CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 11 Q151-165

Question 151

A SOC analyst notices that endpoints are creating unauthorized VPN connections to external IPs outside business hours. The connections are initiated by unsigned scripts running with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine VPN maintenance; allow connections.
B) Malware establishing persistent remote access and data exfiltration channels; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured VPN settings; update configuration.
D) User testing of VPN; notify users.

Answer: B)

Explanation:

Option A assumes routine VPN maintenance. Legitimate maintenance is scheduled, documented, and uses approved signed tools. Off-hours creation of VPN connections from unknown scripts with elevated privileges indicates anomalous behavior. Allowing this activity could enable malware to maintain persistent access, bypass network security controls, or exfiltrate sensitive data. Routine VPN maintenance does not involve unsigned scripts or unscheduled connections.

Option B is correct. Malware often uses VPN connections to establish persistent access, evade monitoring, and exfiltrate data. Indicators include off-hours activity, execution by unsigned scripts, and connection to unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent further communication, capturing network traffic for analysis, and performing script analysis to identify malicious activity and methods of persistence. Correlating with threat intelligence can help identify malicious infrastructure. Remediation includes cleaning endpoints, restoring VPN security policies, blocking malicious external IPs, updating monitoring rules, and continuous threat detection. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity could result in persistent malware access, lateral movement, and data compromise.

Option C assumes misconfigured VPN settings. Misconfigurations generally cause connection failures or predictable errors and do not explain unauthorized off-hours VPN creation. Treating this as benign risks leaving malware activity undetected.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts creating VPN connections are inconsistent with legitimate testing. Misclassification risks persistent malware activity, data exfiltration, and unauthorized network access.

Selecting option B ensures rapid containment, forensic analysis, and remediation while maintaining endpoint integrity and network security.

Question 152

A SOC analyst identifies Linux endpoints attempting repeated SSH connections to multiple internal systems during off-hours using undocumented scripts. The connections attempt to escalate privileges on remote systems. What is the most likely threat, and what should the SOC do first?

A) Routine SSH administration; allow connections.
B) Malware attempting lateral movement and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SSH policies; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine SSH administration. Legitimate SSH activity is predictable, scheduled, signed, and originates from authorized accounts. Off-hours execution of undocumented scripts attempting multiple SSH connections and privilege escalation is anomalous. Allowing this activity could enable malware to compromise multiple internal systems, harvest credentials, and perform lateral movement. Routine administration does not use undocumented scripts for off-hours mass access attempts.

Option B is correct. Malware frequently leverages SSH for lateral movement and privilege escalation. Indicators include off-hours activity, repeated connection attempts to multiple internal endpoints, execution by undocumented scripts, and attempts to escalate privileges. Immediate SOC response involves isolating affected endpoints, capturing memory and system logs for forensic analysis, and analyzing scripts to determine the malware’s behavior, persistence mechanisms, and affected accounts. Correlating SSH logs across the network can identify additional impacted systems. Remediation includes cleaning endpoints, resetting compromised accounts, updating SSH policies, and enhancing monitoring for anomalous access attempts. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to move laterally, escalate privileges, and compromise sensitive systems undetected.

Option C assumes misconfigured SSH policies. Misconfigurations usually cause predictable errors or single-endpoint failures and do not explain repeated off-hours multi-system access attempts. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours repeated SSH attempts by undocumented scripts are inconsistent with legitimate testing and indicate malicious activity. Misclassification risks network compromise and credential theft.

Selecting option B ensures containment, forensic analysis, and remediation while maintaining internal network security.

Question 153

A SOC analyst notices Windows endpoints executing obfuscated scripts that attempt to disable antivirus protection and create hidden scheduled tasks. The activity occurs during off-hours. What is the most likely threat, and what should the SOC do first?

A) Routine administrative scripts; allow execution.
B) Malware using fileless techniques to establish persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured task scheduler; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine administrative scripts. Legitimate scripts are scheduled, signed, and documented. Off-hours execution of obfuscated scripts that disable antivirus protection and create hidden tasks indicates anomalous activity. Allowing this could enable malware to persist, evade detection, and compromise additional systems. Routine scripts do not perform these unauthorized actions.

Option B is correct. Malware often uses obfuscated scripts and fileless techniques to maintain persistence and evade detection. Indicators include off-hours activity, execution by undocumented processes, attempts to disable security tools, and hidden scheduled task creation. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to understand malware behavior and persistence mechanisms. Network monitoring should identify connections to external IPs or C2 infrastructure. Remediation includes cleaning endpoints, restoring antivirus and task scheduling functionality, updating detection rules, and monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise systems undetected.

Option C assumes a misconfigured task scheduler. Misconfigurations typically produce errors or failed task execution and do not account for hidden scheduled tasks and disabled antivirus software. Treating this as benign allows malware persistence.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours obfuscated scripts disabling security controls are inconsistent with legitimate testing. Misclassification risks persistent malware, data compromise, and evasion of monitoring.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security.

Question 154

A SOC analyst detects Linux endpoints sending low-volume HTTPS requests to newly registered high-entropy domains during off-hours. These requests originate from undocumented scripts. What is the most likely threat, and what is the SOC’s first response?

A) Routine telemetry; allow traffic.
B) Malware using dynamically generated domains for command-and-control; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured web services; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine telemetry. Normal telemetry uses known servers, predictable intervals, and authorized processes. Low-volume HTTPS requests to newly registered high-entropy domains during off-hours indicate anomalous behavior. Allowing this could enable malware to maintain command-and-control channels and exfiltrate data undetected. Telemetry does not use dynamically generated subdomains or issue continuous off-hours requests.

Option B is correct. Malware often uses dynamically generated domains to maintain covert command-and-control communication. Indicators include low-volume persistent HTTPS requests, dynamically generated subdomains, off-hours execution, and undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing network traffic, and performing endpoint forensics to identify malicious scripts and C2 infrastructure. Threat intelligence can identify malicious domains. Remediation includes cleaning endpoints, updating detection rules, and monitoring for similar anomalous activity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to persist and potentially exfiltrate sensitive data undetected.

Option C assumes misconfigured web services. Misconfigurations generate predictable errors and do not explain off-hours low-volume requests to dynamically generated domains. Treating this as benign risks leaving malware activity undetected.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts producing high-entropy HTTPS requests are inconsistent with testing activity. Misclassification allows malware to evade detection and persist.

Selecting option B ensures containment, forensic analysis, and remediation while protecting network integrity and sensitive data.

Question 155

A SOC analyst observes repeated failed login attempts to sensitive cloud accounts from multiple endpoints during off-hours. Unknown scripts execute these attempts across multiple accounts. What is the most likely threat, and what should the SOC do first?

A) Routine cloud maintenance; allow activity.
B) Malware or malicious insider attempting unauthorized access; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured cloud authentication policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine cloud maintenance. Legitimate maintenance is scheduled, documented, and uses authorized accounts. Repeated failed login attempts from unknown scripts across multiple accounts indicate malicious activity. Ignoring this could result in unauthorized access, credential compromise, and data exfiltration. Routine maintenance does not trigger multi-account off-hours failed login attempts.

Option B is correct. Malware or malicious insiders may attempt unauthorized access for credential harvesting or lateral movement. Indicators include off-hours repeated login failures, multi-account targeting, and execution by undocumented scripts. Immediate SOC response involves isolating endpoints, reviewing authentication logs, and performing endpoint forensics to identify the responsible processes or malware. Remediation includes cleaning endpoints, resetting affected accounts, enforcing multi-factor authentication, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures regulatory compliance, supports investigation, and informs threat intelligence. Failing to respond risks compromise of sensitive cloud data and potential regulatory penalties.

Option C assumes misconfigured authentication policies. Misconfigurations typically affect a limited set of accounts and do not explain repeated failed login attempts across multiple accounts. Treating this as benign risks persistent unauthorized access.

Option D assumes legitimate testing. Testing is scheduled, documented, and predictable. Off-hours repeated login attempts by unknown scripts are inconsistent with testing and indicate malicious behavior. Misclassification risks data compromise and credential theft.

Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting cloud account integrity and preventing unauthorized access.

Question 156

A SOC analyst observes endpoints creating unauthorized outbound SSH tunnels to unknown external servers during off-hours. The scripts initiating the connections are unsigned and run with elevated privileges. What is the most likely threat, and what is the SOC’s first response?

A) Routine SSH tunneling; allow connections.
B) Malware establishing covert channels for exfiltration or remote access; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured SSH settings; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine SSH tunneling. Legitimate SSH tunnels are scheduled, documented, and executed using signed scripts or approved tools. Off-hours SSH tunnels to unknown external servers initiated by unsigned scripts with elevated privileges indicate anomalous activity. Allowing this behavior could enable malware to exfiltrate sensitive data or maintain persistent remote access undetected. Routine SSH tunneling does not involve unknown external endpoints, unsigned scripts, or off-hours execution.

Option B is correct. Malware often leverages SSH tunnels to create covert communication channels for exfiltration or remote access. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and connections to unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent further communication, capturing network traffic for analysis, and performing script analysis to identify malware behavior, persistence mechanisms, and targeted data. Network monitoring should identify additional endpoints performing similar activity, and threat intelligence can help determine the nature of external servers. Remediation includes cleaning endpoints, restoring secure SSH configurations, blocking malicious IPs, updating monitoring rules, and validating all user accounts and credentials. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity could allow malware to maintain covert access, perform lateral movement, and exfiltrate sensitive information undetected.

Option C assumes misconfigured SSH settings. Misconfigurations typically result in failed connection attempts or error logs, and do not explain off-hours, unsigned script activity targeting unknown servers. Treating this as benign risks undetected malware persistence.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts creating SSH tunnels to unknown servers are inconsistent with legitimate testing. Misclassification risks persistent malware activity and sensitive data compromise.

Selecting option B ensures rapid containment, forensic analysis, and remediation while maintaining endpoint integrity and network security.

Question 157

A SOC analyst identifies multiple Linux endpoints executing scripts that attempt to install unsigned software from external sources during off-hours. The scripts run with elevated privileges and bypass package management controls. What is the most likely threat, and what should the SOC do first?

A) Routine software installation; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured package management; update configuration.
D) User testing; verify activity with IT.

Answer: B)

Explanation:

Option A assumes routine software installation. Legitimate software installation uses signed packages, approved repositories, scheduled deployment, and authorized administrative accounts. Off-hours execution of unsigned software installation scripts that bypass package management controls indicates anomalous behavior. Allowing this could enable malware to maintain persistence, evade security monitoring, and deploy additional malicious payloads. Routine software installation is predictable, documented, and auditable.

Option B is correct. Malware frequently installs unsigned software to gain persistence, evade detection, or deploy additional capabilities. Indicators include off-hours activity, elevated privilege execution, bypassing package management, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior, persistence mechanisms, and potential exfiltration channels. Network monitoring can detect connections to malicious repositories, and threat intelligence can help identify known malicious sources. Remediation includes cleaning endpoints, enforcing signed software policies, updating monitoring rules, and auditing installed software across endpoints. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and improves threat intelligence. Ignoring this activity allows malware to maintain persistence, escalate privileges, and compromise additional systems undetected.

Option C assumes misconfigured package management. Misconfigurations usually result in predictable failures or errors and do not explain off-hours, unsigned script activity. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned software installation scripts are inconsistent with legitimate testing. Misclassification risks malware persistence, evasion, and data compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting endpoint integrity and sensitive information.

Question 158

A SOC analyst observes endpoints generating repeated low-volume ICMP requests to unknown external IPs outside business hours. The traffic originates from undocumented scripts. What is the most likely threat, and what should the SOC do first?

A) Routine network monitoring; allow traffic.
B) Malware performing reconnaissance or preparing for denial-of-service; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured ICMP settings; update configuration.
D) User network testing; notify users.

Answer: B)

Explanation:

Option A assumes routine network monitoring. Legitimate ICMP traffic originates from authorized monitoring tools, occurs at predictable intervals, and targets known hosts. Low-volume, repeated off-hours ICMP requests to unknown external IPs from undocumented scripts indicate anomalous activity. Allowing this behavior could enable malware to perform reconnaissance, map external networks, or prepare for denial-of-service attacks. Routine monitoring does not generate undocumented off-hours ICMP activity targeting unknown IPs.

Option B is correct. Malware frequently uses ICMP for reconnaissance, network mapping, or staging for future attacks. Indicators include repeated low-volume requests, off-hours execution, connections to unknown external IPs, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing endpoint forensics to identify malicious processes. Correlation with threat intelligence can reveal potential attacker infrastructure. Remediation includes cleaning endpoints, updating detection rules for anomalous ICMP traffic, and continuous network monitoring. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to gather network information, plan attacks, and compromise systems undetected.

Option C assumes misconfigured ICMP settings. Misconfigurations typically generate predictable errors or isolated failures, not repeated off-hours ICMP traffic. Treating this as benign risks malware persistence.

Option D assumes user network testing. Testing is scheduled, documented, and predictable. Undocumented off-hours ICMP traffic is inconsistent with legitimate testing. Misclassification allows malware reconnaissance to persist undetected.

Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting network integrity and preventing reconnaissance.

Question 159

A SOC analyst detects Windows endpoints attempting unauthorized access to cloud storage accounts during off-hours. Unknown scripts attempt to access multiple accounts across several systems. What is the most likely threat, and what should the SOC do first?

A) Routine cloud maintenance; allow activity.
B) Malware or malicious insider attempting credential harvesting; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured cloud permissions; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine cloud maintenance. Legitimate maintenance uses authorized accounts, scheduled procedures, and documented processes. Off-hours unauthorized access attempts across multiple accounts from unknown scripts are anomalous. Allowing this could enable malware or an insider to harvest credentials, exfiltrate data, and compromise sensitive accounts. Routine maintenance is predictable and auditable.

Option B is correct. Malware or malicious insiders often attempt unauthorized access to cloud accounts to obtain credentials or perform lateral movement. Indicators include off-hours repeated access attempts, multi-account targeting, and execution by undocumented scripts. Immediate SOC response involves isolating endpoints to prevent further access, reviewing authentication and access logs, and performing endpoint forensics to identify responsible processes. Remediation includes cleaning endpoints, resetting impacted accounts, enforcing multi-factor authentication, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity risks sensitive cloud data compromise and regulatory penalties.

Option C assumes misconfigured cloud permissions. Misconfigurations typically impact specific accounts or permissions and do not explain repeated unauthorized attempts across multiple accounts. Treating this as benign risks persistent unauthorized access.

Option D assumes legitimate testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized cloud access by unknown scripts is inconsistent with testing. Misclassification could result in credential compromise, data exfiltration, and persistent malware activity.

Selecting option B ensures containment, forensic analysis, and remediation while protecting cloud account integrity and sensitive information.
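Questions 155 and 159 describe the same pattern: one endpoint failing authentication against many distinct cloud accounts in a short off-hours burst. The Python below is an added example, not part of these practice questions, that finds that burst in constructed authentication records by counting distinct target accounts per source host inside a sliding time window, which is what separates a scripted spray from one user retyping a password. The record format, the 15-minute window, the four-account threshold and the UTC business-hours window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed business hours in UTC; adjust to the organisation's own schedule.
BUSINESS_START, BUSINESS_END = 8, 18

# Constructed authentication records (not from any real identity provider): an ISO timestamp
# followed by key=value fields for the source endpoint, target account, outcome and process.
SAMPLE_AUTH_LOG = [
    "2024-05-14T01:12:03Z host=WS-009 user=svc-backup result=FAIL proc=python.exe",
    "2024-05-14T01:12:41Z host=WS-009 user=j.doe result=FAIL proc=python.exe",
    "2024-05-14T01:13:20Z host=WS-009 user=a.smith result=FAIL proc=python.exe",
    "2024-05-14T01:14:05Z host=WS-009 user=finance-admin result=FAIL proc=python.exe",
    "2024-05-14T01:14:52Z host=WS-009 user=cloud-ops result=FAIL proc=python.exe",
    "2024-05-14T09:15:10Z host=WS-030 user=m.lee result=FAIL proc=chrome.exe",
    "2024-05-14T09:15:32Z host=WS-030 user=m.lee result=FAIL proc=chrome.exe",
    "2024-05-14T09:16:01Z host=WS-030 user=m.lee result=SUCCESS proc=chrome.exe",
]


def parse_auth_line(line):
    """Split one constructed record into a dict; the timestamp becomes a timezone-aware datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def is_off_hours(ts):
    """Weekend, or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def detect_spray(lines, min_accounts=4, window=timedelta(minutes=15)):
    """One finding per source host whose failures touch >= min_accounts distinct accounts within `window`.

    A single user retrying a mistyped password produces several failures against one account,
    so it is not reported; a script walking an account list from one endpoint is.
    """
    failures = defaultdict(list)
    for event in sorted((parse_auth_line(line) for line in lines), key=lambda e: e["ts"]):
        if event["result"] == "FAIL":
            failures[event["host"]].append(event)

    findings = []
    for host, events in failures.items():
        best, start = None, 0
        for end, current in enumerate(events):
            # slide the window start forward until every event in it is within `window` of `current`
            while current["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {e["user"] for e in in_window}
            if len(accounts) >= min_accounts and (best is None or len(accounts) > len(best["accounts"])):
                best = {
                    "host": host,
                    "accounts": sorted(accounts),
                    "first_seen": in_window[0]["ts"].isoformat(),
                    "off_hours": is_off_hours(in_window[0]["ts"]),
                    "processes": sorted({e["proc"] for e in in_window}),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_AUTH_LOG):
        print(finding)
```

Each finding names the host to isolate, the accounts whose credentials need resetting, and the process worth pulling for script analysis, which is the evidence the question's first-response step calls for.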

Question 160

A SOC analyst identifies Linux endpoints executing scripts that attempt to bypass firewall rules and communicate with unknown external IPs during off-hours. The scripts run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine firewall testing; allow activity.
B) Malware attempting to bypass security controls and maintain persistence; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured firewall rules; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine firewall testing. Legitimate firewall tests are scheduled, documented, and use approved tools. Off-hours scripts bypassing firewall rules and contacting unknown external IPs are anomalous. Allowing this could enable malware to evade security controls, maintain persistence, and exfiltrate data. Routine testing is auditable and does not involve unsigned scripts.

Option B is correct. Malware often attempts to bypass firewall rules to maintain persistence, establish covert communication, or exfiltrate data. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and connections to unknown external IPs. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing script analysis to identify malicious behavior and persistence mechanisms. Remediation includes cleaning endpoints, restoring firewall rules, updating monitoring rules, and continuous network surveillance. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and improves threat intelligence. Ignoring this activity allows malware to maintain covert access, evade monitoring, and compromise systems.

Option C assumes misconfigured firewall rules. Misconfigurations typically cause predictable failures or access issues, not off-hours unsigned script activity. Treating this as benign risks malware persistence and data exfiltration.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unsigned scripts bypassing firewall controls are inconsistent with legitimate testing. Misclassification risks persistent malware activity and network compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining firewall integrity and network security.

Question 161

A SOC analyst observes multiple Windows endpoints executing unsigned scripts that attempt to create new local administrative accounts and modify user group memberships during off-hours. What is the most likely threat, and what should the SOC do first?

A) Routine administrative updates; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Active Directory policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine administrative updates. Legitimate administrative activity is scheduled, documented, uses signed tools, and follows change management procedures. Off-hours creation of new local admin accounts and modification of group memberships via unsigned scripts is anomalous. Allowing this could enable malware to escalate privileges, maintain persistence, and compromise additional systems. Routine administrative updates are auditable and predictable, unlike unauthorized scripts.

Option B is correct. Malware frequently creates unauthorized administrative accounts and modifies user group memberships to maintain persistence and gain elevated privileges. Indicators include off-hours activity, unsigned scripts, and changes to group memberships not documented in change logs. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing memory and system logs for forensic analysis, and analyzing scripts to identify malware behavior and persistence mechanisms. Correlating changes across the network can reveal other compromised systems. Remediation includes removing unauthorized accounts, restoring group memberships to their intended state, cleaning endpoints, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and improves threat intelligence. Ignoring this activity allows malware to maintain control, exfiltrate sensitive data, and compromise additional systems.

Option C assumes misconfigured Active Directory policies. Misconfigurations usually result in limited errors or access issues and do not explain off-hours unsigned scripts creating accounts. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unsigned scripts creating administrative accounts are inconsistent with legitimate testing and indicate malicious activity. Misclassification could allow malware to maintain persistence and compromise systems.

Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting system integrity and preventing privilege escalation.

Question 162

A SOC analyst detects Linux endpoints executing scripts that attempt to disable system auditing, bypass security policies, and connect to unknown external IPs during off-hours. What is the most likely threat, and what should the SOC do first?

A) Routine system maintenance; allow activity.
B) Malware attempting to evade detection and establish persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured audit policies; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine system maintenance. Legitimate maintenance is scheduled, documented, and uses approved signed tools. Disabling system auditing and bypassing security policies via undocumented scripts during off-hours is anomalous. Allowing this could enable malware to evade detection, persist on systems, and compromise additional endpoints. Routine maintenance is auditable and predictable.

Option B is correct. Malware often attempts to disable auditing and security policies to avoid detection and maintain persistence. Indicators include off-hours activity, execution by undocumented scripts, attempts to bypass security controls, and communication with unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent lateral movement or further compromise, capturing memory and system logs for forensic analysis, and analyzing scripts to understand malware behavior and persistence mechanisms. Correlating this activity across the network can identify other impacted endpoints. Remediation includes restoring audit policies, cleaning endpoints, updating monitoring rules, and continuously tracking for anomalous activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity allows malware to maintain access, evade detection, and potentially exfiltrate sensitive data.

Option C assumes misconfigured audit policies. Misconfigurations typically produce predictable errors or alert logs and do not explain off-hours execution of scripts that disable auditing and security controls. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of unauthorized scripts disabling audit policies is inconsistent with legitimate testing. Misclassification risks persistent malware, evasion, and potential data compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and network security.

Question 163

A SOC analyst notices Windows endpoints performing off-hours off-network DNS queries to newly registered, high-entropy domains. The queries originate from undocumented scripts. What is the most likely threat, and what should the SOC do first?

A) Routine DNS monitoring; allow queries.
B) Malware using dynamically generated domains for command-and-control; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured DNS settings; update configuration.
D) User network testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine DNS monitoring. Legitimate DNS activity originates from authorized monitoring tools, targets known domains, and occurs at predictable intervals. Off-hours DNS queries to high-entropy, newly registered domains from undocumented scripts are anomalous. Allowing this could enable malware to maintain command-and-control channels and exfiltrate data undetected. Routine monitoring does not generate high-entropy off-hours DNS queries from unauthorized scripts.

Option B is correct. Malware often uses dynamically generated domains to maintain covert command-and-control communication. Indicators include off-hours activity, execution by undocumented scripts, low-volume but continuous DNS queries, and high-entropy domains. Immediate SOC response involves isolating affected endpoints, capturing network traffic, and performing endpoint forensics to identify malicious scripts and C2 infrastructure. Correlating logs with threat intelligence can help identify known malicious domains. Remediation includes cleaning endpoints, updating detection rules, monitoring for similar activity, and validating DNS policies across the network. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and improves threat intelligence. Ignoring this activity allows malware to persist, evade detection, and exfiltrate data.

Option C assumes misconfigured DNS settings. Misconfigurations usually produce predictable failures or error logs and do not explain off-hours high-entropy queries. Treating this as benign risks persistent malware activity.

Option D assumes user network testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts performing anomalous DNS queries are inconsistent with legitimate testing. Misclassification could result in persistent malware and covert C2 activity.

Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting network integrity and sensitive information.
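As an added illustration, not part of the original question set, the following Python sketch applies the option B indicators to constructed DNS log lines: it scores the Shannon entropy of each queried domain's registrable label and flags queries that are off-hours, high-entropy and not on a known-good allowlist. The log format, endpoint and process names, thresholds and allowlist are assumptions; the third indicator, domain registration age, would need a WHOIS or passive-DNS lookup and is not modelled here.

```python
"""Flag off-hours DNS queries to high-entropy domains in constructed log lines."""
import math
from collections import Counter
from datetime import datetime

# Constructed sample DNS log lines (not from any real capture):
# "<timestamp> <endpoint> <process> <queried name>"
SAMPLE_DNS_LOG = """\
2024-03-12T09:15:02 WS-114 chrome.exe www.example.com
2024-03-12T02:41:17 WS-114 wscript.exe q7x3kd9vz2pl.com
2024-03-12T02:41:49 WS-114 wscript.exe ak4m2ru8wq1t.net
2024-03-12T02:42:21 WS-114 wscript.exe zb8n0y5cw3hf.com
2024-03-12T14:03:55 WS-207 outlook.exe mail.example.com
"""

# Assumed tuning values (not taken from the question text)
ENTROPY_THRESHOLD = 3.5          # bits per character of the registrable label
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 counts as business hours
KNOWN_GOOD_SUFFIXES = ("example.com",)  # stand-in for a known-domain allowlist


def shannon_entropy(label: str) -> float:
    """Shannon entropy in bits/char; algorithmically generated labels score high.
    Entropy alone is noisy (long legitimate names score well too), which is why
    it is only one condition alongside off-hours timing and the unknown process."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registrable_label(fqdn: str) -> str:
    """Second-level label, e.g. 'q7x3kd9vz2pl' for 'q7x3kd9vz2pl.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_off_hours(ts: datetime) -> bool:
    return ts.hour not in BUSINESS_HOURS


def flag_suspicious_queries(log_text: str) -> list:
    """Return queries that are off-hours, high-entropy and not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        ts_str, endpoint, process, name = line.split()
        ts = datetime.fromisoformat(ts_str)
        if name.lower().endswith(KNOWN_GOOD_SUFFIXES):
            continue  # known-good domain: not an indicator on its own
        entropy = shannon_entropy(registrable_label(name))
        if is_off_hours(ts) and entropy >= ENTROPY_THRESHOLD:
            findings.append({"endpoint": endpoint, "process": process,
                             "domain": name, "entropy": round(entropy, 2)})
    return findings
```

On the sample above only the three 02:41-02:42 queries from wscript.exe are returned; the business-hours queries to the allowlisted domains are not.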

Question 164

A SOC analyst observes endpoints executing scripts that attempt repeated failed logins to sensitive on-premises accounts during off-hours. Unknown processes execute these attempts across multiple accounts. What is the most likely threat, and what should the SOC do first?

A) Routine system maintenance; allow activity.
B) Malware or malicious insider performing credential harvesting; isolate endpoints, review logs, and analyze scripts.
C) Misconfigured authentication policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine system maintenance. Legitimate maintenance is scheduled, documented, and uses authorized accounts. Repeated failed login attempts from unknown scripts across multiple accounts are anomalous. Allowing this could enable malware or an insider to harvest credentials and compromise sensitive systems. Routine maintenance does not involve multi-account off-hours failed login attempts.

Option B is correct. Malware or malicious insiders frequently attempt unauthorized access to collect credentials or map account privileges. Indicators include off-hours activity, repeated failed login attempts across multiple accounts, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, reviewing authentication logs to identify impacted accounts, and performing endpoint forensics to identify malicious processes. Remediation includes cleaning endpoints, resetting impacted accounts, enforcing multi-factor authentication, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and strengthens threat intelligence. Ignoring this activity risks credential compromise, lateral movement, and potential data exfiltration.

Option C assumes that unusual off-hours activity, specifically repeated multi-account failed login attempts, is the result of misconfigured authentication policies. Authentication misconfigurations can occur in enterprise environments due to improperly set account lockout policies, incorrect password complexity requirements, misapplied group memberships, or misconfigured identity provider integrations. These misconfigurations typically result in predictable and limited errors, such as a single account failing to authenticate, lockouts for specific users, or error messages logged during scheduled authentication attempts. Misconfigurations tend to affect specific accounts or a defined subset of users rather than generating widespread, repeated login failures across multiple accounts. They also generally follow predictable patterns and can be resolved through configuration adjustments or policy corrections.

In contrast, repeated failed login attempts across multiple accounts during off-hours are highly inconsistent with normal misconfiguration behavior. Such activity is more indicative of deliberate malicious activity, including brute-force attacks, credential-stuffing attempts, or automated scripts attempting to escalate privileges. Attackers and malware often operate during off-hours to reduce the likelihood of detection, taking advantage of periods when monitoring and administrative oversight are reduced. The repeated, multi-account nature of these login failures signals an intentional attempt to gain unauthorized access, as opposed to a benign error caused by misconfigured authentication policies. Misclassifying this activity as a simple configuration issue risks allowing an attacker or persistent malware to continue attempting access, potentially leading to account compromise, unauthorized privilege escalation, or lateral movement within the network.

Option D assumes that off-hours failed login attempts are the result of legitimate user testing. While testing is a normal part of IT operations, it is typically scheduled, documented, and executed in controlled environments. Testing usually involves known accounts, approved scripts, and clearly defined endpoints. It does not involve repeated failed login attempts across multiple accounts or the use of unknown or unauthorized scripts. Off-hours activity of this nature deviates sharply from normal testing practices, suggesting that the activity is unauthorized and potentially malicious. Legitimate testing is designed to verify functionality or system performance, not to simulate brute-force attacks or interact with user accounts in a manner that could bypass security controls.

Misclassification of repeated off-hours login failures as benign testing introduces substantial risk. Persistent attackers or malware can exploit misidentified activity to maintain access, avoid detection, and escalate privileges over time. Multi-account login attempts can be a precursor to account compromise, which may be leveraged to access sensitive systems, exfiltrate data, or deploy additional malicious tools. The combination of off-hours execution, multiple account targets, and repeated failures strongly suggests an intentional attempt to gain access rather than an operational error. Failing to investigate these anomalies allows attackers to remain persistent within the network, increasing the potential impact of compromise.

Effective response requires verification, monitoring, and correlation with known operational procedures. Security teams should examine authentication logs, analyze the source IP addresses and accounts involved, and compare activity against baseline user behavior. Identifying patterns such as repeated off-hours attempts from unknown scripts, unexpected endpoints, or unauthorized devices helps differentiate between legitimate administrative or testing activity and malicious actions. In addition, behavioral analysis and anomaly detection can reveal persistent threats attempting to bypass detection through low-volume or sporadic attempts. Forensic investigation, including endpoint analysis and network monitoring, can further identify whether the failed login attempts are associated with malware or insider threat activity.

While misconfigured authentication policies or legitimate testing may produce isolated anomalies, they do not account for repeated off-hours failed login attempts across multiple accounts initiated by unknown scripts. This behavior is highly indicative of malicious intent, including persistent malware or insider threats. Treating such activity as benign allows unauthorized access to continue, potentially leading to privilege escalation, data compromise, and further system infiltration. Accurate verification, careful monitoring, and prompt investigation are critical to identify unauthorized activity, mitigate threats, and maintain the security and integrity of enterprise systems. Proper classification ensures that security teams can respond effectively, preventing attackers from exploiting misidentified events to maintain persistence or escalate their access.

Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting account integrity and sensitive information.
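As an added example, not part of the original question set, the following Python sketch turns the option B indicators into a detection over constructed authentication events: failures are grouped by endpoint and originating process, and a group is flagged when a process outside a known-logon allowlist fails against several distinct accounts in a short window that starts outside business hours. The log format, endpoint, process and account names, window and thresholds are assumptions.

```python
"""Detect off-hours failed logons spread across many accounts (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real telemetry):
# "<timestamp> <endpoint> <process> <account> <result>"
SAMPLE_AUTH_LOG = """\
2024-03-12T10:02:11 WS-031 explorer.exe jdoe FAILURE
2024-03-12T10:02:40 WS-031 explorer.exe jdoe SUCCESS
2024-03-12T03:10:05 WS-118 upd_helper.exe svc_backup FAILURE
2024-03-12T03:10:09 WS-118 upd_helper.exe svc_sql FAILURE
2024-03-12T03:10:14 WS-118 upd_helper.exe dbadmin FAILURE
2024-03-12T03:10:20 WS-118 upd_helper.exe finance_admin FAILURE
2024-03-12T03:10:27 WS-118 upd_helper.exe hr_admin FAILURE
"""

# Assumed detection parameters (not from the question text)
BUSINESS_HOURS = range(8, 19)        # 08:00-18:59
WINDOW = timedelta(minutes=10)       # how close together the failures must be
MIN_DISTINCT_ACCOUNTS = 3            # many accounts, few tries each
KNOWN_LOGON_PROCESSES = {"explorer.exe", "winlogon.exe"}  # allowlist stand-in


def parse_events(log_text):
    """Parse one event per line into (timestamp, endpoint, process, account, result)."""
    events = []
    for line in log_text.splitlines():
        ts, endpoint, process, account, result = line.split()
        events.append((datetime.fromisoformat(ts), endpoint, process, account, result))
    return events


def detect_multi_account_failures(log_text):
    """Group FAILURE events by (endpoint, process) and flag a group when a
    non-allowlisted process fails against >= MIN_DISTINCT_ACCOUNTS distinct
    accounts within WINDOW, with the run starting outside business hours."""
    failures = defaultdict(list)
    for ts, endpoint, process, account, result in parse_events(log_text):
        if result == "FAILURE":
            failures[(endpoint, process)].append((ts, account))
    findings = []
    for (endpoint, process), items in failures.items():
        if process in KNOWN_LOGON_PROCESSES:
            continue  # ordinary interactive logon failures are triaged separately
        items.sort()
        for i, (start, _) in enumerate(items):
            accounts = sorted({a for t, a in items[i:] if t - start <= WINDOW})
            if len(accounts) >= MIN_DISTINCT_ACCOUNTS and start.hour not in BUSINESS_HOURS:
                findings.append({"endpoint": endpoint, "process": process,
                                 "accounts": accounts, "first_seen": start.isoformat()})
                break  # one finding per (endpoint, process) is enough to triage
    return findings
```

The single daytime failure from explorer.exe followed by a success is left alone; the five off-hours failures against five different accounts from the unknown process on WS-118 produce one finding listing the impacted accounts to reset.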

Question 165

A SOC analyst detects Linux endpoints executing scripts that attempt to create unauthorized cron jobs and install unsigned software during off-hours. The scripts run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine administrative tasks; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured cron jobs; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine administrative tasks. Legitimate administrative activity is scheduled, documented, uses signed tools, and follows change management procedures. Off-hours creation of unauthorized cron jobs and unsigned software installation via undocumented scripts is anomalous. Allowing this could enable malware to persist, evade detection, and compromise additional systems. Routine tasks do not involve unauthorized cron jobs or unsigned software installations.

Option B is correct. Malware often uses cron jobs and unsigned software installations to maintain persistence and evade detection. Indicators include off-hours activity, elevated privilege execution, and execution by undocumented scripts. Immediate SOC response involves isolating endpoints, capturing memory and system logs for forensic analysis, and analyzing scripts to identify malware behavior, persistence mechanisms, and potential exfiltration paths. Remediation includes removing unauthorized cron jobs, cleaning endpoints, enforcing signed software policies, updating monitoring rules, and validating all systems for additional compromises. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to maintain persistent access, evade detection, and compromise additional endpoints.

Option C assumes that unusual activity observed on endpoints or servers—specifically the off-hours execution of unsigned scripts through cron jobs—is caused by misconfigured cron jobs. Cron jobs are scheduled tasks in Unix-like systems that automate repetitive administrative or operational tasks. Misconfigurations in cron typically result in predictable outcomes, such as missed executions, incorrect execution times, or error logs indicating failed commands or scripts. For example, a misconfigured cron job may attempt to run a script with the wrong path, use invalid syntax, or fail due to missing dependencies. These errors are localized, traceable, and generally isolated to the affected system or script. They do not explain the continuous, off-hours execution of unsigned scripts, nor do they account for scripts performing actions outside of their expected operational scope.

Unsigned scripts, by their nature, are not validated by trusted sources or cryptographic signatures. Their execution, especially when scheduled via cron jobs outside standard operational windows, raises significant security concerns. Unlike errors caused by misconfigured cron jobs—which produce predictable and easily diagnosable failures—unsigned scripts executing off-hours may be part of a deliberate attempt by malware or an attacker to maintain persistence. Persistent malware often leverages scheduled tasks like cron jobs to ensure its payload executes at regular intervals, bypassing detection during high-monitoring periods. By assuming that such activity is the result of misconfiguration, administrators risk leaving malicious processes operational, allowing them to execute additional payloads, collect sensitive data, or prepare for lateral movement without detection.

Option D assumes that off-hours execution of cron jobs is part of legitimate user testing. In enterprise environments, user testing is typically scheduled, documented, and performed under controlled conditions. Testing tasks are predictable, restricted to specific endpoints or systems, and generally involve known software that has been approved by IT or security teams. Off-hours execution of unsigned scripts or unauthorized cron jobs is inconsistent with these practices. Testing procedures rarely involve deploying unverified software or bypassing standard security controls, and they are almost always conducted with oversight to prevent operational disruption. Unauthorized, unscheduled scripts running via cron during off-hours indicate activity outside documented procedures and suggest malicious intent rather than benign testing.

Misclassifying this type of activity as legitimate testing presents a substantial security risk. Malware commonly exploits scheduled tasks such as cron jobs to achieve persistence. Unsigned scripts running in off-hours may perform stealthy reconnaissance, modify system configurations, exfiltrate data, or install additional malicious software. If security teams dismiss this behavior as routine testing, attackers are granted the opportunity to maintain control over compromised systems, evade detection, and expand their access across the network. This creates a scenario where malware can operate continuously, executing covert actions without triggering immediate alerts. Over time, the cumulative impact of persistent, uninvestigated malware can include data breaches, system corruption, and disruption of business operations.

Effective response requires verification, investigation, and correlation with operational procedures. Security teams must examine cron job schedules, script origins, and execution patterns to determine whether the activity aligns with authorized tasks. Endpoint analysis, including memory and process inspection, can help identify whether unsigned scripts are malicious. Behavioral baselines can further distinguish between legitimate administrative operations and anomalous execution patterns. Furthermore, correlating off-hours cron activity with network communications, log modifications, or other indicators of compromise can confirm the presence of persistent malware.

While misconfigured cron jobs or legitimate user testing can produce anomalies in system behavior, neither scenario explains the off-hours execution of unsigned scripts. Such activity is highly inconsistent with benign misconfiguration or controlled testing and strongly indicates malicious intent. Treating this activity as harmless risks persistent malware operations, evasion of detection mechanisms, and potential data compromise. Accurate verification, monitoring, and timely remediation are essential to ensure that unauthorized scripts are identified and removed, endpoints are secured, and organizational systems remain protected from ongoing threats. Proper investigation distinguishes between routine operational errors and deliberate attacks, safeguarding sensitive data and maintaining the integrity of the enterprise environment.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint and system security.
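As an added example, not part of the original question set, the following Python sketch implements the check described above of comparing cron schedules and script origins with authorized tasks: it parses a constructed system crontab and flags entries that are missing from a change-managed baseline or that run from locations where signed, package-managed software does not live. The crontab contents, baseline and untrusted-path list are assumptions.

```python
"""Audit crontab entries against a change-managed baseline (constructed data)."""
import re

# Constructed /etc/crontab contents (not from a real host). The first two
# entries are in the approved baseline; the last two are not.
SAMPLE_CRONTAB = """\
# /etc/crontab - system-wide crontab
0 2 * * * root /usr/local/sbin/backup.sh
*/15 * * * * root /usr/lib/monitoring/heartbeat
*/5 * * * * root /tmp/.x/update.sh
@reboot root /dev/shm/.cache/run
"""

# Approved (schedule, user, command) tuples from change management (assumed).
APPROVED_BASELINE = {
    ("0 2 * * *", "root", "/usr/local/sbin/backup.sh"),
    ("*/15 * * * *", "root", "/usr/lib/monitoring/heartbeat"),
}
# Package-managed, signed software is not expected to run from these paths.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Either an @keyword schedule or five whitespace-separated time fields,
# then the user (system crontab format), then the command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})\s*(\S+)\s+(.+)$")


def parse_crontab(text):
    """Return (schedule, user, command) for each non-comment entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2), m.group(3)))
    return entries


def audit_crontab(text, baseline=APPROVED_BASELINE):
    """Flag entries that are not in the baseline or run from untrusted paths."""
    findings = []
    for schedule, user, command in parse_crontab(text):
        reasons = []
        if (schedule, user, command) not in baseline:
            reasons.append("not in change-managed baseline")
        if command.split()[0].startswith(UNTRUSTED_PREFIXES):
            reasons.append("runs from untrusted path")
        if reasons:
            findings.append({"schedule": schedule, "user": user,
                             "command": command, "reasons": reasons})
    return findings
```

Each finding carries the reasons it tripped, so an analyst can see whether an entry is merely undocumented or also points at a world-writable staging directory, which is the stronger persistence signal.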