An analyst detects HTTPS traffic to a domain that was registered only 24 hours ago and has no web content. The traffic occurs at odd hours and with consistent packet sizes. What technique is likely being used for C2?
Attackers often use newly registered domains (DGAs or manually registered) for C2 to avoid blacklists. HTTPS provides encryption to hide the beaconing.
A security analyst is investigating a PCAP and sees the following HTTP POST request: POST /login HTTP/1.1 ... username=admin&password=letmein. Which TWO attack indicators are present?
Select 2 answers
A. Cross-site scripting (XSS) payload
B. Buffer overflow attempt
C. SQL injection attack
D. Use of weak or default credentials
E. Credential theft via plaintext transmission
Answers: D, E
The password 'letmein' is a common weak password.
Why this answer
The plaintext credentials in an HTTP POST indicate credential theft (sniffing) and the use of weak or default passwords (common attack vector).
Correct. Long subdomain strings are a sign of DNS tunneling.
Why this answer
DNS tunneling exploits the DNS protocol to encapsulate non-DNS data within DNS queries and responses. A common indicator is DNS queries with unusually long subdomain strings, as attackers encode exfiltrated data into the query name to bypass network security controls.
Exam trap
Cisco often tests the distinction between a general anomaly (like large DNS responses) and a specific tunneling indicator (long subdomain strings), where candidates mistakenly focus on response size or protocol choice rather than the query structure.
How to eliminate wrong answers
Option B is wrong because frequent DNS queries to known domains are typical of legitimate client behavior (e.g., CDN lookups) and not a specific sign of tunneling. Option C is wrong because, while DNS responses can carry large payloads in tunneling, the primary indicator is on the query side; moreover, standard DNS responses are limited to 512 bytes (or up to 4096 bytes with EDNS0), so large responses alone are not definitive. Option D is wrong because, although DNS normally uses UDP and tunneling can fall back to TCP for reliability, TCP use is not a reliable indicator on its own: many legitimate operations (e.g., zone transfers) also use TCP.
A security analyst is investigating an alert that indicates a potential SQL injection attack. Which of the following HTTP request patterns is most indicative of a SQL injection attempt?
An analyst identifies a series of SMB authentication attempts from a compromised host to multiple internal servers. The authentication uses NTLM hashes. Which TWO techniques are most likely being used for lateral movement? (Select 2)
Select 2 answers
A. Kerberoasting
B. SMB relay
C. Brute force
D. Golden ticket
E. Pass-the-hash
Answers: B, E
Relays authentication to other hosts.
Why this answer
SMB relay (B) is correct because the attacker can intercept NTLM authentication attempts from the compromised host and relay them to other internal servers, gaining unauthorized access without needing to crack the hash. This technique leverages the SMB protocol's lack of channel binding in older implementations, allowing the relayed hash to authenticate to multiple targets.
Exam trap
Cisco often tests the distinction between 'pass-the-hash' (reusing a hash directly from the compromised host) and 'SMB relay' (forwarding the authentication challenge to another server), which candidates confuse as the same technique.
An analyst is examining a PCAP file for signs of lateral movement. Which TWO of the following are typical indicators of lateral movement using pass-the-hash?
Select 2 answers
A. Multiple SMB authentication attempts from a single host to multiple other hosts
E. Use of NTLM authentication without a password, only the hash
Answers: A, E
SMB is commonly used for lateral movement in Windows environments.
Why this answer
Pass-the-hash attacks use NTLM authentication with hashed credentials. Indicators include multiple SMB authentication attempts from one host to many others and the use of NTLM hashes.
During network intrusion analysis, an analyst reviews logs and observes an alert for a TCP SYN scan. Which characteristic of a SYN scan would the analyst look for in packet captures?
A. The scan sends SYN packets and expects ICMP unreachable messages for open ports.
B. The scan sends SYN packets and waits for a timeout on closed ports.
C. The scan sends SYN packets and, upon receiving SYN-ACK, sends RST packets.
D. The scan sends SYN packets and completes the three-way handshake for open ports.
Answer: C
Correct. SYN scan sends RST after SYN-ACK to avoid establishing a full connection.
Why this answer
A SYN scan sends a SYN packet and, upon receiving a SYN-ACK from the target, responds with an RST instead of completing the handshake. Because no full connection is established, the scan is stealthier and less likely to be logged by the target application.
An analyst is reviewing PCAP and sees a TCP stream with a Wireshark filter 'tcp.stream eq 0'. The conversation shows an interactive shell session with commands like 'whoami' and 'ls'. This is most likely evidence of what?
In a PCAP analysis, an analyst uses the filter 'http.request.uri contains "UNION"' and finds multiple HTTP requests with 'SELECT' and 'UNION SELECT' in the URI parameter. Which type of attack is likely occurring?
A. SQL injection
B. Buffer overflow
C. Cross-site scripting
D. Command injection
Answer: A
UNION SELECT is a classic SQL injection pattern.
Why this answer
SQL injection attacks often include SQL keywords like UNION and SELECT in crafted parameters.
Which MITRE ATT&CK tactic corresponds to the Cyber Kill Chain phase 'Actions on Objectives'?
A. Privilege Escalation
B. Impact
C. Command and Control
D. Exfiltration
Answer: B
Impact includes data destruction, denial of service, etc.
Why this answer
In MITRE ATT&CK, the tactic 'Impact' covers actions that disrupt or damage systems, similar to 'Actions on Objectives' where the attacker achieves their goal.
An analyst identifies HTTP traffic containing the string "<script>alert('XSS')</script>" in the URL parameter. Which TWO attack types are likely being attempted?
Select 2 answers
A. LDAP injection
B. HTML injection
C. Command injection
D. Cross-site scripting (XSS)
E. SQL injection
Answers: B, D
Injecting HTML tags is HTML injection.
Why this answer
The script tag is classic XSS; HTML injection occurs when an attacker injects HTML content into a page.
An analyst reviews network logs and sees a large outbound FTP transfer of 500 MB from a workstation to an external IP at 2:00 AM. The workstation regularly sends 10 MB daily. What should the analyst suspect?
A. C2 beaconing
B. Normal backup operation
C. Software update
D. Data exfiltration
Answer: D
Anomalous large transfer is suspicious for exfiltration.
Why this answer
Large outbound data transfers outside normal patterns, especially at odd hours, are typical of data exfiltration.
During alert triage, an analyst determines that an alert fired but no actual attack or malicious activity occurred on the network. How should this alert be classified?
A. True negative
B. False negative
C. True positive
D. False positive
Answer: D
False positive is an alert without an actual attack.
Why this answer
A false positive is an alert that triggers incorrectly when no real attack exists. A true positive means an attack was correctly detected, a false negative means a real attack was missed, and a true negative means there was no alert and no attack.
An alert shows a high volume of outbound traffic from an internal host to an external IP using FTP. The data includes files with names matching internal document names. This activity is most likely:
A. C2 beaconing
B. Normal backup operation
C. Port scanning
D. Data exfiltration
Answer: D
Large outbound FTP transfers of internal documents indicate exfiltration.
Why this answer
Exfiltration via FTP is a common technique to steal data by transferring it to an external server.
An analyst is reviewing alerts from an IDS. A signature matched 'script' and 'alert' in HTTP request parameters. The analyst inspects the packet and sees <script>alert('XSS')</script> in the URI. What is the most accurate classification of this alert?
A. False negative
B. False positive
C. True negative
D. True positive
Answer: D
The attack payload is present, confirming a real attack.
Why this answer
The alert corresponds to a real attack (cross-site scripting) in the traffic, so it is a true positive.
During a network intrusion analysis, a security analyst observes repeated TCP SYN packets sent to a range of ports on a target host, each followed by an RST response. No subsequent ACK packets are observed. Which phase of the Cyber Kill Chain is the attacker most likely executing?
A. Reconnaissance
B. Delivery
C. Weaponization
D. Exploitation
Answer: A
SYN scan is a reconnaissance activity to identify open ports and services.
Why this answer
The SYN scan is a reconnaissance technique used to identify open ports without completing the TCP handshake. The RST response indicates the port is closed, and the lack of ACK means the handshake was intentionally not completed, characteristic of a SYN scan.
An analyst is analyzing a PCAP from a compromised host. Which THREE of the following are common indicators of exploitation attempts in network traffic?
Select 3 answers
A. Return-oriented programming (ROP) gadget chains in data
B. Presence of NOP sleds (e.g., repeated 0x90 bytes) in payload
An analyst observes a host making outbound connections to a server on TCP port 443, with traffic patterns showing small packets at regular 60-second intervals. The destination IP is in a country where the company does no business. Which THREE characteristics suggest this is C2 beaconing?
Select 3 answers
A. Small packet sizes at regular 60-second intervals
B. Large file downloads
C. Destination IP in a foreign country with no business presence
Correct. Regular periodic small packets indicate beaconing.
Why this answer
Beaconing often uses HTTPS to evade detection, has periodic regular intervals, and goes to unusual destinations. Small packets at fixed intervals are classic.
An analyst observes a series of DNS queries for subdomains like 'ZGVzdGluYXRpb24= .malicious.com' where the subdomain part appears base64-encoded. The volume of DNS traffic from a single host is unusually high. Which exfiltration technique is most likely in use?
A security analyst is investigating a suspected data exfiltration incident. Which TWO of the following indicators are most consistent with exfiltration over DNS?
Select 2 answers
A. DNS responses with unusually large TXT record sizes
B. Large number of ICMP echo requests to external hosts
C. Consistent traffic to a known C2 server on port 443
D. Multiple failed HTTP POST requests to a file-sharing site
E. High volume of DNS queries to an unusual domain with random-looking subdomains
Answers: A, E
Oversized TXT records can be used to deliver exfiltrated data.
Why this answer
DNS exfiltration involves encoding data in subdomain queries, often with high entropy, and can use TXT records to retrieve data.
A network analyst is examining a PCAP file and applies the Wireshark display filter 'http.request'. The results show several POST requests to '/login.php' with parameters containing 'username=admin&password=secret'. What type of attack is indicated?
A. Cross-site scripting (XSS)
B. Brute force attack
C. SQL injection
D. Credential theft via phishing
Answer: D
Plaintext credentials transmitted over HTTP indicate likely credential theft.
Why this answer
Plaintext credentials in HTTP POST bodies indicate credential theft, possibly via phishing or a compromised web form.
An analyst reviewing network alerts notices a rule triggered for 'ET SCAN NMAP -sU scan' based on traffic to a Linux server. The packet capture shows multiple UDP packets to various ports, and for closed ports, the server responds with ICMP Destination Unreachable (Port Unreachable). Which type of scan is being performed, and how should the analyst classify this alert?
The UDP scan is correctly detected by the alert, so it is a true positive.
Why this answer
UDP scans send UDP packets; closed ports respond with ICMP Port Unreachable. This matches the alert signature, indicating a true positive for a UDP scan.
An analyst examines PCAP and sees multiple SMB sessions from internal host 10.1.1.10 to 10.1.1.20, 10.1.1.30, and 10.1.1.40 within seconds. The NTLM authentication contains a hash parameter that is identical across sessions. Which lateral movement technique is most likely being used?
A. Golden ticket
B. Pass-the-hash
C. Kerberoasting
D. Pass-the-ticket
Answer: B
Identical NTLM hash across multiple SMB sessions indicates pass-the-hash.
Why this answer
Pass-the-hash uses the same NTLM hash to authenticate to multiple hosts without knowing the plaintext password.
An analyst is reviewing PCAP from a network intrusion. The attacker used a payload with ROP gadgets and shellcode. Which TWO exploitation indicators are associated with this attack? (Choose two.)
A security analyst observes repeated ICMP port unreachable responses from a target host. The source IP is sending packets to multiple UDP ports. Which type of scan is most likely being performed?
During a network intrusion investigation, an analyst notices repeated SMB authentication attempts from a single host to multiple other hosts using different usernames. Which type of activity does this pattern suggest?
A. Pass-the-hash attack
B. Lateral movement
C. SMB relay attack
D. Brute-force attack on SMB
Answer: B
Correct. One host authenticating to many other hosts in succession is the pattern of lateral movement.
Why this answer
Lateral movement over SMB appears as a single host authenticating to many peers, often cycling through credentials harvested earlier, in order to reach more systems. A brute-force attack (D) would concentrate many attempts on one target, and pass-the-hash (A) reuses one credential rather than many different usernames.
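The two questions above (pass-the-hash and lateral movement over SMB) describe the same capture-level signal: one host authenticating to many others in a short window, either with one reused credential or with many. The following is an added example written for this page, not Cisco material or any vendor tool; it assumes the authentication events have already been exported from the capture (for instance from Wireshark's ntlmssp dissector or a Zeek ntlm.log) into simple tuples, and the sample events are constructed.

```python
"""Added example: fan-out detection for NTLM authentications over SMB.

Illustrative code written for this page, not a Cisco tool. It assumes
authentication events have already been exported from a capture (for instance
from Wireshark's ntlmssp dissector or a Zeek ntlm.log) into simple tuples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source host, destination host,
# account, authentication protocol). Not taken from a real capture.
SAMPLE_AUTHS = [
    # One workstation, one account, four servers in six seconds: pass-the-hash shape.
    ("2024-05-01T10:00:01", "10.1.1.10", "10.1.1.20", "CORP\\svc_backup", "NTLM"),
    ("2024-05-01T10:00:03", "10.1.1.10", "10.1.1.30", "CORP\\svc_backup", "NTLM"),
    ("2024-05-01T10:00:05", "10.1.1.10", "10.1.1.40", "CORP\\svc_backup", "NTLM"),
    ("2024-05-01T10:00:07", "10.1.1.10", "10.1.1.50", "CORP\\svc_backup", "NTLM"),
    # A user reaching a single file server with Kerberos: normal domain behaviour.
    ("2024-05-01T10:00:02", "10.1.1.11", "10.1.1.20", "CORP\\alice", "Kerberos"),
    ("2024-05-01T10:05:00", "10.1.1.11", "10.1.1.20", "CORP\\alice", "Kerberos"),
    # One host cycling through different accounts against several hosts.
    ("2024-05-01T11:00:00", "10.1.1.12", "10.1.1.20", "CORP\\bob", "NTLM"),
    ("2024-05-01T11:00:01", "10.1.1.12", "10.1.1.30", "CORP\\carol", "NTLM"),
    ("2024-05-01T11:00:02", "10.1.1.12", "10.1.1.40", "CORP\\dave", "NTLM"),
]


def find_fanout(events, window=timedelta(seconds=30), min_targets=3):
    """Return {source: finding} for sources whose NTLM authentications reached
    at least `min_targets` distinct hosts inside any `window`-long interval.

    Only NTLM is considered: inside a domain, Kerberos is the expected
    protocol, and NTLM to many hosts in quick succession is the pass-the-hash
    shape even though the NT hash itself never appears on the wire.
    """
    by_source = defaultdict(list)
    for ts, src, dst, account, proto in events:
        if proto == "NTLM":
            by_source[src].append((datetime.fromisoformat(ts), dst, account))

    findings = {}
    for src, evts in by_source.items():
        evts.sort()
        for i, (t0, _, _) in enumerate(evts):
            in_window = [e for e in evts[i:] if e[0] - t0 <= window]
            targets = {dst for _, dst, _ in in_window}
            if len(targets) < min_targets:
                continue
            accounts = {acct for _, _, acct in in_window}
            findings[src] = {
                "targets": sorted(targets),
                "accounts": sorted(accounts),
                # one account reused everywhere -> credential reuse (pass-the-hash
                # candidate); many accounts -> spraying / generic lateral movement
                "pattern": "single_account" if len(accounts) == 1 else "multi_account",
            }
            break
    return findings


if __name__ == "__main__":
    for src, f in find_fanout(SAMPLE_AUTHS).items():
        print(src, f["pattern"], "->", ", ".join(f["targets"]), "as", ", ".join(f["accounts"]))
```

The window and target thresholds are tuning knobs; backup and management hosts legitimately fan out, so in a real environment they belong on an allow-list rather than in the alert queue.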
During an incident, an analyst observes the following in PCAP: (1) DNS queries with random-looking subdomains to a known malicious domain, (2) large outbound FTP transfers of .zip files, (3) HTTP POST requests with Base64-encoded data in the body. Which THREE exfiltration techniques are being used? (Select 3)
DNS queries with encoded subdomains indicate DNS tunneling. FTP transfers indicate FTP exfiltration. HTTP POST with Base64 indicates HTTP exfiltration.
A security analyst observes a large number of SYN packets sent to various ports on a target host. Closed ports answer with RST, open ports answer with SYN-ACK (which the scanner tears down with an RST instead of completing the handshake), and filtered ports do not respond at all. Which phase of the Cyber Kill Chain does this activity represent?
A.Reconnaissance
B.Weaponisation
C.Exploitation
D.Delivery
AnswerA
Port scanning is a reconnaissance technique used to identify live hosts, open ports and the services behind them before an attack is planned.
Why this answer
The observed behavior, a burst of SYN packets to many ports with the replies sorted into RST (closed), SYN-ACK (open) and silence (filtered), is a classic port scan, specifically a SYN or half-open scan. It maps the target's attack surface without exploiting anything, which is the Reconnaissance phase of the Cyber Kill Chain, where the adversary gathers information to plan the intrusion.
Exam trap
Cisco often tests the distinction between Reconnaissance and Weaponisation, where candidates mistakenly think that sending crafted packets (SYN) is part of weaponisation, but weaponisation specifically involves creating the exploit or payload, not the scanning activity.
How to eliminate wrong answers
Option B (Weaponisation) is wrong because weaponisation involves coupling a payload with a delivery mechanism (e.g., creating a malicious document or exploit kit), not scanning for open ports. Option C (Exploitation) is wrong because exploitation requires actively leveraging a vulnerability to gain unauthorized access, whereas a SYN scan only identifies potential targets without attempting to compromise them. Option D (Delivery) is wrong because delivery refers to transmitting the weaponized payload to the target (e.g., via email or USB), not the pre-attack reconnaissance of scanning ports.
An analyst identifies a PCAP with a reverse shell session. Which characteristic in the traffic would most likely indicate an interactive shell session?
During an incident response, an analyst extracts a file from a PCAP using Wireshark's 'Export Objects' feature. The file contains shellcode that uses NOP sleds and encodes a reverse shell command. Which Cyber Kill Chain phase does this file represent?
A.Installation
B.Actions on Objectives
C.Delivery
D.Weaponization
AnswerC
The file was delivered over the network, so it is in the delivery phase.
Why this answer
The file contains shellcode (a NOP sled plus an encoded reverse-shell command) and was recovered from network traffic, so the capture shows the weaponized payload in transit to the target, which is the Delivery phase. Weaponization (building that payload) happened earlier and offline, and Installation or Actions on Objectives would require evidence of the shellcode executing on the host.
A PCAP contains the following patterns: (1) A TCP connection with a complete handshake to an external IP on port 443, (2) periodic data transfers every 60 seconds of approximately 1 KB, (3) the domain name in the TLS SNI field is generated by a DGA. Which THREE indicators are present?
During a forensic analysis, an analyst uses NetworkMiner to extract files from a PCAP. One of the extracted files contains a PE executable with a known signature of a malware variant. Which phase of the Cyber Kill Chain does the file transfer most likely represent?
A.Reconnaissance
B.Weaponization
C.Exploitation
D.Delivery
AnswerD
Delivery transfers the weaponized payload.
Why this answer
The file transfer from the PCAP represents the Delivery phase because NetworkMiner extracted a PE executable that was transmitted over the network, likely via HTTP, SMTP, or SMB. In the Cyber Kill Chain, Delivery is the phase where the weaponized payload is transmitted to the target system, which is exactly what a file transfer in a PCAP captures. The presence of a known malware signature confirms the payload was delivered, not yet executed or exploited.
Exam trap
Cisco often tests the distinction between Delivery and Exploitation, where candidates mistakenly choose Exploitation because they see a malware file, but the PCAP only shows the transfer, not the execution or vulnerability trigger.
How to eliminate wrong answers
Option A is wrong because Reconnaissance involves gathering information about the target (e.g., scanning, OSINT) and does not include transferring a malware executable. Option B is wrong because Weaponization is the phase where the attacker creates the malicious payload (e.g., coupling exploit with backdoor), but the file transfer itself is not the creation step. Option C is wrong because Exploitation occurs when the delivered payload triggers a vulnerability to execute code; the PCAP file transfer only shows the delivery, not the execution or trigger.
An analyst notices periodic HTTP GET requests to a suspicious domain every 60 seconds. The payload size is small and consistent. This behavior is characteristic of which phase of the Cyber Kill Chain?
A.Actions on Objectives
B.Command and Control
C.Delivery
D.Installation
AnswerB
Correct. Regular beaconing is typical of C2.
Why this answer
Beaconing is a C2 communication technique in which the implant periodically contacts its controller with small, similar-sized requests to check for tasking; GET requests to a suspicious domain at a fixed interval are the textbook form.
While analyzing a PCAP, an analyst uses the Wireshark filter 'http.request' and finds a URI parameter containing '%27%20UNION%20SELECT%201,2,3%20--'. What type of attack is indicated?
A.Cross-site scripting (XSS)
B.SQL injection
C.Command injection
D.Directory traversal
AnswerB
UNION SELECT is a classic SQL injection technique.
Why this answer
The URL-encoded value decodes to ' UNION SELECT 1,2,3 -- : the quote closes the original string literal, UNION SELECT appends attacker-chosen columns (1,2,3 here probes the column count), and -- comments out the rest of the query. SQL injection most often appears in exactly such HTTP parameters.
A SOC analyst sees an alert for 'Possible SQL Injection' on a web server. Reviewing the PCAP, the analyst finds the parameter 'id=1 OR 1=1' in the HTTP request. However, the web server returns a normal page with no signs of compromise. What is the correct classification?
A.True negative
B.False negative
C.False positive
D.True positive
AnswerC
The alert triggered but no real attack took place, so it is a false positive.
Why this answer
The signature matched a pattern that resembles SQL injection, but the server was not vulnerable or sanitised the input, so no malicious activity resulted. By the exam's convention an alert without a real attack is a false positive. In practice, 'id=1 OR 1=1' is still an injection attempt, so note the source even though the alert is closed.
An intrusion detection system alerts on HTTP traffic containing the string 'UNION SELECT' in the URI parameter. This is most indicative of what type of attack?
A.SQL injection
B.Command injection
C.Cross-site scripting
D.Directory traversal
AnswerA
Correct. UNION SELECT is a classic SQL injection technique.
Why this answer
The alert detects the string 'UNION SELECT' in a URI parameter, which is a classic SQL injection payload used to combine results from multiple database queries. This indicates an attacker is attempting to manipulate SQL queries by injecting malicious SQL code through user input, a hallmark of SQL injection attacks.
Exam trap
Cisco often tests the distinction between injection types by using specific payload strings; the trap here is confusing SQL injection with command injection because both involve 'injection', but the 'UNION SELECT' syntax is unique to SQL and not used in command injection or other attacks.
How to eliminate wrong answers
Option B is wrong because command injection involves executing system commands (e.g., via shell metacharacters like ';' or '|') rather than SQL statements like 'UNION SELECT'. Option C is wrong because cross-site scripting (XSS) typically injects client-side scripts (e.g., JavaScript) into web pages, not SQL syntax in URI parameters. Option D is wrong because directory traversal exploits path traversal sequences (e.g., '../') to access restricted files, not SQL query manipulation.
An analyst reviews PCAP traffic and sees a series of HTTP POST requests from an internal host to an external IP at exactly 60-second intervals. The payload size is consistent. Which phase of the Cyber Kill Chain does this activity most likely represent?
A.Delivery
B.Command and Control
C.Actions on Objectives
D.Installation
AnswerB
Beaconing is a hallmark of C2.
Why this answer
The consistent 60-second intervals and uniform payload size of HTTP POST requests from an internal host to an external IP are classic indicators of beaconing activity. In the Cyber Kill Chain, this behavior aligns with the Command and Control (C2) phase, where an established foothold communicates with an external C2 server to receive instructions or exfiltrate data. The use of HTTP POST mimics normal web traffic to evade detection, a common technique in C2 channels.
Exam trap
Cisco often tests the distinction between beaconing (C2) and data exfiltration (Actions on Objectives), where candidates mistakenly associate any external HTTP POST with data theft rather than recognizing the periodic pattern as command-and-control signaling.
How to eliminate wrong answers
Option A is wrong because the Delivery phase involves the initial transmission of the exploit or payload to the target (e.g., via phishing email or malicious download), not periodic beaconing after compromise. Option C is wrong because Actions on Objectives refers to the final goal, such as data exfiltration or system destruction, which would show larger or irregular data transfers, not consistent small beacons. Option D is wrong because Installation is the phase where malware is placed on the system (e.g., writing to disk or registry), which occurs before C2 and does not involve periodic network traffic.
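The two beaconing questions above, and the exam trap about telling periodic C2 check-ins from bulk exfiltration, come down to measuring interval regularity, payload consistency and total volume per source/destination pair. The following is an added example written for this page, not part of any Cisco material; it assumes per-connection summaries (time, source, destination, bytes sent) such as Wireshark's Conversations view, Zeek conn.log or NetFlow would provide, and the sample records are constructed.

```python
"""Added example: separating C2 beaconing from bulk transfers in connection records.

Illustrative code written for this page, not part of any Cisco material. It
assumes per-connection summaries (time, source, destination, bytes sent) such
as Wireshark's Conversations view, Zeek conn.log or NetFlow would provide.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records, not from a real capture.
SAMPLE_CONNS = [
    # Ten HTTP POSTs of about 1 KB at exactly 60-second spacing: beacon.
    *[(f"2024-05-01T09:{m:02d}:00", "10.1.1.10", "203.0.113.5", 1024 + (m % 3) * 8)
      for m in range(10)],
    # Irregular browsing to one web host.
    ("2024-05-01T09:00:05", "10.1.1.11", "198.51.100.7", 3200),
    ("2024-05-01T09:00:41", "10.1.1.11", "198.51.100.7", 150),
    ("2024-05-01T09:03:12", "10.1.1.11", "198.51.100.7", 87000),
    ("2024-05-01T09:09:59", "10.1.1.11", "198.51.100.7", 410),
    # A single 500 MB upload at 02:13 from a server: exfiltration candidate.
    ("2024-05-01T02:13:00", "10.1.1.50", "203.0.113.99", 500 * 1024 * 1024),
]


def _cv(values):
    """Coefficient of variation: 0 means perfectly regular, 1 means very noisy."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def classify_flows(records, min_conns=5, max_interval_cv=0.15,
                   max_size_cv=0.25, max_beacon_bytes=10 * 1024,
                   bulk_bytes=100 * 1024 * 1024):
    """Return {(src, dst): label} with label in {"beacon", "bulk_transfer", "normal"}.

    A beacon is many connections at near-constant spacing carrying small,
    near-constant payloads. A bulk transfer is judged on total volume, which is
    the exam-trap distinction: exfiltration is large and irregular, beaconing is
    small and periodic.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in records:
        flows[(src, dst)].append((datetime.fromisoformat(ts), nbytes))

    labels = {}
    for key, conns in flows.items():
        conns.sort()
        sizes = [b for _, b in conns]
        if sum(sizes) >= bulk_bytes:
            labels[key] = "bulk_transfer"
            continue
        if len(conns) >= min_conns:
            gaps = [(t2 - t1).total_seconds() for (t1, _), (t2, _) in zip(conns, conns[1:])]
            if (_cv(gaps) <= max_interval_cv and _cv(sizes) <= max_size_cv
                    and mean(sizes) <= max_beacon_bytes):
                labels[key] = "beacon"
                continue
        labels[key] = "normal"
    return labels


if __name__ == "__main__":
    for (src, dst), label in classify_flows(SAMPLE_CONNS).items():
        print(f"{src} -> {dst}: {label}")
```

Real implants usually add jitter to the sleep interval, which is why the interval test is a tolerance on the coefficient of variation rather than an exact 60-second match; raise max_interval_cv if you expect 20 to 30 percent jitter.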
An analyst is reviewing a PCAP and sees multiple HTTP requests with the parameter 'id=1 UNION SELECT username,password FROM users'. What type of attack is being attempted?
A.SQL injection
B.Directory traversal
C.Cross-site scripting (XSS)
D.Command injection
AnswerA
Correct. UNION SELECT is classic SQL injection payload.
Why this answer
The SQL keywords UNION and SELECT in a parameter indicate a SQL injection attempt to extract data from the database.
During incident response, an analyst extracts files from a PCAP using Wireshark's Export Objects feature. One extracted file is a PDF that triggers an IDS alert for 'Exploit:PDF/HeapSpray'. Which technique does this alert describe?
A.Return-oriented programming (ROP)
B.Shellcode injection
C.Heap spray
D.Stack buffer overflow
AnswerC
Heap spray fills the heap with copies of shellcode so that a hijacked pointer lands on it.
Why this answer
Heap spray is an exploitation technique in which the attacker allocates many copies of a NOP sled followed by shellcode across the heap, so that when a memory-corruption bug redirects execution to an attacker-influenced address it is likely to land in the sprayed region. PDF and browser exploits commonly do this with embedded JavaScript before triggering the vulnerability.
A security analyst observes periodic outbound HTTPS connections to an unusual domain that resolves to different IP addresses each time. This behavior is most indicative of:
A security analyst is investigating a potential exploit. The PCAP shows a HTTP POST request containing a long string of characters that, when decoded, reveals a series of return-oriented programming (ROP) gadgets. What is the likely purpose of this payload?
A.Lateral movement
B.Privilege escalation
C.Exploitation
D.Persistence
AnswerC
ROP is a code-reuse exploitation technique.
Why this answer
ROP chains short instruction sequences ending in a return (gadgets) that already exist in executable memory, so the attacker reaches arbitrary code execution without injecting code and bypasses non-executable memory protections such as DEP/NX. Sending such a chain in the HTTP POST is the Exploitation step; lateral movement, privilege escalation and persistence describe what the attacker does after execution is gained.
An analyst detects an attack where the attacker uses NTLM authentication with a hashed password instead of the plaintext password. This technique is known as:
A.Password spraying
B.Brute force
C.Kerberos ticket reuse
D.Pass-the-hash
AnswerD
Correct. Pass-the-hash uses the NTLM hash for authentication.
Why this answer
NTLM's challenge-response needs only the NT hash as the key, so an attacker who has dumped the hash (for example from LSASS memory) can authenticate as that user without ever cracking or knowing the plaintext password.
An analyst identifies an alert for 'ET TROJAN Win32/DarkComet RAT Beacon'. The analyst confirms the host is infected. Which TWO phases of the Cyber Kill Chain have been completed prior to this C2 beacon? (Choose two.)
Select 2 answers
A.Installation
B.Weaponisation
C.Reconnaissance
D.Exploitation
E.Delivery
AnswersD, E
Exploitation allowed the malware to run; Delivery got it onto the host.
Why this answer
For a C2 beacon to exist the malware must already have been delivered to the host and a vulnerability (or the user) exploited so that it could run. Strictly, every earlier phase, Reconnaissance, Weaponisation and Installation included, precedes C2 in the model; the key selects Delivery and Exploitation as the two phases most directly evidenced by the confirmed infection, so read the question as asking which listed phases the infection proves rather than which phases come before C2.
In a PCAP, an analyst sees a large outbound data transfer over FTP to an external IP address during non-business hours. The source host is a database server. Which phase of the Cyber Kill Chain does this represent?
A.Installation
B.Actions on Objectives
C.Weaponization
D.Exploitation
AnswerB
Exfiltration is an action on objectives.
Why this answer
The Cyber Kill Chain's 'Actions on Objectives' phase is where the attacker achieves their ultimate goal, such as exfiltrating data. In this scenario, a large outbound FTP transfer from a database server to an external IP during non-business hours directly indicates data theft, which is the final objective of the intrusion. FTP (port 21/20) is used here as the exfiltration protocol, moving sensitive data out of the network.
Exam trap
Cisco often tests the distinction between 'Actions on Objectives' and 'Exploitation' by presenting a post-compromise activity (like data exfiltration) and expecting candidates to recognize it as the final phase, not the initial breach.
How to eliminate wrong answers
Option A is wrong because 'Installation' refers to deploying malware or a backdoor on the target system, not to the actual data exfiltration seen here. Option C is wrong because 'Weaponization' is the phase where the attacker creates a deliverable payload (e.g., coupling an exploit with a dropper), which occurs before delivery and exploitation. Option D is wrong because 'Exploitation' is the phase where a vulnerability is triggered to gain initial access, not the post-compromise data theft activity.
In the Cyber Kill Chain, which TWO phases occur after the attacker establishes command and control (C2)?
Select 2 answers
A.Exploitation
B.Lateral movement
C.Weaponisation
D.Installation
E.Actions on objectives
AnswersB, E
Lateral movement and actions on objectives both follow the establishment of C2.
Why this answer
Once command and control is established, the attacker uses that channel to move laterally to other systems and then carries out the actions on objectives, such as data exfiltration or system disruption. Exploitation (A), Weaponisation (C) and Installation (D) all precede C2. Note that Lockheed Martin's seven-phase Cyber Kill Chain has no separate 'lateral movement' phase; it is an activity that falls under Actions on Objectives, which is why it is correct here as a post-C2 step.
Exam trap
Cisco often tests the order of the Cyber Kill Chain phases, and the trap here is confusing 'installation' (which occurs before C2) with 'lateral movement' (which occurs after C2), leading candidates to incorrectly select installation as a post-C2 phase.
A network analyst finds a PCAP with a series of DNS queries for subdomains like "data12345.example.com" and "data67890.example.com" where the subdomain names appear to contain encoded base64 data. This pattern suggests:
An analyst receives an alert for 'ET WEB_SERVER Possible SQL Injection Attempt' triggered by a URL parameter containing ' OR 1=1--'. After investigating, the analyst confirms that the web application is not vulnerable to SQL injection and the request was a benign test. How should this alert be classified?
A.False positive
B.True negative
C.False negative
D.True positive
AnswerA
The alert triggered but no attack occurred, so it is a false positive.
Why this answer
The signature fired on ' OR 1=1--, which looks like SQL injection, but the application was confirmed not vulnerable and the request was a benign test, so an alert was raised with no real malicious activity behind it: a false positive. A true negative (B) would mean no alert and no attack; a false negative (C) means an attack that produced no alert.
An analyst is investigating a PCAP file and wants to reconstruct a conversation between two hosts. Which Wireshark filter would be most appropriate to follow the entire TCP stream?
In a PCAP, an analyst sees an interactive shell session over TCP with irregular command prompts and responses. Which tool was likely used to generate this traffic?
A.File transfer tool
B.Port scanner
C.Reverse shell payload
D.SQL injection tool
AnswerC
Interactive shell over TCP is characteristic of a reverse shell.
Why this answer
Reverse shells create interactive shell sessions over a TCP connection, often used by attackers to control compromised hosts.
During a PCAP analysis, a security analyst notices an HTTP request with the URI parameter 'id=1 UNION SELECT username,password FROM users--'. What is the most likely attack being attempted?
A.Command injection
B.Cross-site scripting (XSS)
C.Directory traversal
D.SQL injection
AnswerD
UNION SELECT is a classic SQL injection technique to combine query results.
Why this answer
The presence of UNION and SELECT keywords in a URL parameter indicates a SQL injection attempt, where the attacker tries to extract data from a database.
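The SQL-injection questions on this page (the encoded ' UNION SELECT 1,2,3 -- parameter, the id=1 OR 1=1 alert, the UNION SELECT username,password payloads) and the elimination reasoning that separates SQL injection from command injection, XSS and directory traversal all reduce to the same analyst step: decode the parameter, then match it against a few family-specific signatures. The following is an added example written for this page, not a Cisco or IDS vendor component; its signature set is deliberately small (a production rule set such as the ET WEB_SERVER rules the alerts refer to is far larger), and the sample values are constructed.

```python
"""Added example: decode a URI parameter and classify the injection family.

Illustrative code written for this page, not a Cisco or IDS vendor component.
The signatures are deliberately small; a production rule set is far larger.
"""
import re
from urllib.parse import unquote_plus

# Family -> regular expressions matched against the decoded, lower-cased value.
SIGNATURES = {
    "sqli": [
        r"\bunion\b\s+(?:all\s+)?select\b",                 # UNION SELECT column probing
        r"\b(?:or|and)\s+(['\"]?)(\w+)\1\s*=\s*\1\2\b",     # tautology: OR 1=1, OR 'a'='a'
        r"\bsleep\s*\(|\bwaitfor\s+delay\b",                # time-based blind injection
    ],
    "xss": [
        r"<\s*script\b",
        r"\bon(?:load|error|click|mouseover|focus)\s*=",
        r"javascript\s*:",
    ],
    "cmdi": [
        r"[;|&`]\s*(?:cat|id|whoami|ls|nc|bash|sh|ping|curl|wget)\b",
        r"\$\([^)]*\)",                                     # $(...) command substitution
    ],
    "traversal": [
        r"(?:\.\./|\.\.\\)",                                 # ../ or ..\ after decoding
    ],
}


def decode_param(value, max_rounds=3):
    """URL-decode repeatedly (attackers double-encode) until the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(raw_value):
    """Return the list of injection families whose signatures match `raw_value`.

    The families correspond to the answer options in the SQL-injection
    questions above; an empty list means none of the signatures fired.
    """
    text = decode_param(raw_value).lower()
    return [family for family, patterns in SIGNATURES.items()
            if any(re.search(p, text) for p in patterns)]


if __name__ == "__main__":
    # Constructed parameter values, including the ones quoted in the questions.
    for sample in ["%27%20UNION%20SELECT%201,2,3%20--", "1 OR 1=1",
                   "1 UNION SELECT username,password FROM users--",
                   "%3Cscript%3Ealert(1)%3C/script%3E",
                   "..%2f..%2f..%2fetc%2fpasswd",
                   "8.8.8.8%3B%20cat%20%2Fetc%2Fpasswd", "42"]:
        print(repr(sample), "->", decode_param(sample), "->", classify_param(sample) or "clean")
```

A match is a detection, not a compromise: whether the alert ends up a true or false positive still depends on checking the server's response and the application's behaviour, as the triage questions above illustrate.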
An analyst observes repeated TCP SYN packets to various ports on a target IP with no SYN-ACK responses. What type of scan is most likely being performed?
During an intrusion analysis, an analyst identifies that an attacker used a domain generation algorithm (DGA) to resolve C2 domains. Which of the following traffic patterns is most consistent with DGA?
A.Multiple DNS queries to algorithmically generated domains that result in NXDOMAIN responses
An analyst observes a large outbound FTP transfer to an external IP address from a server that normally does not generate such traffic. This is most likely an indicator of:
A.Persistence
B.Lateral movement
C.C2 communication
D.Exfiltration
AnswerD
Correct. Large outbound transfers are a key exfiltration indicator.
Why this answer
Data exfiltration often involves large transfers to external destinations not typical for the host.
An analyst filters PCAP with 'tcp.stream eq 0' and sees an interactive shell session with commands like 'whoami', 'ls -la', 'cd /etc'. The session originated from an HTTP POST to a web shell. Which type of attack is this?
An analyst analyzing a PCAP sees a series of TCP connections where the client sends data with interactive patterns and receives commands. This is most likely indicative of:
An intrusion detection system alerts on traffic that appears to be a command and control (C2) beacon. Which of the following characteristics is most typical of beaconing traffic?
An analyst is monitoring network traffic and observes a host making outbound HTTPS connections to a domain that appears to be generated by a Domain Generation Algorithm (DGA). Which phase of the Cyber Kill Chain best describes this activity?
A.Installation
B.Command and Control (C2)
C.Actions on Objectives
D.Exploitation
AnswerB
Correct. DGA domains are used to locate C2 servers.
Why this answer
After installation, the implant has to find its controller. A DGA generates many candidate domains per day; the host resolves them in turn (most return NXDOMAIN) and connects to the one the operator actually registered. The outbound HTTPS connections to such a domain are therefore the Command and Control phase.
An analyst examines a PCAP and finds a series of UDP packets sent to multiple ports on a target. The target responds with ICMP 'Destination Unreachable (Port Unreachable)' messages for each port. What type of scan is being performed?
A UDP scan sends a UDP datagram to each target port. A closed port answers with ICMP type 3 code 3 (Destination Unreachable, Port Unreachable); a port that answers with a UDP payload is open; silence is reported as open|filtered because a firewall drop and an unresponsive service look the same. Hosts also rate-limit ICMP errors, which is why UDP scans are slow.
An analyst captures traffic and sees a TCP connection with only a SYN packet and an RST response. No SYN-ACK is observed. Which scan technique is this?
A SYN (half-open) scan sends a bare SYN; an RST in reply marks the port as closed.
Why this answer
A SYN scan sends a SYN and waits: SYN-ACK means open, RST (usually RST/ACK) means closed, and no answer means filtered. On an open port the scanner replies to the SYN-ACK with an RST instead of an ACK, which is what makes the scan half-open; a closed port (SYN followed by RST) looks the same for a half-open and a full connect scan, so the technique is clearest on open ports.
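The scan questions on this page (the ET SCAN NMAP -sU alert, the SYN scan mapped to Reconnaissance, the UDP probes answered by ICMP Port Unreachable, and the SYN followed by RST) all rely on the same per-port state logic, which is easy to get wrong in the other direction (silence on TCP means filtered, silence on UDP means open|filtered). The following is an added example written for this page, not a Cisco or Nmap component; it assumes packets have been reduced to small records (as tshark fields or scapy would give), models the port quoted inside an ICMP error as orig_dport, and uses a constructed packet list.

```python
"""Added example: reconstructing port states and scan technique from packet records.

Illustrative code written for this page, not a Cisco or Nmap component. It
assumes packets have been reduced to small records (for example with tshark
fields or scapy); for ICMP errors the port is taken from the quoted original
datagram, modelled here as `orig_dport`.
"""

# Constructed packets, in capture order. Scanner 192.0.2.10 runs a SYN scan
# against 10.1.1.20 and a UDP scan against 10.1.1.30. Not from a real capture.
SAMPLE_PACKETS = [
    # tcp/22: SYN, SYN-ACK from target, RST from scanner (half-open, port open)
    dict(src="192.0.2.10", dst="10.1.1.20", proto="tcp", sport=40001, dport=22, flags="S"),
    dict(src="10.1.1.20", dst="192.0.2.10", proto="tcp", sport=22, dport=40001, flags="SA"),
    dict(src="192.0.2.10", dst="10.1.1.20", proto="tcp", sport=40001, dport=22, flags="R"),
    # tcp/23: SYN, RST-ACK from target (closed)
    dict(src="192.0.2.10", dst="10.1.1.20", proto="tcp", sport=40002, dport=23, flags="S"),
    dict(src="10.1.1.20", dst="192.0.2.10", proto="tcp", sport=23, dport=40002, flags="RA"),
    # tcp/25: SYN, silence (filtered)
    dict(src="192.0.2.10", dst="10.1.1.20", proto="tcp", sport=40003, dport=25, flags="S"),
    # udp/161: probe, ICMP type 3 code 3 (closed)
    dict(src="192.0.2.10", dst="10.1.1.30", proto="udp", sport=50001, dport=161),
    dict(src="10.1.1.30", dst="192.0.2.10", proto="icmp", icmp=(3, 3), orig_dport=161),
    # udp/53: probe, silence (open|filtered)
    dict(src="192.0.2.10", dst="10.1.1.30", proto="udp", sport=50002, dport=53),
    # udp/123: probe, UDP reply (open)
    dict(src="192.0.2.10", dst="10.1.1.30", proto="udp", sport=50003, dport=123),
    dict(src="10.1.1.30", dst="192.0.2.10", proto="udp", sport=123, dport=50003),
]


def classify_scan(packets):
    """Return (states, technique).

    states:    {(scanner, target, proto, port): "open" | "closed" | "filtered" | "open|filtered"}
    technique: {(scanner, target): description of the scan type}
    """
    states, technique = {}, {}
    for p in packets:
        src, dst, proto = p["src"], p["dst"], p["proto"]
        if proto == "tcp":
            flags = set(p["flags"])
            probe_key = (src, dst, "tcp", p["dport"])   # this packet as a probe
            reply_key = (dst, src, "tcp", p["sport"])   # this packet as a reply
            if flags == {"S"}:
                # bare SYN: record the probe; silence will leave it "filtered"
                states[probe_key] = "filtered"
                technique.setdefault((src, dst), "TCP scan (no open port seen yet)")
            elif reply_key in states and {"S", "A"} <= flags:
                states[reply_key] = "open"              # SYN-ACK: open port
            elif reply_key in states and "R" in flags:
                if states[reply_key] != "open":
                    states[reply_key] = "closed"        # RST to a SYN: closed port
            elif states.get(probe_key) == "open":
                # the scanner's third packet: RST = half-open (SYN) scan,
                # ACK = full three-way handshake (connect scan)
                technique[(src, dst)] = ("SYN (half-open) scan" if "R" in flags
                                         else "TCP connect scan")
        elif proto == "udp":
            reply_key = (dst, src, "udp", p["sport"])
            if reply_key in states:
                states[reply_key] = "open"              # application answered
            else:
                states[(src, dst, "udp", p["dport"])] = "open|filtered"
                technique.setdefault((src, dst), "UDP scan")
        elif proto == "icmp" and p.get("icmp") == (3, 3):
            # Destination Unreachable / Port Unreachable for the quoted datagram
            key = (dst, src, "udp", p["orig_dport"])
            if key in states:
                states[key] = "closed"
    return states, technique


if __name__ == "__main__":
    states, technique = classify_scan(SAMPLE_PACKETS)
    for key, state in sorted(states.items()):
        print(key, state)
    print(technique)
```

The technique label for TCP is only resolved once an open port is seen, because a closed port produces the same SYN/RST pair for a half-open and a connect scan; a scanner that hits only closed ports cannot be told apart from this evidence alone.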
An analyst detects a large outbound FTP transfer from a sensitive server to an external IP address not previously seen. The file being transferred is a compressed archive containing database dumps. Which Cyber Kill Chain phase is most directly indicated?
A.Installation
B.C2
C.Exploitation
D.Actions on Objectives
AnswerD
Exfiltration of data is a key objective in many attacks.
Why this answer
Exfiltration of sensitive data is part of 'Actions on Objectives', where the attacker achieves their goal of stealing data.
An analyst is investigating a host that is making outbound HTTPS connections to multiple random-looking domains, each with a short TTL. The domains are not in any threat intelligence feeds. Which technique is most likely being used?
A high volume of DNS queries to one domain can indicate data exfiltration via DNS tunneling.
Why this answer
DNS tunneling shows up as a high volume of queries to a single domain, long encoded subdomain labels that carry the outbound data, and oversized TXT or NULL answers that carry the inbound channel. This is distinct from the pattern in the question above, where many random-looking domains with short TTLs resolve to changing addresses: that spread across domains points to DGA-based C2 infrastructure, whereas tunneling concentrates its queries on one domain.
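The DNS questions on this page (encoded subdomains as an exfiltration channel, base64-looking labels under one domain, DGA lookups that mostly return NXDOMAIN, and the random-looking domains above) separate on two axes: how many registered domains a client touches, and how long and random the leftmost labels are. The following is an added example written for this page, not from any Cisco material; it assumes query records (client, name, response code) as Wireshark's dns dissector or a Zeek dns.log would provide, uses a naive "last two labels" rule for the registered domain instead of a public-suffix list, and builds its sample queries, including the base64 tunnel labels, from constructed data.

```python
"""Added example: telling DGA lookups from DNS tunneling in a query log.

Illustrative code written for this page, not from any Cisco material. It
assumes query records (client, name, response code) as Wireshark's dns
dissector or a Zeek dns.log would provide, and uses a naive "last two labels"
rule for the registered domain instead of a public-suffix list.
"""
import base64
import math
from collections import defaultdict

# Constructed sample data, not from a real capture.
DGA_NAMES = ["xk3jq9zvw1.com", "qp7zmn4yrt.net", "lw2fk8hsxc.org",
             "bv9tqe5mjz.com", "hn4rcx7pwq.net", "ze6dlsy3ta.org"]
# Base64 chunks of a constructed payload, one per query, as a tunnel would emit.
TUNNEL_LABELS = [base64.urlsafe_b64encode(b"customer_db_dump_part_" + bytes([i]) * 10)
                 .decode().rstrip("=") for i in range(6)]

SAMPLE_QUERIES = (
    [("10.1.1.10", name, "NXDOMAIN") for name in DGA_NAMES[:-1]]
    + [("10.1.1.10", DGA_NAMES[-1], "NOERROR")]        # the one name that resolved
    + [("10.1.1.20", f"{lbl}.tunnel.example", "NOERROR") for lbl in TUNNEL_LABELS]
    + [("10.1.1.30", "www.example.com", "NOERROR"),
       ("10.1.1.30", "mail.example.com", "NOERROR"),
       ("10.1.1.30", "cdn.example.net", "NOERROR"),
       ("10.1.1.30", "example.com", "NOERROR")]
)


def shannon_entropy(s):
    """Bits per character; random 10-char labels score about 3.3, words about 2.5."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def split_name(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]     # (registered domain, subdomain labels)


def analyze_dns(records, min_domains=5, min_nx_ratio=0.5, min_sld_entropy=3.0,
                min_subs=5, min_label_len=20):
    """Return {client: "dga" | "dns_tunneling:<domain>" | "normal"}."""
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        per_client[client].append((qname, rcode))

    verdicts = {}
    for client, queries in per_client.items():
        by_domain = defaultdict(list)
        for qname, rcode in queries:
            reg, sub = split_name(qname)
            by_domain[reg].append(sub)
        # DGA: many distinct random-looking registered domains, mostly NXDOMAIN,
        # because only the few names the operator registered actually resolve.
        random_domains = [d for d in by_domain
                          if shannon_entropy(d.split(".")[0]) >= min_sld_entropy]
        nx_ratio = sum(r == "NXDOMAIN" for _, r in queries) / len(queries)
        if len(random_domains) >= min_domains and nx_ratio >= min_nx_ratio:
            verdicts[client] = "dga"
            continue
        # Tunneling: one domain that resolves, many distinct long encoded
        # leftmost labels carrying the outbound data.
        tunnel = None
        for domain, subs in by_domain.items():
            leftmost = {sub[0] for sub in subs if sub}
            if (len(leftmost) >= min_subs
                    and sum(map(len, leftmost)) / len(leftmost) >= min_label_len):
                tunnel = domain
        verdicts[client] = f"dns_tunneling:{tunnel}" if tunnel else "normal"
    return verdicts


if __name__ == "__main__":
    for client, verdict in analyze_dns(SAMPLE_QUERIES).items():
        print(client, verdict)
```

CDNs and some cloud services also use long machine-generated labels, so in production the tunneling branch should additionally look at answer sizes (TXT or NULL records) and at query rate before raising an alert.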