Scenario-based practice

Refer to the Exhibit Practice Questions

Practise CompTIA CySA+ CS0-003 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: CS0-003 | Vendor: CompTIA

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

An analyst runs the above command on a server. Based on the exhibit, which of the following is the MOST likely scenario?

Exhibit

Refer to the exhibit.

```
netstat -an | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.50:4444       10.0.0.100:56789        ESTABLISHED
```

Question 2 (easy, multiple choice)

Refer to the exhibit. The output is from a Linux system running `netstat -an`. Which of the following ports is likely being used for remote command-and-control communication?

Exhibit

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:54321          198.51.100.20:443       ESTABLISHED
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
```

Question 3 (hard, multiple choice)

Refer to the exhibit. The snippet is from a Windows Security log showing event ID 4688 (Process Creation). Which of the following actions should the analyst take first?

Exhibit

```
LogName=Security
EventID=4688
NewProcessName=C:\Windows\System32\rundll32.exe
CreatorProcessName=C:\Users\admin\AppData\Local\Temp\svchost.exe
ProcessID=0x1234
CreatorProcessID=0x5678
CommandLine=rundll32.exe shell32.dll,Control_RunDLL
```

Question 4 (hard, multiple choice)

What is the net effect of the policy shown in the exhibit on requests from an IP address in the 10.0.0.0/8 range?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::confidential-data/*"
    }
  ]
}
```

A security analyst is reviewing an S3 bucket policy for an AWS environment.

Question 5 (medium, multiple choice)

Refer to the exhibit. A security analyst is reviewing SIEM logs and notices repeated entries from the same source IP. Which of the following actions should the analyst take NEXT?

Exhibit

```
2025-02-15 08:23:45 | src=192.168.2.10 | dst=10.0.0.5 | port=443 | action=blocked | signature=ET TROJAN Suspicious Outbound Connection
```

Question 6 (hard, multiple choice)

Refer to the exhibit. A security auditor finds this IAM policy attached to a user account. Which of the following describes the primary security concern?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```

Question 7 (medium, multiple choice)

Refer to the exhibit. A security analyst is reviewing firewall logs and notices this entry. What should the analyst do next?

Exhibit

```
# Firewall Log Entry
Time: 2024-03-15 10:23:45
Source IP: 10.10.1.50
Destination IP: 203.0.113.50
Source Port: 49152
Destination Port: 3389
Protocol: TCP
Action: ALLOW
Bytes Sent: 345678
Pkts Sent: 456
```

Question 8 (medium, multiple choice)

Refer to the exhibit. An analyst reviews the output from a netstat command on a server. Which connection is MOST likely indicative of command and control (C2) activity?

Exhibit

The following output is from a compromised server:

```
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:3389           192.168.1.10:54321      TIME_WAIT
tcp        0      0 10.0.0.5:54321          198.51.100.20:4444      ESTABLISHED
tcp        0      0 10.0.0.5:22             10.0.0.1:50001          ESTABLISHED
```

Question 9 (hard, multiple choice)

Refer to the exhibit. A security analyst is reviewing an S3 bucket policy in AWS. What is the primary security misconfiguration?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*"
    }
  ]
}
```

Question 10 (easy, multiple choice)

Refer to the exhibit. An analyst reviews file access logs and notices the entries above. Which is the MOST likely conclusion?

Exhibit

Log entry:

```
2025-03-01 14:23:05, user jsmith, action: file_read, file: /shared/HR/payroll.xlsx, source_ip: 192.168.2.100, device: laptop-44, location: office
2025-03-01 03:15:42, user jsmith, action: file_read, file: /shared/HR/payroll.xlsx, source_ip: 10.0.0.55, device: remote-desktop, location: remote
```

Question 11 (medium, multiple choice)

Refer to the exhibit. An analyst sees this output from a workstation. Which of the following is the most likely explanation?

Exhibit

```
C:\> netstat -an
Active Connections
  Proto  Local Address          Foreign Address         State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.100:49152    10.0.0.50:443          ESTABLISHED
  TCP    192.168.1.100:49153    203.0.113.5:4444       ESTABLISHED
  TCP    192.168.1.100:49154    203.0.113.5:4444       ESTABLISHED
  TCP    192.168.1.100:49155    203.0.113.5:4444       ESTABLISHED
  UDP    0.0.0.0:123            *:*
```

Question 12 (medium, multiple choice)

Refer to the exhibit. An analyst sees this alert in the SIEM console. What is the best immediate action?

Exhibit

```
Dec  5 10:15:30 192.168.1.1 suricata: [1:2000001:1] ET TROJAN Possible Metasploit Payload Detected [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.1:80
```

Question 13 (medium, multiple choice)

Based on the exhibit, which type of issue is most likely affecting the server's network performance?

Exhibit

Refer to the exhibit.

```
ethtool -S eth0 | grep -E "(rx_crc_errors|rx_fifo_errors|rx_frame_errors)"
rx_crc_errors: 2451
rx_fifo_errors: 12
rx_frame_errors: 892
```

An analyst is investigating network performance issues on a Linux server. The exhibit shows output from ethtool.

Question 14 (medium, multiple choice)

Refer to the exhibit. The JSON firewall rule is applied to a network segment. A security analyst needs to ensure that traffic from a new subnet 10.0.1.0/24 to the same destination is also allowed. Which of the following modifications should the analyst make?

Exhibit

```json
{
  "rule_name": "Allow-Web",
  "source_zone": "inside",
  "destination_zone": "DMZ",
  "source_ip": "10.0.0.0/24",
  "destination_ip": "172.16.0.10",
  "destination_port": 443,
  "action": "allow"
}
```

Question 15 (hard, multiple choice)

Based on the exhibit, which vulnerability should the analyst prioritize for remediation?

Exhibit

Refer to the exhibit.

```
Nmap scan report for 10.10.10.15
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 7.4 (protocol 2.0)
80/tcp   open     http         Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
443/tcp  open     ssl/http     Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips)
3306/tcp open     mysql        MySQL 5.5.62
8080/tcp open     http-proxy   Squid http proxy 3.5.20

Service Info: OS: Linux
```

These CS0-003 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style CS0-003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.