Threats,Attacks, and Vulnerabilities

Question 1

You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?

A. Session Hijacking
B. Password Spraying
C. Zero Day Attack
D. Directory Traversal

Answer 1

C. Zero Day Attack

Question 2

Which of the following types of attacks are usually used as part of an on-path attack?

A. Spoofing
B. Tailgating
C. Brute Force
D. DDOS

Answer 2

Spoofing

Question 3

You have just received a phishing email disguised to look like it came from support@diontraining.com asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email?

A. Intimidation
B. Trust
C. Urgency
D. Consensus

Answer 3

B. Trust

Question 4

Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign?

A. Intimidation
B. Familiarity
C. Urgency
D. Consensus

Answer 4

B. Familiarity

Question 5

The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?

A. A physical Survey
B. Reviewing central admin tool like an endpoint manager
C. A directory scan using port scanner
D. Router and switch based MAC address reporting

Answer 5

D. Router and switch based MAC address reporting

Question 6

A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computers were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machines were part of a larger botnet. Which of the following BEST describes your company’s infected computers?

A. Monster
B. Bugs
C. Zombie
D. Zero Day

Answer 6

C.Zombie

Question 7

A penetration tester hired by a bank began searching for the bank’s IP ranges by performing lookups on the bank’s DNS servers, reading news articles online about the bank, monitoring what times the bank’s employees came into and left work, searching job postings (with a special focus on the bank’s information technology jobs), and even searching the corporate office of the bank’s dumpster. Based on this description, what portion of the penetration test is being conducted?

A. Vulnerability Assessment
B. Active Information Gathering
C. Passive Information Gathering
D. Information Reporting

Answer 7

C. Passive Information Gathering

Question 8

A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:

A. Password Spraying
B. Directory Traversal
C. SQL Injection
D. XML Injection

Answer 8

B. Directory Traversal

OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users’ passwords by attempting a compromised password against multiple user accounts.

Question 9

A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?

A. Network Vulnerability Scan
B. Web Application Vulnerability Scan
C. Port Scan
D. Database Vulnerability Scan

Answer 9

B. Web Application Vulnerability Scan

Question 10

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)

A. SYN Flood
B. Ping Flood
C. Smurf Attack
D. DDoS

Answer 10

A.Syn Flood

Question 11

(Sample Simulation – On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out to 100,000 random email addresses. In the email the attacker sent, it claims that “Your Bank of America account is locked out. Please click here to reset your password.” What types of attacks have occurred in (1) and (2)?

A. (1)Vishing and (2)Phishing
B. (1)Pharming and (2)Phishing
C. (1)Spearphishing and (2)Pharming
D. (1)Hoax and (2)Spearphishing

Answer 11

A. (1)Vishing and (2)Phishing

Question 12

Which of the following is exploited by an SQL injection to give the attacker access to a database?

A. Web Application
B. Database Server
C. OS
D. Firewall

Answer 12

A. Web Application

Question 13

A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer?

A. Rootkit
B. Botnet
C. Trojan
D. Ransomeware

Answer 13

A.Rootkit

Question 14

You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?

A.3389
B.389
C.21
D.443

Answer 14

D.443

Question 15

Which of the following best describes the type of attack shown?

A. Smurf
B. Man in the Middle
C. Xmas Tree Attack
D. Ping of Death

Answer 15

A. Smurf

OBJ-1.4: A smurf attack uses a single ping with a spoofed source address sent to the broadcast address of a network. This causes every device within the network to receive a single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.

Question 16

What kind of attack is an example of IP spoofing?

A. Cross Site Scripting
B. ARP Poisoning
C. On Path Attack
D. SQL Injection

Answer 16

C. On Path Attack

Question 17

A salesperson’s laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?

A. Zero Day Malware
B. PII Exfiltration
C. RAT
D. Ping of Death

Answer 17

A. Zero Day Malware

Question 18

An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders’ and attackers’ technical environment during the exercise?

A. Red Team
B. Purple Team
C. Blue Team
D. White Team

Answer 18

D. White Team

Question 19

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?

A. Session Hijacking
B. Phishing
C. Privilege Escalation
D. Social Engineering

Answer 19

C. Privilege Escalation

Question 20

In 2014, Apple’s implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?

A. Insufficient Logging and Monitoring
B. Insecure Object Reference
C. Improper Error Handling
D. Use of Insecure Functions

Answer 20

C. Improper Error Handling

Question 21

Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?

A. Known environment testing
B. Semi trusted environment testing
C. Unknown environment testing
D. Partially Known environment testing

Answer 21

C. Unknown environment testing

Question 22

You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?

A. Impersonation
B. SQL Injection
C. Password Spraying
D. Integer Overflow Attack

Answer 22

D. Integer Overflow Attack

Question 23

You just received a notification that your company’s email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?

A. Network flows for the DMZ containing the email servers
B. The full email header from one of the spam messages
C. Firewall logs showing the SMTP connection
D. The SMTP audit log from his company’s email server

Answer 23

B. The full email header from one of the spam messages

Question 24

Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?

A. True Negative
B. True Positive
C. False Positive
D. False Negative

Answer 24

C. False Positive

Question 25

Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?

A. White Team
B. Blue Team
C. Red team
D. Yellow Team

Answer 25

B. Blue Team

Question 26

Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?

A. Deep Learning
B. Generative Adversiarial Network
C. Machine Learning
D. AI

Answer 26

C. Machine Learning

Question 27

What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called?

A. Informative Assurance
B. Penetration Testing
C. Incident Response
D. Threat Hunting

Answer 27

D. Threat Hunting

Question 28

You are investigating a suspected compromise. You have noticed several files that you don’t recognize. How can you quickly and effectively check if the files have been infected with malware?

A. Submit the files
B. Dissemble the files
C. Run the Strings
D. Scan the files

Answer 28

A. Submit the files

Question 29

While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?

A. 172.16.1.100
B. 192.168.1.10
C. 10.15.1.100
D. 192.168.1.100

Answer 29

D. 192.168.1.100

Question 30

A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?

A. Hybrid
B. Dictionary
C. Rainbow Table
D. Brute-Force

Answer 30

D. Brute-Force

Question 31

A security analyst conducts a Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to?

A. Web Portal Data Leak
B. Open file/print sharing
C. Open mail relay
D. Clear text authentication

Answer 31

C. Open mail relay

Question 32

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

A. Trojan
B. Keyloggar
C. Rootkit
D. Ransomware

Answer 32

A. Trojan

Question 33

A security analyst is conducting a log review of the company’s web server and found two suspicious entries. Based on source code analysis, which type of vulnerability is this web server vulnerable to?

A. Directory Traversal
B. LDAP Injection
C. Command Injection
D. SQL Injection

Answer 33

D. SQL Injection

OBJ-1.3: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (‘) used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

Question 34

A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?

A. Combination of Server-based
B. Active Scanning engine
C. Combination of cloud-based
D. Passive scanning engine

Answer 34

B. Active Scanning engine

Question 35

You have been asked to determine if Dion Training’s web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?

A. Passive Scan
B. Protocol Analysis
C. Vulnerability Scan
D. Banner Grabbing

Answer 35

D. Banner Grabbing

Question 36

Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user’s passwords?

A. Phishing
B. On Path Attack
C. Shoulder Surfing
D. Tailgating

Answer 36

C. Shoulder Surfing

Question 37

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable’s size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?

A. SQL Injection
B. Cross Site Scripting
C. Buffer Overflow
D. Malicious Logic

Answer 37

C. Buffer Overflow

Question 38

Which of the following is a common attack model of an APT attack?

A. Involves sophisticated DDoS Attack
B. Relies on worm to spread laterally
C. Hold an organization data hostage using encryption
D. Quietly gathers information from compromised systems

Answer 38

D. Quietly gathers information from compromised systems

Question 39

Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization’s data center?

A. Schedule Scans to run during low activity
B. Schedule Scans to run during peak time
C. Schedule Scans to run same time everyday
D. Schedule Scans to be conducted evenly throughout the day

Answer 39

A. Schedule Scans to run during low activity

Question 40

You are reviewing the IDS logs and notice the following log entry: What type of attack is being performed?

A Cross-Site Scripting
B. XML Injection
C. SQL Injection
D. Header Manipulation

Answer 40

C. SQL Injection

OBJ-1.3: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. The injection of unintended XML content and/or structures into an XML message can alter the application’s intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.

Question 41

After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?

A. Insider Threat
B. APT(Advance Persistent Test)
C. Spear Phishing
D. Privilege Escalation

Answer 41

B. APT(Advance Persistent Test)

Question 42

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information?

A. Spear Phishing
B. Hoax
C. Pharming
D. Phishing
E. Vhishing

Answer 42

E. Vhishing

Question 43

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?

A. Buffer Injection
B. SQL Injection
C. Directory Traversal
D. XML Injection

Answer 43

C. Directory Traversal

Question 44

You are conducting threat hunting on your organization’s network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?

A. The host might be used as a command
B. The host might be the victim of remote access trojan
C. The host might use a staging area for data exfiltration
D. The host might be offline and conducted backup locally.

Answer 44

C. The host might use a staging area for data exfiltration

Question 45

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker sends unsolicited messages over Facebook messenger?

A. Spear Phishing
B. Hoax
C. Pharming
D. Spimming
E. Spamming

Answer 45

D. Spimming

Question 46

What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software?

A. Polymorphic Virus
B. Trojan
C. Logic Bomb
D. Ransomware

Answer 46

A. Polymorphic Virus

Question 47

You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn’t exist yet. Which type of threat would this BEST be categorized as?

A. Zero Day
B. Spoofing
C. Brute Force
D. DDoS

Answer 47

A. Zero Day

Question 48

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building’s main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?

A. Tailgating
B. Shoulder Surfing
C. Social Engineering
D. Spoofing

Answer 48

A. Tailgating

Question 49

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results?

A. The scanner was not compatible with devices on network
B. The scanner has an exceptionally strong security posture
C. The scanner failed to connect
D. An uncredited scan of the network was performed

Answer 49

D. An uncredited scan of the network was performed

Question 50

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?

A. Beaconing
B. Introduction of new accounts
C. Data Exfiltration
D. Unauthorized Privilege

Answer 50

C. Data Exfiltration

Question 51

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: What type of attack was most likely being attempted by the attacker?

A. Impersonation
B. Credential Harvesting
C. Password Spraying
D. Brute Force

Answer 51

D. Brute Force

OBJ-1.2: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user’s password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes.

Question 52

A macOS user is browsing the internet in Google Chrome when they see a notification that says, “Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!” What type of threat is this user experiencing?

A. Worm
B. Rouge Anti Virus
C. Pharming
D. Phishing

Answer 52

B. Rouge Anti Virus

Question 53

A customer brought in a computer that has been infected with a virus. Since the infection, the computer began redirecting all three of the system’s web browsers to a series of malicious websites whenever a valid website is requested. You quarantined the system, disabled the system restore, and then perform the remediation to remove the malware. You have scanned the machine with several anti-virus and anti-malware programs and determined it is now cleaned of all malware. You attempt to test the web browsers again, but a small number of valid websites are still being redirected to a malicious website. Luckily, the updated anti-virus you installed blocked any new malware from infecting the system. Which of the following actions should you perform NEXT to fix the redirection issue with the browsers?

A. Reformate the system and reinstall the OS
B. Install a secondary anti malware solution on the system
C. Verify the host file has not been maliciously modified
D. Perform a system Restore to an earlier date before the infection

Answer 53

C. Verify the host file has not been maliciously modified

Question 54

In which type of attack does the attacker begin with a normal user account and then seek additional access rights?

A. Remote Code Exploitation
B. Privilege Escalation
C. Cross Site Scripting
D. Spear Phishing

Answer 54

B. Privilege Escalation

Question 55

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker attempts to obtain personal or private information through domain spoofing or poisoning a DNS server?

A. Vishing
B. Phishing
C. Spear Phishing
D. Pharming
E. Hoax

Answer 55

D. Pharming

Question 56

Which of the following would NOT be useful in defending against a zero-day threat?

A. Segmentation
B. Threat Intelligence
C. Allow Listing
D. Patching

Answer 56

D. Patching

Question 57

While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee’s account upon their termination. Which of the following categories would this breach be classified as?

A. Insider Threat
B. Advanced Persistence Threat
C. Zero Day
D. Known Threat

Answer 57

A. Insider Threat

Question 58

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack?

A. Vishing
B. Smishing
C. Whaling
D. Spear Phishing
E. Phishing

Answer 58

C. Whaling

Question 59

Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach?

A. Conduct notification to all affected customers within 72 hours of the discovery of the breach
B. Provide a statement to the press that minimize the scope of the breach
C. Conduct “hack-back” of the attacker to retrieve the stolen information
D. Purchse cyber insurance

Answer 59

A. Conduct notification to all affected customers within 72 hours of the discovery of the breach

Question 60

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?

A. Enable WPA2 security
B. Implement a VLAN to separate the HVAC control system from the open wireless network
C. Install a IDS to protect the HVAC System
D. Enable NAC on the open wireless network

Answer 60

B. Implement a VLAN to separate the HVAC control system from the open wireless network

Question 61

Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:Based on the output, what type of password cracking method does Jason’s new tool utilize?

A. Hybrid Attack
B. Brute Force Attack
C. Rainbow Attack
D. Dictionary Attack

Answer 61

Hybrid Attack

OBJ-1.2: Based on the passwords found in the example, Jason’s new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason’s password of rover123 is made up of the dictionary word “rover” and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, …122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.

Question 62

You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device?

A. Port Scanning
B. MAC Validation
C. Site Survey
D. War Walking

Answer 62

D. War Walking

Question 63

Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn’t remember sending the email to the colleague. What is Barbara MOST likely the victim of?

A. Phishing
B. Spear Phishing
C. Hijacked Email
D. Ransomeware

Answer 63

C. Hijacked Email

Question 64

Which of the following must be combined with a threat to create risk?

A. Exploit
B. Vulnerability
C. Malicious Actor
D. Mitigation

Answer 64

B. Vulnerability

Question 65

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?

A. The file contains an embedded link to malicious website
B. The attachment is using a double file extension to mask its identity
C. The email is a form a spam and should be deleted
D. The user doesn’t have a PDF reader installed on their computer

Answer 65

B. The attachment is using a double file extension to mask its identity

Question 66

Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?

A. Organized Crime
B. APT
C. Hacktivist
D. Insider Threat

Answer 66

D. Insider Threat

Question 67

What role does the red team perform during a tabletop exercise (TTX)?

A. System Admin
B. Network Defender
C. Cybersecurity Analyst
D. Adversary

Answer 67

D. Adversary

Question 68

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?

A. Brute Force Attack
B. Birthday Attack
C. Cognitive Password Attack
D. Rainbow Table Attack

Answer 68

C. Cognitive Password Attack

Question 69

A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:
What type of vulnerability does this website have?

A. Insecure direct object reference
B. Race Condition
C. Weak or Default configuration
D. Improper Error Handling

Answer 69

A. Insecure direct object reference

OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user’s profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system’s potential flaws.

Question 70

An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account’s cached credentials when the user logged into an SSO system?

A. Lateral Movement
B. Pivoting
C. Pass the Hash
D. Golden Ticket

Answer 70

C. Pass the Hash

Question 71

Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat?

A. Biometric Lock
B. Badge Reader
C. Privacy Screen
D. Hardware token

Answer 71

C. Privacy Screen

Question 72

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?

A. Spoofing
B. Brute Force Attack
C. Privilege Escalation
D. On Path Attack

Answer 72

B. Brute Force Attack

Question 73

A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer’s phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit?

A. Dereferencing
B. Sensitive Data Exposure
C. Race Condition
D. Broken Authentication

Answer 73

C. Race Condition

Question 74

Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?

A. Trend
B. Heuristic
C. Behavior
D. Anomaly

Answer 74

C. Behavior

Question 75

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?

A. Vishing
B. Phishing
C. Hoax
D. Pharming
E. Spear Phishing

Answer 75

Spear Phising

Question 76

Which of the following vulnerability scans would provide the best results if you want to determine if the target’s configuration settings are correct?

A. Credential Scan
B. Non Credential Scan
C. Internal Scan
D. External Scan

Answer 76

A. Credential Scan

Question 77

You are performing a web application security test, notice that the site is dynamic, and must be using a back-end database. You decide you want to determine if the site is susceptible to an SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request?

A. Single Quote
B. Double Quote
C. Semicolon
D. Data Mark

Answer 77

A. Single Quote

Question 78

While conducting a penetration test of an organization’s web applications, you attempt to insert the following script into the search form on the company’s website: Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, “This site is vulnerable to an attack!” Based on this response, what vulnerability have you uncovered in the web application?

A. Cross Site Forgery
B. Cross Site Scripting
C. Distributed DoS
D. Buffer Overflow

Answer 78

B. Cross Site Scripting

OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer.

Question 79

Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, “Killers of the Arctic.” She believes this was done in response to her company’s latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement?

A. Script Kiddie
B. Hacktivist
C. Organized Crime
D. APT

Answer 79

B. Hacktivist

Question 80

Your company’s Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network’s file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network’s file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?

A. Spyware
B. Ransomware
C. Botnet
D. Rootkit

Answer 80

C. Botnet

Question 81

You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon’s behavior on the network?

A. The beacon persistence
B. The beacon interval
C. Removal of known Traffic
D. The Beacon Protocol

Answer 81

D. The Beacon Protocol

Question 82

A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?

A. True Positive
B. True Negative
C. False Negative
D. False Positive

Answer 82

D. False Positive

Question 83

Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, verifying that the workstation’s anti-malware solution is up-to-date and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?

A. Zero Day
B. Session hijacking
C. Impersonation
D. Mac Spoofing

Answer 83

A. Zero Day

Question 84

A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the webserver, what is their next step to pivot to a protected system outside of the screened subnet?

A. Privilege Escalation
B. Installing Addition Tools
C. Vulnerability Scanning
D. Patching

Answer 84

A. Privilege Escalation

Question 85

A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization’s proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?

A. Malware is running on a company workstation or server
B. A malicious insider is trying to exfiltration information to a remote network
C. An infected workstation is attempting to reach a command and control server
D. An attacker is performing reconnaissance of the organization workstation

Answer 85

C. An infected workstation is attempting to reach a command and control server

Question 86

What type of malware is designed to be difficult for malware analysts to reverse engineer?

A. Rootkit
B. Trojan
C. Logic Bomb
D. Armored Virus

Answer 86

D. Armored Virus

Question 87

The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?

A. Adwere
B. Worm
C. Trojan
D. Logic Bomb

Answer 87

D. Logic Bomb

Question 88

During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?

A. Indicator of Compromise
B. SQL Injection
C. Botnet
D. XSRF

Answer 88

A. Indicator of Compromise

Question 89

An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application’s search form and introduced the following code in the search input field: When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?

A. Command Injection
B. Cross Site Scripting
C. SQL Injection
D. Cross Site request Forgery

Answer 89

B. Cross Site Scripting

OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.

Question 90

Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state?

A. Hacktivist
B. Advanced Persistence Threat
C. Ethical Hacker
D. Script kiddie

Answer 90

B. Advanced Persistence Threat

Question 91

Recently, you discovered an unauthorized device during a search of your corporate network. The device provides nearby wireless hosts to access the corporate network’s resources. What type of attack is being utilized?

A. Rouge Access point
B. IV Attack
C. Bluejacking
D. Bluesnarfing

Answer 91

A. Rouge Access point

Question 92

On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full-screen image with a padlock and a message stating you have to pay 0.1 BTC to regain access to your personal files. What type of malware has infected your laptop?

A. Trojan
B. Rootkit
C. Ransomware
D. Spyware

Answer 92

C. Ransomware

Question 93

You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using?

A. Consensus
B. Intimidation
C. Familiarly
D. Trust

Answer 93

B. Intimidation

Question 94

A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?

A. Perform a scan for the specific vulnerably
B. Perform a unauthenticated vulnerability scan
C. Perform a web vulnerability scan
D. Perform authenticated scan

Answer 94

A. Perform a scan for the specific vulnerably

Question 95

A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?

A. A website utilizing a self signed SSL certificate
B. A cryptographically weak encryption
C. A buffer overflow that is known to allow remote code execution
D. An HTTP response that reveals an internet IP address

Answer 95

C. A buffer overflow that is known to allow remote code execution

Question 96

Which type of method is used to collect information during the passive reconnaissance?

A. Social Engineering
B. Reviewing Public Repository
C. Network Traffic sniffing
D. API request and response

Answer 96

B. Reviewing Public Repository

Question 97

Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur?

A. Bluejacking
B. Bluesnarfing
C. Packet Sniffing
D. Geotagging

Answer 97

A. Bluejacking

Question 98

What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities?

A. Patch Management
B. Passive Reconnaissance
C. Active Scanning
D. Vulnerability Scanning

Answer 98

B. Passive Reconnaissance

Question 99

What type of malicious application does not require user intervention or another application to act as a host to replicate?

A. Trojan
B. Virus
C. Macro
D. Worm

Answer 99

D. Worm

Question 100

A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?

A. A HTTPS entry
B. A scan result
C. Items Classified by the system
D. A finding that shows the scanners compliance

Answer 100

C. Items Classified by the system

Question 101

You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding?

A. True Positive
B. True Negative
C. False Positive
D. False Negative

Answer 101

C. False Positive

OBJ-1.7: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3 that is greater than v3.3.x or above. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn’t exist on your system. Therefore this is a false positive.

Question 102

(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Based on the image provided, what type of attack is occurring?

A. Ping Flood
B. SYN Flood
C. DDoS
D. Smurf Attack

Answer 102

A. Ping Flood

Question 103

You are analyzing the following network utilization report because you suspect one of the servers has been compromised. Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?

A. web01
B. webdev02
C. marketing01
D. dnsvr01

Answer 103

D. dnsvr01

OBJ-1.6: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.

Question 104

You are analyzing the SIEM for your company’s e-commerce server when you notice the following URL in the logs of your SIEM:

A. XML Injection
B. Session hijacking
C. Buffer Overflow
D. SQL Injection

Based on this line, what type of attack do you expect has been attempted?

Answer 104

A. XML Injection

OBJ-1.3: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application’s intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server’s XML structure. The original XML structure would be: <addToCart> <item></item> </addToCart>. By using the URL above, this would be modified to the following: <addToCart> <item></item> <item></item> </addToCart>. The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store’s add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.

Question 105

You are working as part of a penetration testing team during an assessment of Dion Training’s headquarters. Your boss has requested that you search the company’s recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing?

A. Impersonation
B. Whaling
C. Dumpster Diving
D. Phishing

Answer 105

C. Dumpster Diving

Question 106

During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance’s operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability?

A. Wait 30 days
B. Try to gain access
C. Mark the known vulnerabilities
D. Contact the vendor to provide an update or to remediate the vulnerability

Answer 106

D. Contact the vendor to provide an update or to remediate the vulnerability

Question 107

Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization’s database?

A. Buffer Overflow
B. SQL Injection
C. DoS
D. Cross Site Scripting

Answer 107

B. SQL Injection

Question 108

Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host’s %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis?

A. APT
B. DDoS
C. Software vulnerabilities
D. Ransomware

Answer 108

A. APT

Question 109

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.

What type of action did the analyst perform, based on the command and response above?

A. Querying the whois database
B. SQL Injection
C. Banner Grabbing
D. Cross Site Scripting

Answer 109

C. Banner Grabbing

Question 110

(This is a simulated performance-based question.)
You have been asked to help conduct a known environment penetration test. As part of your preparations, you have been given the source code for the organization’s custom web application.

Which type of vulnerability might be able to exploit the code shown in this image?

A. JavaScript Injection
B. SQL Injection
C. Remote Code Execution
D. Buffer Overflow

Answer 110

D. Buffer Overflow

OBJ-1.2: The function DionCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.

Question 111

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?

A. Trojan
B. Worm
C. Adware
D. Logic Bomb

Answer 111

A. Trojan

Question 112

A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
What type of attack was most likely being attempted by the attacker?

A. Impersonation
B. Session Hijacking
C. Password Spraying
D. Credential Stuffing

Answer 112

C. Password Spraying

OBJ-1.2: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.

Question 113

Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization’s traveling salespeople’s laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?

A. Server-Based Scanning
B. Agent-Based Scanning
C. Passive Network Monitoring
D. Non-Credential Scanning

Answer 113

B. Agent-Based Scanning

Question 114

(This is a simulated performance-based question.)
You are working as a help desk technician and received a call from a user who complains about their computer’s performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you enter the command prompt in Windows and run the following command:
Based on the output provided, what type of malware may have been installed on this user’s computer?

A. Rat
B. Spam
C. Worm
D. Keyloggar

Answer 114

A. Rat

OBJ-1.2: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.