CCNA Cbrops Host Analysis Questions

24 of 99 questions · Page 2/2 · Cbrops Host Analysis topic · Answers revealed

76
MCQ · easy

An analyst discovers a suspicious service on a Windows host. Which command can be used to query the status and details of services from the command line?

A. services.msc
B. net start
C. sc query
D. tasklist /svc
Answer: C

sc query displays detailed service information from the command line.

Why this answer

sc query displays service status and configuration. services.msc is GUI-based, tasklist shows processes, and net start lists running services but with less detail.

77
Multi-Select · medium

An analyst is examining a suspicious executable file. The file has a .pdf extension but the magic bytes are 'MZ'. Which THREE indicators suggest the file is malicious?

Select 3 answers
A. The file imports functions like URLDownloadToFile
B. The file has a valid Authenticode signature
C. The file extension does not match the magic bytes
D. The file has a low entropy value (e.g., 2.5)
E. The file has a high entropy value (e.g., 7.8)
Answers: A, C, E

Correct. Network-related imports are common in malware.

Why this answer

Magic bytes MZ indicate PE, high entropy suggests packing, suspicious imports (e.g., URLDownloadToFile) are common in malware.

78
MCQ · medium

During a host-based analysis, a Windows system is found to have a suspicious service that starts automatically. Which command-line tool can be used to query the status and configuration of services, particularly to identify non-standard service names or paths?

A. sc query
B. services.msc
C. tasklist /svc
D. net start
Answer: A

sc query shows service status and configuration including binary path name.

Why this answer

sc query displays detailed service information including name, display name, and binary path.

79
MCQ · medium

An analyst is reviewing Windows Event Logs and finds Event ID 4648. What does this event typically indicate?

A. A failed logon attempt
B. An account creation event
C. A successful logon event
D. A logon using explicit credentials
Answer: D

4648 is logged when a process attempts to log on using explicit credentials.

Why this answer

Event ID 4648 indicates that a logon was attempted using explicit credentials, meaning a user supplied credentials to run a program or access a resource.

80
Multi-Select · medium

During a Linux incident response, an analyst runs 'ps aux' and sees a process with a suspicious name. The analyst wants to gather more information. Which TWO commands can provide the process's network connections?

Select 2 answers
A. cat /proc/[pid]/net/tcp
B. lsof -i
C. ss -tlnp
D. cat /var/log/syslog
E. netstat -antp
Answers: A, C

Correct. This file contains TCP connection details for the PID.

Why this answer

ss -tlnp shows listening TCP sockets with the process PID. /proc/[pid]/net/tcp contains TCP connection info for that process.

81
MCQ · medium

During an incident response, a Linux system shows unusual outbound network connections from a process named 'httpd'. The analyst uses 'ss -tlnp' to examine listening sockets. Which column would most likely indicate if the process is malicious?

A. Local Address:Port
B. State
C. Peer Address:Port
D. Process
Answer: D

Correct. The Process column reveals the program name and PID.

Why this answer

The 'Process' column in 'ss -tlnp' shows the PID and process name. If the process name is misrepresented or the PID does not match a legitimate httpd, it indicates malicious activity.

82
MCQ · easy

An analyst is reviewing Windows Event Logs and sees Event ID 4625. What does this event indicate?

A. Credential validation was attempted
B. An account logon failed
C. An account was created
D. An account was successfully logged on
Answer: B

Correct. 4625 is failed logon.

Why this answer

Event ID 4625 in the Security log indicates a failed logon attempt. This is often used to detect brute-force attacks or unauthorized access attempts.

83
MCQ · medium

An analyst is investigating a Windows system where a suspicious executable is running. Using Process Explorer, the analyst observes that the process 'svchost.exe' has a parent process of 'cmd.exe'. What is the significance of this parent-child relationship?

A. It shows that svchost.exe is a critical system process and is safe
B. It indicates that svchost.exe is likely malicious, as it should be spawned by services.exe
C. It suggests that svchost.exe is a child of explorer.exe, which is normal
D. It is normal behavior; svchost.exe often has cmd.exe as parent
Answer: B

Correct. Anomalous parent process is a red flag.

Why this answer

Legitimate svchost.exe processes are spawned by services.exe, not cmd.exe. A parent of cmd.exe indicates that svchost.exe was launched manually, which is abnormal and suggests malicious activity.

84
Multi-Select · medium

An incident responder is analyzing a Windows machine for evidence of malware persistence. Which TWO registry keys are commonly abused to achieve automatic execution at user logon?

Select 2 answers
A. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
B. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
C. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Answers: A, D

This key runs programs at logon for all users.

Why this answer

HKLM\...\Run and HKCU\...\Run are common persistence locations. RunOnce keys also exist but are for one-time execution. AppInit_DLLs is for DLL injection, and Image File Execution Options are for debugging.

85
MCQ · medium

An analyst is examining a Linux system for persistence mechanisms. Which of the following files should be reviewed to detect cron-based persistence?

A. /var/log/auth.log
B. /etc/passwd
C. /home/user/.bash_history
D. /var/spool/cron/crontabs
Answer: D

Correct. User crontabs are stored here.

Why this answer

Cron jobs can be set in /etc/crontab, /etc/cron.d/, and user-specific crontabs in /var/spool/cron/. /var/spool/cron/crontabs contains per-user crontabs.

86
MCQ · medium

During an incident response, an analyst checks for persistence mechanisms and finds an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. What is the most likely purpose of this registry key?

A. It lists recently accessed documents.
B. It specifies programs to run automatically at user logon.
C. It stores user interface settings for the current user.
D. It controls Windows Defender exclusions.
Answer: B

The Run key is used for auto-starting applications at logon.

Why this answer

The Run key in HKCU or HKLM causes programs to execute automatically when a user logs in. It is commonly used for legitimate software but also for malware persistence.

87
MCQ · medium

Which Linux log file is most appropriate for reviewing failed SSH login attempts?

A. /var/log/auth.log
B. /var/log/messages
C. /var/log/kern.log
D. /var/log/syslog
Answer: A

/var/log/auth.log is the standard location for authentication logs on Debian-based systems.

Why this answer

/var/log/auth.log (or /var/log/secure on some distributions) records authentication events including SSH failures.

88
MCQ · medium

An analyst is examining a PE file and notices that the 'TimeDateStamp' in the optional header is 0x00000000. What does this suggest?

A. The timestamp has been deliberately erased or not set, possibly to avoid forensic analysis.
B. The file is digitally signed.
C. The file was compiled on January 1, 1970 (Unix epoch).
D. The file is a DLL rather than an executable.
Answer: A

Malware authors often zero out the timestamp to hinder timeline analysis.

Why this answer

A timestamp of zero often indicates the linker did not set it, which is common for malware or files compiled with certain tools that omit the timestamp.

89
MCQ · easy

A Linux analyst wants to identify all listening TCP ports on a system. Which command is most appropriate?

A. netstat -an
B. ss -tlnp
C. lsof -i
D. ps aux
Answer: B

ss -tlnp: -t selects TCP, -l shows listening sockets, -n prints numeric addresses and ports, -p shows the owning process.

Why this answer

ss -tlnp shows listening TCP sockets with process info.

90
MCQ · medium

An analyst is investigating a Linux host and runs 'cat /proc/1234/cmdline'. What information does this provide?

A. The memory map of the process
B. The command line and arguments used to start the process
C. The environment variables of the process
D. The current working directory of the process
Answer: B

Correct. cmdline contains the command line.

Why this answer

The /proc/[pid]/cmdline file contains the full command line used to start the process, including arguments. This helps verify if a process was launched with suspicious parameters.

91
MCQ · hard

An analyst is examining a suspicious PE file. The file's entropy is very high (close to 8.0) and the import table is almost empty. What does this indicate?

A. The file is likely packed or obfuscated
B. The file is a DLL file
C. The file is a standard Windows executable with many imports
D. The file has been digitally signed
Answer: A

High entropy and few imports indicate packing.

Why this answer

High entropy and a sparse import table strongly suggest the file is packed or encrypted. Packers often compress the original code, raising entropy and obfuscating imports.

92
MCQ · hard

An analyst uses Volatility's pstree plugin on a memory dump. The output shows that process 'winlogon.exe' has a child process 'cmd.exe' that is not typical. What is the most likely explanation?

A. An attacker may have used Sticky Keys or similar persistence.
B. A user is running a command prompt remotely.
C. A scheduled task is running.
D. The system is performing a normal update.
Answer: A

Sticky Keys (sethc.exe) can be replaced with cmd.exe to provide a command prompt at login.

Why this answer

winlogon.exe spawning cmd.exe is unusual and may indicate an attacker used Sticky Keys or similar accessibility feature abuse (sethc.exe) to gain a command prompt at the login screen. Normal winlogon does not launch cmd.exe as a child.

93
MCQ · hard

During a forensic examination of a Linux system, an analyst wants to check for persistence mechanisms. Which file or directory should be examined to find user-specific cron jobs that may have been added by an attacker?

A. /etc/cron.hourly/
B. /etc/cron.d/
C. /etc/crontab
D. /var/spool/cron/crontabs/
Answer: D

User crontabs are stored in this directory, one file per user.

Why this answer

User-specific cron jobs are stored in /var/spool/cron/crontabs/ (or /var/spool/cron/). /etc/crontab is the system-wide crontab, /etc/cron.d/ is a system-wide directory of crontab fragments, and /etc/cron.hourly/ holds scripts run on a schedule. The user-specific location is under /var/spool/cron/.

94
Multi-Select · medium

An analyst is investigating a Windows host that likely has malware persistence via the registry. Which TWO registry hives are commonly used to store Run keys for user logon persistence? (Select 2)

Select 2 answers
A. HKEY_CLASSES_ROOT\*\shell
B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AppInit_DLLs
D. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
E. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Answers: B, E

HKLM Run key is a common persistence location.

Why this answer

The Run keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run are standard locations where Windows executes programs automatically at user logon. Malware commonly writes entries to these keys to achieve persistence, making them critical for host-based analysis.

Exam trap

Cisco often tests the distinction between Run keys (user logon persistence) and other registry locations like AppInit_DLLs or Services, so candidates must know that only the Run paths under HKLM and HKCU are correct for this specific persistence method.

95
MCQ · medium

In Windows, prefetch files (C:\Windows\Prefetch\*.pf) are used by the system to speed up application loading. How can an analyst leverage prefetch files during host-based analysis?

A. They provide evidence of file execution, including frequency and timestamps.
B. They store network connection logs.
C. They store registry keys modified by the application.
D. They contain the contents of the running process memory.
Answer: A

Prefetch files record execution details useful for forensic timeline.

Why this answer

Prefetch files in Windows record metadata about application launches, including the executable path, run count, and last run timestamp. During host-based analysis, an analyst can examine these .pf files to determine which executables have been executed, how often, and when, providing crucial evidence of file execution activity.

Exam trap

Cisco often tests the specific purpose of prefetch files versus other forensic artifacts, and the trap here is confusing prefetch files with memory dumps or registry logs, leading candidates to select options that describe unrelated Windows components.

How to eliminate wrong answers

Option B is wrong because prefetch files do not store network connection logs; network connection logs are typically found in Windows Event Logs (e.g., Security log with Event ID 5156) or firewall logs. Option C is wrong because prefetch files do not store registry keys modified by the application; registry modifications are tracked in the Registry hive files (e.g., NTUSER.DAT, SYSTEM, SOFTWARE) and can be analyzed via tools like RegRipper. Option D is wrong because prefetch files do not contain the contents of the running process memory; process memory contents are captured in memory dumps (e.g., .dmp files) or via forensic tools like Volatility.

96
Multi-Select · medium

An analyst is investigating a Windows host for malware persistence. Which TWO registry locations are commonly abused for persistence by modifying the 'Run' key? (Select TWO)

Select 2 answers
A. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
B. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D. HKLM\System\CurrentControlSet\Services
E. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Answers: B, C

This Run key loads programs for all users at startup.

Why this answer

Both HKLM and HKCU Run keys are commonly used for persistence.

97
MCQ · hard

During memory analysis with Volatility, the 'pstree' plugin shows a parent process of 'winlogon.exe' spawning 'cmd.exe'. What is the most likely explanation for this anomaly?

A. This is a normal occurrence when a user opens cmd after logging in.
B. A user is running a command prompt from the Windows login screen.
C. A debugger or persistence mechanism like Image File Execution Options has replaced sethc.exe with cmd.exe.
D. The cmd.exe is a system process running under winlogon's session.
Answer: C

IFEO can redirect accessibility binaries to cmd.exe, making winlogon launch it.

Why this answer

Normally, winlogon.exe does not spawn cmd.exe; this could indicate 'sticky keys' (sethc.exe) persistence or other accessibility-tool abuse where cmd.exe replaces the debugger.

98
MCQ · easy

An analyst is investigating a Windows host for signs of malware persistence. Which registry key would the analyst check for programs that run automatically when any user logs in?

A. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
B. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
D. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Answer: D

Correct. This key runs programs for all users at logon.

Why this answer

The Run registry key under HKEY_LOCAL_MACHINE specifies programs that run for all users at logon, while HKEY_CURRENT_USER is per-user. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run is the most common location for malware persistence.

99
MCQ · hard

During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?

A. consoles
B. cmdscan
C. malfind
D. dlllist
Answer: B

cmdscan searches for command-line history in memory.

Why this answer

The 'cmdscan' plugin scans the memory for command-line history that might not be captured by cmdline. It can recover previously typed commands.
