CySA+ (CS0-003) [Picture Deck]

Question 1

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

[IMAGE #1]

Which of the following tuning recommendations should the security analyst share?

A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header

Answer 1

Correct Answer: C

This recommendation helps control which domains can access resources on the web server, enhancing security by preventing unauthorized cross-origin requests.

Question 2

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

[IMAGE #2]

Which of the following scripting languages was used in the script?

A. PowerShell
B. Ruby
C. Python
D. Shell script

Answer 2

Correct Answer: A

The scripting language used in the script shown in the image is PowerShell. This can be identified by the use of cmdlets like
- Get-Content
- Get-ADUser
- Add-ADGroupMember

which are specific to PowerShell, as well as the syntax such as the foreach loop and the use of curly braces {}.

Question 3

The analyst reviews the following endpoint log entry:

[IMAGE #4]

Which of the following has occurred?

A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation

Answer 3

Correct Answer: C

Based on the log entry, it appears that a new user account was created. The log shows a command executed to add a new user with the username “invoke_u1” by the “Administrator” account.

Question 4

The security team reviews a web server for XSS and runs the following Nmap scan:

[IMAGE #3]

Which of the following most accurately describes the result of the scan?

A. An output of characters > and “ as the parameters used m the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id-2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and “ as unsafe
D. The vulnerable parameter and characters > and “ with a reflected XSS attempt

Answer 4

Correct Answer: D

The scan indicates that the web server reflects the characters ‘>’ and ‘”’ in the parameter ‘id’ at the URL

http://172.31.15.2/1.php?id=2

suggesting a potential XSS vulnerability.

Question 5

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

[IMAGE #5]

Which of the following choices should the analyst look at first?

A. wh4dc-748gy.lan (192.168.86.152)
B. officerckuplayer.lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)

Answer 5

Correct Answer: E

Based on the Nmap scan results, the analyst should look at E. p4wnp1_aloa.lan (192.168.86.56) first. The hostname “p4wnp1” is associated with a Raspberry Pi-based penetration testing tool, which could potentially be used for unauthorized activities on a corporate network. This makes it a high-priority target for further investigation.

Question 6

An analyst is reviewing a vulnerability report for a server environment with the following entries:

[IMAGE #6]

Which of the following systems should be prioritized for patching first?

A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228

Answer 6

Correct Answer: D

Given this information, D (54.74.110.228) should be prioritized for patching first due to its high CVSS score and its status as a Crown Jewel, making it critically important to protect. Thanks for the correction!

A. Does not have an Exploit available.
B. Does not have an Exploit available.
C. While it does also have a high CVSS score, it is not listed as a Crown Jewel.

In this context, a Crown Jewel refers to a system or asset that is critically important to the organization’s operations. These systems are often essential for business continuity, contain highly sensitive data, or support key business functions. Because of their importance, vulnerabilities in Crown Jewel systems are prioritized for patching to ensure they remain secure and operational.

Question 7

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

[IMAGE #7]

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

A. InLoud:
Cobain: Yes -
Grohl: No -
Novo: Yes -
Smear: Yes -
Channing: No

B. TSpirit:
Cobain: Yes -
Grohl: Yes -
Novo: Yes -
Smear: No -
Channing: No

C. ENameless:
Cobain: Yes -
Grohl: No -
Novo: Yes -
Smear: No -
Channing: No

D. PBleach:
Cobain: Yes -
Grohl: No -
Novo: No -
Smear: No -
Channing: Yes

Answer 7

Correct Answer: B

TSpirit should be patched first as it has ‘Yes’ for all three key metrics (Cobain, Grohl, Novo), indicating it is exploitable by malware, externally facing, and has an exploit proof of concept available.

Question 8

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

[IMAGE #8]

Which of the following should be completed first to remediate the findings?

A. Ask the web development team to update the page contents
B. Add the IP address allow listing for control panel access
C. Purchase an appropriate certificate from a trusted root CA
D. Perform proper sanitization on all fields

Answer 8

Correct Answer: D

Based on the table provided, the most critical issue to address first is the acceptance of all user input on forms, which has a high impact and low complexity. Therefore, the best course of action would be:

D. Perform proper sanitization on all fields

This step is crucial to prevent various types of attacks, such as SQL injection, and ensures the security of the web server.

Question 9

A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

[IMAGE #12]

Which of the following log entries provides evidence of the attempted exploit?

A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4

Answer 9

Correct Answer: A

The log entry that provides evidence of an attempted exploit for a zero-day command injection vulnerability is:

A. Log entry 1

This entry contains an injected command (java.lang.Runtime@getRuntime().exec(“nslookup example.com”)) within a URL, which is indicative of an attempt at command injection. This type of attack involves executing arbitrary commands on the host system.

Question 10

[IMAGE #9]

A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:

Which of the following vulnerabilities should be prioritized for remediation?

A. 1
B. 2
C. 3
D. 4

Answer 10

Correct Answer: D

Based on the CVSSv3.1 impact metrics provided in the image, the vulnerabilities should be prioritized based on their potential impact on confidentiality (C), integrity (I), and availability (A) of the system’s data.

Given the company’s primary concern is the accuracy of the data (integrity), the vulnerability with the highest impact on integrity should be prioritized.

• Vulnerability 4 has an impact metric of C:L/I:H/A:L, indicating a high impact on integrity.
  Therefore, the correct answer is D. 4.

Question 11

Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:

[IMAGE #10]

[IMAGE #11]

Which of the following should the security analyst prioritize for remediation?

A. rogers
B. brady
C. brees
D. manning

Answer 11

Correct Answer: B

Based on the information provided:

• brady has the “inter.drop” vulnerability (Remote Code Execution) on an external network segment.
• rogers has both “slow.roll” (Denial of Service) and “inter.drop” vulnerabilities on an isolated VLAN.
• manning has the “inter.drop” vulnerability on an internal network segment.
• brees has the “inter.drop” vulnerability on an internal network segment.

Given that Remote Code Execution (RCE) is a critical vulnerability and brady is on an external network segment, it should be prioritized for remediation due to the higher risk of external attacks.

Answer: B. brady

Question 12

An incident response team member is triaging a Linux server. The output is shown below:

[IMAGE #14]

Which of the following is the adversary most likely trying to do?

A. Create a backdoor root account named zsh.
B. Execute commands through an unsecured service account.
C. Send a beacon to a command-and-control server.
D. Perform a denial-of-service attack on the web server.

Answer 12

Correct Answer: A

Based on the provided image, the adversary is most likely trying to create a backdoor root account named zsh (Option A).

The unusual shell access given to the ‘nobody’ account, which typically does not have login shell access, suggests an attempt to establish persistent access with elevated privileges. This is a common tactic used to maintain unauthorized access to a system.

B. Execute commands through an unsecured service account.
- The logs and the /etc/passwd file do not indicate any activity related to executing commands through an unsecured service account. The unusual shell access given to the ‘nobody’ account is more indicative of an attempt to create a backdoor rather than exploiting an unsecured service account.

C. Send a beacon to a command-and-control server.
- There is no evidence in the logs or the /etc/passwd file that suggests communication with a command-and-control server. Typically, such activity would involve network traffic logs or specific indicators of compromise (IOCs) related to outbound connections, which are not present in the provided output.

D. Perform a denial-of-service attack on the web server.
- The logs show Java exception errors related to file upload and parsing requests, but there is no indication of a denial-of-service attack. A denial-of-service attack would likely result in logs showing repeated, high-volume requests or server resource exhaustion, which is not evident here.

The unusual shell access given to the ‘nobody’ account is the key indicator pointing towards the creation of a backdoor root account, making option A the most likely scenario.

Question 13

Question #84
A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

[IMAGE #13]

Which of the following best describes the suspicious activity that is occurring?

A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data.
C. A new program has been set to execute on system start.
D. The host firewall on 192.168.1.10 was disabled.

Answer 13

Correct Answer: C

Based on the alert details from the image, the best description of the suspicious activity is:

C. A new program has been set to execute on system start.

This is indicated by the addition of a key in the registry path

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

which is typically used to set programs to run at startup.

Question 14

A technician is analyzing output from a popular network mapping tool for a PCI audit:

[IMAGE #15]

Which of the following best describes the output?

A. The host is not up or responding.
B. The host is running excessive cipher suites.
C. The host is allowing insecure cipher suites.
D. The Secure Shell port on this host is closed.

Answer 14

Correct Answer: C

The output from the network mapping tool indicates that the host is allowing certain cipher suites, including some that are considered insecure. This is evident from the presence of accepted cipher suites like

TLS_RSA_WITH_AES_128_CBC_SHA, which are flagged as insecure.

Question 15

Question #112
A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

[IMAGE #16]

Which of the following vulnerability types is the security analyst validating?

A. Directory traversal
B. XSS
C. XXE
D. SSRF

Answer 15

Correct Answer: C

The code snippet in the image shows an XML DOCTYPE declaration with an ENTITY element attempting to access a system file (“/etc/shadow”). This indicates the security analyst is validating an XXE (XML External Entity) vulnerability.

Question 16

Question #134
The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

[IMAGE #18]

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

A. Vulnerability A
B. Vulnerability B
C. Vulnerability C
D. Vulnerability D

Answer 16

Correct Answer: A

Given that end users frequently click on malicious links sent via email, the analyst should be most concerned about Vulnerability A. This vulnerability has a network attack vector, low attack complexity, no authentication required, and user interaction is required. This makes it highly relevant to scenarios where users might click on malicious links, as it can be exploited over the network with minimal effort.

Question 17

An organization’s email account was compromised by a bad actor. Given the following information:

[IMAGE #17]

Which of the following is the length of time the team took to detect the threat?

A. 25 minutes
B. 40 minutes
C. 45 minutes
D. 2 hours

Answer 17

Correct Answer: B

The detection time is typically considered from the moment the incident is first identified to when the appropriate team is aware and can take action.

While the help desk was notified at 8:45 a.m., the formal detection is often marked by when the incident is escalated to the team responsible for handling such threats—in this case, the IRT at 9:10 a.m. This is because the IRT is the team that can officially confirm and respond to the threat.

So, the 40 minutes is calculated from the start of the incident (8:30 a.m.) to when the IRT was informed (9:10 a.m.).

Question 18

Question #136
A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

[IMAGE #19]

Which of the following vulnerabilities should be prioritized for remediation?

A. nessie.explosion
B. vote.4p
C. sweet.bike
D. great.skills

Answer 18

Correct Answer: D

Lower complexity (AC:L) and does not require special privileges (PR:N) or user interaction (UI:N), making it more likely to be exploited.

Question 19

Question #148
A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive deployment of compensating controls deployment first. The systems have been grouped into the categories shown below:

[IMAGE #21]

Which of the following groups should be prioritized for compensating controls?

A. Group A
B. Group B
C. Group C
D. Group D

Answer 19

Correct Answer: C

Based on the information provided in the image:

Group A: No vulnerability present, no mitigating controls, high asset value.
Group B: Vulnerability present, mitigating controls in place, medium asset value.
Group C: Vulnerability present, no mitigating controls, medium asset value.
Group D: Vulnerability present, mitigating controls in place, high asset value.

The group that should be prioritized for compensating controls is Group C.

This group has an active vulnerability without any mitigating measures in place, making it the most urgent to address.

Question 20

Question #138
A security analyst at a company is reviewing an alert from the file integrity monitoring indicating a mismatch in the login. html file hash. After comparing the code with the previous version of the page source code, the analyst found the following code snippet added:

[IMAGE #20]

Which of the following best describes the activity the analyst has observed?

A. Obfuscated links
B. Exfiltration
C. Unauthorized changes
D. Beaconing

Answer 20

Correct Answer: C

The code snippet in the image shows a jQuery ajax function making a POST request to a suspicious URL, “evil.com,” and sending email and password data. This indicates that the login.html file has been altered to capture and send user credentials to an unauthorized entity.

The best description of this activity is C. Unauthorized changes. This is because the code was added without authorization, potentially compromising user data.

Question 21

Question #156
A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

[IMAGE #23]

Which of the following hosts should be patched first, based on the metrics?

A. host01
B. host02
C. host03
D. host04

Answer 21

Correct Answer: C

Based on the metrics provided in the scan results, host03 should be patched first. This host has a Remote Code Execution (RCE) vulnerability and is marked as a High-Value Target (HVA). RCE vulnerabilities are critical because they allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise. The HVA designation indicates that this host contains sensitive information or critical functionality, making it a priority for patching.

Question 22

A vulnerability scanner generates the following output:

[IMAGE #22]

The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?

A. Oracle JDK
B. Cisco Webex
C. Redis Server
D. SSL Self-signed Certificate

Answer 22

Correct Answer: A

Based on the image provided, the analyst should prioritize A. Oracle JDK for remediation. This vulnerability has a CVSS score of 10, indicating it is the highest risk among the listed vulnerabilities. Addressing the most critical vulnerabilities first aligns with the company’s SLA for patching high-risk vulnerabilities.

Question 23

Question #158
A company has the following security requirements:

• No public IPs
• All data secured at rest
• No insecure ports/protocols

After a cloud scan is completed a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

[IMAGE #24]

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

A. VM_PRD_DB
B. VM_DEV_DB
C. VM_DEV_Web02
D. VM_PRD_Web01

Answer 23

Correct Answer: A

Based on the cloud scanner output and the company’s security requirements, the analyst should recommend updating VM_PRD_DB first. This VM lacks encryption, which violates the requirement for all data to be secured at rest. Ensuring encryption is a fundamental aspect of data security and should be prioritized.

Question 24

A web developer reports the following error that appeared on a development server when testing a new application:

[IMAGE #25]

Which of the following tools can be used to identify the application’s point of failure?

A. OpenVAS
B. Angry IP scanner
C. Immunity debugger
D. Burp Suite

Answer 24

Correct Answer: C

The error message in the image indicates that the process w3wp.exe (a web server process) has stopped working. To identify the application’s point of failure, the most appropriate tool would be C. Immunity Debugger. This tool is designed for debugging and can help pinpoint the exact cause of the crash in the application.

Question 25

A security analyst scans a host and generates the following output:

[IMAGE #28]

Which of the following best describes the output?

A. The host is unresponsive to the ICMP request.
B. The host is running a vulnerable mail server.
C. The host is allowing unsecured FTP connections.
D. The host is vulnerable to web-based exploits.

Answer 25

Correct Answer: D

The output from the scan shows that the host has an open HTTP service running Apache httpd 2.4.29 on Ubuntu. This version of Apache could potentially have known vulnerabilities that can be exploited through web-based attacks.

Question 26

An analyst is reviewing system logs while threat hunting:

[IMAGE #26]

Which of the following hosts should be investigated first?

A. PC1
B. PC2
C. PC3
D. PC4
E. PC5

Answer 26

Correct Answer: C

Based on the system logs, PC3 should be investigated first.

It shows a parent process explorer.exe running a potentially suspicious child process:

“procdunp.exe”

This could indicate unusual or unauthorized activity.

Question 27

A penetration tester is conducting a test on an organization’s software development website. The penetration tester sends the following request to the web interface:

[IMAGE #27]

Which of the following exploits is most likely being attempted?

A. SQL injection
B. Local file inclusion
C. Cross-site scripting
D. Directory traversal

Answer 27

Correct Answer: A

Based on the request shown in the image, the penetration tester is most likely attempting an SQL injection (Option A).

The presence of the “UNION SELECT” statement in the URL parameter is a strong indicator of an SQL injection attempt.

This type of attack involves injecting SQL queries into input fields to manipulate the backend database.

Question 28

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

[IMAGE #29]

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

A. SQL01
B. WK10-Sales07
C. WK7-Plant01
D. DCEast01
E. HQAdmin9

Answer 28

Correct Answer: D

Based on the host list provided, the system most pivotal to the threat actor in distributing the encryption binary via Group Policy is DCEast01. This system is a Domain Controller running Windows Server 2016, which is crucial for managing Group Policy across the network.

Question 29

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

[IMAGE #30]

Which of the following vulnerabilities is the security analyst trying to validate?

A. SQL injection
B. LFI
C. XSS
D. CSRF

Answer 29

Correct Answer: B

Based on the image, the security analyst is trying to validate a Local File Inclusion (LFI) vulnerability.

The URL in the GET request includes a path to a server file (e.g., /var/log/apache2/access.log), which is a common indicator of an LFI attack.

Question 30

An analyst investigated a website and produced the following:

[IMAGE #31]

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

A. nmap -sS -T4 -F insecure.org
B. nmap -C insecure.org
C. nmap -sV -T4 -F insecure.org
D. nmap -A insecure.org

Answer 30

Correct Answer: C

The correct answer is C. nmap -sV -T4 -F insecure.org.

The -sV option in Nmap is used for service version detection, which matches the output shown in the image where specific versions of services (like Apache httpd 2.4.6) are identified. This indicates that the analyst used the -sV flag to discover the application versions on the website.

Question 31

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

[IMAGE #32]

Which of the following should be remediated first?

A. SQL injection
B. RFI
C. XSS
D. Code injection

Answer 31

Correct Answer: A

Based on the Arachni scan results and considering the web application stores Personally Identifiable Information (PII), SQL injection (Option A) should be remediated first. SQL injection vulnerabilities can lead to unauthorized access to the database, potentially exposing sensitive PII data. This type of attack poses a significant risk to data integrity and confidentiality.

Question 32

A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

[IMAGE #33]

Which of the following systems should be prioritized for patching?

A. brown
B. grey
C. blane
D. sullivan

Answer 32

Correct Answer: C

Based on the CVSS3.1 exploitability metrics provided in the image, the system that should be prioritized for patching is C. blane.

Attack Vector (AV): Network (AV:N) - can be exploited remotely.
Attack Complexity (AC): Low (AC:L) - easier to exploit.
Availability Impact (A): High (A:H) - significant impact if exploited.
This combination makes ‘blane’ the most susceptible to being exploited once exposed to the internet.

Question 33

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:

[IMAGE #34]

Which of the following recommendations should the security analyst provide to harden the web server?

A. Remove the version information on http-server-header.
B. Disable tcp_wrappers.
C. Delete the /wp-login.php folder.
D. Close port 22.

Answer 33

Correct Answer: A

A. Remove the version information on http-server-header.

This is because revealing version information can help attackers identify specific vulnerabilities associated with the software versions in use. The other options are less relevant based on the scan results:

• B. Disable tcp_wrappers: Not mentioned as a vulnerability.
• C. Delete the /wp-login.php folder: Would disable legitimate WordPress admin access.
• D. Close port 22: SSH access might be necessary for administration.

Question 34

A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is shown below:

[IMAGE #36]

Which of the following has most likely occurred?

A. An Office document with a malicious macro was opened.
B. A credential-stealing website was visited.
C. A phishing link in an email was clicked.
D. A web browser vulnerability was exploited.

Answer 34

Correct Answer: A

Based on the log excerpt, it appears that Microsoft Word initiated Microsoft Outlook, which is unusual behavior. This suggests that an Office document with a malicious macro was likely opened, leading to the suspicious activity.

Question 35

A threat hunter seeks to identify new persistence mechanisms installed in an organization’s environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

[IMAGE #38]

Which of the following actions should the hunter perform first based on the details above?

A. Acquire a copy of taskhw.exe from the impacted host.
B. Scan the enterprise to identify other systems with taskhdw.exe present.
C. Perform a public search for malware reports on the taskhw.exe.
D. Change the account that runs the taskhw.exe scheduled task.

Answer 35

Correct Answer: C

A. Acquire a copy of taskhw.exe from the impacted host.
- Threat Hunter Perspective: Acquiring the file can help in analyzing its behavior and understanding if it introduces any vulnerabilities or persistence mechanisms.
- Why it’s not the first action: Before spending resources on acquiring and analyzing the file, it’s more efficient to first check if it’s already known to be malicious.

B. Scan the enterprise to identify other systems with taskhw.exe present.
- Threat Hunter Perspective: Scanning the enterprise helps in assessing the spread and impact of the potential threat, which is crucial for understanding the scope of the vulnerability.
- Why it’s not the first action: This step should follow the confirmation of the file’s malicious nature to avoid unnecessary scans if the file is benign.

C. Perform a public search for malware reports on the taskhw.exe.
- Threat Hunter Perspective: This step quickly provides context and background on the file, helping the threat hunter determine if it is a known threat and if it introduces any vulnerabilities.
- Why it’s the first action: It is the most efficient way to gather initial information, guiding further actions based on whether the file is identified as malicious.

D. Change the account that runs the taskhw.exe scheduled task.
- Threat Hunter Perspective: Changing the account can mitigate the immediate risk if the task is malicious, but it doesn’t help in identifying new persistence mechanisms or understanding the vulnerability.
- Why it’s not the first action: This action should be taken after confirming the file’s malicious nature and understanding its behavior to avoid disrupting legitimate tasks.

In summary, the reasoning behind each option is tailored to the threat hunter’s goal of identifying and understanding new persistence mechanisms and vulnerabilities. The first step should be to gather information efficiently, which is why performing a public search for malware reports on taskhw.exe is the recommended initial action.

Question 36

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following:

[IMAGE #35]

Which of the following are most likely occurring, base on the MFA logs? (Choose two.)

A. Dictionary attack
B. Push phishing
C. Impossible geo-velocity
D. Subscriber identity module swapping
E. Rogue access point
F. Password spray

Answer 36

Correct Answer: B, C

Based on the MFA logs provided in the image, the most likely occurrences are:

C. Impossible geo-velocity: The logs show logins from geographically distant locations (United States and Russia) within a short time frame, which is not physically possible.

B. Push phishing: Multiple successful MFA log-ins suggest that someone might be tricking the user into approving authentication requests.

Push phishing is a better option because it aligns more closely with the observed pattern of multiple successful MFA log-ins from different locations, suggesting the user might be unknowingly approving fraudulent requests. SIM swapping would not account for the impossible geo-velocity observed in the logs.

Question 37

A company brings in a consultant to make improvements to its website. After the consultant leaves a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

[IMAGE #39]

Which of the following did the consultant do?
A. Implanted a backdoor
B. Implemented privilege escalation
C. Implemented clickjacking
D. Patched the web server

Answer 37

Correct Answer: A

The consultant implanted a backdoor in the website. The suspicious file contains PHP code that allows command execution via a GET request (exec($_GET[‘cmd’])). This backdoor could be exploited maliciously to control or access the website without proper authorization. The presence of this code suggests unauthorized access and potential security risks.

Question 38

HOTSPOT
A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download,
which was subsequently installed and run.

INSTRUCTIONS
- Part 1: Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.
- Part 2: Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used.

Firewall log: [IMAGE #41] [IMAGE #42]
File integrity Monitoring Report: [IMAGE #43] [IMAGE #44]
Malware domain list: [IMAGE #45] [IMAGE #46] [IMAGE #47] [IMAGE #48]
Hot Area: [IMAGE #49]

KILL CHAIN ITEM:
- Phishing Email: [Select Control]
- Active Links: [Select Control]
- Malicious Website: [Select Control]
- Malware Download: [Select Control]
- Malware Install: [Select Control]
- Malware Execution: [Select Control]
- File Encryption: [Select Control]

KILL CHAIN CONTROL ITEM:
- Firewall File Type Filter
- Honeypot
- MFA
- MAC Filtering
- Restricted Local User Permissions
- Email Filtering
- Disk Level Encryption
- Updated Antivirus
- Network Segmentation
- Plain Text Email Format
- VPN
- IP Blocklist
- Backups

IDENTIFY THE FOLLOWING:
Malicious Executable: [Select Option]
- invoice.exe
- resume1.docx
- resume2.docx
- payroll.xlsx

Malicious IP Address: [Select Option]
- 81.161.63.103
- 81.161.63.253
- 171.25.193.20
- 185.220.101.194
- 192.168.2.1
- 171.25.193.25
- 10.1.1.238

Date/Time Malware Entered Organization: [Select Option]
- 1 Dec 2019 11:24:16
- 1 Dec 2019 14:03:19
- 1 Dec 2019 14:03:55
- 30 Nov 2019 12:05:34
- 1 Dec 2019 14:25:30
- 1 Dec 2019 13:59::25
- 30 Nov 2019 12:25:13

Answer 38

Answer Area:

[IMAGE #50]

KILL CHAIN ITEM:
- Phishing Email: [EMAIL FILTERING]
- Active Links: [MFA]
- Malicious Website: [IP BLOCKLIST]
- Malware Download: [FIREWALL FILE TYPE FILTER]
- Malware Install: [RESTRICTED LOCAL USER PERMS]
- Malware Execution: [UPDATED ANTIVIRUS]
- File Encryption: [BACKUPS]

IDENTIFY THE FOLLOWING:
- Malicious Executable: [payroll.xlsx]
- Malicious IP Address: [81.161.63.103]
- Date/Time Malware Entered Organization: [1 Dec 2019 14:03:19]

Question 39

HOTSPOT
The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.

If the venerability is not valid, the analyst must take the proper steps to get the scan clean.

If the venerability is valid, the analyst must remediate the finding.
After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

INTRUCTIONS:

The simulation includes 2 steps.
- STEP 1: Review the information provided in the network diagram and then move to the STEP 2 tab. [IMAGE #51]
- STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.

Hot Area: [IMAGE #52]

SYSTEM
- WEB_SERVER01
- WEB_SERVER02
- WEB_SERVER03

VALIDATE RESULT
- False Positive
- False Negative
- True Positive
- True Negative

REMEDIATION ACTION
- Encrypt Entire Session
- Encrypt All Session Cookies
- Implement Input Validation
- Submit as Non-Issue
- Emply Unique Token in Hidden Field
- Avoid Using Redirects and Forwards
- Disable HTTP
- Request Certificate from a Public CA
- Renew the Current Certificate

WEB_SERVER01
- Validate Result: [Select Option]
- Remediation Action: [Select Option]

WEB_SERVER02
- Validate Result: [Select Option]
- Remediation Action: [Select Option]

WEB_SERVER03
- Validate Result: [Select Option]
- Remediation Action: [Select Option]

Answer 39

Answer Area:
[IMAGE #53]

WEB_SERVER01
- Validate Result: [True Positive]
- Remediation Action: [Encrypt entire session]

WEB_SERVER02
- Validate Result: [False Positive]
- Remediation Action: [Submit as non-issue]

WEB_SERVER03
- Validate Result: [True Positive]
- Remediation Action: [Request certificate from a public CA]

Question 40

An analyst is evaluating the following vulnerability report:

[IMAGE #54]

Which of the following vulnerability report sections provides information about the level of impact on data confidentiality if a successful exploitation occurs?
A. Payloads
B. Metrics
C. Vulnerability
D. Profile

Answer 40

Correct Answer: B

The section that provides information about the level of impact on data confidentiality if a successful exploitation occurs is B. Metrics. This section includes the CVSS (Common Vulnerability Scoring System) score, which details the confidentiality impact among other metrics.

Question 41

An analyst views the following log entries:

[IMAGE #55]

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts. Which are more important than ensuring vendor data access.

Based on the log files and the organization’s priorities, which of the following hosts warrants additional investigation?
A. 121.19.30.221
B. 134.17.188.5
C. 202.180.158.22
D. 216.122.5.5

Answer 41

Correct Answer: A

Based on the log entries and the organization’s priorities, host 121.19.30.221 warrants additional investigation. This IP address is attempting to access monthly report data but is not within the authorized 216.122.5.x range, indicating a potential unauthorized data disclosure, which is the highest priority for investigation.

Question 42

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.
Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives.

NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.
The Linux Web Server, File-Print Server and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please select the Reset All button.
When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Answer 42

Explanation:

Critical (10.0) 13852 Microsoft Windows Task Schedular Remote Overflow (841873)
* Credentialed

Critical (10.0) 11890 Ubuntu 5.04/5.10/6.06 LTS : Buffer Overrun in Messenger Service (CVE-2016-8035)
* Non-Credentialed

WARNING (1.0.1) Systems cryptography. Force strong key protection for user keys stored on the computer . Prompt the user each time a key is first used.
* Compliance.