CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 6 Q76-90

Question 76

A SOC analyst observes multiple endpoints executing scripts that establish outbound connections to newly registered domains over non-standard TCP ports. The scripts are obfuscated and attempt to disable local firewall and logging services. What is the most likely threat, and what should the SOC do first?

A) Routine administrative scripts; allow execution.
B) Advanced malware establishing persistent command-and-control channels and evading detection; isolate endpoints, capture network traffic, and perform endpoint forensics.
C) Misconfigured automation; correct scripts.
D) Security testing scripts; notify users.

Answer: B)

Explanation:

Option A assumes normal administrative activity. Administrative scripts are typically signed, predictable, and documented, and they rarely disable firewalls or logging services. Obfuscated scripts communicating with unknown domains on non-standard ports outside normal operating hours indicate malicious activity. Ignoring this behavior could allow attackers to establish covert communication channels, move laterally across the network, and exfiltrate sensitive data.

Option B is correct. Advanced malware often leverages obfuscated scripts to maintain persistence while bypassing detection mechanisms. Establishing outbound connections to newly registered domains over non-standard ports is indicative of command-and-control operations. Immediate response should involve isolating the affected endpoints to prevent further communication and lateral movement, capturing network traffic to analyze the data flow and identify external command-and-control servers, and performing endpoint forensics to examine running processes, memory, and persistence mechanisms. Analysts should investigate which files or scripts were executed and correlate them with SIEM and logging systems to determine the scope of compromise. Remediation includes cleaning infected endpoints, restoring security services, implementing enhanced monitoring, and blocking identified malicious IPs and domains. Preserving forensic evidence is critical for post-incident analysis, regulatory reporting, and strengthening detection capabilities.

Option C assumes misconfigured automation. While misconfigurations can generate unusual network activity, they rarely involve obfuscation, firewall tampering, and communication with newly registered domains on non-standard ports. Assuming benign misconfiguration could leave a persistent threat undetected.

Option D assumes security testing scripts. Legitimate testing is usually documented, predictable, and does not involve disabling security controls or obfuscated execution. Ignoring malicious activity under the assumption of testing could enable compromise and data loss.

Selecting option B ensures proactive containment, forensic investigation, and remediation of sophisticated malware attempting to bypass defenses while preserving critical evidence for incident response and threat analysis.

Question 77

A SOC analyst identifies Linux endpoints repeatedly performing DNS queries to domains with high entropy subdomains that change every few minutes. The domains are newly registered and have no reputation. What is the most likely threat, and what should the SOC do first?

A) Normal DNS resolution; allow traffic.
B) DNS tunneling used for covert data exfiltration or command-and-control; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry over DNS; verify vendor.

Answer: B)

Explanation:

Option A assumes normal DNS resolution. Standard DNS queries involve known domains with meaningful subdomains. Persistent queries to newly registered domains with high-entropy, frequently changing subdomains indicate anomalous activity. Allowing this behavior risks covert data exfiltration and remote control by attackers.

Option B is correct. DNS tunneling is a technique used by malware to bypass network security controls by encoding data within DNS queries and responses. High entropy subdomains, frequent changes, and newly registered domains are key indicators. Immediate SOC response should include capturing DNS traffic for decoding and analysis to identify the type of data being transmitted, isolating affected endpoints to prevent further exfiltration, and performing endpoint forensics to identify the scripts or processes responsible. Analysts should correlate findings with network traffic logs and threat intelligence to identify attacker infrastructure. Remediation involves cleaning infected endpoints, updating intrusion detection and prevention systems to detect DNS tunneling patterns, and monitoring other systems for similar activity. Evidence preservation is essential for forensic investigation, reporting, and threat hunting.

Option C assumes misconfigured DNS servers. Misconfigurations usually cause failed resolutions or error responses rather than persistent high-entropy queries to external, unknown domains. Treating this as benign may leave active threats undetected.

Option D assumes antivirus telemetry. Legitimate telemetry typically occurs to known vendor domains and does not use high-entropy, dynamically changing subdomains. Ignoring the threat under this assumption risks allowing covert malware activity.

Selecting option B ensures early detection, containment, and forensic analysis of covert exfiltration mechanisms while preserving evidence for post-incident review and strengthening detection capabilities.

Question 78

A SOC analyst detects Windows endpoints executing PowerShell scripts that disable antivirus services, modify registry keys for persistence, and initiate outbound connections to unknown IPs. No alerts were triggered by endpoint security. What is the most likely threat, and what is the recommended response?

A) Routine administrative scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation scripts; correct scripts.
D) User testing scripts; notify users.

Answer: B)

Explanation:

Option A assumes legitimate administrative activity. Normal administrative scripts are predictable, signed, and documented. Obfuscated scripts that disable security services, modify the registry, and connect to unknown IPs are clear indicators of malicious activity. Ignoring this behavior could allow attackers to maintain persistent access and control over critical systems.

Option B is correct. Fileless malware uses legitimate tools like PowerShell to execute in memory, bypassing traditional detection. Indicators include disabling antivirus services, persistence mechanisms via registry modifications, and communication with unknown external hosts. Immediate SOC response should involve isolating affected endpoints to prevent lateral movement and data exfiltration, capturing memory to analyze active processes and scripts, and reviewing network traffic for command-and-control communications. Analysts should identify the scripts responsible and correlate findings with SIEM logs and threat intelligence. Remediation involves cleaning infected endpoints, restoring security services, updating detection mechanisms, and monitoring the environment for similar behavior. Evidence preservation ensures detailed forensic analysis, regulatory compliance, and improved threat detection.

Option C assumes misconfigured automation. Misconfigurations rarely result in obfuscated scripts that disable security services and initiate unauthorized communications. Treating this as benign could allow malware to persist undetected.

Option D assumes user testing. Legitimate testing is typically documented and does not involve tampering with security services or executing obfuscated scripts. Ignoring such activity could allow persistent compromise.

Selecting option B ensures proactive containment, forensic analysis, and remediation of sophisticated malware, protecting critical endpoints and preserving evidence for future prevention.

Question 79

A SOC analyst observes Linux endpoints establishing persistent outbound SSH connections over non-standard ports to external IP addresses. Unusual processes are executed, and connections continue outside operational hours. What is the most likely threat, and what should the SOC do first?

A) Routine system administration; allow connections.
B) Malicious SSH tunnels used for command-and-control or data exfiltration; isolate endpoints, capture network traffic, and analyze processes.
C) Misconfigured automation scripts; update configuration.
D) Monitoring software; verify with vendor.

Answer: B)

Explanation:

Option A assumes routine administration. Standard administrative SSH activity is predictable, occurs over known ports, and originates from known hosts. Persistent connections to unknown IP addresses over non-standard ports indicate anomalous behavior. Allowing this could enable attackers to exfiltrate data or maintain covert access.

Option B is correct. Malicious SSH tunnels are frequently used to bypass firewall restrictions and establish command-and-control channels or data exfiltration pathways. Key indicators include continuous off-hours connections, execution of unusual processes, and unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing network traffic for analysis to identify external hosts and transmitted data, and performing endpoint forensics to determine malware or scripts responsible. Threat intelligence may reveal associated attacker infrastructure. Remediation involves cleaning infected systems, updating firewall and monitoring controls, and scanning other endpoints for similar activity. Preserving evidence ensures accurate incident documentation and forensic analysis.

Option C assumes misconfigured automation scripts. Misconfigurations rarely create persistent SSH connections to unknown hosts. Treating this as benign could allow malware to persist.

Option D assumes monitoring software. Legitimate monitoring uses known servers and predictable ports. Off-hours persistent SSH connections are inconsistent with standard monitoring behavior.

Selecting option B ensures containment, forensic investigation, and mitigation of covert malware operations while protecting sensitive data.

Question 80

A SOC analyst identifies endpoints accessing rarely used network shares, reading portions of files, and attempting unauthorized writes outside business hours. What is the most likely threat, and what should the SOC do first?

A) Normal backup activity; allow.
B) Malware performing reconnaissance or lateral movement; isolate endpoints, review access logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.

Answer: B)

Explanation:

Option A assumes normal backup activity. Backups typically involve full file access, scheduled times, and known accounts. Accessing small portions of rarely used shares with unauthorized writes outside business hours is suspicious. Ignoring this could enable malware reconnaissance or lateral movement.

Option B is correct. Malware often probes network shares to map resources, gain credentials, or propagate laterally. Indicators include accessing rarely used shares, reading small portions of files, unauthorized write attempts, and off-hours activity. Immediate SOC response includes isolating affected endpoints to prevent further compromise, reviewing file access logs to determine which files were targeted, and performing endpoint analysis to identify malicious processes or scripts. Remediation involves cleaning infected systems, strengthening access controls, updating monitoring and alerting, and validating account integrity. Preserving forensic evidence ensures effective investigation, reporting, and improvement of threat detection capabilities.

Option C assumes misconfigured tasks. Misconfigurations typically affect a limited scope and do not create anomalous activity across multiple endpoints. Treating this as benign could allow malware to continue reconnaissance.

Option D assumes legitimate off-hours activity. Users rarely access unused shares or attempt unauthorized writes off-hours. Ignoring suspicious activity risks ongoing malware reconnaissance and compromise.

Selecting option B ensures early detection, containment, and remediation, protecting sensitive data and maintaining network integrity.

Question 81

A SOC analyst notices multiple Windows endpoints executing obfuscated PowerShell scripts that download additional payloads from untrusted external servers. The scripts attempt to disable antivirus services and modify registry keys for persistence. What is the most likely threat, and what should the SOC do first?

A) Routine administrative scripts; allow execution.
B) Fileless malware using PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation scripts; correct configuration.
D) User testing scripts; notify users.

Answer: B)

Explanation:

Option A assumes legitimate administrative activity. Administrative scripts are usually signed, documented, and predictable. Obfuscated scripts that download external payloads, disable antivirus, and modify registry keys for persistence clearly indicate malicious activity. Ignoring this could allow attackers to establish persistent control, exfiltrate sensitive information, and bypass security monitoring.

Option B is correct. Fileless malware often leverages legitimate tools like PowerShell to execute entirely in memory, making detection challenging. Key indicators include obfuscation, registry modifications to maintain persistence, antivirus service disruption, and outbound communication to untrusted servers. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory to analyze in-memory execution, and examining scripts to determine functionality and intent. Network traffic analysis can identify external command-and-control servers, while correlating with SIEM logs and threat intelligence can provide insight into attacker infrastructure and tactics. Remediation includes cleaning infected endpoints, restoring security services, updating detection signatures, and monitoring the environment for similar activity. Preserving forensic evidence ensures accurate post-incident investigation, regulatory compliance, and improved detection strategies.

Option C assumes misconfigured automation scripts. While misconfigurations may cause unexpected behavior, they rarely include obfuscation, registry changes, and antivirus disabling. Treating this as benign could allow malware persistence.

Option D assumes user testing. Legitimate testing is typically documented and does not involve disabling security controls or executing obfuscated scripts from untrusted sources. Ignoring such activity risks continued compromise.

Selecting option B ensures early detection, containment, and forensic investigation of sophisticated malware while protecting critical systems and preserving evidence.

Question 82

A SOC analyst observes Linux endpoints performing repeated outbound SSH connections on non-standard ports to unknown external IPs. The endpoints are running unexpected processes, and the activity occurs outside business hours. What is the most likely threat, and what should the SOC do first?

A) Routine system administration; allow.
B) Malicious SSH tunnels for command-and-control or data exfiltration; isolate endpoints, capture network traffic, and analyze processes.
C) Misconfigured automation scripts; update configuration.
D) Monitoring software; verify with vendor.

Answer: B)

Explanation:

Option A assumes normal system administration. Routine SSH connections are predictable, use standard ports, and originate from known sources. Continuous connections over non-standard ports with unusual processes are anomalous and suggest malicious activity. Ignoring this could enable attackers to maintain covert access or exfiltrate sensitive data.

Option B is correct. Malicious SSH tunnels are commonly used to bypass firewalls and establish covert command-and-control channels. Indicators include off-hours persistent connections, execution of unusual processes, and unknown external IPs. Immediate response involves isolating affected endpoints to prevent lateral movement, capturing network traffic to analyze communication patterns, and performing endpoint forensics to identify malware or scripts responsible. Analysts should correlate findings with threat intelligence to identify known malicious infrastructure. Remediation includes cleaning infected endpoints, updating firewall and monitoring controls, and scanning other systems for similar activity. Preserving forensic evidence ensures accurate incident documentation and supports threat intelligence and mitigation efforts.

Option C assumes misconfigured automation scripts. Misconfigurations rarely result in persistent SSH connections to unknown external IPs. Treating this as benign could leave the organization vulnerable.

Option D assumes monitoring software. Legitimate monitoring uses predictable ports and known servers. Off-hours continuous connections to unknown IPs are inconsistent with normal monitoring behavior.

Selecting option B ensures containment, forensic analysis, and mitigation of covert malware activity while protecting sensitive data.

Question 83

A SOC analyst identifies multiple endpoints sending low-volume, continuous ICMP traffic to external IPs with no business relationship. The ICMP payloads are unusually large, and activity occurs outside business hours. What is the most likely threat, and what should the SOC do first?

A) Normal network diagnostics; allow traffic.
B) Reconnaissance activity or ICMP-based tunneling by malware; isolate endpoints, capture traffic, and analyze payloads.
C) Misconfigured monitoring system; update configuration.
D) Temporary network testing; notify users.

Answer: B)

Explanation:

Option A assumes normal diagnostics. Routine ICMP traffic, such as ping tests, is predictable, originates from authorized systems, and typically uses standard payload sizes. Bursts of large ICMP packets to unknown external IPs outside operational hours are inconsistent with normal behavior. Ignoring this activity risks network reconnaissance or covert data exfiltration.

Option B is correct. ICMP tunneling and reconnaissance are common malware techniques to bypass detection. Indicators include off-hours activity, large payloads, repeated requests to unknown IPs, and low-volume persistence. Immediate SOC response involves isolating affected endpoints to prevent further communication, capturing network traffic for analysis, and examining payloads to identify potential exfiltrated data or reconnaissance patterns. Endpoint forensics helps determine which processes initiated the traffic and whether persistence mechanisms exist. Threat intelligence can help identify known malicious infrastructure. Remediation includes cleaning infected endpoints, updating intrusion detection rules, and monitoring for similar anomalous ICMP behavior. Preserving evidence ensures proper forensic investigation, post-incident reporting, and improved detection capabilities.

Option C assumes misconfigured monitoring. Misconfigurations typically result in error messages or predictable patterns, not persistent ICMP bursts to unknown hosts. Treating this as benign could allow attackers to continue reconnaissance.

Option D assumes temporary testing. Legitimate testing is usually scheduled, documented, and predictable. Unplanned ICMP activity with large payloads to unknown IPs is unlikely to be legitimate.

Selecting option B ensures detection, containment, and investigation of covert network-based threats while protecting sensitive information.

Question 84

A SOC analyst notices endpoints executing scripts that modify firewall rules to allow outbound connections to previously blocked IPs and disable logging of network events. The scripts are obfuscated and run under elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass network defenses and exfiltrate data; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured security policies; update firewall rules.
D) User testing scripts; notify users.

Answer: B)

Explanation:

Option A assumes normal administrative activity. Legitimate scripts are signed, predictable, and documented. Obfuscated scripts that change firewall rules, disable logging, and run under elevated privileges are indicative of malicious activity. Ignoring this could allow covert data exfiltration and persistent compromise.

Option B is correct. Malware frequently modifies firewall rules to bypass detection and establish outbound communication for command-and-control or data exfiltration. Indicators include off-hours execution, obfuscation, elevated privileges, and log suppression. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory to analyze active processes and scripts, and reviewing network traffic to identify external endpoints. Analysts should examine scripts to determine intent and assess persistence mechanisms. Remediation includes cleaning endpoints, restoring security and logging services, updating detection rules, and monitoring other endpoints for similar activity. Preserving evidence ensures forensic integrity, regulatory compliance, and improved detection for future incidents.

Option C assumes misconfigured security policies. Misconfigurations rarely involve obfuscation, log suppression, or elevated privileges. Treating this as benign could allow malware persistence.

Option D assumes user testing. Legitimate testing is documented and does not involve bypassing security controls. Ignoring malicious activity under this assumption risks ongoing compromise.

Selecting option B ensures containment, forensic investigation, and remediation while strengthening future defenses against malware evasion techniques.

Question 85

A SOC analyst observes endpoints querying newly registered domains over HTTPS with dynamically generated subdomains. Queries are low volume but highly frequent and occur outside business hours. What is the most likely threat, and what is the recommended response?

A) Normal application telemetry; allow.
B) Malware using newly registered domains for command-and-control; capture traffic, isolate endpoints, and analyze for malware.
C) Misconfigured DNS resolver; update configuration.
D) Legitimate cloud service queries; verify with vendor.

Answer: B)

Explanation:

Option A assumes normal telemetry. Telemetry usually involves known domains and predictable patterns. Frequent queries to newly registered domains with dynamically generated subdomains indicate suspicious behavior. Ignoring this could allow command-and-control communications or data exfiltration.

Option B is correct. Malware often uses newly registered domains for command-and-control to evade reputation-based detection. Key indicators include dynamic subdomain generation, off-hours activity, and low-volume but persistent queries. Immediate SOC response involves capturing network traffic for analysis, isolating affected endpoints to prevent further communication, and performing malware analysis to identify responsible scripts or processes. Analysts should correlate network logs with threat intelligence to determine malicious infrastructure. Remediation includes cleaning endpoints, updating detection rules, and monitoring other systems for similar activity. Preserving forensic evidence ensures effective investigation, reporting, and improved detection capabilities.

Option C assumes misconfigured DNS. Misconfigurations rarely produce dynamic subdomain generation patterns to unknown domains. Treating this as benign risks undetected malware activity.

Option D assumes legitimate cloud queries. Cloud services typically connect to known domains with established reputations. Observed behavior is inconsistent with standard operations.

Selecting option B ensures proactive containment, forensic analysis, and mitigation of malware using novel infrastructure while protecting sensitive data.

Question 86

A SOC analyst observes Linux endpoints sending persistent low-volume traffic over unusual ports to external IP addresses that are not part of the business operations. The traffic occurs outside normal hours and is encrypted. What is the most likely threat, and what is the immediate response?

A) Routine system updates; allow traffic.
B) Malware establishing covert command-and-control channels; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured network services; update configuration.
D) Legitimate cloud synchronization; verify with vendor.

Answer: B)

Explanation:

Option A assumes normal system updates. Standard updates are predictable, occur over known ports, and connect to verified vendor servers. Persistent encrypted traffic over unusual ports to unknown external IPs outside business hours is anomalous and inconsistent with routine updates. Ignoring this could allow attackers to maintain covert access, move laterally, or exfiltrate sensitive data.

Option B is correct. Malware frequently uses non-standard ports and encrypted communication to avoid detection while maintaining command-and-control channels. Indicators include off-hours persistent activity, encryption to unknown IPs, and low-volume continuous traffic. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing network traffic to analyze communication patterns, and performing endpoint forensics to identify the processes responsible. Threat intelligence may reveal known malicious infrastructure, while remediation involves cleaning infected endpoints, updating firewall and detection rules, and monitoring other systems for similar behavior. Preserving forensic evidence ensures proper investigation, regulatory compliance, and improved threat detection.

Option C assumes misconfigured network services. Misconfigurations typically result in failed connections or errors, not persistent encrypted traffic to unknown hosts. Treating this as benign could leave a covert malware channel undetected.

Option D assumes legitimate cloud synchronization. Cloud services are predictable, use known domains, and operate on standard ports. Observed behavior is inconsistent with normal operations.

Selecting option B ensures containment, forensic analysis, and mitigation of covert malware while protecting sensitive data and preserving evidence for post-incident review.

Question 87

A SOC analyst detects multiple Windows endpoints creating scheduled tasks that download and execute scripts from untrusted external servers. The tasks run off-hours, obfuscate execution commands, and attempt to disable logging services. What is the most likely threat, and what should the SOC do first?

A) Routine administrative automation; allow execution.
B) Fileless malware establishing persistence and evading detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation tasks; correct configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes legitimate administrative automation. Legitimate scripts are documented, signed, and predictable. Scheduled tasks that download external scripts, run obfuscated commands, and disable logging are indicative of malicious activity. Ignoring this could allow malware to persist undetected and exfiltrate sensitive data.

Option B is correct. Fileless malware often leverages scheduled tasks to maintain persistence while bypassing endpoint detection. Key indicators include off-hours execution, obfuscation, disabling logs, and external downloads. Immediate SOC response includes isolating affected endpoints, capturing memory to analyze in-memory execution, and reviewing scripts to identify malicious behavior. Network traffic analysis can reveal command-and-control servers, and threat intelligence may identify known infrastructure. Remediation involves cleaning infected endpoints, restoring logging and security services, updating detection signatures, and monitoring the network for similar activity. Preserving forensic evidence ensures thorough investigation, regulatory compliance, and enhancement of detection capabilities.

Option C assumes misconfigured tasks. Misconfigurations rarely involve obfuscation, disabling logs, or downloading untrusted scripts. Treating this as benign could allow persistent malware to remain undetected.

Option D assumes user testing. Legitimate testing is documented and does not involve bypassing security controls or executing obfuscated scripts. Ignoring this could result in continued compromise.

Selecting option B ensures early containment, forensic investigation, and remediation while protecting critical systems.

Question 88

A SOC analyst notices Linux endpoints repeatedly querying newly registered domains with high-entropy subdomains. The queries occur off-hours and are highly frequent, but low-volume. What is the most likely threat, and what is the recommended response?

A) Normal DNS resolution; allow.
B) DNS tunneling for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry; verify with vendor.

Answer: B)

Explanation:

Option A assumes normal DNS resolution. Legitimate queries involve known domains with predictable subdomains. Frequent queries to newly registered domains with high-entropy subdomains are anomalous and suggest malicious activity. Allowing this could enable attackers to exfiltrate data covertly.

Option B is correct. DNS tunneling encodes data in DNS queries to bypass security controls. Indicators include high-entropy subdomains, newly registered domains, off-hours activity, and low-volume but frequent queries. Immediate SOC response involves capturing DNS traffic for decoding, isolating affected hosts to prevent further exfiltration, and performing endpoint forensics to identify the processes responsible. Analysts should correlate findings with SIEM logs and threat intelligence to identify attacker infrastructure. Remediation includes cleaning infected endpoints, updating detection mechanisms for DNS tunneling, and monitoring the network for similar activity. Preserving forensic evidence ensures accurate investigation, regulatory compliance, and improved detection capabilities.

Option C assumes that unusual network activity could be the result of misconfigured DNS servers. DNS misconfigurations are common in enterprise environments, and they can create observable issues such as failed resolutions, repeated attempts to query unreachable domains, or predictable error messages logged in system or server logs. Examples include improperly configured forwarding rules, incorrect zone files, or stale cache entries. These types of misconfigurations tend to produce consistent and recognizable patterns that are straightforward to diagnose and correct. Network administrators can trace the origin of the queries, determine which servers are affected, and identify specific misconfigured entries to resolve the problem. Such issues rarely generate complex, high-entropy queries, nor do they produce communication with previously unknown domains in a sustained, purposeful manner.

In contrast, the scenario described (frequent, high-entropy DNS queries to unknown or newly registered domains) is inconsistent with typical misconfigured DNS behavior. High-entropy queries often contain encoded information, and when directed at dynamic or recently registered domains, they are a strong indicator of covert communication channels, commonly used by malware for command-and-control (C2) purposes or data exfiltration. Malware frequently leverages DNS because it is an essential network service, and communications over DNS are less likely to trigger standard security alerts. These communications may use domain generation algorithms (DGAs) to create dynamic domains, making it difficult for defenders to preemptively block malicious destinations. If misclassified as benign, such activity can allow malware to maintain persistence, continue exfiltrating sensitive data, or perform reconnaissance across the network undetected. Unlike simple misconfigurations, which are static and easily traceable, malware uses DNS strategically to obscure its presence and avoid detection by blending with legitimate DNS traffic.

Option D assumes that similar anomalous activity may be attributed to antivirus telemetry. Antivirus and endpoint detection software typically generate telemetry to communicate system health, updates, and threat intelligence back to the vendor. These communications are predictable in both frequency and destination, occurring to known vendor-controlled domains and IP addresses using standard protocols and ports. The content of legitimate telemetry is also standardized and does not contain high-entropy or dynamically generated subdomains, nor does it operate inconsistently outside scheduled hours. When high-entropy queries occur in dynamic domains, especially during off-hours, the behavior deviates sharply from expected telemetry patterns and is inconsistent with legitimate security monitoring.

High-entropy DNS queries to dynamic domains combined with off-hours activity are particularly concerning. Malicious actors deliberately schedule such communications during low-monitoring periods to avoid detection by human administrators or automated alerting systems. They also frequently use dynamically generated subdomains to prevent domain blacklisting and detection by traditional security tools. Unlike routine telemetry, which is designed to be transparent and easily auditable, these techniques allow malware to maintain covert channels, execute commands, and potentially exfiltrate sensitive data without leaving obvious traces. Assuming that such activity is normal antivirus telemetry could result in critical delays in incident detection and response. The persistence of these queries, the randomness of the domains, and the timing of the activity collectively indicate deliberate malicious behavior rather than benign system operations.

Proper security response requires careful verification of all anomalous DNS activity. Security teams must analyze query patterns, determine the entropy and structure of the requested domains, and correlate these findings with endpoint behavior, system logs, and other indicators of compromise. Forensic investigation may include memory analysis, process inspection, and tracking of network connections to determine whether the queries originate from legitimate services or unauthorized processes. The combination of high-entropy queries to unknown domains, off-hours activity, and unexpected subdomain usage strongly favors the interpretation of malicious activity over simple misconfigurations or routine telemetry.

Both Option C and Option D rely on assumptions that can be dangerously misleading. Misconfigured DNS servers generally produce predictable errors and are unlikely to generate high-entropy, persistent queries to unknown domains. Similarly, legitimate antivirus telemetry is predictable, occurs in known vendor domains, and does not involve dynamic subdomains or off-hours irregularities. Misclassifying these activities as benign risks leaving persistent malware communications undetected, allowing attackers to maintain covert access, exfiltrate sensitive information, and escalate privileges within the network. Accurate verification, detailed analysis of query patterns, and correlation with other indicators of compromise are essential to differentiate between routine system behavior and malicious activity. A proactive approach ensures timely detection, effective containment, and mitigation of threats, protecting organizational assets and maintaining the integrity of critical network infrastructure.

Selecting option B ensures proactive containment, analysis, and remediation of covert exfiltration techniques.

Question 89

A SOC analyst detects endpoints sending repeated outbound HTTPS requests to newly registered domains with dynamically generated subdomains. The requests occur off-hours and are initiated by scripts not documented in IT operations. What is the most likely threat, and what is the recommended response?

A) Normal application telemetry; allow.
B) Malware using newly registered domains for command-and-control; capture traffic, isolate endpoints, and analyze scripts.
C) Misconfigured web services; update configuration.
D) Legitimate cloud service testing; verify with vendor.

Answer: B)

Explanation:

Option A assumes normal telemetry. Legitimate telemetry is predictable, uses known domains, and is documented. Frequent outbound requests to newly registered domains with dynamically generated subdomains are anomalous. Ignoring this behavior risks command-and-control communications and potential data exfiltration.

Option B is correct. Malware often uses dynamically generated subdomains on new domains to communicate with command-and-control servers while evading detection. Indicators include off-hours activity, low-volume but persistent requests, and undocumented scripts initiating connections. Immediate SOC response includes capturing network traffic for analysis, isolating affected endpoints to prevent further communication, and performing script analysis to identify malware. Correlating network logs with threat intelligence helps identify attacker infrastructure. Remediation includes cleaning infected endpoints, updating detection rules, monitoring for similar activity, and validating IT processes to prevent recurrence. Preserving forensic evidence supports investigation, regulatory compliance, and enhancement of threat detection.

Option C suggests that unusual network activity could be attributed to misconfigured web services. Web services, when improperly configured, can indeed produce anomalies such as failed requests, error messages, or unexpected internal traffic. Common misconfigurations include incorrect URL routing, improper permissions, or missing authentication settings, which typically result in predictable and localized errors. For example, a misconfigured web server might repeatedly attempt to access internal resources or log errors when a requested service is unavailable. These behaviors are generally traceable, allowing administrators to identify the root cause and correct the configuration without major disruption to other systems.

However, the scenario described, low-volume, persistent connections to newly registered external domains, does not align with the expected behavior of misconfigured web services. Misconfigurations rarely produce traffic directed toward unknown or newly created domains on the internet, and they are unlikely to maintain steady, long-term connections at low volume. Such activity is more characteristic of deliberate, malicious operations rather than accidental misconfigurations. Malware and advanced persistent threats (APTs) often use low-volume, persistent connections to exfiltrate data or maintain command-and-control channels while avoiding detection. By spreading traffic out over time and keeping volumes minimal, attackers reduce the likelihood of triggering traditional monitoring alerts or network-based intrusion detection systems.

Treating this activity as benign based on an assumption of misconfiguration is dangerous. If security teams dismiss persistent, low-volume connections to unfamiliar domains as routine web service behavior, malware may continue to operate undetected, collecting sensitive information or preparing for lateral movement across the network. Unlike ordinary web service misconfigurations, which generate noticeable errors or predictable internal patterns, malicious activity is designed to be stealthy and evasive. The external nature of the connections, combined with their persistence and targeting of new domains, is a strong indicator of intentional activity rather than random misbehavior.

Proper incident response requires thorough verification. Security teams should analyze network traffic to identify destination domains, check for patterns consistent with exfiltration or command-and-control communications, and correlate these findings with endpoint behavior and system logs. Forensic investigation may involve inspecting memory, processes, and network connections to determine whether these activities are part of a legitimate service or a malicious campaign.

While misconfigured web services can generate anomalies, low-volume persistent connections to newly registered external domains fall outside the scope of typical misconfiguration behavior. Assuming this activity is benign risks leaving malware operational and undetected, potentially enabling ongoing exfiltration, lateral movement, and network compromise. Accurate verification, careful monitoring, and timely mitigation are essential to distinguish between accidental misconfigurations and deliberate malicious activity, protecting organizational systems and sensitive data from persistent threats.

Option D assumes legitimate cloud service testing. Testing is predictable and uses known domains. Observed behavior is inconsistent with legitimate testing practices.

Selecting option B ensures containment, forensic analysis, and remediation of malware infrastructure while protecting sensitive data.
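The indicators listed in the DNS-tunneling explanation above and in the explanation for Question 89 (high-entropy, dynamically generated subdomains; newly registered domains; off-hours timing; low-volume but persistent requests) can be scored mechanically. The Python below is an example added for this page, not CompTIA material or any vendor's product; the log lines, the newly-registered list, the thresholds and the off-hours window are constructed assumptions, and the queried-name field can come equally from DNS query logs or from TLS SNI / proxy logs.

```python
"""Detection logic for the DNS-tunneling / DGA indicators discussed above
(high-entropy subdomain, newly registered domain, off-hours, persistence).
Example code added for this page, not from CompTIA or any vendor product."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "timestamp host queried-name"; not real telemetry.
SAMPLE_DNS_LOG = """\
2024-03-02T02:11:05 ws-17 k3j9x2v8q1m4z7.nr-example.test
2024-03-02T02:11:35 ws-17 p0q8w7e6r5t4y3.nr-example.test
2024-03-02T02:12:05 ws-17 a9s8d7f6g5h4j3.nr-example.test
2024-03-02T02:12:35 ws-17 z1x2c3v4b5n6m7.nr-example.test
2024-03-02T10:05:00 ws-04 www.example.com
2024-03-02T10:06:00 ws-04 update.example-av.test
2024-03-02T02:30:00 ws-09 mail.example.com
"""
# Assumption: stands in for a domain-age / threat-intel feed (constructed).
NEWLY_REGISTERED = {"nr-example.test"}
ENTROPY_THRESHOLD = 3.0   # bits per char; random-looking labels score higher
OFF_HOURS = range(0, 6)   # 00:00-05:59 local, assumed low-monitoring window
MIN_QUERIES = 3           # low-volume but persistent

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def registrable_domain(fqdn: str) -> str:
    # Crude eTLD+1 (last two labels); production code should use a public-suffix list.
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def score_query(ts: str, fqdn: str) -> list[str]:
    """Names of the indicators that fire for a single query."""
    hits = []
    if shannon_entropy(fqdn.split(".")[0]) >= ENTROPY_THRESHOLD:
        hits.append("high_entropy_subdomain")
    if registrable_domain(fqdn) in NEWLY_REGISTERED:
        hits.append("newly_registered_domain")
    if datetime.fromisoformat(ts).hour in OFF_HOURS:
        hits.append("off_hours")
    return hits

def find_tunneling_candidates(log_text: str) -> dict[str, dict]:
    """Group by host and domain; report runs that combine entropy and domain age
    and reach MIN_QUERIES, so one odd lookup alone does not alert."""
    runs = defaultdict(lambda: {"count": 0, "indicators": set()})
    for line in log_text.splitlines():
        ts, host, fqdn = line.split()
        hits = score_query(ts, fqdn)
        if {"high_entropy_subdomain", "newly_registered_domain"} <= set(hits):
            key = f"{host}->{registrable_domain(fqdn)}"
            runs[key]["count"] += 1
            runs[key]["indicators"].update(hits)
    return {k: v for k, v in runs.items() if v["count"] >= MIN_QUERIES}
```

On the constructed sample only ws-17 is reported: the known-vendor update domain and the off-hours mail lookup score low on entropy and are not newly registered, which is why the rule requires the indicators in combination.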

Question 90

A SOC analyst observes endpoints accessing rarely used network shares, reading portions of files, and attempting unauthorized writes outside business hours. Activity is detected across multiple systems simultaneously. What is the most likely threat, and what is the immediate response?

A) Normal backup activity; allow.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.

Answer: B)

Explanation:

Option A assumes backup activity. Backups are predictable, involve full file access, and use known accounts. Accessing portions of rarely used network shares with unauthorized writes across multiple systems off-hours is anomalous. Allowing this behavior risks lateral movement or reconnaissance by malware.

Option B is correct. Malware performing lateral movement typically probes network shares, attempts partial file access, and writes unauthorized changes to map resources or gain credentials. Immediate SOC response includes isolating affected endpoints to prevent further compromise, reviewing file access logs to determine which files were targeted, and performing endpoint analysis to identify malware or scripts responsible. Correlation with SIEM logs helps identify affected accounts and other impacted systems. Remediation includes cleaning infected endpoints, enforcing stricter access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures effective investigation, supports regulatory reporting, and enhances threat detection capabilities for similar future attacks.

Option C assumes misconfigured scheduled tasks. Misconfigurations usually affect a limited scope and are predictable. Observed activity across multiple systems is inconsistent with misconfiguration alone.

Option D assumes that unusual activity occurring during off-hours can be considered legitimate, implying that users may be accessing rarely used shares or performing writes outside normal working hours without malicious intent. While some legitimate operations, such as automated backups, system updates, or scheduled maintenance, do occur during off-hours, these activities are typically well-documented, predictable, and follow standard procedures. Legitimate user behavior rarely includes simultaneous access to seldom-used shares and attempts to write to resources for which the user does not have explicit permission. Off-hours activity targeting unusual resources is, therefore, a significant anomaly that warrants scrutiny.

Malware and unauthorized actors often take advantage of off-hours periods to perform reconnaissance, move laterally within the network, or exfiltrate data. The lack of active monitoring and oversight during nights, weekends, or holidays provides attackers with a window to operate undetected. Suspicious activity, such as accessing unused shares combined with unauthorized writes, is a strong indicator that an attacker is exploring the network for sensitive data or attempting to establish persistence. This behavior differs from legitimate operations, which typically involve known resources, follow scheduled scripts, and do not involve circumventing access controls or interacting with rarely accessed shares.

Assuming such off-hours activity is benign introduces substantial risk. Ignoring simultaneous access to uncommon resources and unauthorized write attempts could allow malware or attackers to remain within the network, escalating privileges, modifying or exfiltrating sensitive data, and potentially compromising additional systems. Early detection and investigation are critical to prevent further spread and limit the impact of the compromise. Security teams must establish baseline user behavior to distinguish between normal off-hours operations and anomalous activity. This involves monitoring access patterns, reviewing logs, and correlating unusual events with other indicators of compromise, such as unexpected network connections, cleared logs, or changes to system configurations.

A proactive response is essential. Investigating anomalies ensures that suspicious off-hours activity is either verified as legitimate or identified as malicious, allowing for containment, remediation, and prevention of future incidents. Treating off-hours anomalies as normal without verification undermines the organization’s security posture, potentially resulting in persistent compromise and data exposure. It also diminishes accountability and governance, as uninvestigated anomalies may mask ongoing unauthorized activity.

While legitimate off-hours activity exists, the simultaneous access to rarely used shares and attempts to write to unauthorized locations are highly unusual for normal users. Ignoring such activity based on the assumption of benign behavior risks continued compromise, lateral movement by attackers, and exposure of sensitive information. Careful analysis, behavioral baselines, and verification are critical to differentiating between legitimate operational activity and potential threats, ensuring timely detection and mitigation of security risks while maintaining organizational integrity and data protection.

Selecting option B ensures early detection, containment, and remediation of malware performing reconnaissance or lateral movement, safeguarding sensitive data and maintaining network integrity.
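The file-share indicators in the Question 90 explanation (several systems touching a rarely used share at the same time, partial reads, denied write attempts, off-hours timing) can be correlated from share audit logs against a baseline of normally used shares and documented service accounts. The Python below is an example added for this page, not CompTIA material or any SIEM product; the audit events, the field layout, the baseline and the thresholds are constructed assumptions.

```python
"""Correlation logic for the Question 90 indicators: multiple hosts hitting a
rarely used share off-hours with denied write attempts.
Example code added for this page, not from CompTIA or any SIEM vendor."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events: "timestamp host user share action result".
# Share names use forward slashes for readability (assumed layout).
SAMPLE_SHARE_AUDIT = """\
2024-03-03T01:02:10 ws-03 jdoe //fs1/legacy-hr read success
2024-03-03T01:02:14 ws-03 jdoe //fs1/legacy-hr write denied
2024-03-03T01:02:40 ws-11 msmith //fs1/legacy-hr read success
2024-03-03T01:02:44 ws-11 msmith //fs1/legacy-hr write denied
2024-03-03T01:03:05 ws-21 svc-web //fs1/legacy-hr read success
2024-03-03T01:03:09 ws-21 svc-web //fs1/legacy-hr write denied
2024-03-03T01:30:00 bkp-01 svc-backup //fs1/finance read success
2024-03-03T09:15:00 ws-03 jdoe //fs1/finance read success
"""
# Assumption: shares seen in routine business-hours use over a baseline period;
# anything absent counts as "rarely used". Service accounts run documented jobs.
BASELINE_SHARES = {"//fs1/finance", "//fs1/public"}
KNOWN_SERVICE_ACCOUNTS = {"svc-backup"}
OFF_HOURS = range(0, 6)          # 00:00-05:59 local
MIN_DISTINCT_HOSTS = 3           # "multiple systems simultaneously"
WINDOW_SECONDS = 300             # how close in time the hosts must act

def parse_event(line: str) -> dict:
    ts, host, user, share, action, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "share": share, "action": action, "result": result}

def find_lateral_movement_candidates(audit_text: str) -> list[dict]:
    """One finding per rarely used share touched off-hours by at least
    MIN_DISTINCT_HOSTS hosts within WINDOW_SECONDS, with a denied write."""
    by_share = defaultdict(list)
    for line in audit_text.splitlines():
        ev = parse_event(line)
        if ev["user"] in KNOWN_SERVICE_ACCOUNTS or ev["share"] in BASELINE_SHARES:
            continue                       # documented job or commonly used share
        if ev["ts"].hour not in OFF_HOURS:
            continue
        by_share[ev["share"]].append(ev)
    findings = []
    for share, evs in by_share.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()  # whole-run span
        hosts = {e["host"] for e in evs}
        denied = [e for e in evs if e["action"] == "write" and e["result"] == "denied"]
        if len(hosts) >= MIN_DISTINCT_HOSTS and span <= WINDOW_SECONDS and denied:
            findings.append({"share": share, "hosts": sorted(hosts),
                             "denied_writes": len(denied),
                             "first_seen": evs[0]["ts"].isoformat()})
    return findings
```

The backup account's off-hours read of a baseline share is deliberately not reported; the rule fires only on the combination the explanation describes, not on off-hours access alone.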