CompTIA CySA+ CS0-003 (CS0-003) — Questions 976–989

989 questions total · 14 pages · All types, answers revealed

Page 14 of 14

976
Multi-Select · hard

A regulator asks for incident evidence after a data exposure. Which items should be coordinated before disclosure? (Choose two.)

Select 2 answers
A. Evidence package with timeline, scope, and affected data categories
B. Unreviewed analyst speculation
C. Passwords for all production systems
D. Legal review of notification obligations
Answers: A, D

A structured package supports accurate reporting.

Why this answer

Option A is correct because a coordinated evidence package ensures that the disclosure to the regulator includes a verified timeline, scope, and affected data categories, which is essential for demonstrating due diligence and compliance with breach notification laws. Without this coordination, the evidence may be incomplete or inconsistent, potentially leading to regulatory penalties or loss of trust.

Exam trap

The CS0-003 exam often tests the distinction between raw, unverified data and coordinated, legally reviewed evidence. Candidates mistakenly choose 'unreviewed analyst speculation', thinking it provides timely insight, but it fails the accuracy and admissibility requirements for regulatory disclosure.

977
MCQ · easy

A security analyst is reviewing a SIEM alert for a single failed login attempt from an internal IP address to a file server. The analyst determines this is a false positive. Which step should the analyst take next?

A. Escalate to a senior analyst
B. Disable the SIEM alert permanently
C. Tune the alert to suppress similar events
D. Create a correlation rule to link with other events
Answer: C

Correct. Tuning reduces false positives.

Why this answer

After confirming a false positive, the analyst should tune the alert to reduce noise. This may involve adjusting thresholds or whitelisting the source.

978
MCQ · medium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Use them internally with only people who need to know and avoid wider redistribution
B. Send the indicators to all customers
C. Publish the indicators on a public GitHub repository
D. Ignore the indicators because TLP markings are optional
Answer: A

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option A is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and explicitly prohibits redistribution beyond that group. In detection engineering, using these indicators to create tuned detection rules (e.g., SIEM correlation logic) reduces false positives by focusing on verified threat data while preserving the signal by not over-broadening the rule scope.

Exam trap

The trap here is that candidates may think TLP:AMBER+STRICT allows sharing with all internal staff or partners, but the '+STRICT' modifier explicitly restricts distribution to only those with a direct need to know within the same organization.

How to eliminate wrong answers

Option B is wrong because TLP:AMBER+STRICT forbids sharing with all customers; it is limited to internal personnel with a need to know. Option C is wrong because publishing on a public GitHub repository violates the TLP:AMBER+STRICT restriction and could expose sensitive threat intelligence to adversaries. Option D is wrong because TLP markings are mandatory for handling classified threat intelligence; ignoring them would breach trust and potentially violate data-sharing agreements.

979
Multi-Select · hard

A security analyst is conducting a proactive threat hunt for lateral movement techniques. The analyst examines EDR data for unusual parent-child process relationships. Which three process chains are indicative of lateral movement? (Select THREE.)

Select 3 answers
A. svchost.exe spawning schtasks.exe
B. explorer.exe spawning cmd.exe
C. services.exe spawning cmd.exe
D. wmiprvse.exe spawning cmd.exe
E. rundll32.exe spawning powershell.exe
Answers: A, C, D

Scheduled tasks can be created remotely for lateral movement.

Why this answer

Lateral movement often involves remote execution through scheduled tasks (A, svchost.exe spawning schtasks.exe), PsExec-style service execution (C, services.exe spawning cmd.exe), and WMI (D, wmiprvse.exe spawning cmd.exe). Rundll32 spawning PowerShell (E) is not by itself a lateral movement technique, and cmd.exe launched from explorer.exe (B) is normal user activity.

980
MCQ · hard

An analyst is reviewing a vulnerability scan report for a containerized application. The scan identifies a critical vulnerability in a base image used by multiple containers. The application is deployed in a Kubernetes cluster with network policies restricting ingress. The vulnerability has a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). However, the EPSS score is 0.001 (0.1%). Which of the following should the analyst prioritize?

A. Apply a virtual patch via a web application firewall (WAF)
B. Ignore the vulnerability because it is in a container image
C. Schedule the patch for the next maintenance window because of low EPSS and network controls
D. Immediately patch the vulnerability within 24 hours due to the high CVSS score
Answer: C

Low EPSS and existing network policies lower the risk, allowing normal scheduling.

Why this answer

Despite the high CVSS score, the EPSS score indicates an extremely low likelihood of exploitation in the wild. The business context and compensating controls (network policies) reduce the risk, so remediation can be scheduled in the normal patch cycle.

981
MCQ · hard

A security team is scanning container images with Trivy and finds a vulnerability with CVSS v3.1 vector AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists in a container running as a privileged container on a Kubernetes cluster. The team is prioritizing based on risk. Given the CVSS vector, which factor most significantly reduces the likelihood of exploitation in this context?

A. Attack Vector: Local
B. Privileges Required: High
C. Attack Complexity: High
D. User Interaction: None
Answer: A

Local access is required, meaning the attacker must already have a foothold on the system, reducing exploitability from remote.

Why this answer

AV:L (Local) means the attacker must already have local access to exploit the vulnerability; remote exploitation is not possible. AC:H (High) and PR:H (High) also limit exploitation, but the question asks which factor 'most significantly reduces the likelihood'.

Attack Complexity: High does reduce likelihood, but AV:L is more significant because it restricts where an attack can originate. In a container, local access may be more achievable than on a traditional host, yet the vector still establishes that the flaw is not remotely exploitable.

The best answer is Attack Vector: Local.

982
MCQ · hard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For business prioritization, which recommendation gives the best risk-based order of work?

A. Always sort only by CVSS base score
B. Remediate alphabetically by CVE ID
C. Prioritize the KEV/high-EPSS issue after confirming asset exposure
D. Remediate only vulnerabilities with vendor logos in the report
Answer: C

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because it combines threat intelligence (CISA KEV and high EPSS) with environmental context (asset exposure) to prioritize the vulnerability that is actively exploited and likely to be used in attacks, even though its CVSS base score is medium. This aligns with risk-based vulnerability management, which weights exploitability and business impact over raw severity scores.

Exam trap

The CS0-003 exam often tests the misconception that CVSS base score alone determines priority, but the trap here is that candidates ignore the KEV/EPSS context and choose to remediate high-CVSS issues first, failing to apply risk-based prioritization that accounts for real-world exploitability.

How to eliminate wrong answers

Option A is wrong because sorting only by CVSS base score ignores exploitability context (e.g., KEV, EPSS) and environmental mitigations, leading to wasted effort on high-CVSS but non-exploitable issues. Option B is wrong because remediating alphabetically by CVE ID has no relation to risk, exploitability, or business impact, and is a purely arbitrary ordering. Option D is wrong because vendor logos do not indicate exploitability or risk; a vulnerability with a vendor logo may still be non-exploitable in the environment, while a KEV-listed vulnerability without a logo poses real threat.

983
Multi-Select · hard

A cloud security posture tool reports public access on object storage. Which follow-up checks matter? (Choose two.)

Select 2 answers
A. Whether the storage account name is short
B. Whether sensitive objects were accessed or downloaded
C. Whether the administrator uses dark mode
D. Whether public access is effectively allowed by bucket and account policies
Answers: B, D

Access evidence supports impact assessment.

Why this answer

Option B is correct because the primary concern with public access to object storage is data exposure. Checking whether sensitive objects were accessed or downloaded determines if a breach actually occurred, which is a critical follow-up step in vulnerability management. Without this check, you cannot assess the real-world impact of the misconfiguration.

Exam trap

The trap here is that candidates often focus on the misconfiguration itself (public access) rather than the necessary forensic step of verifying actual data exposure, leading them to pick irrelevant options like account name length or UI settings.

984
Multi-Select · medium

Which three of the following are key considerations when implementing a vulnerability management lifecycle in an enterprise environment? (Choose three.)

Select 3 answers
A. Establishing a remediation prioritization framework based on asset criticality and exploitability
B. Scanning all assets with the highest possible scan intensity to ensure no vulnerability is missed
C. Integrating threat intelligence feeds to contextualize vulnerabilities and focus on active threats
D. Performing vulnerability scans only during off-peak hours to minimize network disruption
E. Defining a formal remediation SLA that aligns with organizational risk tolerance
F. Using default scan credentials from the vulnerability scanner vendor for consistency

Why this answer

Establishing a remediation prioritization framework based on asset criticality and exploitability is correct because it ensures that vulnerabilities posing the greatest risk to the business are addressed first. This aligns with risk-based vulnerability management, where not all vulnerabilities are equal; prioritizing by asset value and exploitability (e.g., CVSS exploitability metrics or active exploitation evidence) optimizes resource allocation and reduces overall risk exposure.

Exam trap

CompTIA often tests the distinction between operational best practices (like scanning intensity or timing) and strategic lifecycle components (like prioritization frameworks, threat intelligence integration, and SLA definitions), leading candidates to confuse tactical scanning habits with core lifecycle pillars.

985
MCQ · hard

During a forensic investigation of a compromised Linux server, the analyst needs to acquire memory for analysis. The system is running and the analyst cannot power it off. Which tool is MOST appropriate for acquiring memory in this scenario?

A. LiME
B. FTK Imager
C. WinPmem
D. dd
Answer: A

LiME is a Linux memory acquisition tool that can capture RAM from a live system.

Why this answer

LiME (Linux Memory Extractor) is a tool designed for acquiring memory from Linux systems while they are running, and it can be loaded as a kernel module without shutting down.

986
MCQ · easy

Which of the following is the correct order of volatility for digital evidence?

A. Swap, RAM, CPU registers, disk, logs
B. Disk, RAM, swap, CPU registers, logs
C. RAM, CPU registers, swap, disk, logs
D. CPU registers, RAM, swap, disk, logs
Answer: D

This is the correct descending order of volatility.

Why this answer

The order of volatility: CPU registers and cache (most volatile), then RAM, then swap/page file, then disk, then network logs, then archived media (least volatile).

987
MCQ · easy

Which tool would best allow a security analyst to capture and analyze packets in real time to investigate a network anomaly?

A. Metasploit
B. Wireshark
C. Nmap
D. Nikto
Answer: B

Wireshark captures and analyzes packets live.

Why this answer

Wireshark is a network protocol analyzer that captures and inspects packets in real time, making it ideal for real-time traffic analysis.

988
Multi-Select · hard

Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)

Select 2 answers
A. Remove the web shell and close the exploited vulnerability
B. Reconnect the server before checking persistence
C. Rotate credentials exposed to the compromised web server
D. Only block the analyst's IP address
Answers: A, C

Both malicious artefact and entry path must be addressed.

Why this answer

Option A is correct because removing the web shell eliminates the attacker's foothold, and closing the exploited vulnerability (e.g., patching the application, disabling vulnerable functions like `eval()` or `system()`, or updating a CMS plugin) prevents re-exploitation. This aligns with the eradication phase of incident response, which aims to remove all artifacts of the compromise and harden the system against the same attack vector.

Exam trap

The CS0-003 exam often tests the distinction between containment (e.g., isolating the server) and eradication (e.g., removing the threat and fixing the root cause), so candidates may mistakenly choose actions that only contain the incident rather than fully eliminate the attacker's access.

989
MCQ · easy

A security analyst is configuring a container image scanning tool to identify vulnerabilities in a Docker image before deployment. Which of the following tools is commonly used for container image scanning?

A. Metasploit
B. Nmap
C. Wireshark
D. Trivy
Answer: D

Correct; Trivy is a container image vulnerability scanner.

Why this answer

Trivy is a popular open-source container image vulnerability scanner. It is widely used for scanning Docker images for known vulnerabilities.