SY0-701 domain
Threats, Vulnerabilities, and Mitigations
Use this page to work through SY0-701 Threats, Vulnerabilities, and Mitigations practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
Focused practice
Start a Threats, Vulnerabilities, and Mitigations session
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
What the exam tests
What to know about Threats, Vulnerabilities, and Mitigations
Threats, Vulnerabilities, and Mitigations questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Question index
All Threats, Vulnerabilities, and Mitigations questions (257)
Click any question to see the full explanation, or start a practice session above.
1. A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?
2. A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?
3. A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?
4. A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?
5. A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?
6. A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?
7. A security analyst is reviewing authentication logs from a corporate web application. The logs show thousands of failed login attempts over the past hour. Each attempt uses a different username, but all attempts use the same password 'Spring2024!'. The source IP addresses are widely distributed across several different geographic regions. Which type of attack is the analyst most likely observing?
8. A security analyst is investigating a series of alerts from the web application firewall. Users are reporting that when they view a product review page on the company's e-commerce site, their browser automatically redirects to a malicious website. The analyst examines the database and finds that a product review submitted by a user contains a <script> tag that loads a JavaScript file from an external domain. Which type of attack has occurred?
9. A security analyst is reviewing the session management implementation of a web application. The application generates session tokens by computing the MD5 hash of the concatenation of the username and the current server timestamp rounded to the nearest hour. An attacker has obtained a valid session token for her own account and discovers that she can forge tokens for other users by simply substituting the username in the hash calculation with a known target username. Which type of attack is the web application most vulnerable to?
10. A security analyst is reviewing the source code of a custom web application. The application receives JSON data from users, which includes a 'type' field. The application uses the 'type' field to determine which Java class to instantiate, and then calls a method on that object. The application does not validate or sanitize the 'type' field. An attacker sends a crafted JSON payload that causes the application to instantiate an unexpected class, leading to remote code execution. Which type of vulnerability does this example describe?
11. A security analyst is investigating a phishing campaign that specifically targets senior executives in a company. The emails appear to come from the CEO and request urgent wire transfers to a fraudulent account. Which of the following best describes this type of attack?
12. A security analyst discovers that an organization's web application is vulnerable to SQL injection. The application uses a legacy database driver that does not support parameterized queries. Which of the following is the BEST mitigation to prevent this vulnerability?
13. A security analyst reviews authentication logs and discovers hundreds of failed login attempts from a single external IP address within a five-minute window. All attempts target the same username 'jsmith' but use different passwords. Which type of password attack does this pattern most likely indicate?
14. A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?
15. A security analyst reviews authentication logs and notices multiple failed login attempts using various usernames from a single IP address over several hours. Eventually, a successful login occurs using a username that had many failed attempts. The organization requires multi-factor authentication (MFA). Which type of attack is most likely indicated by this pattern?
16. A security analyst receives an alert from the email security gateway about a message sent to an employee. The email has an attachment named 'Invoice_Q4_2024.exe'. The employee claims they did not open the attachment, and the email appears to come from a known vendor's domain but the sender address has a slight typo. Which type of attack is most likely being attempted?
17. A security analyst notices that several employees have received an email with the subject line 'Urgent: Password Reset Required'. The email contains a link to a website that mimics the company's internal login portal. The email was sent from an external domain and addresses recipients by 'Dear Employee' rather than their actual names. Which type of social engineering attack is being described?
18. A security analyst receives an alert about a user account attempting to access multiple network shares in rapid succession within a short time frame. The analyst reviews the logs and sees that the IP address originates from the internal network, but the user is currently on leave. Which type of attack is most likely occurring?
19. A security analyst receives a phone call from an individual claiming to be a member of the IT help desk. The caller states that an emergency security update requires the analyst's password immediately, and the request sounds urgent. The analyst notices the caller's voice is unfamiliar and the background noise is inconsistent with an office environment. Which type of social engineering attack is being attempted?
20. A security analyst is investigating a web application that allows users to input a filename to view its contents. The application passes the user input directly to a system command without sanitization. An attacker submits the input 'file.txt; cat /etc/passwd' and successfully retrieves the contents of the password file. Which type of attack occurred?
21. A security analyst receives reports that several employees are being redirected to a fraudulent login page after typing the correct URL for a company application into their browser. Further investigation reveals that the company's internal DNS server has been compromised. Which type of attack best describes this scenario?
22. A security analyst is reviewing logs after a successful phishing attack. The attacker used a fake login page that mimicked the company's single sign-on portal to harvest usernames and passwords. The attacker then used the stolen credentials to access the corporate email system. Which type of attack best describes the initial compromise?
23. A security analyst observes repeated outbound traffic from a single workstation to a known malicious IP address. The workstation's anti-malware software has reported no alerts, and the user claims to have only downloaded software from the company's approved application store. Which type of malware most likely explains this behavior?
24. Based on the exhibit, what should the employee do first?
25. An employee receives an email that appears to come from the company's payroll provider. It says payroll documents will be deleted today unless the employee signs in through the included link. What is the best first action?
26. A help desk technician reports several workstations are suddenly showing lots of pop-up ads and browser redirects after users installed a free media player. What type of unwanted software is most likely present?
27. A threat intelligence feed says an adversary rotates domains daily, uses cloud VPS hosting, and reuses the same malware sample across several campaigns. Analysts want the indicator that remains useful even when the domain changes. What should they prioritize?
28. Based on the exhibit, what type of social engineering attack is the caller using?
29. A user says their files suddenly have a new extension and a note appears demanding payment to restore access. Which type of malware is most likely involved?
30. An employee receives a text message from an unknown number pretending to be IT. It includes a shortened URL for "urgent MFA re-enrollment" and says the account will be locked in 15 minutes. What is the best response?
31. A security tool reports repeated DNS requests for long, random-looking subdomains under the same domain name. What is the most likely explanation?
32. EDR alerts show a finance laptop spawning an unsigned executable from %AppData%, attempting to read LSASS memory, and making outbound HTTPS connections to a rare domain. The user says they only opened a spreadsheet attachment. What is the best immediate action?
33. An attacker calls the service desk claiming to be a traveling contractor whose phone was stolen. They know the contractor's manager name and ask for an MFA reset to a new number 'just for today.' Which control would best reduce the success of this attack?
34. A caller claims to be from the company's SaaS provider and says a tenant migration will fail unless the help desk reads back a one-time verification code sent to an administrator's phone. The caller knows the admin's name and ticket number. What attack technique is being used?
35. Threat intelligence shows an attacker changes the domain name every day, but the malware file hash stays the same across incidents. What should defenders prioritize for blocking?
36. Finance staff receive an email from the 'CFO' using a lookalike domain. The message requests an urgent gift-card purchase, says the recipient must keep it confidential, and pressures them to skip normal approval steps. What attack is this most likely?
37. Based on the exhibit, which indicator should the security team prioritize for endpoint detection and hunting? The attacker rotates infrastructure frequently, but one artifact has remained consistent across recent investigations.
38. A support portal lets users upload files and name them manually. During review, a tester submits a filename containing path traversal sequences, and logs later show the application trying to access files outside the intended upload folder. Which two changes best address the flaw? Select two.
39. A finance manager gets a phone call from someone claiming to be the CEO's assistant, urgently requesting a wire transfer before a board meeting. What type of attack is this?
40. A threat report says an attacker changes domains daily and rehosts infrastructure in cloud VPS environments, but the phishing email wording, login-page flow, and PowerShell download behavior remain the same. What type of information is most useful for a durable detection rule?
41. A workstation opens an attachment labeled as an invoice and then begins creating scheduled tasks, disabling security services, and contacting a known malicious IP address. What is the best first containment action?
42. A user's laptop suddenly shows encrypted .docx files, a ransom note, and the EDR console reports mass file renames and shadow copy deletion. The device is still online and connected to the corporate VPN. What is the best immediate action?
43. A caller says they are from the help desk and need the employee's MFA code to "complete a password reset". Which social engineering technique is being used?
44. A vulnerability scan finds two issues: a critical deserialization flaw on a non-production lab server behind a VPN, and a high-severity privilege escalation flaw on the production jump server that administrators use to reach the rest of the environment. Which should be remediated first?
45. A report generator accepts a user-supplied report name and then passes it into a shell command to convert a file. During testing, a malicious value causes the server to run an unexpected system command. Which two changes best mitigate this issue while keeping the feature usable? Select two.
46. Based on the exhibit, what is the BEST fix for the vulnerability being exploited? A user with a standard account can retrieve documents by changing the `docId` value in the request. The application returns another employee's file without any authorization error.
47. A vulnerability scan finds a critical flaw on an internet-facing SFTP gateway with public exploit code, and a high-severity flaw on an internal lab server that is only reachable from a restricted subnet. Which should be remediated first?
48. A file server used by a shared service account begins renaming documents, deleting shadow copies, and creating outbound SMB connections to many internal hosts. The SOC suspects the malware may be spreading while also encrypting data. Which two actions are the best immediate containment steps? Select two.
49. A workstation suddenly begins making SMB connections to many internal servers within a few minutes. What is the best immediate response?
50. A vulnerability scan finds a critical flaw on an internet-facing VPN appliance and says public exploit code is already available. Which issue should be remediated first?
51. Based on the exhibit, what is the MOST likely activity taking place on the network? A user opened a spreadsheet shortly before unusual internal connection patterns began. The same account is now authenticating to many hosts in rapid succession.
52. A development team wants to allow users to search orders by customer name and date range. Logs show the team currently concatenates the filter values into SQL strings. Which change best reduces SQL injection risk without removing the search feature?
53. Based on the exhibit, what type of malware is most likely present?
54. A file-sharing portal uses a download URL like /download?file=12345. A tester changes the value to 12346 and can access another department's document without logging in again. Which control most directly prevents this issue?
55. An EDR alert shows a finance workstation launching rundll32 from %AppData%, creating a scheduled task, and making repeated HTTPS beacons to a rare domain. The user still has open accounting files, and the SOC wants to slow spread without losing evidence. What two actions should be taken first? Select two.
56. An employee receives an email that appears to come from payroll and asks them to open a link to "confirm direct deposit details". The link goes to a site with a slightly misspelled company name. What should the employee do first?
57. Based on the exhibit, which indicator should defenders prioritize for detecting future activity from this campaign?
58. A scan reports a critical remote code execution vulnerability on an internet-facing VPN appliance with public proof-of-concept exploit code available. It also reports a critical local privilege escalation on an isolated lab workstation. Patch windows are limited this week. Which should be remediated first?
59. A user's laptop suddenly starts renaming many files and showing a ransom note. The laptop is still connected to Wi-Fi. What is the best immediate action?
60. Based on the exhibit, what is the BEST remediation for the application flaw shown? A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.
61. NetFlow shows one workstation opening SMB connections to a dozen internal servers and then attempting many WinRM connections. What is the most likely explanation?
62. A user reports receiving repeated MFA push requests even though they are not logging in. Later, someone calls and claims to be IT, asking the user to approve one prompt so support can finish a password reset. Which control would best reduce the success of this attack?
63. During testing, a login form returns all user records when the tester enters ' OR '1'='1 in a username field. What is the best fix for this issue?
64. A scan returns five findings. Which two should be remediated first based on real-world risk? Select two.
A) Internet-facing SSO gateway, CVSS 8.8, public exploit code, and auth bypass impact.
B) Internal print server, CVSS 9.8, no known exploit, isolated VLAN, no sensitive data.
C) File server with regulated customer records, CVSS 6.5, active exploitation in the wild, reachable from VPN.
D) Lab hypervisor, CVSS 7.5, no exploit, scheduled retirement next month, used only by testers.
E) Dev wiki, CVSS 5.0, no exploit, no sensitive data.
65. NetFlow shows one user workstation making authenticated SMB and WinRM connections to more than 40 internal hosts within 15 minutes, starting shortly after the user opened a spreadsheet attachment. No approved admin tool was running on the device. What is the best initial response?
66. SIEM alerts show one workstation making SMB connections to 30 internal hosts within 10 minutes, followed by remote service creation and repeated access attempts to admin shares. The workstation also begins authenticating with several privileged accounts. What is the most likely activity?
67. During testing, entering ' OR '1'='1 into a login field returns all user records instead of rejecting the input. What is the best fix to address this flaw?
68. After a new search feature goes live, logs show requests containing `UNION SELECT` and the application returns database error messages. Security testing confirms attackers can retrieve rows from other tables by modifying the query string. Which fix is best?
69. Threat intelligence reports that an adversary changes domains daily and uses disposable cloud hosting, but the malware binary hash and a unique mutex name remain unchanged across incidents. Which indicator is the best candidate for immediate detection rule creation?
70. A user's laptop starts renaming many documents, and a ransom note appears on the desktop. What is the best immediate action for the help desk to recommend?
71. Based on the exhibit, what is the BEST immediate containment action? The workstation is still powered on, and the user reports that files are being renamed and the system is running very slowly. The security analyst confirms malicious activity is in progress.
72. During triage, you see a legitimate browser process spawning powershell.exe with an encoded command, followed by an outbound connection to a newly registered domain. No new executable is written to disk. Which malware characteristic best fits this behavior?
73. A user reports that their laptop is showing frequent pop-up ads, the browser homepage keeps changing, and the system has become noticeably slower. What is the most likely immediate containment action?
74. NetFlow shows one workstation initiating SMB and WinRM sessions to 25 internal servers within 12 minutes, followed by a spike in Kerberos authentication requests and attempts to access admin shares. The user says they only opened an invoice spreadsheet. What is the most likely attacker objective?
75. A scan finds two issues: a critical vulnerability on an internet-facing VPN appliance with public exploit code, and a medium-severity issue on an internal test server. Which should be fixed first?
76. Threat intelligence shows an attacker changes domains every day, but the malware file itself stays the same across incidents. Which indicator would be the best to block immediately if you find it in your environment?
77. Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.
78. Analysts see a malware campaign that changes its command-and-control domain every day, but the executable hash and a unique registry value remain the same across incidents. Which indicator is the best candidate for hunting?
79. A worker receives a text message from someone claiming to be the company's HR partner. The message says a benefits portal issue will be fixed only if the worker clicks a link and logs in right away. What type of attack is this most likely?
80. A procurement clerk receives a text message from someone claiming to be a supplier account manager. The message says a recent payment failed and asks the clerk to update bank details through a link to a secure portal. What should the clerk do first?
81. Based on the exhibit, which issue should be remediated FIRST? The team can only fully fix one issue today. Management wants the choice that best reduces real-world risk, not just the highest severity score.
82. A SIEM alert shows one workstation connecting to many internal systems over SMB in a short period of time, followed by attempts to access administrative shares. What is the best response?
83. An accounts payable clerk receives an email that appears to come from a long-time vendor. The message asks for an urgent change to bank routing information, says the CFO is traveling, and requests that no one call back because the matter is confidential. The display name looks legitimate, but the reply-to address is different from the sender identity. Which three findings most strongly indicate a pretexting or business email compromise attempt? Select three.
84. Based on the exhibit, what is the MOST likely explanation for the network traffic? The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.
85. A scan finds two issues: a critical flaw on a lab server reachable only through VPN, and a high-severity flaw on an internet-facing file transfer appliance with active exploitation in the wild. Which should be remediated first?
86. Based on the exhibit, what is the BEST response by the employee? The message appears to come from a trusted internal support team, but the sender details and request do not align with normal procedures.
87. A security team suspects a rootkit after seeing hidden processes, boot-time persistence, and altered system files on a laptop. What is the best next step after confirming the suspicion?
88. A web form stores a user's comment and later displays it to other users. A tester submits <script>alert(1)</script> and the script runs in the browser. What vulnerability is this?
89. An employee receives an email from someone claiming to be from IT. The message says the employee must read back a one-time verification code so their mailbox can be 'repaired.' What social engineering technique is being used?
90. NetFlow and authentication logs show one workstation opening SMB and WinRM sessions to many internal hosts within ten minutes. The same source also generates a sharp rise in Kerberos service-ticket requests and attempts to access administrative shares. Which three observations most strongly support lateral movement rather than normal admin activity? Select three.
91. A Java web service accepts a Base64-encoded `profile` object from the browser. During testing, changing a serialized field from `role=user` to `role=admin` causes a deserialization error unless the original signed blob is reused. When a captured valid blob is modified only slightly, the application reconstructs a different class and then exposes an internal admin page. Which attack pattern is most likely?
92. A help desk technician reviews a ticket where a user says they logged out of the payroll portal, but another employee who found the session cookie in a browser debug log could still access the account until the session expired. Which attack best matches this behavior?
93. A web login form uses unsanitized input in the backend query. When an attacker enters `' OR '1'='1'--` into the username field, the application grants access without a valid password. Which attack pattern is being used?
94. A public-facing file transfer server is running an appliance firmware version that is now end-of-life. The vendor has stated that no further security patches will be released. Management wants the best long-term fix before the next audit. What should be done?
95. A forum lets users save a profile signature. One user enters a string containing script code, and later other users who view that profile see the script run in their browsers. What attack is this?
96. During troubleshooting, several hosts in VLAN 20 lose access to the default gateway at random. Their ARP caches now map the gateway IP to a workstation MAC address, and traffic briefly flows through that workstation before timing out. What attack is most likely?
97. Based on the exhibit, what type of malware behavior is most likely occurring?
98. A vulnerability scan reports that a public web server is running an operating system version that no longer receives security updates. Which issue is present?
99. After a switch reboot in a conference room, several laptops obtain valid IP addresses in the correct subnet, but their default gateway changes to 10.20.40.50, which is not the legitimate router. Packet capture shows DHCP offers coming from a MAC address that does not belong to the approved DHCP server, and the rogue device responds faster than the real server. What attack is most likely occurring?
100. Based on the exhibit, what type of web attack is most likely taking place?
101. A web portal builds its database query by directly appending a user's search input. When the user types a single quote, the application returns a database error. Which attack is most likely?
102. At a conference, employees connect to a Wi-Fi network named "CorpGuest" and then see certificate warnings in their browsers. The network has a stronger signal than the hotel's legitimate guest Wi-Fi. What attack is this?
103. Based on the exhibit, what security issue is most likely present?
104. A user enters `<script>alert('test')</script>` into a public comment field, and other visitors see the script run in their browsers. What attack is this?
105. Based on the exhibit, what network attack is most likely occurring on the office LAN?
106. A SaaS portal issues signed JWTs in a browser cookie. The help desk confirms a user logged out at 09:10, but SIEM logs show the same token was accepted from a different IP at 09:12 and continued working until the token expired. The application does not keep a server-side revocation list. What weakness is most likely being abused?
107. An employee receives a text message from "IT Help" saying their account will be disabled unless they tap a link and enter a one-time code. Five minutes later, someone calls claiming to be from IT and asks the employee to read back the same code. Which two social engineering delivery methods are used? Select two.
108. A customer service application shows the same session ID being used from two countries within five minutes. The legitimate user did not report a password change, but an order shipping address was modified successfully without reauthentication. What attack pattern is most likely?
109. After installing a free utility from an unofficial website, a user's laptop starts quietly sending browsing data to an unknown server. What type of malware is most likely present?
110. A vulnerability scan finds an administrative SSH service listening on 0.0.0.0 on a server that should be managed only from the internal network. What is the main security issue?
111. Based on the exhibit, which malware type is most likely involved?
112. A scan of a web server hosting an internal help-desk portal reports these findings: `/var/www/uploads` is world-writable by the application account, PHP files in that directory are executed by Apache, and the app allows users to upload images without content-type validation. Which issue should be remediated first to most reduce the chance of remote code execution?
113. Several employees receive a text message that says their payroll deposit failed and they must tap a link to verify account details. The link opens a fake login page. What type of attack is this?
114. A SOC analyst sees repeated encoded PowerShell launched by mshta.exe. No new executable is written to disk, but the host makes periodic outbound connections to the same IP. Which malware characteristic is most likely?
115. After a user installs a free PDF converter from an unofficial site, the browser homepage changes, the endpoint protection agent stops launching, and the system begins making periodic outbound connections to the same unfamiliar IP address. No exploit was used during installation, and the installer appeared legitimate. What type of malware best matches this behavior?
116. Based on the exhibit, which social engineering attack is most likely?
117. EDR on a workstation shows winword.exe spawning powershell.exe with hidden, no-profile, and encoded arguments. No new executable is written to disk. Minutes later, a scheduled task creation is blocked, but the same host continues making HTTPS requests to a cloud IP address. Which malware category best fits this behavior?
118. A file server suddenly renames documents with a new extension and displays a note demanding payment in cryptocurrency to restore access. What type of malware is most likely involved?
119. Users in a warehouse report an SMS claiming a missed delivery. The link opens a login page that closely matches the company portal, and several users later receive unauthorized password reset emails. What attack is most likely?
120. During a conference, several employees connect to a wireless network named the same as the hotel's guest Wi-Fi. Shortly after connecting, they receive certificate warnings when accessing the company portal, and packet capture shows a nearby laptop advertising the same SSID and relaying traffic. What type of attack is most likely?
121. A SOC analyst investigates a host after an employee opens an invoice attachment. The endpoint shows PowerShell running in a hidden window, no new executable files are created on disk, and the same suspicious activity returns after a reboot. What is the most likely attack type?
122. An employee receives a text message saying their payroll account is locked and asks them to tap a link and enter a one-time passcode. What type of attack is this?
123. A web login form returns access after a tester enters `' OR '1'='1'--` into the username field. What type of attack is this?
124. An accounts payable clerk receives an email that continues a real vendor conversation from last week. The sender domain is only one character different from the vendor's real address. The message says the invoice is overdue and asks the clerk to update the payment account before the end of the day. What is the best next action?
125. After a user installs a free PDF converter from an unofficial website, the laptop starts making periodic outbound connections to an unknown server, the browser homepage changes, and a new program launches at logon. What is the most likely malware type?
126. A finance laptop is opened to review an invoice attachment. EDR then shows winword.exe launching powershell.exe with hidden, no-profile, and base64-encoded arguments. No executable is written to disk, network beacons begin from memory, and after a reboot the activity disappears unless the document is opened again. What type of malware behavior is most likely?
127. Based on the exhibit, what vulnerability is the application most likely suffering from?
128. After an endpoint cleanup, an EDR agent shows inconsistent results: a suspicious process does not appear in normal task listings, a file in System32 is hidden from user-mode tools, and some security logs stop recording events at the same time. Which malware type best matches these symptoms?
129After installing a free PDF-to-Word utility from an unofficial website, a user's laptop starts sending data to an unknown server and the security agent is disabled. Which malware type best fits?
130A customer enters `<script>alert('test')</script>` into a public forum signature field. Later, other users who view that signature see the script execute in their browsers. What attack is this?
131A help desk technician receives an email that appears to come from the payroll provider. The message says the employee's direct deposit will be suspended unless they verify their account through a link. What type of attack is this?
132An accounts payable specialist receives a reply inside an existing vendor email thread. The message uses the real invoice number, matches the vendor's usual tone, and asks the specialist to change payment instructions to a new bank account before the end of the day. The vendor later confirms its mailbox was compromised. What type of attack is most likely?
133A VPN concentrator shows that an authentication request from a user was accepted twice, even though the user insists they approved only one login. Packet analysis reveals that the second successful attempt reused the same authentication blob and arrived shortly after the first. Which attack is the best fit?
134A remote user's laptop begins launching a legitimate-looking "System Update" application at login. After the update window appears, the browser homepage changes, outbound traffic increases, and the user later reports that saved passwords are being used in unauthorized logins. Which malware type is the most likely primary infection?
135A vulnerability scan of a Linux application server reports these findings: OpenSSL 3.0.7 is flagged with a critical CVE, but the distribution vendor note says the fix was backported. Port 8443 is bound to all interfaces, yet a firewall blocks it from the internet. The internal admin console on that port still uses the default admin/admin credentials and is reachable from the corporate VLAN. Which issue should be remediated first?
136A help desk technician reviews a voicemail in which the caller claims to be from the security team, says the user will be locked out unless they read back a one-time passcode, and leaves a callback number. What type of attack is this?
137A file server suddenly renames documents, creates ransom notes, and users can no longer open their files. Which malware type is most likely involved?
138After a suspected compromise, a server's local tools report sshd listening on port 22, but netstat and the EDR console fail to show the process that owns the socket. A reboot does not remove the issue, and firmware integrity checks pass. Which malware type is most likely installed?
139A web application lets users save a profile "display name." One employee enters a value that contains script code, and later other users who view that profile start seeing pop-ups and redirects to a fake login page. Which attack is most likely occurring?
140An employee receives a text message that says, "Your MFA enrollment expired. Tap here now to re-activate access or your account will be locked." What should the employee do first?
141Users can reach the correct website name, but their browsers are redirected to a fake server after the local DNS cache is altered. What attack is most likely?
142A help desk agent receives a phone call from someone claiming to be a regional sales manager who says they are locked out before a customer demo. The caller knows a few employee names and asks the agent to reset the account and temporarily bypass MFA. What attack is most likely?
143Based on the exhibit, what type of malware is the most likely issue on the workstation?
144A vulnerability scan of a branch-office print server finds that its administrative web console is reachable from the internet. The appliance is still using the vendor's default password, and no access control list limits management access to the office subnet or VPN. Which remediation would reduce risk the most with the least disruption?
145A small business web server still allows remote administration from the internet on port 3389, and the administrator password has never been changed from the vendor default. Which two issues should the security team prioritize first? Select two.
146A user opens an attached document, and the endpoint security tool shows PowerShell running from memory with no new executable file written to disk. What type of attack is most likely?
147An accounts payable clerk receives an email that appears to continue an existing thread with a shipping vendor. The sender name, signature block, and invoice number all match a real open order, and the message asks the clerk to use a "new payment portal" and confirm bank details before 3 PM to avoid delayed shipment. The email contains no attachments and only one URL. Which attack type is most likely?
148A vulnerability scan finds that an administrative SSH service on a Linux server is listening on 0.0.0.0 and is reachable from the internet. The server is meant to be managed only from the internal admin subnet. What is the best remediation?
149A SaaS dashboard invalidates passwords after a forced reset, but a stolen bearer token from a browser cookie still works from a VPN exit node for several hours. SIEM logs show the same token value used from two countries within five minutes, and no MFA prompt appears because the token is already accepted. What attack is most likely?
150A person wearing a contractor badge asks reception to let them into the office because they forgot their access card and say they are expected for a server maintenance visit. What social engineering technique is most likely?
151A help desk technician receives a phone call from someone claiming to be a contractor. The caller says their MFA app was lost, asks the technician to enroll a new device immediately, and pressures them to ignore policy. What type of attack is this?
152A facilities manager receives an SMS from "FedEx Delivery" saying a shipment for the research lab cannot clear security until the recipient verifies the package by signing in. The message includes the manager's initials and the warehouse code, and the link opens a cloned sign-in page. Which attack is most likely?
153A company portal lets employees save a short profile bio. One employee enters a string containing script code, and later other users who view that profile are redirected to a fake sign-in page. What vulnerability best explains this behavior?
154A finance analyst receives an email that appears to come from the CFO. It references a real project, asks for an urgent wire transfer to a "new vendor account," and says to avoid the normal approval workflow because the deal is time-sensitive. What is the best immediate response?
155A Java-based internal portal accepts a serialized object during profile import. After a recent test upload, the server made outbound LDAP calls and created a new local account. What attack pattern best explains this behavior?
156A login form sends user input directly into a database query. When a tester enters a single quote character, the application returns a database error. What attack is most likely?
157Based on the exhibit, what type of attack is most likely being used against the accounts payable team?
158A help desk technician receives a call from someone claiming to be a new contractor whose MFA app failed during travel. The caller knows the company org chart, names the technician's supervisor, and says the technician should use a callback number included in a text message they just sent. What is the safest first action?
159Users on a wired subnet report intermittent outages when reaching an internal application. A packet capture shows the default gateway IP address repeatedly mapped to a different workstation MAC address, and traffic is being forwarded through that workstation. What attack is most likely occurring?
160A Linux server is missing expected security-agent processes, but users can still connect to the application. Local command output does not show a suspicious daemon that another monitoring tool says is listening on port 4444. A raw disk scan reveals a kernel module loaded at boot, and several files appear only when viewed outside the normal operating system tools. What malware type is most likely?
161A user's workstation suddenly renames documents with a new extension, displays a ransom note, and blocks access to a shared drive. Which two indicators support ransomware? Select two.
162Users on a branch VLAN intermittently reach a fake login page even though DNS records have not changed. A packet capture shows the default gateway MAC address changing every 60 seconds, and the switch logs list repeated unsolicited ARP replies from one workstation. Which attack is most likely?
163A tester enters a crafted search term into an internal web application and sees no error message, but the page response always delays by exactly five seconds when the input includes a single quote followed by a conditional sleep function. The returned results look normal, so the tester repeats the request several times and the timing remains consistent. Which attack is most likely being attempted?
164After a workstation reboot, users see many files renamed with random extensions. A ransom note demands cryptocurrency, and Volume Shadow Copies were deleted from the machine. What malware type is most likely?
165Based on the exhibit, which security issue should the analyst report first?
166After a facilities outage, multiple employees report that their phones automatically joined a network named "CorpWiFi" in the lobby even though the legitimate access point was offline. A nearby attacker device then captured the captive portal login traffic. What attack is most likely?
167Based on the exhibit, which social engineering attack is most likely?
168An EDR alert shows PowerShell launching from a scheduled task, downloading encoded commands, and running them in memory. No suspicious executable is written to disk. What kind of attack is this?
169A laptop user reports that many files now have strange extensions, a ransom note appears on the desktop, and the files cannot be opened. Which malware is most likely responsible?
170A caller says they are from IT support and asks a user to read back the one-time MFA code that just arrived on their phone. What type of attack is this most likely?
171A vulnerability scanner reports a critical issue on a Linux server. The administrator checks the application and confirms the vulnerable package is installed, but the affected feature is not enabled anywhere in production. What should the security team do next?
172Based on the exhibit, what wireless threat is most likely occurring?
173Users on one VLAN report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows unsolicited ARP replies claiming to be the gateway. Which two actions are the best mitigations on managed switches? Select two.
174Based on the exhibit, which control should be enabled to mitigate this issue?
175A help desk technician receives a phone call from someone who claims to be the CFO. The caller knows the executive team structure, says they are traveling, and insists the technician reset MFA to 'avoid delaying a wire transfer.' Which social engineering technique is the caller primarily using?
176Based on the exhibit, what type of malware is most likely present?
177A SOC analyst reviews an alert on a workstation where PowerShell launched from a scheduled task, downloaded an encoded command from a remote server, and then spawned rundll32.exe. Traditional antivirus did not flag any files on disk, and the activity stops after rebooting the host. Which type of malware behavior best fits this event?
178A help desk technician receives a call from a user who says many of their documents now have strange file extensions and a ransom note appeared on the desktop. The files will not open. What type of malware is the user most likely experiencing?
179A cloud-hosted image-processing API accepts a URL parameter so it can download a picture and generate a thumbnail. Logs show a user submitting `http://169.254.169.254/latest/meta-data/` and receiving instance credentials in the response. Which attack is being used?
180Based on the exhibit, what type of threat is the security team most likely seeing on the workstation?
181A help desk technician receives a phone call from someone who claims to be the CFO. The caller says they are traveling, cannot access their MFA app, and needs the technician to reset the account immediately. They also ask the technician to read back the one-time code sent to the executive's phone so they can "verify identity." What type of attack is this most likely?
182A cloud-hosted application allows users to submit a URL for image processing. Logs show repeated requests such as `http://169.254.169.254/latest/meta-data/` and `http://localhost/admin`. The server is making outbound requests on behalf of the user input. What is the best defensive control to implement?
183A web service begins experiencing severe latency. Netflow shows thousands of short DNS queries leaving the attacker network, while a much larger volume of DNS responses is arriving at the victim’s public IP address from many open resolvers. Which attack is most likely occurring?
184Employees in a lobby report that their phones automatically connected to a wireless network named "CorpWiFi." Soon after, they were prompted to sign in through a web page that did not look like the normal company portal. What attack is most likely?
185An employee gets a text message saying their mobile carrier will suspend service unless they tap a link and verify their account details. What type of attack is this?
186A public website is overwhelmed by a flood of DNS responses arriving from many open resolvers after the attacker sends small forged queries to those resolvers. The target bandwidth is saturated and the source IPs vary widely. What kind of attack is being used?
187A help desk technician receives an SMS claiming to be from the mobile carrier. The message says the user's corporate number will be suspended unless they open a link and confirm an MFA code. The user has not reported any account issues. What attack is this?
188A support portal has a search field that accepts customer last names. After a tester enters a single quote, the application returns a database syntax error. Which attack is the tester most likely trying to verify?
189Based on the exhibit, which attack is the developer most likely observing?
190A SOC analyst reviews an EDR alert on a finance workstation. The alert shows powershell.exe launched with an encoded command, downloaded a payload into memory, and then spawned rundll32.exe. No new executable was written to disk, but the process later created a scheduled task for persistence. Which two findings most strongly support a fileless attack? Select two.
191A customer portal has a form that submits a money-transfer request with the user’s existing session cookie. Security testing shows that if a user visits a malicious site while logged in, the portal will submit the transfer request without any additional verification. Which control would best reduce this risk?
192An employee receives an email that appears to come from the HR team. It says their payroll account will be suspended unless they click a link and sign in within 30 minutes. What type of attack is this most likely?
193An EDR console shows PowerShell launching from a scheduled task, decoding a command from memory, and spawning rundll32.exe. No suspicious executable is written to disk, and the activity stops when the process ends. Which threat best fits this behavior?
194A support portal searches customer records by last name. When a tester enters a single quote into the search field, the application returns a database syntax error. Which attack is most likely possible?
195After a routine dependency update, a development team notices that the customer portal begins making outbound connections to an unfamiliar domain during startup. The domain is not part of the application design, and the behavior started immediately after the third-party library was updated. Which threat is most likely?
196Several employees in a branch office report that their laptops automatically connected to a network named "CorpWiFi" even though they were away from the office. Shortly afterward, a few users saw a captive portal asking them to re-enter company credentials. Which threat best explains this situation?
197Based on the exhibit, which supply-chain threat is most likely?
198A development team updates a third-party software library used by its web application. After the release, new deployments begin making unexpected outbound connections to an unfamiliar domain. What type of threat is most likely?
199A public-facing web service suddenly becomes very slow. NetFlow shows a high volume of small DNS queries leaving attacker-controlled systems and much larger DNS responses arriving at the victim's IP address from many different resolvers. Which attack is taking place?
200A security team can patch only one system today. Which asset should be remediated first?
201A scanner reports a critical vulnerability on an internal Linux server. The administrator confirms the vulnerable package is installed, but the affected feature is only enabled when an optional module is loaded, and that module is currently disabled. The server also requires downtime for patching. What is the best next step?
202A scanner reports a critical vulnerability on an internal Linux server. The administrator verifies the package is installed, but the vulnerable code path is only present in a plugin that has been disabled and removed from the service startup. The server cannot be patched until a vendor maintenance window next month. What is the best next step?
203Based on the exhibit, what is the most likely issue with the software component being built?
204Based on the exhibit, which vulnerability is being exploited?
205Employees in a lobby say their phones automatically connected to a wireless network named CorpWiFi, even though the legitimate access point was offline. They were then shown a fake sign-in page. What threat is this?
206A file-conversion API accepts a URL to generate a preview image. An attacker submits a URL for the cloud metadata service at 169.254.169.254 and receives instance credentials in the preview output. What attack is this?
207An administrator notices that a finance file share remained normal for weeks after a former contractor left the company. This morning, multiple PDFs and spreadsheets were deleted, and a scheduled task created months ago is now executing a script that wipes files in the shared folder. Which malware type is most consistent with this behavior?
208A help desk technician receives a phone call from someone claiming to be the VP of Finance. The caller says they are in an airport, forgot their phone, and need a password reset immediately. They also ask the technician to skip callback verification because a meeting starts in five minutes. Which two details are the strongest indicators of a pretexting or vishing attempt? Select two.
209Based on the exhibit, which finding should be remediated first?
210Several users on the same subnet report intermittent inability to reach the default gateway. A packet capture shows ARP replies mapping the gateway IP to a different MAC address, and the same host keeps sending those replies every few seconds. What attack is most likely?
211Based on the exhibit, what is the most likely explanation for the suspicious workstation activity?
212A support portal searches customers by last name using a parameter called q. After one user enters a single quote, the app returns a SQL syntax error. A tester then submits `test' OR '1'='1` and sees every customer record. Which control most directly prevents this issue?
213Based on the exhibit, which attack is most likely occurring on the local network?
214Based on the exhibit, which attack is most likely being attempted against the application?
215A finance application works normally for weeks after a contractor leaves the company. On the first business day of the quarter, a hidden task runs, deletes archived reports, and then removes itself from the scheduled task list. What type of malware behavior is this?
216Several users on the same subnet report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows ARP replies that map the gateway IP to a different MAC address. What attack is most likely occurring?
217A vulnerability scan reports a critical finding on a legacy application server. The security team verifies that the flagged package is installed, but the vulnerable code path is disabled by configuration and cannot be exploited in the current deployment. The vendor will not support a patch until next quarter. What is the best next step?
218Several users on the same subnet report intermittent loss of access to the default gateway. A packet capture shows repeated unsolicited ARP replies mapping the gateway IP address to a different MAC address. Traffic is occasionally sent through an unknown workstation. What attack is most likely occurring?
219Based on the exhibit, which finding should the security team remediate first?
220Based on the exhibit, which malware type best explains the behavior?
221A SOC analyst reviews an EDR alert on a Windows workstation. PowerShell was launched by a scheduled task, downloaded an encoded command from an external server, and then spawned rundll32.exe. No suspicious executable was written to disk. Which type of threat best fits this activity?
222A help desk analyst receives a ticket stating that an employee got an urgent text message from someone claiming to be the CEO. The message asked the employee to buy gift cards and send the redemption codes immediately. What attack is most likely taking place?
223During testing of a shopping portal, a POST request to /api/address/update succeeds even when the anti-CSRF token is removed. In a separate test, changing customerId=1842 to customerId=1843 in a GET request returns another user's invoice data. Which two vulnerabilities are present? Select two.
224During a workstation review, analysts find a process injecting into explorer.exe and reading keyboard and clipboard events. They also see repeated outbound HTTPS beacons to a domain registered two days ago. The host is not renaming files or displaying a ransom note. Which two findings are most consistent with spyware? Select two.
225A vulnerability scan reports three findings: a critical remote code execution issue on an internet-facing VPN appliance with a public exploit, a high-severity local privilege escalation on an isolated lab PC, and a medium-severity outdated browser plug-in on a workstation used for training. Which finding should be remediated first?
226A branch office reports intermittent failures reaching internal sites. DHCP logs show clients receiving leases from an unknown MAC address, and DNS responses for intranet.example resolve to an address owned by the same device. Which two attacks best match the evidence? Select two.
227A vulnerability scan produces these results: - Finding 1: High severity, internet-facing VPN appliance, known exploit available, no compensating controls - Finding 2: Critical severity, internal development workstation, requires authenticated local access - Finding 3: Medium severity, test server, no public exploit and not reachable from outside Which finding should be remediated first?
228Users on the internal Wi-Fi report that the finance portal suddenly resolves to a different IP address, and the browser shows a fake login page that closely matches the real site. The DNS resolver cache on the network also contains unexpected entries for that host name. What attack is most likely?
229A support agent notices that changing `invoiceId=8842` to `invoiceId=8843` in a portal URL returns another customer's invoice PDF without any additional login prompt. The user is already authenticated to the application. Which vulnerability is most likely present?
230A SOC analyst reviews a suspicious email about an overdue invoice. The display name matches a known supplier, but the envelope sender is from a free webmail domain, and the Reply-To address uses a look-alike domain with one swapped letter. The message also includes a company logo and a PDF attachment. Which two findings are the strongest indicators of a phishing attempt? Select two.
231A firewall analyst reviews logs and sees one external IP address sending connection attempts to TCP ports 22, 80, 139, 445, and 3389 on dozens of internal hosts every few seconds. No payloads are delivered and no sessions are established. What is the most likely activity?
232An endpoint investigation shows winword.exe launching powershell.exe with -nop -w hidden -enc arguments. The same host also has a newly created WMI permanent event subscription, and no new executable has appeared in Downloads or Program Files. Which two findings are most consistent with a fileless compromise and persistence mechanism? Select two.
233Users on the same VLAN report that their browser occasionally reaches a fake internal portal, and packet captures show one host sending forged ARP replies that claim to be the default gateway. Traffic from nearby systems begins flowing through that host. Which attack is occurring?
234An EDR console shows `mshta.exe` launching `powershell.exe` from a user profile directory, followed by a script that never writes a new executable to disk. Minutes later, the host begins making regular outbound HTTPS connections to an unfamiliar IP address. What type of malware behavior is most likely being observed?
235A file server suddenly shows renamed files with a new extension, users see a ransom note demanding cryptocurrency, and shadow copies are deleted from the host. Which malware family is the best match?
236A packet capture from a branch office shows the default gateway IP mapped to a MAC address that does not belong to the router. The same suspicious MAC also answers for the DNS server IP, and gratuitous ARP replies appear every 30 seconds. Which two attacks best match this evidence? Select two.
237A help desk analyst receives a phone call from someone claiming to be the CFO, who says their phone was lost while traveling and requests an immediate MFA reset and temporary bypass for payroll access. The caller knows the CFO's last name and the company name, but cannot answer the callback verification question. What attack technique is most likely being used?
238A workstation starts failing security checks. The antivirus service no longer appears in the running process list, a known driver's hash does not match the vendor's value, and a task manager view shows fewer processes than expected. The user also reports that local admin tools behave inconsistently. What type of malware is most likely present?
239A finance clerk reports a call from a person who claimed to be from the bank's fraud department. The caller knew the employee's name, referenced a recent invoice, and asked the employee to read back a one-time MFA code to stop a supposed payment block. Which attack is most likely?
240An EDR alert shows powershell.exe launching with an encoded command, no new executable written to disk, and a registry run key added for persistence. Outbound HTTPS traffic then begins to a rare external domain. Which type of malware behavior is most likely?
241. Several employees report receiving SMS messages that appear to come from the corporate service desk. The text says, 'Your password expires today. Review the notice here,' followed by a shortened link that opens a fake sign-in page on a phone browser. Which type of attack is this?
242. An API log shows repeated requests such as `GET /api/orders?orderId=105%20OR%201=1--` followed by responses containing many customers' order records instead of one record. Which attack is most likely?
243. A resolver log shows multiple clients querying the correct internal host name, but the DNS server starts returning an unexpected public IP address after a burst of unsolicited DNS responses from outside the network. Users are sent to a lookalike login page. What type of attack is most likely occurring?
244. A user forwards an email that says their payroll account will be disabled today unless they click a link and verify their password. The message uses the company logo, but the sender address is from a free webmail domain and the link goes to a look-alike login page. What type of attack is this?
245. A user forwards an email that says a shared document is available and must be reviewed within 10 minutes. The display name looks like a trusted vendor, but the Reply-To address points to a free webmail account. Which two details are the strongest indicators that this is a phishing attempt? Select two.
246. A user receives an SMS from 'IT Service Desk' saying their MFA enrollment expires today and includes a shortened link. Five minutes later, the user gets a phone call from the same number asking them to read back the code shown in the authenticator app so the ticket can be closed. Which two attack channels are used in this campaign? Select two.
247. A public web server becomes unreachable during an outage. NetFlow shows a large number of DNS responses arriving from many open resolvers, while the server itself only sent tiny spoofed DNS queries with the victim's address as the source. What type of attack is this?
248. A SOC analyst sees many login attempts against one SaaS account from hundreds of IPs over 20 minutes. Most passwords are valid-looking, but only a few result in successful logons, and the successful attempts use a password pattern that was exposed in a public breach list. What is the best mitigation to reduce this attack?
249. A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.
250. A finance team receives emails that appear to come from the CEO's assistant and ask them to review a document. Several users entered their passwords on a fake login page, and the attackers then signed in from a new country using the same credentials. Which control most directly reduces successful account takeover if a password is stolen?
251. A developer reports that a search field returns all customer records when they enter a single quote followed by OR 1=1. Security confirms the web app concatenates user input directly into SQL statements. Which remediation is best?
252. A vulnerability scan reports that a Windows file share has SMB signing disabled and anonymous read access is permitted to one directory containing payroll exports. No exploitation has been observed yet. Which action best reduces exposure with minimal business impact?
253. A file server suddenly shows many encrypted files with a new extension, and endpoint tools report that Volume Shadow Copy Service was disabled minutes earlier. A note on the desktop demands payment in cryptocurrency. What should the security team do first?
254. An internal file server has an administrative web console exposed on the same network as all user laptops. A scan shows that any authenticated employee can reach the console, and several failed login attempts are coming from a workstation that should never manage servers. What is the best hardening action?
255. An EDR alert shows a Windows workstation used certutil.exe to download an encoded script, then created a scheduled task named UpdateCheck that runs every 15 minutes. The machine is also making short HTTPS connections to the same external IP. What is the best description of what the attacker is doing?
256. An employee reports a suspicious email that appears to be from the help desk. Which two details are the strongest signs of phishing? Select two.
257. A cloud-hosted API lets users supply a URL for the service to fetch an image. Shortly after release, logs show requests to 169.254.169.254 and internal admin addresses. What control best reduces this risk?
Watch out for
Common Threats, Vulnerabilities, and Mitigations exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Threats, Vulnerabilities, and Mitigations domain cover on the SY0-701 exam?
- Threats, Vulnerabilities, and Mitigations questions test whether you can apply the concept in context, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 257 Threats, Vulnerabilities, and Mitigations questions in the SY0-701 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Threats, Vulnerabilities, and Mitigations questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.