Host-Based Analysis practice questions

Practise with original Cisco CyberOps Associate 200-201 Host-Based Analysis exam-style questions, each with answer choices, an explanation, and an analysis of the common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Host-Based Analysis

What the exam tests

What to know about Host-Based Analysis

Host-Based Analysis questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Host-Based Analysis exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Host-Based Analysis questions

20 questions · select your answer, then reveal the explanation

An analyst is investigating a Windows host suspected of malware persistence. Which registry key is commonly used by malware to run a program every time a user logs in, located under both HKLM and HKCU?

During an incident response on a Linux server, an analyst runs 'ps aux' and notices a process named 'cryptominer' with high CPU usage. The process PPID is 1. Which tool would best help the analyst examine the parent-child relationship and find how the process was started?

A security analyst is analyzing a suspicious PE file. Using a hex editor, the analyst sees the MZ header (4D 5A). The file's entropy is calculated as 7.8. What does the high entropy most likely indicate?

An analyst uses Volatility to analyze a memory dump from a compromised Windows machine. Which Volatility command would show the list of running processes along with their parent process IDs?

A Linux administrator checks authentication logs to investigate a possible brute-force attack. Which log file typically contains records of successful and failed SSH login attempts?

A Windows Event Log shows Event ID 4625 multiple times from the same source IP address. What type of activity does this indicate?

During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?

An analyst is examining a suspicious file that appears to be a PDF but when checking the magic bytes at offset 0, sees '50 4B 03 04'. What does this indicate?

An analyst uses 'sc query' on a Windows host and finds a service named 'WindowsUpdate' with a binary path pointing to 'C:\Users\Public\update.exe'. The service is running. Why is this suspicious?

Which Windows artifact stores evidence of file execution, including the path and run count, and is located in C:\Windows\Prefetch?

A Linux host has an unusual cron job that runs a script from /tmp every minute. The analyst checks /etc/crontab and /var/spool/cron/ but finds nothing. Where else could the cron job be defined?

An analyst uses Volatility's 'netscan' on a memory dump and finds an established connection to an external IP on port 4444. Which type of activity is this commonly associated with?

An analyst is investigating a Windows host that likely has malware persistence via the registry. Which TWO registry hives are commonly used to store Run keys for user logon persistence? (Select 2)

A security analyst is analyzing a Linux system suspected of being used as a phishing server. Which THREE artifacts should the analyst examine to identify persistence mechanisms? (Select 3)

A Windows Event Log analysis reveals Event IDs 4720 and 4726 for the same account within a short time. Which TWO actions were performed? (Select 2)

An analyst is investigating a Windows system for signs of malware persistence. Which registry key is commonly used by malware to run automatically at user logon?

During incident response on a Linux server, an analyst runs 'ss -tlnp' and sees an SSH service listening on a non-standard high port. Which step should the analyst take next to investigate potential unauthorized access?

An analyst is analyzing a suspicious executable file. Using the 'file' command, it returns 'data' instead of 'PE32 executable'. What is the most likely reason?

A forensic analyst uses Volatility on a memory dump and runs the 'malfind' plugin. The output shows a process with a VAD region that has PAGE_EXECUTE_READWRITE protection and contains the pattern 'MZ'. What does this indicate?

Which Windows Event ID is recorded when a user account is created, indicating potential unauthorized account creation?

Frequently asked questions

What does the 200-201 exam test about Host-Based Analysis?
Host-Based Analysis questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Host-Based Analysis questions in a focused session?
Yes — the session launcher on this page draws every question from the Host-Based Analysis domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.