CCNA Cbrops Intrusion Analysis Questions

24 of 99 questions · Page 2/2 · Cbrops Intrusion Analysis topic · Answers revealed

76 · MCQ · hard

A threat hunter identifies a binary that uses a Domain Generation Algorithm (DGA) to create domain names like 'eksdghf23.com', 'mzncxv89.net' each day. The malware contacts these domains over HTTPS. Which phase of the Cyber Kill Chain is most directly associated with this technique?

A. Installation
B. Exploitation
C. Command and Control
D. Actions on Objectives
Answer: C

DGA is a C2 technique for evading domain blocklists.

Why this answer

The implant generates a fresh list of candidate domains every day and the operator registers only a few of them ahead of time, so blocklists and domain takedowns lag behind the malware. Keeping that callback channel alive is the purpose of the Command and Control phase, which is why DGA belongs there rather than in Installation or Actions on Objectives.

77 · MCQ · hard

An analyst is investigating lateral movement and observes SMB authentication attempts from host A to multiple other hosts using NTLM authentication with a hash value instead of a password. Which attack technique is most likely being used?

A. Pass-the-hash attack
B. Brute force attack
C. Kerberos golden ticket attack
D. SMB relay attack
Answer: A

Authenticating to many hosts with a stolen NTLM hash rather than a password is pass-the-hash.

Why this answer

Pass-the-hash replays a captured NTLM hash to authenticate without ever knowing the plaintext password. An SMB relay (D) is different: it forwards a victim's live authentication to a third host instead of reusing a stored hash, and a golden ticket (C) is a forged Kerberos TGT, not NTLM at all. One caveat for real investigations: NTLM never sends the password over the wire in any case, the challenge-response is always computed from the hash, so a packet capture alone cannot tell pass-the-hash from a normal NTLM logon. The indicators are the pattern around it: one source host authenticating to many targets in a short window, often as a privileged account, and often with NTLM where Kerberos would be expected.

78 · Multi-Select · medium

An analyst is reviewing alerts from an IDS and needs to classify them. Which THREE of the following are valid alert classification types?

Select 3 answers
A. False negative
B. True positive
C. True negative
D. False positive
E. Indeterminate
Answers: B, C, D

A true positive is a correct alert for a real attack.

Why this answer

The four standard outcomes are true positive (alert fired, real attack), false positive (alert fired, no attack), true negative (no alert, no attack) and false negative (attack occurred, no alert). 'Indeterminate' (E) is not one of them. Strictly, false negative (A) is also a standard classification, so only E is clearly wrong; the published key selects B, C, D. In practice the false negative is the outcome a SOC most needs to measure, because it is the attack nobody saw.

79 · Multi-Select · easy

Which TWO of the following are typical indicators of a C2 beaconing communication?

Select 2 answers
A. Regular intervals of communication at consistent times
B. Large outbound data transfers to an external IP
C. Multiple failed login attempts from a single source
D. ICMP echo requests to multiple hosts
E. DNS queries for domains that are rarely visited
Answers: A, E

Beaconing uses fixed (or lightly jittered) intervals to check in with the C2 server.

Why this answer

A beacon is a small, periodic check-in: the implant calls out on a timer to ask for tasking, so the tell is the regularity of the connections and the unusual destination (a domain nobody else on the network resolves), not the volume. Large outbound transfers (B) point to exfiltration, failed logins (C) to brute force or password spraying, and ICMP sweeps (D) to host discovery. Operators add random jitter to the interval to blunt this exact detection, so look for a tight distribution of gaps rather than an exact period.

80 · MCQ · easy

In the Cyber Kill Chain, which phase involves sending a malicious attachment to a targeted user?

A. Exploitation
B. Delivery
C. Weaponization
D. Reconnaissance
Answer: B

Delivery is the phase where the weaponized payload is transmitted to the target.

Why this answer

Weaponization (C) is building the payload, for example coupling an exploit with a backdoor inside a document; Delivery (B) is transmitting it, via an e-mail attachment, a link or a USB drive; Exploitation (A) is the moment the attachment is opened and the exploit runs.

81 · MCQ · easy

During the Cyber Kill Chain, which phase involves sending a malicious attachment to a target user via email?

A. Exploitation
B. Weaponization
C. Delivery
D. Reconnaissance
Answer: C

Delivery is the phase in which the weaponized payload is sent to the victim.

Why this answer

Delivery is the transmission of the weaponized payload to the target, e-mail attachments being the classic vector. It is also the first phase that usually leaves defender-visible artefacts: the sender address, the mail relay headers and the attachment hash.

82 · MCQ · medium

An analyst detects multiple SMB authentication attempts from a single internal host to several other internal hosts using NTLM hashes instead of plaintext passwords. Which technique is most likely being used?

A. Brute force
B. Kerberoasting
C. Golden ticket attack
D. Pass-the-hash
Answer: D

Pass-the-hash authenticates with an NTLM hash instead of the password.

Why this answer

Pass-the-hash reuses a captured NTLM hash to authenticate to other systems without the plaintext password; one host fanning out to several others is the lateral-movement signature. Kerberoasting (B) requests service tickets to crack offline and a golden ticket (C) forges a Kerberos TGT with the krbtgt hash; both are Kerberos techniques, whereas the scenario is NTLM over SMB. Brute force (A) would show repeated failures against the same account rather than successful hash reuse.

83 · MCQ · medium

During an intrusion analysis, a SOC analyst reviews logs showing an outbound connection from an internal host to an external IP every 60 seconds, starting at 03:00 AM. The traffic is HTTPS to a suspicious domain with a high-entropy name. Which phase of the Cyber Kill Chain does this activity represent?

A. Actions on Objectives
B. Delivery
C. Command and Control (C2)
D. Weaponization
Answer: C

Periodic callbacks to an external domain are typical C2 behaviour.

Why this answer

A fixed 60-second cadence to a single external destination is beaconing, and a high-entropy (random-looking) domain name is what a DGA produces; together they describe an implant polling its controller for tasking, which is the Command and Control phase. HTTPS hides the content, so the timing and the destination are what the analyst has to work with.
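The two signals behind questions 76, 79 and 83, a near-constant callback period and a random-looking domain label, can both be scored from an ordinary connection log. The following is an added example written for this page, not code from the page or from Cisco; the log records, hosts and domains are constructed, and the thresholds (coefficient of variation at most 0.1, at least four events) are assumptions to tune against your own baseline.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection-log records: (timestamp, source host, destination domain).
# 10.0.0.5 checks in every 60 s with about 1 s of jitter; 10.0.0.9 browses irregularly.
SAMPLE_LOG = [
    ("2024-03-01 03:00:00", "10.0.0.5", "eksdghf23.com"),
    ("2024-03-01 03:01:01", "10.0.0.5", "eksdghf23.com"),
    ("2024-03-01 03:02:00", "10.0.0.5", "eksdghf23.com"),
    ("2024-03-01 03:03:01", "10.0.0.5", "eksdghf23.com"),
    ("2024-03-01 03:04:00", "10.0.0.5", "eksdghf23.com"),
    ("2024-03-01 03:00:07", "10.0.0.9", "www.example.com"),
    ("2024-03-01 03:00:09", "10.0.0.9", "cdn.example.com"),
    ("2024-03-01 03:12:44", "10.0.0.9", "mail.example.com"),
    ("2024-03-01 03:40:02", "10.0.0.9", "www.example.com"),
    ("2024-03-01 04:02:19", "10.0.0.9", "www.example.com"),
    ("2024-03-01 04:03:00", "10.0.0.9", "www.example.com"),
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; DGA labels score near log2(alphabet)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Crude second-level label: 'eksdghf23.com' -> 'eksdghf23' (assumes a one-label TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def beacon_score(timestamps):
    """(mean gap in seconds, coefficient of variation of the gaps), or None with fewer than 3 events.
    A low coefficient of variation means the gaps are nearly identical: a timer, not a human."""
    if len(timestamps) < 3:
        return None
    ts = sorted(datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(log, max_cv=0.1, min_events=4):
    """Group connections by (source, destination) and flag pairs with near-constant gaps,
    reporting the period and how random the destination's label looks."""
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        mean, cv = beacon_score(times)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "period_s": round(mean), "cv": round(cv, 3),
                         "label_entropy": round(shannon_entropy(registrable_label(dst)), 2)})
    return hits
```

Entropy on its own is a weak signal (short dictionary words score low, long legitimate hostnames score high), so treat it as a tiebreaker beside the timing score, the number of other hosts resolving the same domain and the NXDOMAIN rate for the source host.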

84 · Multi-Select · medium

An analyst reviews a PCAP and sees HTTP requests containing script tags and event handlers such as 'onload' and 'onerror'. Additionally, the URI contains 'alert(1)'. Which TWO types of attacks are indicated? (Select 2)

Select 2 answers
A. Command injection
B. Reflected XSS
C. DOM-based XSS
D. Stored XSS
E. SQL injection
Answers: B, C

Script tags and event handlers in a request URI indicate client-side script injection, reflected or DOM-based.

Why this answer

Script tags, event handlers such as 'onload' and 'onerror', and the probe string 'alert(1)' in the URI mean the attacker is trying to get the browser to execute attacker-supplied JavaScript. If the server echoes the parameter into the response body and the browser runs it immediately, that is reflected XSS (B). If instead client-side JavaScript on the page reads the URI (location.search or location.hash) and writes it into the DOM, the same payload is DOM-based XSS (C); in that case the payload may never appear in the server's response body, and a payload carried in the fragment is not even sent to the server. Stored XSS (D) would show the payload arriving in an earlier request and then appearing in responses to other users' later requests. Command injection (A) and SQL injection (E) would carry shell metacharacters or SQL syntax, not HTML and JavaScript.

Exam trap

Cisco often tests the distinction between reflected and DOM-based XSS: a payload that appears in the URI but is not reflected in the server's response body is the DOM-based case, and candidates who equate 'payload in the URI' with 'reflected' pick only one type.
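Telling the two verdicts apart from a capture means decoding the request URI, looking for the markers named in the question, and then checking whether the server echoed the parameter value back. The following is an added example for this page, not Cisco's material or code from the page; the request/response pairs are constructed and the marker list is a minimal assumption for triage, not a complete XSS detector.

```python
import re
from html import unescape
from urllib.parse import unquote_plus

# Markers named in the question plus the other usual suspects. Triage aid only:
# real payloads use many more tags, attributes and encodings than this.
XSS_PATTERNS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler", re.compile(r"\bon(?:load|error|mouseover|focus|click)\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("alert probe", re.compile(r"alert\s*\(", re.I)),
]


def decode_uri(uri: str) -> str:
    """Percent-decode twice (double encoding is a common filter bypass), then HTML-entity decode."""
    return unescape(unquote_plus(unquote_plus(uri)))


def query_values(decoded_uri: str):
    """Parameter values from the query string of an already decoded URI."""
    if "?" not in decoded_uri:
        return []
    query = decoded_uri.split("?", 1)[1]
    return [kv.split("=", 1)[1] for kv in query.split("&") if "=" in kv]


def classify_request(uri: str, response_body: str):
    """Return (indicators, verdict) for one request/response pair taken from a capture."""
    decoded = decode_uri(uri)
    indicators = [name for name, rx in XSS_PATTERNS if rx.search(decoded)]
    if not indicators:
        return indicators, "no XSS indicators"
    # Reflected XSS: the server echoes the tainted parameter verbatim into the response.
    if any(v for v in query_values(decoded) if v in response_body):
        return indicators, "reflected XSS: payload echoed in response body"
    # Payload in the URI but absent from the response: the sink, if any, is client-side JS
    # reading location.search or location.hash, i.e. DOM-based XSS. Inspect the page scripts.
    return indicators, "DOM-based XSS candidate: payload not in response body"


# Constructed request/response pairs; the second request is double-encoded.
SAMPLES = [
    ("/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
     "<h1>Results for <script>alert(1)</script></h1>"),
    ("/view?img=x%2520onerror%253Dalert(1)",
     "<script>var q=location.search;document.write(q.slice(1))</script>"),
    ("/index?page=home", "<html>home</html>"),
]


def classify_all(samples=SAMPLES):
    return [classify_request(uri, body) for uri, body in samples]
```

The second sample is the trap case from the question: the response body never contains the payload, but the page's own script writes location.search into the document, so the browser executes it anyway.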

85 · Multi-Select · hard

A SOC analyst is investigating a suspected data exfiltration. Which THREE indicators in network traffic are most consistent with exfiltration? (Choose three.)

Select 3 answers
A. Large outbound data transfers to an external IP at unusual hours
B. Images with unusual file sizes but normal resolution
C. DNS queries with base64-encoded subdomains
D. Consistent HTTPS traffic to a CDN
E. Increased inbound web traffic
Answers: A, B, C

Anomalous large outbound transfers are the classic exfiltration indicator.

Why this answer

Large outbound transfers to an external IP at unusual hours (A) are the classic indicator: attackers move stolen data off-peak to avoid notice, and the combination of volume, direction and timing deviates from the host's normal pattern. Image files whose size does not match their resolution (B) suggest steganography, data hidden inside an innocuous carrier. Base64-like data in DNS subdomains (C) is DNS tunnelling, which carries data out in queries that most perimeters allow unconditionally. Steady HTTPS to a CDN (D) is the normal shape of web browsing and is download-heavy, and increased inbound traffic (E) is the wrong direction for exfiltration.

Exam trap

Cisco often tests the distinction between normal and malicious traffic patterns. The trap is treating any encrypted or high-volume traffic (CDN, HTTPS) as suspicious; exfiltration indicators need a specific anomaly such as unusual timing, encoding, direction or a file-size discrepancy.

86 · Multi-Select · medium

An analyst is examining network alerts for lateral movement. Which TWO of the following are typical indicators of lateral movement using SMB?

Select 2 answers
A. A single SMB connection to a file server
B. Multiple SMB connection attempts from a single host to many different hosts
C. NTLM authentication using a hash instead of a password
D. DNS queries for internal hostnames
E. HTTP requests to a web server
Answers: B, C

One host fanning out to many SMB targets is the classic lateral movement pattern.

Why this answer

Lateral movement over SMB shows up as one host opening SMB sessions to many others, typically to the administrative shares ADMIN$ and C$ that tools such as PsExec use, and pass-the-hash shows up as NTLM authentication with a reused hash. A single connection to a file server (A), internal DNS lookups (D) and HTTP requests (E) are ordinary workstation behaviour.

87 · Multi-Select · hard

During an incident response, an analyst finds evidence of lateral movement. Which THREE of the following are common techniques used for lateral movement?

Select 3 answers
A. Remote Desktop Protocol (RDP) connections
B. SMB authentication attempts across multiple hosts
C. DNS tunneling
D. Pass-the-hash attacks
E. ICMP echo requests
Answers: A, B, D

RDP is a common lateral movement vector.

Why this answer

RDP sessions, SMB authentication across multiple hosts and pass-the-hash are all ways an attacker who controls one host reaches the next. DNS tunnelling (C) is a command-and-control or exfiltration channel and ICMP echo requests (E) are host discovery; both precede or follow lateral movement rather than perform it.

88 · MCQ · medium

An analyst reviews an alert that triggered on a network signature for 'shellcode' in a payload. The payload contains a NOP sled followed by executable code. Which type of exploitation technique does this indicate?

A. Return-oriented programming (ROP)
B. Heap spray
C. Buffer overflow with NOP sled
D. Format string attack
Answer: C

NOP sleds are typical of classic buffer overflow exploits.

Why this answer

A NOP sled is a run of no-operation instructions placed before the shellcode so that a return address landing anywhere in the run slides down into the payload; it compensates for the attacker's uncertainty about the exact stack address, which is the classic stack buffer overflow problem. On x86 the sled is a string of 0x90 bytes, and that byte run is what most IDS 'shellcode' signatures actually match, so attackers substitute other harmless single-byte instructions to evade exactly this signature. ROP (A) chains existing code fragments and carries no sled; a heap spray (B) fills the heap with many copies of a payload (often each with its own sled) so that a corrupted heap pointer lands somewhere useful; a format string attack (D) abuses printf-style specifiers.

89 · Multi-Select · hard

During PCAP analysis, a security analyst observes the following pattern: a series of TCP SYN packets to multiple ports on a target, followed by RST packets from the target for closed ports. Which TWO characteristics describe this scan?

Select 2 answers
A. It uses ICMP echo requests
B. It is a SYN scan
C. It is a UDP scan
D. It completes the TCP three-way handshake
E. It is a stealthy scan that may avoid logging
Answers: B, E

SYN probes are sent to each port; the reply type reveals the port state.

Why this answer

A SYN scan (nmap -sS) sends a SYN to each port and reads the answer: SYN/ACK means open, RST means closed, no answer means filtered. On an open port the scanner answers the SYN/ACK with a RST instead of an ACK, so the handshake never completes (D is wrong) and the listening application never sees a connection, which is why host and application logs do not record it. 'Stealthy' is relative: a firewall or network IDS sees every SYN, and dozens of SYNs from one source to many ports within a second are exactly what a port-scan signature matches.

90 · MCQ · medium

An analyst notices that a DNS query for a subdomain of 'attacker.com' contains a long label of Base64-encoded data. This activity is observed every 5 minutes. What exfiltration technique is most likely in use?

A. Steganography
B. DNS tunneling
C. HTTP POST exfiltration
D. FTP exfiltration
Answer: B

DNS tunnelling carries data in the query names themselves.

Why this answer

DNS tunnelling encodes the data in the left-most labels of queries for a domain the attacker controls. Resolvers forward each query to the attacker's authoritative nameserver, which simply decodes the labels; the data never has to leave through a blocked port because outbound DNS is almost always permitted. Two practical details help confirm it: each label is limited to 63 bytes and the whole name to 253, so a tunnel produces a stream of unique, near-maximum-length names that never repeat, and because '+', '/' and '=' are not legal hostname characters and DNS names are case-insensitive, real tools tend to use Base32 or hex rather than plain Base64.

91 · Multi-Select · medium

An analyst is triaging alerts and encounters a scenario where an IDS alerted on a network scan, but further investigation reveals the traffic was from a legitimate vulnerability scanner. Which TWO terms best describe this alert?

Select 2 answers
A. True negative
B. Benign trigger
C. False negative
D. False positive
E. True positive
Answers: B, D

The alert was triggered by legitimate, authorized activity.

Why this answer

The IDS alerted, but there is no attack to respond to, so the alert is a false positive (D) with a benign trigger (B): the scanner really did scan and the signature matched correctly, but the activity was authorized. Some taxonomies call this a benign true positive for that reason; the exam treats an alert on authorized activity as a false positive. The operational fix is the same either way: tune the rule for the scanner's source addresses and schedule rather than disabling the signature.

92 · MCQ · medium

A security analyst is reviewing PCAP data and sees a TCP stream with interactive shell commands such as 'whoami', 'ls -la', and 'cat /etc/passwd'. The session appears to be bidirectional with a remote IP. Which type of attack is most likely occurring?

A. Reverse shell
B. DNS tunnelling
C. SQL injection
D. Man-in-the-middle attack
Answer: A

Interactive shell commands in a raw TCP stream indicate a reverse shell.

Why this answer

A bidirectional TCP stream carrying 'whoami', 'ls -la' and 'cat /etc/passwd' in cleartext is a command shell bound to a network socket. It is a reverse shell when the victim initiated the outbound connection to the attacker, the common case because outbound connections pass most firewalls; check which side sent the SYN, since a bind shell would show the attacker connecting in. 'whoami' as the first command is typical post-exploitation behaviour: the attacker is checking which user the shell runs as.

93 · MCQ · medium

Which tool can be used to extract files from a PCAP file for further analysis?

A. Wireshark (Export Objects)
B. Snort
C. tcpdump
D. nmap
Answer: A

Wireshark's Export Objects feature reconstructs and saves files carried over protocols such as HTTP.

Why this answer

Wireshark's File > Export Objects reassembles the TCP streams in a capture, dissects the application protocol (HTTP, SMB, TFTP, IMF and others) and writes out the files that were transferred, so an analyst can hash a downloaded executable or inspect an exfiltrated document without replaying the traffic. The same operation is scriptable with tshark, for example 'tshark -r capture.pcap --export-objects http,outdir'.

Exam trap

Cisco often tests the distinction between packet capture tools (tcpdump) and protocol analysis tools (Wireshark). Candidates assume tcpdump can extract files because it reads PCAPs, but it only prints packet headers and raw payload bytes; it does no stream reassembly or application-layer reconstruction.

How to eliminate wrong answers

Option B (Snort) is wrong because Snort is an intrusion detection/prevention system that matches traffic against rules; it can read a PCAP (snort -r) and newer versions can log files seen in traffic, but it is not the tool an analyst uses to carve and reconstruct objects for offline analysis. Option C (tcpdump) is wrong because tcpdump captures and prints packets; it cannot extract application-layer objects because it does no protocol dissection or reassembly. Option D (nmap) is wrong because nmap is a network scanner for host discovery and port scanning and does not parse PCAP files at all.

94 · Multi-Select · medium

A security analyst is investigating a PCAP that shows multiple failed SMB authentication attempts from a single host to different IP addresses, followed by a successful authentication. Which TWO techniques are likely being used?

Select 2 answers
A. SQL injection
B. SMB brute force
C. ARP spoofing
D. DNS tunnelling
E. Pass-the-hash
Answers: B, E

Repeated failures followed by a success is the signature of credential guessing or credential replay.

Why this answer

SMB brute force (B) tries many passwords until one succeeds, which produces a run of failed authentications ending in a success. Pass-the-hash (E) replays one captured NTLM hash against many hosts: it fails on hosts where that account has no rights or where the hash is stale, and succeeds where the account has local or domain access, which gives the same failures-then-success shape spread across destinations. SQL injection (A), ARP spoofing (C) and DNS tunnelling (D) do not involve SMB authentication.
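Questions 77, 82, 86, 87 and 94 all rest on one observable: a single source authenticating with NTLM to many hosts in a short window, with or without failures along the way. Because NTLM never puts the password on the wire, the hash-versus-password distinction in the question text is not something a capture shows; what the analyst can count is the fan-out. The following is an added example for this page, not code from the page or from Cisco; the Windows Security events are constructed in the shape of event IDs 4624/4625 (logon success/failure, LogonType 3 = network, status 0xC000006D = STATUS_LOGON_FAILURE) and the threshold of three hosts is an assumption.

```python
from collections import defaultdict


def ev(event_id, time, computer, user, package, ip, status=None):
    """Minimal Windows Security event (constructed): 4624 = logon succeeded, 4625 = logon failed.
    Computer is the host that wrote the event, IpAddress the host the logon came from."""
    return {"EventID": event_id, "Time": time, "Computer": computer, "TargetUserName": user,
            "LogonType": 3, "AuthenticationPackageName": package, "IpAddress": ip, "Status": status}


# One source replays svc_backup's credential against five hosts: three refuse it
# (0xC000006D = STATUS_LOGON_FAILURE), two accept it. alice does a single Kerberos logon.
EVENTS = [
    ev(4625, "03:00:01", "FS01",  "svc_backup", "NTLM", "10.0.0.5", "0xC000006D"),
    ev(4625, "03:00:02", "WS07",  "svc_backup", "NTLM", "10.0.0.5", "0xC000006D"),
    ev(4625, "03:00:03", "WS12",  "svc_backup", "NTLM", "10.0.0.5", "0xC000006D"),
    ev(4624, "03:00:04", "SQL02", "svc_backup", "NTLM", "10.0.0.5"),
    ev(4624, "03:00:05", "FS02",  "svc_backup", "NTLM", "10.0.0.5"),
    ev(4624, "03:10:00", "FS01",  "alice",      "Kerberos", "10.0.0.22"),
]


def ntlm_network_logons(events):
    """Network logons (type 3) that used NTLM; Kerberos logons are left out of the fan-out count."""
    return [e for e in events if e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"]


def fan_out(events, min_targets=3):
    """Per (source IP, account): distinct target hosts plus failure/success counts.
    Returns only the pairs that touched at least min_targets hosts."""
    stats = defaultdict(lambda: {"targets": set(), "failed": 0, "succeeded": 0})
    for e in ntlm_network_logons(events):
        s = stats[(e["IpAddress"], e["TargetUserName"])]
        s["targets"].add(e["Computer"])
        if e["EventID"] == 4624:
            s["succeeded"] += 1
        elif e["EventID"] == 4625:
            s["failed"] += 1
    return {k: v for k, v in stats.items() if len(v["targets"]) >= min_targets}


def describe(hits):
    """One triage line per flagged pair, naming the pattern the counts suggest."""
    lines = []
    for (ip, user), s in sorted(hits.items()):
        if s["failed"] and s["succeeded"]:
            pattern = "failures then success across hosts: spraying or a replayed hash"
        elif s["succeeded"]:
            pattern = "clean successes on many hosts: pass-the-hash or legitimate admin tooling"
        else:
            pattern = "failures only: brute force or a stale credential"
        lines.append(f"{ip} as {user}: {len(s['targets'])} hosts, "
                     f"{s['failed']} failed, {s['succeeded']} succeeded -> {pattern}")
    return lines
```

Patch management and inventory tools produce the same fan-out from a few well-known servers, so baseline by source and account before alerting; NTLM from a workstation in a domain where Kerberos is the norm is the stronger signal than the count alone.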

95 · MCQ · medium

An analyst detects traffic from an internal host that periodically sends small DNS queries to a domain with high entropy subdomains (e.g., 'a3k9f2.example.com'). The domain is not on any blocklist, and the query intervals are consistent every 60 seconds. Which technique is most likely being used?

A. DNS tunnelling for C2 communication
B. DNS amplification attack
C. Normal DNS resolution for a dynamic DNS service
D. DNS cache poisoning attempt
Answer: A

Encoded data in subdomains queried at a fixed interval is DNS tunnelling used as a C2 channel.

Why this answer

Each query carries data in its subdomain and the answer record carries the reply, so a pair of DNS messages every 60 seconds is a beacon asking for tasking over a channel that almost every network permits. That the domain is not on a blocklist means little; C2 domains are frequently new or attacker-registered. A DNS amplification attack (B) sends spoofed queries to open resolvers so that large answers flood a victim, cache poisoning (D) targets a resolver with forged answers, and dynamic DNS clients (C) update one hostname rather than emitting a stream of unique high-entropy labels.
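The label-level tells described in questions 90 and 95 (long, encoded, never-repeating left-most labels under one domain) can be checked directly against a query log. This is an added example written for this page, not code from the page or from Cisco: the leaked chunks and hosts are constructed, the encoding (URL-safe Base64 with padding stripped) stands in for whatever a real tool uses, and the thresholds are assumptions.

```python
import base64
import re
from collections import defaultdict

B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def encode_label(chunk: bytes) -> str:
    """How a simple tunnel client would pack a data chunk into one DNS label: URL-safe Base64
    with the padding stripped, because '+', '/' and '=' are not legal hostname characters.
    A label may not exceed 63 bytes, so chunks must be small (47 bytes or less here)."""
    label = base64.urlsafe_b64encode(chunk).decode().rstrip("=")
    assert len(label) <= 63, "label too long for a DNS name"
    return label


def decode_label(label: str) -> bytes:
    """Reverse of encode_label: restore the '=' padding Base64 requires, then decode."""
    return base64.urlsafe_b64decode(label + "=" * (-len(label) % 4))


# Constructed traffic: 10.0.0.5 leaks lines of /etc/passwd, one chunk per query, under
# tun.attacker.com; 10.0.0.9 performs ordinary lookups.
LEAKED = [b"cat /etc/passwd\n",
          b"root:x:0:0:root:/root:/bin/bash\n",
          b"bin:x:1:1:bin:/bin:/usr/sbin/nologin\n"]
DNS_LOG = [("10.0.0.5", f"{encode_label(c)}.tun.attacker.com") for c in LEAKED] + [
    ("10.0.0.9", "www.example.com"),
    ("10.0.0.9", "mail.example.com"),
    ("10.0.0.9", "www.example.com"),
]


def zone_of(qname: str) -> str:
    """Crude registered domain: the last two labels (assumes a one-label TLD such as .com)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def tunnel_candidates(log, min_queries=3, min_label_len=20, min_unique_ratio=0.9):
    """Group queries by (source, zone) and flag zones whose left-most labels are long,
    Base64-like and almost never repeat: that is data, not hostnames. Names are kept in
    their original case because Base64 is case-sensitive (DNS itself is not, which is one
    reason real tunnels prefer Base32 or hex)."""
    groups = defaultdict(list)
    for src, qname in log:
        groups[(src, zone_of(qname))].append(qname.rstrip("."))
    hits = {}
    for (src, zone), names in groups.items():
        if len(names) < min_queries:
            continue
        labels = [n.split(".")[0] for n in names]
        mean_len = sum(len(lab) for lab in labels) / len(labels)
        b64_share = sum(1 for lab in labels
                        if B64URL.match(lab) and len(lab) >= min_label_len) / len(labels)
        unique_ratio = len(set(names)) / len(names)
        if mean_len >= min_label_len and b64_share >= 0.8 and unique_ratio >= min_unique_ratio:
            hits[(src, zone)] = {"queries": len(names), "mean_label_len": round(mean_len, 1),
                                 "sample_decode": decode_label(labels[0])}
    return hits
```

Content-delivery and anti-virus update domains also emit long, hashed-looking labels, so confirm a hit with the query rate, the record type requested (TXT and NULL are favourites for the downstream direction) and whether any other host on the network resolves the same zone.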

96 · MCQ · easy

A security analyst receives an alert for a known malware signature in an outbound file transfer. After investigation, the file is confirmed as benign software. This alert is classified as:

A. False positive
B. True positive
C. False negative
D. True negative
Answer: A

The alert fired but no attack was present.

Why this answer

A false positive is an alert with no underlying attack. Here the signature matched a byte pattern the benign file happens to share with the malware; the fix is to document the finding and refine the signature so the same file does not page the SOC again.

97 · MCQ · easy

An analyst observes an alert triggered by a single SYN packet to a closed port. The packet did not complete a TCP handshake. What type of attack does this most likely indicate?

A. SYN scan
B. TCP connect scan
C. Ping sweep
D. UDP scan
Answer: A

A SYN scan sends a SYN and reads the reply: SYN/ACK means open, RST means closed.

Why this answer

A SYN scan sends a bare SYN to each target port and interprets the response without finishing the handshake; a RST back means the port is closed. A TCP connect scan (B) would complete the three-way handshake through the operating system's connect() call, a ping sweep (C) uses ICMP echo requests and a UDP scan (D) sends UDP datagrams. One SYN to one closed port is weak evidence on its own; the same source hitting many ports or many hosts in a short window is what confirms a scan.

98 · MCQ · medium

During an incident response, an analyst identifies a PCAP containing an HTTP POST request to a suspicious external IP with a large payload. The response is not typical for web applications. What type of activity is most likely occurring?

A. SQL injection attack
B. Normal web browsing
C. Data exfiltration
D. Command and control beaconing
Answer: C

A large POST to an unfamiliar external IP suggests exfiltration.

Why this answer

A large request body leaving the network toward an external IP that is not a known web application is the shape of data exfiltration over HTTP: the attacker pushes the stolen data as a POST body because outbound HTTP is allowed almost everywhere. Normal browsing (B) is download-heavy, with small requests and large responses; C2 beaconing (D) is small and periodic; SQL injection (A) would show SQL syntax in the request parameters and target a web application, not an arbitrary IP.
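The indicators behind questions 85 and 98, the volume, direction and timing of outbound traffic, are easiest to see when flows are aggregated per internal-host/external-destination pair rather than read one packet at a time. The following is an added example for this page, not code from the page or from Cisco; the flow records are constructed (using the RFC 5737 documentation ranges for the external hosts), the internal address space is assumed to be the RFC 1918 ranges, and the thresholds and business-hours window are assumptions to replace with a per-host baseline.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (start time, src, dst, dst port, bytes out, bytes in).
# 10.0.0.22 browses normally (small requests, large downloads) during the day.
# 10.0.0.5 pushes about 1.5 GB to one external host at 03:12 and 03:40, then browses later.
FLOWS = [
    ("2024-03-01 14:05:00", "10.0.0.22", "203.0.113.10", 443, 48_000, 1_900_000),
    ("2024-03-01 14:06:00", "10.0.0.22", "203.0.113.10", 443, 12_000, 400_000),
    ("2024-03-01 03:12:00", "10.0.0.5", "198.51.100.7", 443, 850_000_000, 120_000),
    ("2024-03-01 03:40:00", "10.0.0.5", "198.51.100.7", 443, 640_000_000, 95_000),
    ("2024-03-01 10:30:00", "10.0.0.5", "203.0.113.10", 443, 30_000, 2_200_000),
    ("2024-03-01 11:00:00", "10.0.0.5", "10.0.0.50", 445, 300_000_000, 50_000),  # internal copy
]

# Assumption: the organisation's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate_outbound(flows, business_hours=(7, 19)):
    """Sum bytes per (internal src, external dst) and count flows outside business hours.
    Internal-to-internal and inbound-initiated flows are skipped."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "flows": 0, "off_hours": 0})
    for start, src, dst, _dport, b_out, b_in in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour
        a = agg[(src, dst)]
        a["out"] += b_out
        a["in"] += b_in
        a["flows"] += 1
        if not business_hours[0] <= hour < business_hours[1]:
            a["off_hours"] += 1
    return agg


def exfil_candidates(flows, min_bytes_out=100_000_000, min_out_in_ratio=10.0):
    """Flag pairs meeting at least two of: large outbound volume, upload-heavy out/in ratio,
    every flow outside business hours. Returns {(src, dst): [reasons]}."""
    hits = {}
    for key, a in aggregate_outbound(flows).items():
        ratio = a["out"] / a["in"] if a["in"] else float("inf")
        reasons = []
        if a["out"] >= min_bytes_out:
            reasons.append(f"{a['out'] / 1e6:.0f} MB outbound")
        if ratio >= min_out_in_ratio:
            reasons.append(f"out/in ratio {ratio:.0f}")
        if a["off_hours"] == a["flows"]:
            reasons.append("all flows outside business hours")
        if len(reasons) >= 2:
            hits[key] = reasons
    return hits
```

The CDN case from question 85 falls out naturally: steady HTTPS to a content network is download-heavy, so its out/in ratio stays far below 1 and it is never flagged, however many bytes it moves. Cloud backup and video-conferencing hosts are the legitimate upload-heavy exceptions to baseline for.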

99 · MCQ · medium

An analyst is analyzing a PCAP and sees multiple ICMP port unreachable responses from a target host when scanning UDP ports. What does this indicate about the scanned ports?

A. The ports are closed.
B. The scan is a SYN scan.
C. The ports are filtered by a firewall.
D. The ports are open.
Answer: A

An ICMP port unreachable response indicates a closed UDP port.

Why this answer

UDP has no handshake, so a scanner infers port state from what comes back. An ICMP destination unreachable with code 3 (port unreachable) means the host received the datagram and nothing is listening: the port is closed. Other unreachable codes (for example code 13, communication administratively prohibited) mean a filter dropped it. A UDP reply means the port is open, and silence means open|filtered, because an open service that ignores the probe and a firewall that drops it look the same; that ambiguity, plus ICMP rate limiting on most hosts, is why UDP scans are slow.
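Questions 89, 97 and 99 are three readings of one table: what a probe got back determines the port state the scanner infers. The following is an added example for this page, not code from the page, from Cisco or from nmap; the packet summaries are constructed in a tshark-like shape, and for ICMP rows the dport field carries the original destination port quoted in the ICMP payload, a simplification of how the real message embeds the offending header.

```python
# Constructed packet summaries: (time, src, dst, proto, sport, dport, info).
# TCP info is the flag set; UDP info is "data"; ICMP info is "type/code" and dport is the
# UDP port quoted inside the ICMP error (in a real capture it sits in the embedded header).
SCANNER, TARGET = "10.0.0.5", "10.0.0.50"
PACKETS = [
    (0.000, SCANNER, TARGET, "TCP", 40000, 22, "SYN"),
    (0.001, TARGET, SCANNER, "TCP", 22, 40000, "SYN,ACK"),
    (0.002, SCANNER, TARGET, "TCP", 40000, 22, "RST"),       # scanner tears down: no handshake
    (0.003, SCANNER, TARGET, "TCP", 40001, 23, "SYN"),
    (0.004, TARGET, SCANNER, "TCP", 23, 40001, "RST,ACK"),    # closed
    (0.005, SCANNER, TARGET, "TCP", 40002, 8080, "SYN"),      # no answer: filtered
    (0.010, SCANNER, TARGET, "UDP", 40003, 53, "data"),
    (0.011, TARGET, SCANNER, "UDP", 53, 40003, "data"),       # UDP payload back: open
    (0.012, SCANNER, TARGET, "UDP", 40004, 161, "data"),
    (0.013, TARGET, SCANNER, "ICMP", 0, 161, "3/3"),          # port unreachable: closed
    (0.014, SCANNER, TARGET, "UDP", 40005, 123, "data"),
    (0.015, TARGET, SCANNER, "ICMP", 0, 123, "3/13"),         # admin prohibited: filtered
    (0.016, SCANNER, TARGET, "UDP", 40006, 500, "data"),      # silence: open|filtered
]


def classify_ports(packets, scanner, target):
    """Infer per-port state from each probe/response pair, nmap-style:
    TCP  SYN -> SYN/ACK = open, SYN -> RST = closed, no reply = filtered
    UDP  payload reply = open, ICMP 3/3 = closed, other ICMP 3/x = filtered, no reply = open|filtered"""
    probes = {}  # (proto, dport) -> state, initialised to the 'no reply' verdict
    for _t, src, dst, proto, _sport, dport, info in packets:
        if src == scanner and dst == target and proto in ("TCP", "UDP"):
            if proto == "TCP" and info != "SYN":
                continue  # the scanner's own RST after a SYN/ACK is not a probe
            probes.setdefault((proto, dport), "filtered" if proto == "TCP" else "open|filtered")
    for _t, src, dst, proto, sport, dport, info in packets:
        if not (src == target and dst == scanner):
            continue
        if proto == "TCP" and ("TCP", sport) in probes:
            probes[("TCP", sport)] = "open" if "SYN" in info.split(",") else "closed"
        elif proto == "UDP" and ("UDP", sport) in probes:
            probes[("UDP", sport)] = "open"
        elif proto == "ICMP" and ("UDP", dport) in probes:
            icmp_type, icmp_code = (int(x) for x in info.split("/"))
            if icmp_type == 3:
                probes[("UDP", dport)] = "closed" if icmp_code == 3 else "filtered"
    return probes


def scan_summary(packets, scanner, target):
    """Port states plus whether the scanner ever completed a handshake (a connect scan would)."""
    states = classify_ports(packets, scanner, target)
    scanner_acks = [info for _t, src, dst, proto, _s, _d, info in packets
                    if proto == "TCP" and src == scanner and dst == target
                    and "ACK" in info.split(",") and "RST" not in info.split(",")]
    return {"states": states, "ports_probed": len(states),
            "tcp_half_open": any(p == "TCP" for p, _ in states) and not scanner_acks}
```

The 'filtered' TCP verdict and the 'open|filtered' UDP verdict are the analyst's signal that a firewall sits in the path; a long run of them from one source is as much evidence of a scan as the RSTs are.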


