200-201 · topic practice

Host-Based Analysis practice questions

Use this page to practise Host-Based Analysis questions for this certification. Focus on how the exam tests host-based analysis in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Host-Based Analysis

What the exam tests

What to know about Host-Based Analysis

Host-Based Analysis questions on this certification test your ability to deploy and manage host-based analysis concepts in scenario-based situations.

  • Core Host-Based Analysis concepts and how they apply in real-world cloud scenarios.
  • How to deploy host-based analysis correctly and verify the outcome.
  • Troubleshooting host-based analysis issues by interpreting error output and system state.
  • Cloud best practices and Host-Based Analysis design trade-offs tested by this certification.

Watch out for

Common Host-Based Analysis exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Host-Based Analysis questions

20 questions · select your answer, then reveal the explanation

A security analyst is investigating a host that is suspected of being used as a pivot point in a network intrusion. The analyst needs to identify which process initiated an outbound connection to a known malicious IP address. Which host-based analysis approach should the analyst use to correlate the network connection to the specific process?

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

Exhibit

C:\Users\Admin> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                    1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                    1508 WpnService, WpnUserService
notepad.exe                    2344 N/A
cmd.exe                        2568 N/A
powershell.exe                 2792 N/A

C:\Users\Admin> netstat -anob | findstr 192.168.1.50
  TCP    192.168.1.100:49152    192.168.1.50:443    ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80     ESTABLISHED     1420
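
As an added example (not code from the page or its author), the correlation the two exhibit commands rely on, run over constructed copies of that output: the PID column of netstat -anob is joined to the PID column of tasklist /svc so every connection to the remote address is attributed to an image name and the services it hosts. The "suspicious" flag is an assumed analyst heuristic, not a verdict.

```python
import re
# Constructed copies of the exhibit's two command outputs (not captured from a real host).
TASKLIST_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                    1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                    1508 WpnService, WpnUserService
notepad.exe                    2344 N/A
cmd.exe                        2568 N/A
powershell.exe                 2792 N/A
"""
NETSTAT_OUTPUT = """\
  TCP    192.168.1.100:49152    192.168.1.50:443    ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80     ESTABLISHED     1420
"""

def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line.strip())
        if not m: continue  # header and separator rows have no numeric PID column
        svc = m.group(3).strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs[int(m.group(2))] = (m.group(1), services)
    return procs

def parse_netstat(text):
    """Parse TCP rows of `netstat -anob` (as filtered by findstr) into (local, remote, state, pid)."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[0] == "TCP":
            rows.append((p[1], p[2], p[3], int(p[4])))
    return rows

def correlate(tasklist_text, netstat_text, remote_ip):
    """Attribute every connection to remote_ip to a process by joining on the shared PID column."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for _local, remote, state, pid in parse_netstat(netstat_text):
        if remote.rsplit(":", 1)[0] != remote_ip:  # rsplit also copes with [ipv6]:port
            continue
        image, services = procs.get(pid, ("<unknown>", []))
        # A service host with services listed is expected to use the network; a standalone
        # interactive binary (services N/A) holding a session is the one to pivot on first.
        findings.append({"pid": pid, "image": image, "services": services,
                         "remote": remote, "state": state, "suspicious": not services})
    return findings
```

On a live host the same join is what `netstat -anob` already prints in its bracketed image-name lines; the parser above is for the filtered exhibit form, where only the PID survives.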

A security analyst is investigating a host that is suspected of being compromised. The analyst runs a series of commands to gather information. Which TWO of the following commands are most useful for collecting volatile data from a live Windows system? (Choose two.)

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

Exhibit

Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
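
As an added example (not code from the page), detection logic run over constructed copies of the exhibit's three lines: it parses the %SEC-6-IPACCESSLOGP fields, groups denied flows by source, destination and destination port, and counts distinct source ports so repeated new connection attempts to Telnet can be told apart from retransmits of a single attempt. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed copies of the exhibit's three ACL-log lines (not from a real device).
SYSLOG_LINES = """\
Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
""".splitlines()

ACL_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ .*%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packet")

def parse_acl_log(line):
    """Return a dict of the fields in one %SEC-6-IPACCESSLOGP line, or None if it is not one."""
    m = ACL_LOG.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; pin one so lines within a capture stay comparable
    d["ts"] = datetime.strptime("2024 " + " ".join(d["ts"].split()), "%Y %b %d %H:%M:%S")
    for k in ("sport", "dport", "packets"):
        d[k] = int(d[k])
    return d

def find_repeated_denies(lines, threshold=3, window_seconds=60):
    """Group denied flows by (src, dst, dport) and flag any that reach threshold inside the window."""
    groups = defaultdict(list)
    for line in lines:
        e = parse_acl_log(line)
        if e and e["action"] == "denied":
            groups[(e["src"], e["dst"], e["dport"])].append(e)
    alerts = []
    for (src, dst, dport), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
        if len(events) >= threshold and span <= window_seconds:
            # Each attempt arriving from a new ephemeral source port is a fresh connection,
            # i.e. repeated attempts by the client rather than retransmits of one SYN.
            alerts.append({"src": src, "dst": dst, "dport": dport, "count": len(events),
                           "span_seconds": span,
                           "distinct_sports": len({e["sport"] for e in events})})
    return alerts
```
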
Question 5 · hard · multiple choice

A security analyst is responding to an incident on a critical Windows server that hosts a database application. The server is running Windows Server 2019 with all current patches. The analyst suspects that a remote attacker gained access and is using living-off-the-land binaries to move laterally. The analyst has captured a memory dump and a full disk image. The analyst needs to determine if the attacker used PowerShell to download additional tools. Which analysis step should the analyst perform first to identify PowerShell usage?

Question 6 · hard · multi-select

An analyst is investigating a host that is suspected of being compromised. The host's security logs show multiple failed login attempts followed by a successful login from an unusual IP address, and then a series of outbound connections to known malicious destinations. Which TWO actions should the analyst take immediately? (Choose two.)

Refer to the exhibit. An analyst runs the command 'tasklist /svc /fi "PID eq 1234"' on a Windows host and receives the output shown. Which conclusion can the analyst draw from this output?

Exhibit

tasklist /svc /fi "PID eq 1234"
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1234 CryptSvc, Dnscache, LanmanWorkstation, W32Time

An organization uses Windows 10 Enterprise workstations with standard user accounts (no local admin). Users run daily tasks including web browsing, document editing, and accessing a corporate intranet. Recently, the security team detected anomalous outbound traffic from one workstation to an IP address in a foreign country. The workstation's host-based firewall shows that a process named 'svch0st.exe' initiated the connection. Additionally, a scheduled task named 'UpdateTask' runs every hour with SYSTEM privileges, executing a script from a hidden folder. The user reports no unusual behavior except occasional system slowdowns. The analyst must determine the best immediate course of action. Which action should the analyst take first?

Drag and drop the steps to investigate a security incident using a SIEM into the correct order.

Drag and drop the steps to configure a Cisco ASA firewall for basic network access into the correct order.

Match each Windows event log type to its description.

  • Logs success/failure audit events
  • Logs operating system events
  • Logs events from applications
  • Logs installation events
  • Logs events forwarded from other computers

Match each log severity level to its description (syslog).

  • System is unusable
  • Immediate action required
  • Critical conditions
  • Error conditions
  • Warning conditions

Question 13 · easy · multiple choice

A security analyst notices that a workstation is generating multiple DNS queries to a known malicious domain. Which host-based analysis technique would be most effective in confirming the infection?

A SOC analyst is investigating a suspicious file on a Windows host. The file hash matches a known malware variant in a threat intelligence feed. What is the next best step for host-based analysis?

An analyst is examining a Linux host suspected of being compromised. The file /etc/passwd shows unusual entries. Which host-based analysis tool is best for verifying if the accounts are actively being used?

Question 16 · medium · multiple choice

During a host-based investigation, an analyst finds a process named 'svchost.exe' consuming high CPU. The process path is 'C:\Windows\Temp\svchost.exe'. What should the analyst conclude?

Question 17 · hard · multiple choice

A security analyst is reviewing host-based logs from a compromised system. The Windows Security Event Log shows multiple Event ID 4625 (failed logon) from a single source IP, but no successful logon. The network team confirms that IP is a known scanning host. What is the most likely explanation for the lack of successful logon events?

An analyst is performing host-based analysis on a machine that is part of a botnet. The machine is communicating with a C2 server over HTTPS. Which host-based evidence would be most useful to identify the C2 communication?

Which Windows registry hive is most likely to contain evidence of malware persistence via a service?

Question 20 · medium · multiple choice

A host-based analysis tool reports that a file has a digital signature that is valid but from an untrusted publisher. What should the analyst interpret from this?

Frequently asked questions

What does the 200-201 exam test about Host-Based Analysis?
Host-Based Analysis questions on this certification test your ability to deploy and manage host-based analysis concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Host-Based Analysis questions in a focused session?
Yes — the session launcher on this page draws every question from the Host-Based Analysis domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.