CompTIA CySA+ CS0-003 (CS0-003) — Questions 601–675

989 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
Multi-Select · hard

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

Select 2 answers
A. Unusual volume of TGS requests for many service principals
B. Requests from a workstation that does not normally administer services
C. A user changing their desktop wallpaper
D. Successful DHCP lease renewal
Answers: A, B

Kerberoasting often generates broad service-ticket requests.

Why this answer

Kerberoasting requests Ticket-Granting Service (TGS) tickets for accounts that have service principal names (SPNs) registered, then cracks the encrypted portion of each ticket offline to recover the service account's password. Attackers typically enumerate SPNs and request tickets in bulk, so a burst of TGS requests (Windows Security event 4769) across many distinct SPNs from one account is a strong indicator, especially when the requests are forced down to RC4 (ticket encryption type 0x17) in a domain where AES is the norm. A requesting host that never otherwise administers those services adds context that the raw volume alone lacks.

Exam trap

The CS0-003 exam often tests the distinction between benign user actions (like wallpaper changes) and actual Kerberos-related attack indicators, trapping candidates who confuse general system changes with authentication-specific anomalies.

602
MCQ · medium

During a vulnerability assessment, a security analyst runs a scan using OpenVAS and reviews the results. One finding indicates a plugin with ID 12345 that detects a missing patch for CVE-2023-1234 on a Linux server. The server is a critical domain controller. Which step of the vulnerability lifecycle is the analyst currently performing?

A. Remediation
B. Prioritization
C. Discovery
D. Verification
Answer: C

Running a scan and reviewing results is part of discovering vulnerabilities.

Why this answer

The analyst is identifying vulnerabilities via scanning, which is the discovery phase. Prioritization, remediation, and verification come later.

603
MCQ · hard

A laptop may contain evidence for a legal investigation. What should the responder document during acquisition?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward.

Why this answer

Option D is correct because proper chain of custody documentation is critical for evidence admissibility in legal proceedings. The responder must record who collected the evidence, the exact date and time, the physical location, cryptographic hash values (e.g., SHA-256) to verify integrity, transfer details (e.g., chain-of-custody forms), and the secure storage location. This ensures the evidence is not tampered with and can be defended in court.

Exam trap

The CS0-003 exam often tests the misconception that only superficial details (like colour or job title) are sufficient for documentation, when in fact the full chain of custody—including collector identity, timestamps, hashes, and storage—is mandatory for evidence admissibility.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop colour provides no forensic value—it does not establish chain of custody, integrity, or provenance of the evidence. Option B is wrong because the ticket priority is an administrative metric unrelated to forensic acquisition; it does not help prove the evidence was handled properly or securely. Option C is wrong because the user's job title is irrelevant to the technical acquisition process; it does not record who collected the evidence, when, or how it was preserved.

604
MCQ · medium

An incident responder is called to a server room where a critical database server is exhibiting signs of compromise. The responder must preserve evidence while preventing further damage. Which of the following is a short-term containment strategy that also preserves evidence?

A. Reboot the server into safe mode.
B. Disconnect the network cable from the server.
C. Power off the server to freeze the system state.
D. Run a memory dump with WinPmem before any action.
Answer: B

This isolates the server while preserving the current system state for forensics.

Why this answer

Disconnecting the network cable (Option B) is the correct short-term containment strategy because it immediately isolates the compromised database server from the network, preventing further lateral movement or data exfiltration, while leaving the volatile system state (memory, running processes, open connection tables) intact for forensic analysis. It stops network-based activity without altering RAM or disk, which is critical for evidence integrity. Memory acquisition should follow as soon as the server is isolated, because volatile data decays with every minute the host keeps running, and isolation is not entirely risk-free: some malware reacts to loss of connectivity, so the order is isolate first, acquire memory immediately after, then decide on further containment.

Exam trap

The CS0-003 exam often tests the distinction between containment and evidence preservation, and the trap here is that candidates confuse 'preserving evidence' with 'freezing the system state' (Option C) or 'acquiring memory first' (Option D), not realizing that, of the listed actions, immediate network isolation is the one that both stops active damage and preserves volatile data without modification.

How to eliminate wrong answers

Option A is wrong because rebooting into safe mode destroys the contents of RAM and modifies the system (logs, prefetch, registry), losing critical forensic evidence such as active network connections, running malware processes, and encryption keys. Option C is wrong because powering off the server is a hard shutdown that erases all volatile memory outright and, on encrypted volumes, forfeits the keys that were only ever held in memory, losing the most time-sensitive evidence. Option D is wrong because running a memory dump with WinPmem before any containment action is a forensic acquisition step, not a containment strategy; it takes time and does not stop ongoing damage or network-based attacks.

605
MCQ · easy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? Which scanner or pipeline change most directly improves result quality?

A. Authenticated scanning with a test account and session handling
B. Reduce the scan to only the landing page
C. Disable all application authentication
D. Treat absence of findings as proof of security
Answer: A

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners analyze live web applications by sending HTTP requests and inspecting responses. When authentication is required to access protected pages, the scanner must maintain a valid session to reach those endpoints. Configuring authenticated scanning with a test account and proper session handling (e.g., using cookies, tokens, or form-based login) allows the scanner to traverse authenticated pages, ensuring the scan covers the full attack surface and reports findings from restricted areas.

Exam trap

The CS0-003 exam often tests the misconception that disabling authentication or reducing scope is an acceptable workaround, when the correct approach is to configure the scanner to properly handle the existing authentication mechanism.

How to eliminate wrong answers

Option B is wrong because reducing the scan to only the landing page would intentionally ignore all other pages, including authenticated ones, which directly contradicts the goal of improving result quality by reaching more content. Option C is wrong because disabling all application authentication would fundamentally alter the application's security posture, potentially breaking business logic and causing the scanner to test a non-representative environment, rather than properly handling the existing authentication mechanism. Option D is wrong because a clean report from a scan that never reached the authenticated surface is evidence of incomplete coverage, not of security; the absence of findings must be read against what the scanner actually exercised.

606
MCQ · medium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them?

A. Publish the indicators on a public GitHub repository
B. Send the indicators to all customers
C. Ignore the indicators because TLP markings are optional
D. Use them internally with only people who need to know and avoid wider redistribution
Answer: D

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option D is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and explicitly prohibits redistribution beyond that group. The SOC must honor this marking to protect the confidentiality of the indicators and avoid violating the trust model established by the Traffic Light Protocol (TLP), as defined by FIRST.

Exam trap

CompTIA often tests the distinction between TLP:AMBER and TLP:AMBER+STRICT. Under TLP 2.0, plain AMBER allows sharing within the recipient organisation and with its clients on a need-to-know basis; the '+STRICT' suffix removes the clients and limits sharing to the recipient organisation only, still on a need-to-know basis. Candidates who assume either marking permits organisation-wide or customer distribution fall into the trap.

How to eliminate wrong answers

Option A is wrong because publishing TLP:AMBER+STRICT indicators on a public GitHub repository violates the core TLP restriction against any external sharing, potentially exposing sensitive threat intelligence to adversaries. Option B is wrong because customers are outside the recipient organisation; sending them the indicators is exactly the client distribution that the '+STRICT' qualifier forbids (plain AMBER would permit it on a need-to-know basis). Option C is wrong because a TLP marking is a condition the source attaches to the intelligence, not an optional suggestion; ignoring it breaks the trust framework and could lead to mishandling of sensitive intelligence.

607
MCQ · easy

Which of the following is the BEST description of configuration drift?

A. A planned change to a system's configuration
B. The process of reverting a system to its baseline configuration
C. The gradual deviation of a system's configuration from the intended baseline
D. A vulnerability that is patched and then reappears
Answer: C

Drift is unplanned configuration changes over time.

Why this answer

Configuration drift refers to the gradual change in system configurations over time, causing deviations from the baseline or security standards.

608
MCQ · easy

A security analyst is reviewing vulnerability scan results and notices that several critical vulnerabilities have been reported on the same web server for three consecutive months. The server owner states that the patches cannot be applied due to application compatibility issues. Which of the following is the BEST course of action?

A. Escalate the issue to senior management and move on
B. Remove the web server from service until patches are applied
C. Schedule a rescan to verify if the vulnerabilities still exist
D. Implement compensating controls to reduce the risk
Answer: D

Compensating controls mitigate the risk when patching is not possible.

Why this answer

Option D is correct because when a known vulnerability cannot be patched due to application compatibility issues, the standard risk management approach is to implement compensating controls. These controls (e.g., Web Application Firewall rules, network segmentation, or host-based IPS) reduce the likelihood or impact of exploitation without modifying the vulnerable application. This aligns with NIST SP 800-40 Rev. 4, which discusses alternative mitigations for cases where a patch cannot be applied, and the exception should be documented with a review date so the unpatched state does not become permanent by default.

Exam trap

The CS0-003 exam often tests the misconception that rescanning (Option C) is the correct next step, but the trap here is that rescanning does not change the risk posture—it only confirms what is already known, while the question requires a risk-reducing action.

How to eliminate wrong answers

Option A is wrong because simply escalating to senior management without taking any action to reduce risk is a passive approach that leaves the vulnerability exploitable; the analyst must still recommend or implement compensating controls. Option B is wrong because removing the web server from service is an extreme measure that may not be justified if compensating controls can adequately mitigate the risk, and it could cause unnecessary business disruption. Option C is wrong because rescanning will only confirm the same vulnerabilities still exist (since patches were not applied), wasting time without addressing the underlying risk.

609
MCQ · medium

During dynamic malware analysis in a sandbox, an analyst observes that the malware attempts to connect to a remote IP address on port 443, modifies the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and drops a DLL in the system32 folder. Which type of IOC is most indicative of persistence?

A. The registry modification to the Run key
B. The network connection over port 443
C. The remote IP address
D. The dropped DLL file hash
Answer: A

Run keys are classic persistence indicators.

Why this answer

The registry modification to HKCU\Software\Microsoft\Windows\CurrentVersion\Run is the most indicative of persistence because this specific key is designed to automatically launch programs when a user logs in. By adding a value here, the malware ensures it executes on every system startup, which is the definition of persistence. In contrast, network connections and file drops are common during execution but do not inherently guarantee re-execution after a reboot.

Exam trap

The CS0-003 exam often tests the distinction between indicators of activity (network connections, file drops) and indicators of persistence (registry Run keys, scheduled tasks, services), and the trap here is that candidates confuse a common malware behavior (like connecting to a C2 server) with a mechanism that ensures the malware runs again after reboot.

How to eliminate wrong answers

Option B is wrong because a network connection over port 443 (HTTPS) indicates command-and-control communication or data exfiltration, not a mechanism to survive a reboot. Option C is wrong because the remote IP address is merely a destination for network activity and provides no information about automatic re-execution. Option D is wrong because the dropped DLL file hash is a file-based indicator of compromise (IOC) that identifies the malware sample, but the file alone does not ensure it will be loaded again after a restart without a persistence mechanism like a Run key or service.

610
MCQ · medium

An analyst is investigating a suspected data breach and needs to preserve network logs. Which of the following actions is MOST appropriate?

A. Delete old logs to free space for new logs
B. Perform a packet capture (pcap) and store it on write-protected media
C. Forward logs to a remote syslog server
D. Copy the log files to a USB drive and analyze them
Answer: B

Creating a pcap and storing on write-protected media preserves the evidence in its original state.

Why this answer

To preserve network evidence, the analyst should create a forensic copy (a packet capture, or at minimum the flow records and log files), record its hash, and store it on write-once or write-protected media so that any later change is detectable. Forwarding logs to a remote syslog server (Option C) is good ongoing practice but does not produce a preserved copy of the evidence at hand, and copying files to a USB drive and analysing them there (Option D) provides neither write protection nor integrity verification.

611
MCQ · medium

A security analyst is configuring a vulnerability scanner for a new deployment. The scanner must be able to authenticate to targets to perform deep configuration audits against CIS Benchmarks. Which type of scan should the analyst configure?

A. Credentialed scan
B. Unauthenticated scan
C. Passive scan
D. External scan
Answer: A

Credentialed (authenticated) scans allow the scanner to log in and check configurations.

Why this answer

Authenticated scans use credentials to access the target and perform deep configuration checks, such as CIS Benchmark compliance.
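What a credentialed configuration audit does once it is logged in, shown for the sshd configuration as an added example: this is not OpenSCAP, Nessus or any vendor's code, and the expected values are illustrative CIS-style settings, not a copy of the benchmark. The same comparison against a baseline is what surfaces the drift defined in question 607, so the report separates values that were explicitly changed from values that were never set and are inherited from sshd's defaults.

```python
"""Credentialed configuration audit / drift check over a constructed sshd_config.
Added example, not from the CS0-003 page or any scanner vendor. BASELINE holds
illustrative CIS-style expected values (assumption); SSHD_DEFAULTS holds the
values sshd applies when a directive is absent (from the sshd_config man page)."""
import re

BASELINE = {                      # directive -> expected value (illustrative)
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "INFO",
    "ClientAliveInterval": "300",
}

SSHD_DEFAULTS = {                 # effective value when the directive is not set
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
    "ClientAliveInterval": "0",
}

# Constructed sample of what the scanner reads from /etc/ssh/sshd_config after login.
SAMPLE_CONFIG = """\
# hardened by ops at install time
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes            # enabled later for a debugging session and never reverted
MaxAuthTries 4
PasswordAuthentication yes   # duplicate: ignored, sshd keeps the first value it saw
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive_lowercase: value}. sshd keeps the FIRST occurrence of a
    directive, keywords are case-insensitive, and everything after a Match line is
    conditional, so those lines are skipped rather than treated as global settings."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)               # first occurrence wins
    return settings


def audit(config, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Compare the parsed config with the baseline. Status is 'ok', 'drift'
    (explicitly set to a non-baseline value) or 'unset' (absent, and sshd's
    default does not satisfy the baseline)."""
    report = {}
    for key, expected in baseline.items():
        if key.lower() in config:
            actual, origin = config[key.lower()], "explicit"
        else:
            actual, origin = defaults.get(key, ""), "default"
        if actual.lower() == expected.lower():
            status = "ok"
        else:
            status = "drift" if origin == "explicit" else "unset"
        report[key] = {"expected": expected, "actual": actual, "status": status}
    return report


def findings(report):
    """Directives that need attention, sorted for a stable report."""
    return sorted(k for k, r in report.items() if r["status"] != "ok")


if __name__ == "__main__":
    rep = audit(parse_sshd_config(SAMPLE_CONFIG))
    for k in findings(rep):
        print(f"{k}: expected {rep[k]['expected']}, actual {rep[k]['actual']} ({rep[k]['status']})")
```

An unauthenticated scan could only observe the SSH banner and negotiated algorithms; none of the directives above are visible from the network, which is why benchmark audits need credentials.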

612
MCQ · medium

An incident report includes a section that details the sequence of events from initial compromise to containment. Which component of the incident report does this describe?

A. Impact assessment
B. Root cause
C. Lessons learned
D. Timeline
Answer: D

Timeline records events in order.

Why this answer

The timeline component chronologically documents the incident's progression.

613
MCQ · hard

A large e-commerce site is under a DDoS attack targeting its web servers. The incident response team is activated. Which goal should receive the HIGHEST priority during the response?

A. Maintain availability of the service.
B. Implement attribution.
C. Identify the attacker's identity.
D. Quantify the financial loss.
Answer: A

Preserving service availability is the primary goal in a DDoS scenario.

Why this answer

During a DDoS attack targeting web servers, the highest priority is maintaining availability of the service because the primary goal of incident response in this scenario is to preserve business continuity and minimize disruption to legitimate users. The incident response team must first focus on mitigating the attack (e.g., rate-limiting, blackholing traffic, or scaling resources) before any forensic or attribution steps, as service downtime directly impacts revenue and customer trust.

Exam trap

The CS0-003 exam often tests the principle that during an active incident, the priority is containment and recovery (availability) over forensic activities like attribution or identification, which are handled in later phases of the incident response lifecycle.

How to eliminate wrong answers

Option B is wrong because attribution (identifying the source of the attack) is a secondary goal that typically occurs after the immediate threat is contained; focusing on attribution during the active attack can delay mitigation and prolong downtime. Option C is wrong because identifying the attacker's identity is a forensic objective that is rarely achievable in real-time during a DDoS attack (attackers often use spoofed IPs, botnets, or reflection techniques), and it does not help restore service availability. Option D is wrong because quantifying financial loss is a post-incident activity that should be performed after the attack is mitigated; prioritizing it during the response would divert resources from stopping the attack and restoring service.

614
MCQ · medium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate?

A. Tune DHCP lease duration
B. Use only a firewall deny rule for port 443
C. Create a CVE entry
D. Create and test a YARA rule against known-good and known-bad samples
Answer: D

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing the rule against known-good and known-bad samples, the analyst can validate its accuracy and reduce false positives, making it the most appropriate method for detecting related files from the same campaign.

Exam trap

CompTIA often tests the distinction between detection methods (YARA) and containment or remediation actions (firewall rules, DHCP changes), leading candidates to confuse operational security controls with forensic analysis techniques.

How to eliminate wrong answers

Option A is wrong because tuning DHCP lease duration affects network address allocation and does not help in detecting malware based on strings or byte patterns. Option B is wrong because using only a firewall deny rule for port 443 blocks HTTPS traffic indiscriminately, which would not identify related malware files and could disrupt legitimate business operations. Option C is wrong because creating a CVE entry is a process for documenting a vulnerability, not a method for detecting or classifying malware samples based on unique patterns.
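The validation step the answer describes, as an added example that is not the page's code and not YARA itself: a rule is modelled the way YARA models it (named text and hex strings plus an "N of them" condition), rendered to YARA syntax, and scored against constructed known-bad and known-good corpora so that a string shared with benign files shows up as a false positive before the rule is deployed. The strings, sample bytes and rule name are constructed.

```python
"""Rule validation against known-good and known-bad samples (added example).
Mirrors YARA's strings/condition model in plain Python so the rule can be scored
offline; the real rule would be compiled with yara or yara-python. All sample
data below is constructed."""

RULE = {
    "name": "campaign_x_dropper",
    "strings": {
        "$cfg": b"cfg_v2|beacon=",                                   # config marker
        "$ua": b"Mozilla/4.0 (compatible; MSIE 6.0; CampaignX)",     # hard-coded User-Agent
        "$stub": bytes.fromhex("e8000000005b81eb"),                  # call $+5 / pop ebx / sub ebx
    },
    "condition": 2,   # YARA: "2 of them"
}

# Known-bad: three samples from the campaign (constructed), each carrying >= 2 strings.
KNOWN_BAD = [
    b"MZ\x90\x00" + b"\x00" * 16 + b"cfg_v2|beacon=https://c2.example/a " +
    b"Mozilla/4.0 (compatible; MSIE 6.0; CampaignX)",
    b"\x55\x8b\xec" + bytes.fromhex("e8000000005b81eb") + b"\x00" * 8 + b"cfg_v2|beacon=",
    bytes.fromhex("e8000000005b81eb") + b"cfg_v2|beacon=" +
    b"Mozilla/4.0 (compatible; MSIE 6.0; CampaignX)",
]

# Known-good: benign files that happen to contain ONE of the strings (constructed).
KNOWN_GOOD = [
    b"test fixture: ua=Mozilla/4.0 (compatible; MSIE 6.0; CampaignX) expected in log",
    b"plain text document with nothing of interest",
    b"packer stub " + bytes.fromhex("e8000000005b81eb") + b" used by a legitimate installer",
]


def match(rule, data):
    """Return the names of matched strings if the condition holds, else []."""
    hits = [name for name, pat in rule["strings"].items() if pat in data]
    return hits if len(hits) >= rule["condition"] else []


def validate(rule, known_bad, known_good):
    """Score a rule: detections on the bad set, false positives on the good set."""
    tp = sum(1 for d in known_bad if match(rule, d))
    fp = sum(1 for d in known_good if match(rule, d))
    return {"detected": tp, "missed": len(known_bad) - tp, "false_positives": fp}


def to_yara(rule):
    """Render the dict as YARA source so the validated rule can be deployed."""
    lines = [f"rule {rule['name']}", "{", "    strings:"]
    for name, pat in rule["strings"].items():
        try:
            text = pat.decode("ascii")
            if text.isprintable() and '"' not in text and "\\" not in text:
                lines.append(f'        {name} = "{text}" ascii')
                continue
        except UnicodeDecodeError:
            pass
        lines.append(f"        {name} = {{ {pat.hex(' ')} }}")   # hex string form
    lines += ["    condition:", f"        {rule['condition']} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_yara(RULE))
    print("2 of them:", validate(RULE, KNOWN_BAD, KNOWN_GOOD))
    print("1 of them:", validate(dict(RULE, condition=1), KNOWN_BAD, KNOWN_GOOD))
```

Loosening the condition to "1 of them" keeps full detection but produces false positives on two benign files, which is the trade-off the known-good corpus exists to expose.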

615
MCQ · medium

During a patch management process, a security analyst is testing a critical security patch in a staging environment. The patch causes a regression in a key business application. Which of the following should the analyst do next?

A. Apply the patch to production but roll back if issues occur
B. Skip the patch and accept the risk
C. Deploy the patch to production and monitor for issues
D. Report the regression to the vendor and wait for a fixed patch
Answer: D

Proper procedure is to inform vendor and obtain a corrected patch.

Why this answer

If a patch causes a regression in staging, it should not be deployed to production. The analyst should report the issue to the vendor and obtain a corrected patch; deploying anyway could cause outages.

Skipping the patch would leave the vulnerability open, so while waiting for the fix the exception should be documented and a compensating control applied (for example restricting network access to the affected service or adding a WAF rule), rather than silently accepting the risk.

616
MCQ · easy

In a regulated payment environment, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward.

Why this answer

Option D is correct because legal and regulatory requirements demand a complete chain of custody for digital evidence. Documenting who collected the laptop, when, where, hash values (e.g., SHA-256), transfer details, and storage location ensures the evidence is admissible and tamper-proof. This aligns with NIST SP 800-86 and ISO 27037 forensic best practices.

Exam trap

The trap here is that candidates may think minimal documentation (like colour or job title) is sufficient, but the CS0-003 exam tests that only a complete chain-of-custody record satisfies legal admissibility and regulatory compliance.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because recording only the ticket priority is irrelevant to evidence handling and does not capture any forensic metadata. Option C is wrong because noting only the user's job title omits critical details like collection time, location, and hash verification, making the evidence legally indefensible.
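The record that Option D describes here and in question 603, in code, as an added example that is not from the page or from any forensic suite: the acquired image is hashed with SHA-256 at collection, the collector, time, place and storage are recorded, each hand-off is appended to the transfer log, and the hash is re-checked on demand so any later modification of the image is detected. File names, people and locations are constructed.

```python
"""Chain-of-custody record for an acquired disk image (added example).
Hashes the image at collection, logs every transfer, and re-verifies the hash.
Names, paths and locations are constructed; the image is a throwaway temp file."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def start_custody(image_path, collector, location, evidence_id, storage):
    """Create the record at acquisition time: who, when, where, hash, storage."""
    return {
        "evidence_id": evidence_id,
        "image": os.path.basename(image_path),
        "sha256": sha256_file(image_path),
        "collected_by": collector,
        "collected_at": _now(),
        "collected_where": location,
        "storage_location": storage,
        "transfers": [],
    }


def record_transfer(record, from_person, to_person, purpose, storage):
    """Append one hand-off; the current storage location moves with the evidence."""
    record["transfers"].append({"from": from_person, "to": to_person,
                                "purpose": purpose, "at": _now(),
                                "storage_location": storage})
    record["storage_location"] = storage
    return record


def verify(record, image_path):
    """True only if the image still matches the hash taken at collection."""
    return sha256_file(image_path) == record["sha256"]


def demo():
    """Acquire a constructed image, transfer it, verify, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "LAPTOP-0421.E01")            # constructed name
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed image bytes")
        rec = start_custody(img, "A. Analyst", "Server room B, rack 3",
                            "EV-2024-0042", "Evidence safe 1")
        record_transfer(rec, "A. Analyst", "B. Examiner",
                        "forensic analysis", "Lab locker 7")
        ok_before = verify(rec, img)
        with open(img, "ab") as f:                           # simulate a later change
            f.write(b"!")
        ok_after = verify(rec, img)
        return ok_before, ok_after, len(rec["transfers"]), json.dumps(rec, indent=2)


if __name__ == "__main__":
    before, after, transfers, as_json = demo()
    print(as_json)
    print("intact before transfer:", before, "| intact after tampering:", after)
```

The JSON record is what goes on the custody form; it should itself be stored somewhere the examiner cannot silently edit, such as an append-only case-management system, so the hash it carries is trustworthy when the image is challenged.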

617
MCQ · hard

Based on the scan output, which vulnerability should be prioritized first for remediation?

A. CVE-2019-16905
B. CVE-2020-15778
C. CVE-2020-12060
D. Both A and B equally.
Answer: B

Highest CVSS score on the scan output (9.8).

Why this answer

CVE-2020-15778 is a command-injection flaw in the scp utility shipped with OpenSSH (through 8.3p1): shell metacharacters such as backticks in a crafted destination path are passed to the remote shell, so an attacker who can influence the arguments of an scp invocation can execute commands on the remote host. On the scan output it carries the highest CVSS base score of the three and it is the only one that yields command execution, which makes it the first to remediate. Before acting on a scanner's severity, reconcile it with the vendor advisory or NVD entry; scanners sometimes carry their own ratings, and the published CVSS vector (attack vector, privileges required, user interaction) is what justifies the ranking in a remediation ticket.

Exam trap

CompTIA often tests the principle that a vulnerability giving command execution over the network is prioritised over a local privilege escalation or a denial of service, and that remediation order should follow exploitability and impact rather than the order in which the scanner lists findings.

How to eliminate wrong answers

Option A is wrong because CVE-2019-16905 is an integer overflow in OpenSSH's experimental XMSS key parsing (OpenSSH 7.7 through 8.0, only when built with XMSS support), which requires a crafted key to be loaded and carries a lower score on the scan output than B. Option C is wrong because CVE-2020-12060 is scored below B on the scan output and the question asks for the single highest priority. Option D is wrong because A and B are not equally critical; B is the only finding that allows command execution and it has the highest score.

618
MCQ · easy

Which of the following tools is specifically designed for compliance scanning against security benchmarks such as CIS and STIG?

A. OpenVAS
B. Nessus
C. OpenSCAP
D. Trivy
Answer: C

OpenSCAP is used for security compliance checking.

Why this answer

OpenSCAP is a compliance scanning tool that can assess systems against SCAP content, including CIS and STIG benchmarks.

619
MCQ · hard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal, and which detection or tuning approach would reduce noise without losing the signal?

A. CVSS vector string
B. Sigma rule
C. OpenIOC package only
D. YARA rule
Answer: B

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are a vendor-agnostic, YAML-based format designed specifically for writing detection logic that can be converted into multiple SIEM query languages (e.g., Splunk SPL, Elastic EQL, QRadar AQL). This portability directly meets the threat hunter's goal of creating a single detection for suspicious rundll32 execution that works across different SIEM platforms.

Exam trap

The CS0-003 exam often tests the distinction between artifact formats (like OpenIOC) and detection rule formats (like Sigma), trapping candidates who confuse forensic artifact sharing with portable detection engineering.

How to eliminate wrong answers

Option A is wrong because CVSS vector strings describe vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and are not used for detection logic or SIEM queries. Option C is wrong because OpenIOC packages are XML-based and primarily used for sharing forensic artifacts (file hashes, registry keys, process names) in tools like Mandiant IOC Editor; they describe what to look for on a host, not a log query, and lack the standardized mapping to SIEM query languages that Sigma provides. Option D is wrong because YARA rules match byte and string patterns in files and memory; they do not express process-creation telemetry such as image name, parent process and command line, which is what a rundll32 execution detection needs.
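The shape of the rule this question calls for, together with the Run-key persistence indicator from question 609, evaluated in plain Python as an added example. This is not the Sigma project's code or pySigma; it is a small evaluator that mirrors Sigma's selection/filter/condition layout and its "contains" and "endswith" modifiers so the tuning effect of a filter can be measured. The events are constructed Sysmon-like records (process creation and registry value set), and the known-good filter is an assumption about one environment, not a general allowlist.

```python
"""Sigma-style detections evaluated in Python (added example, not Sigma/pySigma).
Rule 1: suspicious rundll32 execution, with a tuning filter for an assumed
known-good installer. Rule 2: Run/RunOnce key write (persistence). Events are
constructed; field names follow Sysmon's process_creation / registry_set events."""

RUNDLL32_RULE = {
    "title": "Suspicious rundll32 execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\rundll32.exe",
            "CommandLine|contains": ["javascript:", "\\appdata\\", "\\temp\\", "\\users\\public\\"],
        },
        # Tuning filter (assumption): msiexec legitimately loads a DLL from OneDrive's AppData path.
        "filter": {
            "ParentImage|endswith": "\\msiexec.exe",
            "CommandLine|contains": "\\appdata\\local\\microsoft\\onedrive\\",
        },
        "condition": "selection and not filter",
    },
}

RUNKEY_RULE = {
    "title": "Run key persistence via registry value set",
    "logsource": {"category": "registry_set", "product": "windows"},
    "detection": {
        "selection": {
            "EventType": "SetValue",
            "TargetObject|contains": ["\\software\\microsoft\\windows\\currentversion\\run\\",
                                      "\\software\\microsoft\\windows\\currentversion\\runonce\\"],
        },
        "condition": "selection",
    },
}

EVENTS = [  # constructed
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";x=1',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncShell64.dll,Install",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "EventType": "SetValue", "Image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"id": 5, "EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App\DisplayName",
     "Details": "App 1.0"},
]


def _match_value(value, expected, modifier):
    """One field against one or more rule values (OR), case-insensitive like Sigma."""
    v = str(value).lower()
    for e in (expected if isinstance(expected, list) else [expected]):
        e = str(e).lower()
        if modifier is None and v == e:
            return True
        if modifier == "contains" and e in v:
            return True
        if modifier == "endswith" and v.endswith(e):
            return True
        if modifier == "startswith" and v.startswith(e):
            return True
    return False


def _match_block(event, block):
    """Every 'Field|modifier': value entry in a block must match (AND)."""
    for spec, expected in block.items():
        field, _, modifier = spec.partition("|")
        if field not in event or not _match_value(event[field], expected, modifier or None):
            return False
    return True


def evaluate(rule, event):
    """Supports the two most common Sigma conditions."""
    det = rule["detection"]
    if det["condition"] == "selection":
        return _match_block(event, det["selection"])
    if det["condition"] == "selection and not filter":
        return _match_block(event, det["selection"]) and not _match_block(event, det["filter"])
    raise ValueError("unsupported condition: " + det["condition"])


def run(rules, events):
    """Return (rule title, event id) for every hit."""
    return [(r["title"], ev["id"]) for ev in events for r in rules if evaluate(r, ev)]


def without_filter(rule):
    """The same rule with its tuning filter dropped, to see what the filter suppresses."""
    return dict(rule, detection=dict(rule["detection"], condition="selection"))


if __name__ == "__main__":
    for title, eid in run([RUNDLL32_RULE, RUNKEY_RULE], EVENTS):
        print(f"{title}: event {eid}")
```

Event 2 is the point of the filter: without it the OneDrive installer's DLL load fires the rule, with it the PowerShell-spawned javascript: invocation (event 1) still does. Because the filter is keyed on both parent image and path, an attacker who merely drops a payload into the OneDrive folder does not inherit the exemption.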

620
MCQ · medium

During a post-compromise review, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first, and which action is most defensible before the incident is closed?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to invalidate the compromised credential (rotate or disable the key) to prevent further unauthorized access, and then review the actions performed with it to assess the scope of the breach. This aligns with the NIST SP 800-61 incident response lifecycle, specifically the containment phase, where stopping the attacker's access is paramount before eradication or closure.

Exam trap

The CS0-003 exam often tests the distinction between containment and eradication, where candidates mistakenly choose an eradication step (like blocking a laptop) before completing the critical containment action of revoking the compromised credential.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to more damage and higher costs; it violates the principle of immediate containment. Option C is wrong because blocking the developer's laptop from Wi-Fi addresses a non-issue (the developer's local network access) and does nothing to revoke the cloud access key that is already exposed and being used from an unfamiliar IP; it confuses endpoint security with credential compromise. Option D is wrong because deleting the commit does not invalidate the key: it remains in the repository history, in forks and clones, and in any scraper's cache, and the attacker already holds it; a secret that has been public must be treated as compromised and rotated regardless of what happens to the commit.
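The "review actions performed with it" half of Option B, as an added example that is not the page's code and not an AWS tool: it walks constructed CloudTrail-style records, isolates every call made with the leaked key, flags calls from source IPs outside the team's known egress ranges, and lists identity actions (and any new keys minted) that eradication must also revoke before closure. The key IDs, IPs, address ranges and event shapes are constructed; the disable/rotate step itself is performed in IAM and not shown.

```python
"""Scope an exposed cloud access key from audit-log records (added example).
Records mimic CloudTrail's shape (eventTime, eventName, sourceIPAddress,
userIdentity.accessKeyId, responseElements) but are constructed."""
import ipaddress
from collections import Counter, defaultdict

LEAKED_KEY_ID = "AKIAEXAMPLELEAKED001"                      # constructed
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]    # assumed office/CI NAT range
# Calls that mint credentials or widen access: persistence that must be unwound.
PERSISTENCE_ACTIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                       "AttachUserPolicy", "PutUserPolicy", "CreateRole",
                       "UpdateAssumeRolePolicy"}


def _rec(time, source, name, ip, key, extra=None):
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key, "userName": "ci-deploy"}}
    r.update(extra or {})
    return r


RECORDS = [  # constructed, trimmed to the fields used
    _rec("2024-05-01T09:02:11Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.7", LEAKED_KEY_ID),
    _rec("2024-05-01T13:41:02Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.23", LEAKED_KEY_ID),
    _rec("2024-05-01T13:41:40Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.23", LEAKED_KEY_ID,
         {"responseElements": {"accessKey": {"accessKeyId": "AKIAEXAMPLENEWKEY0002"}}}),
    _rec("2024-05-01T13:45:09Z", "ec2.amazonaws.com", "RunInstances", "198.51.100.23", LEAKED_KEY_ID),
    _rec("2024-05-01T13:50:00Z", "s3.amazonaws.com", "GetObject", "203.0.113.9", "AKIAEXAMPLEOTHERKEY"),
]


def is_known_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def scope_key(records, key_id):
    """Everything the key did, where from, and what else now needs revoking."""
    used = [r for r in records if r["userIdentity"].get("accessKeyId") == key_id]
    foreign = [r for r in used if not is_known_source(r["sourceIPAddress"])]
    persistence = [r for r in used if r["eventName"] in PERSISTENCE_ACTIONS]
    # Keys created with the leaked key outlive its rotation unless revoked too.
    derived = [r.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
               for r in persistence if r["eventName"] == "CreateAccessKey"]
    by_ip = defaultdict(Counter)
    for r in used:
        by_ip[r["sourceIPAddress"]][r["eventName"]] += 1
    return {
        "calls": len(used),
        "foreign_ips": sorted({r["sourceIPAddress"] for r in foreign}),
        "first_foreign_use": min((r["eventTime"] for r in foreign), default=None),
        "actions_by_ip": {ip: dict(c) for ip, c in by_ip.items()},
        "persistence_actions": sorted(r["eventName"] for r in persistence),
        "also_revoke": [k for k in derived if k],
    }


if __name__ == "__main__":
    for k, v in scope_key(RECORDS, LEAKED_KEY_ID).items():
        print(f"{k}: {v}")
```

The GetCallerIdentity call from the unfamiliar address is the usual first sign of a scraped key being tested; the CreateAccessKey that follows is why rotating the leaked key alone is not enough, and the RunInstances call is the start of the cost and blast-radius review.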

621
Multi-Select · hard

Which THREE activities are typically performed during the post-incident activity phase of the incident response lifecycle?

Select 3 answers
A. System restoration from backups.
B. Root cause analysis.
C. Implementation of new security awareness training.
D. Evidence retention for potential legal action.
E. Lessons learned meeting.
Answers: B, D, E

Root cause analysis, evidence retention and the lessons learned meeting are the post-incident activities.

Why this answer

NIST SP 800-61 places the lessons learned meeting, the use of collected incident data, and evidence retention in the post-incident activity phase. Root cause analysis (B) identifies the underlying vulnerability or misconfiguration that allowed the incident to occur and feeds remediation and prevention. Evidence retention (D) keeps acquired images, logs and chain-of-custody records for the period required by policy, regulation or pending litigation. The lessons learned meeting (E) reviews what happened, how well the response worked and what should change. System restoration (A) belongs to the recovery phase, and new awareness training (C) is one possible outcome of lessons learned rather than an activity defined by the phase itself.

Exam trap

CompTIA often tests the distinction between recovery-phase actions (e.g., system restoration) and post-incident analysis activities, leading candidates to mistakenly include restoration as a post-incident task.

622
MCQ · hard

During memory analysis of a compromised host, an analyst finds a process that appears to be 'svchost.exe' but with an unusual parent process (not 'services.exe'). The process also has injected code in its memory. What is the most likely explanation?

A. The process is a legitimate svchost.exe but spawned by a different service
B. The svchost.exe is a hollowed process used for malicious purposes
C. The process is a DLL injection into svchost.exe
D. The svchost.exe process is a false positive due to a known Windows bug
Answer: B

Process hollowing replaces the memory of a legitimately named process with attacker code.

Why this answer

svchost.exe is normally started by services.exe, so a different parent indicates the attacker launched this instance, and the injected code in its memory is consistent with process hollowing: a legitimate binary is started suspended, its image is unmapped and replaced with malicious code, and execution resumes under the trusted name. Option C is less likely because DLL injection into a genuine svchost.exe instance leaves the legitimate services.exe parent in place; the abnormal parent is what points to hollowing rather than injection. Either way the next steps are the same: dump the process memory, compare the in-memory image with the on-disk binary, and pivot on the parent process.

623
Multi-Select · medium

A security analyst needs to communicate the findings of a penetration test to the IT operations team and the CISO. Which three of the following actions best support effective reporting and communication? (Choose three.)

Select 3 answers
A. Customize the level of detail in the report for each audience
B. Include raw command outputs and exploit code in the executive summary
C. Prioritize findings based on risk to the organization’s mission
D. Provide actionable remediation steps with ownership assignments
E. Delay the report until all findings are fully verified with no uncertainty
F. Submit the report as a confidential document without any verbal briefing
Answers: A, C, D

Why this answer

Customizing the level of detail for each audience (A) ensures that technical teams receive the operational depth they need (e.g., raw findings, exploit paths) while executives get a high-level summary focused on business risk and strategic impact. Prioritizing findings by risk to the mission (C) gives both audiences a defensible order of work, and remediation steps with named owners (D) turn the report into something that gets actioned rather than filed. This aligns with the principle of audience-aware reporting in penetration testing, where the CISO requires risk context and the IT operations team needs actionable technical details.

Exam trap

CompTIA often tests the misconception that including all raw technical data in the executive summary is thorough, when in fact it violates audience-specific communication best practices and can overwhelm non-technical readers.

624
MCQ · hard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected?

A. Kerberoasting reconnaissance or ticket harvesting
B. DNS cache poisoning
C. Pass-the-hash using NTLM only
D. ARP spoofing
Answer: A

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

A high volume of Kerberos service ticket requests for many SPNs, followed by no actual service access, is characteristic of Kerberoasting. Any authenticated domain user can request a service ticket for any SPN; the encrypted portion of that ticket is protected with the service account's long-term key (for RC4, a key derived directly from the account's NT hash), so the attacker exports the tickets and cracks them offline to recover the service account's password. Because the tickets are wanted only as cracking material, no connection to the services follows, and that absence is what distinguishes harvesting from legitimate use.

Exam trap

The CS0-003 exam often tests the distinction between reconnaissance (ticket harvesting without access) and actual exploitation; the trap here is confusing Kerberoasting with pass-the-ticket or golden ticket attacks, which involve ticket reuse or forgery rather than offline hash cracking.

How to eliminate wrong answers

Option B is wrong because DNS cache poisoning corrupts resolver caches to redirect traffic to attacker-controlled IPs; it generates no Kerberos TGS requests and no SPN enumeration. Option C is wrong because pass-the-hash reuses a captured NTLM hash to authenticate over NTLM; it does not request Kerberos service tickets, whereas the described behavior is specifically TGS-REQ traffic. Option D is wrong because ARP spoofing poisons layer-2 address mappings on the local segment to intercept traffic; it produces no Kerberos ticket traffic at all.
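
The detection logic described in question 624, as an added example that is not part of the exam page: a sliding-window count of distinct user-account SPNs requested per account, built over constructed Windows Security event 4769 records. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are the real 4769 fields; the records, the 10-minute window, the threshold of five SPNs and the account names are assumptions for illustration.

```python
"""Kerberoasting detection over Windows Security event 4769 (TGS request) fields.
Added example, not from the exam page. EVENTS are constructed records using the
real 4769 field names: TargetUserName (requester), ServiceName (SPN account),
TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256), IpAddress."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
    ("2024-05-01T09:00:01", "jdoe", "svc_sql", "0x12", "10.0.5.20"),
    ("2024-05-01T09:00:02", "jdoe", "HOST01$", "0x12", "10.0.5.20"),
    ("2024-05-01T09:00:05", "jdoe", "svc_backup", "0x17", "10.0.5.20"),
    ("2024-05-01T09:00:05", "jdoe", "svc_sql", "0x17", "10.0.5.20"),
    ("2024-05-01T09:00:06", "jdoe", "svc_web", "0x17", "10.0.5.20"),
    ("2024-05-01T09:00:06", "jdoe", "svc_ldap", "0x17", "10.0.5.20"),
    ("2024-05-01T09:00:07", "jdoe", "svc_sharepoint", "0x17", "10.0.5.20"),
    ("2024-05-01T09:00:07", "jdoe", "svc_exchange", "0x17", "10.0.5.20"),
    ("2024-05-01T09:00:08", "jdoe", "svc_jenkins", "0x17", "10.0.5.20"),
    ("2024-05-01T10:15:00", "asmith", "svc_sql", "0x12", "10.0.7.9"),
    ("2024-05-01T11:20:00", "asmith", "svc_web", "0x12", "10.0.7.9"),
]

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=10)   # assumed tuning values; baseline them per domain
MIN_DISTINCT_SPNS = 5


def is_user_spn(service_name):
    """Computer accounts (NAME$) and krbtgt get routine 4769s and have random
    passwords; Kerberoasting targets user accounts that carry an SPN."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, window=WINDOW, min_spns=MIN_DISTINCT_SPNS):
    """One alert per requester whose distinct user-SPN requests inside any
    sliding window reach min_spns. rc4_ratio is the share of those requests
    that negotiated RC4, a strong tell where AES is the domain default."""
    by_user = defaultdict(list)
    for ts, user, service, etype, ip in events:
        if is_user_spn(service):
            by_user[user].append((datetime.fromisoformat(ts), service, etype, ip))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        best, start = None, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            span = reqs[start:end + 1]
            spns = {r[1] for r in span}
            if len(spns) >= min_spns and (best is None or len(spns) > len(best[0])):
                best = (spns, span)
        if best is not None:
            spns, span = best
            rc4 = sum(1 for r in span if r[2] == RC4_HMAC)
            alerts.append({
                "user": user,
                "source_ip": span[0][3],
                "distinct_spns": len(spns),
                "requests": len(span),
                "rc4_ratio": round(rc4 / len(span), 2),
                "targets": sorted(spns),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(EVENTS):
        print(alert)
```

Two tuning points matter in practice: exclude computer accounts and krbtgt from the SPN count so routine host-to-host traffic does not trip the rule, and weight RC4 requests, because tools that Kerberoast commonly request RC4 tickets for cheaper cracking while a healthy domain issues AES. A honeytoken service account with an SPN that nothing legitimately uses turns the same rule into a near-zero-noise alert.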

625
MCQhard

A security analyst reviews this S3 bucket policy. Which vulnerability is present?

A.Missing encryption
B.Cross-site scripting
C.Insecure direct object reference
D.Public read access to all objects
AnswerD

Principal '*' with Allow effect grants public access to all objects in the bucket.

Why this answer

The statement allows `Principal: "*"` to perform `s3:GetObject` on the bucket's objects, so any unauthenticated requester on the internet can download any object whose key it knows or can guess (listing the bucket additionally requires `s3:ListBucket`, but object keys are frequently predictable or leak through logs and links). The vulnerability is the public access grant itself, not a missing encryption setting or an application-layer flaw; S3 Block Public Access at the account or bucket level would have prevented this policy from taking effect.

Exam trap

CompTIA often tests the distinction between a misconfigured access control policy (like public read) and other vulnerability types (like encryption or injection), so candidates mistakenly choose 'missing encryption' because they see a lack of security controls, but the policy itself does not address encryption at all.

How to eliminate wrong answers

Option A is wrong because missing encryption (e.g., server-side encryption not enforced) is a compliance or data-at-rest risk, but the policy shown does not disable encryption—it simply allows public reads. Option B is wrong because cross-site scripting (XSS) is a web application vulnerability involving injection of malicious scripts into web pages, not a misconfiguration in an S3 bucket policy. Option C is wrong because insecure direct object reference (IDOR) is an access control flaw where a user can access unauthorized resources by manipulating identifiers (e.g., object keys), but the policy here grants blanket public access to all objects, not a per-object IDOR issue.

626
MCQmedium

During a post-compromise review, a server suspected of running fileless malware is still powered on. Which evidence should be captured first, if it is safe to do so?

A.Volatile memory and active network/process state
B.Marketing screenshots
C.Archived monthly reports
D.The office seating plan
AnswerA

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off.

Why this answer

In a post-compromise review of a server suspected of running fileless malware, volatile memory (RAM) and the live network and process state must be captured first because fileless malware runs from memory and leaves few or no artifacts on disk; any persistence it has typically lives in the registry, WMI event subscriptions, or scheduled tasks rather than in a dropped executable. Capturing memory first preserves the injected code, running processes, loaded modules, network connections, and other transient data that would be lost on reboot or shutdown, and it should happen before any action that alters the running state (killing processes, isolating the host, or rebooting), in line with the order of volatility.

Exam trap

The CS0-003 exam often tests the principle of order of volatility (OOV), where candidates mistakenly prioritize disk-based evidence over volatile memory, forgetting that fileless malware exists only in RAM and is destroyed on power loss.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and provide no technical data about fileless malware or system compromise. Option C is wrong because archived monthly reports are historical and non-volatile, containing no real-time process, memory, or network state needed to detect and analyze fileless malware that exists only in memory.

627
MCQhard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise?

A.Endpoint antivirus quarantine reports only
B.Packet captures from user laptops only
C.Cloud audit logs for identity, policy, and key-management API calls
D.Web server access logs from the public website
AnswerC

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option C is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Activity Log together with Entra ID sign-in and audit logs, Google Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, key creation, and authentication failures. These logs directly record the identity and resource management actions that indicate a compromise of the cloud management plane, whereas endpoint or network telemetry only reflects data-plane activity and cannot see API-level administrative actions.

Exam trap

The trap here is that candidates often confuse data-plane telemetry (endpoint AV, packet captures) with control-plane telemetry, failing to recognize that only cloud audit logs can capture administrative API calls like IAM policy changes and key creation.

How to eliminate wrong answers

Option A is wrong because endpoint antivirus quarantine reports only detect malware or file-based threats on individual devices; they cannot capture cloud control-plane API calls like IAM policy changes or access key creation. Option B is wrong because packet captures from user laptops only show network traffic at the data plane (e.g., HTTP, SSH sessions) and cannot log cloud management API requests that occur between the client and the cloud provider's control-plane endpoints.

628
MCQeasy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first?

A.Patch or mitigate the VPN appliance immediately and verify exposure is removed
B.Remediate only low-risk internal findings to improve closure rate
C.Start with the oldest medium vulnerability
D.Defer all remediation until the monthly patch window
AnswerA

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The VPN appliance's flaw is critical, requires no authentication, sits on the internet-facing perimeter, and is being exploited in the wild, which is the strongest combination in any risk-based prioritization model (severity plus exploitability plus exposure). An attacker needs no foothold to reach it, and a compromised VPN concentrator hands out access to the internal network. Patch it, or if no fix has shipped apply an interim mitigation such as restricting access at the edge, and then verify from the outside that the exposure is gone before closing the finding; an interim mitigation is acceptable only as a documented stopgap, never as a substitute for the fix.

Exam trap

The CS0-003 exam often tests the misconception that all vulnerabilities should be remediated in order of CVSS score alone, but here the trap is that candidates might choose a lower-severity internal finding because it is 'older' or 'easier to fix,' ignoring the criticality of an actively exploited, internet-facing RCE that demands immediate action regardless of other metrics.

How to eliminate wrong answers

Option B is wrong because focusing on low-risk internal findings to improve closure rate ignores the critical external threat; closure rate metrics are secondary to actual risk reduction, and this approach would leave the most dangerous vulnerability unaddressed. Option C is wrong because prioritizing by age (oldest medium vulnerability) disregards severity and active exploitation; a medium internal flaw, regardless of age, poses far less risk than a critical unauthenticated RCE on an internet-facing device that is already being exploited in the wild.

629
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant?

A.Office document spawning a script interpreter from a user context
B.Successful DHCP renewal
C.High CPU usage on the print server
D.A password expiry warning
AnswerA

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

The correct detection logic is 'Office document spawning a script interpreter from a user context' because the scenario describes a classic malware execution chain: a user opens an invoice document (likely a malicious Office file with embedded macros or an exploit), which then launches wscript.exe (the Windows Script Host interpreter) from the user's profile. Process-creation telemetry that records the parent process (Sysmon Event ID 1 ParentImage, or Security event 4688 Creator Process Name) is what makes this rule possible. The Office-to-interpreter chain is a strong indicator of a script-based attack, such as a macro downloader, and is exactly the kind of behavioural rule detection engineering should prioritise over single-artifact indicators.

Exam trap

The CS0-003 exam often tests the distinction between process-level behavioral detection (e.g., script interpreter spawned by Office) and unrelated system or network metrics, so candidates may mistakenly choose a generic performance or network event instead of recognizing the specific attack chain.

How to eliminate wrong answers

Option B is wrong because successful DHCP renewal is a routine network event that does not involve script execution or user-initiated document processing, and it would not generate noise relevant to the described attack chain. Option C is wrong because high CPU usage on the print server is a performance metric unrelated to endpoint script execution from an Office document, and it would not help detect or tune for the specific threat of wscript.exe being spawned from a user context.
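
The Office-to-interpreter rule from question 629 with the noise-reduction step built in, as an added example that is not part of the exam page. The records are constructed in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine, User); "ContosoAddin" is an assumed in-house add-in used to show how a documented exception is tuned out by exact command line rather than by image name.

```python
"""Office-to-script-interpreter detection with tuning. Added example, not from
the exam page. EVENTS are constructed process-creation records in the shape of
Sysmon Event ID 1 (ParentImage, Image, CommandLine, User)."""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Script paths under a user-writable profile directory: typical for a phishing
# payload dropped by a document, atypical for a deployed add-in.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)

# Tuning: suppress by exact, documented command line, never by image name alone.
# "ContosoAddin" is an assumed in-house add-in, not anything from the page.
ALLOWLIST = [re.compile(r"C:\\Program Files\\ContosoAddin\\refresh\.vbs", re.I)]

EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\invoice_4411.js"',
     "User": r"CORP\jdoe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //nologo "C:\Program Files\ContosoAddin\refresh.vbs"',
     "User": r"CORP\asmith"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\Desktop\cleanup.vbs",
     "User": r"CORP\bob"},
]


def classify(event, allowlist=ALLOWLIST):
    """None: not an Office->interpreter chain, the rule stays silent.
    'suppressed': chain matched but the command line is an allow-listed add-in.
    'medium'/'high': alert; high when the script lives in a user-writable path."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    if any(p.search(event["CommandLine"]) for p in allowlist):
        return "suppressed"
    return "high" if USER_WRITABLE.search(event["CommandLine"]) else "medium"


def triage(events, allowlist=ALLOWLIST):
    """(User, verdict) per event, in input order."""
    return [(e["User"], classify(e, allowlist)) for e in events]


if __name__ == "__main__":
    for user, verdict in triage(EVENTS):
        print(user, verdict)
```

Keep suppressed events in the log at informational level rather than dropping them: an attacker who learns the allow-listed path can plant a script there, and the record is what lets a hunter spot that. A wscript.exe launched by explorer.exe (a user double-clicking a .vbs) is deliberately outside this rule; it is noisy and belongs to a different detection.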

630
Drag & Dropmedium

Order the steps for deploying a new security patch to a production environment.

Why this order

Obtain the patch and verify it (vendor signature or published hash), test it in a staging environment that mirrors production, take a backup or snapshot of the production systems so the change can be rolled back, roll the patch out (staged where possible), then monitor for regressions and confirm by re-scan that the vulnerability is closed.

631
MCQeasy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority?

A.Asset criticality, exposure, and business impact
B.The colour of the scanner dashboard
C.The number of installed fonts
D.Whether the hostname is shorter
AnswerA

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which is a function of asset criticality, exposure, and business impact. The public payment API has high asset criticality (handles sensitive financial data), high exposure (accessible from the internet), and high business impact (breach could cause regulatory fines and revenue loss), whereas the isolated lab server has low exposure and minimal business impact. This aligns with the CVSS environmental score modifiers and NIST SP 800-30 risk assessment methodology.

Exam trap

The CS0-003 exam often tests the misconception that all vulnerabilities with the same CVE should be patched with equal urgency, ignoring the criticality of the asset and its exposure to threats.

How to eliminate wrong answers

Option B is wrong because the colour of the scanner dashboard is a cosmetic UI element and has no bearing on risk-based prioritization; vulnerability management decisions must be data-driven, not based on visual indicators. Option C is wrong because the number of installed fonts is irrelevant to security posture or remediation priority; it does not affect exploitability, exposure, or business impact.

632
Multi-Selectmedium

A security analyst is preparing a post-incident report for a recent data breach. The report must be tailored for multiple audiences, including executive leadership, legal counsel, and the technical remediation team. Which four of the following best practices should the analyst follow to ensure effective communication and reporting? (Choose four.)

Select 4 answers
.Including a high-level executive summary with business impact and risk exposure for the C-suite.
.Providing detailed technical indicators of compromise (IOCs) and remediation steps for the technical team.
.Including legal hold notices and chain-of-custody documentation for legal counsel.
.Using a single, standardized report format for all stakeholders to ensure consistency.
.Omitting the root cause analysis to avoid liability concerns in the legal review.
.Adding a timeline of events and actions taken for the incident response team.

Why this answer

Including a high-level executive summary with business impact and risk exposure is correct because executive leadership requires a non-technical overview that focuses on financial, legal, and reputational consequences. This aligns with the NIST SP 800-61 Rev. 2 recommendation to tailor incident reports to the audience, ensuring the C-suite can make informed strategic decisions without being bogged down by technical details.

Exam trap

CompTIA often tests the misconception that a single standardized report is efficient, but the trap is that it ignores the distinct information needs of different stakeholders, leading to ineffective communication and potential compliance failures.

633
MCQmedium

During a forensic investigation, an analyst creates a disk image using dd with a SHA256 hash. Later, the analyst needs to verify the integrity of the image before analysis. Which command should the analyst use to compare the original hash with a newly computed hash?

A.md5sum original.dd
B.dd if=image.dd | sha256sum
C.sha256sum image.dd
D.chksum -a sha256 image.dd
AnswerC

Computing the SHA256 hash of the image and comparing with the original ensures integrity.

Why this answer

Recomputing the digest with `sha256sum image.dd` and comparing it to the value recorded at acquisition verifies that the image has not changed. In practice the acquisition hash is saved in sha256sum's own format and checked with `sha256sum -c image.sha256`, which performs the comparison and reports OK or FAILED; record both the original and the verification hash in the chain-of-custody log. Option A uses a different algorithm, so its output cannot be compared with a SHA-256 value. Option B would in fact produce the same digest, because dd copies the image to stdout, but it is a pointless extra pass over the evidence; C is the direct form. Option D is not a standard utility (GNU coreutils ships `cksum`, not `chksum`).

634
MCQmedium

A cloud security analyst reviews AWS CloudTrail logs and notices multiple 'RunInstances' API calls from a single IAM user creating EC2 instances with public IP addresses in an unusual region. What is the most likely concern?

A.The user's credentials may be compromised and used for cryptomining
B.The user is performing legitimate scaling operations
C.The user is provisioning resources for a new project
D.The user is testing disaster recovery procedures
AnswerA

Cryptominers often use compromised accounts to launch instances in regions with cheap compute resources.

Why this answer

Creating instances in unusual regions with public IPs could indicate compromised credentials being used for cryptomining or other malicious activity.
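
The control-plane triage that questions 627 and 634 describe, as one added example that is not part of the exam page: CloudTrail-shaped records are scored for failed console logons with geo context, sensitive IAM writes, and RunInstances outside the regions the tenant normally uses. The records, the IP-to-country table, the expected regions and the known countries are all constructed assumptions; the field names (eventName, eventSource, awsRegion, sourceIPAddress, userIdentity, responseElements, requestParameters) follow CloudTrail's format.

```python
"""CloudTrail triage for control-plane abuse. Added example, not from the exam
page. RAW holds constructed CloudTrail-shaped records (one JSON object per
line); GEO is a constructed IP-to-country lookup standing in for a real one."""
import json
from collections import defaultdict

SENSITIVE_IAM = {"CreateAccessKey", "CreateUser", "PutUserPolicy", "AttachUserPolicy",
                 "AttachRolePolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy",
                 "DeactivateMFADevice", "CreateLoginProfile"}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}   # assumed tenant baseline
KNOWN_COUNTRIES = {"US", "IE"}                    # assumed user baseline
GEO = {"198.51.100.7": "US", "192.0.2.10": "IE", "203.0.113.44": "RO"}

RAW = r"""
{"eventTime":"2024-05-01T01:02:03Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T01:02:40Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-05-01T01:05:10Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"userName":"bob"}}
{"eventTime":"2024-05-01T01:06:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2024-05-01T01:09:30Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-south-1","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"instancesSet":{"items":[{"instanceType":"p3.8xlarge","minCount":8,"maxCount":8}]}}}
{"eventTime":"2024-05-01T09:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"instancesSet":{"items":[{"instanceType":"t3.small","minCount":1,"maxCount":1}]}}}
{"eventTime":"2024-05-01T09:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"}}
"""


def parse(raw):
    return [json.loads(line) for line in raw.strip().splitlines()]


def triage(records, expected_regions=EXPECTED_REGIONS,
           known_countries=KNOWN_COUNTRIES, geo=GEO):
    """Map principal -> list of findings. Only control-plane signals are
    scored: failed console logons (with geo context), sensitive IAM writes,
    and RunInstances outside the regions the tenant normally uses."""
    findings = defaultdict(list)
    for rec in records:
        ident = rec["userIdentity"]
        who = ident.get("userName") or ident.get("arn", "unknown")
        country = geo.get(rec.get("sourceIPAddress"), "??")
        geo_note = f"from {country}" + ("" if country in known_countries else " (new country)")
        name = rec["eventName"]
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings[who].append(f"console logon failure {geo_note}")
        elif rec["eventSource"] == "iam.amazonaws.com" and name in SENSITIVE_IAM:
            findings[who].append(f"sensitive IAM write {name} {geo_note}")
        elif name == "RunInstances" and rec["awsRegion"] not in expected_regions:
            items = rec["requestParameters"]["instancesSet"]["items"]
            count = sum(i.get("maxCount", 1) for i in items)
            findings[who].append(
                f"RunInstances in unexpected region {rec['awsRegion']} ({count} instances) {geo_note}")
    return dict(findings)


def rank(findings):
    """Principals with the most findings first; a logon failure followed by key
    creation, a policy change and bulk RunInstances from the same new country
    is the textbook credential-compromise-to-cryptomining sequence."""
    return sorted(findings, key=lambda who: -len(findings[who]))


if __name__ == "__main__":
    result = triage(parse(RAW))
    for who in rank(result):
        print(who, result[who])
```

The point of scoring at the principal level is that none of these events is damning alone: a single failed logon, one CreateAccessKey, or one RunInstances in a new region each has a benign explanation. The same identity producing all three within minutes from a country it has never used is what justifies the next triage step (disable the key, check the instances, look for the original credential leak).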

635
MCQeasy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured?

A.Disable all application authentication
B.Treat absence of findings as proof of security
C.Authenticated scanning with a test account and session handling
D.Reduce the scan to only the landing page
AnswerC

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated sessions to crawl and test pages behind login forms. Configuring authenticated scanning with a test account and proper session handling (e.g., cookie-based or token-based authentication) allows the scanner to maintain state and reach protected endpoints. Without this, the scanner only sees public content, missing vulnerabilities in authenticated areas.

Exam trap

The CS0-003 exam often tests the misconception that disabling authentication or ignoring missing findings is acceptable, when the correct approach is to configure authenticated scanning to ensure comprehensive coverage of the attack surface.

How to eliminate wrong answers

Option A is wrong because disabling all application authentication would remove the security controls protecting sensitive pages, potentially exposing the application to unauthorized access and violating security requirements. Option B is wrong because treating the absence of findings as proof of security is a false sense of confidence; the scanner simply did not test the authenticated pages, so no conclusions about their security can be drawn.

636
MCQeasy

Which of the following is the primary audience for a strategic threat intelligence report?

A.System administrators
B.SOC analysts
C.Executive leadership
D.Incident responders
AnswerC

Strategic intelligence is for executives.

Why this answer

Strategic intelligence is high-level and intended for executive leadership to inform business decisions.

637
MCQeasy

A vulnerability scan report shows a critical vulnerability on a web server with a CVSS score of 9.8. The IT manager wants to know the risk to the organization. Which of the following factors should the analyst consider FIRST?

A.The asset value and business criticality
B.The vendor's patch release schedule
C.The number of exploit attempts in the logs
D.The number of other vulnerabilities on the server
AnswerA

The impact of exploitation depends on how critical the server is.

Why this answer

The CVSS score of 9.8 indicates a critical severity vulnerability, but risk is a function of both severity and business context. The analyst must first assess the asset value and business criticality of the web server because a critical vulnerability on a non-essential server poses lower risk than the same vulnerability on a server handling sensitive data or core business processes. Without this context, the organization cannot prioritize remediation effectively.

Exam trap

CompTIA often tests the distinction between vulnerability severity (CVSS) and organizational risk, trapping candidates who confuse a high CVSS score with automatically high risk without considering asset context.

How to eliminate wrong answers

Option B is wrong because the vendor's patch release schedule is an operational consideration for remediation timing, not the primary factor for determining risk; risk assessment must first establish the impact on the organization. Option C is wrong because the number of exploit attempts in logs indicates current threat activity, but risk is evaluated based on potential impact and likelihood, not solely on observed attacks; a vulnerability with no current exploits can still pose high risk if the asset is critical. Option D is wrong because the number of other vulnerabilities on the server is irrelevant to the risk of this specific vulnerability; each vulnerability must be assessed independently based on asset criticality and exposure.
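
Questions 628, 631 and 637 all turn on the same idea: the same CVSS score yields different priorities depending on exposure, asset criticality and active exploitation. The ordering below is an added example, not from the exam page; the findings, the weights, the SLA days and the CVE labels (placeholders, not real identifiers) are assumed values chosen to mirror this page's scenarios.

```python
"""Risk-based remediation ordering. Added example, not from the exam page; the
findings, weights and SLAs are assumed values for illustration, and the CVE
labels are placeholders rather than real identifiers."""
from dataclasses import dataclass

EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}
CRITICALITY = {"high": 1.0, "medium": 0.6, "low": 0.3}
KEV_BOOST = 10.0   # anything exploited in the wild outranks every non-exploited item
SLA_DAYS = {"emergency": 2, "high": 14, "medium": 30, "low": 90}   # assumed policy


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    exposure: str      # internet | internal | isolated
    criticality: str   # high | medium | low
    known_exploited: bool = False


FINDINGS = [  # constructed, mirroring the scenarios on this page
    Finding("CVE-PLACEHOLDER-A", "vpn-edge-01", 9.8, "internet", "high", known_exploited=True),
    Finding("CVE-PLACEHOLDER-B", "payments-api-01", 9.1, "internet", "high"),
    Finding("CVE-PLACEHOLDER-B", "lab-box-07", 9.1, "isolated", "low"),
    Finding("CVE-PLACEHOLDER-C", "fileshare-02", 5.3, "internal", "medium"),
    Finding("CVE-PLACEHOLDER-D", "fileshare-02", 6.5, "internal", "medium"),
]


def risk_score(f):
    """CVSS scaled by where the asset sits and what it supports; an
    'exploited in the wild' flag (e.g. CISA KEV membership) dominates."""
    score = f.cvss * EXPOSURE[f.exposure] * CRITICALITY[f.criticality]
    return round(score + (KEV_BOOST if f.known_exploited else 0.0), 2)


def tier(f):
    if f.known_exploited and f.exposure == "internet":
        return "emergency"
    s = risk_score(f)
    if s >= 7.0:
        return "high"
    if s >= 3.0:
        return "medium"
    return "low"


def prioritize(findings):
    """Ordered work queue: (asset, cve, score, tier, sla_days)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, f.cve, risk_score(f), tier(f), SLA_DAYS[tier(f)]) for f in ranked]


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

The weights are deliberately crude; what matters is the shape of the result. The actively exploited internet-facing RCE lands on top regardless of what else is open, the payment API and the isolated lab server share a CVE yet end up at opposite ends of the queue, and a medium finding on an internal file server outranks a critical one on a box nobody can reach. Feed real KEV data and an asset inventory into the same function and the ordering becomes defensible to an auditor.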

638
Multi-Selectmedium

A vulnerability management analyst is reviewing the results of an authenticated scan. The analyst identifies several medium-severity vulnerabilities that have been present for over a year. Which of the following are the best actions to take? (Choose two.)

Select 2 answers
A.Verify the vulnerabilities are still relevant by re-scanning.
B.Escalate to the asset owner for remediation.
C.Accept the risk if the system is no longer in use.
D.Remove the system from the network.
E.Increase the severity rating to high to ensure remediation.
AnswersA, B

Re-scanning confirms current status.

Why this answer

Option A is correct because re-scanning verifies whether the vulnerabilities are still present or have been remediated by other means (e.g., patching, configuration changes). Over a year, the environment may have changed, and the original scan results could be stale. An authenticated scan provides deeper visibility, but a fresh scan is the only way to confirm current relevance before taking further action.

Exam trap

CompTIA often tests the misconception that old vulnerabilities should automatically be escalated or reclassified, when in fact the first step is always to re-verify the finding with a current scan to avoid wasting resources on false positives or already-remediated issues.

639
MCQhard

An organization uses a SIEM with a rule that triggers when a user fails to authenticate five times within 10 minutes. Last night, the rule fired for a service account from an internal IP. What should be the first triage step?

A.Disable the service account immediately
B.Block the internal IP address at the firewall
C.Review the account's recent activity and correlate with system logs
D.Reset the service account password
AnswerC

Determines if failures are legitimate or malicious.

Why this answer

Option C is correct. The analyst should first establish whether the failures are expected: service accounts often have scheduled jobs or stored credentials that fail repeatedly after a password rotation or a decommissioned host, so five failures may be a misconfiguration rather than an attack. Correlating the alert with the account's normal logon sources and times, and with the system logs on the source host, distinguishes the two cases. Disabling the account (A) could take down the service it runs; blocking the IP (B) is premature before knowing what the host is; resetting the password (D) can lock out legitimate use and, for a misconfigured job, changes nothing about the failures.

640
MCQeasy

Which of the following best describes the purpose of the CISA Known Exploited Vulnerabilities (KEV) catalog in vulnerability management?

A.It lists vulnerabilities that are known to have been exploited in the wild
B.It provides a framework for conducting penetration tests
C.It provides a scoring system for vulnerability severity
D.It offers a database of configuration baselines for operating systems
AnswerA

KEV catalog focuses on actively exploited vulnerabilities.

Why this answer

The KEV catalog is a list of vulnerabilities that have been actively exploited in the wild, published by CISA to help organizations prioritize patching.

641
MCQhard

A security analyst discovers a critical vulnerability in a web application that allows an attacker to trigger server-side requests from the application server. Which OWASP Top 10 category does this vulnerability belong to?

A.Broken Access Control
B.Security Misconfiguration
C.Injection
D.Server-Side Request Forgery (SSRF)
AnswerD

The description matches SSRF.

Why this answer

Server-Side Request Forgery (SSRF) is a distinct category in OWASP Top 10 (A10:2021).
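
The mitigation for the flaw in question 641, as an added example that is not from the exam page or any specific application: a deny-by-default destination check that a server-side fetch must pass before it connects. The resolver is injectable so the check can be exercised offline; FAKE_DNS and the hostnames in it are constructed, and the `opener` callable stands in for whatever HTTP client the application uses.

```python
"""SSRF destination validation. Added example, not from the exam page or any
specific application. The resolver is injectable so the check can be exercised
offline; FAKE_DNS is a constructed lookup table."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """All A/AAAA answers for host; every one of them must be acceptable."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def _unwrap(ip):
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def resolved_targets(url, resolver=system_resolver):
    """Set of IPs the request would actually reach, or None if that cannot be
    established (bad scheme, no host, resolution failure)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    host = parts.hostname
    try:                                  # IP literal: no DNS involved
        return {_unwrap(ipaddress.ip_address(host))}
    except ValueError:
        pass
    try:
        return {_unwrap(ip) for ip in resolver(host)}
    except (OSError, ValueError):
        return None


def is_safe_target(url, resolver=system_resolver):
    """Deny-by-default: only globally routable unicast destinations pass, so
    loopback, RFC 1918, link-local (169.254.169.254 metadata), multicast and
    reserved ranges are rejected, as is anything that fails to resolve."""
    targets = resolved_targets(url, resolver)
    if not targets:
        return False
    return all(ip.is_global and not ip.is_multicast for ip in targets)


# --- the vulnerable pattern and the hardened one, side by side ---------------
def fetch_unsafe(user_url, opener):
    return opener(user_url)                       # whatever the user supplied goes out


def fetch_checked(user_url, opener, resolver=system_resolver):
    if not is_safe_target(user_url, resolver):
        raise ValueError("destination not permitted")
    return opener(user_url)                       # opener must also refuse redirects


FAKE_DNS = {  # constructed answers for offline use
    "example.com": {ipaddress.ip_address("93.184.216.34")},
    "intranet.corp": {ipaddress.ip_address("10.20.0.5")},
    "rebind.evil": {ipaddress.ip_address("93.184.216.34"), ipaddress.ip_address("127.0.0.1")},
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]
```

Two caveats that the check alone does not cover: the HTTP client must not follow redirects (or must re-run the check on every hop), and the name resolved during validation must be the address actually connected to, otherwise a DNS-rebinding attacker answers once with a public IP and once with an internal one. Pinning the connection to the validated IP, or resolving inside the client with the same policy, closes that window; where a fixed set of partner hosts is all the feature needs, an allow list beats any deny list.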

642
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST?

A.A vulnerability scanner run once per quarter
B.Host-based file integrity monitoring only
C.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D.Inline IPS mode with drop rules for all signatures
AnswerC

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Suricata or Snort in IDS mode on a monitored network tap or SPAN port is the correct deployment because it passively inspects packet payloads against exploit signatures without blocking traffic, generating alerts only. This matches the requirement for detection without inline blocking, as IDS mode operates out-of-band on a copy of the traffic.

Exam trap

The CS0-003 exam often tests the distinction between IDS and IPS modes. Candidates sometimes pick the inline IPS deployment (Snort or Suricata inline via NFQUEUE or AF_PACKET, with drop rules) because they assume detection requires blocking, but the question explicitly requires alerting without blocking, and passive monitoring on a tap or SPAN port is the only option that satisfies it.

How to eliminate wrong answers

Option A is wrong because a vulnerability scanner run once per quarter is a periodic assessment tool that identifies system weaknesses, not a real-time network sensor that detects exploit traffic via packet payload signatures; it cannot generate alerts on live traffic. Option B is wrong because host-based file integrity monitoring only detects changes to files on a host, not network-level exploit payloads in packets; it lacks the ability to inspect network traffic payloads. Option D is wrong because inline IPS mode with drop rules for every signature blocks matching traffic, which contradicts the requirement and would turn every false positive into an outage.

643
MCQhard

What is the net effect of the policy shown in the exhibit on requests from an IP address in the 10.0.0.0/8 range?

A.Allows all S3 actions from the 10.0.0.0/8 range and denies from other IPs.
B.Denies all S3 actions from all IP addresses.
C.Denies all S3 actions except GetObject from the 10.0.0.0/8 range.
D.Allows GetObject requests from the 10.0.0.0/8 range and denies all other S3 actions.
AnswerB

The Deny statement applies to all resources and does not have a condition, so it denies all actions on the bucket. The Allow is effectively overridden.

Why this answer

The exhibit pairs an Allow statement (the one that makes options A and D tempting) with a Deny statement for all S3 actions (s3:*) on the bucket and its objects that carries no Condition block. AWS evaluates policies as: an explicit Deny wins over everything, then an explicit Allow grants, otherwise the request is implicitly denied. Because the unconditioned Deny matches every request, it overrides the Allow, and requests from 10.0.0.0/8 are refused exactly like every other request. For the Deny to exempt the internal range it would need a condition such as NotIpAddress on aws:SourceIp, and even then access from 10.0.0.0/8 would come only from a matching Allow (in this policy or an identity policy), never from the Deny itself.

Exam trap

CompTIA often tests the trap of reading the Allow statement and stopping there: an explicit Deny with no condition wins regardless of statement order, so the Allow never takes effect. Read the Condition block, or note its absence, on every Deny before deciding what a policy permits.

How to eliminate wrong answers

Option A is wrong because the unconditioned Deny applies to requests from 10.0.0.0/8 as well; no Allow can out-rank an explicit Deny. Option C is wrong because the Deny covers s3:*, which includes GetObject, and nothing carves GetObject out. Option D is wrong for the same reason: a GetObject request from 10.0.0.0/8 is matched by the Deny and refused.
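
The evaluation logic behind question 643, together with the public-read check from question 625, as one added example that is not part of the exam page. The page does not reproduce either exhibit, so the three policies below are constructed stand-ins (the bucket name is assumed): a plain public-read grant, an Allow for the internal range paired with an unconditioned Deny, and the variant candidates tend to imagine, where the Deny carries NotIpAddress. Only aws:SourceIp conditions are modelled.

```python
"""Bucket-policy evaluation and public-access linting. Added example, not the
exam page's exhibits, which are not reproduced on the page; the three policies
below are constructed stand-ins for questions 625 and 643. Only aws:SourceIp
conditions (IpAddress / NotIpAddress) are modelled."""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::example-bucket"      # assumed bucket name
RANGE_CONDITION = {"aws:SourceIp": "10.0.0.0/8"}

PUBLIC_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
]}

# Q643 reading: an Allow for the internal range, plus a Deny on s3:* with NO
# Condition. The explicit Deny matches every request and wins.
DENY_ALL_OVERRIDES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"IpAddress": RANGE_CONDITION}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}

# The variant candidates imagine: the Deny carries NotIpAddress, so it only
# matches requests from outside 10.0.0.0/8 and the Allow survives inside it.
DENY_OUTSIDE_RANGE = {"Version": "2012-10-17", "Statement": [
    DENY_ALL_OVERRIDES["Statement"][0],
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"NotIpAddress": RANGE_CONDITION}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v in ("*", caller) for v in _as_list(principal.get("AWS", [])))
    return False


def _condition_matches(condition, source_ip):
    if not condition:
        return True
    ip = ipaddress.ip_address(source_ip)
    for operator, kv in condition.items():
        nets = [ipaddress.ip_network(c) for c in _as_list(kv.get("aws:SourceIp", []))]
        in_range = any(ip in n for n in nets)
        if (operator == "IpAddress" and not in_range) or (operator == "NotIpAddress" and in_range):
            return False
    return True


def _matches(stmt, action, resource, caller, source_ip):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
            and _principal_matches(stmt.get("Principal", {}), caller)
            and _condition_matches(stmt.get("Condition"), source_ip))


def evaluate(policy, action, resource, caller="anonymous", source_ip="203.0.113.5"):
    """AWS order of evaluation: an explicit Deny beats every Allow; with no
    matching Allow the result is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource, caller, source_ip):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def public_read_statements(policy):
    """Indexes of Allow statements granting s3:GetObject to any principal with
    no Condition at all. (AWS's own 'public' definition is wider: many
    conditions do not make a '*' principal non-public.)"""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt["Effect"] == "Allow" and not stmt.get("Condition")
                and _principal_matches(stmt.get("Principal", {}), "anonymous")
                and any(fnmatch.fnmatchcase("s3:GetObject", a) for a in _as_list(stmt["Action"]))):
            hits.append(i)
    return hits
```

The evaluator deliberately ignores identity policies, SCPs and Block Public Access, so it answers only the question a bucket policy can answer on its own: given this statement set, does an explicit Deny reach the request? That is enough to show why the unconditioned Deny refuses the 10.0.0.0/8 client and why moving the range into a NotIpAddress condition on the Deny, as candidates tend to assume, flips the outcome for that client.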

644
MCQmedium

An organization is preparing for an audit to demonstrate compliance with GDPR. The compliance officer needs to provide evidence of data protection controls. Which of the following would be the BEST evidence to include?

A.The organization's risk register
B.Copies of recent vulnerability scan reports and access review logs
C.Email communications about security incidents
D.A summary of security policies and procedures
AnswerB

These are concrete evidence of controls.

Why this answer

Log exports, configuration reports, vulnerability scans, and access reviews are typical evidence for GDPR audits.

645
MCQhard

A SOC analyst notices a spike in outbound traffic from a server that normally only serves web pages. The signature-based IDS did not alert. What should the analyst do next?

A.Query threat intelligence for the destination IPs
B.Disable the server immediately
C.Check for zero-day vulnerabilities
D.Increase the IDS sensitivity threshold
AnswerA

Helps determine if traffic is malicious.

Why this answer

Querying threat intelligence for the destination IPs is the correct next step because a spike in outbound traffic from a web server that normally only answers requests suggests data exfiltration or command-and-control (C2) communication. Since the signature-based IDS did not alert, the traffic may not match any deployed signature: new tooling, encrypted C2, or a destination that looks ordinary. Threat intelligence can reveal whether the destination IPs are associated with known malicious actors, botnets, or recent campaigns, giving the context needed to decide whether the traffic is benign or malicious before taking disruptive action.

Exam trap

CompTIA often tests the misconception that a signature-based IDS failing to alert means the traffic is safe, leading candidates to incorrectly choose increasing IDS sensitivity or checking for zero-days, rather than recognizing that the analyst must pivot to threat intelligence to identify unknown or evasive threats.

How to eliminate wrong answers

Option B is wrong because immediately disabling the server is a drastic, reactive measure that could disrupt legitimate services without first confirming malicious activity; a SOC analyst should investigate and contain, not blindly shut down. Option C is wrong because checking for zero-day vulnerabilities is premature and unrelated to the immediate symptom of an outbound traffic spike; zero-day research is part of vulnerability management, not real-time traffic analysis. Option D is wrong because increasing the IDS sensitivity threshold would generate more false positives and does not address the root cause: the IDS produced no alert because no deployed signature matched the traffic, not because the sensitivity was too low, so turning it up adds noise rather than coverage.

646
Multi-Selectmedium

A security team is responding to a suspected data breach involving exfiltration of customer data via email. During the containment phase, which TWO actions should the team perform to preserve evidence while preventing further data loss?

Select 2 answers
A.Disable the compromised user account.
B.Take a memory dump of the email server.
C.Rebuild the email server from backup.
D.Notify all customers immediately.
E.Apply all available patches to the email server.
AnswersA, B

Disabling the account stops further unauthorized access and data exfiltration.

Why this answer

Disabling the compromised account cuts off the attacker's access path immediately, and a memory dump of the email server preserves volatile evidence (sessions, processes, active client connections) before it is lost. Rebuilding or patching the server first would destroy that evidence, and customer notification is a later, legally driven step rather than a containment action.

647
MCQhard

In a regulated payment environment, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth app grant to stop ongoing unauthorized access, then review the mailbox for any data exfiltration or tampering, and finally identify other users who may have consented to the same app to contain a broader compromise. This aligns with the NIST SP 800-61 incident response process for detection and analysis, where the most defensible decision is to remove the attacker's foothold while preserving evidence for forensic analysis. Revoking the grant directly addresses the OAuth consent attack vector, which bypasses traditional password-based controls and MFA.

Exam trap

The CS0-003 exam often tests the misconception that MFA or password resets are sufficient to stop OAuth-based attacks, when in reality OAuth grants operate outside the authentication boundary and require explicit revocation of the app's permissions.

How to eliminate wrong answers

Option A is wrong because ignoring the incident despite MFA being enabled is a critical mistake: a consent grant lets the app access the mailbox with tokens issued to the app, so the user's password and MFA are never involved and provide no protection against this attack. Option B is wrong because deleting all emails from the mailbox destroys potential evidence of data exfiltration, mailbox rules created by the attacker, or other indicators of compromise, violating the principle of preserving evidence during incident response. Option C is wrong because resetting the user's Windows password does not remove the consent grant; the app keeps its access under that grant, independent of the user's credentials, so the reset is at best a temporary interruption.
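
The scoping step from question 647 (revoke the grant, review the mailbox, find every other user who consented), as an added example that is not part of the exam page. AUDIT is a constructed list in the shape of Entra ID audit entries for 'Consent to application'; the appIds, users and the high-risk scope list are assumptions. It deliberately includes a legitimate in-house app with the same display name but a different appId, because scoping by display name is exactly the mistake consent phishing exploits.

```python
"""OAuth consent-grant triage. Added example, not from the exam page. AUDIT is
a constructed list in the shape of Entra ID audit entries for
'Consent to application'; appIds and users are made up."""
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
                    "Files.ReadWrite.All", "Contacts.Read", "offline_access",
                    "MailboxSettings.ReadWrite"}

MALICIOUS_APP = "11111111-aaaa-4bbb-8ccc-000000000001"   # constructed appId
INHOUSE_APP = "22222222-dddd-4eee-8fff-000000000002"     # constructed appId, same name

AUDIT = [
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": "jdoe@example.com", "appDisplayName": "Invoice Reader",
     "appId": MALICIOUS_APP, "scope": "Mail.Read offline_access User.Read",
     "consentType": "Principal"},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": "asmith@example.com", "appDisplayName": "Invoice Reader",
     "appId": MALICIOUS_APP, "scope": "Mail.ReadWrite offline_access",
     "consentType": "Principal"},
    {"activityDisplayName": "Consent to application", "result": "success",
     "initiatedBy": "finance-admin@example.com", "appDisplayName": "Invoice Reader",
     "appId": INHOUSE_APP, "scope": "User.Read", "consentType": "Principal"},
    {"activityDisplayName": "Consent to application", "result": "failure",
     "initiatedBy": "bob@example.com", "appDisplayName": "Invoice Reader",
     "appId": MALICIOUS_APP, "scope": "Mail.Read offline_access",
     "consentType": "Principal"},
]


def grants_for_app(audit, app_id):
    """Successful delegated consents to exactly this appId. Scope by appId,
    never by display name: look-alike names are the point of consent phishing."""
    return [e for e in audit
            if e["activityDisplayName"] == "Consent to application"
            and e["result"] == "success" and e["appId"] == app_id]


def blast_radius(audit, app_id):
    """user -> set of high-risk scopes the app holds on that user's behalf."""
    return {e["initiatedBy"]: set(e["scope"].split()) & HIGH_RISK_SCOPES
            for e in grants_for_app(audit, app_id)}


def response_plan(audit, app_id):
    """Ordered containment steps derived from the grants; a mailbox review is
    listed for every user whose grant included a mail scope."""
    radius = blast_radius(audit, app_id)
    steps = [f"disable/block service principal {app_id} tenant-wide"]
    for user, scopes in sorted(radius.items()):
        label = " ".join(sorted(scopes)) or "no high-risk scopes"
        steps.append(f"revoke consent grant for {user} ({label})")
        if any(s.startswith("Mail") for s in scopes):
            steps.append(f"review mailbox of {user}: inbox rules, forwarding, unusual reads")
    steps.append(f"hunt for appId {app_id} in sign-in logs and consent events tenant-wide")
    return steps


if __name__ == "__main__":
    for step in response_plan(AUDIT, MALICIOUS_APP):
        print(step)
```

Note what the plan does not do: it never touches finance-admin's grant to the real in-house app, and it counts bob's failed consent as a phishing target to warn rather than a grant to revoke. Blocking the service principal first stops new tokens for everyone at once; the per-user revocations and mailbox reviews then close out each confirmed victim with evidence preserved.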

648
Multi-Select · medium

An analyst is preparing a vulnerability report for management. Which THREE sections should be included to effectively communicate findings and remediation? (Select THREE.)

Select 3 answers
A.Executive summary
B.Incident response procedures
C.Network topology diagram
D.Findings by severity
E.Remediation timeline
Answers: A, D, E

Provides high-level overview for management.

Why this answer

A vulnerability report typically includes an executive summary for leadership, findings by severity to prioritize, and a remediation timeline for action. Incident response procedures and a network topology diagram belong in other documents and are not standard sections of a vulnerability report.

649
MCQ · hard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the evidence-source phase, which evidence source best supports or refutes the detection?

A.Only monthly vulnerability scan summaries
B.Only user password age reports
C.Only physical datacenter access logs
D.Container runtime events, Kubernetes audit logs, and network flow from the pod
Answer: D

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., from containerd or CRI-O) capture process spawns like an unexpected shell, Kubernetes audit logs record API calls that could indicate a compromised pod mounting the host filesystem, and network flow logs from the pod (e.g., via eBPF or Calico) reveal outbound connections to an unknown IP. Together, these three telemetry sources provide direct, real-time evidence of the three suspicious behaviors described, making them the most useful for detection and investigation.

Exam trap

CompTIA often tests the distinction between passive, periodic compliance artifacts (vulnerability scans, password reports) and active, real-time telemetry (runtime events, audit logs, network flows) that directly capture the sequence of malicious actions in a containerized environment.

How to eliminate wrong answers

Option A is wrong because monthly vulnerability scan summaries are point-in-time snapshots of known CVEs and cannot detect real-time anomalous behavior like a shell spawn, filesystem mount, or outbound connection. Option B is wrong because user password age reports are identity and access management artifacts unrelated to runtime container activity or network flows. Option C is wrong because physical datacenter access logs track human entry to facilities, not container-level process or network events, and cannot refute or support a workload compromise.

650
MCQ · medium

An analyst reviews AWS CloudTrail logs and detects multiple 'CreateNetworkAclEntry' API calls from a user who does not typically perform network administration. What type of activity is this?

A.Cloud misconfiguration
B.Privilege escalation or lateral movement
C.Normal administrative activity
D.Data exfiltration via NACL
Answer: B

Unauthorized network changes could indicate privilege escalation.

Why this answer

Unusual API calls from a user outside their normal role may indicate privilege abuse or a compromised account.

651
MCQ · medium

An organization has been experiencing repeated phishing attacks that bypass email filters. The incident response team wants to enhance detection by creating rules based on characteristics of the phishing emails. Which of the following IOCs would be most effective for detecting similar phishing campaigns?

A.Registry keys modified by the payload
B.File hashes of attached malware
C.IP addresses of the phishing servers
D.Email subject lines and sender domain
Answer: D

These are common across phishing campaigns and can be used to filter emails.

Why this answer

Email indicators such as subject lines, sender addresses, or embedded URLs are directly observable in emails and help identify phishing patterns.

652
MCQ · hard

A security analyst is tasked with performing a risk assessment for a new web application. The application will handle sensitive customer data. Which of the following should the analyst do FIRST to identify vulnerabilities specific to the application?

A.Run a network vulnerability scan against the application server.
B.Perform a penetration test on the application.
C.Perform a source code review.
D.Conduct a threat model of the application.
Answer: D

Threat modeling identifies threats and vulnerabilities early.

Why this answer

Option D is correct because a threat model helps identify potential vulnerabilities early in the development lifecycle. Option A is wrong because a network scan is too broad. Option B is wrong because a penetration test is performed later. Option C is wrong because a code review may be part of the process, but threat modeling comes first.

653
MCQ · medium

An analyst is creating a compliance dashboard for management. Which of the following is the most relevant metric to include regarding patch management?

A.Number of antivirus alerts
B.Phishing simulation click rate
C.Mean time to detect incidents
D.Patch SLA compliance %
Answer: D

This metric shows compliance with patching deadlines.

Why this answer

Patch SLA compliance percentage directly measures how well the organization meets patch deadlines, which is a key compliance metric.

654
Multi-Select · easy

A security analyst is reviewing IOCs from a threat intelligence feed. The analyst wants to enrich the IOCs using open-source tools. Which THREE tools are commonly used for IOC enrichment? (Select three.)

Select 3 answers
A.WHOIS
B.Wireshark
C.VirusTotal
D.Shodan
E.Nmap
Answers: A, C, D

WHOIS looks up domain registration data.

Why this answer

VirusTotal provides file and URL reputation. Shodan gives information about exposed services. WHOIS reveals domain registration details.

These are standard enrichment sources.

655
Multi-Select · medium

Which items help make a post-incident report useful for technical teams? (Choose two.)

Select 2 answers
A.Generic motivational slogans
B.Unrelated financial forecasts
C.Root cause and exploited control gaps
D.Specific remediation tasks with owners and validation steps
Answers: C, D

Technical teams need to know what failed.

Why this answer

Option C is correct because a post-incident report must include the root cause and exploited control gaps to enable technical teams to implement targeted remediation. Without identifying the specific vulnerability (e.g., unpatched CVE, misconfigured firewall rule, weak authentication mechanism) and the control failure that allowed the exploit, the report lacks actionable intelligence for hardening defenses.

Exam trap

The CS0-003 exam often tests the misconception that a post-incident report should include broad business or motivational content, but the exam expects candidates to recognize that only technical, actionable details (like root cause and control gaps) are useful for remediation teams.

656
MCQ · medium

An organization is experiencing a DDoS attack targeting its web servers. Which of the following is the BEST short-term containment strategy?

A.Rebuild the web servers from backups.
B.Implement rate limiting on the firewall.
C.Reroute traffic through a DDoS mitigation service.
D.Disable the web server accounts.
Answer: C

This is a common short-term containment for DDoS attacks.

Why this answer

Short-term containment for DDoS often involves rerouting traffic through a scrubbing center or cloud-based DDoS mitigation service that filters malicious traffic.

657
MCQ · medium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the containment trade-off phase, which response balances containment with evidence preservation?

A.A scheduled password rotation completed successfully
B.The file share requires more storage capacity
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The SIEM parser is always broken
Answer: C

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

The presence of a deception credential in a file share that is used to authenticate to a server, with no legitimate user knowing it, strongly indicates that an attacker has discovered and used the credential to gain unauthorized access. This is a classic sign of credential access (stealing credentials) followed by lateral movement (using them to authenticate to another system). Such activity is a high-priority incident because it suggests the attacker has moved beyond initial compromise and is actively expanding their foothold, which requires immediate containment and investigation.

Exam trap

The CS0-003 exam often tests the distinction between benign administrative actions (like password rotation) and malicious credential abuse; the trap here is that candidates may dismiss the credential usage as a routine operation rather than recognizing it as a high-priority indicator of compromise.

How to eliminate wrong answers

Option A is wrong because a scheduled password rotation completing successfully would not involve a credential that no legitimate user should know; password rotations are planned events that update credentials for authorized use, not create unknown credentials used for authentication. Option B is wrong because the file share requiring more storage capacity is a capacity planning issue unrelated to security events; it does not explain why a credential unknown to legitimate users is being used to authenticate to a server.

658
MCQ · hard

During forensic analysis of a compromised server, the analyst finds that the attacker deleted the system logs. Which data source is most likely to still contain relevant evidence?

A.Memory dump from before the attack
B.Endpoint detection and response (EDR) telemetry
C.Network flow logs
D.Backup tapes
Answer: B

EDR typically records process creations and network connections off-host.

Why this answer

EDR telemetry is the most reliable source because it captures process creation, network connections, file modifications, and registry changes in real-time, storing them off-host. Even if an attacker deletes local system logs, the EDR agent's telemetry stream remains intact on the central management server, providing a forensic timeline of the attacker's actions.

Exam trap

CompTIA often tests the misconception that backup tapes are the ultimate forensic source, but the trap here is that attackers often delete logs during the incident, and only real-time, off-host telemetry (like EDR) preserves the sequence of events that occurred on the compromised host.

How to eliminate wrong answers

Option A is wrong because a memory dump from before the attack would not contain evidence of the attack itself; it captures a snapshot of the system state at that earlier time, not the attacker's activities. Option C is wrong because network flow logs (e.g., NetFlow, IPFIX) only record metadata like source/destination IPs, ports, and byte counts, not the actual system-level events (e.g., log deletion, process execution) that occurred on the compromised server. Option D is wrong because backup tapes contain point-in-time copies of files and system state, but they are typically taken on a schedule (e.g., nightly) and may not include the logs that were deleted during the attack window; moreover, restoring from backup is time-consuming and may overwrite current evidence.

659
MCQ · easy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Office document spawning a script interpreter from a user context
B.High CPU usage on the print server
C.A password expiry warning
D.Successful DHCP renewal
Answer: A

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option A is correct because the scenario describes a classic phishing attack where a malicious macro or embedded script in an Office document (the invoice) executes wscript.exe from the user's profile. This behavior matches the detection logic of 'Office document spawning a script interpreter from a user context,' which is a key indicator of script-based malware execution. The root-cause analysis would identify the malicious document as the initial vector, directly explaining the subsequent process execution.

Exam trap

The CS0-003 exam often tests the distinction between a security detection logic (process ancestry) and unrelated operational metrics (CPU usage, password expiry) to see if candidates can focus on the direct cause of a security incident rather than being distracted by noise.

How to eliminate wrong answers

Option B is wrong because high CPU usage on the print server is unrelated to the endpoint execution of wscript.exe from a user profile; it describes a performance issue, not a security event involving script execution. Option C is wrong because a password expiry warning is an administrative notification that does not explain the execution of a script interpreter from a user context; it is a separate operational concern, not a root cause for malicious process spawning.

660
MCQ · medium

A user receives repeated MFA prompts and eventually approves one they did not initiate. How should the analyst classify this behaviour? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.DNS tunnelling
B.SSL certificate expiry
C.MFA fatigue or push-bombing attack
D.Password spraying only
Answer: C

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

The scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This is a social engineering technique that exploits human behavior, not a technical vulnerability. Option C correctly identifies this attack pattern, which is a known tactic in credential-stuffing and account-takeover campaigns.

Exam trap

The CS0-003 exam often tests the distinction between technical exploits (like DNS tunnelling) and human-factor attacks (like MFA fatigue), so candidates may mistakenly choose a technical-sounding option when the question describes user behavior rather than a protocol-level attack.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling encodes data in DNS queries/responses to exfiltrate data or establish C2 channels; it does not involve repeated MFA prompts or user approval. Option B is wrong because SSL certificate expiry causes browser warnings or connection failures, not repeated MFA push notifications; it is a certificate lifecycle issue, not an authentication attack.

661
MCQ · medium

An analyst is creating a YARA rule to detect a specific malware family that uses the string 'evil' in its PE file. Which of the following rule structures is correct?

A.rule detect_malware { strings: $a = "evil" condition: $a }
B.rule detect_malware { strings: "evil" condition: $a }
C.rule detect_malware { condition: $a = "evil" }
D.if "evil" in file then alert
Answer: A

Correct structure: rule name, strings section with identifier, condition using identifier.

Why this answer

The standard YARA rule structure includes the rule name, an optional meta section, a strings section, and a condition section. The condition must reference the string identifier declared in the strings section.

662
Multi-Select · medium

A security team is tuning a SIEM rule that alerts on all outbound connections to IP addresses classified as 'high risk' by threat intelligence. The rule generates many false positives because some legitimate services use these IPs. Which two actions should the analyst take to reduce false positives? (Select TWO.)

Select 2 answers
A.Ignore the false positives and continue
B.Increase the risk score threshold to only alert on very high risk IPs
C.Expand the rule to include all risky IPs
D.Add known legitimate IP addresses to an exclusion list
E.Disable the rule
Answers: B, D

Raising the threshold reduces alerts from borderline IPs.

Why this answer

Allowlisting known legitimate IPs (D) and increasing the risk threshold (B) reduce false positives without disabling the rule. Disabling the rule (E) removes detection, ignoring alerts (A) is not proper tuning, and expanding to all risky IPs (C) would increase false positives.

663
MCQ · medium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.The SIEM parser is always broken
B.A scheduled password rotation completed successfully
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The file share requires more storage capacity
Answer: C

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

A deception credential that no legitimate user should know being used to authenticate to a server is a classic indicator of credential theft and lateral movement. In the alert triage phase, this finding warrants high-priority investigation because it suggests an attacker has successfully extracted the credential from the file share and is using it to move laterally within the network, which is a critical security incident.

Exam trap

The CS0-003 exam often tests the concept that deception credentials are specifically designed to detect credential theft and lateral movement, and candidates may mistakenly think this indicates a benign process like password rotation or a SIEM misconfiguration.

How to eliminate wrong answers

Option A is wrong because a broken SIEM parser would typically cause missing or malformed logs, not the generation of a specific, actionable alert about a deception credential being used for authentication. Option B is wrong because a scheduled password rotation would update the credential on the server, not trigger an authentication event using the old deception credential; password rotation does not involve authentication attempts with the credential being rotated.

664
MCQ · medium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Review application logs for query errors, authentication events, and abnormal database access
B.Disable the WAF rule because it may be noisy
C.Ask users to change passwords without checking logs
D.Treat every HTTP 200 as proof of exploitation
Answer: A

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option A is correct because the WAF alerts indicate potential SQL injection attempts, but HTTP 200 responses do not rule out successful exploitation. The analyst must review application logs for actual query errors, authentication anomalies, or unauthorized database access to confirm whether the injection succeeded. Without log correlation, the analyst cannot determine if the WAF blocked the attack or if the payload bypassed it and executed on the backend.

Exam trap

The CS0-003 exam often tests the misconception that HTTP 200 means no compromise occurred, when in fact SQL injection can succeed while returning a normal status code, especially with blind injection or when the application catches errors gracefully.

How to eliminate wrong answers

Option B is wrong because disabling the WAF rule without investigation removes a critical security control and ignores the possibility that the alerts represent real attacks that bypassed detection or were partially blocked. Option C is wrong because forcing password changes without verifying logs fails to address the root cause and may cause unnecessary user disruption; it assumes compromise without evidence, which violates the principle of validate-before-remediate.

665
MCQ · easy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is a SOC manager, which content choice is most appropriate?

A.Business risk, customer impact assessment, remediation status, and remaining exposure
B.Every command the scanner executed
C.Raw packet captures from the scan
D.A list of analyst shift times only
Answer: A

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to a SOC manager while preserving factual accuracy.

Why this answer

Option A is correct because an executive summary for a SOC manager must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the emphasis shifts to the potential impact and the steps taken to mitigate the vulnerability, aligning with the SOC manager's need to communicate risk to leadership and prioritize resources.

Exam trap

The CS0-003 exam often tests the distinction between technical detail and executive-level reporting, trapping candidates who think raw data or scan logs are appropriate for a summary aimed at a SOC manager who needs actionable risk insights, not raw output.

How to eliminate wrong answers

Option B is wrong because listing every command the scanner executed is too technical and granular for an executive summary; it belongs in a detailed technical report for analysts, not a high-level overview for a SOC manager. Option C is wrong because raw packet captures from the scan are irrelevant to an executive summary; they provide no context on business risk or remediation and are only useful for deep forensic analysis, not for communicating the vulnerability's status to management.

666
MCQ · medium

A security analyst is using Qualys to perform a vulnerability scan on a public-facing web server. The scan results show that the server is running an outdated version of Apache HTTP Server with multiple known vulnerabilities. The analyst checks the vendor security advisories and finds that a patch was released three months ago. However, the server is in a staging environment and not yet in production. What should the analyst recommend?

A.Only patch if the vulnerability is rated critical.
B.Patch the server immediately because it poses a risk to the staging network.
C.Do not patch because the server is not in production.
D.Wait until the server moves to production to patch.
Answer: B

Staging environments can be attacked and should be secured.

Why this answer

Even in staging, vulnerabilities should be patched to maintain security posture and to ensure that when the server moves to production, it is secure. Staging environments should mirror production security.

667
MCQ · easy

A medium-sized company has experienced a ransomware attack that encrypted critical file servers. The incident response team has contained the outbreak and restored data from backups. The CISO has requested a post-incident report. The report must include a timeline, root cause analysis, lessons learned, and recommendations. The security team is currently overwhelmed with recovery tasks. The CISO wants the report delivered in 24 hours. Which of the following is the BEST course of action for the security analyst assigned to write the report?

A.Wait until all recovery tasks are complete to ensure accurate information
B.Delegate the report writing to a junior analyst while focusing on technical recovery
C.Use the incident response playbook template to draft the report immediately, incorporating available information and noting gaps
D.Request an extension from the CISO due to resource constraints
Answer: C

Allows for a timely draft that can be refined later, meeting the deadline while documenting what is known.

Why this answer

Option C is correct because the CISO needs a timely post-incident report within 24 hours, and using the incident response playbook template allows the analyst to immediately draft the report with available information while noting gaps. This approach balances the urgency of the deadline with the need for structured documentation, even though recovery tasks are ongoing. It ensures that critical findings are captured promptly without waiting for full recovery, which could delay lessons learned and recommendations.

Exam trap

CompTIA often tests the tension between thoroughness and timeliness in incident reporting, and the trap here is that candidates may choose to wait for complete data (Option A) or delegate (Option B) instead of using a structured template to meet the deadline while acknowledging information gaps.

How to eliminate wrong answers

Option A is wrong because waiting until all recovery tasks are complete would likely exceed the 24-hour deadline, delaying the CISO's required report and potentially missing the window for actionable recommendations. Option B is wrong because delegating to a junior analyst without proper oversight could introduce inaccuracies in the timeline, root cause analysis, and lessons learned, especially if the junior lacks incident response experience. Option D is wrong because requesting an extension due to resource constraints may not be feasible given the CISO's explicit deadline, and it fails to leverage available templates and existing data to meet the requirement.

668
MCQ · medium

A vulnerability scanner reports a finding with a CVSS v3.1 base score of 7.5 and vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. What does this indicate about the vulnerability?

A.It has high impact on integrity
B.It requires authentication to exploit
C.It has high impact on confidentiality
D.It has high impact on availability
Answer: D

A:H indicates high availability impact.

Why this answer

The vector shows high impact to availability (A:H) and no impact to confidentiality or integrity, so the vulnerability primarily affects availability.

669
MCQ · medium

A security team is responding to a phishing incident that led to credential compromise. Which of the following is the BEST short-term containment action to prevent further damage?

A.Disable the compromised user account.
B.Rebuild the user's workstation.
C.Block the phishing email's source IP at the firewall.
D.Rotate all domain admin passwords.
Answer: A

This immediately stops any further access using the compromised credentials.

Why this answer

Short-term containment aims to stop the attack quickly. Disabling the compromised account prevents the attacker from using the stolen credentials to access resources.

670
MCQ · medium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Correlate DNS query logs with endpoint process and network connection telemetry
B.Search only for successful HTTP 200 responses
C.Block all DNS traffic from the subnet
D.Delete the host from the SIEM asset inventory
Answer: A

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option A is correct because correlating DNS query logs with endpoint process and network connection telemetry directly validates command-and-control (C2) beaconing. The algorithmically generated domains (AGDs) and NXDOMAIN responses are classic indicators of a domain generation algorithm (DGA) attempting to resolve a C2 server that may be offline or blocked. By linking the DNS queries to specific processes and network connections on the endpoint, the analyst can confirm whether the workstation is executing malicious code that generates these queries, rather than benign software or a false positive.

Exam trap

The CS0-003 exam often tests the misconception that NXDOMAIN responses are irrelevant or that blocking all traffic is a safe containment step, when in reality the key is to correlate multiple data sources to confirm malicious activity without prematurely destroying evidence.

How to eliminate wrong answers

Option B is wrong because searching only for successful HTTP 200 responses would miss the majority of DGA-based C2 traffic, which often results in NXDOMAIN responses when the C2 server is not yet active or has been sinkholed; C2 beaconing frequently relies on failed DNS resolutions as part of its algorithm. Option C is wrong because blocking all DNS traffic from the subnet would immediately disrupt network operations for all hosts, potentially alerting the adversary and destroying volatile evidence such as active network connections and process memory, violating the containment trade-off principle of preserving forensic data before taking disruptive action.
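Worked example added here (not from the question bank): the correlation that option A describes, in Python, run over a constructed resolver log and constructed Sysmon-style DNS-query events. The host names, domains, PID and process path are made up for the example; the thresholds are illustrative starting points, not vendor defaults.

```python
"""Validate suspected DGA beaconing: profile each client's DNS queries for algorithmic
names, NXDOMAIN ratio and fixed cadence, then attribute the queries to the issuing process."""
from collections import Counter, defaultdict
from datetime import datetime
import math
import statistics

# Constructed resolver log, one query per line: "<time> <client> <qname> <rcode>".
DNS_LOG = """\
2024-05-02T09:00:00 ws-017 qjx7vb2k9d.com NXDOMAIN
2024-05-02T09:00:30 ws-017 m3z8pl1qwc.net NXDOMAIN
2024-05-02T09:01:00 ws-017 x9k2vtq4hb.org NXDOMAIN
2024-05-02T09:01:30 ws-017 zb7n1pq8rk.com NXDOMAIN
2024-05-02T09:02:00 ws-017 v4lq9xh2tm.info NOERROR
2024-05-02T09:02:30 ws-017 k8hw3zr7yp.net NXDOMAIN
2024-05-02T09:00:05 ws-042 www.example.com NOERROR
2024-05-02T09:00:41 ws-042 mail.example.com NOERROR
2024-05-02T09:03:12 ws-042 cdn.example.net NOERROR
2024-05-02T09:04:55 ws-042 misspelt.exmaple.com NXDOMAIN
"""
# Constructed endpoint DNS-query events (Sysmon Event ID 22 style):
# "<time> <host> <pid> <image path> <qname>". PID and image paths are hypothetical.
EDR_DNS_LOG = """\
2024-05-02T09:00:00 ws-017 4412 C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe qjx7vb2k9d.com
2024-05-02T09:00:30 ws-017 4412 C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe m3z8pl1qwc.net
2024-05-02T09:01:00 ws-017 4412 C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe x9k2vtq4hb.org
2024-05-02T09:01:30 ws-017 4412 C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe zb7n1pq8rk.com
2024-05-02T09:00:05 ws-042 2210 C:\\Program Files\\Browser\\browser.exe www.example.com
"""

def parse_dns_log(text):
    """Yield (time, client, qname, rcode) from the resolver log."""
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower(), rcode

def parse_edr_log(text):
    """Yield (time, host, pid, image, qname); the image path may contain spaces."""
    for line in text.splitlines():
        ts, host, pid, rest = line.split(maxsplit=3)
        image, qname = rest.rsplit(maxsplit=1)
        yield datetime.fromisoformat(ts), host, pid, image, qname.lower()

def looks_algorithmic(qname):
    """Heuristic on the registered label: long, high-entropy and vowel-poor."""
    parts = qname.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < 8:
        return False
    entropy = -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return entropy >= 3.0 and vowel_ratio <= 0.25

def profile_hosts(records, min_queries=4):
    """Per-client statistics: failure ratio, algorithmic ratio and query cadence."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec[1]].append(rec)
    profiles = {}
    for host, recs in by_host.items():
        if len(recs) < min_queries:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        profiles[host] = {
            "nxdomain_ratio": sum(r[3] == "NXDOMAIN" for r in recs) / len(recs),
            "algorithmic_ratio": sum(looks_algorithmic(r[2]) for r in recs) / len(recs),
            "median_gap_s": statistics.median(gaps),
            # Coefficient of variation of the gaps: near 0 means a fixed beacon interval.
            "jitter": statistics.pstdev(gaps) / (statistics.mean(gaps) or 1.0),
            "domains": {r[2] for r in recs},
        }
    return profiles

def is_beaconing(profile):
    """Mostly failing, mostly algorithmic names, on a near-constant interval."""
    return (profile["nxdomain_ratio"] >= 0.5 and profile["algorithmic_ratio"] >= 0.5
            and profile["jitter"] <= 0.2)

def attribute_process(host, domains, events):
    """Find the endpoint process that issued the flagged queries on this host."""
    hits = Counter((e[2], e[3]) for e in events if e[1] == host and e[4] in domains)
    if not hits:
        return None
    (pid, image), count = hits.most_common(1)[0]
    return {"pid": pid, "image": image, "matched_queries": count}

def triage(dns_text, edr_text):
    """One finding per beaconing client, with the attributed process so the responder
    can capture that host's memory and live connections before isolating only it."""
    events = list(parse_edr_log(edr_text))
    findings = []
    for host, p in profile_hosts(list(parse_dns_log(dns_text))).items():
        if is_beaconing(p):
            findings.append({"host": host, "nxdomain_ratio": round(p["nxdomain_ratio"], 2),
                             "median_gap_s": p["median_gap_s"],
                             "process": attribute_process(host, p["domains"], events)})
    return findings

if __name__ == "__main__":
    for finding in triage(DNS_LOG, EDR_DNS_LOG):
        print(finding)
```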

671
MCQ · easy

Which of the following is the MOST volatile data according to the order of volatility?

A.Disk storage
B.Swap space
C.RAM
D.CPU registers and cache
Answer: D

Registers are the most volatile.

Why this answer

CPU registers and cache are the most volatile because they store data only while the system is powered on and actively executing instructions. Unlike RAM, which retains data for a short time after power loss, registers and cache lose their contents almost instantly when power is removed, making them the highest priority in the order of volatility (OOV) for forensic acquisition.

Exam trap

The CS0-003 exam often tests the misconception that RAM is the most volatile data source, but the correct answer is CPU registers and cache because they are cleared the instant the CPU halts or loses power.

How to eliminate wrong answers

Option A is wrong because disk storage (e.g., HDD/SSD) is non-volatile and retains data even after power loss, making it the least volatile. Option B is wrong because swap space is a region on disk used as virtual memory; while it may contain data from terminated processes, it persists on disk and is less volatile than RAM or CPU registers. Option C is wrong because RAM is volatile but less so than CPU registers and cache; RAM data decays over seconds to minutes after power loss, whereas registers and cache are cleared immediately when the CPU stops executing.

672
MCQ · hard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Web server access logs from the public website
B.Endpoint antivirus quarantine reports only
C.Cloud audit logs for identity, policy, and key-management API calls
D.Packet captures from user laptops only
Answer: C

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option C is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, access key creation, and failed console logons. These logs directly record identity and access management operations, providing the strongest evidence of control-plane compromise by showing who made the changes, from which source IP, and at what time.

Exam trap

The CS0-003 exam often tests the distinction between data-plane logs (e.g., web server logs) and control-plane logs (e.g., cloud audit logs), tricking candidates into choosing web logs because they seem more familiar, even though they cannot capture IAM or key management events.

How to eliminate wrong answers

Option A is wrong because web server access logs from a public website only record HTTP requests to the application layer (e.g., GET/POST to a web app), not IAM policy changes or key creation, which are control-plane operations. Option B is wrong because endpoint antivirus quarantine reports only detect malware on individual hosts, not cloud-level identity or policy changes; they are irrelevant to control-plane API calls.

673
MCQmedium

Which of the following is a key component of a vulnerability report that provides a high-level overview for management?

A.Remediation timeline
B.Executive summary
C.Findings by severity
D.Risk acceptance
AnswerB

The executive summary is designed for management.

Why this answer

The executive summary condenses findings for management to quickly understand the state of vulnerabilities.

674
MCQmedium

During a threat hunting exercise, the hunter creates a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which ATT&CK technique should the hunter focus on?

A.T1566.001 (Spearphishing Attachment)
B.T1059.001 (PowerShell)
C.T1053.005 (Scheduled Task)
D.T1547.001 (Registry Run Keys)
AnswerC

Correct. This is the ATT&CK technique for persistence via scheduled tasks.

Why this answer

Scheduled tasks are a persistence technique (T1053.005). The hunter should focus on the persistence tactic and the specific technique for scheduled tasks.

675
MCQhard

An analyst is reviewing a memory dump from a compromised workstation and finds a process that appears to be a legitimate system process but has a different parent process and is running from a non-standard location. Which analysis technique is most appropriate?

A.Perform a YARA scan on the process memory
B.Compare the process's command line with baseline
C.Analyze network connections from the process
D.Check the process's digital signature
AnswerA

YARA rules can detect malicious code injected into the process memory, even if the binary itself is signed.

Why this answer

Process hollowing is a technique where an attacker creates a legitimate process in a suspended state, replaces its memory with malicious code, and resumes it. The process may appear legitimate but with anomalies in parent and path.

CompTIA CySA+ CS0-003 CS0-003 Questions 601–675 | Page 9/14 | Courseiva