CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 12 Q166-180
Question 166
A SOC analyst notices endpoints attempting to send encrypted traffic to unknown external IPs outside business hours. The traffic is generated by undocumented scripts running with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine encrypted communications; allow traffic.
B) Malware performing covert data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured encryption policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine encrypted communications. Legitimate encrypted communications occur with known endpoints, use approved protocols, and follow documented schedules. Off-hours traffic to unknown external IPs originating from undocumented scripts indicates anomalous behavior. Allowing this could permit malware to exfiltrate sensitive data, maintain persistent access, or evade detection. Routine encrypted communication is predictable and auditable, unlike unexpected off-hours activity.
Option B is correct. Malware often uses encrypted channels to exfiltrate data while avoiding detection. Indicators include off-hours activity, connections to unknown external IPs, execution by undocumented scripts, and elevated privilege execution. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for analysis, and performing endpoint forensics to identify malicious scripts and potential exfiltrated data. Remediation includes cleaning endpoints, blocking malicious IPs, updating monitoring rules for unusual encrypted traffic, and auditing sensitive systems. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and improves threat intelligence. Ignoring this activity could lead to undetected exfiltration of sensitive information, prolonged malware persistence, and network compromise.
Option C assumes misconfigured encryption policies. Misconfigurations typically produce failed or error traffic, not repeated off-hours encrypted connections to unknown IPs. Treating this as benign risks persistent malware activity and data exfiltration.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts sending encrypted traffic to unknown IPs are inconsistent with legitimate testing. Misclassification risks data compromise, persistent malware activity, and evasion of detection.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining network security and data integrity.
Question 167
A SOC analyst observes Linux endpoints executing scripts that attempt to modify firewall rules to allow traffic to unknown external IPs. These scripts run during off-hours with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine firewall updates; allow activity.
B) Malware attempting to bypass security controls; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured firewall settings; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine firewall updates. Legitimate updates are scheduled, documented, and executed using signed scripts. Off-hours scripts modifying firewall rules to allow unknown traffic are anomalous. Allowing this could enable malware to bypass network security controls, establish persistence, and exfiltrate data undetected. Routine updates do not involve unknown external IPs or unsigned scripts.
Option B is correct. Malware frequently modifies firewall rules to evade detection and establish unauthorized access channels. Indicators include off-hours execution, elevated privileges, and communication with unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing network traffic for analysis, and analyzing scripts to identify malware behavior and potential C2 infrastructure. Remediation includes restoring proper firewall rules, cleaning endpoints, updating monitoring rules, and auditing all systems for similar activity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to maintain persistence, evade detection, and compromise network integrity.
Option C assumes misconfigured firewall settings. Misconfigurations generally result in failed or restricted access rather than deliberate off-hours modifications to allow unknown traffic. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts modifying firewall rules are inconsistent with legitimate testing. Misclassification could result in persistent malware activity, security evasion, and data compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining firewall integrity and network security.
Question 168
A SOC analyst detects Windows endpoints creating new scheduled tasks that execute unsigned scripts during off-hours. The scripts attempt to disable antivirus software. What is the most likely threat, and what should the SOC do first?
A) Routine maintenance; allow execution.
B) Malware establishing persistence and evading detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured scheduled tasks; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine maintenance. Legitimate scheduled tasks are scheduled, documented, and use signed scripts. Off-hours execution of unsigned scripts attempting to disable antivirus software is anomalous. Allowing this could enable malware to establish persistence, evade detection, and compromise endpoints. Routine maintenance does not involve unsigned scripts or attempts to disable security software.
Option B is correct. Malware often uses scheduled tasks to persist across reboots and evade detection. Indicators include off-hours execution, execution by unsigned scripts, attempts to disable antivirus software, and elevated privileges. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes removing malicious scheduled tasks, restoring antivirus functionality, cleaning endpoints, updating monitoring rules, and auditing similar systems for anomalies. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and potentially exfiltrate sensitive data.
Option C assumes misconfigured scheduled tasks. Misconfigurations usually produce errors or failed executions, not off-hours unauthorized script execution. Treating this as benign risks malware persistence.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts disabling antivirus software are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security.
Question 169
A SOC analyst observes Linux endpoints generating repeated low-volume HTTPS requests to dynamically generated domains during off-hours. The traffic originates from undocumented scripts. What is the most likely threat, and what should the SOC do first?
A) Routine telemetry; allow traffic.
B) Malware using dynamically generated domains for command-and-control; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured web services; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine telemetry. Legitimate telemetry originates from known endpoints, uses approved protocols, and follows a predictable schedule. Off-hours low-volume HTTPS requests to dynamically generated domains are anomalous. Allowing this could enable malware to maintain command-and-control channels and exfiltrate data undetected. Routine telemetry is auditable and predictable, unlike undocumented scripts.
Option B is correct. Malware frequently uses dynamically generated domains to communicate with command-and-control servers covertly. Indicators include off-hours activity, low-volume traffic, execution by undocumented scripts, and high-entropy domain names. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing endpoint forensics to identify malicious scripts and associated C2 infrastructure. Remediation includes cleaning endpoints, updating detection rules, and monitoring for similar anomalous behavior. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist and maintain covert communication channels, potentially exfiltrating sensitive data.
Option C assumes misconfigured web services. Misconfigurations generally produce predictable errors rather than off-hours high-entropy traffic from undocumented scripts. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts generating anomalous HTTPS traffic are inconsistent with legitimate testing. Misclassification could result in persistent malware and covert C2 activity.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting network and data integrity.
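The indicators listed for Question 169 (off-hours activity, low volume, many distinct high-entropy domain names) can be turned into a detection that runs over HTTPS connection records. The following is an added example, not part of the original question set or any vendor tool: the log layout (timestamp, host, TLS SNI, bytes), the allowlist of documented domains, the entropy threshold and the business-hours window are all constructed assumptions.

```python
"""Score per-host HTTPS destinations for the command-and-control pattern in
Question 169: several distinct, high-entropy, non-allowlisted domains contacted
in small, evenly spaced bursts outside business hours.
Added example; log layout, allowlist and thresholds are constructed assumptions."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log: <iso timestamp> <host> <TLS SNI> <bytes>
SAMPLE_HTTPS = """\
2024-05-14T09:12:01 ws-04 updates.example.com 48211
2024-05-14T09:12:05 ws-04 cdn.example.net 120030
2024-05-14T01:05:13 ws-09 xk3q9vz0tplf.net 612
2024-05-14T01:15:13 ws-09 q7mw2zr8hjcd.com 598
2024-05-14T01:25:14 ws-09 bz8t1kpyw4ln.org 604
2024-05-14T01:35:12 ws-09 y2n6dqv9xraf.net 611
2024-05-14T01:45:15 ws-09 mail.example.com 1304
2024-05-14T02:00:10 ws-11 intranet.example.com 2200
"""

KNOWN_DOMAINS = {"example.com", "example.net"}  # assumed allowlist of documented domains
ENTROPY_THRESHOLD = 3.2      # assumed: bits per character of the registrable label
LOW_VOLUME_BYTES = 2048      # assumed: beacon-sized transfers
MIN_SUSPECT_DOMAINS = 3      # assumed: distinct suspect domains before a host is reported
BUSINESS_HOURS = (8, 18)     # assumed local business window, 08:00-18:00


def shannon_entropy(text):
    """Shannon entropy in bits per character; algorithmically generated labels
    tend to use many distinct characters and score higher than dictionary words."""
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(fqdn):
    """Naive second-level label + TLD (production code would consult the public suffix list)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def suspicious_hosts(log_text):
    """Return {host: finding} for hosts that meet all indicators together.
    Entropy alone is a weak signal (long legitimate brand names score high too),
    so a host is only reported when several high-entropy domains are contacted
    off-hours with beacon-sized transfers."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, sni, nbytes = line.split()
        per_host[host].append((datetime.fromisoformat(ts), sni, int(nbytes)))

    findings = {}
    for host, events in per_host.items():
        suspect, suspect_times = {}, []
        for ts, sni, nbytes in events:
            reg = registrable(sni)
            if reg in KNOWN_DOMAINS:
                continue
            ent = shannon_entropy(reg.split(".")[0])
            if ent >= ENTROPY_THRESHOLD and is_off_hours(ts) and nbytes < LOW_VOLUME_BYTES:
                suspect[reg] = round(ent, 2)
                suspect_times.append(ts)
        if len(suspect) < MIN_SUSPECT_DOMAINS:
            continue
        # Regular spacing between suspect connections is the beaconing signature.
        suspect_times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(suspect_times, suspect_times[1:])]
        findings[host] = {
            "domains": sorted(suspect),
            "mean_entropy": round(sum(suspect.values()) / len(suspect), 2),
            "median_interval_s": statistics.median(gaps) if gaps else None,
        }
    return findings


if __name__ == "__main__":
    for host, finding in suspicious_hosts(SAMPLE_HTTPS).items():
        print(host, finding)
```

Only ws-09 is reported: its four unknown domains score well above the threshold, every request is small and off-hours, and the median gap of 600 seconds between them is the kind of fixed beacon interval an analyst would then look for in the captured traffic. The allowlisted example.com traffic on the other hosts, including the off-hours intranet request, is not escalated.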
Question 170
A SOC analyst detects multiple endpoints attempting to access sensitive internal file shares with unauthorized credentials during off-hours. Unknown scripts execute these attempts across several systems. What is the most likely threat, and what should the SOC do first?
A) Routine backup activity; allow access.
B) Malware performing lateral movement and reconnaissance; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured file permissions; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine backup activity. Legitimate backups use authorized accounts, follow scheduled intervals, and target known paths. Off-hours unauthorized access attempts from unknown scripts across multiple systems indicate anomalous activity. Allowing this could permit malware to enumerate resources, perform lateral movement, and exfiltrate sensitive data. Routine backups are auditable and predictable, unlike undocumented scripts.
Option B is correct. Malware often probes internal file shares for reconnaissance, lateral movement, or exfiltration purposes. Indicators include off-hours activity, unauthorized credentials, multi-system targeting, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, reviewing file access logs, and performing endpoint forensics to identify malicious processes. Remediation includes cleaning endpoints, restoring file permissions, updating monitoring rules, and auditing access across the network. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to map internal resources, move laterally, and compromise sensitive data.
Option C assumes misconfigured file permissions. Misconfigurations typically cause predictable errors or limited access issues and do not explain repeated off-hours unauthorized attempts. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized access by unknown scripts is inconsistent with legitimate testing. Misclassification risks persistent malware activity, data compromise, and lateral movement.
Selecting option B ensures containment, forensic analysis, and remediation while maintaining file share integrity.
Question 171
A SOC analyst notices Windows endpoints executing unsigned scripts that attempt to disable security logging and create hidden scheduled tasks during off-hours. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow execution.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured logging policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance is scheduled, uses signed scripts, and follows documented procedures. Off-hours execution of unsigned scripts, disabling security logging, and creating hidden scheduled tasks indicate anomalous behavior. Allowing this could enable malware to evade detection, persist on endpoints, and compromise sensitive systems. Routine maintenance is predictable and auditable, unlike unauthorized scripts.
Option B is correct. Malware frequently disables logging and creates hidden scheduled tasks to maintain persistence and evade security monitoring. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and attempts to conceal activity. Immediate SOC response involves isolating affected endpoints to prevent lateral movement or further compromise, capturing memory and system logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes restoring logging policies, removing malicious scheduled tasks, cleaning endpoints, updating monitoring rules, and auditing similar systems for anomalies. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and potentially exfiltrate sensitive information.
Option C assumes misconfigured logging policies. Misconfigurations typically produce errors or alerts, but do not explain off-hours, unsigned scripts disabling security logging. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of unsigned scripts, disabling logging, is inconsistent with legitimate testing. Misclassification risks persistent malware activity and evasion.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security.
Question 172
A SOC analyst detects Linux endpoints executing scripts that attempt to connect to external IPs on non-standard ports during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system monitoring; allow traffic.
B) Malware establishing covert communication channels; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured network services; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine system monitoring. Legitimate monitoring uses known endpoints, approved ports, and follows documented schedules. Off-hours external connections on non-standard ports initiated by undocumented scripts indicate anomalous behavior. Allowing this could enable malware to maintain covert communication, exfiltrate data, or persist undetected. Routine monitoring does not involve unknown ports or undocumented scripts.
Option B is correct. Malware often uses non-standard ports to evade detection and maintain covert channels for command-and-control or data exfiltration. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and connections to unknown external IPs. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing endpoint forensics to identify malware behavior and communication methods. Remediation includes cleaning endpoints, blocking malicious IPs, updating monitoring rules, and auditing network connections for anomalies. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise sensitive systems.
Option C assumes misconfigured network services. Misconfigurations usually generate predictable errors or failed connections and do not explain off-hours activity on non-standard ports. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts connecting to external IPs on unusual ports are inconsistent with legitimate testing. Misclassification risks covert malware communication and potential exfiltration.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining network integrity and endpoint security.
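Questions 166 and 172 describe the same triage decision from two angles: encrypted traffic to unknown external IPs, and connections on non-standard ports, both from undocumented scripts running with elevated privileges outside business hours. The following added example (not from the question set or any product) scores each connection against exactly those indicators over a constructed telemetry layout; the allowlists, internal ranges, approved program list and business-hours window are assumptions.

```python
"""Triage outbound connections for the covert-channel indicators in Questions 166
and 172. Added example: the telemetry layout, allowlists and thresholds are
constructed assumptions, not any real product's schema."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, one connection per line:
# <iso timestamp> <host> <user> <program> <dest ip> <dest port> <bytes out>
SAMPLE_CONNECTIONS = r"""
2024-05-14T10:15:02 ws-17 alice /usr/bin/curl 203.0.113.10 443 1820
2024-05-14T02:41:09 ws-17 root /tmp/.sync.sh 198.51.100.77 443 5242880
2024-05-14T02:43:12 ws-17 root /tmp/.sync.sh 198.51.100.77 8443 4718592
2024-05-14T23:55:40 srv-db root /usr/lib/backup/agent 10.20.0.5 22 9000000
2024-05-14T03:10:00 ws-22 SYSTEM C:\Windows\Temp\upd.ps1 192.0.2.33 4444 65536
2024-05-14T14:02:11 ws-22 bob C:\Tools\browser.exe 203.0.113.10 443 3200
""".strip()

BUSINESS_HOURS = (8, 18)                       # assumed local business window
KNOWN_DESTINATIONS = {"203.0.113.10"}          # assumed allowlist of documented external endpoints
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_PROGRAMS = {"/usr/bin/curl", "/usr/lib/backup/agent", r"C:\Tools\browser.exe"}
STANDARD_PORTS = {80, 443}                     # assumed: the only ports documented for egress
ELEVATED_USERS = {"root", "SYSTEM"}


def parse(line):
    ts, host, user, program, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "program": program, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def indicators(event):
    """Name every indicator from the question text that the event exhibits."""
    hits = []
    if is_off_hours(event["ts"]):
        hits.append("off_hours")
    if is_external(event["dst"]) and event["dst"] not in KNOWN_DESTINATIONS:
        hits.append("unknown_external_dst")
    if event["port"] not in STANDARD_PORTS:
        hits.append("non_standard_port")
    if event["program"] not in APPROVED_PROGRAMS:
        hits.append("undocumented_program")
    if event["user"] in ELEVATED_USERS:
        hits.append("elevated_privileges")
    return hits


def triage(log_text, min_indicators=3):
    """Return {host: [event, ...]} for events that reach an unknown external
    destination and carry at least `min_indicators` indicators in total.
    Requiring the external destination keeps an approved backup agent talking
    to an internal server at night (off-hours, root, port 22) out of the queue."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        hits = indicators(event)
        if "unknown_external_dst" in hits and len(hits) >= min_indicators:
            event["indicators"] = hits
            flagged[event["host"]].append(event)
    return dict(flagged)


def summarize(flagged):
    """Per-host view an analyst needs before isolating: volume out and where it went."""
    return {
        host: {
            "events": len(events),
            "bytes_out": sum(e["bytes"] for e in events),
            "destinations": sorted({f'{e["dst"]}:{e["port"]}' for e in events}),
            "programs": sorted({e["program"] for e in events}),
        }
        for host, events in flagged.items()
    }


if __name__ == "__main__":
    for host, summary in summarize(triage(SAMPLE_CONNECTIONS)).items():
        print(host, summary)
```

Two hosts come out of the queue: ws-17, where an unsigned script in /tmp pushed almost 10 MB to one unknown address on both 443 and 8443, and ws-22, where a script under the Windows temp directory connected as SYSTEM to an unknown address on port 4444. The curl and browser traffic to the documented endpoint, and the backup agent's internal transfer, are not escalated even though some of them match one or two indicators in isolation.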
Question 173
A SOC analyst notices endpoints executing scripts that attempt to access sensitive cloud storage accounts using unauthorized credentials during off-hours. The scripts run across multiple systems. What is the most likely threat, and what should the SOC do first?
A) Routine cloud maintenance; allow access.
B) Malware or insider attempting credential theft; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured cloud authentication; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine cloud maintenance. Legitimate maintenance uses approved credentials, scheduled procedures, and follows documented processes. Off-hours access attempts with unauthorized credentials across multiple systems are anomalous. Allowing this could enable malware or malicious insiders to harvest credentials, move laterally, and exfiltrate data. Routine maintenance is auditable and predictable, unlike undocumented scripts.
Option B is correct. Malware or malicious insiders often target cloud accounts for credential harvesting and unauthorized access. Indicators include off-hours activity, repeated access attempts, execution by undocumented scripts, and targeting of multiple accounts. Immediate SOC response involves isolating affected endpoints, reviewing authentication logs, and performing endpoint forensics to identify malicious processes. Remediation includes cleaning endpoints, resetting impacted accounts, enforcing multi-factor authentication, updating monitoring rules, and auditing cloud access policies. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity risks credential compromise, data exfiltration, and potential regulatory violations.
Option C assumes misconfigured authentication. Misconfigurations usually impact specific accounts or generate predictable errors, not repeated multi-system off-hours attempts. Treating this as benign risks persistent unauthorized access.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours access attempts by undocumented scripts are inconsistent with legitimate testing. Misclassification risks persistent malware activity, credential theft, and data compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting cloud account integrity.
Question 174
A SOC analyst detects Windows endpoints executing off-hours scripts attempting to modify system services and disable security tools. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative updates; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured system services; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative updates. Legitimate updates are scheduled, documented, and use signed tools. Off-hours, unsigned scripts modifying system services and disabling security tools indicate anomalous activity. Allowing this could permit malware to maintain persistence, evade detection, and compromise endpoints. Routine updates are predictable and auditable.
Option B is correct. Malware frequently modifies system services and disables security tools to persist undetected. Indicators include off-hours execution, unsigned scripts, elevated privileges, and attempts to evade monitoring. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes restoring system services, cleaning endpoints, restoring security tools, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional systems.
Option C assumes misconfigured system services. Misconfigurations typically produce predictable errors or failures and do not explain off-hours, unsigned scripts targeting security controls. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts modifying system services and disabling security tools are inconsistent with legitimate testing. Misclassification risks malware persistence and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and system security.
Question 175
A SOC analyst observes Linux endpoints executing off-hours scripts that attempt to install unsigned software and create unauthorized cron jobs. The scripts run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine software updates; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured cron jobs; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine software updates. Legitimate updates use signed packages, approved repositories, and documented procedures. Off-hours, unsigned software installation and unauthorized cron jobs are anomalous. Allowing this could enable malware to persist, evade detection, and compromise endpoints. Routine updates are predictable and auditable.
Option B is correct. Malware often uses cron jobs and unsigned software to maintain persistence and evade detection. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and installation of unsigned packages. Immediate SOC response involves isolating endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior, persistence mechanisms, and potential exfiltration paths. Remediation includes removing unauthorized cron jobs, cleaning endpoints, enforcing signed software policies, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional systems.
Option C assumes misconfigured cron jobs. Misconfigurations generally produce errors or failed executions, not off-hours, unsigned scripts creating jobs. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of unauthorized cron jobs and unsigned software installation is inconsistent with legitimate testing. Misclassification risks persistent malware, evasion, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and system integrity.
Question 176
A SOC analyst detects Windows endpoints executing unsigned scripts that attempt to access sensitive network shares using unauthorized credentials during off-hours. What is the most likely threat, and what should the SOC do first?
A) Routine backup activity; allow access.
B) Malware performing lateral movement and credential theft; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured network permissions; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine backup activity. Legitimate backups are scheduled, use authorized credentials, and target known shares. Off-hours unauthorized access attempts by unsigned scripts indicate anomalous activity. Allowing this could enable malware to move laterally, steal credentials, or exfiltrate sensitive data. Routine backup activity is auditable and predictable, unlike unauthorized scripts.
Option B is correct. Malware often attempts lateral movement by accessing network shares with stolen or unauthorized credentials. Indicators include off-hours activity, execution by unsigned scripts, repeated attempts on sensitive shares, and targeting multiple systems. Immediate SOC response involves isolating affected endpoints, reviewing network access logs, and performing endpoint forensics to identify the responsible processes. Remediation includes cleaning endpoints, restoring proper permissions, resetting compromised credentials, updating monitoring rules, and auditing all network shares. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to propagate, compromise sensitive data, and maintain persistence across the network.
Option C assumes misconfigured network permissions. Misconfigurations typically result in limited access failures and predictable errors, not off-hours execution of unauthorized scripts targeting multiple sensitive shares. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized access attempts by unknown scripts are inconsistent with legitimate testing. Misclassification risks persistent malware, credential theft, and lateral movement.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting network integrity and sensitive information.
Question 177
A SOC analyst observes Linux endpoints executing scripts that attempt repeated failed SSH login attempts to multiple internal servers during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine SSH administration; allow activity.
B) Malware attempting lateral movement and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SSH policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine SSH administration. Legitimate SSH connections are scheduled, documented, and executed by authorized accounts. Off-hours repeated failed login attempts across multiple servers from undocumented scripts indicate anomalous behavior. Allowing this could enable malware to perform lateral movement, escalate privileges, and compromise sensitive systems. Routine SSH administration does not involve off-hours multi-server login failures via unknown scripts.
Option B is correct. Malware often attempts to move laterally and escalate privileges by brute-forcing SSH credentials. Indicators include off-hours activity, repeated failed logins, execution by undocumented scripts, and targeting multiple endpoints. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and intended targets. Remediation includes cleaning endpoints, enforcing strong password policies, updating monitoring rules, and auditing accounts across servers. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and enhances threat intelligence. Ignoring this activity could allow malware to gain elevated access, move laterally, and compromise additional systems.
Option C assumes misconfigured SSH policies. Misconfigurations usually result in predictable failures affecting limited accounts and do not explain off-hours multi-server login attempts. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts attempting multiple SSH logins are inconsistent with legitimate testing. Misclassification risks lateral movement, privilege escalation, and potential data compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining system security and network integrity.
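The distinguishing feature in Question 177 is not any single failed login but the fan-out: one source producing repeated failures against several internal servers, off-hours, and possibly followed by a success. The following added example (not from the question set) parses sshd lines in the standard Linux auth.log format, aggregated from several servers, and reports sources that meet those conditions. The log lines are constructed; the thresholds and the business-hours window are assumptions.

```python
"""Detect SSH credential brute forcing across multiple internal servers, the
lateral-movement pattern in Question 177. Added example; the log lines are
constructed and the thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed auth.log lines, already centralised from three servers.
SAMPLE_AUTH_LOG = """\
May 14 02:13:01 srv-app1 sshd[2231]: Failed password for invalid user admin from 10.20.5.41 port 51022 ssh2
May 14 02:13:03 srv-app1 sshd[2233]: Failed password for root from 10.20.5.41 port 51024 ssh2
May 14 02:13:05 srv-db1 sshd[9812]: Failed password for invalid user admin from 10.20.5.41 port 51030 ssh2
May 14 02:13:07 srv-db1 sshd[9814]: Failed password for root from 10.20.5.41 port 51032 ssh2
May 14 02:13:09 srv-web2 sshd[4410]: Failed password for invalid user oracle from 10.20.5.41 port 51040 ssh2
May 14 02:13:12 srv-web2 sshd[4412]: Accepted password for deploy from 10.20.5.41 port 51044 ssh2
May 14 10:05:44 srv-app1 sshd[2650]: Failed password for alice from 10.20.7.12 port 40211 ssh2
May 14 10:05:52 srv-app1 sshd[2652]: Accepted publickey for alice from 10.20.7.12 port 40213 ssh2
"""

BUSINESS_HOURS = (8, 18)  # assumed local business window

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d (?P<server>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def is_off_hours(hour):
    start, end = BUSINESS_HOURS
    return not (start <= hour < end)


def detect_ssh_spray(log_text, min_failures=4, min_targets=2):
    """Return {source_ip: finding} for sources with at least `min_failures`
    failed logins spread over at least `min_targets` servers. A success from the
    same source after its failures is recorded separately, because it changes
    the response from 'block the source' to 'that account is now compromised'."""
    by_src = defaultdict(lambda: {"failed": 0, "off_hours_failures": 0, "targets": set(),
                                  "users": set(), "succeeded_after": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = by_src[m["src"]]
        if m["result"] == "Failed":
            rec["failed"] += 1
            rec["targets"].add(m["server"])
            rec["users"].add(m["user"])
            if is_off_hours(int(m["hour"])):
                rec["off_hours_failures"] += 1
        elif rec["failed"] > 0:
            rec["succeeded_after"].append(f'{m["user"]}@{m["server"]}')

    findings = {}
    for src, rec in by_src.items():
        if rec["failed"] >= min_failures and len(rec["targets"]) >= min_targets:
            findings[src] = {
                "failed": rec["failed"],
                "off_hours_failures": rec["off_hours_failures"],
                "targets": sorted(rec["targets"]),
                "users": sorted(rec["users"]),
                "succeeded_after": rec["succeeded_after"],
                "priority": "critical" if rec["succeeded_after"] else "high",
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_ssh_spray(SAMPLE_AUTH_LOG).items():
        print(src, finding)
```

Only 10.20.5.41 is reported: five off-hours failures against three servers with the generic admin, root and oracle accounts, then an accepted password for deploy on srv-web2. That last line is what raises the priority to critical, since the response now includes resetting the deploy account and examining srv-web2, not just isolating the source endpoint. Alice's single typo followed by a key-based login during business hours stays below the threshold.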
Question 178
A SOC analyst detects Windows endpoints executing off-hours scripts that attempt to create unauthorized administrative accounts and modify local group memberships. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative tasks; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Active Directory policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative tasks. Legitimate administrative changes are scheduled, documented, use signed tools, and follow change management procedures. Off-hours creation of unauthorized accounts and modification of group memberships via unsigned scripts indicates anomalous activity. Allowing this could enable malware to escalate privileges, maintain persistence, and compromise additional systems. Routine administrative tasks are auditable and predictable.
Option B is correct. Malware frequently creates unauthorized administrative accounts and modifies group memberships to maintain control and escalate privileges. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and undocumented changes. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior. Remediation includes removing unauthorized accounts, restoring group memberships, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to maintain elevated access, evade detection, and compromise additional systems.
Option C assumes that unusual activity involving off-hours creation of administrative accounts by unsigned scripts can be attributed to misconfigured Active Directory (AD) policies. While AD misconfigurations are common in enterprise environments—such as improperly applied group policies, incorrect delegation of permissions, or misconfigured account restrictions—these misconfigurations typically generate limited and predictable errors. For example, a misapplied policy might prevent a single user from accessing a resource, trigger an error for a specific group, or generate an alert in event logs. The scope of such misconfigurations is generally narrow, and they affect known accounts or well-defined organizational units.
In contrast, the off-hours execution of unsigned scripts that create administrative accounts is highly inconsistent with typical AD misconfigurations. Misconfigurations do not result in scripts running autonomously to create privileged accounts outside of scheduled administrative processes. This behavior suggests deliberate and potentially malicious actions, as it provides a pathway for attackers to gain persistent elevated access within the network. Unsigned scripts bypass normal administrative controls and auditing mechanisms, enabling attackers to operate stealthily without immediate detection. Such activity is characteristic of malware or insider threats aiming to establish long-term persistence and escalate privileges.
Treating this activity as benign due to an assumption of AD misconfiguration introduces significant risks. If security teams dismiss off-hours creation of administrative accounts by unsigned scripts as a configuration error, persistent malware could maintain access, compromise additional accounts, and expand its control over the network. This not only increases the potential for data exfiltration or modification but also undermines the integrity of critical systems and Active Directory itself. The creation of unauthorized administrative accounts can facilitate lateral movement, privilege escalation, and the deployment of additional malicious tools, all while remaining largely invisible to routine monitoring if auditing is bypassed or logs are tampered with.
Proper response requires careful verification and investigation. Security teams must analyze AD logs, validate account creation events, and trace the origin of the scripts responsible for these actions. Endpoint and process forensics can help determine whether the scripts are legitimate administrative tools or malicious tooling attempting to evade detection. Correlating off-hours activity with other indicators of compromise, such as unusual network connections or cleared logs, is essential to accurately assess risk.
While misconfigured AD policies can produce errors, they do not account for unsigned scripts creating administrative accounts during off-hours. This activity strongly suggests malicious intent, and treating it as benign risks persistent malware, privilege escalation, and compromise of the enterprise environment. Verification and timely remediation are essential to protect network integrity and maintain secure access controls.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts creating admin accounts are inconsistent with legitimate testing. Misclassification risks malware persistence, privilege escalation, and system compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and network security.
Question 179
A SOC analyst observes Linux endpoints executing scripts that attempt to disable system auditing and security controls during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow activity.
B) Malware attempting evasion and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured audit policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance is scheduled, uses approved scripts, and is documented. Disabling system auditing and security controls during off-hours via undocumented scripts is anomalous. Allowing this could enable malware to evade detection, persist on endpoints, and compromise systems. Routine maintenance does not involve unsigned scripts bypassing security controls.
Option B is correct. Malware often disables auditing and security controls to maintain persistence and avoid detection. Indicators include off-hours activity, elevated privileges, execution by undocumented scripts, and attempts to bypass security controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to understand malware behavior and persistence mechanisms. Remediation includes restoring audit policies and security controls, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to persist, evade detection, and potentially exfiltrate data.
Option C assumes that unusual off-hours activity, such as scripts executing to disable auditing and security controls, is caused by misconfigured audit policies. Audit policy misconfigurations are relatively common in enterprise environments and can include issues such as incomplete logging, improperly applied policies, or incorrect permissions that prevent certain events from being recorded. These misconfigurations generally produce predictable and localized results, such as missing logs for specific accounts or systems, failed audit events, or alerts indicating errors in policy application. The effects are typically static, traceable, and limited to the affected system or audit category. Misconfigurations do not normally explain active, off-hours execution of scripts that modify system configurations, disable security controls, or suppress logging. Such activity is deliberate and operationally significant, far beyond what would be expected from a benign configuration error.
Scripts that actively disable auditing and security controls, particularly when executed during off-hours, indicate behavior consistent with malicious intent. Malware and sophisticated attackers often use these techniques to establish persistence while evading detection. Disabling auditing prevents the generation of security logs that would normally alert administrators to anomalous activity, allowing malicious actors to operate under the radar. Disabling security controls further reduces the likelihood of detection, giving malware the ability to execute additional payloads, modify configurations, or prepare the environment for further compromise. Treating these events as benign due to an assumption of misconfigured audit policies risks leaving persistent threats operational, allowing attackers to remain in the network without triggering conventional alerts.
Option D assumes that off-hours execution of scripts that disable auditing and security controls is a result of legitimate user testing. In enterprise IT operations, testing is a scheduled, documented, and controlled process. Legitimate tests follow approved procedures, involve known accounts or endpoints, and are predictable in their timing and execution. Testing rarely requires or justifies bypassing security controls or interfering with logging, because doing so would compromise operational integrity and the reliability of results. Off-hours execution of undocumented scripts that modify security or auditing settings is inconsistent with standard testing practices. Such activity represents a significant deviation from controlled procedures, suggesting the presence of unauthorized or malicious processes rather than benign testing.
Misclassifying this activity as legitimate testing introduces substantial risk. Persistent malware often operates during off-hours to minimize detection and avoid interfering with day-to-day operations. Scripts that disable auditing and security controls create a window of opportunity for attackers to maintain persistence, escalate privileges, and conduct lateral movement across systems without generating alerts. Data exfiltration, credential harvesting, and unauthorized system modifications can occur under these conditions, amplifying the potential impact of compromise. By assuming this activity is benign, organizations may inadvertently allow malware to continue operating undetected, increasing the difficulty of remediation and recovery.
Proper response requires careful verification and correlation with operational schedules and documented procedures. Security teams should examine logs, system changes, and script execution details to identify the origin and intent of off-hours activity. Behavioral analysis and anomaly detection can highlight deviations from normal operations, such as unauthorized modifications to auditing policies or security settings. Endpoint and process forensic investigations may also reveal the presence of obfuscated or malicious scripts responsible for disabling controls. Network monitoring and log integrity verification are additional tools to ensure that unauthorized actions are detected and mitigated.
While misconfigured audit policies or legitimate testing may explain isolated anomalies, neither scenario accounts for off-hours execution of scripts that disable auditing and security controls. Such activity is highly inconsistent with benign misconfiguration or controlled testing and is strongly indicative of malicious intent. Misclassification risks persistent malware activity, evasion of detection, and potential data compromise. Accurate verification, monitoring, and timely remediation are essential to ensure that unauthorized scripts are identified and neutralized. Maintaining the integrity of auditing and security controls is critical to preserving visibility into system activity, detecting unauthorized access, and preventing attackers from maintaining persistence. By distinguishing between routine operational errors and deliberate malicious behavior, organizations can reduce risk, protect sensitive data, and maintain the security and resilience of their network environments.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and network security.
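The behavioral detection the explanation calls for, as an added example that is not part of the original question set: it scans normalised Linux process-execution events for commands that disable auditing or security controls and rates each hit by whether it ran as root outside business hours. The line format, the tampering patterns, the 08:00-18:00 window and the sample events are all constructed for this example.

```python
import re
from datetime import datetime

BUSINESS_START, BUSINESS_END = 8, 18  # local business hours, [start, end)

# Commands that weaken auditing or security controls. Constructed, non-exhaustive
# list for this example; tune it to the environment's baseline.
TAMPER_PATTERNS = [
    ("audit-disabled", re.compile(r"\bauditctl\s+-e\s*0\b")),
    ("auditd-stopped", re.compile(r"\bsystemctl\s+(stop|disable|mask)\s+auditd\b")),
    ("selinux-permissive", re.compile(r"\bsetenforce\s+0\b")),
    ("audit-log-removed", re.compile(r"\brm\b.*/var/log/audit/")),
]
# Normalised execution events: "<iso-timestamp> <host> uid=<n> user=<name> cmd=<argv>"
LINE_RE = re.compile(r"^(\S+) (\S+) uid=(\d+) user=(\S+) cmd=(.*)$")

# Constructed sample events (not real logs): a root-run script from /tmp turns
# off auditd at 02:17 on a Monday; the last two events are benign daytime activity.
SAMPLE_LINES = [
    "2024-03-11T02:17:44 web01 uid=0 user=root cmd=/bin/sh /tmp/.x/run.sh",
    "2024-03-11T02:17:45 web01 uid=0 user=root cmd=auditctl -e 0",
    "2024-03-11T02:17:46 web01 uid=0 user=root cmd=systemctl stop auditd",
    "2024-03-11T10:05:12 web02 uid=0 user=root cmd=systemctl restart auditd",
    "2024-03-11T14:30:00 db01 uid=1001 user=alice cmd=ls -la /var/log/audit",
]

def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the [BUSINESS_START, BUSINESS_END) window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def parse_event(line: str):
    """Parse one normalised line; return None for malformed input instead of raising."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, uid, user, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "uid": int(uid), "user": user, "cmd": cmd}

def detect_control_tampering(lines):
    """One alert per matching event; 'high' when run as root off-hours, else 'medium'."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for indicator, pattern in TAMPER_PATTERNS:
            if pattern.search(ev["cmd"]):
                off_hours, privileged = is_off_hours(ev["ts"]), ev["uid"] == 0
                alerts.append({
                    "host": ev["host"], "user": ev["user"], "indicator": indicator,
                    "cmd": ev["cmd"], "off_hours": off_hours, "privileged": privileged,
                    "severity": "high" if off_hours and privileged else "medium",
                })
                break  # one alert per event even if several patterns match
    return alerts
```

The two high-severity alerts on web01 are the trigger for the option B actions (isolate the host, capture memory, pull /tmp/.x/run.sh for analysis); a daytime `auditctl -e 0` still surfaces as medium so an analyst can check it against the change calendar.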
Question 180
A SOC analyst detects endpoints executing off-hours scripts that attempt to access sensitive cloud storage using unauthorized credentials across multiple systems. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine cloud maintenance; allow access.
B) Malware or insider attempting credential harvesting; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured cloud permissions; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine cloud maintenance. Legitimate maintenance is scheduled, uses authorized credentials, and targets known resources. Off-hours access attempts using unauthorized credentials across multiple systems from undocumented scripts are anomalous. Allowing this could enable malware or an insider to harvest credentials, exfiltrate sensitive data, and compromise cloud infrastructure. Routine maintenance is auditable and predictable.
Option B is correct. Malware or malicious insiders often attempt to access cloud storage to harvest credentials and perform unauthorized actions. Indicators include off-hours activity, repeated access attempts, execution by undocumented scripts, targeting multiple accounts, and elevated privileges. Immediate SOC response involves isolating affected endpoints to prevent further compromise, reviewing authentication and access logs, and performing endpoint forensics to identify responsible processes. Remediation includes cleaning endpoints, resetting impacted credentials, enforcing multi-factor authentication, updating monitoring rules, and auditing all cloud access policies. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity risks persistent credential compromise, unauthorized access, and data exfiltration.
Option C assumes misconfigured cloud permissions. Misconfigurations typically affect specific accounts and produce predictable errors, not off-hours multi-system access attempts by unknown scripts. Treating this as benign risks persistent unauthorized activity.
Option D assumes that unusual off-hours activity in cloud environments, such as repeated access attempts from undocumented scripts, can be attributed to legitimate user testing. In enterprise cloud operations, testing is indeed a standard practice. However, legitimate testing is typically carefully scheduled, formally documented, and executed in controlled environments. This ensures that all participants are aware of the testing, its timing, and its scope, allowing administrators to monitor and validate its effects while preventing unintended disruption to production services. Testing tasks usually involve known endpoints, approved user accounts, and pre-authorized scripts or tools. Predictability, transparency, and control are hallmarks of legitimate testing activity.
The scenario described—off-hours access attempts to cloud resources from undocumented scripts—is inconsistent with the characteristics of legitimate testing. Unauthorized scripts executing outside of scheduled hours suggest activity outside of organizational procedures and oversight. These scripts are not documented, meaning there is no record of approval or validation, and their behavior is not predictable or controlled. In addition, repeated access attempts, particularly when they are off-hours, may indicate attempts to bypass monitoring systems, test account permissions, or probe cloud resources for exploitable configurations. Such behavior is highly suspicious and diverges from the standard expectations of testing, where tasks are carefully scoped, logged, and executed in accordance with internal policies and schedules.
Misclassifying this activity as legitimate testing carries significant risks. Persistent malware or unauthorized users can leverage off-hours access to maintain a foothold in cloud environments without raising immediate alerts. Unauthorized scripts may attempt to collect or exfiltrate credentials, enabling attackers to escalate privileges, pivot to other cloud resources, or access sensitive data. By blending in with normal operations, malware can evade detection while performing reconnaissance, gathering account information, or preparing for further compromise. Repeated attempts to access cloud services also suggest the potential use of automated scripts for brute-force attacks, session hijacking, or exploitation of misconfigured permissions.
Credential theft in cloud environments can have severe consequences. Cloud accounts often have elevated privileges or access to critical infrastructure, sensitive customer information, or business-critical applications. Unauthorized access resulting from misclassified activity could allow attackers to deploy additional malicious scripts, manipulate configurations, disrupt services, or exfiltrate confidential information. Off-hours activity reduces the likelihood of immediate detection, increasing the window of opportunity for attackers to establish persistence and expand their reach across cloud resources. This creates the potential for long-term compromise and a broader impact on the organization’s operational and security posture.
Proper response requires verification, monitoring, and correlation of anomalous activity with documented testing procedures. Security teams must examine logs of cloud account activity, network traffic, and API calls to determine whether the access attempts align with approved operational or testing schedules. Behavioral analysis can help distinguish legitimate activity from suspicious patterns, such as repeated failed login attempts, access to rarely used resources, or use of undocumented scripts. Forensic analysis of endpoints or cloud instances generating these requests can also help determine whether malware is present or whether scripts are acting maliciously. Integrating alerting mechanisms, anomaly detection, and identity access monitoring further supports accurate identification of unauthorized activity in cloud environments.
While user testing is a legitimate and necessary activity, off-hours access attempts from undocumented scripts targeting cloud resources are highly inconsistent with normal testing procedures. Legitimate testing is scheduled, documented, and predictable, whereas unauthorized scripts operating during off-hours suggest deliberate, malicious activity. Misclassification of this behavior as benign can allow persistent malware to operate undetected, steal credentials, escalate privileges, and compromise cloud resources. Effective detection, verification, and remediation are essential to prevent unauthorized access, protect sensitive data, and maintain the integrity of cloud infrastructure. Organizations must ensure that off-hours cloud activity is scrutinized, correlated with operational baselines, and thoroughly investigated to distinguish between authorized testing and potential security threats, thereby safeguarding against persistent compromise and credential-based attacks.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting cloud account integrity and sensitive data.
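The correlation step the explanation describes (cloud access logs reviewed per credential, across endpoints, against business hours), as an added example that is not part of the original question set. The event fields, the thresholds and the sample records are constructed for this example and are not tied to any particular cloud provider's log format.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_START, BUSINESS_END = 8, 18  # local business hours, [start, end)

# Constructed cloud-storage audit events (not real logs), loosely modelled on
# an object-store access log: which principal, from which endpoint, asked for
# what, and whether the platform allowed it.
CLOUD_AUDIT = [
    {"ts": "2024-03-11T01:12:03", "host": "ws-17", "principal": "svc-backup",
     "action": "GetObject", "resource": "finance-reports", "result": "AccessDenied"},
    {"ts": "2024-03-11T01:12:09", "host": "ws-22", "principal": "svc-backup",
     "action": "GetObject", "resource": "finance-reports", "result": "AccessDenied"},
    {"ts": "2024-03-11T01:13:40", "host": "db-03", "principal": "svc-backup",
     "action": "ListBucket", "resource": "customer-data", "result": "AccessDenied"},
    {"ts": "2024-03-11T01:14:02", "host": "ws-17", "principal": "svc-backup",
     "action": "GetObject", "resource": "hr-records", "result": "AccessDenied"},
    # Scheduled nightly job: off-hours but one host and no denials -> not flagged.
    {"ts": "2024-03-11T03:00:00", "host": "build-01", "principal": "ci-runner",
     "action": "PutObject", "resource": "artifacts", "result": "Success"},
    # Ordinary daytime use.
    {"ts": "2024-03-11T11:30:15", "host": "ws-05", "principal": "alice",
     "action": "GetObject", "resource": "team-docs", "result": "Success"},
]

def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def find_credential_abuse(events, min_hosts=2, min_denied=3):
    """Correlate per principal; flag a credential used from several endpoints
    with repeated denials or only off-hours. Off-hours alone is not enough."""
    stats = defaultdict(lambda: {"hosts": set(), "resources": set(),
                                 "denied": 0, "off_hours": 0, "total": 0})
    for e in events:
        s = stats[e["principal"]]
        s["total"] += 1
        s["hosts"].add(e["host"])
        s["resources"].add(e["resource"])
        s["denied"] += e["result"] != "Success"
        s["off_hours"] += is_off_hours(datetime.fromisoformat(e["ts"]))
    findings = []
    for principal, s in stats.items():
        reasons = []
        if len(s["hosts"]) >= min_hosts:
            reasons.append("same-credential-on-multiple-hosts")
        if s["denied"] >= min_denied:
            reasons.append("repeated-access-denied")
        if s["off_hours"] == s["total"]:
            reasons.append("all-activity-off-hours")
        # Require the multi-host signal plus at least one more before escalating.
        if "same-credential-on-multiple-hosts" in reasons and len(reasons) >= 2:
            findings.append({
                "principal": principal,             # credential to reset
                "hosts": sorted(s["hosts"]),        # endpoints to isolate
                "resources": sorted(s["resources"]),
                "reasons": reasons,
            })
    return findings
```

The single finding lists the three endpoints to isolate and the credential to reset, which is the option B sequence; the nightly ci-runner job shows why off-hours activity on its own should not trigger containment.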