CCNA Cysa Security Operations Questions

15 of 165 questions · Page 3/3 · Cysa Security Operations topic

151
MCQ · hard

An analyst is reviewing a packet capture and notices a TCP connection with the following sequence: SYN, SYN-ACK, ACK, SYN, ACK. What does this pattern indicate?

A. TCP SYN flood attack
B. TCP session hijacking or MITM attempt
C. TCP port scan
D. Normal TCP retransmission due to packet loss
Answer: B

Correct. A second SYN on an established connection indicates an attempt to hijack the session.

Why this answer

Once the three-way handshake has completed (SYN, SYN-ACK, ACK), neither endpoint has any reason to send another SYN on the same four-tuple. A SYN from the original source that reuses the initial sequence number is the classic signature of an attacker who has observed the connection and is trying to inject into or take over the session. A compliant stack does not accept it: under RFC 5961 an in-window SYN on an established connection is answered with a challenge ACK, which is the trailing ACK in this capture. The one common benign explanation is a peer that lost its state (for example after a crash) and is reusing the same port for a fresh connection; in that case the challenge ACK is answered with a RST, so the analyst should check for one before concluding hijack. The distractors do not fit the trace: a SYN flood (A) shows many SYNs with no completed handshakes, a port scan (C) spreads SYNs across ports rather than re-sending one on an established connection, and a loss-driven retransmission (D) repeats the lost data segment, not a SYN after the handshake has already succeeded.

152
MCQ · easy

What is the primary purpose of performing credentialed vulnerability scans?

A. Eliminate the need for patch management
B. Reduce network bandwidth usage
C. Avoid detection by the target system
D. Provide deeper insight into the system configuration
Answer: D

With credentials, the scanner can access more detailed system information.

Why this answer

Credentialed scans authenticate to the target system, allowing deeper inspection (e.g., registry, installed software) for a more accurate assessment.

153
Multi-Select · medium

An analyst is reviewing cloud audit logs from AWS CloudTrail and notices an API call to create an IAM user with administrative privileges from an IP address outside the corporate network. Which TWO actions should the analyst take first? (Select TWO.)

Select 2 answers
A. Ignore the alert because CloudTrail logs are not reliable.
B. Contact the user's manager to verify if the creation was authorized.
C. Review CloudTrail logs for any other suspicious API calls.
D. Disable the IAM user and reset the root user credentials.
E. Delete the newly created IAM user immediately.
Answers: C, D

Correct. Contain the account without destroying evidence, then establish how far the activity reaches.

Why this answer

Disabling the IAM user (and rotating the root credentials, since whoever could create an administrative user may also hold them) stops further actions while keeping the user, its access keys and its policy attachments available for investigation; deleting it (E) would destroy that evidence. Reviewing CloudTrail for other calls from the same source IP, principal and access key establishes the scope and the likely entry point. Ignoring the alert (A) is never appropriate, and confirming authorization with a manager (B) comes after containment, not before it.

154
MCQ · easy

A security analyst reviews a SIEM alert that fired when a user successfully logged into a server from a remote IP address at 3 AM. The user is a system administrator who often works late. What is the most appropriate initial classification of this alert?

A. False positive
B. True positive
C. True negative
D. False negative
Answer: A

The alert incorrectly flagged a legitimate login as suspicious, making it a false positive.

Why this answer

True positives are alerts that correctly identify malicious activity. In this case, the login is legitimate for the administrator's work pattern, making it a false positive.

155
MCQ · medium

A security analyst is configuring a vulnerability scanner for internal network scanning. The analyst wants to ensure the scanner can identify missing patches and software configurations that require administrative privileges to read. Which scan type should the analyst configure?

A. Non-credentialed scan
B. Credentialed scan
C. External scan
D. Passive scan
Answer: B

Credentialed scans log in to systems and can assess patch levels and configurations.

Why this answer

Credentialed scans use administrative credentials to access systems and retrieve detailed configuration information, including missing patches.

156
Multi-Select · medium

A security analyst is reviewing network traffic and suspects a host is infected with malware that uses a domain generation algorithm (DGA) for C2 communication. Which two of the following indicators are most consistent with DGA activity?

Select 2 answers
A. All DNS queries are to internal DNS servers
B. Frequent DNS queries to domains with random-looking, long subdomains
C. DNS queries to domains with a high Alexa ranking
D. High volume of DNS queries resulting in NXDOMAIN responses
E. Consistent DNS query intervals to a single IP
Answers: B, D

DGA domains look random, and most of them do not resolve.

Why this answer

DGA domains are generated algorithmically, so they look like random strings, are often unusually long, and change constantly. Because the attacker registers only a few of the candidates the malware will try on a given day, most of the queries return NXDOMAIN. The distractors describe ordinary traffic: every host sends its queries to the internal resolvers (A), popular, highly ranked domains (C) are legitimate sites, and fixed-interval queries tied to a single IP (E) are beaconing to a static C2, which is the opposite of a DGA.
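The two signals in this answer can be combined into a per-host scoring rule. The following is an added example written for this page, not code from the original quiz: it runs over a constructed resolver log, measures the length and entropy of each queried name and the NXDOMAIN ratio per client, and flags a host only when both signals are present. The thresholds (10-character labels, 3.0 bits of entropy, 50% NXDOMAIN, three random-looking names) are assumptions to tune against your own traffic.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<client_ip> <queried_name> <rcode>".
# These lines are made up for the example; they are not from the page.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 x7k2pq9vbn3mz.com NXDOMAIN
10.0.0.7 q3wz8lrtyu1kdf.net NXDOMAIN
10.0.0.7 mn4vbx2kdl9pqe.org NXDOMAIN
10.0.0.7 zr7tkp3wqx1lmn.com NXDOMAIN
10.0.0.7 ke9vpz4lxq2mwr.net NOERROR
10.0.0.7 www.example.com NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(name):
    """Longest DNS label below the TLD, so long random subdomains count too."""
    parts = name.rstrip(".").split(".")
    candidates = parts[:-1] if len(parts) > 1 else parts
    return max(candidates, key=len)


def looks_random(name, min_len=10, min_entropy=3.0):
    """Heuristic for an algorithmically generated name; thresholds are assumptions."""
    label = longest_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, name, rcode = line.split()
        records.append((client, name.lower(), rcode.upper()))
    return records


def score_clients(records, nx_ratio_threshold=0.5, min_random_names=3):
    """Per client: NXDOMAIN ratio and count of random-looking names.

    A host is flagged only when both signals are present, which is what
    separates a DGA from a typo or a single dead domain.
    """
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "random": 0})
    for client, name, rcode in records:
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if looks_random(name):
            s["random"] += 1
    result = {}
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["total"]
        result[client] = {
            "nx_ratio": round(ratio, 2),
            "random_names": s["random"],
            "suspicious": ratio >= nx_ratio_threshold and s["random"] >= min_random_names,
        }
    return result


if __name__ == "__main__":
    for client, verdict in score_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, verdict)
```

Requiring both signals matters in practice: a single misconfigured application can produce a high NXDOMAIN ratio on its own, and CDN hostnames can look random without ever failing to resolve.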

157
Multi-Select · hard

A threat hunter is using osquery to look for persistence mechanisms on a set of Windows endpoints. Which THREE registry keys or scheduled tasks should the hunter check for common persistence?

Select 3 answers
A. HKLM\Software\Microsoft\Windows\CurrentVersion\AppInit_DLLs
B. User's Startup folder
C. HKLM\SYSTEM\CurrentControlSet\Services
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. Scheduled tasks in Task Scheduler
Answers: C, D, E

Services can be set to auto-start and are a standard persistence location.

Why this answer

Run keys (D), scheduled tasks (E) and auto-start services under HKLM\SYSTEM\CurrentControlSet\Services (C) are the most common persistence locations, and all three are queryable from osquery (the registry, scheduled_tasks and services tables). The Startup folder (B) is a filesystem location rather than a registry key or scheduled task, so it falls outside what the question asks for even though it is also worth checking. AppInit_DLLs (A) is a genuine but now uncommon technique: on Windows 8 and later it is ignored when Secure Boot is enabled.

158
Multi-Select · medium

A SOC analyst is investigating an alert from Azure Sentinel indicating a user account logged in from an unfamiliar location. The analyst wants to determine if this is a true positive. Which TWO additional log sources should the analyst correlate to make an informed decision?

Select 2 answers
A. Azure Security Center alerts
B. Azure Network Watcher flow logs
C. Azure Activity Logs
D. Azure Key Vault logs
E. Azure AD sign-in logs
Answers: C, E

Activity Logs show resource changes and can indicate if the account was used for administrative actions.

Why this answer

Azure AD sign-in logs provide authentication details, and Azure Activity Logs provide management plane activity. Correlating these can reveal if the sign-in was part of administrative actions or other anomalies.

159
Multi-Select · hard

A security analyst is analyzing a PCAP file from a network incident and notices a series of TCP connections with unusual flag combinations. Specifically, the SYN flag is set but the ACK flag is not set in the response, and the sequence numbers are not incrementing properly. The analyst suspects a TCP handshake manipulation. Which THREE TCP anomalies should the analyst document?

Select 3 answers
A. Sequence numbers that are out of order
B. FIN packets with no prior data transfer
C. SYN-ACK packets without preceding SYN
D. RST packets with the ACK flag set
E. A high volume of SYN packets to multiple ports
Answers: A, C, E

Improper sequence numbers can indicate injection or hijacking.

Why this answer

Out-of-order or non-incrementing sequence numbers (A) are the signature of injected or hijacked segments; a SYN-ACK with no preceding SYN (C) is either backscatter from a spoofed-source SYN sent elsewhere or an injected handshake; and a burst of SYNs to many ports (E) is the pattern of a SYN scan or SYN flood. The other two are normal protocol behaviour: an RST with ACK set (D) is how a host rejects a segment for a port or connection it does not have, and a FIN with no prior data (B) is just the orderly close of an idle connection.
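The handshake states behind question 151 and the anomalies in this question can be checked mechanically. The following is an added example, not part of the original page: it replays a constructed packet list through a minimal per-connection TCP state machine and reports a SYN on an established connection (the question 151 pattern, noting whether it reuses the original ISN), a SYN-ACK with no preceding SYN, and one source sending SYNs to many ports. The packets, the tcpdump-style flag letters and the fan-out threshold are assumptions.

```python
from collections import defaultdict

# Constructed packets (not from the page): (src_ip, sport, dst_ip, dport, flags, seq).
# Flags use tcpdump-style letters: "S" = SYN, "A" = ACK, "SA" = SYN-ACK.
SAMPLE_PACKETS = [
    # Question 151 pattern: full handshake, then a second SYN reusing the original
    # ISN, answered by the server with a challenge ACK (RFC 5961).
    ("10.0.0.5", 40000, "10.0.0.9", 80, "S", 1000),
    ("10.0.0.9", 80, "10.0.0.5", 40000, "SA", 5000),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "A", 1001),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "S", 1000),
    ("10.0.0.9", 80, "10.0.0.5", 40000, "A", 5001),
    # Question 159: a SYN-ACK for which no SYN was ever seen on this four-tuple.
    ("203.0.113.7", 443, "10.0.0.5", 41000, "SA", 777),
    # Question 159: one source sending SYNs to many ports on one host.
    *[("10.0.0.66", 50000 + p, "10.0.0.9", p, "S", 1) for p in range(20, 30)],
]


def analyze(packets, fanout_threshold=8):
    """Replay packets through a minimal per-connection state machine.

    Returns a list of (finding, subject, detail) tuples. Only the handshake
    states are modelled; data transfer and teardown are ignored.
    """
    state = {}                       # four-tuple -> (state, initiator endpoint, initiator ISN)
    syn_targets = defaultdict(set)   # src_ip -> destination ports hit with a SYN
    findings = []

    for src, sport, dst, dport, flags, seq in packets:
        key = frozenset({(src, sport), (dst, dport)})
        st, initiator, isn = state.get(key, ("CLOSED", None, None))

        if flags == "S":
            syn_targets[src].add(dport)
            if st == "ESTABLISHED":
                # Neither side should send a SYN once the handshake completed;
                # reusing the original ISN is the hijack/injection signature.
                detail = "same ISN as original SYN" if seq == isn else "new ISN"
                findings.append(("SYN_ON_ESTABLISHED", f"{src}:{sport}->{dst}:{dport}", detail))
            elif st == "CLOSED":
                state[key] = ("SYN_SENT", (src, sport), seq)
        elif flags == "SA":
            if st == "SYN_SENT" and (dst, dport) == initiator:
                state[key] = ("SYN_RECEIVED", initiator, isn)
            else:
                # Backscatter from a spoofed SYN, or an injected handshake.
                findings.append(("SYNACK_WITHOUT_SYN", f"{src}:{sport}->{dst}:{dport}",
                                 "no SYN seen for this four-tuple"))
        elif flags == "A":
            if st == "SYN_RECEIVED" and (src, sport) == initiator:
                state[key] = ("ESTABLISHED", initiator, isn)
            # A bare ACK from the responder on an established connection is
            # consistent with an RFC 5961 challenge ACK; nothing to flag.

    for src, ports in syn_targets.items():
        if len(ports) >= fanout_threshold:
            findings.append(("SYN_FANOUT", src, f"{len(ports)} distinct destination ports"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKETS):
        print(*finding)
```

A clean three-packet handshake produces no findings, which is the check to run first when tuning the fan-out threshold against real captures.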

160
Multi-Select · easy

An analyst is configuring correlation rules in a SIEM. Which TWO data sources are essential for detecting lateral movement using pass-the-hash attacks?

Select 2 answers
A. Firewall logs
B. Authentication logs (e.g., Windows Event ID 4624)
C. DNS logs
D. Endpoint process creation logs (e.g., Event ID 4688)
E. Vulnerability scan results
Answers: B, D

Logon events with NTLM can indicate PtH.

Why this answer

Pass-the-hash authenticates with the NTLM hash directly instead of the password, so on the target it appears in the authentication logs as an Event ID 4624 network logon (Logon Type 3) using the NTLM authentication package, typically from one workstation to several hosts in a short period. Endpoint process creation logs (Event ID 4688, or Sysmon Event ID 1) show what ran after that logon, such as wmic.exe or the PsExec service, and can be joined to the logon through the logon ID. Firewall and DNS logs may show the connections but cannot distinguish PtH from a normal SMB session, and vulnerability scan results are not a detection source at all.
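The join between the two log sources is the core of the detection. The following is an added example, not from the page: it takes constructed Windows Security events (4624 and 4688) already parsed into dictionaries, selects NTLM network logons, joins each to process creations on the same host by logon ID within a short window, and separately counts how many hosts each (user, source IP) pair reached over NTLM. The event values, the list of remote-execution binaries, the 60-second window and the two-host fan-out bar are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Constructed Windows Security events already parsed to dicts (not from the page).
# Field names follow the Windows event schema; the values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "Time": "2024-05-01T03:10:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.5", "TargetLogonId": "0x3e7a1"},
    {"EventID": 4688, "Computer": "FS01", "Time": "2024-05-01T03:10:04",
     "SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe"},
    {"EventID": 4624, "Computer": "FS02", "Time": "2024-05-01T03:11:10", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.5", "TargetLogonId": "0x4a11"},
    {"EventID": 4688, "Computer": "FS02", "Time": "2024-05-01T03:11:13",
     "SubjectLogonId": "0x4a11", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    # Benign: a Kerberos network logon, and an NTLM logon followed only by notepad.
    {"EventID": 4624, "Computer": "FS01", "Time": "2024-05-01T03:12:00", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "asmith",
     "IpAddress": "10.0.0.12", "TargetLogonId": "0x5100"},
    {"EventID": 4624, "Computer": "FS01", "Time": "2024-05-01T03:13:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "bkim",
     "IpAddress": "10.0.0.30", "TargetLogonId": "0x5200"},
    {"EventID": 4688, "Computer": "FS01", "Time": "2024-05-01T03:13:02",
     "SubjectLogonId": "0x5200", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

# Binaries that commonly run on the target right after a remote logon (assumed list).
REMOTE_EXEC_TOOLS = {"wmic.exe", "psexesvc.exe", "cmd.exe", "powershell.exe", "schtasks.exe", "sc.exe"}


def _t(s):
    return datetime.fromisoformat(s)


def is_ntlm_network_logon(e):
    """4624 with Logon Type 3 and the NTLM package: the PtH-relevant subset."""
    return e["EventID"] == 4624 and e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"


def correlate_pth(events, window_seconds=60, fanout_threshold=2):
    """Join NTLM network logons to process creations by logon ID, and count the
    distinct hosts each (user, source IP) pair reached over NTLM."""
    logons = [e for e in events if is_ntlm_network_logon(e)]
    procs = [e for e in events if e["EventID"] == 4688]
    window = timedelta(seconds=window_seconds)

    exec_hits = []
    for lg in logons:
        for pr in procs:
            same_session = (pr["Computer"] == lg["Computer"]
                            and pr["SubjectLogonId"] == lg["TargetLogonId"])
            if not same_session:
                continue
            delta = _t(pr["Time"]) - _t(lg["Time"])
            image = ntpath.basename(pr["NewProcessName"]).lower()
            if timedelta(0) <= delta <= window and image in REMOTE_EXEC_TOOLS:
                exec_hits.append({"user": lg["TargetUserName"], "source": lg["IpAddress"],
                                  "host": lg["Computer"], "image": image,
                                  "seconds_after_logon": int(delta.total_seconds())})

    hosts_by_actor = defaultdict(set)
    for lg in logons:
        hosts_by_actor[(lg["TargetUserName"], lg["IpAddress"])].add(lg["Computer"])
    fanout = {actor: sorted(hosts) for actor, hosts in hosts_by_actor.items()
              if len(hosts) >= fanout_threshold}
    return {"exec_hits": exec_hits, "fanout": fanout}


if __name__ == "__main__":
    print(correlate_pth(SAMPLE_EVENTS))
```

NTLM network logons on their own are routine in most domains, which is why the example only reports a logon when it is followed by a remote-execution binary in the same session or when the same actor reaches several hosts; both conditions are the noise reduction that the bare 4624 filter lacks.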

161
Multi-Select · medium

A security analyst is tuning a SIEM rule that generates alerts for any failed login attempt. The rule produces too many alerts, overwhelming the team. Which TWO actions would most effectively reduce false positives while maintaining detection of actual brute-force attacks?

Select 2 answers
A. Exclude failed logins from known service accounts
B. Disable the rule entirely
C. Increase the alert severity to critical for all failed logins
D. Add a correlation rule to trigger on successful login after multiple failures
E. Require a minimum threshold of 5 failed attempts from the same source IP within 10 minutes before alerting
Answers: A, E

Service accounts often have expected failures (e.g., password changes); excluding them reduces noise.

Why this answer

Thresholding on failures per source IP within a time window (E) turns one alert per event into one alert per attack pattern, and excluding known service accounts (A) removes the expected failures they generate. Disabling the rule (B) gives up detection entirely, raising the severity (C) makes the noise louder rather than smaller, and a success-after-failures correlation (D) is a valuable complementary detection but does not reduce the volume produced by the existing rule.
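The tuned rule described here, with the untuned rule beside it for comparison, as an added example that is not code from the page: it parses a constructed authentication log, skips accounts matching an assumed svc_ naming convention, fires once when a source reaches five failures inside a sliding ten-minute window, and also raises the success-after-failures correlation from option D. The log lines, the prefix convention and the three-failure bar for the correlation are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (not from the page): "<time> <src_ip> <user> <result>".
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:00 10.0.0.5 svc_backup FAIL
2024-05-01T09:00:10 10.0.0.5 svc_backup FAIL
2024-05-01T09:00:20 10.0.0.5 svc_backup FAIL
2024-05-01T09:00:30 10.0.0.5 svc_backup FAIL
2024-05-01T09:00:40 10.0.0.5 svc_backup FAIL
2024-05-01T09:00:50 10.0.0.5 svc_backup FAIL
2024-05-01T09:01:00 198.51.100.9 admin FAIL
2024-05-01T09:01:20 198.51.100.9 admin FAIL
2024-05-01T09:01:40 198.51.100.9 admin FAIL
2024-05-01T09:02:00 198.51.100.9 admin FAIL
2024-05-01T09:02:20 198.51.100.9 admin FAIL
2024-05-01T09:02:40 198.51.100.9 admin FAIL
2024-05-01T09:03:00 198.51.100.9 admin SUCCESS
2024-05-01T09:30:00 10.0.0.8 jdoe FAIL
2024-05-01T09:30:05 10.0.0.8 jdoe SUCCESS
"""

SERVICE_ACCOUNT_PREFIXES = ("svc_",)  # assumed naming convention for service accounts


def parse_auth_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        records.append((datetime.fromisoformat(ts), src, user, result.upper()))
    return sorted(records)


def naive_alert_count(records):
    """The untuned rule from the question: one alert per failed login."""
    return sum(1 for _, _, _, result in records if result == "FAIL")


def evaluate(records, threshold=5, window=timedelta(minutes=10), success_after=3):
    """Tuned rule: ignore service accounts, alert once when a source reaches
    `threshold` failures inside a sliding window, and raise a separate alert
    when a success follows `success_after` or more recent failures."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ts, src, user, result in records:
        if user.startswith(SERVICE_ACCOUNT_PREFIXES):
            continue
        dq = failures[src]
        while dq and ts - dq[0] > window:  # drop failures older than the window
            dq.popleft()
        if result == "FAIL":
            dq.append(ts)
            if len(dq) == threshold:  # fires once per crossing, not per extra failure
                alerts.append(("BRUTE_FORCE_THRESHOLD", src, user, len(dq)))
        elif result == "SUCCESS" and len(dq) >= success_after:
            alerts.append(("SUCCESS_AFTER_FAILURES", src, user, len(dq)))
            dq.clear()
    return alerts


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("untuned alerts:", naive_alert_count(recs))
    for alert in evaluate(recs):
        print(*alert)
```

On the constructed log the untuned rule produces thirteen alerts, the tuned rule two: one threshold alert for the brute force from 198.51.100.9 and one for the success that followed it, while the single failure from jdoe and the service-account noise generate nothing.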

162
MCQ · medium

A threat hunter is reviewing osquery data from endpoints and notices that the Windows Registry key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' contains an entry for 'C:\Users\Public\svchost.exe'. Which of the following best describes the significance of this finding?

A. Confirms a false positive because svchost.exe is always legitimate
B. Indicates a scheduled task has been created
C. Suggests persistence via a malicious binary masquerading as svchost.exe
D. Indicates a legitimate application installed for all users
Answer: C

Correct. The Run key is used for persistence, and the unusual path indicates masquerading.

Why this answer

The Run key is a common persistence mechanism. The real svchost.exe lives in %SystemRoot%\System32 and is started by services.exe, never from a Run key; a binary with that name in a user-writable directory such as C:\Users\Public is masquerading and almost certainly malicious.

163
MCQ · easy

A security analyst is reviewing a SIEM alert for a single failed login attempt from an internal IP address to a file server. The analyst determines this is a false positive. Which step should the analyst take next?

A. Escalate to a senior analyst
B. Disable the SIEM alert permanently
C. Tune the alert to suppress similar events
D. Create a correlation rule to link with other events
Answer: C

Correct. Tuning reduces false positives.

Why this answer

After confirming a false positive, the analyst should tune the alert to reduce noise. This may involve adjusting thresholds or whitelisting the source.

164
Multi-Select · hard

A security analyst is conducting a proactive threat hunt for lateral movement techniques. The analyst examines EDR data for unusual parent-child process relationships. Which three process chains are indicative of lateral movement? (Select THREE.)

Select 3 answers
A. svchost.exe spawning schtasks.exe
B. explorer.exe spawning cmd.exe
C. services.exe spawning cmd.exe
D. wmiprvse.exe spawning cmd.exe
E. rundll32.exe spawning powershell.exe
Answers: A, C, D

Scheduled tasks, services and WMI are the usual channels through which remote execution lands on a host.

Why this answer

Each remote-execution channel leaves a characteristic parent process on the target. services.exe spawning cmd.exe (C) is the service-based execution pattern used by PsExec and its clones; wmiprvse.exe spawning cmd.exe (D) is remote WMI process creation; and svchost.exe, which hosts the Task Scheduler service, spawning schtasks.exe (A) points to task manipulation driven through the scheduler rather than by an interactive user. explorer.exe spawning cmd.exe (B) is simply a user opening a command prompt, and rundll32.exe spawning powershell.exe (E) is suspicious in its own right but is a local proxy-execution pattern, not lateral movement.
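The parent-child pairs in the three correct answers can be encoded as a small rule table. The following is an added example, not from the page: it runs constructed EDR process-creation records through that table, matching on image name regardless of path or case, and reports only the chains that indicate a remote-execution channel, so the explorer.exe and rundll32.exe chains from the distractors pass through unflagged. The events, the rule table (which also counts psexesvc.exe and powershell.exe as service and WMI children) and the technique labels are assumptions.

```python
import ntpath

# Constructed EDR process-creation events (not from the page):
# (host, parent_image, child_image, command_line)
SAMPLE_PROCESS_EVENTS = [
    ("FS01", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe", "PSEXESVC.exe"),
    ("FS01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
     'cmd.exe /c "whoami > \\\\10.0.0.5\\share\\out.txt"'),
    ("FS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c net user backdoor P@ss /add"),
    ("WS02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
     "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon"),
    # Distractors from the question: a user shell and a local proxy-execution chain.
    ("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("WS03", r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -enc AAAA"),
    # Normal: the Service Control Manager starting a service host.
    ("FS01", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# Parent -> child pairs that indicate a remote-execution channel landing on the host.
# The technique names follow the page's explanation; the exact table is an assumption.
LATERAL_MOVEMENT_RULES = [
    ("services.exe", {"cmd.exe", "powershell.exe", "psexesvc.exe"},
     "service-based remote execution (PsExec-style)"),
    ("wmiprvse.exe", {"cmd.exe", "powershell.exe"}, "remote WMI process creation"),
    ("svchost.exe", {"schtasks.exe"}, "scheduled task driven through the Task Scheduler service"),
]


def image_name(path):
    """Normalise a full image path to a lower-case file name for matching."""
    return ntpath.basename(path).lower()


def hunt_lateral_movement(events, rules=LATERAL_MOVEMENT_RULES):
    """Return one hit per event whose (parent, child) pair matches a rule."""
    hits = []
    for host, parent, child, cmdline in events:
        p, c = image_name(parent), image_name(child)
        for rule_parent, rule_children, technique in rules:
            if p == rule_parent and c in rule_children:
                hits.append({"host": host, "parent": p, "child": c,
                             "technique": technique, "cmdline": cmdline})
                break
    return hits


if __name__ == "__main__":
    for hit in hunt_lateral_movement(SAMPLE_PROCESS_EVENTS):
        print(hit["host"], hit["parent"], "->", hit["child"], ":", hit["technique"])
```

The command line is carried along with each hit rather than used for matching; in a real hunt it is what tells the analyst whether a services.exe child was PsExec (PSEXESVC.exe) or a service an administrator legitimately installed.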

165
MCQ · easy

Which tool would best allow a security analyst to capture and analyze packets in real time to investigate a network anomaly?

A. Metasploit
B. Wireshark
C. Nmap
D. Nikto
Answer: B

Wireshark captures and analyzes packets live.

Why this answer

Wireshark is a network protocol analyzer that captures and inspects packets in real time, making it ideal for real-time traffic analysis.
