A SOC analyst reviews an EDR alert on a finance workstation. The alert shows powershell.exe launched with an encoded command, downloaded a payload into memory, and then spawned rundll32.exe. No new executable was written to disk, but the process later created a scheduled task for persistence. Which two findings most strongly support a fileless attack? Select two.
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Distractor review
the endpoint antivirus quarantined the payload after a signature match
Antivirus quarantine shows the security tool detected something suspicious, but it does not by itself indicate a fileless attack. A signature match could happen with many malware types. This is a response action, not a behavioral indicator of how the attacker executed code.
Best answer
powershell.exe launched with an encoded command and executed the payload in memory
Encoded PowerShell is a common fileless technique because the malicious instructions can be hidden inside a command line and run directly in memory. This reduces obvious disk artifacts and can bypass simple file-based detection. In a Security+ scenario, that combination strongly suggests living-off-the-land abuse rather than a traditional dropped executable.
Best answer
rundll32.exe was spawned by a script-based process during the attack chain
rundll32.exe is a legitimate Windows binary that attackers often abuse to execute code without introducing a custom executable. When it is launched by a scripting process during suspicious activity, it supports a fileless or living-off-the-land pattern. The process chain matters because it shows trusted tools being repurposed for execution.
Distractor review
a new portable executable was written to the user's temporary folder before being run
A new executable dropped to disk is more consistent with traditional malware delivery than fileless execution. Fileless attacks try to minimize or avoid creating obvious files on the system. This option describes a disk-based artifact, which weakens the case for a fileless technique.
Distractor review
a USB storage device was inserted shortly before the alert fired
Removable media can be used to deliver malware, but that detail alone does not point to fileless execution. The alert already shows in-memory PowerShell and trusted binary abuse, which are much stronger indicators. USB insertion is possible context, but it is not the key fileless clue here.
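The process-chain reasoning in the option reviews above can be turned into triage logic: weight encoded PowerShell and a trusted binary spawned by a script host as fileless indicators, treat a new PE written to disk as counter-evidence, and keep antivirus quarantine, USB insertion and the scheduled task as context only. The code below is an added example, not part of the original page; the event field names (`type`, `pid`, `ppid`, `image`, `cmdline`, `path`) and the sample events are constructed for illustration and do not follow any vendor's telemetry schema.

```python
"""Score constructed endpoint telemetry for fileless / living-off-the-land indicators.

Event dictionaries use a simplified, made-up schema (not Sysmon or any EDR format):
  process_create: pid, ppid, image, cmdline
  file_create:    pid, path
  av_quarantine / usb_insert: detail
"""
import base64
import re

# Script hosts whose children deserve attention when they are trusted system binaries.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Trusted Windows binaries commonly repurposed for proxy execution.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand as the encoded-command switch.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded text of a PowerShell encoded command, or None if absent.
    PowerShell expects base64 of UTF-16LE text, so decode in that order."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def score_fileless(events):
    """Split events into fileless indicators, counter-evidence and context, then verdict."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    indicators, counter, context = [], [], []

    for e in events:
        if e["type"] == "process_create":
            image = basename(e["image"])
            parent = procs.get(e["ppid"])
            parent_image = basename(parent["image"]) if parent else ""
            if image in SCRIPT_HOSTS:
                decoded = decode_encoded_command(e["cmdline"])
                if decoded is not None:
                    indicators.append(f"{image} (pid {e['pid']}) ran an encoded command: {decoded!r}")
            if image in PROXY_BINARIES and parent_image in SCRIPT_HOSTS:
                indicators.append(f"{image} (pid {e['pid']}) spawned by script host {parent_image}")
            if image == "schtasks.exe" and "/create" in e["cmdline"].lower():
                context.append(f"scheduled task created by pid {e['pid']} (persistence, not a fileless clue)")
        elif e["type"] == "file_create" and basename(e["path"]).endswith((".exe", ".dll")):
            # A dropped PE is the classic disk artifact that argues against fileless execution.
            counter.append(f"new PE written to disk: {e['path']} by pid {e['pid']}")
        elif e["type"] in ("av_quarantine", "usb_insert"):
            context.append(f"{e['type']}: {e.get('detail', '')}")

    if counter:
        verdict = "disk-based artifacts present"
    elif len(indicators) >= 2:
        verdict = "fileless-consistent"
    elif indicators:
        verdict = "weak fileless signal"
    else:
        verdict = "no fileless indicators"
    return {"verdict": verdict, "indicators": indicators, "counter": counter, "context": context}


# Constructed sample chain: explorer -> powershell (encoded) -> rundll32 and schtasks.
SAMPLE_ENCODED = base64.b64encode("Write-Output 'sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + SAMPLE_ENCODED},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe"},
    {"type": "process_create", "pid": 400, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn SampleTask"},
    {"type": "usb_insert", "detail": "removable drive attached (constructed)"},
]

if __name__ == "__main__":
    result = score_fileless(SAMPLE_EVENTS)
    print("verdict:", result["verdict"])
    for key in ("indicators", "counter", "context"):
        for line in result[key]:
            print(f"  [{key}] {line}")
```

Appending a constructed `file_create` event for a `.exe` under the user's temporary folder flips the verdict to "disk-based artifacts present", which is exactly why that answer choice weakens the fileless case; the USB and scheduled-task events only ever land in `context`.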
Common exam trap
Common exam trap: NAT rules depend on direction and matching traffic
NAT is not only about the public address. The inside/outside interface roles and the ACL or rule that matches traffic are just as important.
Technical deep dive
How to think about this question
NAT questions usually test address translation, overload/PAT behaviour, static mappings and whether the right traffic is being translated. Read the interface direction and address terms carefully.
Key Concepts to Remember
- Static NAT maps one inside address to one outside address.
- PAT allows many inside hosts to share one public address using ports.
- Inside local and inside global describe the private and translated addresses.
- NAT ACLs identify traffic for translation, not always security filtering.
Exam Day Tips
- Identify inside and outside interfaces first.
- Check whether the scenario needs static NAT, dynamic NAT or PAT.
- Do not confuse NAT matching ACLs with normal packet-filtering intent.
FAQ
Questions learners often ask
What does this SY0-701 question test?
Static NAT maps one inside address to one outside address.
What is the correct answer to this question?
The correct answer is: powershell.exe launched with an encoded command and executed the payload in memory — Fileless attacks rely on legitimate utilities, script engines, and in-memory execution to reduce disk-based evidence. Encoded PowerShell is a classic sign because the payload can be hidden and run without a separate malware file. rundll32.exe is also frequently abused as a trusted Windows binary for execution. Together, these observations strongly fit living-off-the-land tradecraft and are more specific than generic signs of malware presence or detection. Why others are wrong: The other options describe either normal detection activity or unrelated delivery methods. A quarantined file indicates the antivirus found something, but that does not prove the attack was fileless. A USB device may be involved in malware delivery, yet it does not explain the memory-only execution pattern. A dropped executable would actually argue against fileless behavior because it leaves a clear file artifact on disk.
What should I do if I get this SY0-701 question wrong?
Reread the option-by-option explanation, then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.