CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 13 Q181-195
Question 181
A SOC analyst observes Windows endpoints creating unauthorized PowerShell scripts that attempt to disable event logging and bypass endpoint security during off-hours. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow execution.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured security policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance is scheduled, documented, and uses approved signed scripts. Off-hours creation of PowerShell scripts that disable event logging and bypass security controls indicates anomalous behavior. Allowing this activity could enable malware to persist, evade detection, and compromise sensitive systems. Routine maintenance is predictable and auditable, unlike unauthorized scripting.
Option B is correct. Malware often leverages PowerShell to modify system configurations and disable security mechanisms to persist and evade detection. Indicators include off-hours execution, execution by unsigned or undocumented scripts, elevated privileges, and attempts to bypass logging. Immediate SOC response involves isolating affected endpoints, capturing memory and system logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes restoring event logging and security controls, cleaning endpoints, updating monitoring rules to detect unauthorized scripts, and auditing similar endpoints. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional systems.
Option C assumes misconfigured security policies. Misconfigurations generally produce predictable errors or alerts and do not explain off-hours, unsigned scripts attempting to bypass security controls. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized PowerShell activity is inconsistent with legitimate testing. Misclassification risks malware persistence, evasion, and system compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and system integrity.
Question 182
A SOC analyst detects Linux endpoints executing scripts that attempt to communicate with unknown external IPs on high-numbered ports during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine network monitoring; allow traffic.
B) Malware establishing covert command-and-control channels; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured network services; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine network monitoring. Legitimate monitoring uses known endpoints, approved ports, and documented schedules. Off-hours communication to unknown external IPs on high-numbered ports from undocumented scripts indicates anomalous behavior. Allowing this could enable malware to maintain covert command-and-control (C2) channels and exfiltrate data. Routine monitoring does not involve unknown ports or undocumented scripts.
Option B is correct. Malware often uses high-numbered ports to evade detection and maintain covert C2 channels. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and unknown external connections. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing endpoint forensics to identify malware behavior and communication methods. Remediation includes cleaning endpoints, blocking malicious IPs, updating monitoring rules, and auditing network connections for anomalies. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise sensitive systems.
Option C assumes misconfigured network services. Misconfigurations generally result in failed connections or errors and do not explain off-hours activity on unknown ports. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts connecting to unknown external IPs on high-numbered ports are inconsistent with legitimate testing. Misclassification risks covert malware communication and data exfiltration.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining network and endpoint security.
Question 183
A SOC analyst observes Windows endpoints executing off-hours scripts attempting to modify registry keys that control startup applications. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative configuration; allow activity.
B) Malware attempting persistence through autostart mechanisms; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured registry policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes a routine administrative configuration. Legitimate configuration changes are scheduled, documented, and use signed tools. Off-hours modification of startup registry keys via unsigned scripts is anomalous. Allowing this could enable malware to persist across reboots, evade detection, and compromise endpoints. Routine administrative changes are predictable and auditable.
Option B is correct. Malware often modifies autostart registry keys to maintain persistence. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and changes to startup configurations. Immediate SOC response involves isolating affected endpoints, capturing memory and system logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes restoring registry keys, cleaning endpoints, updating monitoring rules to detect unauthorized registry changes, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional endpoints.
Option C assumes misconfigured registry policies. Misconfigurations generally produce errors or predictable failures and do not explain off-hours, unsigned script activity. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts modifying autostart keys are inconsistent with legitimate testing. Misclassification risks persistent malware activity and system compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint integrity.
Question 184
A SOC analyst observes Linux endpoints executing scripts that attempt to upload large volumes of internal files to unknown external servers during off-hours. The scripts run with elevated privileges and are undocumented. What is the most likely threat, and what should the SOC do first?
A) Routine file backup; allow activity.
B) Malware performing data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured file transfer services; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine file backup. Legitimate backups use approved credentials, scheduled procedures, and target known destinations. Off-hours uploads to unknown external servers from undocumented scripts indicate anomalous behavior. Allowing this could enable malware to exfiltrate sensitive data and compromise confidentiality. Routine backup activity is predictable and auditable.
Option B is correct. Malware frequently exfiltrates data by uploading sensitive files to external servers. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and targeting unknown external destinations. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine what data may have been accessed or exfiltrated. Remediation includes cleaning endpoints, blocking malicious external IPs, updating monitoring rules to detect anomalous file transfers, and auditing sensitive data repositories for unauthorized access. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to exfiltrate critical data and compromise organizational confidentiality.
Option C assumes misconfigured file transfer services. Misconfigurations typically generate predictable failures or limited errors and do not explain off-hours uploads to unknown external servers. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts uploading sensitive files externally are inconsistent with legitimate testing. Misclassification risks persistent malware activity and data exfiltration.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting data confidentiality and endpoint security.
Question 185
A SOC analyst detects Windows endpoints executing scripts that attempt to disable security updates and modify firewall rules during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine patch management; allow activity.
B) Malware attempting persistence and security evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured system update policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine patch management. Legitimate patch updates are scheduled, documented, and use signed tools. Off-hours scripts disabling updates and modifying firewall rules via unsigned scripts indicate anomalous activity. Allowing this could enable malware to evade detection, persist on systems, and compromise endpoints. Routine patch management is predictable and auditable.
Option B is correct. Malware frequently disables security updates and modifies firewall rules to maintain persistence and evade detection. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and unauthorized modifications to security configurations. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes restoring security updates, resetting firewall rules, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise system security.
Option C assumes misconfigured update policies. Misconfigurations generally produce predictable failures or alerts and do not explain off-hours, unsigned scripts modifying security controls. Treating this as a misconfiguration risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts modifying updates and firewall rules are inconsistent with legitimate testing. Misclassification risks malware persistence, evasion, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining system security and endpoint integrity.
Question 186
A SOC analyst observes Linux endpoints executing off-hours scripts that attempt to disable system logging and audit mechanisms. The scripts run with elevated privileges and are undocumented. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow activity.
B) Malware attempting evasion and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured logging policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance is scheduled, uses documented procedures, and employs approved scripts. Off-hours scripts disabling system logging and audit mechanisms indicate anomalous activity. Allowing this could enable malware to evade detection, maintain persistence, and compromise sensitive systems. Routine maintenance is predictable and auditable, unlike undocumented scripts.
Option B is correct. Malware often disables system logging and auditing to avoid detection and persist within a network. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and attempts to bypass security controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and persistence mechanisms. Remediation includes restoring logging and audit policies, cleaning endpoints, updating monitoring rules to detect similar activity, and auditing other endpoints for comparable changes. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional endpoints.
Option C assumes misconfigured logging policies. Misconfigurations generally produce predictable errors or alerts and do not explain off-hours undocumented scripts attempting to disable logging. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts disabling logging are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and data compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining system integrity and endpoint security.
Question 187
A SOC analyst detects Windows endpoints executing scripts that attempt to exfiltrate data to unknown external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine data replication; allow activity.
B) Malware performing data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured file transfer policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine data replication. Legitimate replication uses approved tools, scheduled procedures, and known destinations. Off-hours exfiltration attempts to unknown external servers via unsigned scripts indicate anomalous activity. Allowing this could enable malware to exfiltrate sensitive data and compromise confidentiality. Routine replication is predictable and auditable, unlike unauthorized scripts.
Option B is correct. Malware frequently exfiltrates data using scripts to transfer sensitive information to unauthorized external servers. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and unknown destinations. Immediate SOC response involves isolating affected endpoints, capturing network traffic for forensic analysis, and analyzing scripts to determine the data targeted for exfiltration. Remediation includes cleaning endpoints, blocking malicious IPs, updating monitoring rules for anomalous file transfers, and auditing sensitive data repositories for unauthorized access. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to exfiltrate critical data and compromise organizational confidentiality.
Option C assumes misconfigured file transfer policies. Misconfigurations generally produce errors or failed transfers and do not explain off-hours exfiltration activity. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts performing data exfiltration are inconsistent with legitimate testing. Misclassification risks persistent malware, data loss, and regulatory violations.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining data confidentiality and endpoint security.
Question 188
A SOC analyst observes Linux endpoints executing off-hours scripts that attempt to create unauthorized cron jobs and install unsigned software. The scripts run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine software updates; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured cron jobs; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine software updates. Legitimate updates use signed packages, approved repositories, and documented procedures. Off-hours installation of unsigned software and unauthorized cron jobs indicates anomalous activity. Allowing this could enable malware to persist, evade detection, and compromise endpoints. Routine updates are predictable and auditable.
Option B is correct. Malware frequently creates cron jobs and installs unsigned software to maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized software installations. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and persistence mechanisms. Remediation includes removing unauthorized cron jobs, cleaning endpoints, enforcing signed software policies, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional endpoints.
Option C assumes misconfigured cron jobs. Misconfigurations typically produce errors or failed executions and do not explain the off-hours execution of unsigned scripts. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized cron jobs and software installations are inconsistent with legitimate testing. Misclassification risks persistent malware activity and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and system integrity.
Question 189
A SOC analyst detects Windows endpoints executing scripts that attempt to disable antivirus software and modify system services during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system updates; allow activity.
B) Malware attempting persistence and security evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured system service policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine system updates. Legitimate updates are scheduled, documented, and use signed tools. Off-hours, unsigned scripts disabling antivirus and modifying system services indicate anomalous activity. Allowing this could enable malware to persist, evade detection, and compromise endpoints. Routine updates are predictable and auditable.
Option B is correct. Malware frequently disables antivirus software and modifies system services to maintain persistence and evade detection. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and attempts to bypass security mechanisms. Immediate SOC response involves isolating affected endpoints, capturing memory and system logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Remediation includes restoring antivirus functionality, cleaning endpoints, restoring system services, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional endpoints.
Option C assumes misconfigured system service policies. Misconfigurations generally produce predictable failures or alerts and do not explain off-hours, unsigned scripts modifying services and security software. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts modifying system services and disabling antivirus software are inconsistent with legitimate testing. Misclassification risks persistent malware activity and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and integrity.
Question 190
A SOC analyst observes Linux endpoints executing scripts that attempt to establish unauthorized SSH connections to multiple internal servers during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine SSH administration; allow activity.
B) Malware attempting lateral movement and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SSH policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine SSH administration. Legitimate SSH connections are scheduled, documented, and executed by authorized accounts. Off-hours SSH connections to multiple servers from undocumented scripts indicate anomalous activity. Allowing this could enable malware to move laterally, escalate privileges, and compromise sensitive systems. Routine SSH administration does not involve off-hours multi-server unauthorized connections.
Option B is correct. Malware often attempts lateral movement and privilege escalation via SSH connections. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and multiple targets. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and intended targets. Remediation includes cleaning endpoints, enforcing strong password policies, updating monitoring rules, and auditing accounts across internal servers. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to escalate privileges, move laterally, and compromise additional systems.
Option C assumes misconfigured SSH policies. Misconfigurations typically affect specific accounts and generate predictable failures, not off-hours undocumented scripts accessing multiple servers. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts performing SSH access are inconsistent with legitimate testing. Misclassification risks lateral movement, privilege escalation, and potential data compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining network and endpoint security.
Question 191
A SOC analyst observes Windows endpoints executing off-hours scripts that attempt to access sensitive cloud accounts using unauthorized credentials across multiple systems. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine cloud maintenance; allow access.
B) Malware or insider attempting credential harvesting; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured cloud authentication; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine cloud maintenance. Legitimate maintenance is scheduled, uses approved credentials, and targets known cloud resources. Off-hours access attempts with unauthorized credentials across multiple systems indicate anomalous behavior. Allowing this could enable malware or malicious insiders to harvest credentials, exfiltrate sensitive data, and compromise cloud infrastructure. Routine maintenance is predictable and auditable, unlike undocumented scripts.
Option B is correct. Malware or insiders often attempt to access cloud accounts to steal credentials, escalate privileges, and gain unauthorized access to sensitive data. Indicators include off-hours activity, repeated access attempts, execution by undocumented scripts, targeting multiple accounts, and elevated privileges. Immediate SOC response involves isolating affected endpoints to prevent further compromise, reviewing authentication and access logs, and performing endpoint forensics to identify malicious processes. Remediation includes cleaning endpoints, resetting impacted credentials, enforcing multi-factor authentication, updating monitoring rules, and auditing cloud access policies. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity risks persistent credential compromise, unauthorized access, and data exfiltration.
Option C assumes misconfigured cloud authentication. Misconfigurations typically produce predictable errors or limit access for specific accounts and do not explain off-hours multi-system unauthorized access attempts. Treating this as benign risks persistent unauthorized activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized access by undocumented scripts is inconsistent with legitimate testing. Misclassification risks persistent malware activity, credential theft, and cloud compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting cloud accounts and sensitive data.
Question 192
A SOC analyst detects Linux endpoints executing scripts that attempt to escalate privileges by modifying sudoers files and adding new user accounts during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative tasks; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured sudoers files; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine administrative tasks. Legitimate administrative changes are scheduled, documented, and follow change management policies. Off-hours modifications of sudoers files and creation of new accounts via undocumented scripts indicate anomalous behavior. Allowing this could enable malware to gain elevated privileges, persist on endpoints, and compromise additional systems. Routine administrative changes are auditable and predictable, unlike unauthorized scripts.
Option B is correct. Malware often modifies sudoers files and creates user accounts to escalate privileges and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to access controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and intended privilege escalation. Remediation includes restoring sudoers files, removing unauthorized accounts, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to escalate privileges, maintain persistence, and compromise sensitive systems.
Option C assumes misconfigured sudoers files. Misconfigurations typically generate predictable failures affecting limited accounts and do not explain off-hours unauthorized script execution. Treating this as benign risks persistent malware activity.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying sudoers files are inconsistent with legitimate testing. Misclassification risks privilege escalation, persistence, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and system security.
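Questions 181 through 192 all apply the same triage rule: a security-relevant action (logging disabled, autostart or cron persistence, external transfer, sudoers or account changes, lateral SSH) performed by an unsigned or undocumented script, off-hours, with elevated privileges is treated as malware, and the first response is isolate, capture, analyze. The script below is an added example that encodes that rule over constructed endpoint events; it is not part of the original question set, and the event fields, business hours and the destination allow-list are assumptions.

```python
"""Triage of script-execution events using the indicators the questions
repeat: off-hours timing, unsigned/undocumented script, elevated privileges,
and a security-relevant action.  Field names and sample events are
constructed for this example, not a vendor schema."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumption: business hours are 08:00-17:59 in the endpoint's local time.
BUSINESS_HOURS = range(8, 18)

# Constructed allow-list of destinations approved for backup/replication.
KNOWN_DESTINATIONS = {"backup.corp.example", "10.20.30.40"}

# Action categories from the questions and the first response each gives.
FIRST_RESPONSE = {
    "disable_logging": "isolate endpoint, capture memory and logs, analyze script",
    "autostart_persistence": "isolate endpoint, capture memory, analyze script",
    "disable_security": "isolate endpoint, capture memory, analyze script",
    "external_transfer": "isolate endpoint, capture traffic, analyze script",
    "privilege_change": "isolate endpoint, capture memory, analyze script",
    "lateral_movement": "isolate endpoint, capture memory, analyze script",
    "credential_access": "isolate endpoint, review auth logs, analyze script",
}


@dataclass
class ScriptEvent:
    timestamp: str            # ISO 8601, endpoint local time
    host: str
    user: str
    action: str               # a FIRST_RESPONSE key, or e.g. "package_update"
    elevated: bool            # ran as SYSTEM/root or via sudo/UAC elevation
    signed: bool              # script carried a valid code signature
    documented: bool          # listed in the approved-script inventory/change record
    destination: Optional[str] = None  # remote host for network actions


def is_off_hours(timestamp: str) -> bool:
    """True when the event falls outside business hours or on a weekend."""
    ts = datetime.fromisoformat(timestamp)
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def indicators(ev: ScriptEvent) -> list:
    """Collect the anomaly indicators the questions enumerate for one event."""
    found = []
    if is_off_hours(ev.timestamp):
        found.append("off_hours")
    if not ev.signed:
        found.append("unsigned_script")
    if not ev.documented:
        found.append("undocumented_script")
    if ev.elevated:
        found.append("elevated_privileges")
    if ev.action in FIRST_RESPONSE:
        found.append("security_relevant_action:" + ev.action)
    if ev.destination and ev.destination not in KNOWN_DESTINATIONS:
        found.append("unknown_destination:" + ev.destination)
    return found


def triage(ev: ScriptEvent) -> dict:
    """Classify one event and name the first response.

    Mirrors the answer key: a security-relevant action by an unsigned or
    undocumented script, off-hours, is likely malware; the same action by an
    unsigned/undocumented script in-hours, or by an approved script talking to
    an unknown destination, is queued for review; a signed, documented script
    is scheduled by definition and is treated as routine even off-hours.
    """
    found = indicators(ev)
    security_action = ev.action in FIRST_RESPONSE
    provenance_bad = "unsigned_script" in found or "undocumented_script" in found
    unknown_dest = any(i.startswith("unknown_destination:") for i in found)
    if security_action and provenance_bad and "off_hours" in found:
        verdict, response = "likely_malware", FIRST_RESPONSE[ev.action]
    elif security_action and (provenance_bad or unknown_dest):
        verdict = "review"
        response = "hold execution, verify with change management, analyze script"
    else:
        verdict, response = "routine", "allow; no action"
    return {"host": ev.host, "verdict": verdict,
            "indicators": found, "first_response": response}


# Constructed sample events (not real telemetry); 2024-05-14 is a Tuesday.
SAMPLE_EVENTS = [
    ScriptEvent("2024-05-14T02:17:00", "WS-0412", "SYSTEM", "disable_logging",
                elevated=True, signed=False, documented=False),
    ScriptEvent("2024-05-14T23:05:00", "LX-0077", "root", "external_transfer",
                elevated=True, signed=False, documented=False,
                destination="203.0.113.9"),
    ScriptEvent("2024-05-14T21:30:00", "LX-0012", "backup", "external_transfer",
                elevated=True, signed=True, documented=True,
                destination="backup.corp.example"),
    ScriptEvent("2024-05-14T10:00:00", "WS-0301", "svc_patch", "disable_security",
                elevated=True, signed=True, documented=False),
]


def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Map each host to its verdict; used to walk the sample set."""
    return {ev.host: triage(ev)["verdict"] for ev in events}


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        r = triage(sample)
        print(f"{r['host']}: {r['verdict']} -> {r['first_response']}")
```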
Question 193
A SOC analyst detects Windows endpoints executing scripts that attempt to exfiltrate database credentials and configuration files to unknown external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine database backup; allow activity.
B) Malware performing credential theft and data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured database policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes a routine database backup. Legitimate backups use approved tools, scheduled procedures, and known destinations. Off-hours exfiltration attempts to unknown external servers via unsigned scripts indicate anomalous behavior. Allowing this could enable malware to steal credentials, exfiltrate sensitive data, and compromise confidentiality. Routine backups are predictable and auditable, unlike unauthorized scripts.
Option B is correct. Malware often targets database credentials and configuration files for theft and external transmission. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and connections to unknown external servers. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to identify stolen information. Remediation includes cleaning endpoints, blocking malicious external IPs, updating monitoring rules to detect anomalous database access, and auditing database accounts and configurations. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to exfiltrate critical credentials and compromise data integrity and security.
Option C assumes misconfigured database policies. Misconfigurations generally produce predictable errors or failures and do not explain off-hours activity via unsigned scripts. Treating this as benign risks persistent malware activity.
Option D assumes that unusual off-hours activity, such as the execution of unsigned scripts, can be attributed to legitimate user testing. In enterprise environments, testing is indeed a necessary and routine practice, but it is highly structured. Legitimate testing is scheduled, documented, and predictable, with clearly defined procedures, approved accounts, and known endpoints. Testing scripts are vetted, signed, and executed under controlled conditions to avoid introducing security risks or operational disruption. Any deviation from these established protocols is a strong indicator of unauthorized activity rather than routine testing.
The scenario described—off-hours execution of unsigned scripts exfiltrating credentials and configuration files—is inconsistent with legitimate testing. Authorized testing rarely involves accessing sensitive data, bypassing security controls, or transmitting information externally, as such actions would violate standard operational and security policies. Off-hours timing further increases the suspicion, as testing is usually conducted according to pre-approved schedules and during periods when monitoring and oversight are present. The combination of unsigned scripts, credential access, and data exfiltration strongly indicates malicious intent, either through malware or an insider threat, rather than routine system validation.
Misclassifying this activity as benign poses significant security risks. Credential theft can enable attackers to escalate privileges, move laterally across systems, and maintain persistent access. Exfiltration of configuration files can reveal sensitive network, system, or application settings, providing attackers with the information necessary to further compromise systems. Treating such activity as part of testing allows attackers to operate undetected, increasing the likelihood of data breaches and operational impact.
Effective response requires verification and monitoring. Security teams should examine script origin, execution logs, and network traffic, and correlate the activity with documented testing procedures. Any deviation should be treated as suspicious and investigated thoroughly. In conclusion, off-hours execution of unsigned scripts targeting credentials and configuration data is inconsistent with legitimate testing and indicates high-risk activity, requiring immediate attention to prevent compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting database credentials and sensitive information.
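As an added worked example (not part of this question set), the following Python script applies the triage described for option B to constructed endpoint telemetry: it scores each process on the indicators the explanation lists (unsigned script, elevated privileges, off-hours execution, reads of credential or configuration files, outbound connections to unknown external hosts) and returns a verdict with the first-response actions. The telemetry records, field names, staffed hours, approved backup destination and sensitive-file patterns are all assumptions made for the example, not any product's schema.

```python
"""Triage of unsigned, elevated scripts that read credential files and talk
to external hosts. Added example, not from the exam page: the telemetry
records and field names below are constructed stand-ins for EDR process,
file-access and firewall flow logs, and the thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress

BUSINESS_HOURS = (time(8, 0), time(18, 0))          # assumption: staffed hours
APPROVED_DESTINATIONS = {"198.51.100.10"}           # assumption: offsite backup vault
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_FILE_HINTS = ("web.config", "appsettings", ".env", "my.cnf",
                        "tnsnames", "connectionstrings")


@dataclass
class Process:
    pid: int
    image: str              # command line or script path
    signed: bool            # trusted Authenticode signature present
    elevated: bool          # high-integrity / administrator token
    started: datetime
    files_read: list = field(default_factory=list)


@dataclass
class Flow:
    pid: int
    dst: str
    bytes_out: int


def is_off_hours(ts: datetime) -> bool:
    """True outside staffed hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def unapproved_external(flow: Flow) -> bool:
    """Destination outside the internal ranges that no approved job uses."""
    ip = ipaddress.ip_address(flow.dst)
    internal = any(ip in net for net in INTERNAL_NETS)
    return not internal and flow.dst not in APPROVED_DESTINATIONS


def triage(processes, flows):
    """Score each process on the listed indicators and return findings."""
    flows_by_pid = {}
    for f in flows:
        flows_by_pid.setdefault(f.pid, []).append(f)

    findings = []
    for p in processes:
        indicators = []
        if not p.signed:
            indicators.append("unsigned script")
        if p.elevated:
            indicators.append("elevated privileges")
        if is_off_hours(p.started):
            indicators.append("off-hours execution")
        touched = [path for path in p.files_read
                   if any(h in path.lower() for h in SENSITIVE_FILE_HINTS)]
        if touched:
            indicators.append("read credential/config files")
        exfil = [f for f in flows_by_pid.get(p.pid, []) if unapproved_external(f)]
        if exfil:
            indicators.append("outbound to unapproved external host")

        # Unsigned code that read secrets and sent data to an unknown host:
        # contain first, then preserve evidence, then rotate what was exposed.
        if exfil and not p.signed and touched:
            verdict, actions = "isolate", [
                "isolate endpoint from the network",
                "capture traffic/flow logs for the destination",
                "preserve the script and a memory image before cleanup",
                "rotate the credentials held in the files read",
            ]
        elif len(indicators) >= 3:
            verdict, actions = "review", ["correlate with change/backup schedule"]
        else:
            continue
        findings.append({"pid": p.pid, "image": p.image, "indicators": indicators,
                         "destinations": sorted(f.dst for f in exfil),
                         "bytes_out": sum(f.bytes_out for f in exfil),
                         "verdict": verdict, "actions": actions})
    return findings


def block_list(findings):
    """External destinations to block at the perimeter for 'isolate' findings."""
    return {d for f in findings if f["verdict"] == "isolate" for d in f["destinations"]}


# Constructed telemetry (all values fictional; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges).
PROCESSES = [
    Process(4120, r"powershell.exe -File C:\Users\Public\sync.ps1", False, True,
            datetime(2024, 3, 12, 2, 13), [r"C:\inetpub\wwwroot\web.config"]),
    Process(5201, r"C:\Program Files\BackupAgent\agent.exe", True, True,
            datetime(2024, 3, 12, 23, 0), [r"D:\backups\nightly.bak"]),
    Process(6010, r"powershell.exe -File C:\Temp\fix.ps1", False, True,
            datetime(2024, 3, 12, 10, 5), [r"C:\app\appsettings.json"]),
]
FLOWS = [
    Flow(4120, "203.0.113.45", 5_400_000),
    Flow(5201, "198.51.100.10", 80_000_000),
    Flow(6010, "10.0.0.5", 12_000),
]

if __name__ == "__main__":
    results = triage(PROCESSES, FLOWS)
    for r in results:
        print(r["verdict"].upper(), r["pid"], r["indicators"], r["destinations"])
    print("block at perimeter:", block_list(results))
```

The signed backup agent is also elevated and runs off-hours, but because it is signed and sends only to the approved destination it never reaches the review threshold; the unsigned script that read web.config during business hours is queued for review, and only the process that combines all five indicators produces an isolate verdict and a perimeter block entry.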
Question 194
A SOC analyst detects Linux endpoints executing scripts that attempt to disable SELinux and modify firewall rules during off-hours. The scripts run with elevated privileges and are undocumented. What is the most likely threat, and what should the SOC do first?
A) Routine system configuration; allow activity.
B) Malware attempting persistence and security evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SELinux and firewall policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes a routine system configuration. Legitimate configuration changes are scheduled, documented, and use approved scripts. Off-hours disabling of SELinux and firewall modification by undocumented scripts indicates anomalous behavior. Allowing this could enable malware to bypass security controls, persist, and compromise endpoints. Routine system changes are auditable and predictable.
Option B is correct. Malware frequently disables SELinux and modifies firewall rules to evade detection and maintain persistence. Indicators include off-hours activity, elevated privileges, execution by undocumented scripts, and unauthorized modifications to security controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior. Remediation includes restoring SELinux enforcement, resetting firewall rules, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise sensitive systems.
Option C assumes that unusual off-hours activity, specifically the execution of undocumented scripts that disable security controls, is caused by misconfigured SELinux or firewall policies. SELinux and firewalls are critical components of modern system security, designed to enforce access controls, restrict unauthorized system interactions, and prevent malicious activity. Misconfigurations in these systems are relatively common in enterprise environments and can include improperly applied rules, incorrect context assignments, overly permissive policies, or overlooked exceptions. These misconfigurations generally produce predictable and traceable effects, such as blocked network traffic, failed system calls, denied access attempts, or alerts in security logs. Their impact is typically limited to specific systems or network segments and does not generate the type of behavior associated with unauthorized scripts modifying system security settings.
The off-hours execution of undocumented scripts that disable security controls is inconsistent with the typical outcomes of misconfigured SELinux or firewall policies. Misconfigurations generally result in observable errors or alerts rather than deliberate changes to system behavior initiated by scripts. For example, a misconfigured SELinux policy might prevent a legitimate process from running, or a firewall misconfiguration may block specific ports or network flows. These are static, predictable, and confined to the misconfigured component. They do not involve autonomous scripts bypassing security mechanisms to disable protections, clear logs, or modify access rules. Such actions are deliberate, coordinated, and operationally significant, indicating intent to evade detection or establish persistence rather than incidental policy misapplication.
Treating off-hours execution of these scripts as benign due to an assumption of misconfiguration poses significant risks. Malware and advanced persistent threats often leverage scripts to disable security controls in order to evade detection, maintain persistence, and facilitate further compromise. By disabling SELinux enforcement or modifying firewall rules, attackers can circumvent monitoring and prevent alerts from being triggered during their activities. This creates a stealthy environment in which malware can execute additional payloads, perform reconnaissance, exfiltrate sensitive data, or prepare the system for lateral movement across the network. Ignoring these indicators of compromise under the guise of a misconfiguration allows attackers to remain operational within the network, increasing the likelihood of extended and severe breaches.
Moreover, the off-hours timing of these actions amplifies the risk. Attackers frequently choose periods of reduced oversight, such as nights or weekends, to carry out activities that might otherwise be detected during standard monitoring. Undocumented scripts executed during these times are deliberately designed to exploit gaps in observation and operational vigilance. Misclassifying such activity as routine misconfiguration removes the opportunity for timely intervention, allowing malicious actors to expand their foothold, escalate privileges, and establish mechanisms for persistent access.
Proper response requires thorough investigation and verification rather than assumptions. Security teams must correlate observed activity with known operational procedures, audit system and firewall logs, and analyze script execution patterns. Forensic analysis of affected endpoints, including memory inspection and process monitoring, can identify whether scripts are authorized administrative tools or indicators of compromise. Behavioral baselines and anomaly detection are useful to distinguish between misconfigurations and deliberate malicious activity. Additionally, network traffic monitoring can reveal whether disabled firewall rules or SELinux adjustments are being exploited to facilitate external communications or data exfiltration.
While misconfigured SELinux or firewall policies can cause predictable system errors or blocked network traffic, they do not account for off-hours execution of undocumented scripts that disable security controls. Such activity is highly inconsistent with benign misconfigurations and strongly suggests malicious intent. Treating this behavior as harmless exposes the organization to persistent malware activity, potential data exfiltration, privilege escalation, and further compromise of critical systems. Accurate verification, timely investigation, and remediation are essential to identify unauthorized actions, restore security controls, and maintain the integrity of enterprise infrastructure. By differentiating between incidental misconfigurations and deliberate attacks, organizations can prevent persistent threats, protect sensitive data, and ensure that security mechanisms function as intended to safeguard operations and maintain network resilience.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts disabling SELinux and modifying firewall rules are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and integrity.
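As an added worked example (not part of this question set), the following Python script shows the detection and verification step the option C and option B discussion calls for: it scans command-execution records for the commands that switch SELinux to permissive or tear down firewall rules, checks whether the script ran as root, from an approved location, and during staffed hours, and pairs each hit with the restoration step the explanation lists. The audit lines are constructed in a simplified one-line format (real auditd output is multi-record), and the approved script directories and staffed hours are assumptions made for the example.

```python
"""Detection of scripts that switch off SELinux or tear down firewall rules.
Added example, not from the exam page: the audit lines are constructed in a
simplified one-line format, and the approved-script directories and staffed
hours are assumptions."""
import re
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))                          # assumption
APPROVED_SCRIPT_DIRS = ("/usr/local/sbin/", "/opt/ops/scripts/")    # assumption

# (pattern, control, meaning) for commands that turn a protection off.
TAMPER_PATTERNS = [
    (re.compile(r"\bsetenforce\s+0\b"), "selinux", "SELinux switched to permissive"),
    (re.compile(r"SELINUX\s*=\s*(disabled|permissive)"), "selinux",
     "SELinux config set to disabled/permissive"),
    (re.compile(r"\biptables\s+(-F|--flush)\b"), "firewall", "iptables chain flushed"),
    (re.compile(r"\bnft\s+flush\s+ruleset\b"), "firewall", "nftables ruleset flushed"),
    (re.compile(r"\bsystemctl\s+(stop|disable)\s+firewalld\b"), "firewall",
     "firewalld stopped/disabled"),
    (re.compile(r"\bufw\s+disable\b"), "firewall", "ufw disabled"),
]
REMEDIATION = {
    "selinux": "setenforce 1, restore SELINUX=enforcing in /etc/selinux/config, confirm with getenforce",
    "firewall": "reload the ruleset from the version-controlled baseline and confirm with a rule dump",
}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) script=(?P<script>\S+) cmd='(?P<cmd>[^']*)'$")


def is_off_hours(ts: datetime) -> bool:
    """True outside staffed hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def parse_line(line: str):
    """Parse one constructed audit line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "uid": int(m["uid"]),
            "script": m["script"], "cmd": m["cmd"]}


def detect(lines):
    """Return one finding per command that tampers with SELinux or the firewall."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, control, meaning in TAMPER_PATTERNS:
            if not pattern.search(rec["cmd"]):
                continue
            approved = rec["script"].startswith(APPROVED_SCRIPT_DIRS)
            off_hours = is_off_hours(rec["ts"])
            # Root disabling a control from an unapproved path, or outside
            # staffed hours, is the case the explanation says to contain first;
            # anything else still gets verified against the change record.
            if rec["uid"] == 0 and (not approved or off_hours):
                verdict = "isolate"
            else:
                verdict = "review"
            findings.append({"ts": rec["ts"].isoformat(), "script": rec["script"],
                             "uid": rec["uid"], "control": control, "meaning": meaning,
                             "approved_path": approved, "off_hours": off_hours,
                             "verdict": verdict, "remediation": REMEDIATION[control]})
            break
    return findings


def controls_to_restore(findings):
    """Controls that must be restored after containment of 'isolate' findings."""
    return {f["control"] for f in findings if f["verdict"] == "isolate"}


# Constructed records; paths, times and uids are fictional.
AUDIT_LINES = [
    "2024-03-13T03:41:07 uid=0 script=/dev/shm/.x.sh cmd='setenforce 0'",
    "2024-03-13T03:41:09 uid=0 script=/dev/shm/.x.sh cmd='iptables -F INPUT'",
    "2024-03-13T14:05:30 uid=0 script=/opt/ops/scripts/reload-fw.sh cmd='nft -f /etc/nftables.conf'",
    "2024-03-13T14:06:02 uid=0 script=/opt/ops/scripts/maint.sh cmd='setenforce 0'",
    "2024-03-13T03:42:15 uid=1001 script=/home/dev/test.sh "
    "cmd='sed -i s/SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config'",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    results = detect(AUDIT_LINES)
    for r in results:
        print(r["verdict"].upper(), r["ts"], r["script"], r["meaning"])
    print("restore:", controls_to_restore(results))
```

Reloading a firewall ruleset from an approved script during the day is not a hit at all, and a setenforce 0 from an approved maintenance script during staffed hours is queued for review rather than containment, which is the distinction between incidental administration and the off-hours, undocumented tampering the question describes.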
Question 195
A SOC analyst observes Windows endpoints executing off-hours scripts that attempt to create unauthorized administrative accounts and modify group policies. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative tasks; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured group policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative tasks. Legitimate administrative tasks are scheduled, documented, and use signed tools. Off-hours creation of unauthorized admin accounts and modification of group policies via unsigned scripts indicates anomalous activity. Allowing this could enable malware to escalate privileges, maintain persistence, and compromise endpoints. Routine administrative tasks are predictable and auditable, unlike undocumented scripts.
Option B is correct. Malware frequently creates unauthorized accounts and modifies group policies to escalate privileges and persist undetected. Indicators include off-hours activity, elevated privileges, execution by unsigned scripts, and undocumented changes to access controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior. Remediation includes removing unauthorized accounts, restoring group policies, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to escalate privileges, maintain persistence, and compromise critical systems.
Option C assumes misconfigured group policies. Misconfigurations generally produce predictable errors affecting specific accounts and do not explain off-hours, unsigned script activity. Treating this as benign risks persistent malware activity.
Option D assumes that unusual off-hours activity, such as the creation of administrative accounts and modifications to group policies via undocumented scripts, can be attributed to legitimate user testing. In enterprise environments, testing is indeed a necessary and routine practice. However, legitimate testing is structured, scheduled, and documented. It follows predefined procedures and involves approved accounts, endpoints, and scripts that are executed under controlled conditions. Testing activities are designed to verify system functionality, ensure compliance with operational requirements, or assess the performance of applications or security controls. Predictability, documentation, and adherence to schedules are essential to ensure that testing does not interfere with production operations or create security vulnerabilities.
Off-hours execution of undocumented scripts that create administrative accounts or modify group policies is inconsistent with the principles of legitimate testing. Authorized testing rarely involves changing critical security configurations, creating elevated accounts without approval, or performing operations outside approved environments. Such actions would typically require prior authorization, scheduling, and detailed documentation, including approval from system owners or security teams. When scripts operate off-hours, affect multiple endpoints, and perform actions that bypass standard security controls, the behavior strongly suggests malicious intent rather than routine testing. These deviations from expected procedures indicate that the activity is unauthorized and likely designed to evade detection.
Misclassifying this type of activity as benign can introduce significant security risks. Scripts that create administrative accounts and modify group policies provide attackers with a mechanism for privilege escalation and persistent access. Unauthorized administrative accounts can be used to circumvent standard access controls, gain elevated permissions, and perform actions that would otherwise require approval. Modifying group policies allows attackers to weaken security configurations, disable monitoring or logging, and deploy malicious changes across multiple systems. These capabilities can enable malware to maintain persistence, move laterally within the network, and compromise additional endpoints without detection. The off-hours execution of these actions further reduces the likelihood that monitoring teams will notice them, providing attackers with a window to consolidate control and extend the impact of their activity.
Persistent unauthorized administrative access also increases the risk of sensitive data exposure and operational disruption. Attackers with administrative privileges can manipulate user accounts, exfiltrate confidential information, alter security logs, and install additional malware or backdoors. Misclassification of such activity delays detection and response, allowing attackers to establish long-term access to critical systems. This can result in extensive compromise of enterprise resources, including both endpoints and centralized services like Active Directory, cloud infrastructure, or network management systems.
Proper response requires verification, correlation, and thorough investigation. Security teams should analyze event logs, group policy modifications, and administrative account creation events to identify the origin and legitimacy of the activity. Endpoint forensics, memory analysis, and script inspection can help determine whether the scripts are authorized testing tools or malicious actors operating undetected. Anomaly detection, behavioral baselines, and correlation with documented testing schedules are essential for distinguishing between legitimate operational activity and unauthorized actions. Any deviation from approved procedures or off-hours activity should be treated with suspicion until verified.
While user testing is an essential component of IT operations, off-hours execution of undocumented scripts that create administrative accounts and modify group policies is highly inconsistent with legitimate testing practices. Testing is scheduled, documented, and predictable, and does not involve bypassing security controls or creating persistent elevated accounts. Misclassification of this behavior as benign introduces significant risk, including privilege escalation, persistent malware access, lateral movement, and endpoint compromise. Accurate verification, timely investigation, and prompt remediation are critical to protect enterprise systems, maintain the integrity of security controls, and prevent attackers from leveraging unauthorized access for ongoing malicious operations. Organizations must maintain strict oversight of testing activities and ensure that all scripts and administrative actions are authorized, documented, and monitored to mitigate the risk of persistent threats and ensure operational security.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and network security.
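As an added worked example (not part of this question set), the following Python script performs the event-log correlation the option D discussion describes for option B: it groups Windows events by the acting account and, within a short window around each account-creation event, looks for the new account being added to the local Administrators group, a Group Policy object being modified, and a script block logged from an unapproved path, then weighs off-hours timing and whether the actor is approved to provision accounts. The event IDs and the Administrators group SID are the real Windows values (4720 account created, 4732 member added to a local group, 5136 directory object modified, 4104 PowerShell script block logging, which comes from the PowerShell Operational log rather than the Security log); the event dictionaries, field names, approved actors, script directories, correlation window and staffed hours are assumptions constructed for the example.

```python
"""Correlation of Windows events for unauthorized admin-account creation and
Group Policy changes. Added example, not from the exam page: the events are
constructed dictionaries carrying simplified fields of the real event IDs;
approved actors, script directories, window and staffed hours are assumptions."""
from datetime import datetime, time, timedelta

BUSINESS_HOURS = (time(8, 0), time(18, 0))          # assumption: staffed hours
WINDOW = timedelta(minutes=15)                      # assumption: correlation window
APPROVED_ACTORS = {"svc_provisioning"}              # assumption: may create accounts
APPROVED_SCRIPT_DIRS = ("c:\\program files\\ops\\",)  # assumption: signed ops scripts
ADMINISTRATORS_SID = "S-1-5-32-544"                 # well-known local Administrators SID


def is_off_hours(ts: datetime) -> bool:
    """True outside staffed hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def event_time(ev) -> datetime:
    return datetime.fromisoformat(ev["Time"])


def correlate(events):
    """One finding per account creation, scored on what the same actor did nearby."""
    events = sorted(events, key=event_time)
    by_actor = {}
    for ev in events:
        by_actor.setdefault(ev["SubjectUserName"], []).append(ev)

    findings = []
    for actor, evs in by_actor.items():
        for created in (e for e in evs if e["EventID"] == 4720):
            t0 = event_time(created)
            window = [e for e in evs if t0 - WINDOW <= event_time(e) <= t0 + WINDOW]
            new_user = created["TargetUserName"]
            indicators = []
            if actor not in APPROVED_ACTORS:
                indicators.append("actor not approved to provision accounts")
            if is_off_hours(t0):
                indicators.append("off-hours")
            elevated = any(e["EventID"] == 4732 and e.get("TargetSid") == ADMINISTRATORS_SID
                           and e.get("MemberName") == new_user for e in window)
            if elevated:
                indicators.append("new account added to local Administrators")
            if any(e["EventID"] == 5136 and e.get("ObjectClass") == "groupPolicyContainer"
                   for e in window):
                indicators.append("Group Policy object modified")
            if any(e["EventID"] == 4104
                   and not e["ScriptPath"].lower().startswith(APPROVED_SCRIPT_DIRS)
                   for e in window):
                indicators.append("script block from unapproved path")

            # A new local admin created by someone outside the provisioning
            # role is the containment case; other deviations are verified.
            if elevated and actor not in APPROVED_ACTORS:
                verdict = "isolate"
            elif indicators:
                verdict = "review"
            else:
                continue
            findings.append({"actor": actor, "new_account": new_user,
                             "time": t0.isoformat(), "indicators": indicators,
                             "verdict": verdict})
    return findings


# Constructed events; names, times and the GPO DN are fictional placeholders.
EVENTS = [
    {"EventID": 4104, "Time": "2024-03-14T01:02:10", "SubjectUserName": "jdoe",
     "ScriptPath": r"C:\Users\Public\gp.ps1"},
    {"EventID": 4720, "Time": "2024-03-14T01:02:41", "SubjectUserName": "jdoe",
     "TargetUserName": "support_adm"},
    {"EventID": 4732, "Time": "2024-03-14T01:02:43", "SubjectUserName": "jdoe",
     "TargetSid": "S-1-5-32-544", "MemberName": "support_adm"},
    {"EventID": 5136, "Time": "2024-03-14T01:05:09", "SubjectUserName": "jdoe",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 4720, "Time": "2024-03-14T10:15:00", "SubjectUserName": "svc_provisioning",
     "TargetUserName": "new.hire"},
    {"EventID": 4732, "Time": "2024-03-14T10:15:02", "SubjectUserName": "svc_provisioning",
     "TargetSid": "S-1-5-32-545", "MemberName": "new.hire"},
    {"EventID": 4720, "Time": "2024-03-14T14:30:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "temp.contractor"},
    {"EventID": 4732, "Time": "2024-03-14T14:30:05", "SubjectUserName": "helpdesk1",
     "TargetSid": "S-1-5-32-545", "MemberName": "temp.contractor"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["verdict"].upper(), f["actor"], f["new_account"], f["indicators"])
```

The provisioning service account creating a normal user (added only to the Users group, S-1-5-32-545) during the day produces no finding; a helpdesk account doing the same is queued for review because it is outside the approved provisioning role; and the off-hours actor who creates an account, makes it a local administrator, edits a GPO and runs a script from a user-writable path collects every indicator and gets the isolate verdict.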