CCNA Casp Security Operations Questions

75 of 147 questions · Page 1/2 · Casp Security Operations topic · Answers revealed

1
MCQ · hard

An organization uses an EDR solution and wants to detect ransomware that encrypts files and then deletes volume shadow copies. Which EDR detection technique would be most effective for this behavior?

A.Signature-based detection using file hashes
B.Behavioral detection for mass file modifications and vssadmin.exe execution
C.Allowlisting of trusted applications
D.Network traffic analysis to detect C2 communication
Answer: B

Behavioral detection identifies the pattern of file modifications and shadow copy deletion.

Why this answer

Behavioral detection watches what a process does at runtime. A burst of file writes and renames across user directories, followed by vssadmin.exe delete shadows, wmic shadowcopy delete or a bcdedit change that disables recovery, is characteristic of ransomware regardless of the binary's hash. Hash signatures (A) miss every new build, allowlisting (C) prevents rather than detects, and network analysis (D) may see nothing at all if the sample encrypts without contacting a C2 server.
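An added example, not from the question bank, showing the behavioral logic in Python over constructed EDR telemetry (the host names, PIDs, paths and thresholds are made up for the example and would be tuned against a real baseline). One function matches shadow-copy tampering command lines, one finds a process that rewrote many distinct files inside a short window, and the third alerts only when both occur on the same host close in time:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that delete or shrink Volume Shadow Copies or disable Windows
# recovery. Matched on the whole command line, case-insensitively, rather than
# on the image name, because the binary can be renamed or launched via cmd.exe.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

MASS_WRITE_THRESHOLD = 50                    # distinct files rewritten by one process
MASS_WRITE_WINDOW = timedelta(seconds=60)    # ... inside any window this long
CORRELATION_WINDOW = timedelta(minutes=10)   # tamper command this close to the burst


def shadow_copy_tampering(proc_events):
    """Process-creation events whose command line tampers with shadow copies."""
    return [ev for ev in proc_events
            if any(p.search(ev["cmdline"]) for p in SHADOW_TAMPER_PATTERNS)]


def mass_file_modification(file_events, threshold=MASS_WRITE_THRESHOLD,
                           window=MASS_WRITE_WINDOW):
    """(host, pid) -> {'files': peak, 'first_ts': t} for every process that
    rewrote at least `threshold` distinct paths inside one `window`."""
    by_proc = defaultdict(list)
    for ev in file_events:
        by_proc[(ev["host"], ev["pid"])].append(ev)
    flagged = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, first in enumerate(evs):          # sliding window over sorted events
            paths = {e["path"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            peak = max(peak, len(paths))
        if peak >= threshold:
            flagged[key] = {"files": peak, "first_ts": evs[0]["ts"]}
    return flagged


def ransomware_alerts(proc_events, file_events, window=CORRELATION_WINDOW):
    """Hosts on which a write burst and a shadow-copy tamper command occur together."""
    bursts = mass_file_modification(file_events)
    tamper = shadow_copy_tampering(proc_events)
    hosts = {host for (host, _pid), info in bursts.items()
             for ev in tamper
             if ev["host"] == host and abs(ev["ts"] - info["first_ts"]) <= window}
    return sorted(hosts)


# Constructed telemetry: one infected workstation (WS-017) and one clean server.
BASE = datetime(2024, 3, 1, 3, 12, 0)
SAMPLE_FILE_EVENTS = [
    {"ts": BASE + timedelta(milliseconds=400 * i), "host": "WS-017", "pid": 4242,
     "path": rf"C:\Users\jdoe\Documents\report_{i}.docx.locked"} for i in range(60)
] + [
    {"ts": BASE + timedelta(seconds=10 * i), "host": "WS-017", "pid": 900,
     "path": rf"C:\ProgramData\BackupAgent\chunk_{i}.bin"} for i in range(3)
]
SAMPLE_PROC_EVENTS = [
    {"ts": BASE, "host": "WS-017", "pid": 4242,
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe --run"},
    {"ts": BASE + timedelta(seconds=25), "host": "WS-017", "pid": 4311,
     "cmdline": r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & wmic shadowcopy delete"},
    {"ts": BASE + timedelta(seconds=26), "host": "WS-017", "pid": 4320,
     "cmdline": r"bcdedit /set {default} recoveryenabled No"},
    {"ts": BASE + timedelta(hours=2), "host": "SRV-02", "pid": 1200,
     "cmdline": r"vssadmin list shadows"},        # benign: listing, not deleting
]

if __name__ == "__main__":
    print(ransomware_alerts(SAMPLE_PROC_EVENTS, SAMPLE_FILE_EVENTS))
```

The benign backup agent on the same host touches three files and never trips the burst threshold, and the server that merely lists shadow copies matches no tamper pattern, which is the point of requiring both signals before alerting.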

2
MCQ · easy

A security team is implementing deception technology to detect attackers inside the network. They plan to deploy fake systems that appear vulnerable and attract attackers. Which of the following is an example of a honeytoken?

A.A network segment with multiple decoy systems
B.A fake DNS entry for a non-existent domain
C.A virtual machine running a vulnerable web server
D.A fake database credential file that triggers an alert when opened
Answer: D

This is a classic honeytoken—a decoy credential file that alerts when accessed.

Why this answer

A honeytoken is a decoy object such as a fake credential, file, or database record that is used to detect unauthorized access. A fake database credential file that triggers an alert when accessed is a typical honeytoken.

3
MCQ · easy

Which phase of the incident response lifecycle involves removing the threat from the environment and restoring systems to normal operations?

A.Lessons Learned
B.Containment
C.Eradication
D.Detection
Answer: C

Eradication removes the threat from the environment.

Why this answer

In NIST SP 800-61 these activities form one phase, 'Containment, Eradication, and Recovery': eradication removes the threat (malware, persistence mechanisms, attacker-created accounts) and recovery restores affected systems to normal operation. The question folds both into one description; of the options offered, Eradication is the removal step, so C is the answer.

4
Multi-Select · easy

A penetration tester is planning a test against a web application. The rules of engagement specify that the tester must not disrupt production services. Which TWO reconnaissance techniques are considered passive and would be appropriate for initial information gathering without impacting the target? (Select TWO.)

Select 2 answers
A.Port scanning the target network
B.Vulnerability scanning
C.Social engineering attacks
D.WHOIS lookup on the domain
E.OSINT gathering from public sources
Answers: D, E

WHOIS queries are passive and use public databases.

Why this answer

OSINT uses publicly available information and WHOIS queries are passive, as they do not interact with the target system directly.

5
MCQ · medium

A security operations center (SOC) analyst receives an alert from the SIEM indicating a user has logged into the corporate VPN from an unusual geographic location at 3 AM, which is outside the user's normal working hours. The user has not previously exhibited this behavior. Which advanced SIEM capability is most likely responsible for generating this alert?

A.User Behavior Analytics (UBA)
B.Correlation rule based on static thresholds
C.Signature-based detection
D.Threat intelligence feed correlation
Answer: A

UBA detects deviations from baseline behavior.

Why this answer

User Behavior Analytics (UBA) builds a per-user baseline of normal activity (typical login hours, locations and devices) from historical data, using statistical or machine-learning models, and alerts on deviations such as a 3 AM login from an unfamiliar country. A static-threshold correlation rule (B) cannot express 'unusual for this user', and signature or threat-feed matching (C, D) needs a known-bad indicator, which a legitimate-looking VPN login does not carry.
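An added Python example, not from the question bank, of the baselining behind such an alert. The login history, the users and the scoring weights are constructed assumptions: each user gets a histogram of login hours and source countries, and a new login is scored against it, with too little history treated as a separate verdict rather than an alert:

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed VPN login history: (user, timestamp, source country).
# alice has twenty daytime logins from the US; bob has too few to baseline.
_ALICE_HOURS = [8, 9, 10, 13, 15, 17, 9, 8, 16, 11, 14, 10, 9, 8, 17, 12, 13, 15, 10, 9]
TRAINING_LOGINS = [("alice", datetime(2024, 2, 1 + i, h, 0), "US")
                   for i, h in enumerate(_ALICE_HOURS)] + [
    ("bob", datetime(2024, 2, 5, 9, 0), "US"),
    ("bob", datetime(2024, 2, 6, 10, 0), "US"),
    ("bob", datetime(2024, 2, 7, 9, 30), "US"),
]
# Logins to score: the 3 AM case from the question, a normal one, an early one, bob.
PROBE_LOGINS = [
    ("alice", datetime(2024, 3, 2, 3, 0), "RO"),
    ("alice", datetime(2024, 3, 2, 9, 30), "US"),
    ("alice", datetime(2024, 3, 2, 7, 0), "US"),
    ("bob", datetime(2024, 3, 2, 3, 0), "RO"),
]
MIN_HISTORY = 10   # logins required before a user's baseline is trusted


def build_baselines(logins):
    """Per-user histograms of login hour and source country."""
    base = defaultdict(lambda: {"hours": Counter(), "countries": Counter(), "n": 0})
    for user, ts, country in logins:
        b = base[user]
        b["hours"][ts.hour] += 1
        b["countries"][country] += 1
        b["n"] += 1
    return base


def score_login(baselines, user, ts, country, min_history=MIN_HISTORY):
    """Compare one login with its owner's baseline; a new country weighs more
    than an odd hour because travel is rarer than working late."""
    b = baselines.get(user)
    if b is None or b["n"] < min_history:
        return {"user": user, "decision": "insufficient_history", "risk": 0,
                "new_country": None, "unusual_hour": None}
    seen = set(b["hours"])
    # an hour is usual if the user has logged in within one hour of it before
    unusual_hour = not any(((ts.hour + d) % 24) in seen for d in (-1, 0, 1))
    new_country = country not in b["countries"]
    risk = (2 if new_country else 0) + (1 if unusual_hour else 0)
    decision = "alert" if risk >= 2 else "review" if risk == 1 else "allow"
    return {"user": user, "decision": decision, "risk": risk,
            "new_country": new_country, "unusual_hour": unusual_hour}


def score_all(baselines, logins):
    return [score_login(baselines, u, ts, c) for u, ts, c in logins]


if __name__ == "__main__":
    for verdict in score_all(build_baselines(TRAINING_LOGINS), PROBE_LOGINS):
        print(verdict)
```

A production UBA engine would also baseline device, ISP and impossible-travel distance and would age the histogram, but the shape is the same: the rule is defined relative to the user's own history rather than a fixed time or country list.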

6
MCQ · easy

An organization wants to share threat intelligence with industry peers using a standardized format. Which of the following formats is specifically designed for representing structured threat information in a machine-readable way?

A.CyboX
B.TAXII
C.STIX
D.OpenIOC
Answer: C

STIX is the standardized format for structured threat information.

Why this answer

STIX (Structured Threat Information Expression) is the standardized language for describing threat intelligence as structured objects (indicators, malware, threat actors, campaigns and the relationships between them). TAXII (B) is the transport protocol that carries STIX content, CybOX (A) was the observable-object format that STIX 2.x absorbed, and OpenIOC (D) is an older XML indicator format.

7
MCQ · medium

A security analyst is analyzing a memory dump from a compromised host using Volatility. Which Volatility plugin would be most useful to identify a malicious process that is hidden from the standard process listing?

A.pstree
B.malfind
C.psxview
D.pslist
Answer: C

psxview cross-references multiple sources to find discrepancies, revealing hidden processes.

Why this answer

psxview is a Volatility 2 plugin that lists every process found by several independent methods (the PsActiveProcessHead linked list that pslist walks, pool-tag scanning for _EPROCESS structures as psscan does, thread and PspCidTable enumeration, and the csrss and session views) and marks which methods see each one. A process that a rootkit has unlinked from the active-process list still has an _EPROCESS structure in memory, so it appears in psscan but not in pslist. In Volatility 3 the same cross-view is done by comparing windows.pslist against windows.psscan. pslist and pstree (A, D) only walk the linked list, and malfind (B) looks for injected code, not hidden processes.

8
MCQ · medium

A security analyst is using the MITRE ATT&CK framework to categorize adversary behavior observed in recent incidents. The analyst notes that the adversary used spearphishing with a malicious attachment to gain initial access, then executed a PowerShell script to download additional tools. Which ATT&CK tactic is the PowerShell execution associated with?

A.Defense Evasion
B.Execution
C.Initial Access
D.Command and Control
Answer: B

Execution involves running malicious code.

Why this answer

Execution is the tactic that covers techniques that result in adversary-controlled code running on a system. PowerShell execution is a common technique under the Execution tactic.

9
Multi-Select · medium

A security analyst is conducting a penetration test for a client. The rules of engagement specify that no social engineering is allowed. Which TWO of the following reconnaissance techniques are permitted under these rules?

Select 2 answers
A.Calling the help desk to obtain credentials
B.Scanning the client's external network for open ports
C.Performing DNS enumeration using public records
D.Sending phishing emails to employees
E.Tailgating into the building
Answers: B, C

Port scanning is active recon but does not involve social engineering.

Why this answer

DNS enumeration from public records is passive reconnaissance (OSINT): it never touches the target and is allowed. Port scanning is active reconnaissance, but it involves no human interaction, so it is permitted unless the rules of engagement restrict scanning separately. Calling the help desk, phishing and tailgating all manipulate people, which is social engineering and therefore prohibited.

10
MCQ · easy

An organization needs to ensure that evidence collected during a forensic investigation remains intact and admissible in court. Which process is most critical for maintaining the integrity of digital evidence?

A.Storing evidence in a secure locker
B.Maintaining an unbroken chain of custody
C.Using write-blockers when imaging drives
D.Hashing the evidence with SHA-256
Answer: B

Chain of custody is the foundational process for evidence integrity.

Why this answer

Chain of custody documents every person who handled the evidence, from collection to presentation in court, ensuring that evidence has not been tampered with. This is essential for admissibility.

11
MCQ · medium

During a digital forensics investigation of a compromised Linux server, the investigator needs to preserve the evidence in a forensically sound manner. The server is still running. Which of the following should the investigator do first?

A.Pull the power cord to preserve the disk state
B.Create a forensic image of the hard drive using dd over a network connection
C.Run the 'history' command to see recent user commands
D.Capture the contents of RAM using a tool like LiME or fmem
Answer: D

Capturing memory first preserves the most volatile data, including running processes and network connections.

Why this answer

According to the order of volatility, the most volatile data is captured first. On a running system that means memory: LiME is a loadable kernel module that writes a RAM image to disk or a network socket, preserving process lists, network connections and decrypted keys that vanish at shutdown. Pulling the power (A) destroys exactly that data, and imaging the disk (B) or running history (C) can wait until memory has been captured; running commands on the host before the capture also alters the memory being collected.

12
Multi-Select · medium

A security team is implementing a threat intelligence program and wants to consume intelligence from various sources. Which TWO of the following are commonly used threat intelligence feeds or sharing mechanisms? (Select TWO.)

Select 2 answers
A.DNS
D.ISACs
E.STIX/TAXII
Answers: D, E

Information Sharing and Analysis Centers are industry-specific sharing communities.

Why this answer

STIX/TAXII is a standard for sharing threat intelligence, and ISACs are industry-specific sharing groups.

13
MCQ · medium

A security analyst is reviewing threat intelligence feeds and notices that a known Advanced Persistent Threat (APT) group has been using a specific technique to move laterally within networks. The analyst wants to map this technique to the MITRE ATT&CK framework. Which resource would the analyst use to find the corresponding ATT&CK technique ID?

A.MITRE ATT&CK Navigator or website
B.NIST SP 800-61
C.STIX/TAXII feeds
D.CVE database
Answer: A

The ATT&CK Navigator is a tool for exploring and mapping techniques.

Why this answer

The MITRE ATT&CK framework provides a structured taxonomy of adversary behaviors, including techniques and procedures. The ATT&CK website or database allows mapping observed behaviors to specific technique IDs.

14
MCQ · medium

A security analyst is investigating a phishing campaign targeting the organization. The threat intelligence team has provided indicators such as email subject lines, sender domains, and attachment hashes. However, the analyst notices that these IOCs change rapidly and are only effective for a short period. Which type of threat intelligence would provide more durable and actionable information for defending against this campaign?

A.STIX/TAXII feeds
B.IoC-based threat intelligence
C.TTP-based threat intelligence
D.Strategic threat intelligence
Answer: C

TTPs describe adversary behavior and are more durable than IOCs.

Why this answer

TTP-based intelligence focuses on the adversary's behavior, such as tactics, techniques, and procedures, which are more stable over time compared to fast-changing IOCs like hashes and domains. This aligns with the ATT&CK framework.

15
MCQ · easy

A vulnerability scanner reports a critical vulnerability on a critical server with a CVSS v3.1 base score of 9.8. The server cannot be patched immediately due to vendor constraints. Which of the following should the security team implement as a compensating control?

A.Disable the server until a patch is available
B.Increase monitoring of the server
C.Isolate the server on a separate network segment with strict firewall rules
D.Apply a workaround provided by the vendor
Answer: C

Network isolation is an effective compensating control.

Why this answer

When a patch cannot be applied, compensating controls such as network segmentation, firewall rules, or WAF can reduce risk. Network isolation is a common compensating control.

16
Multi-Select · hard

A security analyst is reviewing a malware sample in a sandbox environment. The analyst notes that the malware attempts to check for the presence of a debugger and modifies its behavior if one is detected. Additionally, the malware uses encrypted strings and resolves API calls dynamically. Which THREE analysis techniques would be most effective for understanding this malware's capabilities? (Select THREE.)

Select 3 answers
A.Static analysis using a disassembler like IDA Pro to examine the code for anti-debugging and obfuscation techniques
B.Network analysis using Wireshark to capture packets from the sandbox
C.Hash analysis by submitting the malware to VirusTotal
D.Dynamic analysis in a sandbox to observe the malware's behavior after it detects a debugger
E.Memory analysis using Volatility on the sandbox host to capture the malware's process memory
Answers: A, D, E

Static analysis is essential for understanding the code structure and identifying anti-debugging routines.

Why this answer

Static analysis with a disassembler exposes the anti-debugging checks, the string-decryption routine and the dynamic API resolution (typically a hash or a runtime-decrypted name passed to GetProcAddress) even when those paths never execute in the sandbox. Dynamic analysis shows what the sample actually does, including the branch it takes once it believes a debugger is present, so the sandbox run should be repeated with and without a debugger attached. Memory analysis with Volatility captures the process after it has decrypted its strings and resolved its imports, recovering the plaintext C2 addresses and API names that the on-disk binary hides. Network capture (B) and hash lookup (C) are useful but do not explain the sample's capabilities.

17
MCQ · easy

A security team is preparing for a penetration test. Which document defines the scope, rules, and restrictions for the test?

A.Rules of Engagement (RoE)
B.Memorandum of Understanding (MOU)
C.Statement of Work (SoW)
D.Service Level Agreement (SLA)
Answer: A

RoE defines the scope and rules for the penetration test.

Why this answer

The Rules of Engagement (RoE) is a formal document that outlines the scope, permissions, and constraints of a penetration test.

18
Multi-Select · medium

A security team is deploying deception technology to detect lateral movement within the network. They plan to use honeypots configured to mimic critical servers. Which TWO of the following are essential considerations for the honeypot deployment to be effective? (Choose TWO.)

Select 2 answers
A.Configure the honeypots with the same patch level as production systems
B.Use realistic network services and data to attract attackers
C.Isolate the honeypots from production systems to prevent pivoting
D.Ensure the honeypots are in the same broadcast domain as production servers
E.Disable logging on honeypots to avoid detection by attackers
Answers: B, C

Realistic honeypots are more likely to be interacted with.

Why this answer

Honeypots should be properly isolated to prevent them from being used as a pivot point, and they should be designed to appear realistic to attract attackers. Placing them in the same broadcast domain is not necessary and could increase risk.

19
MCQ · medium

During a penetration test, the tester has obtained a foothold on an internal server. The tester wants to identify other systems on the network and find potential targets for lateral movement. Which type of reconnaissance is MOST appropriate in this scenario?

A.Internal network scanning with Nmap
B.OSINT gathering via Shodan
C.Social engineering attacks on employees
D.Passive sniffing with Wireshark
Answer: A

Nmap can scan internal IP ranges to discover live hosts and services.

Why this answer

Active reconnaissance on internal networks (e.g., port scanning, OS fingerprinting) is appropriate after gaining a foothold, as it provides detailed information about adjacent systems. Passive reconnaissance (like sniffing) might be stealthier but active scanning is more effective for mapping.

20
Multi-Select · hard

During a digital forensics investigation, an analyst is examining a Windows system suspected of being compromised. Which THREE of the following artifacts would be most useful for determining the timeline of the attack?

Select 3 answers
A.Registry hives
B.Windows Event Logs
C.Master File Table (MFT)
D.Prefetch files
E.System Resource Utilization Monitor (SRUM)
Answers: B, C, D

Event logs record security and system events.

Why this answer

Timestamps from the MFT, prefetch files and event logs are the most direct timeline sources: the MFT records creation, modification and access times for every file (in both the $STANDARD_INFORMATION and $FILE_NAME attributes, which helps spot timestamp tampering), prefetch files record when and how often a program ran, and event logs record logons, service installations and other system events. Registry hives (A) also carry timestamps (key LastWrite times and artifacts such as UserAssist, ShimCache and Amcache) and SRUM (E) records per-application network and resource usage, so both are valid secondary sources; the question asks for the three most useful.

21
MCQ · medium

A security operations center (SOC) analyst is investigating an alert from an EDR tool indicating that a workstation executed a suspicious PowerShell command that decoded a base64 string. The decoded string contained a command to download a file from an external IP address. Which stage of the cyber kill chain does this activity most likely represent?

A.Actions on Objectives
B.Reconnaissance
C.Weaponization
D.Exploitation
Answer: D

Exploitation involves triggering the payload to gain access.

Why this answer

A base64-encoded PowerShell command that downloads a file is a stager: the initial lure or exploit has already run, and the payload is now being fetched to establish a foothold. In the Lockheed Martin kill chain the download itself belongs to Installation, and the stage after it is Command and Control, but neither is offered. Of the options given, Exploitation fits best because the stager is the code that executes on the victim as a result of the delivered lure; Weaponization (C) happens on the attacker's side before delivery, and Actions on Objectives (A) comes after a stable foothold exists.

22
MCQ · easy

A security analyst is reviewing threat intelligence feeds and notices indicators from a known APT group. Which threat intelligence sharing standard is most commonly used to structure and share such cyber threat information in a machine-readable format?

A.CybOX
B.MITRE ATT&CK
C.STIX/TAXII
D.OpenIOC
Answer: C

STIX and TAXII are the standard protocols for sharing cyber threat intelligence in a structured, machine-readable format.

Why this answer

STIX (Structured Threat Information Expression) defines the data model and TAXII (Trusted Automated Exchange of Intelligence Information) defines the HTTPS-based transport for exchanging it, so together they are the standard pairing for machine-readable threat sharing. CybOX was merged into STIX 2.x, MITRE ATT&CK is a taxonomy of adversary behavior rather than a sharing format, and OpenIOC is an older XML indicator format.

23
MCQ · medium

During an incident response, the team identifies that an attacker gained initial access via a phishing email containing a malicious macro. The macro downloaded a payload from a remote server. Which phase of the incident response lifecycle is currently being executed when the team identifies the phishing email as the attack vector?

A.Containment, eradication, and recovery
B.Preparation
C.Lessons learned
D.Detection and analysis
Answer: D

The team is analyzing the attack vector, which is part of detection and analysis.

Why this answer

Detection and analysis involves identifying the attack and determining its nature. The team has identified the vector, so they are in this phase.

24
MCQ · hard

A SOC analyst is tuning a SIEM correlation rule to detect lateral movement. The rule currently triggers on a single failed authentication followed by a successful authentication from a new IP address within 5 minutes. Which improvement would best reduce false positives while maintaining detection of pass-the-hash attacks?

A.Require two failed authentications before the success
B.Increase the time window to 30 minutes
C.Add a condition that the source IP is not in the company's IP range
D.Remove the failed authentication requirement and only trigger on successful authentication from a new IP
Answer: A

Two failures filter out the single mistyped password that causes most false positives in a failed-then-succeeded rule.

Why this answer

A legitimate user who mistypes a password once produces exactly the sequence the original rule alerts on, so requiring two failures removes the commonest false positive while still catching guessing that eventually succeeds. The caveat a detection engineer should note: pass-the-hash with a valid NTLM hash usually produces no failed logon at all, so this rule on its own will miss it. Pair it with a rule on Windows Security event 4624 with logon type 3 and authentication package NTLM from a source host the account has not used before, and with the source-IP condition from option C to suppress administrators working from known jump hosts.
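An added Python example, not from the page, that runs the original rule, the tightened two-failure rule and a rule for the logon shape pass-the-hash actually produces (event 4624, logon type 3, NTLM, previously unseen source) over constructed Windows logon events. The accounts, addresses, timestamps and the known-source table are all assumptions:

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1, 8, 0, 0)

# Constructed Windows Security events. 4625 = failed logon, 4624 = successful
# logon; logon type 3 = network, 10 = RemoteInteractive (RDP).
EVENTS = [
    # alice mistypes her RDP password once, then gets in from a new desktop
    {"ts": T0, "event_id": 4625, "user": "alice", "src": "10.0.5.99",
     "logon_type": 10, "auth": "Kerberos"},
    {"ts": T0 + timedelta(seconds=20), "event_id": 4624, "user": "alice",
     "src": "10.0.5.99", "logon_type": 10, "auth": "Kerberos"},
    # bob: two failures then success from an unknown host, NTLM over the network
    {"ts": T0 + timedelta(minutes=5), "event_id": 4625, "user": "bob",
     "src": "10.0.7.30", "logon_type": 3, "auth": "NTLM"},
    {"ts": T0 + timedelta(minutes=5, seconds=30), "event_id": 4625, "user": "bob",
     "src": "10.0.7.30", "logon_type": 3, "auth": "NTLM"},
    {"ts": T0 + timedelta(minutes=6, seconds=30), "event_id": 4624, "user": "bob",
     "src": "10.0.7.30", "logon_type": 3, "auth": "NTLM"},
    # svc_backup: a pass-the-hash style logon with no failures at all
    {"ts": T0 + timedelta(minutes=20), "event_id": 4624, "user": "svc_backup",
     "src": "10.0.3.77", "logon_type": 3, "auth": "NTLM"},
    # alice, Kerberos from her usual workstation: nothing interesting
    {"ts": T0 + timedelta(minutes=30), "event_id": 4624, "user": "alice",
     "src": "10.0.5.20", "logon_type": 3, "auth": "Kerberos"},
]

# Source addresses each account has used before (the 'not a new IP' baseline).
KNOWN_SOURCES = {"alice": {"10.0.5.20"}, "svc_backup": {"10.0.9.5"}}


def failed_then_success(events, known_sources, min_failures=1,
                        window=timedelta(minutes=5)):
    """(user, src) pairs where at least min_failures 4625s for the same account
    precede a 4624 from a source the account has not used, inside `window`.
    min_failures=1 is the original rule, min_failures=2 the tightened one."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 4624 or ev["src"] in known_sources.get(ev["user"], set()):
            continue
        failures = [e for e in events[:i]
                    if e["event_id"] == 4625 and e["user"] == ev["user"]
                    and ev["ts"] - e["ts"] <= window]
        if len(failures) >= min_failures:
            alerts.append((ev["user"], ev["src"]))
    return alerts


def ntlm_network_logon_from_new_source(events, known_sources):
    """4624 with logon type 3 and NTLM from a source the account has not used:
    the shape a pass-the-hash logon takes, with or without preceding failures."""
    return [(e["user"], e["src"]) for e in sorted(events, key=lambda e: e["ts"])
            if e["event_id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM"
            and e["src"] not in known_sources.get(e["user"], set())]


if __name__ == "__main__":
    print("original rule:  ", failed_then_success(EVENTS, KNOWN_SOURCES))
    print("two failures:   ", failed_then_success(EVENTS, KNOWN_SOURCES, min_failures=2))
    print("NTLM new source:", ntlm_network_logon_from_new_source(EVENTS, KNOWN_SOURCES))
```

The original rule fires on alice's typo, the two-failure version does not, and only the NTLM rule sees the service account's clean pass-the-hash logon, which is why the correlation rule and the logon-shape rule belong together.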

25
Multi-Select · easy

An organization is implementing a threat hunting program. The team plans to use the MITRE ATT&CK framework to structure their hunts. Which THREE of the following are core components of the ATT&CK framework? (Choose THREE.)

Select 3 answers
A.Procedures
B.Indicators of compromise (IOCs)
C.CVSS scores
D.Tactics
E.Techniques
Answers: A, D, E

Procedures are specific implementations of techniques.

Why this answer

ATT&CK includes tactics (the 'why'), techniques (the 'how'), and procedures (specific implementations). Indicators of compromise and CVSS scores are not part of the framework; they are separate concepts.

26
MCQ · easy

A security analyst is investigating a malware sample found on a workstation. The analyst wants to determine the malware's capabilities without executing it. Which type of malware analysis involves examining the binary's strings, headers, and structure?

A.Static analysis
B.Dynamic analysis
C.Reverse engineering
D.Memory forensics
Answer: A

Static analysis examines the binary without execution.

Why this answer

Static analysis involves examining the malware's code and structure without running it. This includes looking at strings (e.g., IP addresses, registry keys), PE headers, and imports/exports to understand functionality.

27
MCQ · hard

During a malware analysis, an analyst runs a suspicious binary in a sandbox and observes that it attempts to communicate with a known malicious IP address, modifies registry keys, and creates a service. The analyst then extracts strings from the binary and finds references to a specific C2 server. Which analysis phase does the extraction of strings represent?

A.Dynamic analysis
B.Reverse engineering
C.Static analysis
D.Memory analysis
Answer: C

String extraction is a static analysis technique.

Why this answer

Static analysis involves examining the binary without executing it, such as extracting strings and PE headers.

28
MCQ · medium

An organization is unable to patch a critical vulnerability in a legacy application due to vendor limitations. The risk assessment indicates a high likelihood of exploitation. Which compensating control should the organization implement to reduce the risk?

A.Deploy an additional firewall in front of the application
B.Disable the application until a patch is available
C.Increase the frequency of vulnerability scanning
D.Implement network segmentation to isolate the application
Answer: D

Segmentation reduces exposure and potential lateral movement.

Why this answer

When patching is not possible, compensating controls such as network segmentation, application whitelisting, or strict access controls can mitigate the risk. Network segmentation limits the attack surface by isolating the vulnerable system.

29
MCQ · medium

During a security incident, a forensic investigator needs to acquire volatile data from a compromised server. Which of the following is the correct order for collecting volatile data according to the standard digital forensics process?

A.Processes, memory, disk, network connections
B.Disk, memory, network connections, processes
C.Memory, network connections, processes, disk
D.Network connections, memory, disk, processes
Answer: C

Memory is the most volatile and disk the least; only option C starts with memory and ends with disk.

Why this answer

RFC 3227 orders collection by decreasing volatility: CPU registers and cache first; then the routing table, ARP cache, process table, kernel statistics and memory, which it groups in a single tier; then temporary file systems; then disk; then remote logs and physical configuration; then archival media. It does not rank memory, network connections and processes against one another, but option C is the only choice that captures memory first and disk last, and in practice a single memory image also preserves the process table and socket state.

30
MCQ · hard

A penetration tester is performing an assessment of a web application. During reconnaissance, the tester discovers a publicly accessible Jenkins server with default credentials. The tester gains access and finds a build job that executes arbitrary commands. What is the most effective way for the tester to escalate privileges and move laterally within the network?

A.Use Jenkins to execute a reverse shell and then perform pass-the-hash
B.Exploit a SQL injection vulnerability in the web app
C.Use a vulnerability scanner to find additional CVEs
D.Deploy a ransomware payload to encrypt files
Answer: A

Exploiting Jenkins' execution capability to gain a shell with high privileges is a direct method for lateral movement.

Why this answer

Jenkins can be configured as a Windows service, often running with high privileges (e.g., SYSTEM). Using the Jenkins script console or a build job, the tester can execute commands to extract credentials, install backdoors, or move laterally. This is a common attack path.

31
MCQ · medium

A company's incident response team is conducting a post-incident review. They identify that the intrusion was not detected for 72 hours due to insufficient logging on critical servers. Which phase of the incident response lifecycle should be improved to address this gap?

A.Lessons learned
B.Containment
C.Detection
D.Preparation
Answer: D

Preparation involves building detection capabilities like logging.

Why this answer

The preparation phase includes establishing logging and monitoring capabilities. Improving logging is part of preparation for future incidents.

32
Multi-Select · medium

A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an attacker used DNS tunneling to exfiltrate data. Which THREE network traffic indicators would support this hypothesis? (Select THREE.)

Select 3 answers
A.A sudden increase in failed login attempts
B.Large DNS response packets (greater than 512 bytes)
C.Unencrypted HTTP traffic to external IPs
D.DNS queries for domains with long subdomains and random characters
E.An unusually high number of DNS queries from a single host
Answers: B, D, E

Large packets may carry exfiltrated data.

Why this answer

DNS tunneling encodes data in query names and in answer records (commonly TXT or NULL), so the traffic shows a high query rate from one host, long labels of random-looking characters, many unique subdomains under one registered domain, and unusually large responses. One caveat on response size: with EDNS0 and DNSSEC, responses over 512 bytes are routine for legitimate resolvers, so size should be weighed together with record type and query-name characteristics rather than used alone. Failed logins (A) and cleartext HTTP (C) are unrelated to DNS tunneling.
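An added Python example, not from the page, that profiles each client in a constructed resolver log (the addresses, domains and thresholds are made up) and flags a client only when several independent tunneling indicators line up, so that a single large response or one long name does not trigger on its own:

```python
import hashlib
from collections import defaultdict


def _label(i):
    """Deterministic random-looking 48-character label for the tunnelling client."""
    return hashlib.sha256(b"sample-%d" % i).hexdigest()[:48]


# Constructed resolver log: "<timestamp> <client> <qtype> <qname> <response_bytes>".
# 10.0.5.44 issues 40 TXT queries for unique labels under one domain;
# 10.0.5.20 issues ordinary A lookups for a handful of hosts.
_TUNNEL = [f"2024-03-01T03:10:{i:02d}Z 10.0.5.44 TXT {_label(i)}.t.tunnel.example {800 + i}"
           for i in range(40)]
_NORMAL_NAMES = ["www.example.com", "mail.example.com", "login.example.com",
                 "cdn.example.net", "api.example.org"]
_NORMAL = [f"2024-03-01T03:1{i // 6}:{(i * 7) % 60:02d}Z 10.0.5.20 A "
           f"{_NORMAL_NAMES[i % 5]} {90 + i}" for i in range(15)]
DNS_LOG = "\n".join(_TUNNEL + _NORMAL)


def parse_dns_log(text):
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, size = line.split()
        recs.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                     "qname": qname.lower().rstrip("."), "size": int(size)})
    return recs


def _registered_domain(qname):
    """Crude eTLD+1 (last two labels); a public-suffix list would replace this."""
    return ".".join(qname.split(".")[-2:])


def profile_clients(records):
    """Per-client features that DNS tunnelling tends to push up together."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    profiles = {}
    for client, recs in by_client.items():
        n = len(recs)
        per_domain = defaultdict(set)
        for r in recs:
            per_domain[_registered_domain(r["qname"])].add(r["qname"])
        busiest = max(per_domain.values(), key=len)
        profiles[client] = {
            "queries": n,
            "avg_qname_len": sum(len(r["qname"]) for r in recs) / n,
            "max_label_len": max(len(l) for r in recs for l in r["qname"].split(".")),
            "unique_sub_ratio": len(busiest) / n,
            "txt_null_ratio": sum(r["qtype"] in ("TXT", "NULL") for r in recs) / n,
            "avg_resp_size": sum(r["size"] for r in recs) / n,
        }
    return profiles


def flag_tunneling(profiles, min_queries=30):
    """Clients that score on at least three independent indicators."""
    flagged = {}
    for client, p in profiles.items():
        reasons = []
        if p["queries"] >= min_queries:
            reasons.append("high-volume")
        if p["avg_qname_len"] > 40 or p["max_label_len"] > 30:
            reasons.append("long-names")
        if p["unique_sub_ratio"] > 0.8:
            reasons.append("unique-subdomains")
        if p["txt_null_ratio"] > 0.5:
            reasons.append("txt-or-null")
        # supporting evidence only: EDNS0 and DNSSEC make >512-byte answers normal
        if p["avg_resp_size"] > 512:
            reasons.append("large-responses")
        if len(reasons) >= 3:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    print(flag_tunneling(profile_clients(parse_dns_log(DNS_LOG))))
```

Requiring three indicators is the knob that keeps a CDN with long hostnames or a DNSSEC-validating resolver from tripping the rule; in a real deployment the per-client counts would be computed over a sliding time window rather than the whole log.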

33
MCQ · medium

A security analyst is reviewing a suspicious executable file. The analyst performs static analysis by examining the file's strings and imports. Which of the following findings would most strongly suggest the file is packed or obfuscated?

A.The file imports many Windows API functions
B.The file has a high entropy score
C.The file contains a large number of IP addresses
D.The file has very few readable strings
Answer: D

Few strings suggest packing or obfuscation.

Why this answer

Packers compress or encrypt the original code, so the readable strings (API names, messages, registry paths, URLs) disappear until the stub unpacks the program at runtime; a packed sample often shows little more than LoadLibraryA and GetProcAddress in its import table and very few strings in proportion to its size. High entropy (B) is the complementary indicator analysts check alongside the strings: compressed or encrypted sections approach 8 bits per byte, whereas ordinary code and text sections usually measure well below 7.
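An added Python example, not from the page, that computes both indicators on two constructed byte strings standing in for a plain and a packed executable (they are not real PE files; the 'MZ' header, the import names and the pseudo-random section are assumptions). The verdict combines the count of recognisable API strings with Shannon entropy, because each signal alone can mislead (a tiny binary has few strings; a large embedded image has high entropy):

```python
import hashlib
import math
import re

# API and library names a normal Windows executable keeps in cleartext and a
# packer typically hides (all but the two the unpacking stub needs).
KNOWN_API_STRINGS = [
    b"kernel32.dll", b"user32.dll", b"advapi32.dll", b"ws2_32.dll", b"wininet.dll",
    b"CreateFileW", b"WriteFile", b"RegSetValueExW", b"InternetOpenA", b"VirtualAlloc",
    b"CreateProcessW", b"LoadLibraryA", b"GetProcAddress", b"WinExec", b"socket",
]
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # same rule as `strings -n 4`


def _pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes standing in for a compressed/encrypted section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples: a fake 'MZ' header followed by either a readable import
# table plus messages, or a stub-sized import table plus 32 KB of pseudo-random data.
_PLAIN_BODY = b"\x00".join(KNOWN_API_STRINGS + [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"http://updates.example.invalid/check",
    b"Unable to open configuration file",
]) + b"\x00"
PLAIN_SAMPLE = b"MZ" + b"\x00" * 62 + _PLAIN_BODY * 64
PACKED_SAMPLE = (b"MZ" + b"\x00" * 62
                 + b"KERNEL32.DLL\x00LoadLibraryA\x00GetProcAddress\x00"
                 + _pseudo_random(32 * 1024))


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, reached by uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze(data):
    """Strings-and-entropy triage of one binary blob."""
    strings = _PRINTABLE_RUN.findall(data)
    lower = data.lower()
    api_hits = [s for s in KNOWN_API_STRINGS if s.lower() in lower]
    entropy = shannon_entropy(data)
    few_strings = len(api_hits) <= 3          # only the unpacking stub's imports remain
    high_entropy = entropy >= 7.0
    verdict = ("packed" if few_strings and high_entropy
               else "suspicious" if few_strings or high_entropy else "plain")
    return {
        "entropy": round(entropy, 3),
        "strings_per_kb": round(len(strings) / max(len(data) / 1024, 1e-9), 1),
        "api_strings_found": len(api_hits),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print("plain: ", analyze(PLAIN_SAMPLE))
    print("packed:", analyze(PACKED_SAMPLE))
```

The raw strings-per-KB figure is reported but not used for the verdict: random bytes also produce short printable runs, so counting meaningful strings (known imports, paths, URLs) separates the two cases far better than the bare `strings` line count.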

34
MCQ · easy

Which of the following best describes the purpose of the STIX and TAXII standards in threat intelligence sharing?

A.They are tools for analyzing malware behavior in a sandbox environment
B.They are used to automatically patch vulnerabilities based on threat feeds
C.They provide a framework for conducting incident response exercises
D.They standardize the format and exchange of cyber threat intelligence
Answer: D

STIX defines the data model, TAXII defines the transport mechanism for sharing threat intelligence.

Why this answer

STIX (Structured Threat Information Expression) is a language for describing threat intelligence, and TAXII (Trusted Automated Exchange of Intelligence Information) is a protocol for exchanging that intelligence. Together they enable automated sharing of threat data.
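An added example, not from the page, of consuming a STIX 2.1 bundle with nothing but Python's standard library, which is what questions 6, 22 and 34 describe from the producer's side. The bundle, its identifiers, the domain and the hash are constructed for the example. The code pulls the observables out of each indicator's pattern, drops indicators past their valid_until, and follows 'indicates' relationships to the malware object, which is the form in which a TAXII feed would deliver this and a SIEM or firewall would load it as a blocklist:

```python
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (IDs, domain and hash are made up). One indicator
# is still valid at REFERENCE_TIME, the other has passed its valid_until.
BUNDLE_JSON = r'''
{
  "type": "bundle",
  "id": "bundle--3a1f0c2e-5d8b-4c7a-9e21-6f0b4d1c8a77",
  "objects": [
    {
      "type": "indicator", "spec_version": "2.1",
      "id": "indicator--1f3c2b4e-6d58-4f3a-9a1b-0c2d3e4f5a6b",
      "created": "2024-03-01T00:00:00Z", "modified": "2024-03-01T00:00:00Z",
      "name": "Loader C2 domain", "indicator_types": ["malicious-activity"],
      "pattern_type": "stix",
      "pattern": "[domain-name:value = 'update-check.example']",
      "valid_from": "2024-03-01T00:00:00Z", "valid_until": "2024-04-01T00:00:00Z"
    },
    {
      "type": "indicator", "spec_version": "2.1",
      "id": "indicator--9b8a7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d",
      "created": "2024-01-10T00:00:00Z", "modified": "2024-01-10T00:00:00Z",
      "name": "Loader dropper hash", "indicator_types": ["malicious-activity"],
      "pattern_type": "stix",
      "pattern": "[file:hashes.'SHA-256' = '1c7a0f3e9b2d4c6a8e0f1b3d5c7a9e2f4b6d8c0a2e4f6b8d0c2a4e6f8b0d2c4a']",
      "valid_from": "2024-01-10T00:00:00Z", "valid_until": "2024-02-10T00:00:00Z"
    },
    {
      "type": "malware", "spec_version": "2.1",
      "id": "malware--0c1d2e3f-4a5b-4c6d-8e7f-9a0b1c2d3e4f",
      "created": "2024-01-10T00:00:00Z", "modified": "2024-03-01T00:00:00Z",
      "name": "Constructed Loader", "is_family": false, "malware_types": ["downloader"]
    },
    {
      "type": "relationship", "spec_version": "2.1",
      "id": "relationship--7e6d5c4b-3a29-4180-9f8e-7d6c5b4a3928",
      "created": "2024-03-01T00:00:00Z", "modified": "2024-03-01T00:00:00Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--1f3c2b4e-6d58-4f3a-9a1b-0c2d3e4f5a6b",
      "target_ref": "malware--0c1d2e3f-4a5b-4c6d-8e7f-9a0b1c2d3e4f"
    }
  ]
}
'''
REFERENCE_TIME = datetime(2024, 3, 15, tzinfo=timezone.utc)   # 'now' for the example

# One comparison expression inside a STIX pattern: object-type:path = 'value'.
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")


def _ts(s):
    """Parse a STIX timestamp (RFC 3339 with 'Z') into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_bundle(text):
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return bundle


def extract_observables(bundle, now=REFERENCE_TIME):
    """Flatten every STIX-pattern indicator into (object type, path, value, expired)."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        expired = "valid_until" in obj and _ts(obj["valid_until"]) <= now
        for otype, path, value in _COMPARISON.findall(obj["pattern"]):
            out.append({"indicator_id": obj["id"], "object": otype,
                        "path": path.replace("'", ""), "value": value,
                        "expired": expired})
    return out


def active_blocklist(bundle, now=REFERENCE_TIME):
    """'object:path' -> set of values, for indicators still inside their validity."""
    blocklist = {}
    for ob in extract_observables(bundle, now):
        if not ob["expired"]:
            blocklist.setdefault(f"{ob['object']}:{ob['path']}", set()).add(ob["value"])
    return blocklist


def related_malware(bundle, indicator_id):
    """Names of malware objects the indicator 'indicates', via relationship objects."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted(by_id[r["target_ref"]]["name"] for r in bundle["objects"]
                  if r.get("type") == "relationship"
                  and r["relationship_type"] == "indicates"
                  and r["source_ref"] == indicator_id and r["target_ref"] in by_id)


if __name__ == "__main__":
    b = load_bundle(BUNDLE_JSON)
    print(active_blocklist(b))
    print(related_malware(b, "indicator--1f3c2b4e-6d58-4f3a-9a1b-0c2d3e4f5a6b"))
```

The regex handles the simple single-comparison patterns that make up most shared indicators; a full STIX pattern grammar (AND/OR, FOLLOWEDBY, qualifiers) needs a real parser such as the one in the stix2-patterns package, which this example deliberately avoids to stay dependency-free.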

35
MCQ · medium

A SOC team is implementing a SOAR platform to automate responses to phishing emails. The team wants to create a playbook that, upon detection of a phishing email, automatically quarantines the email from all mailboxes and blocks the sender's domain. Which type of playbook action is being described?

A.Advisory action
B.Manual action
C.Semi-automated action
D.Automated action
Answer: D

The playbook performs actions automatically without human intervention.

Why this answer

Automated response actions are executed by the SOAR platform without human intervention, such as quarantining and blocking.

36
MCQ · medium

A vulnerability management team is prioritizing patches for a large number of vulnerabilities discovered in a quarterly scan. A critical vulnerability in a widely used application has a CVSS base score of 9.8, but it is not currently being exploited in the wild and the application is not directly exposed to the internet. According to CVSS scoring principles, which factors should the team consider to adjust the priority?

A.The number of other vulnerabilities in the same software product
B.The age of the vulnerability since its disclosure
C.Temporal metrics including exploit code maturity and remediation level
D.Environmental metrics such as collateral damage potential and target distribution
Answer: D

Environmental metrics allow customization for the organization's environment, including asset criticality and exposure, which directly affects risk.

Why this answer

CVSS environmental metrics adjust the base score to the organization's context. In v3.1 they are the Modified Base metrics (for example Modified Attack Vector set to Adjacent or Local for a system that is not internet-facing) and the Confidentiality, Integrity and Availability Requirements, which express asset value; 'collateral damage potential' and 'target distribution' are the CVSS v2 names for the same group. The absence of in-the-wild exploitation is captured separately by the temporal Exploit Code Maturity metric, so in practice the team applies both groups; the question's emphasis on exposure and asset context points to environmental.

37
Multi-Select · easy

An organization is implementing a vulnerability management program and needs to prioritize patching based on risk. The team has identified multiple vulnerabilities with different CVSS scores. Which THREE factors should be considered when prioritizing patches according to CVSS environmental metrics? (Choose THREE.)

Select 3 answers
A.Confidentiality, integrity, and availability requirements of the affected system
B.Compliance and regulatory obligations
C.Availability of a patch or workaround
D.Asset criticality and business impact
E.Exploit code maturity and remediation level
Answers: A, B, D

These are the security requirements in environmental metrics.

Why this answer

Environmental metrics in CVSS allow customization of the score based on the organization's environment. Key factors include security requirements (confidentiality, integrity, availability), which affect the overall severity. Asset criticality and compliance requirements are also considered.

Patch availability and exploit maturity are temporal metrics, not environmental.

38
Multi-Select · hard

A security operations center (SOC) is evaluating a new EDR solution. Which three capabilities are essential for effective endpoint detection and response? (Select THREE).

Select 3 answers
A.Network firewall management
B.Behavioral analysis to detect anomalies
C.Automated containment of malicious processes
D.Real-time monitoring of endpoint activities
E.Vulnerability scanning of endpoints
Answers: B, C, D

Behavioral analysis helps identify unknown threats.

Why this answer

EDR essentials include real-time monitoring, behavioral analysis, and automated response to contain threats.

39
Multi-Select · hard

During an incident response, a team is prioritizing containment actions. Which THREE of the following actions should be taken to contain the incident effectively?

Select 3 answers
A.Blocking malicious IP addresses at the firewall
B.Notifying law enforcement
C.Collecting forensic images of affected systems
D.Isolating affected systems from the network
E.Disabling compromised user accounts
Answers: A, D, E

This prevents further communication with the attacker.

Why this answer

Containment focuses on stopping the spread and limiting damage. Blocking malicious IPs at the firewall, isolating affected systems from the network, and disabling compromised user accounts are key containment steps. Collecting forensic images is part of evidence preservation, not containment, and notifying law enforcement is optional and not a containment action.

40
MCQ · easy

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which technique is most commonly used for lateral movement in a Windows environment?

A.SQL injection
B.Cross-site scripting (XSS)
C.Pass-the-Hash
D.ARP spoofing
Answer: C

Pass-the-Hash enables lateral movement by using harvested password hashes to authenticate to other systems.

Why this answer

Pass-the-Hash allows an attacker to authenticate to other systems using NTLM hashes without knowing the plaintext password, enabling lateral movement.

41
MCQ · medium

During a penetration test, the tester successfully gains access to a web server and wants to escalate privileges to domain administrator. The tester discovers that the web server has a service account that is a member of the local administrators group. Which technique would the tester most likely use to move laterally to a domain controller?

A.DNS poisoning
B.ARP spoofing
C.Pass-the-hash
D.SQL injection
Answer: C

Pass-the-hash uses the NTLM hash to authenticate to other systems.

Why this answer

Pass-the-hash allows the tester to use the hash of the service account to authenticate to other systems without the plaintext password, enabling lateral movement.

42
MCQ · medium

During a vulnerability assessment, a security analyst discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which compensating control would best mitigate the risk?

A.Apply a virtual patch via an intrusion prevention system (IPS)
B.Implement network segmentation to isolate the application
C.Increase logging and monitoring for that application
D.Decommission the application immediately
AnswerB

Segmentation is a strong compensating control that limits exposure.

Why this answer

Network segmentation isolates the vulnerable system, reducing its exposure and preventing a compromise of the application from becoming a foothold for lateral movement. A virtual patch on an IPS is also a compensating control, but it depends on a signature for the specific flaw and only covers traffic the IPS inspects; segmentation limits who can reach the application regardless of the exploit used. Extra logging detects rather than mitigates, and decommissioning removes the application instead of compensating for it.

43
MCQmedium

An organization wants to detect attackers who have already breached the network by deploying decoy credentials and data files. Which type of deception technology should they use?

A.Sandbox
B.Honeypot
C.Honeytoken
D.Honeynet
AnswerC

Honeytokens are decoy data objects.

Why this answer

Honeytokens are decoy data objects, such as fake credentials or files, used to detect unauthorized access.

44
MCQeasy

An organization wants to collect threat intelligence from multiple Information Sharing and Analysis Centers (ISACs) relevant to their industry. Which of the following is a primary benefit of participating in an ISAC?

A.Free penetration testing services
B.Access to proprietary threat intelligence feeds
C.Ability to share sensitive information anonymously
D.Timely and relevant threat data from peers
AnswerD

ISACs provide sector-specific, actionable threat intelligence.

Why this answer

ISACs provide a trusted community for sharing threat intelligence, early warnings, and best practices, helping members defend against sector-specific threats.

45
Multi-Selectmedium

A security operations team is developing a SOAR playbook to automate response to a detected ransomware outbreak. The team wants to ensure the playbook can contain the threat quickly while minimizing business disruption. Which TWO actions should the playbook include as automated responses? (Select TWO.)

Select 2 answers
A.Run a full antivirus scan on all systems
B.Restore all systems from the latest backup automatically
C.Power off all affected servers immediately
D.Block outbound traffic to known malicious IP addresses and domains
E.Isolate the affected endpoints from the network
AnswersD, E

Isolating the endpoints stops further encryption of network shares and lateral spread; blocking known-malicious destinations interrupts exfiltration and download of additional payloads. Most ransomware encrypts without needing live C2, so the block protects data and later stages rather than stopping encryption already under way.

Why this answer

Isolating affected systems and blocking communication to known command-and-control (C2) infrastructure are automated containment actions with low business impact. Powering off servers destroys volatile evidence (memory, network connections) and takes down services; restoring from backup before eradication risks reinfection and can overwrite evidence; a full antivirus scan of every system is slow and contains nothing.

46
MCQmedium

During a threat hunting exercise, a security analyst hypothesizes that an adversary is using PowerShell to execute malicious scripts. Which approach is the analyst employing?

A.TTP-driven hunting
B.Machine learning-driven hunting
C.IoC-driven hunting
D.Hypothesis-driven hunting
AnswerD

The analyst starts with an assumption about adversary behavior, which is hypothesis-driven.

Why this answer

Hypothesis-driven hunting starts with a specific assumption about adversary behavior and then searches for evidence of it, unlike IoC-driven hunting (matching known indicators such as hashes or IP addresses) or machine-learning-driven hunting (statistical outliers). In practice a hypothesis is usually phrased in ATT&CK terms (here, T1059.001, PowerShell), so the categories overlap; what makes this hypothesis-driven is that the starting point is the analyst's stated assumption, which then decides which data is queried (PowerShell script block and module logs, process creation events).

47
MCQmedium

A vulnerability management team is prioritizing patches for a large enterprise. They have identified a critical vulnerability in a widely used software with a CVSS base score of 9.8. However, the exploit requires local access and authentication. Which CVSS metric should the team use to adjust the score to reflect the actual risk in their environment?

A.Privileges required metric
B.Temporal score
C.Attack vector metric
D.Environmental score
AnswerD

The environmental metric group adapts the base score to the organization's context: the Modified Base metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) override base values, and the Confidentiality, Integrity and Availability Requirements weight impact by asset criticality. Here Modified Attack Vector (MAV:L) and Modified Privileges Required (MPR:L) capture that the exploit needs local, authenticated access in this environment.

Why this answer

CVSS temporal metrics adjust the base score for factors that change over time: exploit code maturity, remediation level, and report confidence. Environmental metrics let the organization override base metrics (the Modified metrics) and weight impact by asset criticality (the CIA requirements). Options A and C name base metrics, which describe the vulnerability's intrinsic characteristics and are not meant to be edited for one deployment; the environmental group exists precisely to express local conditions such as "only reachable locally and only by authenticated users".

48
MCQeasy

During an incident response engagement, the team has completed containment and eradication. What is the next phase in the incident response lifecycle according to NIST SP 800-61?

A.Recovery
B.Preparation
C.Detection
D.Lessons Learned
AnswerA

Recovery is the phase after eradication.

Why this answer

NIST SP 800-61 defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity (lessons learned). Containment, eradication, and recovery share one phase, and within it recovery (restoring systems to normal operation and validating them) follows eradication.

49
MCQmedium

A security team is conducting a penetration test against a client's web application. During the reconnaissance phase, the tester discovers a subdomain that hosts a development version of the application with debug mode enabled. Which type of reconnaissance does this activity represent?

A.Open-source intelligence (OSINT) gathering by examining the target's website source code
B.Social engineering because the tester tricked an employee into revealing the subdomain
C.Active reconnaissance because the tester is sending requests to the target network to identify subdomains
D.Passive reconnaissance because the tester is using publicly available information
AnswerC

Active reconnaissance involves direct interaction with the target, such as DNS enumeration or port scanning.

Why this answer

Active reconnaissance involves directly interacting with the target, such as probing subdomains or services. Discovering a subdomain by brute-forcing DNS names or requesting the host is active because it sends traffic to the target's infrastructure. The same subdomain might first surface passively (for example, in certificate transparency logs), but confirming that debug mode is enabled requires requesting the application, which is active.

50
MCQhard

An organization has a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. The application is required for business operations and is accessible only from the internal network. Which compensating control would best reduce the risk of exploitation while maintaining availability?

A.Deploy a host-based intrusion prevention system (HIPS) on the server
B.Apply a vendor-supplied patch
C.Implement network segmentation and strict ACLs to limit access to the application
D.Uninstall the application
AnswerC

This reduces the likelihood of exploitation by restricting access.

Why this answer

Network segmentation and strict ACLs limit access to the vulnerable application, reducing the attack surface without patching.

51
MCQmedium

A SOC team receives an alert from a SOAR platform indicating a potential phishing email. The SOAR playbook automatically quarantines the email, blocks the sender, and opens a ticket. This is an example of which SOAR capability?

A.Response
B.Automation
C.Orchestration
D.Correlation
AnswerB

Automation performs actions automatically based on triggers.

Why this answer

Automation is the execution of predefined actions without human intervention, as in automatically quarantining the message and blocking the sender. Orchestration is the related capability of coordinating those actions across separate tools (mail gateway, directory, ticketing) through one workflow; the question emphasizes that the steps run on their own from a trigger, which is automation.

52
MCQhard

During a penetration test, the tester gains access to a Windows web server and wants to escalate privileges to SYSTEM. The tester discovers that the web application runs with a service account that has the SeImpersonatePrivilege enabled. Which attack is most likely to succeed for privilege escalation?

A.SQL injection
B.Pass-the-hash attack
C.DLL hijacking
D.JuicyPotato attack
AnswerD

JuicyPotato abuses SeImpersonatePrivilege to obtain a SYSTEM token.

Why this answer

SeImpersonatePrivilege allows a process to impersonate another user's security token. JuicyPotato coerces a SYSTEM-level service to authenticate over DCOM to a local listener the attacker controls, then impersonates the resulting token, yielding a SYSTEM shell. The privilege is routinely granted to IIS application pool and other service accounts, which is why this is a standard local privilege escalation path on Windows; 'whoami /priv' from the web shell shows whether it is present. JuicyPotato itself was mitigated in Windows 10 1809 and Server 2019, and on newer systems the same privilege is abused with successors such as PrintSpoofer or RoguePotato. Pass-the-hash is a lateral movement technique, SQL injection targets the database, and DLL hijacking needs a writable path searched by a higher-privileged process.

53
Multi-Selectmedium

A security architect is designing deception technologies to detect and delay attackers. Which TWO of the following are examples of deception technologies that can be deployed? Select TWO.

Select 2 answers
A.Honeytokens
B.Honeypots
C.Security Information and Event Management (SIEM)
D.Vulnerability scanner
E.Intrusion Prevention System (IPS)
AnswersA, B

Honeytokens are fake credentials or data used to detect unauthorized access.

Why this answer

Honeypots and honeytokens are classic deception technologies. Honeypots mimic real systems, and honeytokens are fake data objects.

54
MCQmedium

A company uses a SIEM with User Behavior Analytics (UBA). The UBA generates an alert when a user accesses sensitive data at unusual hours. Which type of correlation rule is being applied?

A.Threshold-based correlation
B.Signature-based correlation
C.Anomaly-based correlation
D.Trend-based correlation
AnswerC

UBA uses anomaly detection to identify deviations from normal behavior.

Why this answer

UBA establishes baselines of normal user behavior and alerts on deviations, which is an anomaly-based detection method.

55
MCQhard

A digital forensics investigator is called to the scene of a potential data breach. The investigator must collect evidence from a live Windows system. Which of the following represents the correct order of volatility when collecting volatile data?

A.Network connections, memory, disk, running processes
B.Memory, network connections, running processes, disk
C.Disk, memory, network connections, running processes
D.Running processes, memory, network connections, disk
AnswerB

Memory is most volatile, then network, then processes, then disk.

Why this answer

Order of volatility dictates that the most volatile data be collected first. RFC 3227 lists: registers and cache; routing table, ARP cache, process table, kernel statistics, and memory; temporary file systems; disk; remote logging and monitoring data; physical configuration and network topology; archival media. Network connections and the process table sit in the same tier as memory in the RFC; the exam ordering puts memory first because a full memory image also preserves the socket and process state, and every live command run to list connections or processes alters memory slightly.

56
MCQeasy

Which component of the MITRE ATT&CK framework categorizes the 'why' of an adversary's action, such as initial access or credential access?

A.Tactics
B.Mitigations
C.Procedures
D.Techniques
AnswerA

Tactics represent the adversarial goal or 'why'.

Why this answer

Tactics represent the adversary's goal or reason for performing an action, such as gaining initial access.

57
MCQhard

An incident responder is analyzing a malware sample obtained from an infected host. The responder wants to perform dynamic analysis to observe the malware's behavior in a safe environment. Which of the following is the best approach?

A.Check the PE header for imported functions
B.Disassemble the malware using IDA Pro
C.Run strings on the malware binary
D.Execute the malware in a virtual machine with network monitoring tools
AnswerD

This allows observing behavior safely.

Why this answer

Dynamic analysis runs the sample in a controlled environment to observe what it does: process creation, file system and registry changes, persistence, and network traffic. Use an isolated VM with a clean snapshot to revert to, no route to production (or simulated DNS and HTTP services so the sample proceeds past its connectivity checks), and packet capture plus process and registry monitoring. Inspecting the PE import table, disassembling, and running strings are static techniques.

58
MCQhard

During a red team exercise, the team gains access to a workstation and needs to maintain persistence. They modify a registry run key to execute a payload. However, the organization uses EDR that monitors registry changes. Which technique could the red team use to avoid detection?

A.Delete the registry key after execution
B.Change the registry key to a less suspicious name
C.Encrypt the registry key value
D.Use a LOLBin to execute the payload via a scheduled task
AnswerD

LOLBins are less likely to be flagged as malicious by EDR.

Why this answer

Living-off-the-land binaries (LOLBins) are signed, legitimate system tools (schtasks.exe, rundll32.exe, mshta.exe and similar), so their execution blends in with normal administrative activity and is less likely to be flagged by an EDR keyed on unknown binaries or on registry run-key writes. Deleting, renaming, or encrypting the run key does not help: the EDR already logged the write. Defenders should note that scheduled task creation is itself observable (Security event 4698, the Task Scheduler operational log, Sysmon process creation), so this evasion only works against telemetry that is not collected or not alerted on.

59
MCQhard

A security analyst is reviewing logs from a SIEM and notices that a user account has been successfully authenticated from two different geographic locations within a short time span, which is impossible. The SIEM uses user behavior analytics (UBA). What type of anomaly is this most likely to detect?

A.A credential theft and reuse incident
B.A misconfigured VPN that routes traffic through multiple gateways
C.A brute-force attack on the user account
D.A man-in-the-middle attack intercepting the authentication
AnswerA

Impossible travel indicates the credentials may have been stolen and used by an attacker from a different location.

Why this answer

UBA establishes a baseline of normal user behavior, such as typical login locations and times. An impossible travel event (e.g., logging in from two distant locations within minutes) is a common anomaly that triggers an alert.
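Worked example for question 59 (added here, not code from the question bank): impossible-travel detection over constructed logon records, with the VPN failure mode from option B handled explicitly. Geo-IP resolution is assumed to have already produced the coordinates, the addresses are RFC 5737 documentation ranges, and the 900 km/h threshold and 150 km minimum hop are assumptions to tune per environment.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Logon:
    user: str
    ts: datetime
    src_ip: str
    lat: float   # geo-IP resolution of src_ip, assumed already applied
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logons, vpn_egress=frozenset(), max_kmh=900.0, min_km=150.0):
    """Flag consecutive successful logons per user whose implied speed exceeds
    what a commercial flight manages. Corporate VPN egress addresses are skipped
    so a gateway switch does not look like travel; short hops are skipped to
    absorb geo-IP jitter."""
    by_user = {}
    for l in sorted(logons, key=lambda e: e.ts):
        if l.src_ip in vpn_egress:
            continue
        by_user.setdefault(l.user, []).append(l)

    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev.src_ip, "to_ip": cur.src_ip,
                               "km": round(km), "minutes": round(hours * 60), "kmh": round(speed)})
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2024-03-04 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample logons; coordinates are the cities named in the comments.
SAMPLE_LOGONS = [
    Logon("alice", _t("09:00"), "198.51.100.10", 40.7128, -74.0060),  # New York office
    Logon("alice", _t("09:45"), "203.0.113.77", 50.1109, 8.6821),     # Frankfurt, 45 min later
    Logon("bob", _t("09:00"), "198.51.100.11", 40.7128, -74.0060),    # New York
    Logon("bob", _t("10:00"), "198.51.100.12", 42.3601, -71.0589),    # Boston an hour later: plausible
    Logon("carol", _t("08:00"), "192.0.2.5", 40.7128, -74.0060),      # VPN egress, New York
    Logon("carol", _t("08:05"), "192.0.2.6", 34.0522, -118.2437),     # VPN egress, Los Angeles
]
VPN_EGRESS = frozenset({"192.0.2.5", "192.0.2.6"})   # constructed allowlist of corporate gateways


def demo():
    return impossible_travel(SAMPLE_LOGONS, vpn_egress=VPN_EGRESS)
```

Without the VPN allowlist carol's gateway switch also fires, which is the false positive option B describes; the allowlist (or a per-ASN exemption for known cloud proxies) is what keeps the rule usable in production.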

60
MCQmedium

An organization is implementing a threat hunting program. The team decides to use a hypothesis-driven approach. Which of the following best describes this methodology?

A.Developing a theory about potential adversary behavior and actively looking for signs
B.Searching for known indicators of compromise from threat feeds
C.Automated scanning of all systems for vulnerabilities
D.Analyzing historical alerts for patterns
AnswerA

This describes hypothesis-driven hunting.

Why this answer

Hypothesis-driven threat hunting starts with a hypothesis based on threat intelligence or risk assessments, then searches for evidence of that hypothesis in the environment.

61
Multi-Selectmedium

A security analyst is reviewing a CVSS score for a vulnerability that affects a critical server. The base score is 7.5, but the analyst needs to adjust for the environment. Which TWO of the following are valid CVSS environmental metrics that can modify the score? (Choose two.)

Select 2 answers
A.Exploit Code Maturity (ECM)
B.Privileges Required (PR)
C.Modified Attack Vector (MAV)
D.Attack Vector (AV)
E.Modified Privileges Required (MPR)
AnswersC, E

Modified Attack Vector (MAV) is an environmental metric that overrides the base Attack Vector for the organization's own deployment.

Why this answer

The CVSS v3.x environmental group contains the security requirements (Confidentiality, Integrity, and Availability Requirement: CR, IR, AR) and the Modified Base metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA), each of which replaces the corresponding base metric when set to anything other than X (Not Defined). Exploit Code Maturity is a temporal metric, and Attack Vector and Privileges Required are base metrics, so only options C and E are environmental.

62
Multi-Selectmedium

A penetration tester is conducting a black-box test on a web application. The tester wants to gather information about the target without directly interacting with the target systems. Which three techniques are considered passive reconnaissance? (Select THREE).

Select 3 answers
A.Searching public social media profiles
B.Port scanning with Nmap
C.WHOIS lookups
D.DNS zone transfers
E.Searching for DNS records in public archives
AnswersA, C, E

Searching social media profiles only touches public third-party sites, never the target.

Why this answer

Passive reconnaissance collects information without sending traffic to the target. WHOIS lookups query the registrar, and archived DNS data comes from third-party passive DNS collections. An Nmap scan sends packets to the target's hosts, and a DNS zone transfer is an AXFR request made directly to the target's authoritative nameserver; both are active.

63
Multi-Selectmedium

A company's incident response team is developing a playbook for ransomware incidents. The playbook should cover the preparation phase. Which THREE of the following are appropriate preparation activities? (Choose THREE.)

Select 3 answers
A.Train employees on how to recognize and report phishing attempts
B.Conduct regular backup testing and ensure offline backups are available
C.Isolate infected systems from the network immediately after detection
D.Develop communication procedures, including legal and PR contacts
E.Perform threat hunting in the network to identify potential threats
AnswersA, B, D

User training helps prevent ransomware infections.

Why this answer

Preparation involves ensuring the team is ready to respond. This includes maintaining backups, training staff, and having communication plans. Threat hunting is a proactive activity, not preparation, and containment is during the response phase.

64
MCQeasy

A security analyst receives an alert from the SIEM indicating a potential phishing email with a malicious attachment. The analyst wants to automatically isolate the affected endpoint and block the sender. Which technology should be used to automate this response?

A.SOAR
B.EDR
C.XDR
D.SIEM
AnswerA

SOAR is designed for automated incident response orchestration.

Why this answer

SOAR (Security Orchestration, Automation, and Response) platforms enable automated response playbooks to handle incidents like phishing.

65
MCQhard

An organization uses a SIEM to collect logs from multiple sources. The security team wants to identify users who are accessing resources outside of normal business hours and exhibiting unusual data transfer patterns. Which advanced SIEM capability would be most effective?

A.Threat intelligence feed integration
B.User and Entity Behavior Analytics (UEBA)
C.Log normalization and aggregation
D.Correlation rules with threshold-based alerts
AnswerB

UEBA uses machine learning to detect deviations from established baselines.

Why this answer

User and Entity Behavior Analytics (UEBA) establishes baselines for user activity and detects anomalies, such as unusual access times and data transfer patterns.

66
Multi-Selectmedium

A security operations center (SOC) is implementing User Behavior Analytics (UBA) to detect insider threats. Which TWO of the following data sources are most critical for establishing a baseline of normal user behavior?

Select 2 answers
A.Authentication logs from Active Directory
B.Threat intelligence feeds
C.Network traffic logs from firewalls and proxies
D.HR records of employee performance reviews
E.Email content and subject lines
AnswersA, C

Authentication logs track login times, locations, and failures.

Why this answer

UBA relies on authentication logs to understand login patterns and network traffic logs to understand communication patterns. HR records and email content are less relevant for technical baselines; threat feeds are external.

67
MCQmedium

Which CVSS metric component is used to reflect the impact of a vulnerability based on the specific environment of an organization?

A.Attack vector metric
B.Temporal metric
C.Environmental metric
D.Base metric
AnswerC

Environmental metric tailors the score to the organization's environment.

Why this answer

The environmental metric allows customization of CVSS score based on the organization's environment, including security requirements and modified base metrics.

68
Multi-Selectmedium

A security operations team is designing a threat hunting program. They want to use the MITRE ATT&CK framework to structure their hunts. Which TWO components of the ATT&CK framework should they focus on to develop hypothesis-driven hunts? (Select TWO.)

Select 2 answers
A.Indicators of Compromise (IOCs)
B.Tactics
C.Procedures
D.Mitigations
E.Techniques
AnswersB, E

Tactics represent the 'why' of an attack, e.g., lateral movement.

Why this answer

Hypothesis-driven hunts are based on tactics (why) and techniques (how). Procedures are specific implementations but too granular for initial hypotheses. IOCs are not part of ATT&CK framework components.

69
MCQmedium

During a forensic investigation, an analyst needs to collect volatile data from a compromised Linux server. Which of the following orders of volatility is correct for collecting the listed data?

A.Processes, memory contents, files on disk, network connections
B.Files on disk, memory contents, processes, network connections
C.Memory contents, network connections, processes, files on disk
D.Network connections, processes, memory contents, files on disk
AnswerC

This is the correct order from most to least volatile.

Why this answer

The order of volatility starts with the most volatile data: memory contents, then network connections, then processes, and finally files on disk. Network connections and processes are both highly volatile, but memory is the most volatile, and on Linux the live commands used to list them (ss, netstat, ps) themselves create processes and modify memory, so image RAM first (for example with a LiME kernel module) and run those commands afterwards.

70
MCQhard

A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The analyst wants to minimize false positives while ensuring detection of true positives. Which approach is most effective for reducing false positives in this scenario?

A.Alert on any use of NTLM authentication
B.Alert on multiple failed logins followed by a successful login from a different workstation
C.Disable NTLM authentication across the network
D.Compare authentication events against a baseline of normal user behavior and alert on anomalies
AnswerD

Baselining authentication behavior per account surfaces the patterns characteristic of pass-the-hash: an NTLM logon from a source host the account has never used, or one account fanning out to many hosts in minutes.

Why this answer

Pass-the-hash produces a valid NTLM logon (event 4624, logon type 3, authentication package NTLM), so alerting on NTLM use alone (option A) fires on every legitimate NTLM logon, and disabling NTLM (option C) is a hardening measure, not a detection rule, and often breaks legacy systems. Failed-then-successful logons (option B) describe password guessing; hash replay succeeds on the first attempt. Comparing each NTLM logon against the account's baseline of source hosts and targets, and alerting on deviations such as an account authenticating from a workstation it has never used or to many hosts in a short window, keeps the rule quiet for routine logons while still catching replay. A related high-confidence indicator is a type 9 (NewCredentials) logon with logon process 'seclogo' and authentication package 'Negotiate', the footprint of Mimikatz sekurlsa::pth (and, as a known false positive, of runas /netonly).
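Worked example for question 70 (added here, not code from the question bank): the baseline-and-deviation rule over constructed Security event 4624 records reduced to the fields the rule needs. Field names mirror the event XML (TargetUserName, LogonType, AuthenticationPackageName, LogonProcessName); 'src' stands for WorkstationName/IpAddress and 'host' for the computer that wrote the event. Hostnames, the 30-day history, the fan-out threshold of 3 hosts and the 10-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, src, host, logon_type, auth_pkg, logon_proc="NtLmSsp"):
    """One 4624 record. 'host' is the logon target (the event's Computer);
    'src' is where the logon came from (WorkstationName / IpAddress)."""
    return {"ts": datetime.fromisoformat(ts), "TargetUserName": user, "src": src,
            "host": host, "LogonType": logon_type,
            "AuthenticationPackageName": auth_pkg, "LogonProcessName": logon_proc}


# Constructed 30-day history used to learn each account's normal NTLM sources.
BASELINE_EVENTS = [
    ev("2024-02-01T08:02:00", "alice", "WS-ALICE", "SRV-FILE01", 3, "NTLM"),
    ev("2024-02-12T09:15:00", "alice", "WS-ALICE", "SRV-FILE01", 3, "NTLM"),
    ev("2024-02-03T07:55:00", "bob", "WS-BOB", "SRV-FILE01", 3, "NTLM"),
    ev("2024-02-15T02:00:00", "svc_backup", "SRV-BACKUP01", "SRV-DB01", 3, "NTLM"),
]

# Constructed events from the day under investigation.
NEW_EVENTS = [
    ev("2024-03-04T08:01:00", "alice", "WS-ALICE", "SRV-FILE01", 3, "NTLM"),   # routine
    ev("2024-03-04T13:02:00", "bob", "WS-BOB", "SRV-FILE01", 3, "Kerberos"),  # not NTLM: ignored
    ev("2024-03-04T13:10:00", "alice", "WS-BOB", "WS-BOB", 9, "Negotiate", "seclogo"),  # pth footprint
    ev("2024-03-04T13:11:00", "alice", "WS-BOB", "SRV-FILE01", 3, "NTLM"),    # alice never came from WS-BOB
    ev("2024-03-04T13:12:00", "alice", "WS-BOB", "SRV-FILE01", 3, "NTLM"),    # repeat of the pair above
    ev("2024-03-04T13:14:00", "svc_backup", "WS-BOB", "SRV-FILE01", 3, "NTLM"),
    ev("2024-03-04T13:15:00", "svc_backup", "WS-BOB", "SRV-DB01", 3, "NTLM"),
    ev("2024-03-04T13:16:00", "svc_backup", "WS-BOB", "DC01", 3, "NTLM"),     # 3 targets in 2 minutes
]


def is_ntlm_network_logon(e) -> bool:
    return e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"


def build_baseline(events):
    """Map each account to the set of source hosts it normally authenticates from."""
    baseline = defaultdict(set)
    for e in events:
        if is_ntlm_network_logon(e):
            baseline[e["TargetUserName"]].add(e["src"])
    return baseline


def detect_pth(events, baseline, fanout_threshold=3, window=timedelta(minutes=10)):
    alerts = []
    seen_pairs = set()            # (user, src) pairs already alerted on this run
    targets = defaultdict(list)   # (user, src) -> [(ts, host)] for the fan-out check
    for e in sorted(events, key=lambda x: x["ts"]):
        user, src = e["TargetUserName"], e["src"]
        # High confidence: NewCredentials logon through seclogo with Negotiate,
        # the footprint of sekurlsa::pth (runas /netonly is the usual false positive).
        if (e["LogonType"] == 9 and e["LogonProcessName"].lower() == "seclogo"
                and e["AuthenticationPackageName"] == "Negotiate"):
            alerts.append({"severity": "high", "rule": "logon_type_9_seclogo",
                           "user": user, "host": e["host"]})
            continue
        if not is_ntlm_network_logon(e) or src in baseline.get(user, set()):
            continue              # Kerberos, or a source this account normally uses
        if (user, src) not in seen_pairs:
            seen_pairs.add((user, src))
            alerts.append({"severity": "medium", "rule": "ntlm_from_new_source",
                           "user": user, "src": src, "host": e["host"]})
        hist = targets[(user, src)]
        hist.append((e["ts"], e["host"]))
        hist[:] = [h for h in hist if e["ts"] - h[0] <= window]
        distinct = sorted({h for _, h in hist})
        if len(distinct) >= fanout_threshold:
            alerts.append({"severity": "high", "rule": "ntlm_fanout", "user": user,
                           "src": src, "hosts": distinct})
            hist.clear()          # one fan-out alert per window
    return alerts


def demo():
    return detect_pth(NEW_EVENTS, build_baseline(BASELINE_EVENTS))
```

The routine alice logon and bob's Kerberos logon produce nothing, which is the false-positive reduction the question is after; the baseline needs rebuilding on a schedule (and excluding the incident window) or legitimately new workstations will keep paging the SOC.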

71
Multi-Selectmedium

A security analyst is triaging a suspicious file. The analyst wants to perform static analysis to gather initial information. Which TWO of the following are static analysis techniques?

Select 2 answers
A.Running the file in a sandbox
B.Disassembling the binary to examine assembly code
C.Checking the file hash against known malware databases
D.Observing network traffic generated by the file
E.Extracting human-readable strings from the binary
AnswersC, E

Hash lookup is a static technique.

Why this answer

Static analysis examines the file without executing it. Checking the file hash against known malware databases and extracting strings are the quick first steps of static triage. Disassembly is also static (the binary is still not run), but it is the deeper reverse-engineering stage rather than initial triage, which is why the key picks C and E. Running the file in a sandbox and observing the network traffic it generates both require execution and are dynamic analysis.
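Worked example for question 71 (added here, not code from the question bank): the two triage steps the answer names, hash lookup and string extraction, run over a constructed byte blob that imitates the parts of a PE an analyst would notice. The "known bad" hash set is a constructed stand-in for a malware database, the address is from RFC 5737 and the domain uses the reserved .example TLD; the scoring weights are an assumption.

```python
import hashlib
import re

# API names whose presence in a sample's strings warrants a closer look (assumed list)
SUSPICIOUS_APIS = {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "NtUnmapViewOfSection", "IsDebuggerPresent", "URLDownloadToFileA", "WinExec"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII and UTF-16LE runs, the way 'strings -e l' complements plain 'strings'."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return out


def triage(data: bytes, known_bad_sha256: set) -> dict:
    """Static first pass: identity (hash), file type hint, and interesting strings."""
    digest = hashlib.sha256(data).hexdigest()
    strings = extract_strings(data)
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    ips = sorted({ip for s in strings for ip in IPV4_RE.findall(s)})
    apis = sorted({s for s in strings if s in SUSPICIOUS_APIS})
    run_keys = [s for s in strings if "CurrentVersion\\Run" in s]   # persistence hint
    score = ((5 if digest in known_bad_sha256 else 0)
             + len(urls) + len(ips) + 2 * len(apis) + 2 * len(run_keys))
    return {"sha256": digest, "known_bad": digest in known_bad_sha256,
            "is_pe": data[:2] == b"MZ", "string_count": len(strings),
            "urls": urls, "ips": ips, "suspicious_apis": apis,
            "run_keys": run_keys, "score": score}


# Constructed sample: an MZ stub plus the kinds of strings a dropper leaves behind.
SAMPLE = (b"MZ\x90\x00" + bytes(60)
          + b"This program cannot be run in DOS mode.\r\n$" + bytes(16)
          + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
          + b"http://203.0.113.7/stage2.bin\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
          + "beacon.c2.example".encode("utf-16-le") + b"\x00\x00")

# Constructed "malware database": seeded with the sample's own hash for the demo.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}


def demo():
    return triage(SAMPLE, KNOWN_BAD_SHA256)
```

A hash miss says nothing about the file (one byte of repacking changes it), which is why the strings and the API names carry their own weight in the score and why the next step after this pass is the sandbox run from question 57, not a verdict.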

72
MCQmedium

A security analyst is using Volatility to analyze a memory dump from a compromised Windows system. The analyst suspects that a rootkit is hiding processes. Which Volatility plugin should the analyst use to detect hidden processes?

A.pslist
B.psxview
C.malfind
D.pstree
AnswerB

psxview cross-references multiple process lists to identify hidden processes.

Why this answer

The 'psxview' plugin (Volatility 2) lists processes found by several independent methods (the active process linked list, pool-tag scanning for EPROCESS structures, thread scanning, the PspCidTable handle table, csrss.exe handles, session and desktop thread enumeration) and shows which methods see each process; a rootkit that unlinks its process from the list to hide it from 'pslist' still shows up in the scanners. 'pslist' and 'pstree' walk only the linked list, and 'malfind' looks for injected code. In Volatility 3 the same cross-check is done by comparing windows.pslist with windows.psscan.

73
MCQhard

During an incident response, a forensic analyst captures the memory of a compromised Windows system. Using Volatility, the analyst runs the 'pslist' command and sees a suspicious process 'svchost.exe' with a parent process 'explorer.exe'. Which Volatility plugin should the analyst use next to detect potential process hollowing?

A.netscan
B.psxview
C.dlllist
D.malfind
AnswerD

malfind finds injected or hollowed code by scanning for executable private memory that is not backed by a file on disk.

Why this answer

Process hollowing creates a legitimate process in a suspended state, unmaps its image, writes malicious code in its place and resumes it. The 'malfind' plugin flags memory regions with suspicious characteristics, typically private regions marked PAGE_EXECUTE_READWRITE with no mapped file and often an MZ header or shellcode at the start, and can dump them for inspection. The parent relationship is itself a clue: a genuine svchost.exe is started by services.exe, not explorer.exe. 'psxview' finds hidden processes, 'dlllist' lists loaded modules, and 'netscan' lists sockets; none of them examine memory contents.

74
Multi-Selecthard

A security analyst is using the MITRE ATT&CK framework to map adversarial behaviors. Which THREE of the following are tactics defined by ATT&CK? (Select THREE.)

Select 3 answers
A.Incident response
B.Privilege escalation
C.Persistence
D.Exfiltration
E.Phishing
AnswersB, C, D

Privilege escalation is a tactic.

Why this answer

Persistence, privilege escalation, and exfiltration are all ATT&CK tactics. Phishing is a technique, not a tactic; incident response is a process, not a tactic.

75
MCQmedium

An organization is implementing a SOAR solution to automate responses to common incidents. They want to create a playbook for phishing email handling. Which of the following actions should be automated in the playbook after a user reports a suspicious email?

A.Extract URLs and attachments, query threat intel feeds, and if malicious, block indicators and isolate the affected endpoint
B.Call the user to confirm they clicked the link
C.Send a warning email to all users
D.Immediately delete the email from all user inboxes
AnswerA

This is a standard automated phishing response.

Why this answer

A SOAR playbook for phishing should automate initial triage actions such as extracting indicators and checking against threat intelligence, then isolating the user's system if malicious.
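Worked example for questions 64 and 75 (added here, not code from the question bank): the triage stage of a phishing playbook, written as the logic a SOAR action would run. It parses a user-reported message, extracts URLs, hosts and attachment hashes, checks them against a threat-intelligence feed and returns the verdict plus the containment actions to trigger. The message, the feed and the action names are constructed (RFC 5737 address, reserved .example domains); the actual blocking and isolation calls belong to the mail gateway and EDR integrations and are represented by the returned action list.

```python
import base64
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed user-reported message: an HTML lure plus a small attachment.
REPORTED_EML = """\
From: "Accounts Payable" <billing@invoice-portal.example>
To: alice@corp.example
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your invoice is overdue. Review it at
<a href="http://203.0.113.55/invoice/login.php">the payment portal</a>
or open the attached copy.</body></html>
--b1
Content-Type: application/zip; name="invoice_4471.zip"
Content-Disposition: attachment; filename="invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed threat-intel feed: one host and one file hash are "known bad".
_SAMPLE_ZIP = base64.b64decode("UEsDBAoAAAAAAA==")
TI_FEED = {"hosts": {"203.0.113.55"},
           "sha256": {hashlib.sha256(_SAMPLE_ZIP).hexdigest()}}


def defang(indicator: str) -> str:
    """Render an indicator so it cannot be clicked from the ticket."""
    return (indicator.replace("http://", "hxxp://")
                     .replace("https://", "hxxps://")
                     .replace(".", "[.]"))


def extract_indicators(raw_eml: str) -> dict:
    msg = message_from_string(raw_eml, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True)       # undo base64 before hashing
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(payload).hexdigest(),
                                "size": len(payload)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"sender": parseaddr(msg["From"])[1],
            "urls": sorted(urls),
            "hosts": sorted({urlsplit(u).hostname for u in urls}),
            "attachments": attachments}


def triage(raw_eml: str, feed: dict) -> dict:
    ind = extract_indicators(raw_eml)
    bad_hosts = [h for h in ind["hosts"] if h in feed["hosts"]]
    bad_files = [a for a in ind["attachments"] if a["sha256"] in feed["sha256"]]
    malicious = bool(bad_hosts or bad_files)
    actions = []
    if malicious:
        actions += [f"block_url:{defang(u)}" for u in ind["urls"] if urlsplit(u).hostname in bad_hosts]
        actions += [f"block_hash:{a['sha256']}" for a in bad_files]
        actions += [f"block_sender:{ind['sender']}",
                    "isolate_reporting_endpoint",
                    "search_and_quarantine_mailboxes"]
    else:
        actions.append("close_ticket_benign_with_analyst_review")   # no TI hit: keep a human in the loop
    return {"verdict": "malicious" if malicious else "unconfirmed",
            "indicators": ind, "matched": {"hosts": bad_hosts, "files": bad_files},
            "actions": actions}


def demo():
    return triage(REPORTED_EML, TI_FEED)
```

Only the reporting user's endpoint is isolated automatically; the mailbox search that finds other recipients feeds a second, wider stage, which keeps the automated blast radius small while the analyst confirms the verdict.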
