CCNA Security Operations Questions

75 of 162 questions · Page 1/3 · Security Operations · Answers revealed

1
MCQeasy

Refer to the exhibit. The output is from a Linux system running `netstat -an`. Which of the following ports is likely being used for remote command-and-control communication?

A.54321
B.22
C.53
D.80
AnswerA

High port 54321 used in an established connection to an external IP is anomalous and could be C2.

Why this answer

Port 54321 is a high-numbered ephemeral port that is not associated with any standard service, making it a common choice for malware or remote access tools (RATs) to establish command-and-control (C2) communication. In the netstat -an output, an established connection on a non-standard high port from the local system to a remote IP is a strong indicator of C2 activity, as legitimate services typically use well-known ports.

Exam trap

CompTIA often tests the concept that high-numbered ephemeral ports (above 1024) with no associated standard service are strong indicators of C2 activity, tricking candidates into choosing common service ports like 22, 53, or 80 because they are familiar, even though those are legitimate and monitored.

How to eliminate wrong answers

Option B is wrong because port 22 is the default for SSH, a legitimate remote administration protocol, and while it can be abused for C2, it is not the likely port for covert C2 communication in this context. Option C is wrong because port 53 is used for DNS, which is essential for name resolution; although DNS can be tunnelled for C2, the direct use of port 53 for an established connection (not just queries) is less common and would be more conspicuous. Option D is wrong because port 80 is the standard HTTP port for web traffic; while HTTP can be used for C2, it is a well-known port that is heavily monitored and less likely to be used for stealthy C2 compared to a non-standard high port.

2
MCQhard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Kerberoasting reconnaissance or ticket harvesting
B.ARP spoofing
C.DNS cache poisoning
D.Pass-the-hash using NTLM only
AnswerA

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

The alert describes a workstation requesting a high number of Kerberos service tickets (TGS-REQ) for many different Service Principal Names (SPNs) without subsequently accessing those services. This pattern is classic for Kerberoasting reconnaissance, where an attacker with valid domain credentials (e.g., a compromised user account) enumerates SPNs to request TGS tickets for accounts that have servicePrincipalName attributes set. The attacker then extracts the encrypted ticket data offline to crack the associated service account passwords.

The lack of corresponding service access confirms the tickets were harvested, not used for legitimate authentication.

Exam trap

The trap here is that candidates may confuse Kerberoasting with other credential-based attacks like pass-the-hash or golden ticket attacks, but the key differentiator is the high volume of TGS requests for multiple SPNs without actual service access, which is unique to Kerberoasting reconnaissance.

How to eliminate wrong answers

Option B is wrong because ARP spoofing is a Layer 2 attack that manipulates the ARP cache to intercept traffic on a local network segment; it does not involve Kerberos service ticket requests or SPN enumeration. Option C is wrong because DNS cache poisoning corrupts DNS resolution data to redirect traffic to malicious hosts; it does not generate Kerberos TGS requests or target SPNs. Option D is wrong because pass-the-hash using NTLM only involves replaying NTLM hashes for authentication without requiring Kerberos tickets; it does not produce a burst of TGS-REQ messages for multiple SPNs.

3
Multi-Selectmedium

An analyst is creating a detection for suspicious PowerShell. Which conditions improve fidelity? (Choose two.)

Select 2 answers
A.PowerShell installed on the endpoint
B.The host has more than one local user profile
C.Outbound network connection shortly after script execution
D.Encoded command execution launched from Office or a browser process
AnswersC, D

Network activity after suspicious execution strengthens the signal.

Why this answer

Option C is correct because an outbound network connection shortly after PowerShell script execution is a strong indicator of post-exploitation activity, such as beaconing to a command-and-control (C2) server or exfiltrating data. This behavioral pattern significantly improves detection fidelity by reducing false positives, as legitimate administrative scripts rarely establish immediate outbound connections.

Exam trap

The trap here is that candidates may confuse common environmental characteristics (like PowerShell being installed or multiple user profiles) with actual suspicious behavior, failing to recognize that fidelity requires indicators of malicious intent rather than mere presence or configuration differences.

4
MCQmedium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Time synchronization and timezone normalization across log sources
B.Delete one source from the timeline
C.Assume the firewall logs are falsified
D.Prioritize only the source with the highest EPS
AnswerA

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

The five-minute discrepancy between firewall and endpoint events for the same connection is a classic symptom of clock drift or misconfigured time synchronization. The analyst should first check NTP (Network Time Protocol) settings and timezone normalization across all log sources to ensure timestamps are aligned. Without synchronized time, correlation of events during incident reconstruction is unreliable, making this the foundational step in root-cause analysis.

Exam trap

Cisco often tests the misconception that timestamp discrepancies are due to log falsification or that deleting or prioritizing logs is a valid troubleshooting step, when the correct first action is always to verify time synchronization and normalization across all sources.

How to eliminate wrong answers

Option B is wrong because deleting one source from the timeline removes potentially critical evidence and does not resolve the underlying time discrepancy; it merely hides the symptom. Option C is wrong because assuming the firewall logs are falsified without evidence is a premature conclusion that ignores the more common and plausible cause of clock drift or misconfiguration. Option D is wrong because prioritizing the source with the highest Events Per Second (EPS) does not address timestamp alignment; EPS measures log volume, not temporal accuracy, and could lead to overlooking valid data from lower-volume sources.

5
MCQmedium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Search only for successful HTTP 200 responses
B.Delete the host from the SIEM asset inventory
C.Block all DNS traffic from the subnet
D.Correlate DNS query logs with endpoint process and network connection telemetry
AnswerD

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Correlating DNS query logs with endpoint process and network connection telemetry (Option D) provides direct evidence of command-and-control (C2) beaconing by linking the algorithmically generated domain (AGD) queries to a specific process initiating outbound connections. This cross-referencing validates whether the DNS activity is part of a malware's C2 channel, as legitimate applications rarely generate hundreds of NXDOMAIN responses at fixed intervals. The SOC analyst can confirm the detection by identifying the parent process (e.g., a suspicious executable) and matching its network connections to the queried domains.

Exam trap

The trap here is that candidates often focus on the DNS NXDOMAIN responses alone and choose a reactive action like blocking traffic (Option C) or deleting the host (Option B), instead of recognizing that correlation with endpoint telemetry is required to validate the detection before any response.

How to eliminate wrong answers

Option A is wrong because searching only for successful HTTP 200 responses ignores the core indicator of C2 beaconing—the repeated NXDOMAIN responses—and would miss malware that uses DNS tunneling or fails to resolve before switching domains. Option B is wrong because deleting the host from the SIEM asset inventory removes visibility into the suspicious activity, destroying evidence and preventing further analysis of the beaconing behavior. Option C is wrong because blocking all DNS traffic from the subnet is an overly disruptive response that would break legitimate network operations and does not help validate the detection; it should only be considered as a containment step after confirmation.

6
Multi-Selectmedium

A SOAR playbook enriches suspicious IP addresses. Which enrichment sources are useful? (Choose two.)

Select 2 answers
A.Threat intelligence reputation and first-seen date
B.Internal asset and previous-seen telemetry
C.Random social media comments about cybersecurity
D.Office chair inventory
AnswersA, B

Reputation and recency help judge maliciousness.

Why this answer

Threat intelligence reputation feeds (e.g., VirusTotal, AlienVault OTX) provide a risk score and first-seen date for an IP, which helps determine if it is known for malicious activity and how recently it became active. Internal asset and previous-seen telemetry (e.g., from a SIEM or asset management database) reveals if the IP belongs to an internal host or has been observed in past incidents, enabling context-aware response. Both sources directly support enrichment by adding authoritative, actionable data to the playbook.

Exam trap

Cisco often tests the distinction between authoritative, structured enrichment sources (threat intel feeds, internal logs) versus irrelevant or untrusted data (social media, physical inventory) to see if candidates understand that SOAR automation requires reliable, machine-readable inputs.

7
MCQmedium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Close the alert because HTTPS is expected traffic
B.Disable the SIEM parser for PowerShell events
C.Decode the command and inspect the process tree, parent document, and network destination
D.Reimage every workstation in the department
AnswerC

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option C is correct because the encoded PowerShell command is the most direct artifact of the attacker's intent; decoding it reveals the executed payload, while inspecting the process tree confirms the parent-child relationship (winword.exe spawning powershell.exe), the parent document identifies the phishing vector, and the network destination pinpoints the C2 server. This triage provides the evidence needed for containment without destroying forensic data.

Exam trap

Cisco often tests the misconception that HTTPS traffic is inherently safe or that immediate containment (like reimaging) is always the best first step, when in reality the priority is to preserve and analyze volatile evidence before taking irreversible actions.

How to eliminate wrong answers

Option A is wrong because outbound HTTPS from a PowerShell process spawned by winword.exe is highly anomalous—attackers frequently use HTTPS to blend in with legitimate traffic, so closing the alert ignores a clear indicator of compromise. Option B is wrong because disabling the SIEM parser for PowerShell events would blind the security team to all future PowerShell activity, including legitimate administrative tasks, and does nothing to address the current alert. Option D is wrong because reimaging every workstation is an extreme, untargeted response that destroys volatile evidence (e.g., memory, process trees, network connections) and is premature before confirming the scope of the infection.

8
Multi-Selecthard

A SIEM receives endpoint, firewall, identity, and cloud logs for the same incident, but timestamps do not align across sources. Which actions should the analyst take before finalizing the timeline? (Choose two.)

Select 2 answers
A.Assume the latest arriving event happened last
B.Verify time synchronization and timezone parsing for each source
C.Discard every source except the firewall
D.Normalize events to a common timestamp standard such as UTC
AnswersB, D

Clock drift and timezone conversion errors can reorder events.

Why this answer

Option B is correct because without verifying time synchronization (e.g., NTP configuration) and timezone parsing for each log source, the analyst cannot trust the chronological order of events. A SIEM relies on accurate timestamps to correlate logs from endpoints, firewalls, identity systems, and cloud platforms; misaligned timestamps can lead to incorrect incident reconstruction.

Exam trap

Cisco often tests the misconception that you can simply trust the order logs arrive in the SIEM, but the trap is that arrival order does not equal occurrence order due to network latency, buffering, and clock skew.

9
Multi-Selecthard

An analyst suspects DNS tunnelling but wants to avoid over-escalating normal CDN behaviour. Which comparisons help? (Choose two.)

Select 2 answers
A.Baseline query length, entropy, and subdomain uniqueness for the host
B.Compare query rate and destination domains against peer hosts
C.Check whether the user likes the website
D.Count the number of icons on the desktop
AnswersA, B

Tunnelling often creates abnormal label characteristics.

Why this answer

DNS tunnelling encodes non-DNS data (e.g., file exfiltration or C2 commands) into DNS queries, often producing abnormally long, high-entropy subdomains. Comparing current query length, entropy, and subdomain uniqueness against a baseline for the same host helps distinguish tunnelling from legitimate CDN traffic, which typically uses short, predictable subdomains. This approach focuses on the structural characteristics of the queries themselves, avoiding false positives from normal CDN behaviour.

Exam trap

The trap here is that candidates may confuse DNS tunnelling detection with generic anomaly detection, overlooking the need for a host-specific baseline to avoid flagging legitimate CDN traffic that naturally has higher query rates or longer subdomains.

10
MCQhard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.CVSS vector string
B.YARA rule
C.Sigma rule
D.OpenIOC package only
AnswerC

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are platform-agnostic, portable detection signatures written in YAML that can be automatically converted into queries for multiple SIEM platforms (Splunk, QRadar, Elastic, etc.). This makes them the ideal choice for a threat hunter who needs a single detection artifact for suspicious rundll32 execution that can be deployed across different SIEM environments without manual rewriting.

Exam trap

Cisco often tests the distinction between endpoint-focused artifacts (YARA, OpenIOC) and SIEM-portable detection formats (Sigma), trapping candidates who confuse YARA's binary pattern matching with log-based SIEM detection.

How to eliminate wrong answers

Option A is wrong because CVSS vector strings describe vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and are not used for detection logic or SIEM conversion. Option B is wrong because YARA rules are designed for file/process memory pattern matching on endpoints, not for portable SIEM query conversion; they lack native support for log field mapping and SIEM syntax translation. Option D is wrong because OpenIOC packages are XML-based and tightly coupled to specific IOC structures (e.g., registry keys, file hashes) and are not as easily converted across diverse SIEM platforms as Sigma rules, which have a dedicated conversion ecosystem (sigmac, pySigma).

11
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Disable all outbound internet access for the organisation
B.Delete historical flow records to reduce SIEM cost
C.Correlate flow volume with database audit logs and the destination reputation
D.Assume encryption means the transfer is safe
AnswerC

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option C is correct because correlating the outbound flow volume with database audit logs allows you to verify whether the encrypted transfers correspond to legitimate database activity (e.g., scheduled backups or replication) or unauthorized data exfiltration. Checking the destination autonomous system's reputation against threat intelligence feeds (e.g., known C2 infrastructure or bulletproof hosting) provides immediate context on whether the traffic is malicious. This dual-correlation approach gives the highest triage value by confirming or refuting the detection without disrupting operations.

Exam trap

Cisco often tests the misconception that encryption implies safety, but the trap here is that encrypted outbound traffic to an unfamiliar ASN during off-hours is a classic data exfiltration indicator, and the correct triage step is to correlate with internal logs and external reputation before taking action.

How to eliminate wrong answers

Option A is wrong because disabling all outbound internet access is a drastic, disruptive response that violates the principle of least privilege and would halt legitimate business operations; triage should first investigate the specific traffic before taking containment actions. Option B is wrong because deleting historical flow records destroys forensic evidence needed for root cause analysis and compliance, and it does not address the suspicious activity. Option D is wrong because encryption alone does not guarantee safety—attackers commonly use TLS/SSL to conceal data exfiltration (e.g., HTTPS tunnels), and the off-hours timing and unfamiliar ASN are strong indicators of malicious intent.

12
MCQmedium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Use only a firewall deny rule for port 443
B.Create a CVE entry
C.Create and test a YARA rule against known-good and known-bad samples
D.Tune DHCP lease duration
AnswerC

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed for malware identification and classification by matching patterns (strings, byte sequences, and regular expressions) in files or processes. Creating and testing a YARA rule against known-good and known-bad samples allows the analyst to detect related files from the same campaign with high precision and low false positives, directly addressing the need to find files sharing unique strings and byte patterns.

Exam trap

Cisco often tests the distinction between network-level controls (firewall rules) and host-level detection methods (YARA), leading candidates to mistakenly choose a network-based option like a firewall rule when the question explicitly asks about file content analysis.

How to eliminate wrong answers

Option A is wrong because a firewall deny rule for port 443 only blocks outbound HTTPS traffic and does not analyze file content or detect malware samples based on strings or byte patterns. Option B is wrong because a CVE entry is a vulnerability identifier for a specific software flaw, not a method for detecting related malware files based on unique strings or byte patterns. Option D is wrong because tuning DHCP lease duration affects IP address assignment and renewal, not file analysis or pattern matching for malware detection.

13
MCQhard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Allow the host to run until the next maintenance window
B.Run disk cleanup to remove temporary files
C.Network-isolate the endpoint through EDR while preserving disk and memory evidence
D.Power off the machine immediately in every case
AnswerC

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Option C is correct because network-isolating the endpoint via EDR (e.g., using a firewall rule or agent-based isolation) stops the beaconing to the malicious IP and prevents further credential dumping, while preserving the disk and memory evidence needed for forensic analysis. This balances containment with evidence preservation by keeping the system powered on so volatile data (e.g., running processes, network connections) is not lost, unlike a hard shutdown.

Exam trap

CompTIA often tests the misconception that immediate power-off is the safest containment action, but the trap here is that it destroys volatile evidence, and the correct answer requires balancing containment with evidence preservation through network isolation.

How to eliminate wrong answers

Option A is wrong because allowing the host to run until the next maintenance window fails to contain the active threat, risking lateral movement and data exfiltration. Option B is wrong because running disk cleanup removes temporary files that could contain critical forensic artifacts (e.g., cached credentials, malware remnants), destroying evidence. Option D is wrong because powering off the machine immediately in every case destroys volatile memory evidence (e.g., active network connections, encryption keys, running processes) and may cause data loss from unsaved changes, violating the requirement to preserve evidence.

14
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.DNS tunnelling
B.Password spraying only
C.MFA fatigue or push-bombing attack
D.SSL certificate expiry
AnswerC

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Option C is correct because the scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This exploits the human tendency to accept prompts to stop interruptions, bypassing MFA security. The clearest next triage step is to investigate the source IPs and authentication logs for anomalous patterns and immediately revoke the approved session.

Exam trap

Cisco often tests the distinction between credential-based attacks (password spraying) and MFA bypass techniques (push-bombing), trapping candidates who confuse repeated MFA prompts with brute-force login attempts.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling involves encoding data in DNS queries/responses to exfiltrate data or establish C2, not to trigger MFA prompts. Option B is wrong because password spraying only attempts to guess passwords across many accounts without triggering MFA prompts; repeated MFA approvals indicate the attacker already has valid credentials and is exploiting MFA push notifications, not just guessing passwords.

15
MCQmedium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Treat every HTTP 200 as proof of exploitation
B.Ask users to change passwords without checking logs
C.Review application logs for query errors, authentication events, and abnormal database access
D.Disable the WAF rule because it may be noisy
AnswerC

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option C is correct because a WAF alert indicates a potential SQL injection attempt, but an HTTP 200 response does not confirm exploitation—it could mean the WAF blocked the payload or the application handled the input safely. Reviewing application logs for query errors, authentication events, and abnormal database access provides direct evidence of whether the injection succeeded, such as seeing SQL error messages in the logs or unauthorized data retrieval. This approach separates true positives (actual compromise) from false positives (blocked or harmless attempts), enabling precise tuning without losing detection of real attacks.

Exam trap

Cisco often tests the misconception that an HTTP 200 status code from a WAF-protected endpoint automatically indicates a successful exploit, when in reality it may reflect WAF blocking or application-level error handling, and candidates must remember that application logs are the definitive source for confirming compromise.

How to eliminate wrong answers

Option A is wrong because treating every HTTP 200 as proof of exploitation ignores that the WAF may have blocked the injection (returning a benign 200) or the application may have sanitized input, leading to false positives; this would cause unnecessary incident response and user disruption. Option B is wrong because asking users to change passwords without checking logs bypasses forensic validation, potentially wasting resources on a non-event and failing to identify whether actual credential compromise occurred; it also violates standard incident response procedures that require evidence-based decisions.

16
MCQmedium

A security analyst at a small company notices that several workstations in the finance department are communicating with an external IP address known to be associated with a command-and-control server. The analyst checks the host-based firewall logs and sees that outbound connections to that IP are allowed. Which of the following is the BEST immediate action to take?

A.Disconnect the workstations from the network.
B.Block the IP at the perimeter firewall.
C.Update the antivirus definitions.
D.Run a full antivirus scan on the affected workstations.
AnswerA

Immediate containment stops C2 traffic and lateral movement.

Why this answer

Option B is correct because disconnecting the workstations immediately contains the incident, stopping any ongoing C2 traffic and preventing lateral movement. Option A is wrong because blocking a single IP may not be sufficient if the malware uses multiple IPs or domain generation algorithms. Options C and D are slower and do not address the immediate threat.

17
MCQhard

A forensic analyst is called to acquire data from a live server that is critical to business operations. The server cannot be powered down. Which acquisition method should the analyst use to minimize alteration of volatile data?

A.Perform a full disk image while the system is running.
B.Dump the system RAM and then shut down for disk imaging.
C.Use a forensic bootable USB to perform a live acquisition.
D.Acquire data over the network using a remote forensic tool.
AnswerC

Live acquisition from a forensic USB captures volatile data with minimal impact.

Why this answer

Option C is correct because using a forensic bootable USB allows the analyst to boot the server into a controlled forensic environment without relying on the compromised or running operating system. This method minimizes alteration of volatile data by loading a trusted kernel that captures RAM contents before any write operations occur, preserving the integrity of the evidence.

Exam trap

CompTIA often tests the misconception that a live acquisition via a bootable USB is equivalent to a 'live response' using the native OS tools, but the key distinction is that a forensic bootable USB bypasses the host OS to minimize alteration of volatile data.

How to eliminate wrong answers

Option A is wrong because performing a full disk image while the system is running will modify volatile data (e.g., pagefile, temporary files, registry hives) and may overwrite unallocated space, violating forensic integrity. Option B is wrong because dumping system RAM and then shutting down for disk imaging causes the loss of all volatile data (e.g., network connections, running processes, encryption keys) upon shutdown, and the shutdown process itself alters the disk state. Option D is wrong because acquiring data over the network using a remote forensic tool introduces network latency, potential packet loss, and may trigger anti-forensic mechanisms or alter memory contents due to the tool's agent installation and network stack activity.

18
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Only the user's browser cache
B.Sign-in logs, MFA result, device details, and mailbox audit events
C.Only DHCP logs from the London office
D.The organisation's public DNS zone file
AnswerB

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option B is correct because the detection of a user authenticating from geographically distant locations within 12 minutes strongly suggests credential theft or token replay, and the subsequent mailbox forwarding rule creation indicates a data exfiltration attempt. The analyst must first correlate sign-in logs (to verify the source IPs and timestamps), MFA results (to check if MFA was satisfied or bypassed), device details (to identify if a known or managed device was used), and mailbox audit events (to confirm who created the forwarding rule and when). This combination directly validates or refutes the UEBA alert by providing the evidence needed to distinguish between a legitimate user with a VPN or a compromised account.

Exam trap

Cisco often tests the misconception that a single log source (like DHCP or browser cache) is sufficient to investigate impossible travel and mailbox rule changes, when in reality multiple correlated evidence sources (sign-in logs, MFA, device details, and audit events) are required to confirm or refute the alert.

How to eliminate wrong answers

Option A is wrong because browser cache only stores local web data (cookies, history, cached pages) and cannot provide authentication timestamps, IP geolocation, MFA status, or mailbox audit trails needed to investigate a cross-geography login and rule creation. Option C is wrong because DHCP logs from the London office only record IP address leases and cannot show authentication events, MFA results, device details, or mailbox changes; they are irrelevant to verifying the Singapore login or the forwarding rule creation.

19
MCQmedium

A company is implementing a security monitoring solution for its cloud infrastructure. The security team wants to detect attempts to disable logging on critical instances. Which of the following should be configured?

A.VPC Flow Logs
B.CloudTrail (API logging)
C.Host-based intrusion detection (HIDS)
D.Scheduled vulnerability scans
AnswerB

API logging records management events including changes to logging configuration.

Why this answer

CloudTrail (API logging) is the correct choice because it records all API calls made to the cloud provider's control plane, including actions that modify logging configurations such as disabling or stopping logging on critical instances. By monitoring CloudTrail events, the security team can detect attempts to disable logging via API calls like `StopLogging` or `UpdateTrail`, enabling timely alerting and response.

Exam trap

Cisco often tests the distinction between data plane monitoring (VPC Flow Logs) and control plane monitoring (CloudTrail), leading candidates to choose VPC Flow Logs because they think 'logging' refers to network logs rather than API activity logs.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) at the data plane level, not control plane actions like disabling logging services. Option C is wrong because Host-based intrusion detection (HIDS) monitors system-level activities (file changes, processes) on individual instances, but cannot detect cloud API calls that disable logging at the infrastructure level. Option D is wrong because scheduled vulnerability scans assess known security weaknesses (e.g., missing patches) and do not provide real-time detection of logging configuration changes.

20
MCQmedium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Disable the SIEM parser for PowerShell events
B.Decode the command and inspect the process tree, parent document, and network destination
C.Reimage every workstation in the department
D.Close the alert because HTTPS is expected traffic
AnswerB

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option B is correct because decoding the encoded PowerShell command reveals the attacker's intent, inspecting the process tree shows the execution chain from winword.exe to powershell.exe, examining the parent document identifies the malicious attachment, and analyzing the network destination uncovers the C2 server. This systematic approach provides the clearest next triage step by correlating the initial infection vector with the subsequent malicious activity, enabling the analyst to contain the threat effectively.

Exam trap

Cisco often tests the candidate's ability to prioritize investigative actions over reactive or destructive measures, trapping those who choose to disable logging or perform mass reimaging instead of conducting a structured forensic analysis.

How to eliminate wrong answers

Option A is wrong because disabling the SIEM parser for PowerShell events would blind the security team to all future PowerShell-based attacks, removing critical visibility without addressing the current alert. Option C is wrong because reimaging every workstation is a drastic, untargeted response that wastes resources and does not help identify the root cause or scope of the incident; it should only be considered after forensic analysis confirms widespread compromise.

21
MCQhard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.DNS cache poisoning
B.ARP spoofing
C.Pass-the-hash using NTLM only
D.Kerberoasting reconnaissance or ticket harvesting
AnswerD

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

Option D is correct because the SIEM alert describes a workstation requesting a high number of Kerberos service tickets for many Service Principal Names (SPNs) without subsequent service access. This is classic Kerberoasting reconnaissance: the attacker uses a valid domain account to request TGS tickets for services, then extracts and cracks the service account passwords offline. The lack of corresponding service access confirms the tickets were not used for legitimate authentication.

Exam trap

Cisco often tests the distinction between Kerberos-based attacks (Kerberoasting) and NTLM-based attacks (pass-the-hash), so the trap here is assuming any credential reuse attack is NTLM-based, ignoring that Kerberoasting uses Kerberos tickets for offline cracking.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning manipulates DNS resolution to redirect traffic, not to request Kerberos tickets for SPNs. Option B is wrong because ARP spoofing operates at Layer 2 to intercept traffic on a local subnet and does not involve Kerberos ticket requests. Option C is wrong because pass-the-hash using NTLM only reuses NTLM hashes for authentication, whereas the alert specifically shows Kerberos service ticket requests (TGS-REQ) for multiple SPNs, which is a Kerberos-specific attack.

22
MCQhard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Allow the host to run until the next maintenance window
B.Network-isolate the endpoint through EDR while preserving disk and memory evidence
C.Run disk cleanup to remove temporary files
D.Power off the machine immediately in every case
AnswerB

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Network-isolating the endpoint through EDR (option B) is the best containment action because it immediately stops the beaconing to the malicious IP and prevents further credential dumping while preserving both disk and memory evidence for forensic analysis. This aligns with incident response best practices where containment must not destroy volatile data (e.g., memory artifacts of running credential-dumping processes) or persistent evidence on disk. EDR isolation typically uses a host-based firewall rule to block all inbound/outbound traffic except to the EDR management channel, ensuring the host is quarantined without powering it off or altering the file system.

Exam trap

Cisco often tests the misconception that 'preserving evidence' means you should not touch the host at all, leading candidates to choose 'allow the host to run' (option A), but the correct priority is to contain the threat immediately while using EDR's isolation feature to preserve both disk and memory evidence without powering down.

How to eliminate wrong answers

Option A is wrong because allowing the host to run until the next maintenance window violates the immediate containment requirement—the host is actively beaconing and dumping credentials, which could lead to lateral movement, data exfiltration, or further compromise of the environment. Option C is wrong because running disk cleanup removes temporary files that may contain critical forensic evidence (e.g., dumped credential hashes, tool artifacts, or malicious scripts), directly contradicting the business owner's requirement to preserve evidence.

23
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.DNS tunnelling
B.MFA fatigue or push-bombing attack
C.Password spraying only
D.SSL certificate expiry
AnswerB

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

B is correct because the scenario describes MFA fatigue (also known as push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This is a social engineering technique that exploits human behavior rather than a technical vulnerability in the MFA system itself. The analyst should classify this as an MFA fatigue attack because the user eventually approved a request they did not initiate, which is the hallmark of this attack vector.

Exam trap

Cisco often tests the distinction between technical exploitation (e.g., DNS tunnelling) and social engineering of MFA (e.g., MFA fatigue), so the trap here is that candidates may confuse repeated MFA prompts with a technical attack like password spraying or DNS tunnelling, rather than recognizing it as a user-targeted social engineering tactic.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling involves encoding data in DNS queries and responses to bypass network security controls, which is unrelated to MFA push notifications or user approval behavior. Option C is wrong because password spraying is a brute-force attack where an attacker tries a few common passwords against many accounts, not a technique that triggers repeated MFA prompts to a single user for social engineering purposes.

24
MCQmedium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Prioritize only the source with the highest EPS
B.Delete one source from the timeline
C.Assume the firewall logs are falsified
D.Time synchronization and timezone normalization across log sources
AnswerD

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

Time discrepancies between log sources are a classic symptom of clock drift or misconfigured time zones. Before assuming data tampering or prioritizing one source, the analyst must verify that all systems use synchronized time (e.g., NTP) and consistent timezone settings. This ensures the timeline is accurate for proper incident reconstruction.

Exam trap

CompTIA often tests the candidate's ability to resist jumping to conclusions about malicious activity (e.g., log falsification) when a simpler, more common technical issue like time synchronization is the likely cause.

How to eliminate wrong answers

Option A is wrong because prioritizing the source with the highest events per second (EPS) does not address the root cause of time misalignment and could discard valuable evidence. Option B is wrong because deleting a source from the timeline destroys evidence and prevents correlation; the goal is to reconcile timestamps, not remove data. Option C is wrong because assuming firewall logs are falsified without evidence is premature and ignores the more common and benign cause of clock drift or timezone mismatch.

25
MCQhard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Network-isolate the endpoint through EDR while preserving disk and memory evidence
B.Run disk cleanup to remove temporary files
C.Power off the machine immediately in every case
D.Allow the host to run until the next maintenance window
AnswerA

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Network-isolating the endpoint via EDR (e.g., using a built-in quarantine feature) stops the beaconing to the malicious IP and halts credential dumping while preserving disk and memory evidence for forensic analysis. This is the best containment action because it balances incident response needs (stopping active compromise) with evidence preservation, which is critical for legal or regulatory follow-up. Powering off or deleting files would destroy volatile memory evidence and potentially violate chain-of-custody requirements.

Exam trap

Cisco often tests the misconception that immediate power-off is always the safest containment action, but the trap here is that it destroys volatile evidence and may violate forensic preservation requirements, making network isolation the preferred approach in active incident response.

How to eliminate wrong answers

Option B is wrong because running disk cleanup removes temporary files that may contain critical forensic artifacts (e.g., dumped credentials, malware remnants), destroying evidence and violating preservation requirements. Option C is wrong because powering off the machine immediately destroys volatile memory evidence (e.g., running processes, network connections, injected code) and may trigger anti-forensic mechanisms in malware, whereas network isolation preserves the system state for live analysis.

26
MCQeasy

A company's IDS generated an alert for a potential SQL injection attack on a web application. The security analyst reviews the alert and confirms that the application is protected by a Web Application Firewall (WAF) that filters SQL injection attempts. Which of the following is the best course of action?

A.Block the source IP
B.No action needed
C.Disable the Web Application Firewall
D.Create a custom signature
AnswerB

The WAF is protecting the application, so no action is required.

Why this answer

The WAF is already configured to filter SQL injection attempts, so the alert from the IDS does not indicate a successful attack. Since the WAF is actively blocking the malicious payload, no additional action is required. The IDS alert is a normal byproduct of the WAF's filtering, and the security analyst should confirm that the WAF is functioning correctly rather than taking unnecessary steps.

Exam trap

CompTIA often tests the misconception that any IDS alert requires immediate action, when in fact the presence of compensating controls like a WAF means the alert may be a false positive or a blocked attempt that does not require intervention.

How to eliminate wrong answers

Option A is wrong because blocking the source IP is an overreaction; the WAF is already mitigating the attack, and the source IP may be legitimate or spoofed, leading to potential denial of service for valid users. Option C is wrong because disabling the WAF would remove the protection layer, exposing the application to actual SQL injection attacks. Option D is wrong because creating a custom signature is unnecessary when the WAF's existing signatures are already filtering the SQL injection attempts; custom signatures are typically used for novel or zero-day threats, not for known patterns already covered.

27
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Inline IPS mode with drop rules for all signatures
B.A vulnerability scanner run once per quarter
C.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D.Host-based file integrity monitoring only
AnswerC

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Option C is correct because the requirement is to detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Suricata or Snort in IDS (Intrusion Detection System) mode, deployed on a network tap or SPAN port, passively analyzes packet payloads against signatures and generates alerts without any inline blocking action. This matches the 'detect only, no block' requirement exactly.

Exam trap

Cisco often tests the distinction between IDS and IPS modes, where candidates mistakenly choose inline IPS because they think 'detection' implies blocking, but the key phrase 'without blocking traffic' explicitly rules out any inline deployment.

How to eliminate wrong answers

Option A is wrong because inline IPS mode with drop rules actively blocks traffic, which violates the requirement to 'generate alerts without blocking traffic.' Option B is wrong because a vulnerability scanner run once per quarter is a proactive assessment tool that checks for known vulnerabilities in systems, not a real-time network sensor that detects exploit traffic using packet payload signatures; it cannot generate alerts on live exploit traffic.

28
MCQhard

A company uses a SIEM platform that ingests logs from various sources. The SOC team receives an alert for a high number of failed login attempts (over 100 in 5 minutes) on the domain controller from a single IP address. The analyst investigates and finds that the failed attempts are for multiple different usernames, including some disabled accounts. The source IP is traced to an external VPN service. The analyst also notices that a few accounts had successful logins from the same IP after the failed attempts. Which of the following is the MOST likely attack type?

A.Brute-force attack.
B.Kerberoasting.
C.Password spraying.
D.Pass-the-hash.
AnswerC

Attacker tries common passwords across many accounts to avoid lockout.

Why this answer

The attack involves a single external IP attempting logins with multiple different usernames (including disabled accounts) and eventually succeeding on a few. This is characteristic of a password spraying attack, where an attacker tries a small number of common passwords against many accounts to avoid triggering account lockout policies. The use of an external VPN service indicates the attacker is anonymizing their origin, and the successful logins after failures confirm the attack's objective.

Exam trap

CompTIA often tests the distinction between brute-force (many passwords, one user) and password spraying (one password, many users), and candidates mistakenly choose brute-force because they see 'failed login attempts' without analyzing the username distribution.

How to eliminate wrong answers

Option A is wrong because a brute-force attack typically targets a single username with many password attempts, not multiple usernames with a few attempts each. Option B is wrong because Kerberoasting targets service accounts by requesting Kerberos service tickets (TGS-REP) for offline cracking, not by performing login attempts against a domain controller. Option D is wrong because pass-the-hash uses captured NTLM hashes to authenticate without needing the plaintext password, and would not generate failed login attempts or target multiple disabled accounts.

29
MCQhard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Close all similar alerts as duplicates
B.Disable the reporting user's account immediately
C.Automatically delete all messages from the sender across all mailboxes
D.Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
AnswerD

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option D is correct because enrichment (URL reputation, sandbox detonation) and mailbox search counts are non-destructive, automated actions that gather threat intelligence without altering systems. This aligns with the SOC's requirement to reduce analyst workload while avoiding destructive actions before confirmation. In the detection engineering phase, tuning to reduce noise without losing signal involves adjusting thresholds or whitelisting benign indicators based on enrichment results.

Exam trap

CompTIA often tests the distinction between investigative actions (enrichment, sandboxing) and destructive actions (deletion, account disablement), where candidates mistakenly choose destructive options thinking they are efficient, but the question explicitly requires avoiding destructive action before confirmation.

How to eliminate wrong answers

Option A is wrong because closing all similar alerts as duplicates without analysis can suppress genuine threats, violating the principle of avoiding destructive action before confirmation and potentially losing signal. Option B is wrong because immediately disabling the reporting user's account is a destructive action that disrupts operations and is premature without confirmation of a threat. Option C is wrong because automatically deleting all messages from the sender across all mailboxes is a destructive action that could remove legitimate emails and is irreversible, contradicting the requirement to avoid destructive action before confirmation.

30
Multi-Selectmedium

A SOC is onboarding endpoint logs into a SIEM. Which fields are most important for process-chain investigations? (Choose three.)

Select 3 answers
A.Parent process name and command line
B.Monitor refresh rate
C.User and host identifiers
D.Child process command line
AnswersA, C, D

Parent context shows how execution began.

Why this answer

Parent process name and command line are critical for process-chain investigations because they establish the lineage of an execution event. In a SIEM, these fields allow analysts to trace how a process was spawned, identifying whether it originated from a legitimate application (e.g., explorer.exe) or a suspicious parent (e.g., wscript.exe launching cmd.exe). Without this context, it is impossible to reconstruct the attack kill chain from initial execution to lateral movement or privilege escalation.

Exam trap

Cisco often tests the distinction between fields that are merely available in logs versus those that are essential for reconstructing process ancestry; candidates mistakenly choose generic fields like 'source IP' or 'timestamp' instead of the specific parent/child process fields required for chain-of-execution analysis.

31
MCQmedium

A company wants to ensure that all servers are patched within 30 days of a critical patch release. The security team must verify compliance without causing downtime. Which of the following is the best approach?

A.Perform manual patch verification on a rotating schedule.
B.Conduct automated vulnerability scanning of the server IP ranges.
C.Deploy an agent-based patch management solution to all servers.
D.Implement network segmentation to isolate unpatched servers.
AnswerB

Automated scanning is non-intrusive and can identify missing patches.

Why this answer

Automated vulnerability scanning provides a non-intrusive method to check patch levels without affecting system availability. Manual checks are inefficient; agent-based solutions are effective but may introduce overhead; network segmentation does not verify patch compliance.

32
Multi-Selecthard

A SOC is tuning a detection for suspected DNS tunnelling. Which evidence points are useful before escalating the alert? (Choose two.)

Select 2 answers
A.The user's monitor size
B.Volume and timing of queries to the same domain or name server
C.Query length and entropy compared with normal DNS traffic
D.The colour scheme of the SIEM dashboard
AnswersB, C

Regular high-volume queries support a tunnelling or beaconing hypothesis.

Why this answer

Option B is correct because DNS tunnelling often relies on a high volume of queries to a single domain or name server to exfiltrate data or establish a command-and-control channel. Anomalous query timing—such as regular, machine-like intervals—combined with an unusual query count per minute compared to baseline user behaviour is a strong indicator of automated tunnelling activity. SOC analysts should correlate volume and timing with other suspicious patterns before escalating.

Exam trap

Cisco often tests the distinction between observable network-level indicators (like query volume, length, and entropy) and irrelevant physical or user-specific attributes, leading candidates to mistakenly consider non-technical options like monitor size as plausible evidence.

33
MCQmedium

During incident response, a team isolates a host but needs to preserve volatile evidence. What should be done first?

A.Capture a memory dump
B.Disconnect from the network
C.Reimage the hard drive
D.Reboot the system
AnswerA

Memory dump preserves volatile evidence.

Why this answer

When a host is isolated during incident response, the first priority is to capture volatile data before it is lost. A memory dump preserves the contents of RAM, which includes running processes, network connections, open files, and encryption keys. This data is critical for forensic analysis and disappears when the system is powered off.

Disconnecting the network (option B) is important but should follow memory capture because network activity is part of the volatile state.

Exam trap

CompTIA often tests the order of volatility (OOV) by making candidates think network isolation is the immediate priority, but the trap is that volatile memory must be captured first because network state is part of that volatile data and disconnecting the network changes the system's state before evidence is collected.

How to eliminate wrong answers

Option B is wrong because disconnecting the network should occur after capturing memory; network state (active connections, IP addresses, ports) is volatile and would be lost if the network cable is pulled first. Option C is wrong because reimaging the hard drive destroys all evidence, including non-volatile data, and is a recovery step, not a preservation step. Option D is wrong because rebooting the system clears RAM, destroying the very volatile evidence you need to preserve, and may trigger anti-forensic mechanisms.

34
MCQhard

You are a senior security analyst at a mid-sized financial company. The SOC has been alerted by the EDR system about anomalous behavior on a domain controller (DC) that runs Windows Server 2019. The alert indicates that a process named 'svchost.exe' spawned a PowerShell process that executed a one-liner to connect to an external IP address (203.0.113.5) over TCP port 443. Further investigation shows that the DC's event logs have gaps of about 10 minutes each, and the local administrator account 'Administrator' was used to log in from a workstation named 'WKSTN-FIN-12' at the time of the event. The company has strict policies: all administrative access must be via dedicated jump hosts, and privileged accounts are monitored. Upon checking, 'WKSTN-FIN-12' is assigned to an employee in the finance department who has no administrative privileges. The employee reports that they did not log in recently. The CISO wants a swift containment and eradication without losing forensic evidence. Based on this scenario, which of the following is the BEST first course of action?

A.Isolate the domain controller from the network by disabling its network interface.
B.Capture a memory dump of the domain controller for offline analysis.
C.Power down the domain controller to prevent further damage.
D.Reset the password for the local Administrator account and revoke the user's access.
AnswerA

Isolation contains the threat while preserving evidence for analysis.

Why this answer

Isolating the domain controller by disabling its network interface is the best first step because it immediately halts any ongoing malicious communication (e.g., C2 traffic over TCP 443) while preserving the volatile state of the system for forensic acquisition. This action prevents further data exfiltration or lateral movement without destroying evidence like memory or logs, which would occur with a power-down. It also aligns with the CISO's requirement for swift containment without losing forensic evidence.

Exam trap

CompTIA often tests the distinction between containment and forensic preservation, trapping candidates who choose memory capture (Option B) as a first step instead of immediate isolation, or who mistakenly think powering down (Option C) preserves evidence when it actually destroys volatile data.

How to eliminate wrong answers

Option B is wrong because capturing a memory dump is a forensic step that should follow containment, not precede it; performing it first could allow the attacker to continue exfiltrating data or executing commands while the dump is taken. Option C is wrong because powering down the domain controller destroys volatile evidence (e.g., memory, active network connections) and may trigger anti-forensic mechanisms, violating the requirement to preserve forensic evidence. Option D is wrong because resetting the password and revoking access does not stop the active malicious process (PowerShell connecting to 203.0.113.5) or the potential persistence mechanism; it only addresses the compromised credential, leaving the threat active.

35
MCQeasy

A small business with 50 employees uses a single Windows Server 2019 as a domain controller and file server. The company recently experienced a ransomware attack that encrypted all files on the server. The IT manager restored the files from a backup that was taken two days before the attack. However, the next day, the files were encrypted again. The analyst suspects the ransomware may have persisted or re-entered. The network is air-gapped from the internet, but employees use USB drives. Which of the following is the MOST likely reason for the re-infection?

A.The backup itself contained the ransomware.
B.An employee inserted an infected USB drive after the restoration.
C.The ransomware was still active in memory on the server.
D.The domain controller was not fully patched.
AnswerB

With air-gap, USB is the only vector for re-introduction.

Why this answer

Option B is correct because the network is air-gapped from the internet, leaving USB drives as the primary vector for reintroducing malware. If an employee inserted an infected USB drive after the restoration, the ransomware could execute and re-encrypt the files. The air-gap eliminates internet-based re-entry, and the backup was clean since it restored files without immediate re-encryption until the next day.

Exam trap

The trap here is that candidates may assume the backup was infected (Option A) or that patching (Option D) is the root cause, but the air-gap and USB vector point directly to physical media reintroduction, not network-based persistence or patch status.

How to eliminate wrong answers

Option A is wrong because if the backup contained the ransomware, the files would have been encrypted immediately upon restoration, not the next day. Option C is wrong because ransomware that persists only in memory would be wiped by a server reboot during the restoration process, and it cannot survive a reboot without writing to disk. Option D is wrong because while an unpatched domain controller is a security risk, the air-gapped network prevents remote exploitation, and the attack vector is local via USB drives, not network-based patching issues.

36
Multi-Selectmedium

A detection engineer is writing a Sigma rule for suspicious rundll32 usage. Which fields should be included? (Choose two.)

Select 2 answers
A.Command line containing unusual DLL path or URL pattern
B.Desk phone extension
C.Laptop battery health
D.Image or process name matching rundll32.exe
AnswersA, D

Command-line arguments distinguish abuse from normal use.

Why this answer

Sigma rules for suspicious rundll32 usage focus on detecting abnormal command-line arguments, such as DLL paths from unusual locations (e.g., temp directories, network shares) or URLs that indicate remote payload retrieval. The 'Command line' field is critical because rundll32.exe is a legitimate Windows binary often abused by attackers to execute malicious DLLs, and anomalous patterns in its arguments are a strong indicator of compromise.

Exam trap

Cisco often tests the distinction between relevant process-level telemetry (command line, parent process) and irrelevant hardware or peripheral data, so candidates must recognize that Sigma rules are strictly for log-based detection of execution artifacts, not system health or inventory fields.

37
Matchingmedium

Match each vulnerability scanning concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Alert on non-existent vulnerability

Missed actual vulnerability

Scan with authenticated access

Scan without authenticated access

Standard severity rating for vulnerabilities

Why these pairings

Understanding these concepts is critical for interpreting scan results.

38
Multi-Selectmedium

A security analyst is reviewing the output of a recent vulnerability scan and correlating it with threat intelligence feeds. Which four of the following actions are most appropriate for an effective security operations workflow? (Choose four.)

Select 4 answers
.Prioritize remediation based on the CVSS score alone.
.Correlate detected vulnerabilities with active exploitation in the wild.
.Verify the scan results by performing manual validation on critical hosts.
.Apply patches to all identified vulnerabilities immediately without testing.
.Assess compensating controls already in place before scheduling remediation.
.Assign vulnerability remediation tasks based on asset criticality and exposure.

Why this answer

Correlating detected vulnerabilities with active exploitation in the wild is correct because it allows the analyst to prioritize vulnerabilities that are currently being used by threat actors, moving beyond theoretical risk to real-world urgency. This aligns with threat-informed defense, where vulnerability management is driven by actual attack patterns rather than static severity scores.

Exam trap

CompTIA often tests the misconception that CVSS score alone is sufficient for prioritization, but the exam emphasizes that effective security operations require contextual factors like active exploitation, asset criticality, and compensating controls.

39
Multi-Selecthard

Which THREE of the following are common indicators of a data exfiltration attempt? (Choose three.)

Select 3 answers
A.Outbound connections to IP addresses associated with known C2 servers
B.DNS queries with high entropy subdomains
C.Increased use of encrypted communication protocols
D.Unusually large outbound data transfers during off-hours
E.Multiple failed login attempts from a single source
AnswersA, B, D

Direct indication of malicious activity.

Why this answer

Option A is correct because outbound connections to IP addresses associated with known command-and-control (C2) servers are a classic indicator of data exfiltration. Once an attacker establishes a C2 channel, they can use it to tunnel stolen data out of the network. Security tools like firewalls and threat intelligence feeds flag these connections based on known malicious IP addresses or domains.

Exam trap

CompTIA often tests the distinction between indicators of exfiltration (data leaving) versus indicators of initial access or lateral movement, so candidates may confuse failed logins (Option E) with exfiltration when it actually points to a different phase of the attack chain.

40
MCQhard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Kerberoasting reconnaissance or ticket harvesting
B.ARP spoofing
C.Pass-the-hash using NTLM only
D.DNS cache poisoning
AnswerA

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

The SIEM alert describes a workstation requesting a high number of Kerberos service tickets (TGS-REQ) for many different Service Principal Names (SPNs) without subsequent service access. This is classic Kerberoasting reconnaissance: an attacker with valid domain credentials (e.g., after initial compromise) requests TGS tickets for accounts with SPNs, then extracts and cracks the NTLM hash embedded in the ticket offline. The lack of service access confirms the tickets were harvested for offline cracking, not for legitimate use.

Exam trap

Cisco often tests the distinction between Kerberoasting (which uses Kerberos TGS requests and offline cracking) and pass-the-ticket or pass-the-hash attacks, leading candidates to confuse the harvesting phase with credential reuse attacks.

How to eliminate wrong answers

Option B is wrong because ARP spoofing is a Layer 2 attack that manipulates MAC-to-IP mappings to intercept traffic; it does not involve Kerberos service ticket requests or SPN enumeration. Option C is wrong because pass-the-hash using NTLM only reuses an NTLM hash to authenticate without needing Kerberos tickets; it does not generate a burst of TGS-REQ for multiple SPNs, and the alert specifically mentions Kerberos service tickets, not NTLM authentication.

41
Multi-Selectmedium

An IDS signature fires on outbound traffic but analysts suspect a false positive. Which validation steps are appropriate? (Choose two.)

Select 2 answers
A.Assume all signatures are always correct
B.Check whether the destination and application protocol match the rule intent
C.Disable every IDS rule from the same vendor
D.Inspect packet payload or session metadata around the alert
AnswersB, D

Protocol and destination context help identify misfired signatures.

Why this answer

Option B is correct because validating whether the destination and application protocol match the rule intent directly confirms if the IDS signature fired on legitimate traffic or a false positive. For example, if a signature is designed to detect SQL injection over HTTP but the outbound traffic is HTTPS or a different protocol, the alert is likely a false positive. This step aligns with standard validation procedures in security operations, where analysts verify the context of the alert against the signature's defined criteria.

Exam trap

The trap here is that candidates may assume all IDS alerts are accurate or overreact by disabling rules, but Cisco tests the understanding that validation requires contextual verification against the signature's intended scope, not blanket assumptions or drastic actions.

42
MCQeasy

An organization's incident response playbook specifies that after a confirmed malware infection, the infected system should be isolated from the network. Which action best achieves isolation?

A.Uninstall the operating system and reimage.
B.Disable the network interface card (NIC) via software.
C.Pull the power cord from the infected system.
D.Delete the infected user's account.
AnswerB

Disabling the NIC cuts network connectivity while preserving forensic data.

Why this answer

Disabling the network interface card (NIC) via software immediately stops all network traffic to and from the infected system, effectively isolating it from the network while preserving the system's state for forensic analysis. This action aligns with the incident response playbook's requirement for network isolation without destroying volatile data or evidence.

Exam trap

Cisco often tests the distinction between 'isolation' (stopping network communication while preserving the system) and 'eradication' (removing the malware or rebuilding the system), leading candidates to confuse reimaging or power-off actions with proper isolation.

How to eliminate wrong answers

Option A is wrong because uninstalling the OS and reimaging destroys all data on the system, including forensic evidence, and does not achieve immediate network isolation. Option C is wrong because pulling the power cord causes a hard shutdown, which loses volatile memory data (e.g., running processes, network connections) and may prevent proper forensic collection. Option D is wrong because deleting the infected user's account does not stop network traffic from the system itself; the malware can still communicate over the network using other system accounts or services.

43
MCQeasy

A security team is reviewing firewall logs and identifies traffic to a known malicious IP address from an internal workstation running a critical business application that cannot be interrupted. Which of the following is the most appropriate immediate action?

A.Add a firewall rule to block the malicious IP
B.Shut down the workstation
C.Disconnect the network cable
D.Run an antivirus scan
AnswerA

Blocking just the malicious IP minimizes disruption while preventing further communication.

Why this answer

Adding a firewall rule to block the malicious IP is the most appropriate immediate action because it stops the outbound traffic to the known malicious address without disrupting the critical business application running on the workstation. This approach maintains availability (a key CIA triad principle) while mitigating the threat at the network layer, which is faster and less invasive than host-level changes. It also preserves the workstation's state for potential forensic analysis.

Exam trap

CompTIA often tests the principle of 'least disruption' in incident response, where candidates mistakenly choose to shut down or disconnect the system (options B or C) because they focus solely on containment, forgetting the critical business application's availability requirement.

How to eliminate wrong answers

Option B is wrong because shutting down the workstation would interrupt the critical business application, violating availability requirements, and could destroy volatile evidence in memory. Option C is wrong because disconnecting the network cable would also interrupt the application's network connectivity, potentially causing service disruption, and does not provide a targeted block against the specific IP. Option D is wrong because running an antivirus scan is a reactive, host-based step that takes time and may not immediately stop ongoing malicious traffic; it also risks alerting an attacker or interfering with the application's processes.

44
MCQhard

A company uses a centralized logging solution. A security analyst receives a log from a host indicating a user account 'jsmith' was created locally on a server. The analyst suspects this is a backdoor account. Which of the following log sources would provide the most context to confirm the creation method and identify the responsible process?

A.Sysmon Event ID 1 (Process creation)
B.Network logs
C.Application logs
D.Windows Security Event Logs (Event ID 4720)
AnswerA

Sysmon process creation logs include the parent process, providing context for how the account was created.

Why this answer

Sysmon Event ID 1 captures every process creation event with detailed command-line arguments, parent process information, and hashes. This allows the analyst to see exactly which executable (e.g., net.exe, powershell.exe, or a custom script) created the 'jsmith' user account and what command-line parameters were used, providing definitive evidence of the creation method and responsible process.

Exam trap

CompTIA often tests the distinction between detection (Event ID 4720) and forensic attribution (Sysmon Event ID 1), leading candidates to choose the security log that confirms the event occurred rather than the log that reveals how and by what process it was executed.

How to eliminate wrong answers

Option B is wrong because network logs only show traffic flows and IP addresses, not local process execution or user creation commands. Option C is wrong because application logs record events from specific applications (e.g., IIS, SQL Server) and do not capture system-level process creation or local account management activities. Option D is wrong because Windows Security Event Log 4720 only records that a user account was created, but does not reveal the parent process, command line, or the executable responsible for the creation.

45
MCQmedium

During a containment phase of an incident response, the team needs to prevent an infected host from communicating with a command-and-control server. The host is a critical database server that cannot be taken offline. Which of the following containment strategies is most appropriate?

A.Pull the network cable
B.Disable the database service
C.Isolate the host by VLAN
D.Block the C2 IP at the firewall
AnswerD

Blocking only the C2 IP allows legitimate traffic while preventing command-and-control communication.

Why this answer

Blocking the C2 IP at the firewall is the most appropriate strategy because it disrupts the command-and-control communication without taking the critical database server offline. This network-layer containment allows the host to continue serving its database functions while preventing outbound traffic to the malicious IP, aligning with the need for a surgical containment approach.

Exam trap

CompTIA often tests the distinction between network-level containment (firewall block) and host-level isolation (VLAN or cable pull), trapping candidates who think VLAN isolation is always non-disruptive when it often requires port reconfiguration that can drop active sessions.

How to eliminate wrong answers

Option A is wrong because pulling the network cable completely disconnects the host from the network, which would take the critical database server offline and violate the requirement that it cannot be taken offline. Option B is wrong because disabling the database service stops the server's primary function, effectively taking it offline, which contradicts the scenario's constraint. Option C is wrong because isolating the host by VLAN typically requires reconfiguring the switch port or moving the host to a separate VLAN, which can disrupt network connectivity and may not be feasible without taking the host offline or causing significant service interruption.

46
Multi-Selecthard

A Kubernetes audit alert shows a service account creating privileged pods. Which checks are most relevant? (Choose two.)

Select 2 answers
A.The number of comments in application code
B.User profile pictures in the HR system
C.Pod spec fields such as privileged mode, hostPath, and hostNetwork
D.Recent role binding or cluster role binding changes
AnswersC, D

These fields indicate high-risk container privileges.

Why this answer

Option C is correct because privileged pods can bypass container security boundaries, and hostPath or hostNetwork access can lead to host-level compromise. The audit alert specifically flags a service account creating such pods, which violates the principle of least privilege and indicates a potential security incident that requires immediate investigation of the pod spec fields.

Exam trap

Cisco often tests the ability to distinguish between operational metrics (like code comments or HR data) and security-relevant configuration fields, trapping candidates who confuse general IT audit items with Kubernetes-specific security indicators.

47
Multi-Selecteasy

Which TWO of the following are best practices for securing a network firewall configuration? (Choose two.)

Select 2 answers
A.Implement a default deny rule for inbound and outbound traffic
B.Apply least privilege access by restricting ports and IP addresses
C.Enable continuous monitoring of firewall logs
D.Allow all traffic by default and block specific threats
E.Use default vendor passwords for initial access
AnswersA, B

Ensures only explicitly permitted traffic passes.

Why this answer

A default deny rule for inbound and outbound traffic ensures that only explicitly permitted traffic is allowed, which is the foundation of a secure firewall configuration. This approach aligns with the principle of least privilege and prevents unauthorized access or data exfiltration by blocking all traffic that is not specifically required. Without a default deny rule, any misconfiguration or unanticipated traffic could bypass security controls.

Exam trap

CompTIA often tests the distinction between operational practices (like log monitoring) and configuration best practices, leading candidates to mistakenly select continuous monitoring as a configuration control rather than a detection control.

48
MCQmedium

Refer to the exhibit. A security analyst is reviewing firewall logs and notices this entry. What should the analyst do next?

A.Investigate the internal host for possible RDP compromise
B.Escalate to incident response immediately
C.Check if there is a business need for RDP access to the external IP
D.Block all traffic to 203.0.113.50
AnswerA

An outbound RDP connection from an internal host is suspicious and warrants investigation of the host.

Why this answer

The firewall log shows an inbound RDP connection (TCP port 3389) from an external IP (203.0.113.50) to an internal host (192.168.1.10). RDP is a high-risk protocol often targeted for brute-force attacks and remote compromise. The analyst should first investigate the internal host for signs of RDP compromise, such as unauthorized access, lateral movement, or data exfiltration, before taking other actions.

Exam trap

Cisco often tests the principle of 'investigate before escalate'—the trap here is that candidates may jump to blocking or escalating without first verifying the internal host's compromise status, which is the foundational step in incident response.

How to eliminate wrong answers

Option B is wrong because escalating to incident response immediately is premature without first confirming that the RDP connection was unauthorized or malicious; the log entry alone does not indicate a confirmed incident. Option C is wrong because checking for a business need for RDP access to the external IP is irrelevant—the connection is inbound from an external IP to an internal host, and the priority is to assess the internal host's security state, not to justify the external IP's access. Option D is wrong because blocking all traffic to 203.0.113.50 is an overly aggressive response that could disrupt legitimate services and should only be done after investigation confirms malicious intent.

49
MCQmedium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Delete the host from the SIEM asset inventory
B.Search only for successful HTTP 200 responses
C.Block all DNS traffic from the subnet
D.Correlate DNS query logs with endpoint process and network connection telemetry
AnswerD

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option D is correct because correlating DNS query logs with endpoint process and network connection telemetry provides direct evidence of command-and-control (C2) beaconing. The algorithmically generated domains (DGA) and NXDOMAIN responses are strong indicators of an infected host attempting to contact a C2 server that is currently offline or unreachable. By linking the DNS queries to the specific process generating them and the subsequent network connections, the analyst can confirm malicious activity rather than benign misconfiguration.

Exam trap

Cisco often tests the misconception that NXDOMAIN responses alone are sufficient to confirm C2, when in fact correlation with endpoint and network telemetry is required to distinguish DGA beaconing from legitimate DNS failures or misconfigured clients.

How to eliminate wrong answers

Option A is wrong because deleting the host from the SIEM asset inventory would remove visibility into the suspicious activity, not validate or investigate it. Option B is wrong because searching only for successful HTTP 200 responses would miss the majority of DGA-based C2 traffic, which often results in NXDOMAIN or other non-200 responses when the C2 server is not reachable. Option C is wrong because blocking all DNS traffic from the subnet is an overly aggressive response that would disrupt legitimate network operations and does not help validate the specific beaconing behavior.

50
Multi-Selectmedium

A security analyst is reviewing logs from a network intrusion detection system (NIDS) and sees the following alert: "ET TROJAN Possible ZeuS/Poison Ivy Activity". The analyst wants to verify if the traffic is malicious. Which TWO of the following actions should the analyst take? (Select two.)

Select 2 answers
A.Disable the NIDS signature to prevent false positives.
B.Perform a packet capture of the session for further analysis.
C.Check the source IP against threat intelligence feeds.
D.Restart the NIDS service.
E.Correlate the alert with other logs (e.g., firewall, proxy).
AnswersC, E

Helps confirm if the source is known malicious.

Why this answer

Option C is correct because checking the source IP against threat intelligence feeds (e.g., AlienVault OTX, VirusTotal, or commercial feeds) allows the analyst to determine if the IP is known for hosting ZeuS/Poison Ivy command-and-control (C2) infrastructure. This action directly validates whether the alert corresponds to a known malicious entity, reducing reliance on signature-based detection alone.

Exam trap

Cisco often tests the distinction between reactive analysis (packet capture) and proactive verification (threat intelligence correlation), trapping candidates who think packet capture is the first step instead of a follow-up action.

51
MCQeasy

A SOC analyst receives an alert about a potential data exfiltration via DNS tunneling. Which of the following tools would best help the analyst investigate the alert?

A.Endpoint Detection and Response (EDR)
B.Antivirus logs
C.NetFlow
D.PCAP capture
AnswerD

Full packet capture allows examination of DNS payloads to detect tunneling.

Why this answer

PCAP capture (D) is the correct tool because DNS tunneling involves encoding data within DNS queries and responses, which can only be fully analyzed by inspecting the raw packet payloads. PCAP files allow the analyst to examine the actual DNS packet contents, including query names, response records, and timing patterns, which are essential for detecting anomalous DNS traffic indicative of tunneling.

Exam trap

Cisco often tests the distinction between metadata-only tools (NetFlow) and full-packet capture (PCAP), expecting candidates to recognize that only PCAP provides the granularity needed for protocol-specific abuse like DNS tunneling.

How to eliminate wrong answers

Option A is wrong because EDR focuses on endpoint-level events (processes, file changes, registry modifications) and cannot directly inspect network-level DNS packet payloads for tunneling patterns. Option B is wrong because antivirus logs primarily detect known malware signatures and file-based threats, not network protocol anomalies like DNS tunneling. Option C is wrong because NetFlow provides metadata (source/destination IPs, ports, byte counts) but lacks the packet-level detail needed to see the actual data being tunneled within DNS queries.

52
MCQhard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Kerberoasting reconnaissance or ticket harvesting
B.ARP spoofing
C.Pass-the-hash using NTLM only
D.DNS cache poisoning
AnswerA

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

The alert describes a workstation requesting a high number of Kerberos service tickets for many SPNs without subsequent service access. This is characteristic of Kerberoasting reconnaissance, where an attacker with domain credentials (e.g., a compromised user account) requests TGS tickets for service accounts to extract their NTLM hashes offline for cracking. The lack of actual service access confirms the tickets are being harvested, not used for legitimate authentication.

Exam trap

Cisco often tests the distinction between Kerberoasting (Kerberos-based hash harvesting) and pass-the-hash (NTLM hash reuse), leading candidates to confuse the two when the scenario involves Kerberos ticket requests without service access.

How to eliminate wrong answers

Option B is wrong because ARP spoofing is a link-layer attack that manipulates MAC-to-IP mappings to intercept traffic, not a method for requesting Kerberos service tickets or harvesting SPN hashes. Option C is wrong because pass-the-hash using NTLM only involves replaying an NTLM hash to authenticate without knowing the plaintext password, but it does not explain the high volume of Kerberos TGS requests for multiple SPNs, which is specific to Kerberoasting.

53
MCQhard

A security analyst is investigating a potential data breach and needs to collect evidence from a compromised Windows server. The server is still running, and the analyst wants to capture memory, network connections, and process list without writing unnecessary data to disk. Which of the following sequences of commands (tools) should the analyst use to adhere to order of volatility?

A.tasklist, netstat -an, then memory dump
B.memory dump, disk image, then network connections
C.memory dump, netstat -an, then tasklist
D.netstat -an, tasklist, then memory dump
AnswerC

Memory is most volatile, followed by network connections, then process list.

Why this answer

Option C is correct because it follows the order of volatility (OOV) principle, which dictates that the most volatile data (memory) should be captured first, followed by network connections (netstat -an), and then the process list (tasklist). Memory is lost when the system is powered off, so it must be collected before any other evidence. Network connections and process lists are less volatile but still transient, and capturing them after memory ensures minimal data loss while avoiding unnecessary writes to disk that could overwrite evidence.

Exam trap

CompTIA often tests the misconception that network connections or process lists are more volatile than memory, leading candidates to choose options that capture them first, but memory is the most volatile because it is lost on power loss and contains critical runtime artifacts like decrypted data and active malware code.

How to eliminate wrong answers

Option A is wrong because it starts with tasklist and netstat -an before memory dump, violating the order of volatility by capturing less volatile data first while the most volatile evidence (memory) is left until last, risking loss if the system crashes or is shut down. Option B is wrong because it includes disk image, which is non-volatile and should be collected after volatile data; placing it before network connections and after memory dump ignores the OOV hierarchy and wastes time on persistent storage while transient data decays. Option D is wrong because it captures netstat -an and tasklist before memory dump, again violating OOV by prioritizing network and process data over the most critical volatile evidence (memory), which could be lost before it is collected.

54
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Host-based file integrity monitoring only
B.Inline IPS mode with drop rules for all signatures
C.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D.A vulnerability scanner run once per quarter
AnswerC

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Option C is correct because Suricata or Snort configured in IDS (Intrusion Detection System) mode on a monitored network tap or SPAN port passively inspects packet payloads against signatures and generates alerts without blocking traffic. This matches the requirement to detect exploit traffic and alert, not block. IDS mode uses a copy of the traffic, so it cannot drop packets, fulfilling the 'without blocking traffic' constraint.

Exam trap

Cisco often tests the distinction between IDS and IPS modes, where candidates mistakenly choose inline IPS (Option B) thinking it provides better detection, but the question explicitly requires no blocking, making passive IDS the only correct choice.

How to eliminate wrong answers

Option A is wrong because host-based file integrity monitoring (e.g., Tripwire, AIDE) monitors file changes on a single host, not network packet payloads, so it cannot detect exploit traffic traversing the network. Option B is wrong because inline IPS mode with drop rules for all signatures actively blocks traffic, which violates the explicit requirement to 'generate alerts without blocking traffic'; IPS mode sits in the data path and can drop packets, which is the opposite of the passive detection needed.

55
MCQmedium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Use only a firewall deny rule for port 443
B.Create a CVE entry
C.Create and test a YARA rule against known-good and known-bad samples
D.Tune DHCP lease duration
AnswerC

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By creating and testing a YARA rule against known-good and known-bad samples, the analyst can reliably detect related files from the same campaign, as YARA allows for pattern matching across multiple files. This method is the most appropriate for the given task of detecting related files based on unique strings and byte patterns.

Exam trap

Cisco often tests the distinction between network-level controls (like firewall rules) and host-level detection methods (like YARA), leading candidates to mistakenly choose a network-based solution for a file-analysis task.

How to eliminate wrong answers

Option A is wrong because a firewall deny rule for port 443 only blocks traffic on that port and does not perform any file-level pattern matching or detection of related malware samples. Option B is wrong because a CVE entry is a record for a specific vulnerability, not a method for detecting related files based on strings and byte patterns; creating a CVE entry would not help in identifying or correlating malware samples.

56
MCQmedium

Refer to the exhibit. The JSON firewall rule is applied to a network segment. A security analyst needs to ensure that traffic from a new subnet 10.0.1.0/24 to the same destination is also allowed. Which of the following modifications should the analyst make?

A.Change destination_port to 80
B.Add a second rule with source_ip "10.0.1.0/24"
C.Change source_ip to "10.0.0.0/23"
D.Change source_ip to "any"
AnswerC

The /23 subnet encompasses both 10.0.0.0/24 and 10.0.1.0/24.

Why this answer

Option C is correct because changing the source_ip to '10.0.0.0/23' expands the allowed source range to include both the original subnet (likely 10.0.0.0/24) and the new subnet 10.0.1.0/24, as a /23 prefix covers addresses from 10.0.0.0 to 10.0.1.255. This is the most efficient modification, requiring only a single rule change without adding complexity or reducing security posture.

Exam trap

CompTIA often tests the candidate's understanding of CIDR aggregation by presenting a scenario where adding a new subnet is required, and the trap is that candidates may incorrectly choose to add a second rule (Option B) instead of recognizing that a single prefix change (Option C) is the most efficient and secure modification.

How to eliminate wrong answers

Option A is wrong because changing the destination_port to 80 would alter the allowed service, potentially blocking the intended traffic if the original rule was for a different port (e.g., 443), and does not address the source subnet requirement. Option B is wrong because adding a second rule with source_ip '10.0.1.0/24' would work but is less efficient than modifying the existing rule; however, the question asks for a modification to the existing rule, not an addition, and adding a rule could lead to rulebase bloat and order-dependent issues. Option D is wrong because changing source_ip to 'any' would allow traffic from all source IPs, which violates the principle of least privilege and unnecessarily broadens the security risk, potentially allowing malicious traffic from any network.

57
Multi-Selecthard

A cloud workload identity begins accessing secrets outside its normal application scope. Which evidence should be reviewed? (Choose two.)

Select 2 answers
A.Cloud audit logs for secret-read operations
B.Legacy fax transmission logs
C.Recent role assignment or policy changes for the workload identity
D.The colour of the application logo
AnswersA, C

Secret-read events show what was accessed.

Why this answer

Cloud audit logs record all API calls, including secret-read operations. If a workload identity is accessing secrets outside its normal scope, the audit logs will show the specific secret-read API calls (e.g., GetSecretValue in AWS Secrets Manager or accessSecretVersion in Google Cloud Secret Manager) made by that identity. Reviewing these logs directly confirms the anomalous access pattern and identifies which secrets were retrieved, providing the primary evidence of the breach.

Exam trap

Cisco often tests the distinction between 'what happened' (audit logs) and 'why it could happen' (policy changes), and the trap here is that candidates may overlook the policy change evidence because they focus only on the direct access logs, missing the root cause of the permission misconfiguration.

58
Matchingmedium

Match each security tool to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Network scanning and enumeration

Packet analysis

Exploitation framework

Web application security testing

Intrusion detection and prevention

Why these pairings

These are common tools used in security assessments and defense.

59
MCQhard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Move logs to cold storage immediately
B.Disable all enrichment lookups
C.Log normalization and field mapping in the parser
D.Increase the dashboard refresh interval
AnswerC

Detection rules depend on consistent normalized fields across sources.

Why this answer

The correct answer is C because inconsistent mapping of source IP, user, and action fields indicates a parsing or normalization issue. In detection engineering, log normalization and field mapping in the parser ensure that all logs conform to a consistent schema, allowing analytics to correctly correlate and alert on the data. This directly addresses the root cause without discarding or altering the underlying signal.

Exam trap

Cisco often tests the misconception that tuning or storage changes (like cold storage or dashboard intervals) can fix data quality issues, when in fact the root cause is almost always a parsing or normalization problem in the ingestion pipeline.

How to eliminate wrong answers

Option A is wrong because moving logs to cold storage does not fix field mapping inconsistencies; it only archives data, making it inaccessible for real-time analytics and potentially losing the signal. Option B is wrong because disabling all enrichment lookups would remove valuable context (e.g., geo-IP, threat intelligence) that enhances detection, increasing noise and reducing signal quality. Option D is wrong because increasing the dashboard refresh interval only changes how often the UI updates, not the underlying data parsing or mapping; it does not resolve the inconsistency and may delay visibility into alerts.

60
MCQhard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Close all similar alerts as duplicates
B.Disable the reporting user's account immediately
C.Automatically delete all messages from the sender across all mailboxes
D.Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
AnswerD

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option D is correct because the first automated phase of a SOAR playbook for suspected phishing should focus on enrichment and triage without taking destructive action. Enriching URLs (e.g., via VirusTotal or URL scan APIs), detonating attachments in a sandbox (e.g., using Cuckoo or FireEye), and collecting mailbox search counts (e.g., via EWS or Graph API) provide critical threat intelligence while preserving evidence and avoiding premature containment. This aligns with the containment trade-off phase, where the goal is to balance rapid response with forensic integrity.

Exam trap

Cisco often tests the misconception that immediate destructive actions (like deletion or account disablement) are appropriate for phishing containment, when in fact the correct approach is to use non-destructive enrichment and soft containment to preserve evidence and avoid false positives.

How to eliminate wrong answers

Option A is wrong because closing all similar alerts as duplicates prematurely assumes the phishing is benign, which can suppress legitimate threats and bypass analyst review, violating the principle of avoiding destructive action before confirmation. Option B is wrong because disabling the reporting user's account immediately is a reactive, potentially disruptive action that could lock out a legitimate user and does not address the phishing threat itself, nor does it preserve evidence for investigation. Option C is wrong because automatically deleting all messages from the sender across all mailboxes is a destructive action that removes evidence (e.g., headers, metadata) needed for forensic analysis and could delete legitimate emails if the sender is spoofed or compromised.

61
Multi-Selectmedium

During a threat hunting exercise, a security analyst discovers unusual outbound traffic from a server that typically only communicates internally. Which three of the following are effective actions to validate and respond to this finding? (Choose three.)

Select 3 answers
.Check the server’s process list and running services for unknown or suspicious processes.
.Immediately block all outbound traffic from the server at the network perimeter.
.Review recent DNS logs to identify the domains being queried by the server.
.Perform a vulnerability scan on the server to identify missing patches.
.Compare the outbound traffic against known threat intelligence feeds for malicious destinations.
.Disable the server’s network interface and reimage it immediately.

Why this answer

Checking the server’s process list and running services (Option 1) is effective because it directly identifies any unauthorized or malicious processes that may be generating the unusual outbound traffic. Reviewing recent DNS logs (Option 3) helps correlate the outbound traffic with domain queries, revealing potential command-and-control (C2) destinations. Comparing outbound traffic against threat intelligence feeds (Option 5) validates whether the destination IPs or domains are known malicious indicators, providing context for the anomaly.

Exam trap

CompTIA often tests the distinction between validation/response actions and premature containment or remediation steps; candidates may incorrectly choose immediate blocking or reimaging because they confuse incident response phases (e.g., skipping analysis and jumping to eradication).

62
MCQeasy

An analyst runs a command to check active network connections on a Linux host and sees many ESTABLISHED connections to an external IP on port 443. Which command was most likely used?

A.netstat -anp
B.ipconfig /all
C.nmap -sT
D.tcpdump -i eth0
AnswerA

netstat shows active connections.

Why this answer

The `netstat -anp` command displays all active network connections (`-a`), shows numeric addresses and port numbers (`-n`), and includes the process ID and program name (`-p`). This makes it the correct tool for an analyst to quickly identify established TCP connections to an external IP on port 443, as it directly lists the state (ESTABLISHED), remote address, and associated process.

Exam trap

Cisco often tests the distinction between commands that *show* current connections (like `netstat`) versus commands that *probe* or *capture* network traffic (like `nmap` or `tcpdump`), leading candidates to confuse scanning tools with monitoring tools.

How to eliminate wrong answers

Option B is wrong because `ipconfig /all` is a Windows command that displays network interface configuration (IP address, MAC, DHCP, DNS), not active network connections or their states. Option C is wrong because `nmap -sT` performs a TCP connect scan to probe open ports on a target, but it does not show the host's own current active connections; it is a scanning tool, not a connection monitoring tool. Option D is wrong because `tcpdump -i eth0` captures raw packets on the specified interface, which can show traffic to port 443, but it does not summarize established connections in a human-readable list; it requires further analysis to identify connection states.

63
MCQmedium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Decode the command and inspect the process tree, parent document, and network destination
B.Disable the SIEM parser for PowerShell events
C.Reimage every workstation in the department
D.Close the alert because HTTPS is expected traffic
AnswerA

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option A is correct because the first analytic pivot in a suspected malware infection via phishing must decode the encoded PowerShell command to understand the attacker's intent, inspect the process tree to confirm parent-child relationships (winword.exe spawning powershell.exe), analyze the parent document for malicious macros or exploits, and examine the network destination to identify potential C2 infrastructure. This approach aligns with the Pyramid of Pain and ensures the analyst gathers actionable intelligence before any containment or tuning decisions.

Exam trap

Cisco often tests the misconception that HTTPS traffic is safe or that encoded commands are too complex to analyze quickly, leading candidates to dismiss the alert or take overly aggressive actions like reimaging without investigation.

How to eliminate wrong answers

Option B is wrong because disabling the SIEM parser for PowerShell events would blind the security team to all PowerShell activity, including legitimate administrative scripts, and would prevent detection of future attacks using similar techniques. Option C is wrong because reimaging every workstation is a drastic, untargeted response that wastes resources and does not address the root cause or provide forensic evidence; it should only be considered after analysis confirms widespread compromise. Option D is wrong because HTTPS traffic is not inherently benign; attackers commonly use HTTPS to encrypt C2 communications and evade network detection, so closing the alert without investigation would miss a potential breach.

64
MCQhard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Power off the machine immediately in every case
B.Network-isolate the endpoint through EDR while preserving disk and memory evidence
C.Run disk cleanup to remove temporary files
D.Allow the host to run until the next maintenance window
AnswerB

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Network-isolating the endpoint via EDR preserves volatile memory and disk evidence while stopping the active beaconing and credential dumping. This allows forensic acquisition without the risk of the attacker wiping data or triggering anti-forensic mechanisms, which powering off (Option A) would cause by losing memory evidence. The isolation action provides the clearest next triage step because the analyst can then safely collect a memory dump and disk image for analysis.

Exam trap

Cisco often tests the misconception that powering off is the safest containment action, but the trap here is that it destroys volatile evidence and may trigger anti-forensic scripts, making network isolation the correct choice for evidence preservation.

How to eliminate wrong answers

Option A is wrong because powering off the machine destroys volatile memory evidence (e.g., running processes, network connections, decrypted credentials) and may trigger anti-forensic shutdown routines, losing critical forensic data. Option C is wrong because running disk cleanup removes temporary files that could contain evidence of the beaconing or credential dumping, actively destroying forensic artifacts. Option D is wrong because allowing the host to continue until the next maintenance window risks data exfiltration, lateral movement, or the attacker wiping evidence, and violates the principle of immediate containment.

65
Multi-Selecteasy

Which TWO of the following are common indicators of compromise (IOCs) that can be identified through log analysis?

Select 2 answers
A.Unexpected changes to file hashes
B.Expired SSL certificates
C.Scheduled backup completion logs
D.Use of strong passwords
E.Unusual outbound network connections
AnswersA, E

Indicates possible malware modification.

Why this answer

Unexpected changes to file hashes (A) are a key indicator of compromise because they suggest that a file has been modified, potentially by malware or an attacker. Log analysis can detect these changes by comparing current file hashes against a known-good baseline, revealing unauthorized alterations that may indicate a security breach.

Exam trap

CompTIA often tests the distinction between operational anomalies (like expired certificates) and true security indicators (like hash changes), expecting candidates to recognize that only events directly tied to unauthorized access or malicious modification qualify as IOCs.

66
MCQeasy

A security engineer needs to implement a baseline configuration for all new Linux servers. Which of the following should be included in the baseline to reduce the attack surface?

A.Enable strong password policies for all users.
B.Enable comprehensive audit logging.
C.Disable all unnecessary services and daemons.
D.Configure disk encryption for all data volumes.
AnswerC

Reducing services minimizes potential entry points.

Why this answer

Disabling all unnecessary services and daemons directly reduces the attack surface by eliminating potential entry points for exploitation. Each running service represents a vector for attacks, such as buffer overflows or misconfigurations, and removing them minimizes the number of listening ports and active processes. This aligns with the principle of least functionality, a core security baseline for Linux servers.

Exam trap

CompTIA often tests the distinction between preventive controls (reducing attack surface) and detective or corrective controls (logging, encryption), leading candidates to choose strong password policies or audit logging as the primary method to reduce attack surface.

How to eliminate wrong answers

Option A is wrong because enabling strong password policies, while important for user authentication, does not reduce the attack surface of the server itself; it addresses credential security but not the number of exploitable services. Option B is wrong because comprehensive audit logging is a detective control that helps identify incidents after they occur, not a preventive measure that reduces the attack surface. Option D is wrong because configuring disk encryption protects data at rest from physical theft, but it does not reduce the number of running services or network-accessible ports, which is the primary goal of attack surface reduction.

67
MCQhard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Sigma rule
B.CVSS vector string
C.OpenIOC package only
D.YARA rule
AnswerA

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are designed as a portable, generic detection format that can be converted into queries for multiple SIEM platforms (e.g., Splunk, QRadar, Elastic) without vendor lock-in. This aligns directly with the threat hunter's requirement for a portable detection that can be easily translated across different environments. In contrast, the other options are either scoring systems, forensic artifacts, or file-specific signatures that lack this cross-platform conversion capability.

Exam trap

Cisco often tests the distinction between detection formats (Sigma) and forensic/indicator formats (OpenIOC, YARA) or scoring systems (CVSS), so candidates mistakenly choose OpenIOC or YARA because they associate them with threat hunting, but they lack the SIEM-agnostic conversion capability that Sigma provides.

How to eliminate wrong answers

Option B is wrong because a CVSS vector string is a vulnerability severity scoring metric (based on CVSS v3.1 specification), not a detection artifact for suspicious process execution. Option C is wrong because an OpenIOC package is a forensic indicator format that is primarily used for endpoint detection and response (EDR) tools, not designed for easy conversion across multiple SIEM platforms. Option D is wrong because a YARA rule is a pattern-matching rule for identifying malware based on file or memory characteristics, not a portable detection format for process execution events like rundll32.

68
Multi-Selectmedium

A phishing detection rule looks only for known malicious URLs and misses newly registered lookalike domains. Which improvements help? (Choose two.)

Select 2 answers
A.Add domain age and lookalike/typosquatting checks
B.Use attachment sandboxing and URL detonation results
C.Allow all newly registered domains
D.Trust emails with company logos automatically
AnswersA, B

New and visually similar domains are common phishing indicators.

Why this answer

Option A is correct because phishing detection rules that rely solely on static URL blacklists cannot catch newly registered lookalike domains. By incorporating domain age checks (e.g., domains registered less than 30 days ago are suspicious) and lookalike/typosquatting detection (e.g., using Levenshtein distance or homoglyph analysis), the rule can proactively identify malicious domains that have not yet been reported or blacklisted.

Exam trap

Cisco often tests the misconception that static blacklists are sufficient for phishing detection, when in fact attackers exploit the delay between domain registration and blacklist updates, making proactive checks like domain age and lookalike analysis essential.

69
MCQeasy

Which SIEM component is responsible for centralizing and correlating logs from multiple sources?

A.Data retention system
B.Aggregation tier
C.Normalization component
D.Correlation engine
AnswerD

Correlates events from multiple sources.

Why this answer

The correlation engine is the SIEM component specifically designed to centralize and analyze logs from multiple sources, applying rules and statistical analysis to identify relationships and patterns indicative of security incidents. It ingests normalized data from the aggregation tier and uses correlation rules to detect complex threats like multi-stage attacks or lateral movement across different systems.

Exam trap

The trap here is that candidates confuse the aggregation tier (which centralizes logs) with the correlation engine (which analyzes them), leading them to pick Option B because they focus on the word 'centralizing' without recognizing that correlation is the key function for identifying relationships.

How to eliminate wrong answers

Option A is wrong because the data retention system is responsible for storing historical log data for compliance and forensic analysis, not for centralizing or correlating logs in real-time. Option B is wrong because the aggregation tier collects and consolidates logs from various sources into a central location, but it does not perform the analysis or correlation to identify relationships between events. Option C is wrong because the normalization component converts disparate log formats into a common schema (e.g., CEF or LEEF) to enable consistent processing, but it does not centralize or correlate logs across sources.

70
Multi-Selecthard

A malware alert shows a signed binary performing suspicious actions. Which facts help decide whether it is living-off-the-land abuse? (Choose two.)

Select 2 answers
A.The binary is normally administrative but launched from an unusual parent process
B.The command line performs download, encode, dump, or remote-execution behaviour
C.The binary has a familiar vendor name only
D.The endpoint wallpaper is unchanged
AnswersA, B

Parent context can indicate abuse of legitimate tools.

Why this answer

Option A is correct because living-off-the-land (LotL) abuse often involves legitimate administrative binaries (e.g., PowerShell, certutil, wmic) being executed from an unexpected parent process, such as a Microsoft Office application or a script host. This deviation from the normal process tree (e.g., cmd.exe or explorer.exe spawning the binary) is a strong indicator of malicious intent, as attackers leverage trusted tools to evade detection.

Exam trap

Cisco often tests the misconception that a signed binary from a trusted vendor is inherently safe, but the trap here is that LotL abuse specifically exploits the trust in signed administrative tools, so candidates must focus on behavioral anomalies (parent process, command-line actions) rather than the binary's signature or vendor name.

71
MCQhard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Disable all enrichment lookups
B.Increase the dashboard refresh interval
C.Move logs to cold storage immediately
D.Log normalization and field mapping in the parser
AnswerD

Detection rules depend on consistent normalized fields across sources.

Why this answer

Option D is correct because inconsistent field mapping (source IP, user, action) prevents the SIEM from correlating and analyzing log data. The engineer must fix the log parser to normalize these fields into a consistent schema, ensuring that enrichment lookups and analytics function correctly. This aligns with the Security Operations domain focus on data ingestion and parsing.

Exam trap

Cisco often tests the misconception that performance or storage adjustments (like refresh intervals or cold storage) can fix data quality issues, when the real solution is always at the parsing and normalization layer.

How to eliminate wrong answers

Option A is wrong because disabling enrichment lookups would remove valuable context (e.g., threat intelligence, geolocation) and does not address the root cause of inconsistent field mapping. Option B is wrong because increasing the dashboard refresh interval only affects how often the UI updates, not the underlying data quality or parsing issues. Option C is wrong because moving logs to cold storage immediately would archive the data without fixing the parsing problem, making the logs unusable for analytics and triage.

72
MCQhard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Packet captures from user laptops only
B.Cloud audit logs for identity, policy, and key-management API calls
C.Web server access logs from the public website
D.Endpoint antivirus quarantine reports only
AnswerB

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Control-plane operations in cloud environments are managed through APIs for identity (IAM), policy, and key management. Cloud audit logs (e.g., AWS CloudTrail, Azure Activity Log) capture every API call to these services, including who made the call, from which IP address, and what changes were made. The spike in IAM policy changes, access key creation, and failed console logons from a new country is directly recorded in these logs, making them the strongest evidence for a control-plane compromise.

Exam trap

Cisco often tests the distinction between control-plane and data-plane telemetry, and the trap here is that candidates mistakenly think packet captures or web logs can reveal cloud API activity, when in fact only cloud audit logs provide the necessary API-level detail for identity and policy changes.

How to eliminate wrong answers

Option A is wrong because packet captures from user laptops only show network-layer traffic (e.g., HTTP/HTTPS packets) and cannot capture cloud control-plane API calls made to the cloud provider's endpoints, as those calls are encrypted and the cloud provider's internal audit logs are the authoritative source. Option C is wrong because web server access logs from the public website record only HTTP requests to the tenant's web application (e.g., GET, POST), not IAM policy changes, access key creation, or console logons, which are control-plane operations managed by the cloud provider's identity service.

73
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant?

A.Office document spawning a script interpreter from a user context
B.A password expiry warning
C.High CPU usage on the print server
D.Successful DHCP renewal
AnswerA

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

The correct detection logic is 'Office document spawning a script interpreter from a user context' because the scenario describes a classic phishing attack where a malicious macro or embedded script in an invoice document launches wscript.exe (a Windows Script Host interpreter) from the user's profile directory. This behavior is a strong indicator of script-based malware execution, as legitimate Office documents rarely spawn script interpreters directly from user-writable paths. The detection logic specifically targets the parent-child process relationship between an Office application (e.g., WINWORD.EXE, EXCEL.EXE) and wscript.exe, which is a common technique used by attackers to bypass application whitelisting and execute arbitrary code.

Exam trap

Cisco often tests the distinction between process execution anomalies and unrelated system events, so the trap here is that candidates may confuse a script interpreter launch with generic system performance issues or authentication events, missing the critical parent-child process chain that defines the attack vector.

How to eliminate wrong answers

Option B is wrong because a password expiry warning is an authentication-related event (typically logged as Event ID 4738 or 4724 in Windows Security logs) and has no relevance to the process execution chain of an Office document spawning wscript.exe. Option C is wrong because high CPU usage on the print server is a performance metric unrelated to endpoint process behavior; it does not involve user-context script execution or document-based attacks, and would be monitored by system health tools, not security detection logic.

74
MCQmedium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Block all DNS traffic from the subnet
B.Search only for successful HTTP 200 responses
C.Correlate DNS query logs with endpoint process and network connection telemetry
D.Delete the host from the SIEM asset inventory
AnswerC

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option C is correct because correlating DNS query logs with endpoint process and network connection telemetry provides direct evidence of command-and-control (C2) beaconing. The algorithmically generated domains (DGA) and NXDOMAIN responses are characteristic of malware that generates many domains to evade static blocklists, but only a few are actually registered by the attacker. By mapping the DNS queries to the specific process that initiated them (via endpoint telemetry) and the subsequent network connections (e.g., to the resolved IP of a successful DGA domain), the analyst can confirm C2 activity rather than just anomalous DNS traffic.

Exam trap

The trap here is that candidates focus on the NXDOMAIN responses as a sign of failure and assume the activity is benign or that blocking DNS is the solution, rather than recognizing that the fixed-interval DGA pattern itself is the key indicator of C2 beaconing that requires cross-telemetry correlation.

How to eliminate wrong answers

Option A is wrong because blocking all DNS traffic from the subnet is a disruptive, non-analytical response that would break legitimate network operations and does not help validate or explain the beaconing behavior. Option B is wrong because searching only for successful HTTP 200 responses is too narrow; C2 traffic often uses non-HTTP protocols, encrypted channels, or different HTTP status codes (e.g., 302 redirects), and many DGA-based C2 channels may not use HTTP at all, so this approach would miss the actual beaconing.

75
MCQhard

During a security assessment, you discover that an organization's web application is vulnerable to SQL injection because it concatenates user input directly into SQL queries. Which of the following is the BEST remediation strategy?

A.Encode all output data.
B.Deploy a web application firewall (WAF).
C.Use parameterized queries or prepared statements.
D.Implement input validation using a whitelist.
AnswerC

Separates SQL logic from data, preventing injection.

Why this answer

Parameterized queries (prepared statements) separate SQL logic from user data by using placeholders, ensuring that user input is always treated as data, not executable code. This directly prevents SQL injection by eliminating the ability to alter the query structure, regardless of the input content.

Exam trap

Cisco often tests the misconception that input validation or a WAF is sufficient to prevent SQL injection, but the exam expects you to recognize that only parameterized queries/prepared statements address the root cause by enforcing data vs. code separation.

How to eliminate wrong answers

Option A is wrong because output encoding (e.g., HTML entity encoding) addresses cross-site scripting (XSS), not SQL injection, which occurs at the database layer before output is generated. Option B is wrong because a web application firewall (WAF) is a reactive, bypassable control that can be evaded with crafted payloads; it does not fix the root cause of insecure code. Option D is wrong because input validation using a whitelist is insufficient as a primary defense—attackers can bypass whitelists with encoding or alternative characters, and it does not guarantee that all malicious input is blocked, whereas parameterized queries provide a deterministic, structural fix.

Page 1 of 3 · 162 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Security Operations questions.