
CCNA CBROPS Intrusion Analysis Questions

75 of 99 questions · Page 1/2 · CBROPS Intrusion Analysis topic · Answers revealed

1
MCQ · easy

An analyst detects HTTPS traffic to a domain that was registered only 24 hours ago and has no web content. The traffic occurs at odd hours and with consistent packet sizes. What technique is likely being used for C2?

A. DNS tunneling
B. HTTPS beaconing to a malicious domain
C. HTTP POST exfiltration
D. Domain Generation Algorithm (DGA)
Answer: B

HTTPS to a suspicious domain is common C2.

Why this answer

Attackers often use newly registered domains (DGAs or manually registered) for C2 to avoid blacklists. HTTPS provides encryption to hide the beaconing.

2
Multi-Select · hard

A security analyst is investigating a PCAP and sees the following HTTP POST request: POST /login HTTP/1.1 ... username=admin&password=letmein. Which TWO attack indicators are present?

Select 2 answers
A. Cross-site scripting (XSS) payload
B. Buffer overflow attempt
C. SQL injection attack
D. Use of weak or default credentials
E. Credential theft via plaintext transmission
Answers: D, E

The password 'letmein' is a common weak password.

Why this answer

Credentials sent in plaintext over HTTP can be captured by anyone sniffing the traffic (credential theft), and 'admin'/'letmein' are weak or default credentials, a common attack vector.

3
MCQ · medium

Which of the following is a common indicator of DNS tunneling used for exfiltration?

A. DNS queries with long subdomain strings
B. Frequent DNS queries to known domains
C. DNS responses with large payloads
D. DNS queries using TCP instead of UDP
Answer: A

Correct. Long subdomain strings are a sign of DNS tunneling.

Why this answer

DNS tunneling exploits the DNS protocol to encapsulate non-DNS data within DNS queries and responses. A common indicator is DNS queries with unusually long subdomain strings, as attackers encode exfiltrated data into the query name to bypass network security controls.

Exam trap

Cisco often tests the distinction between a general anomaly (like large DNS responses) and a specific tunneling indicator (long subdomain strings), where candidates mistakenly focus on response size or protocol choice rather than the query structure.

How to eliminate wrong answers

Option B is wrong because frequent DNS queries to known domains are typical of legitimate client behavior (e.g., CDN lookups) and not a specific sign of tunneling. Option C is wrong because while DNS responses can carry large payloads in tunneling, the primary indicator is the query side; moreover, standard DNS responses are limited to 512 bytes (or up to 4096 bytes with EDNS0), so large responses alone are not definitive. Option D is wrong because DNS queries normally use UDP, but tunneling can use TCP for reliability; however, TCP usage is not a common indicator because many legitimate operations (e.g., zone transfers) also use TCP.

4
MCQ · easy

A security analyst is investigating an alert that indicates a potential SQL injection attack. Which of the following HTTP request patterns is most indicative of a SQL injection attempt?

A. GET /login?user=admin&pass=password123
B. GET /search?q=<script>alert('XSS')</script>
C. GET /products?id=1 UNION SELECT * FROM users
D. GET /index.html HTTP/1.1
Answer: C

The UNION SELECT statement is a SQL injection technique to extract data from other tables.

Why this answer

SQL injection often involves injecting SQL keywords like UNION or SELECT into parameters. 'id=1 UNION SELECT' is a classic example.

5
Multi-Select · medium

An analyst identifies a series of SMB authentication attempts from a compromised host to multiple internal servers. The authentication uses NTLM hashes. Which TWO techniques are most likely being used for lateral movement? (Select 2)

Select 2 answers
A. Kerberoasting
B. SMB relay
C. Brute force
D. Golden ticket
E. Pass-the-hash
Answers: B, E

SMB relay forwards captured authentication to other hosts.

Why this answer

SMB relay (B) is correct because the attacker can intercept NTLM authentication attempts from the compromised host and relay them to other internal servers, gaining unauthorized access without needing to crack the hash. This technique leverages the SMB protocol's lack of channel binding in older implementations, allowing the relayed hash to authenticate to multiple targets.

Exam trap

Cisco often tests the distinction between 'pass-the-hash' (reusing a hash directly from the compromised host) and 'SMB relay' (forwarding the authentication challenge to another server), which candidates confuse as the same technique.

6
MCQ · medium

Which Wireshark filter can be used to extract the full TCP data of a specific conversation from a PCAP?

A. tcp.stream
B. tcp.port
C. http.request
D. ip.addr
Answer: A

Filters by TCP stream index for conversation reconstruction.

Why this answer

The tcp.stream filter allows viewing a specific TCP stream by its number, which is useful for analysis.

7
Multi-Select · medium

An analyst is examining a PCAP file for signs of lateral movement. Which TWO of the following are typical indicators of lateral movement using pass-the-hash?

Select 2 answers
A. Multiple SMB authentication attempts from a single host to multiple other hosts
B. HTTP requests to a web server
C. ICMP timestamp requests
D. Large file transfers using FTP
E. Use of NTLM authentication without a password, only the hash
Answers: A, E

SMB is commonly used for lateral movement in Windows environments.

Why this answer

Pass-the-hash attacks use NTLM authentication with hashed credentials. Indicators include multiple SMB authentication attempts from one host to many others and the use of NTLM hashes.

8
MCQ · easy

During network intrusion analysis, an analyst reviews logs and observes an alert for a TCP SYN scan. Which characteristic of a SYN scan would the analyst look for in packet captures?

A. The scan sends SYN packets and expects ICMP unreachable messages for open ports.
B. The scan sends SYN packets and waits for a timeout on closed ports.
C. The scan sends SYN packets and, upon receiving SYN-ACK, sends RST packets.
D. The scan sends SYN packets and completes the three-way handshake for open ports.
Answer: C

Correct. SYN scan sends RST after SYN-ACK to avoid establishing a full connection.

Why this answer

A SYN scan sends a SYN packet and, upon receiving a SYN-ACK from the target, responds with an RST instead of completing the handshake. This avoids establishing a full connection and is therefore stealthier.

9
MCQ · easy

In network forensics, which Wireshark filter would be used to reconstruct a TCP conversation between two hosts?

A. ip.addr
B. http.request
C. tcp.stream eq 0
D. dns.qry.name
Answer: C

Correct. tcp.stream allows viewing the full TCP conversation.

Why this answer

The tcp.stream filter isolates all packets belonging to a specific TCP connection.

10
MCQ · medium

An analyst is reviewing PCAP and sees a TCP stream with a Wireshark filter 'tcp.stream eq 0'. The conversation shows an interactive shell session with commands like 'whoami' and 'ls'. This is most likely evidence of what?

A. DNS tunneling
B. Reverse shell
C. SQL injection
D. ARP spoofing
Answer: B

Reverse shell provides command-line access.

Why this answer

An interactive shell session over TCP indicates a reverse shell, allowing the attacker to execute commands remotely.

11
MCQ · easy

An analyst is investigating a potential DNS tunneling attack. Which characteristic in DNS traffic would most likely indicate DNS tunneling?

A. DNS queries with long, random-looking subdomains to a single domain.
B. Frequent DNS queries to the same domain at regular intervals.
C. DNS queries for domains that are known to be malicious.
D. DNS query responses with unusually large payload sizes.
Answer: A

Correct. Tunneling encodes data in subdomains, making them long and random.

Why this answer

DNS tunneling often encodes data in subdomains, resulting in long, random-looking domain names that differ from legitimate traffic.

12
MCQ · easy

In a PCAP analysis, an analyst uses the filter 'http.request.uri contains "UNION"' and finds multiple HTTP requests with 'SELECT' and 'UNION SELECT' in the URI parameter. Which type of attack is likely occurring?

A. SQL injection
B. Buffer overflow
C. Cross-site scripting
D. Command injection
Answer: A

UNION SELECT is a classic SQL injection pattern.

Why this answer

SQL injection attacks often include SQL keywords like UNION and SELECT in crafted parameters.

13
MCQ · easy

Which MITRE ATT&CK tactic corresponds to the Cyber Kill Chain phase 'Actions on Objectives'?

A. Privilege Escalation
B. Impact
C. Command and Control
D. Exfiltration
Answer: B

Impact includes data destruction, denial of service, etc.

Why this answer

In MITRE ATT&CK, the tactic 'Impact' covers actions that disrupt or damage systems, similar to 'Actions on Objectives' where the attacker achieves their goal.

14
Multi-Select · medium

An analyst identifies HTTP traffic containing the string "<script>alert('XSS')</script>" in the URL parameter. Which TWO attack types are likely being attempted?

Select 2 answers
A. LDAP injection
B. HTML injection
C. Command injection
D. Cross-site scripting (XSS)
E. SQL injection
Answers: B, D

Injecting HTML tags is HTML injection.

Why this answer

The script tag is classic XSS; HTML injection occurs when an attacker injects HTML content into the page.

15
MCQ · medium

An analyst reviews network logs and sees a large outbound FTP transfer of 500 MB from a workstation to an external IP at 2:00 AM. The workstation regularly sends 10 MB daily. What should the analyst suspect?

A. C2 beaconing
B. Normal backup operation
C. Software update
D. Data exfiltration
Answer: D

Anomalous large transfer is suspicious for exfiltration.

Why this answer

Large outbound data transfers outside normal patterns, especially at odd hours, are typical of data exfiltration.

16
MCQ · easy

During alert triage, an analyst determines that an alert fired but no actual attack or malicious activity occurred on the network. How should this alert be classified?

A. True negative
B. False negative
C. True positive
D. False positive
Answer: D

False positive is an alert without an actual attack.

Why this answer

A false positive is an alert that fires when no real attack exists. A true positive means the alert corresponds to a confirmed attack, a false negative means an attack occurred but no alert fired, and a true negative means no alert fired and no attack occurred.

17
MCQ · hard

An alert shows a high volume of outbound traffic from an internal host to an external IP using FTP. The data includes files with names matching internal document names. This activity is most likely:

A. C2 beaconing
B. Normal backup operation
C. Port scanning
D. Data exfiltration
Answer: D

Large outbound FTP transfers of internal documents indicate exfiltration.

Why this answer

Exfiltration via FTP is a common technique to steal data by transferring it to an external server.

18
Multi-Select · easy

Which TWO of the following are valid classifications for alerts during triage?

Select 2 answers
A. Indeterminate
B. True positive
C. True negative
D. False negative
E. False positive
Answers: B, E

Correct. True positive indicates a real attack.

Why this answer

True positive and false positive are standard alert classifications.

19
MCQ · medium

An analyst is reviewing alerts from an IDS. A signature matched 'script' and 'alert' in HTTP request parameters. The analyst inspects the packet and sees <script>alert('XSS')</script> in the URI. What is the most accurate classification of this alert?

A. False negative
B. False positive
C. True negative
D. True positive
Answer: D

The attack payload is present, confirming a real attack.

Why this answer

The alert corresponds to a real attack (cross-site scripting) in the traffic, so it is a true positive.

20
Multi-Select · hard

An analyst is examining a PCAP for signs of pass-the-hash attack. Which THREE indicators would be consistent with pass-the-hash?

Select 3 answers
A. Large DNS queries
B. Multiple SMB authentication attempts from the same host to many targets
C. Kerberos ticket requests
D. Successful authentication followed by file access
E. NTLM authentication using a hash instead of a password
Answers: B, D, E

Correct. Lateral movement often uses pass-the-hash across multiple hosts.

Why this answer

Pass-the-hash uses NTLM authentication with a hash in place of the plaintext password, often over SMB, and may show successful authentication without a password.

21
MCQ · medium

During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?

A. Reconnaissance
B. Delivery
C. Weaponization
D. Exploitation
Answer: A

SYN scan is a reconnaissance activity to identify open ports and services.

Why this answer

The SYN scan is a reconnaissance technique used to identify open ports without completing the TCP handshake. The RST response indicates the port is closed, and the lack of an ACK means the handshake was intentionally not completed, which is characteristic of a SYN scan.

22
Multi-Select · hard

An analyst is analyzing a PCAP from a compromised host. Which THREE of the following are common indicators of exploitation attempts in network traffic?

Select 3 answers
A. Return-oriented programming (ROP) gadget chains in data
B. Presence of NOP sleds (e.g., repeated 0x90 bytes) in payload
C. Regular HTTP GET requests to a news website
D. Large blocks of identical data (e.g., 0x0c0c0c0c) sent to a process
E. DNS requests for common websites like google.com
Answers: A, B, D

ROP gadgets bypass DEP and are exploitation indicators.

Why this answer

Exploitation indicators include shellcode patterns (NOP sleds, ROP gadgets) and heap spray (large blocks of similar data).

23
Multi-Select, medium

An analyst is investigating a potential malware infection. Which TWO of the following are indicators of command and control (C2) communication?

Select 2 answers
A. Large file transfers to a peer host
B. SYN scans to multiple hosts
C. Regular HTTP requests to a known update server
D. DNS queries with long, random subdomains
E. Periodic beaconing to an unusual domain
Answers: D, E

Correct. DNS tunneling often uses long subdomains for C2.

Why this answer

Beaconing at regular intervals and DNS queries with encoded subdomains are classic C2 indicators.

24
Multi-Select, hard

An analyst observes a host making outbound connections to a server on TCP port 443, with traffic patterns showing small packets at regular 60-second intervals. The destination IP is in a country where the company does no business. Which THREE characteristics suggest this is C2 beaconing?

Select 3 answers
A. Small packet sizes at regular 60-second intervals
B. Large file downloads
C. Destination IP in a foreign country with no business presence
D. Use of HTTPS (port 443)
E. DNS queries for internal domains
Answers: A, C, D

Correct. Regular periodic small packets indicate beaconing.

Why this answer

Beaconing often uses HTTPS to evade detection, has periodic regular intervals, and goes to unusual destinations. Small packets at fixed intervals are classic.

25
MCQ, medium

An analyst observes a series of DNS queries for subdomains like 'ZGVzdGluYXRpb24= .malicious.com' where the subdomain part appears base64-encoded. The volume of DNS traffic from a single host is unusually high. Which exfiltration technique is most likely in use?

A. FTP exfiltration
B. DNS tunnelling
C. HTTP POST exfiltration
D. Steganography in images
Answer: B

Encoded data in DNS subdomain queries is a hallmark of DNS tunnelling/exfiltration.

Why this answer

DNS exfiltration encodes data in subdomain queries to bypass traditional monitoring.

26
Multi-Select, medium

A security analyst is investigating a suspected data exfiltration incident. Which TWO of the following indicators are most consistent with exfiltration over DNS?

Select 2 answers
A. DNS responses with unusually large TXT record sizes
B. Large number of ICMP echo requests to external hosts
C. Consistent traffic to a known C2 server on port 443
D. Multiple failed HTTP POST requests to a file-sharing site
E. High volume of DNS queries to an unusual domain with random-looking subdomains
Answers: A, E

Oversized TXT records can be used to deliver exfiltrated data.

Why this answer

DNS exfiltration involves encoding data in subdomain queries, often with high entropy, and can use TXT records to retrieve data.

27
MCQ, medium

A network analyst is examining a PCAP file and applies the Wireshark display filter 'http.request'. The results show several POST requests to '/login.php' with parameters containing 'username=admin&password=secret'. What type of attack is indicated?

A. Cross-site scripting (XSS)
B. Brute force attack
C. SQL injection
D. Credential theft via phishing
Answer: D

Plaintext credentials transmitted over HTTP indicate likely credential theft.

Why this answer

Plaintext credentials in HTTP POST bodies indicate credential theft, possibly via phishing or a compromised web form.

28
MCQ, hard

An analyst reviewing network alerts notices a rule triggered for 'ET SCAN NMAP -sU scan' based on traffic to a Linux server. The packet capture shows multiple UDP packets to various ports, and for closed ports, the server responds with ICMP Destination Unreachable (Port Unreachable). Which type of scan is being performed, and how should the analyst classify this alert?

A. TCP SYN scan; true positive
B. UDP scan; true positive
C. UDP scan; false positive
D. TCP connect scan; true negative
Answer: B

The UDP scan is correctly detected by the alert, so it is a true positive.

Why this answer

UDP scans send UDP packets; closed ports respond with ICMP Port Unreachable. This matches the alert signature, indicating a true positive for a UDP scan.

29
MCQ, hard

An analyst examines PCAP and sees multiple SMB sessions from internal host 10.1.1.10 to 10.1.1.20, 10.1.1.30, and 10.1.1.40 within seconds. The NTLM authentication contains a hash parameter that is identical across sessions. Which lateral movement technique is most likely being used?

A. Golden ticket
B. Pass-the-hash
C. Kerberoasting
D. Pass-the-ticket
Answer: B

Identical NTLM hash across multiple SMB sessions indicates pass-the-hash.

Why this answer

Pass-the-hash uses the same NTLM hash to authenticate to multiple hosts without knowing the plaintext password.

30
Multi-Select, hard

An analyst is reviewing PCAP from a network intrusion. The attacker used a payload with ROP gadgets and shellcode. Which TWO exploitation indicators are associated with this attack? (Choose two.)

Select 2 answers
A. ROP gadgets
B. NOP sled
C. Heap spray
D. Shellcode
E. DNS tunnelling
Answers: A, D

ROP gadgets are small instruction sequences used to chain calls.

Why this answer

Shellcode is the actual executable code injected; ROP gadgets are used to bypass DEP by chaining existing code.

31
MCQ, easy

A security analyst observes repeated ICMP port unreachable responses from a target host. The source IP is sending packets to multiple UDP ports. Which type of scan is most likely being performed?

A. TCP SYN scan
B. UDP scan
C. TCP connect scan
D. Ping sweep
Answer: B

UDP scan sends UDP datagrams; closed ports respond with ICMP port unreachable.

Why this answer

UDP scans elicit ICMP port unreachable messages from closed ports; open ports typically do not respond.

32
MCQ, medium

During a network intrusion investigation, an analyst notices repeated SMB authentication attempts from a single host to multiple other hosts using different usernames. Which type of activity does this pattern suggest?

A. Pass-the-hash attack
B. Lateral movement
C. SMB relay attack
D. Brute-force attack on SMB
Answer: B

Correct. Attempting to authenticate to multiple hosts indicates lateral movement.

Why this answer

Lateral movement via SMB involves authenticating to multiple hosts, often with different credentials, to move across the network.

33
Multi-Select, hard

During an incident, an analyst observes the following in PCAP: (1) DNS queries with random-looking subdomains to a known malicious domain, (2) large outbound FTP transfers of .zip files, (3) HTTP POST requests with Base64-encoded data in the body. Which THREE exfiltration techniques are being used? (Select 3)

Select 3 answers
A. ICMP exfiltration
B. FTP exfiltration
C. DNS tunneling
D. Steganography
E. HTTP exfiltration (POST)
Answers: B, C, E

Large outbound FTP transfers of archives point to FTP exfiltration.

Why this answer

DNS queries with encoded subdomains indicate DNS tunneling. FTP transfers indicate FTP exfiltration. HTTP POST with Base64 indicates HTTP exfiltration.

34
MCQ, medium

A security analyst observes a large number of SYN packets sent to various ports on a target host, receiving RST responses for closed ports and no response for open ports. Which phase of the Cyber Kill Chain does this activity represent?

A. Reconnaissance
B. Weaponisation
C. Exploitation
D. Delivery
Answer: A

Port scanning is a reconnaissance technique to identify vulnerabilities.

Why this answer

The observed behavior—sending a large number of SYN packets to various ports and analyzing RST responses (closed ports) versus no response (open ports)—is a classic port scan, specifically a SYN scan. This activity maps the target's attack surface by identifying live hosts and open ports, which aligns with the Reconnaissance phase of the Cyber Kill Chain, where the adversary gathers information to plan an attack.

Exam trap

Cisco often tests the distinction between Reconnaissance and Weaponisation, where candidates mistakenly think that sending crafted packets (SYN) is part of weaponisation, but weaponisation specifically involves creating the exploit or payload, not the scanning activity.

How to eliminate wrong answers

Option B (Weaponisation) is wrong because weaponisation involves coupling a payload with a delivery mechanism (e.g., creating a malicious document or exploit kit), not scanning for open ports. Option C (Exploitation) is wrong because exploitation requires actively leveraging a vulnerability to gain unauthorized access, whereas a SYN scan only identifies potential targets without attempting to compromise them. Option D (Delivery) is wrong because delivery refers to transmitting the weaponized payload to the target (e.g., via email or USB), not the pre-attack reconnaissance of scanning ports.

35
MCQ, hard

An analyst identifies a PCAP with a reverse shell session. Which characteristic in the traffic would most likely indicate an interactive shell session?

A. Large file transfers over FTP
B. Bidirectional traffic with small packets and command echo patterns
C. Periodic HTTP GET requests at regular intervals
D. Constant stream of UDP packets
Answer: B

Correct. Interactive shells show bidirectional small packets with commands and responses.

Why this answer

Reverse shells often exhibit bidirectional traffic with interactive patterns, such as small irregular packets and commands echoed.

36
MCQ, medium

During an incident response, an analyst extracts a file from a PCAP using Wireshark's 'Export Objects' feature. The file contains shellcode that uses NOP sleds and encodes a reverse shell command. Which Cyber Kill Chain phase does this file represent?

A. Installation
B. Actions on Objectives
C. Delivery
D. Weaponization
Answer: C

The file was delivered over the network, so it is in the delivery phase.

Why this answer

The file contains shellcode and is extracted from network traffic, indicating it was delivered to the target. This aligns with the delivery phase.

37
Multi-Select, hard

A PCAP contains the following patterns: (1) A TCP connection with a complete handshake to an external IP on port 443, (2) periodic data transfers every 60 seconds of approximately 1 KB, (3) the domain name in the TLS SNI field is generated by a DGA. Which THREE indicators are present?

Select 3 answers
A. Beaconing
B. Domain generation algorithm (DGA) usage
C. DNS exfiltration
D. C2 communication over HTTPS
E. Port scanning
Answers: A, B, D

Regular intervals (60s) indicate beaconing.

Why this answer

Beaconing is periodic callbacks, C2 over HTTPS uses port 443, and DGA domains indicate automated C2 infrastructure.

38
MCQ, hard

During a forensic analysis, an analyst uses NetworkMiner to extract files from a PCAP. One of the extracted files contains a PE executable with a known signature of a malware variant. Which phase of the Cyber Kill Chain does the file transfer most likely represent?

A. Reconnaissance
B. Weaponization
C. Exploitation
D. Delivery
Answer: D

Delivery transfers the weaponized payload.

Why this answer

The file transfer from the PCAP represents the Delivery phase because NetworkMiner extracted a PE executable that was transmitted over the network, likely via HTTP, SMTP, or SMB. In the Cyber Kill Chain, Delivery is the phase where the weaponized payload is transmitted to the target system, which is exactly what a file transfer in a PCAP captures. The presence of a known malware signature confirms the payload was delivered, not yet executed or exploited.

Exam trap

Cisco often tests the distinction between Delivery and Exploitation, where candidates mistakenly choose Exploitation because they see a malware file, but the PCAP only shows the transfer, not the execution or vulnerability trigger.

How to eliminate wrong answers

Option A is wrong because Reconnaissance involves gathering information about the target (e.g., scanning, OSINT) and does not include transferring a malware executable. Option B is wrong because Weaponization is the phase where the attacker creates the malicious payload (e.g., coupling exploit with backdoor), but the file transfer itself is not the creation step. Option C is wrong because Exploitation occurs when the delivered payload triggers a vulnerability to execute code; the PCAP file transfer only shows the delivery, not the execution or trigger.

39
MCQ, medium

An analyst notices periodic HTTP GET requests to a suspicious domain every 60 seconds. The payload size is small and consistent. This behavior is characteristic of which phase of the Cyber Kill Chain?

A. Actions on Objectives
B. Command and Control
C. Delivery
D. Installation
Answer: B

Correct. Regular beaconing is typical of C2.

Why this answer

Beaconing is a C2 communication technique where infected hosts periodically contact the command server.

40
MCQ, medium

While analyzing a PCAP, an analyst uses the Wireshark filter 'http.request' and finds a URI parameter containing '%27%20UNION%20SELECT%201,2,3%20--'. What type of attack is indicated?

A. Cross-site scripting (XSS)
B. SQL injection
C. Command injection
D. Directory traversal
Answer: B

UNION SELECT is a classic SQL injection technique.

Why this answer

The URL-encoded string decodes to a SQL injection attempt with UNION SELECT. SQL injection often appears in HTTP parameters.

41
MCQ, medium

A SOC analyst sees an alert for 'Possible SQL Injection' on a web server. Reviewing the PCAP, the analyst finds the parameter 'id=1 OR 1=1' in the HTTP request. However, the web server returns a normal page with no signs of compromise. What is the correct classification?

A. True negative
B. False negative
C. False positive
D. True positive
Answer: C

The alert triggered but no real attack took place.

Why this answer

The alert fired on a pattern that resembles SQL injection, but the server was not vulnerable or the input was sanitized; thus no actual attack occurred.

42
MCQ, hard

An intrusion detection system alerts on HTTP traffic containing the string 'UNION SELECT' in the URI parameter. This is most indicative of what type of attack?

A. SQL injection
B. Command injection
C. Cross-site scripting
D. Directory traversal
Answer: A

Correct. UNION SELECT is a classic SQL injection technique.

Why this answer

The alert detects the string 'UNION SELECT' in a URI parameter, which is a classic SQL injection payload used to combine results from multiple database queries. This indicates an attacker is attempting to manipulate SQL queries by injecting malicious SQL code through user input, a hallmark of SQL injection attacks.

Exam trap

Cisco often tests the distinction between injection types by using specific payload strings; the trap here is confusing SQL injection with command injection because both involve 'injection', but the 'UNION SELECT' syntax is unique to SQL and not used in command injection or other attacks.

How to eliminate wrong answers

Option B is wrong because command injection involves executing system commands (e.g., via shell metacharacters like ';' or '|') rather than SQL statements like 'UNION SELECT'. Option C is wrong because cross-site scripting (XSS) typically injects client-side scripts (e.g., JavaScript) into web pages, not SQL syntax in URI parameters. Option D is wrong because directory traversal exploits path traversal sequences (e.g., '../') to access restricted files, not SQL query manipulation.

43
MCQ, medium

A PCAP contains an HTTP POST request with a parameter containing "UNION SELECT username, password FROM users". This is evidence of:

A. SQL injection
B. Cross-site scripting
C. Path traversal
D. Command injection
Answer: A

UNION SELECT in a parameter is classic SQL injection.

Why this answer

SQL injection attacks often use UNION SELECT statements to extract data from databases via web application vulnerabilities.

44
MCQ, medium

An analyst reviews PCAP traffic and sees a series of HTTP POST requests from an internal host to an external IP at exactly 60-second intervals. The payload size is consistent. Which phase of the Cyber Kill Chain does this activity most likely represent?

A. Delivery
B. Command and Control
C. Actions on Objectives
D. Installation
Answer: B

Beaconing is a hallmark of C2.

Why this answer

The consistent 60-second intervals and uniform payload size of HTTP POST requests from an internal host to an external IP are classic indicators of beaconing activity. In the Cyber Kill Chain, this behavior aligns with the Command and Control (C2) phase, where an established foothold communicates with an external C2 server to receive instructions or exfiltrate data. The use of HTTP POST mimics normal web traffic to evade detection, a common technique in C2 channels.

Exam trap

Cisco often tests the distinction between beaconing (C2) and data exfiltration (Actions on Objectives), where candidates mistakenly associate any external HTTP POST with data theft rather than recognizing the periodic pattern as command-and-control signaling.

How to eliminate wrong answers

Option A is wrong because the Delivery phase involves the initial transmission of the exploit or payload to the target (e.g., via phishing email or malicious download), not periodic beaconing after compromise. Option C is wrong because Actions on Objectives refers to the final goal, such as data exfiltration or system destruction, which would show larger or irregular data transfers, not consistent small beacons. Option D is wrong because Installation is the phase where malware is placed on the system (e.g., writing to disk or registry), which occurs before C2 and does not involve periodic network traffic.
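The timing and size regularity that questions 24, 37, 39 and 44 rely on can be measured directly from flow records rather than eyeballed. The Python below is an added example, not part of the question bank; the flow-record layout, the thresholds and every sample flow are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary (constructed layout, not a real exporter's)."""
    ts: float          # start time, seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int     # bytes sent by the internal host


def coefficient_of_variation(values):
    """Population std-dev divided by the mean; 0.0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def score_beacons(flows, min_flows=6, max_interval_cv=0.15, max_size_cv=0.25):
    """Group flows by (src, dst, dport) and flag groups whose inter-arrival
    times and payload sizes are both regular enough to look like beaconing.

    The thresholds are assumptions for this example; tune them against
    baseline traffic. Whether the destination is unusual for the host (the
    third indicator in the questions) is an analyst judgement, so the result
    only reports the key for review.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)

    results = {}
    for key, group in groups.items():
        if len(group) < min_flows:
            continue  # too few samples to judge periodicity
        group.sort(key=lambda f: f.ts)
        intervals = [b.ts - a.ts for a, b in zip(group, group[1:])]
        sizes = [f.bytes_out for f in group]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        results[key] = {
            "count": len(group),
            "mean_interval_s": round(mean(intervals), 1),
            "interval_cv": round(interval_cv, 3),
            "mean_bytes": round(mean(sizes)),
            "size_cv": round(size_cv, 3),
            "beacon": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
        }
    return results


def constructed_flows():
    """Constructed sample: a 60-second HTTPS beacon of about 1 KB (the pattern
    in questions 37 and 44) plus a burst of ordinary browsing for contrast."""
    flows = []
    t0 = 1_700_000_000.0
    # Beacon: ten flows 60 s apart with +/-1 s jitter, ~1024 bytes each.
    jitter = [0, 1, -1, 0, 1, 0, -1, 1, 0, 0]
    sizes = [1024, 1030, 1019, 1024, 1027, 1021, 1024, 1025, 1023, 1024]
    for i in range(10):
        flows.append(Flow(t0 + 60 * i + jitter[i], "10.1.1.50",
                          "203.0.113.7", 443, sizes[i]))
    # Browsing: eight flows inside 41 s with irregular gaps and sizes.
    gaps = [0, 2, 9, 1, 15, 3, 7, 4]
    browse_sizes = [512, 48_000, 3_100, 120_000, 900, 7_500, 22_000, 1_800]
    t = t0
    for gap, size in zip(gaps, browse_sizes):
        t += gap
        flows.append(Flow(t, "10.1.1.50", "198.51.100.20", 443, size))
    return flows


if __name__ == "__main__":
    for key, result in score_beacons(constructed_flows()).items():
        print(key, result)
```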

45
MCQ, medium

An analyst is reviewing a PCAP and sees multiple HTTP requests with the parameter 'id=1 UNION SELECT username,password FROM users'. What type of attack is being attempted?

A. SQL injection
B. Directory traversal
C. Cross-site scripting (XSS)
D. Command injection
Answer: A

Correct. UNION SELECT is a classic SQL injection payload.

Why this answer

The SQL keywords UNION and SELECT in a parameter indicate a SQL injection attempt to extract data from the database.

46
MCQ, hard

During incident response, an analyst extracts files from a PCAP using Wireshark's Export Objects feature. One extracted file is a PDF that triggers an IDS alert for 'Exploit:PDF/HeapSpray'. Which technique does this alert describe?

A. Return-oriented programming (ROP)
B. Shellcode injection
C. Heap spray
D. Stack buffer overflow
Answer: C

Heap spray loads shellcode into heap memory to hijack execution.

Why this answer

Heap spray is a memory corruption technique where an attacker fills heap memory with shellcode to increase the chance of code execution, often used in PDF exploits.

47
MCQ, medium

A security analyst observes periodic outbound HTTPS connections to an unusual domain that resolves to different IP addresses each time. This behavior is most indicative of:

A. Exfiltration via FTP
B. DNS tunnelling
C. Port scanning
D. Beaconing using DGA
Answer: D

Periodic HTTPS connections to DGA domains indicate C2 beaconing.

Why this answer

Domain Generation Algorithms (DGA) are used to generate many domain names to evade blocklists, and C2 servers may use HTTPS with varying IPs.

48
MCQ, hard

A security analyst is investigating a potential exploit. The PCAP shows an HTTP POST request containing a long string of characters that, when decoded, reveals a series of return-oriented programming (ROP) gadgets. What is the likely purpose of this payload?

A. Lateral movement
B. Privilege escalation
C. Exploitation
D. Persistence
Answer: C

ROP is a code-reuse exploitation technique.

Why this answer

ROP gadgets are used to bypass non-executable memory protections by chaining together small code sequences to execute arbitrary code. This is an exploitation technique.

49
MCQ, hard

An analyst detects an attack where the attacker uses NTLM authentication with a hashed password instead of the plaintext password. This technique is known as:

A. Password spraying
B. Brute force
C. Kerberos ticket reuse
D. Pass-the-hash
Answer: D

Correct. Pass-the-hash uses the NTLM hash for authentication.

Why this answer

Pass-the-hash allows an attacker to authenticate using the hash of a password without knowing the actual password.

50
Multi-Select, medium

An analyst identifies an alert for 'ET TROJAN Win32/DarkComet RAT Beacon'. The analyst confirms the host is infected. Which TWO phases of the Cyber Kill Chain have been completed prior to this C2 beacon? (Choose two.)

Select 2 answers
A. Installation
B. Weaponisation
C. Reconnaissance
D. Exploitation
E. Delivery
Answers: D, E

Exploitation allowed the malware to run.

Why this answer

For C2 to occur, the attacker must have delivered the malware and exploited a vulnerability to install it.

51
MCQ, medium

In a PCAP, an analyst sees a large outbound data transfer over FTP to an external IP address during non-business hours. The source host is a database server. Which phase of the Cyber Kill Chain does this represent?

A. Installation
B. Actions on Objectives
C. Weaponization
D. Exploitation
Answer: B

Exfiltration is an action on objectives.

Why this answer

The Cyber Kill Chain's 'Actions on Objectives' phase is where the attacker achieves their ultimate goal, such as exfiltrating data. In this scenario, a large outbound FTP transfer from a database server to an external IP during non-business hours directly indicates data theft, which is the final objective of the intrusion. FTP (port 21/20) is used here as the exfiltration protocol, moving sensitive data out of the network.

Exam trap

Cisco often tests the distinction between 'Actions on Objectives' and 'Exploitation' by presenting a post-compromise activity (like data exfiltration) and expecting candidates to recognize it as the final phase, not the initial breach.

How to eliminate wrong answers

Option A is wrong because 'Installation' refers to deploying malware or a backdoor on the target system, not to the actual data exfiltration seen here. Option C is wrong because 'Weaponization' is the phase where the attacker creates a deliverable payload (e.g., coupling an exploit with a dropper), which occurs before delivery and exploitation. Option D is wrong because 'Exploitation' is the phase where a vulnerability is triggered to gain initial access, not the post-compromise data theft activity.

52
Multi-Select, easy

In the Cyber Kill Chain, which TWO phases occur after the attacker establishes command and control (C2)?

Select 2 answers
A. Exploitation
B. Lateral movement
C. Weaponisation
D. Installation
E. Actions on objectives
Answers: B, E

Lateral movement can occur after C2 to reach more systems.

Why this answer

After establishing command and control (C2), the attacker typically performs lateral movement to pivot within the network and then executes actions on objectives, such as data exfiltration or system disruption. In the Cyber Kill Chain, the phases following C2 are lateral movement and actions on objectives, as the attacker uses the C2 channel to explore the environment and achieve their end goal.

Exam trap

Cisco often tests the order of the Cyber Kill Chain phases, and the trap here is confusing 'installation' (which occurs before C2) with 'lateral movement' (which occurs after C2), leading candidates to incorrectly select installation as a post-C2 phase.

53
MCQ, hard

A network analyst finds a PCAP with a series of DNS queries for subdomains like "data12345.example.com" and "data67890.example.com" where the subdomain names appear to contain encoded base64 data. This pattern suggests:

A. Port scan via DNS
B. Normal DNS resolution
C. DGA-based C2
D. DNS tunnelling for exfiltration
Answer: D

Encoding data in subdomains for exfiltration is DNS tunnelling.

Why this answer

DNS exfiltration encodes data in subdomain names to bypass security controls, as DNS is often allowed through firewalls.

54
MCQ, easy

An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?

A. False positive
B. True negative
C. False negative
D. True positive
Answer: A

The alert triggered but no attack occurred, so it is a false positive.

Why this answer

The alert triggered but there was no actual attack, so it is a false positive.

55
MCQ, medium

An analyst is investigating a PCAP file and wants to reconstruct a conversation between two hosts. Which Wireshark filter would be most appropriate to follow the entire TCP stream?

A. tcp.stream eq 0
B. dns.qry.name
C. ip.addr == 10.0.0.1
D. http.request
Answer: A

Correct. The tcp.stream filter isolates a single TCP conversation so it can be followed end to end.

Why this answer

The 'tcp.stream' filter allows the analyst to follow and reconstruct the full TCP conversation.

56
MCQ, hard

In a PCAP, an analyst sees an interactive shell session over TCP with irregular command prompts and responses. Which tool was likely used to generate this traffic?

A. File transfer tool
B. Port scanner
C. Reverse shell payload
D. SQL injection tool
Answer: C

Interactive shell over TCP is characteristic of a reverse shell.

Why this answer

Reverse shells create interactive shell sessions over a TCP connection, often used by attackers to control compromised hosts.

57
MCQ, hard

During a PCAP analysis, a security analyst notices an HTTP request with the URI parameter 'id=1 UNION SELECT username,password FROM users--'. What is the most likely attack being attempted?

A. Command injection
B. Cross-site scripting (XSS)
C. Directory traversal
D. SQL injection
Answer: D

UNION SELECT is a classic SQL injection technique to combine query results.

Why this answer

The presence of UNION and SELECT keywords in a URL parameter indicates a SQL injection attempt, where the attacker tries to extract data from a database.

58
MCQ, medium

During alert triage, an analyst determines that an alert was triggered by legitimate administrative activity. How should this alert be classified?

A. True negative
B. False negative
C. True positive
D. False positive
Answer: D

Correct. Legitimate activity causing an alert is a false positive.

Why this answer

A false positive is when an alert is triggered but no actual attack occurred.

59
MCQ, easy

In the MITRE ATT&CK framework, TTPs are mapped to:

A. Vulnerability databases
B. Compliance standards
C. Network protocols
D. Real-world threat groups
Answer: D

Correct. TTPs are associated with specific groups.

Why this answer

MITRE ATT&CK maps adversary tactics, techniques, and procedures to real-world threat groups.

60
MCQ, medium

An analyst observes repeated TCP SYN packets to various ports on a target IP with no SYN-ACK responses. What type of scan is most likely being performed?

A. UDP scan
B. Ping sweep
C. SYN scan
D. TCP connect scan
Answer: C

Correct. SYN scan sends SYN packets and does not complete the handshake.

Why this answer

A SYN scan sends SYN packets and observes responses; incomplete handshakes indicate scanning.

61
MCQ, medium

During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?

A. Multiple DNS queries to algorithmically generated domains that result in NXDOMAIN responses
B. Large DNS responses indicating amplification
C. DNS queries to a single domain with high frequency
D. DNS queries with long TTL values
Answer: A

DGA generates many domains, most of which don't exist, causing NXDOMAIN.

Why this answer

DGA generates many random-looking domains, many of which will be non-existent (NXDOMAIN) as the attacker cycles through them.

62
MCQ, hard

An analyst observes a large outbound FTP transfer to an external IP address from a server that normally does not generate such traffic. This is most likely an indicator of:

A. Persistence
B. Lateral movement
C. C2 communication
D. Exfiltration
Answer: D

Correct. Large outbound transfers are a key exfiltration indicator.

Why this answer

Data exfiltration often involves large transfers to external destinations not typical for the host.

63
MCQ, medium

During a SYN scan, an attacker sends a SYN packet to a closed port on a target. What response does the target typically send back?

A. ICMP Port Unreachable
B. RST
C. ACK
D. SYN-ACK
Answer: B

Closed ports respond with RST.

Why this answer

In a SYN scan, a closed port responds with a RST packet to reject the connection attempt.

64
MCQ, easy

In the Cyber Kill Chain model, which phase involves delivering the exploit to the target, such as via email attachment or malicious link?

A. Installation
B. Exploitation
C. Weaponization
D. Delivery
Answer: D

Correct. Delivery is the transmission of the weaponized payload.

Why this answer

The delivery phase is where the weaponized payload is transmitted to the victim, e.g., via phishing email or drive-by download.

65
MCQ, medium

An analyst filters PCAP with 'tcp.stream eq 0' and sees an interactive shell session with commands like 'whoami', 'ls -la', 'cd /etc'. The session originated from an HTTP POST to a web shell. Which type of attack is this?

A. Reverse shell
B. DNS tunnelling
C. SQL injection
D. Cross-site scripting
Answer: A

Interactive shell over TCP is a reverse shell.

Why this answer

A web shell allows remote command execution over HTTP, essentially a reverse shell.

66
MCQ, medium

An analyst analyzing a PCAP sees a series of TCP connections where the client sends data with interactive patterns and receives commands. This is most likely indicative of:

A. Reverse shell
B. Web browsing
C. File transfer
D. DNS query
Answer: A

Correct. Interactive shell sessions over TCP indicate a reverse shell.

Why this answer

A reverse shell provides an interactive command-line session from the victim to the attacker.

67
MCQ, easy

An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?

A. Large data transfers to a known cloud provider
B. ICMP echo requests to multiple hosts
C. Random intervals with varying packet sizes
D. Periodic connections at regular intervals to an external IP
Answer: D

Regular intervals are a hallmark of beaconing for C2.

Why this answer

Beaconing is characterized by regular, periodic connections to a C2 server at consistent intervals.

68
MCQ, medium

An analyst is monitoring network traffic and observes a host making outbound HTTPS connections to a domain that appears to be generated by a Domain Generation Algorithm (DGA). Which phase of the Cyber Kill Chain best describes this activity?

A. Installation
B. Command and Control (C2)
C. Actions on Objectives
D. Exploitation
Answer: B

Correct. DGA domains are used to locate C2 servers.

Why this answer

After installation, the malware contacts C2 servers to receive commands. DGA domains are used for C2 communication.

69
MCQ, hard

An analyst examines a PCAP and finds a series of UDP packets sent to multiple ports on a target. The target responds with ICMP 'Destination Unreachable (Port Unreachable)' messages for each port. What type of scan is being performed?

A. UDP scan
B. SYN scan
C. Xmas scan
D. FIN scan
Answer: A

A UDP scan uses UDP packets; an ICMP port unreachable reply indicates a closed port.

Why this answer

UDP scan sends UDP packets to ports. When a port is closed, the target responds with an ICMP port unreachable message. Open or filtered ports may not respond.

70
MCQ, medium

Which type of attack is indicated by a series of SMB authentication attempts from one host to multiple other hosts in a short time frame?

A. Lateral movement
B. Port scanning
C. C2 beaconing
D. DNS exfiltration
Answer: A

SMB authentication attempts across many hosts are typical of lateral movement.

Why this answer

Lateral movement often involves propagating across hosts using SMB for remote access and authentication.

71
MCQeasy

An analyst captures traffic and sees a TCP connection with only a SYN packet and an RST response. No SYN-ACK is observed. Which scan technique is this?

A. TCP SYN scan
B. Ping sweep
C. UDP scan
D. TCP connect scan
Answer: A

A SYN scan sends SYN packets; an RST reply indicates a closed port.

Why this answer

A SYN scan sends a SYN and expects a SYN-ACK from an open port; if an RST is received instead, the port is closed. Because the scanner never completes the three-way handshake, an incomplete handshake with no SYN-ACK observed is characteristic of a half-open (SYN) scan rather than a full TCP connect scan.

72
MCQ · hard

An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?

A. Installation
B. C2
C. Exploitation
D. Actions on Objectives
Answer: D

Exfiltration of data is a key objective in many attacks.

Why this answer

Exfiltration of sensitive data is part of 'Actions on Objectives', where the attacker achieves their goal of stealing data.

73
MCQ · hard

An analyst is investigating a host that is making outbound HTTPS connections to multiple random-looking domains, each with a short TTL. The domains are not in any threat intelligence feeds. Which technique is most likely being used?

A. Domain Generation Algorithm (DGA)
B. Beaconing
C. DNS tunneling
D. Fast flux DNS
Answer: A

Correct. DGA generates random domains for C2.

Why this answer

Domain Generation Algorithms (DGAs) produce large numbers of pseudo-random domain names so that blocklists and threat intelligence feeds cannot keep up. Short TTLs let the resolved addresses change quickly.

74
Multi-Select · medium

A network analyst is investigating a suspected DNS tunneling attack. Which THREE of the following are indicators of DNS tunneling?

Select 3 answers
A. DNS queries for well-known domains like google.com
B. Unusually high volume of DNS queries to a single domain
C. DNS queries with long subdomain names containing encoded characters
D. Low volume of DNS queries from internal hosts
E. DNS responses with large TXT record sizes
Answers: B, C, E

High query volume can indicate data exfiltration via DNS.

Why this answer

DNS tunneling often involves high volumes of DNS queries to a single domain, large payloads in TXT records, and encoded data in subdomains to exfiltrate data.

75
MCQ · medium

In Wireshark, which filter can be used to quickly find all HTTP requests that contain a specific keyword in the URL?

A. dns.qry.name contains "keyword"
B. tcp.port == 80
C. ip.src == 10.0.0.1
D. http.request.uri contains "keyword"
Answer: D

This filter matches HTTP request URIs containing the keyword.

Why this answer

The http.request.uri field combined with the contains operator isolates HTTP requests whose URI matches a specific substring; the other options filter on DNS names, a port, or a source address rather than on the request URL.

Page 1 of 2 · 99 questions total
