malware often adds entries here to execute automatically at user logon.

70
MCQhard

A forensic analyst is examining a suspicious file. The file has a high entropy score (close to 8.0) and the PE section names are obfuscated. Which tool or technique would best help determine if the file is packed?

A.Use the 'strings' command to extract readable strings
B.Check the file's digital signature
C.Run the 'file' command in Linux
D.Analyze the PE sections and calculate entropy to detect packing
AnswerD

Correct. High entropy and unusual section names are indicators of packing.

Why this answer

High entropy suggests compressed or encrypted data, common in packed executables. Tools like PEiD or manual analysis using 'strings' and entropy calculation can confirm packing. Hash comparison with VirusTotal can also help.

71
Multi-Selectmedium

A security analyst is investigating a Windows workstation that experienced a series of failed logon attempts followed by a successful logon. Which TWO Windows Event IDs should the analyst examine to understand this activity?

Select 2 answers
A.4624 - An account was successfully logged on
B.4720 - A user account was created
C.4648 - A logon was attempted using explicit credentials
D.4776 - The domain controller attempted to validate the credentials for an account
E.4625 - An account failed to log on
AnswersA, E

Correct. This event indicates a successful logon.

Why this answer

4625 is failed logon, 4624 is successful logon. These are the standard events for logon success/failure.

72
Multi-Selecthard

During a Linux forensic investigation, an analyst finds a suspicious process. The analyst wants to check for persistence mechanisms. Which THREE Linux artifacts should be examined?

Select 3 answers
A./var/log/auth.log
B./proc/net/tcp
C./etc/crontab and /var/spool/cron/
D./etc/systemd/system/ and /lib/systemd/system/
E./home/user/.bash_history
AnswersC, D, E

Correct. These files define cron jobs that can execute at specified times.

Why this answer

Cron jobs, systemd services, and bash history are common artifacts for persistence. Cron and systemd can schedule execution, bash history may show past commands.

73
MCQmedium

An analyst is analyzing a suspicious executable file. Using the 'file' command, it returns 'data' instead of 'PE32 executable'. What is the most likely reason?

A.The system is missing the file command database.
B.The file is a legitimate PE file with a different extension.
C.The file is actually a script written in Python.
D.The file has been packed or encrypted to hide its true nature.
AnswerD

Packed executables often have altered headers, causing 'file' to fail to recognize them.

Why this answer

The 'data' result indicates the file's magic bytes do not match known executables, suggesting it might be packed or obfuscated.

74
MCQhard

During incident response, a Linux server is found to have an unknown process listening on a high TCP port. The process is not listed in any systemd unit files. Which command will best help identify the process parent and its command-line arguments?

A.cat /proc/[pid]/cmdline && cat /proc/[pid]/status
B.ps aux | grep [pid]
C.journalctl -u unknown.service
D.ss -tlnp | grep [pid]
AnswerA

This retrieves command line and parent PID from the proc filesystem.

Why this answer

The /proc filesystem contains per-process directories. Checking /proc/[pid]/cmdline and /proc/[pid]/status reveals the command line and parent PID.

75
Multi-Selecthard

A security analyst is examining a Linux system suspected of compromise. Which THREE artifacts should be reviewed to identify potential persistence mechanisms?

Select 3 answers
A.Authorized SSH keys in ~/.ssh/authorized_keys
B./proc/cpuinfo
C.Cron jobs in /etc/crontab and /var/spool/cron/
D.Bash history in /home/*/.bash_history
E.Systemd services in /etc/systemd/system/
AnswersC, D, E

Cron jobs can be used to execute malicious scripts periodically.

Why this answer

Cron jobs, systemd services, and bash history are key for persistence detection. SSH keys can also be used. /proc/cpuinfo is hardware info, not persistence.

Page 1 of 2 · 99 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Cbrops Host Analysis questions.