CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 14 Q196-210

Question 196

A SOC analyst notices Linux endpoints attempting to modify system binaries and libraries during off-hours. The scripts performing these actions are undocumented and executed with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine system maintenance; allow modifications.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured package management; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine system maintenance. Legitimate maintenance uses approved procedures, is scheduled, and employs verified scripts. Modifying system binaries and libraries off-hours with undocumented scripts indicates anomalous behavior. Allowing this could enable malware to persist, evade detection, and compromise system integrity. Routine maintenance is predictable and auditable, unlike undocumented modifications.

Option B is correct. Malware frequently modifies system binaries and libraries to maintain persistence and evade detection mechanisms. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and attempts to modify critical system files. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing the scripts to determine malware behavior, including persistence mechanisms and potential backdoors. Remediation involves restoring modified binaries and libraries from trusted backups, cleaning endpoints, updating monitoring rules to detect unauthorized modifications, and auditing similar systems for comparable activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, escalate privileges, evade detection, and compromise sensitive systems.

Option C assumes misconfigured package management. Misconfigurations generally produce predictable errors or warnings and do not explain the off-hours execution of undocumented scripts modifying critical system files. Treating this as benign risks persistent malware activity and potential system compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying critical system files are inconsistent with legitimate testing. Misclassification risks persistent malware activity, system compromise, and data integrity issues.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining system integrity, endpoint security, and regulatory compliance.

Question 197

A SOC analyst detects Windows endpoints executing scripts that attempt to export system credentials and registry hives to unknown external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine system backup; allow activity.
B) Malware performing credential theft and data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured backup policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes a routine system backup. Legitimate backups are scheduled, documented, and use verified tools targeting approved destinations. Exporting system credentials and registry hives off-hours to unknown external servers with unsigned scripts indicates anomalous behavior. Allowing this could enable malware to steal credentials, exfiltrate sensitive data, and compromise system security. Routine backups are auditable and predictable, unlike unauthorized scripts.

Option B is correct. Malware frequently targets system credentials, registry data, and sensitive information for exfiltration. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and attempts to communicate with unknown external destinations. Immediate SOC response involves isolating affected endpoints to prevent further data exfiltration, capturing network traffic for analysis, and performing endpoint forensics to identify the nature and scope of compromised data. Remediation includes cleaning affected endpoints, resetting compromised credentials, blocking malicious external IPs, updating monitoring rules for unauthorized data exports, and auditing similar endpoints for suspicious activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity allows persistent malware to harvest credentials, exfiltrate sensitive data, and compromise the security of additional systems.

Option C assumes misconfigured backup policies. Misconfigurations typically cause errors or failed backups and do not explain off-hours, unsigned scripts exporting sensitive data. Treating this as benign risks persistent malware activity and credential compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of scripts exporting credentials and registry data is inconsistent with legitimate testing. Misclassification risks credential theft, unauthorized access, and regulatory violations.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, data confidentiality, and system integrity.

Question 198

A SOC analyst observes Linux endpoints executing scripts that attempt to disable AppArmor and modify firewall rules during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine system configuration; allow activity.
B) Malware attempting persistence and evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured AppArmor and firewall policies; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine system configuration. Legitimate configuration changes are scheduled, documented, and use approved tools. Off-hours execution of undocumented scripts that disable security mechanisms like AppArmor and modify firewall rules indicates anomalous behavior. Allowing this could enable malware to bypass security controls, persist undetected, and compromise endpoints. Routine configuration changes are auditable and predictable, unlike unauthorized scripts.

Option B is correct. Malware often disables security mechanisms such as AppArmor and modifies firewall rules to evade detection and maintain persistence. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and unauthorized modifications to security controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and potential lateral movement. Remediation includes restoring AppArmor policies, resetting firewall rules, cleaning endpoints, updating monitoring rules, and auditing similar endpoints. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise sensitive systems.

Option C assumes misconfigured AppArmor or firewall policies. Misconfigurations generally produce predictable errors or failures and do not explain off-hours, undocumented scripts disabling security mechanisms. Treating this as benign risks persistent malware activity and system compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts modifying security mechanisms are inconsistent with legitimate testing. Misclassification risks persistent malware activity, security evasion, and endpoint compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance.

Question 199

A SOC analyst detects Windows endpoints executing scripts attempting to create unauthorized scheduled tasks and modify Group Policy Objects during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine administrative tasks; allow activity.
B) Malware attempting persistence and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured scheduled tasks; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine administrative tasks. Legitimate tasks are scheduled, documented, and performed using approved tools. Off-hours execution of unsigned scripts that create scheduled tasks and modify Group Policy Objects indicates anomalous activity. Allowing this could enable malware to escalate privileges, persist, and compromise endpoints. Routine administrative tasks are auditable and predictable.

Option B is correct. Malware often creates unauthorized scheduled tasks and modifies Group Policy Objects to maintain persistence and escalate privileges. Indicators include off-hours activity, elevated privileges, execution by undocumented scripts, and unauthorized configuration changes. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and intended modifications. Remediation includes removing unauthorized scheduled tasks, restoring Group Policy Objects, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to maintain elevated access, persist, and compromise additional systems.

Option C assumes misconfigured scheduled tasks. Misconfigurations typically produce predictable errors and do not explain off-hours, unsigned scripts creating tasks and modifying policies. Treating this as benign risks persistent malware activity and privilege escalation.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours execution of undocumented scripts modifying policies is inconsistent with legitimate testing. Misclassification risks persistent malware activity and endpoint compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and system integrity.

Question 200

A SOC analyst observes Linux endpoints executing scripts attempting to upload internal files to external servers using unauthorized accounts during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine file backup; allow activity.
B) Malware performing data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured file transfer services; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine file backup. Legitimate backups are scheduled, documented, and use approved credentials to known destinations. Off-hours uploads using unauthorized accounts via undocumented scripts indicate anomalous activity. Allowing this could enable malware to exfiltrate sensitive data and compromise confidentiality. Routine backups are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware often exfiltrates data to external servers for financial gain, espionage, or sabotage. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, targeting sensitive data, and use of unauthorized accounts. Immediate SOC response involves isolating affected endpoints to prevent further data transfer, capturing network traffic for forensic analysis, and analyzing scripts to determine exfiltrated data. Remediation includes cleaning endpoints, blocking malicious IPs, updating monitoring rules, and auditing sensitive file repositories. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to compromise sensitive systems and exfiltrate critical data.

Option C assumes misconfigured file transfer services. Misconfigurations typically produce predictable errors or failed transfers and do not explain off-hours unauthorized uploads. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized uploads from undocumented scripts are inconsistent with legitimate testing. Misclassification risks persistent malware activity, data exfiltration, and regulatory violations.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining data confidentiality, endpoint security, and system integrity.

Question 201

A SOC analyst detects Windows endpoints executing scripts that attempt to disable security updates and uninstall antivirus software during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine system maintenance; allow activity.
B) Malware attempting persistence and security evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured update policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine system maintenance. Legitimate maintenance is scheduled, documented, and uses approved tools. Disabling security updates and uninstalling antivirus software via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to evade detection, persist undetected, and compromise endpoints. Routine maintenance is predictable, auditable, and follows change management procedures, unlike unauthorized scripts.

Option B is correct. Malware frequently disables security updates and antivirus software to maintain persistence and evade detection. Indicators include off-hours execution, elevated privileges, execution by unsigned scripts, and unauthorized modifications to system security controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and potential impact. Remediation includes restoring security updates, reinstalling antivirus software, cleaning endpoints, updating monitoring rules to detect unauthorized activity, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise additional endpoints, potentially leading to data loss or lateral movement.

Option C assumes misconfigured update policies. Misconfigurations typically produce predictable errors or failed updates and do not explain off-hours, unsigned scripts disabling security mechanisms. Treating this as benign risks persistent malware activity and endpoint compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts disabling security mechanisms are inconsistent with legitimate testing. Misclassification risks malware persistence, evasion, and system compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and system integrity.

Question 202

A SOC analyst observes Linux endpoints executing scripts that attempt to create unauthorized user accounts and modify sudoers files during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine administrative tasks; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured sudoers files; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine administrative tasks. Legitimate administrative changes are scheduled, documented, and follow change management procedures. Creating unauthorized user accounts and modifying sudoers files via undocumented scripts during off-hours indicates anomalous activity. Allowing this could enable malware to escalate privileges, persist, and compromise endpoints. Routine administrative tasks are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware often creates unauthorized accounts and modifies sudoers files to escalate privileges and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to access controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior. Remediation includes restoring sudoers files, removing unauthorized accounts, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to escalate privileges, persist undetected, and compromise sensitive systems.

Option C assumes misconfigured sudoers files. Misconfigurations typically produce predictable failures affecting limited accounts and do not explain off-hours, undocumented scripts creating accounts and modifying files. Treating this as benign risks persistent malware activity and privilege escalation.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts modifying sudoers files and creating accounts are inconsistent with legitimate testing. Misclassification risks persistent malware activity and endpoint compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining system security and integrity.

Question 203

A SOC analyst detects Windows endpoints executing scripts that attempt to export Active Directory configuration and password hashes to unknown external servers during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine AD backup; allow activity.
B) Malware performing credential theft and data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured AD policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes a routine Active Directory backup. Legitimate AD backups are scheduled, documented, use approved tools, and target known destinations. Exporting AD configurations and password hashes off-hours via unsigned scripts indicates anomalous activity. Allowing this could enable malware to steal credentials, exfiltrate sensitive data, and compromise system security. Routine backups are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware frequently targets Active Directory configurations and password hashes to escalate privileges and access sensitive resources. Indicators include off-hours activity, execution by unsigned scripts, elevated privileges, and communication with unknown external servers. Immediate SOC response involves isolating affected endpoints to prevent further data exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine what data may have been accessed or exfiltrated. Remediation includes cleaning endpoints, resetting compromised credentials, blocking malicious IPs, updating monitoring rules, and auditing AD policies. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to compromise directory services, steal credentials, and compromise organizational security.

Option C assumes misconfigured AD policies. Misconfigurations typically produce predictable errors or limited impact and do not explain off-hours, unsigned scripts exfiltrating AD data. Treating this as benign risks persistent malware activity and credential compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours undocumented scripts exporting AD data are inconsistent with legitimate testing. Misclassification risks credential theft, data exfiltration, and regulatory violations.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining Active Directory security and system integrity.

Question 204

A SOC analyst detects Linux endpoints executing scripts attempting to disable audit logs and security monitoring agents during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine system maintenance; allow activity.
B) Malware attempting evasion and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured logging policies; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine system maintenance. Legitimate maintenance is scheduled, documented, and uses approved tools. Disabling audit logs and security monitoring agents via undocumented scripts during off-hours indicates anomalous activity. Allowing this could enable malware to evade detection, persist undetected, and compromise endpoints. Routine maintenance is predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware frequently disables auditing and monitoring to avoid detection and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to security controls. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and potential impact. Remediation includes restoring audit logs and monitoring agents, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise system security.

Option C assumes misconfigured logging policies. Misconfigurations usually produce predictable errors or failed audits and do not explain off-hours execution of undocumented scripts. Treating this as benign risks persistent malware activity and system compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts disabling auditing and monitoring are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and endpoint compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance.

Question 205

A SOC analyst observes Windows endpoints executing scripts attempting to exfiltrate sensitive files to unknown external servers using unauthorized accounts during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine file backup; allow activity.
B) Malware performing data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured file transfer services; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine file backup. Legitimate backups are scheduled, documented, and use approved credentials targeting known destinations. Off-hours uploads to unknown external servers using unauthorized accounts via unsigned scripts indicate anomalous activity. Allowing this could enable malware to exfiltrate sensitive data and compromise confidentiality. Routine backups are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware frequently exfiltrates sensitive files for financial gain, espionage, or sabotage. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, targeting sensitive data, and use of unauthorized accounts. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine exfiltrated data. Remediation includes cleaning endpoints, blocking malicious external IPs, updating monitoring rules, and auditing sensitive file repositories. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, exfiltrate data, and compromise organizational confidentiality.

Option C assumes misconfigured file transfer services. Misconfigurations typically cause predictable failures or limited errors and do not explain off-hours unauthorized uploads. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized uploads from undocumented scripts are inconsistent with legitimate testing. Misclassification risks persistent malware activity, data exfiltration, and regulatory violations.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining data confidentiality, endpoint security, and system integrity.

Question 206

A SOC analyst observes Linux endpoints executing scripts that attempt to install rootkits and modify kernel modules during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine kernel updates; allow activity.
B) Malware attempting persistence and root-level compromise; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured kernel module policies; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine kernel updates. Legitimate updates are scheduled, documented, and use verified packages. Off-hours installation of rootkits and modification of kernel modules via undocumented scripts indicates anomalous activity. Allowing this could enable malware to compromise root privileges, persist undetected, and manipulate system behavior. Routine updates are predictable, auditable, and follow strict change management policies, unlike unauthorized scripts.

Option B is correct. Malware frequently installs rootkits and modifies kernel modules to maintain persistence, escalate privileges, and evade detection. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to critical system components. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and logs for forensic analysis, and analyzing scripts to identify malware behavior and potential impact on system integrity. Remediation includes restoring kernel modules from trusted backups, removing rootkits, cleaning endpoints, updating monitoring rules to detect unauthorized modifications, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist at the root level, evade detection, escalate privileges, and compromise critical systems.

Option C assumes misconfigured kernel module policies. Misconfigurations typically produce predictable errors or prevent specific modules from loading, and do not explain off-hours execution of undocumented scripts modifying kernel modules. Treating this as benign risks persistent malware activity, privilege escalation, and root-level compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts installing rootkits and modifying kernel modules are inconsistent with legitimate testing. Misclassification risks persistent malware activity, root-level compromise, and system integrity issues.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and regulatory compliance.

Question 207

A SOC analyst detects Windows endpoints executing scripts that attempt to disable Windows Defender, modify registry autorun keys, and execute scheduled tasks during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine administrative tasks; allow activity.
B) Malware attempting persistence and security evasion; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured security policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine administrative tasks. Legitimate administrative changes are scheduled, documented, and use approved tools. Disabling Windows Defender, modifying autorun registry keys, and creating scheduled tasks via unsigned scripts during off-hours indicates anomalous activity. Allowing this could enable malware to persist, evade detection, and compromise endpoints. Routine administrative tasks are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware frequently modifies registry keys, disables security software, and creates scheduled tasks to maintain persistence and evade detection. Indicators include off-hours activity, elevated privileges, execution by unsigned scripts, and unauthorized modifications to system security configurations. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and potential impact. Remediation includes restoring Windows Defender, removing unauthorized autorun keys and scheduled tasks, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, evade detection, and compromise endpoints and potentially the broader network.

Option C assumes misconfigured security policies. Misconfigurations generally produce predictable errors or prevent enforcement, but do not explain off-hours, unsigned script execution. Treating this as benign risks persistent malware activity and endpoint compromise.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts modifying security mechanisms are inconsistent with legitimate testing. Misclassification risks persistent malware activity, evasion, and endpoint compromise.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining system security and endpoint integrity.

Question 208

A SOC analyst observes Linux endpoints executing scripts that attempt to exfiltrate authentication tokens and configuration files to external servers during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine file backup; allow activity.
B) Malware performing credential theft and data exfiltration; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured file storage services; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine file backup. Legitimate backups are scheduled, documented, and use approved credentials and destinations. Exfiltration of authentication tokens and configuration files off-hours via undocumented scripts indicates anomalous behavior. Allowing this could enable malware to compromise credentials, extract sensitive data, and persist undetected. Routine backups are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware frequently targets authentication tokens and configuration files to gain unauthorized access, escalate privileges, or exfiltrate sensitive information. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and communication with unknown external servers. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic for forensic analysis, and analyzing scripts to determine what data has been targeted. Remediation includes cleaning endpoints, resetting compromised credentials, blocking malicious IPs, updating monitoring rules, and auditing sensitive directories. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows persistent malware to compromise authentication mechanisms, exfiltrate critical data, and expand control across the network.

Option C assumes misconfigured file storage services. Misconfigurations typically produce predictable failures or limited errors and do not explain off-hours unauthorized uploads. Treating this as benign risks persistent malware activity.

Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours, undocumented scripts uploading authentication tokens are inconsistent with legitimate testing. Misclassification risks persistent malware activity, credential theft, and regulatory violations.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, credential integrity, and data confidentiality.

Question 209

A SOC analyst detects Windows endpoints executing scripts that attempt to create unauthorized service accounts and modify domain group memberships during off-hours. The scripts are unsigned and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine administrative tasks; allow activity.
B) Malware attempting privilege escalation and persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Active Directory policies; update configuration.
D) User testing; notify users.

Answer: B)

Explanation:

Option A assumes routine administrative tasks. Legitimate changes are scheduled, documented, and follow approved procedures. Creating unauthorized service accounts and modifying group memberships via unsigned scripts during off-hours indicate anomalous activity. Allowing this could enable malware to escalate privileges, persist, and compromise endpoints and domain resources. Routine administrative changes are predictable and auditable, unlike unauthorized scripts.

Option B is correct. Malware frequently creates unauthorized service accounts and modifies group memberships to escalate privileges and maintain persistence. Indicators include off-hours execution, elevated privileges, execution by undocumented scripts, and unauthorized modifications to Active Directory configurations. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior. Remediation includes removing unauthorized accounts, restoring correct group memberships, cleaning endpoints, updating monitoring rules, and auditing similar systems. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to persist, escalate privileges, and compromise domain-level resources, potentially facilitating lateral movement.

Option C assumes that unusual off-hours activity, specifically the execution of unsigned scripts creating service accounts, can be attributed to misconfigured Active Directory (AD) policies. Active Directory is a critical component of enterprise IT infrastructure, responsible for authentication, authorization, and centralized management of user accounts, groups, and security policies. Misconfigurations in AD can occur for a variety of reasons, such as incorrect group policy settings, improperly delegated administrative rights, or incorrect application of account restrictions. These misconfigurations generally produce predictable and limited effects, such as preventing specific users from accessing resources, triggering failed authentication events, or generating alerts for improperly applied permissions. Typically, these issues are confined to specific accounts or organizational units and can be identified and corrected through standard administrative oversight.

In contrast, off-hours execution of unsigned scripts creating new service accounts is highly inconsistent with the effects of misconfigured AD policies. Misconfigurations do not autonomously execute scripts, create accounts, or perform actions outside the bounds of defined administrative processes. Unsigned scripts running off-hours indicate deliberate activity, suggesting the presence of malware or an insider threat attempting to establish persistent access and escalate privileges. These scripts may bypass standard monitoring and logging mechanisms, allowing unauthorized actors to maintain control over critical systems while remaining undetected. Treating such activity as benign based on assumptions of misconfiguration exposes the organization to significant risk, including persistent malware activity and unauthorized privilege escalation.

Option D assumes that off-hours execution of unsigned scripts creating service accounts is the result of legitimate user testing. While testing is a normal part of IT operations, it is typically structured, scheduled, and documented. Authorized testing follows predefined procedures, involves known accounts and endpoints, and is executed in controlled environments to avoid unintended disruption or security risks. Legitimate testing does not involve creating service accounts without prior approval, modifying security policies, or executing unsigned scripts outside of monitored operational windows. Off-hours execution of undocumented scripts represents activity outside of approved procedures, indicating that these actions are unauthorized and potentially malicious.

Misclassifying such activity as legitimate testing carries substantial risks. Service accounts created by unauthorized scripts can provide persistent elevated access across multiple systems, allowing attackers or malware to bypass normal user restrictions and escalate privileges. These accounts can be leveraged to manipulate permissions, modify critical configurations, or move laterally across the domain, increasing the scope of compromise. Persistent malware using these service accounts can exfiltrate sensitive data, alter system configurations, or deploy additional malicious payloads, all while remaining largely invisible to monitoring tools. Off-hours activity further compounds the risk by taking advantage of periods of reduced administrative oversight, minimizing the likelihood of detection and intervention.

Effective response requires thorough verification, monitoring, and correlation of observed activity with documented operational procedures. Security teams should analyze AD logs, account creation events, and script execution records to determine the legitimacy of off-hours activity. Endpoint and process forensics, memory analysis, and behavioral baselines can help distinguish between authorized administrative actions and malicious activity. Network monitoring can reveal whether newly created service accounts are being used to access sensitive systems or exfiltrate data. Any deviation from scheduled, documented, and authorized procedures should be treated as suspicious until fully verified.

While misconfigured Active Directory policies or routine user testing can account for minor anomalies, they do not explain off-hours, unsigned script activity that creates service accounts. Such activity is highly inconsistent with benign misconfigurations or legitimate testing practices and strongly suggests malicious intent. Misclassification risks persistent malware operations, privilege escalation, and domain-wide compromise. Accurate verification, monitoring, and timely remediation are essential to identify unauthorized scripts, secure the Active Directory environment, and prevent attackers from establishing persistent control over critical systems. By maintaining strict oversight, ensuring all administrative and testing activities are documented, and promptly investigating anomalies, organizations can safeguard domain integrity, protect sensitive data, and mitigate the risk of extended compromise by malicious actors.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining domain security and system integrity.
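The explanation above says the SOC should correlate AD account-creation events, group-membership changes and script-execution records against documented procedures. The following Python is an added example of that correlation written for this question; it is not exam material or any vendor's tooling. The Windows Security event IDs it uses (4688 process creation, 4720 user account created, 4728 and 4732 member added to a security-enabled group) are real, while every host, account, group, timestamp and the business-hours window are constructed assumptions. Because 4720/4728/4732 are logged on the domain controller while 4688 is logged on the endpoint where the script ran, the join key is the acting account plus a time window, not the host.

```python
"""Correlate constructed Windows Security events to flag off-hours account
creation and group-membership changes that do not match an approved process.

Added example, not part of the exam page. Event IDs 4688, 4720, 4728 and
4732 are real Windows Security log IDs; every host, account, group and
timestamp below is constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Local-time window in which approved administrative changes normally happen (assumed).
BUSINESS_START, BUSINESS_END = 7, 19

# Accounts allowed to provision users or change group membership (constructed).
APPROVED_ADMINS = {"CORP\\svc-iam-provisioner"}

# Groups whose membership changes always deserve review (constructed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

SENSITIVE_EVENTS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
}


@dataclass
class WinEvent:
    ts: datetime
    event_id: int
    host: str              # where the event was logged (DC for AD changes, endpoint for 4688)
    subject: str           # account that performed the action
    target: str = ""       # account created or group modified
    process: str = ""      # 4688 only: command line of the new process
    signed: bool = True    # 4688 only: script carried a valid signature (constructed flag)


@dataclass
class Finding:
    event: WinEvent
    reasons: List[str] = field(default_factory=list)


def is_off_hours(ts: datetime) -> bool:
    """Weekends, or any weekday time outside the business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def preceding_unsigned_script(ev: WinEvent, events: List[WinEvent],
                              window: timedelta) -> Optional[WinEvent]:
    """A 4688 for an unsigned script run by the same account shortly before
    the sensitive event ties the directory change to that script."""
    for e in events:
        if (e.event_id == 4688 and not e.signed and e.subject == ev.subject
                and timedelta(0) <= ev.ts - e.ts <= window):
            return e
    return None


def review_events(events: List[WinEvent],
                  window: timedelta = timedelta(minutes=15)) -> List[Finding]:
    """Score each account/group change; two or more deviations from the
    documented process make it an incident candidate rather than a ticket."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id not in SENSITIVE_EVENTS:
            continue
        reasons = []
        if is_off_hours(ev.ts):
            reasons.append("off-hours")
        if ev.subject not in APPROVED_ADMINS:
            reasons.append(f"{ev.subject} is not an approved provisioning account")
        if ev.target in PRIVILEGED_GROUPS:
            reasons.append(f"privileged group {ev.target} modified")
        script = preceding_unsigned_script(ev, events, window)
        if script is not None:
            reasons.append(f"preceded by unsigned script: {script.process}")
        if len(reasons) >= 2:
            findings.append(Finding(ev, reasons))
    return findings


def sample_events() -> List[WinEvent]:
    """Constructed sample: a Sunday 02:14 unsigned script on a workstation,
    then an account creation and a Domain Admins change on the DC by the same
    user, followed by a normal Monday provisioning run."""
    d = datetime
    return [
        WinEvent(d(2024, 3, 3, 2, 14), 4688, "WS-042", "CORP\\jdoe",
                 process="powershell.exe -File C:\\Temp\\update.ps1", signed=False),
        WinEvent(d(2024, 3, 3, 2, 15), 4720, "DC01", "CORP\\jdoe", target="CORP\\svc-backup2"),
        WinEvent(d(2024, 3, 3, 2, 16), 4728, "DC01", "CORP\\jdoe", target="Domain Admins"),
        WinEvent(d(2024, 3, 4, 10, 30), 4720, "DC01", "CORP\\svc-iam-provisioner", target="CORP\\a.smith"),
        WinEvent(d(2024, 3, 4, 11, 0), 4732, "DC01", "CORP\\svc-iam-provisioner", target="Remote Desktop Users"),
    ]


if __name__ == "__main__":
    for f in review_events(sample_events()):
        print(f"{f.event.ts:%Y-%m-%d %H:%M} {f.event.host} {SENSITIVE_EVENTS[f.event.event_id]}")
        for r in f.reasons:
            print("   -", r)
```

Run on the constructed sample, the two Sunday-night changes by CORP\jdoe are reported with three and four reasons respectively, and the Monday provisioning run by the approved account produces nothing. The threshold of two deviations is a design choice: a single off-hours change by an approved account is a ticket to confirm against the change calendar, while an unapproved account changing a privileged group right after an unsigned script is the containment-first scenario the question describes.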

Question 210

A SOC analyst observes Linux endpoints executing scripts that attempt to modify SSH configuration files and establish unauthorized root logins during off-hours. The scripts are undocumented and run with elevated privileges. What is the most likely threat, and what should the SOC do first?

A) Routine SSH configuration; allow activity.
B) Malware attempting persistence and privilege escalation; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SSH policies; update configuration.
D) User testing; verify with IT.

Answer: B)

Explanation:

Option A assumes routine SSH configuration. Legitimate SSH changes are scheduled, documented, and performed using approved tools. Modifying SSH configuration files and establishing unauthorized root logins via undocumented scripts during off-hours indicate anomalous behavior. Allowing this could enable malware to escalate privileges, persist undetected, and compromise endpoints. Routine SSH configuration is auditable and predictable, unlike unauthorized scripts.

Option B is correct. Malware often modifies SSH configuration files and establishes unauthorized root access to maintain persistence, escalate privileges, and enable remote control. Indicators include off-hours activity, execution by undocumented scripts, elevated privileges, and unauthorized changes to critical configuration files. Immediate SOC response involves isolating affected endpoints, capturing memory and logs for forensic analysis, and analyzing scripts to determine malware behavior and the scope of potential compromise. Remediation includes restoring SSH configurations from trusted backups, removing unauthorized root access, cleaning endpoints, updating monitoring rules to detect anomalous SSH activity, and auditing similar endpoints. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and strengthens threat intelligence. Ignoring this activity allows malware to maintain persistent root access, evade detection, and compromise critical systems.

Option C assumes misconfigured SSH policies. Misconfigurations typically produce predictable errors or limited access issues and do not explain off-hours unauthorized modifications to SSH configurations. Treating this as benign risks persistent malware activity, privilege escalation, and system compromise.

Option D assumes that unusual off-hours activity, such as the execution of undocumented scripts that modify SSH configurations and create root logins, can be attributed to legitimate user testing. In enterprise environments, user testing is an essential part of operational processes, including verifying system functionality, validating security controls, or assessing software performance. However, legitimate testing is structured, scheduled, and thoroughly documented. Approved scripts are executed in controlled conditions, with oversight from system administrators or security personnel, and involve known endpoints and accounts. This structure ensures that testing does not disrupt production environments or create inadvertent security risks. Predictability, transparency, and adherence to defined procedures are fundamental characteristics of legitimate testing.

The scenario described—off-hours execution of undocumented scripts that modify SSH configurations and create root logins—is inconsistent with these principles. SSH configuration changes and creation of root accounts are high-impact actions that can directly affect system security and operational stability. Legitimate testing rarely requires changes to SSH configurations, especially in an undocumented or off-hours manner. Similarly, creating root logins outside of approved procedures is not standard practice and violates organizational security policies. Off-hours execution further increases suspicion because testing activities are generally scheduled during approved maintenance windows or supervised periods to ensure monitoring and rapid response if issues arise. The use of undocumented scripts implies that these actions were performed without authorization, and the modifications target system controls in a way that aligns with tactics used by malicious actors to gain persistent access.

Misclassifying this activity as benign testing introduces substantial risks. Modifying SSH configurations and creating root accounts are classic techniques used by attackers and malware to establish persistent access to systems. By creating root logins, unauthorized users gain elevated privileges, enabling them to bypass standard security controls, manipulate system configurations, install additional malicious software, and escalate privileges further across the network. Unauthorized SSH modifications may disable security restrictions, allow remote access from untrusted hosts, or weaken encryption standards, all of which facilitate ongoing compromise and reduce the effectiveness of monitoring and intrusion detection mechanisms. Persistent malware or attackers leveraging these changes can move laterally, exfiltrate sensitive data, or compromise additional endpoints without immediate detection.

Effective response requires careful verification, monitoring, and correlation of activity with documented operational procedures. Security teams should analyze system logs, including SSH configuration changes, account creation events, and script execution records, to determine the origin and intent of these actions. Endpoint forensics, memory inspection, and process analysis can identify whether the scripts are authorized testing tools or unauthorized malicious code. Network monitoring and anomaly detection can help determine whether the modified SSH configurations are being exploited to facilitate unauthorized access or lateral movement. Behavioral baselines for typical administrative activity can further assist in distinguishing legitimate testing from suspicious behavior.

Failure to properly classify off-hours activity involving SSH and root modifications risks allowing attackers to maintain long-term access, escalate privileges, and compromise additional systems. Such misclassification can result in persistent malware operations, unauthorized control over endpoints, and eventual data exfiltration. The longer these actions go undetected, the more difficult remediation becomes, as attackers may establish backdoors, modify logs, or implement evasion techniques to conceal their activity.

While user testing is a legitimate operational activity, off-hours execution of undocumented scripts that modify SSH configurations and create root logins is highly inconsistent with approved testing practices. Legitimate testing is scheduled, documented, and predictable, and does not involve bypassing security controls or creating persistent elevated access. Misclassification of such activity as benign testing introduces serious risks, including persistent malware presence, privilege escalation, and endpoint compromise. Verification, investigation, and remediation are critical to ensuring that unauthorized scripts are identified and neutralized, system integrity is maintained, and organizational networks are protected. Accurate monitoring and strict adherence to operational documentation are essential to prevent attackers from exploiting misclassified activity to establish long-term persistence and expand control over critical systems.

Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security, system integrity, and administrative control.
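The explanation above calls for analysing SSH configuration changes and root login events and for monitoring rules that detect anomalous SSH activity. The Python below is an added example of both checks, written for this question; it is not exam material or any project's code. The sshd_config snapshots, auth.log lines, hostnames, addresses, business-hours window and the internal address ranges are all constructed. One detail it relies on is real sshd behaviour: for each keyword sshd uses the first value it reads, so a directive inserted at the top of the file overrides a hardened value further down and a plain grep for the hardened line still matches.

```python
"""Detect weakened sshd_config directives and off-hours root logins from
constructed inputs.

Added example, not part of the exam page. The config snapshots, log lines,
hosts, addresses and internal ranges are constructed; the first-value rule
for sshd directives is real (sshd_config(5): the first obtained value wins).
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hardened values the organisation expects (constructed baseline), keyed lower-case.
HARDENED_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed
BUSINESS_START, BUSINESS_END = 7, 19  # assumed approved-change window

BASELINE_SSHD_CONFIG = """\
# constructed golden config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

# Constructed "after" snapshot: the line added at the top shadows the hardened
# value further down, so a grep for "PermitRootLogin no" still succeeds.
CURRENT_SSHD_CONFIG = """\
PermitRootLogin yes
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
"""

# Constructed auth.log excerpt (203.0.113.0/24 is a documentation range).
SAMPLE_AUTH_LOG = """\
Mar  4 02:21:07 web-07 sshd[2143]: Accepted password for root from 203.0.113.45 port 50122 ssh2
Mar  4 02:21:09 web-07 sshd[2143]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  4 09:15:33 web-07 sshd[2201]: Accepted publickey for deploy from 10.0.4.12 port 41002 ssh2
"""


def parse_sshd_config(text):
    """Effective top-level directives, keyed lower-case. Like sshd, keep the
    FIRST value seen for a keyword; stop at the first Match block, whose
    directives are conditional and need per-user evaluation."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def config_drift(baseline_text, current_text):
    """(directive, before, after, weakened) for each baseline directive whose
    effective value differs between the two snapshots."""
    base, cur = parse_sshd_config(baseline_text), parse_sshd_config(current_text)
    drift = []
    for key, safe in HARDENED_BASELINE.items():
        before, after = base.get(key, "<default>"), cur.get(key, "<default>")
        if before != after:
            drift.append((key, before, after, after.lower() != safe))
    return drift


LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def suspicious_logins(log_text, year):
    """Flag accepted SSH logins that deviate from policy. Syslog timestamps
    carry no year, so the caller supplies it."""
    flagged = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        reasons = []
        if m["user"] == "root":
            reasons.append("direct root login")
        if m["method"] == "password":
            reasons.append("password authentication")
        if ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END):
            reasons.append("off-hours")
        if not any(ip_address(m["ip"]) in net for net in INTERNAL_NETS):
            reasons.append(f"source {m['ip']} outside internal ranges")
        if reasons:
            flagged.append({"ts": ts, "host": m["host"], "user": m["user"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for key, before, after, weakened in config_drift(BASELINE_SSHD_CONFIG, CURRENT_SSHD_CONFIG):
        print(f"{key}: {before} -> {after}{'  WEAKENED' if weakened else ''}")
    for f in suspicious_logins(SAMPLE_AUTH_LOG, year=2024):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['host']} {f['user']}: {', '.join(f['reasons'])}")
```

On the constructed input the drift check reports PermitRootLogin and PasswordAuthentication as weakened even though the hardened lines are still present in the file, and the login check flags only the 02:21 password login as root from an external address; the deploy user's key-based login during business hours from an internal range produces nothing. Comparing effective values against a golden snapshot, rather than searching the file for expected strings, is the caveat the first-value rule forces on any SSH configuration monitoring rule.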