CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 9 Q121-135
Question 121
A SOC analyst observes multiple Windows endpoints initiating outbound SMB connections to unknown external IPs. These connections occur off-hours, are executed by unsigned scripts, and attempt to copy system files. What is the most likely threat, and what should the SOC do first?
A) Routine file synchronization; allow connections.
B) Malware attempting lateral movement and exfiltration; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured SMB shares; update configuration.
D) User testing of file sharing; notify users.
Answer: B)
Explanation:
Option A assumes routine file synchronization. Legitimate synchronization is scheduled, uses approved processes, and targets known network locations. Persistent off-hours outbound SMB connections to unknown external IPs executed by unsigned scripts suggest malicious activity. Allowing this activity could result in unauthorized file access, data exfiltration, and network compromise. File synchronization does not typically attempt to copy system files to unknown external hosts, making this activity highly suspicious.
Option B is correct. Malware often leverages SMB to move laterally and exfiltrate sensitive files. Indicators include off-hours activity, execution by unsigned scripts, copying of system files, and communication with unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and network traffic for forensic analysis, and analyzing the scripts to understand malware behavior and potential persistence mechanisms. Network monitoring and correlation with threat intelligence help identify additional compromised systems and attacker infrastructure. Remediation includes cleaning infected endpoints, restoring access controls, updating firewall and monitoring rules, and continuous network monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance and supports post-incident investigation. Ignoring this activity allows malware to maintain access, compromise additional endpoints, and exfiltrate sensitive data undetected.
Option C assumes misconfigured SMB shares. Misconfigurations typically cause failed connections or limited access issues, not repeated off-hours file copying to unknown external IPs. Treating this as benign could leave malware undetected and active in the network.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable. Execution by unsigned scripts targeting unknown external IPs outside business hours is inconsistent with testing activity. Misclassification could allow attackers to continue lateral movement and data exfiltration without detection.
Selecting option B ensures rapid containment, forensic analysis, and remediation. Isolating endpoints and analyzing memory and scripts helps identify malware activity, restore network security, and improve detection capabilities. This approach balances immediate response with comprehensive investigation while preserving evidence for regulatory and forensic purposes.
Question 122
A SOC analyst identifies Linux endpoints generating frequent outbound SSH connections to multiple external IPs not associated with business operations. The connections occur during off-hours and originate from scripts not approved by IT operations. What is the most likely threat, and what is the immediate SOC response?
A) Routine system administration; allow connections.
B) Malware establishing remote access or tunneling; isolate endpoints, capture network traffic, and analyze scripts.
C) Misconfigured SSH settings; update configuration.
D) User security testing; notify users.
Answer: B)
Explanation:
Option A assumes routine system administration. Administrative SSH activity is scheduled, predictable, and targets known internal or vendor hosts. Repeated off-hours connections to unknown external IPs executed by unapproved scripts indicate malicious behavior. Ignoring this activity could allow malware to maintain covert access, perform lateral movement, or exfiltrate data undetected. Routine administration is auditable, and deviations from standard practices should be investigated.
Option B is correct. Malware often uses SSH to establish remote access, create encrypted tunnels, and evade detection. Indicators include off-hours activity, repeated connections to unknown external IPs, execution by undocumented scripts, and multi-endpoint involvement. Immediate SOC response involves isolating endpoints to prevent lateral movement or further compromise, capturing network traffic to analyze SSH sessions, and performing endpoint forensics to identify malicious processes. Correlating activity with threat intelligence may reveal known attacker infrastructure. Remediation includes cleaning infected endpoints, restricting unauthorized SSH connections through firewall and access control updates, and implementing monitoring rules to detect similar behaviors. Preserving forensic evidence supports regulatory compliance and post-incident analysis. Ignoring this activity risks persistent malware presence, credential theft, and potential data exfiltration.
Option C assumes misconfigured SSH settings. Misconfigurations may result in failed connections, but do not explain repeated unauthorized outbound connections or script execution. Treating this as benign allows malware to operate undetected and persist in the environment.
Option D assumes user security testing. Legitimate testing is scheduled, documented, and predictable. Off-hours execution of unapproved scripts connecting to unknown external IPs is inconsistent with testing, and misclassification could result in continued compromise.
Selecting option B ensures containment, forensic analysis, and remediation. Isolating endpoints, analyzing scripts and network traffic, and monitoring the environment strengthen defenses against persistent malware operations.
Question 123
A SOC analyst observes Windows endpoints executing scripts that repeatedly attempt to delete backup files and modify system restore points during off-hours. The scripts are obfuscated and run under elevated privileges. What is the most likely threat, and what should the SOC do first?
A) Routine system cleanup; allow scripts.
B) Malware attempting to prevent recovery and maintain persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured backup policies; update configuration.
D) User testing scripts; notify users.
Answer: B)
Explanation:
Option A assumes routine system cleanup. Legitimate maintenance follows documented schedules, targets known files, and does not attempt to disable recovery features or delete backups maliciously. Ignoring off-hours obfuscated scripts with elevated privileges could allow malware to prevent recovery, maintain persistence, and evade detection. Cleanup activities do not normally include disabling system restore or tampering with critical backups.
Option B is correct. Malware often targets backup and recovery mechanisms to prevent remediation after compromise. Indicators include off-hours execution, elevated privileges, obfuscation, and deletion or modification of backups and restore points. Immediate SOC response involves isolating affected endpoints, capturing memory and disk images for forensic analysis, and analyzing the scripts to identify persistence and payload delivery mechanisms. Threat intelligence can help identify known malware variants that target backup systems. Remediation includes cleaning affected endpoints, restoring backups, updating monitoring rules to detect similar behaviors, and validating system restore functionality. Preserving forensic evidence ensures regulatory compliance and supports incident investigation. Ignoring this activity could result in irreversible data loss, persistent malware control, and extended operational impact.
Option C assumes misconfigured backup policies. Misconfigurations typically produce errors or failed backups, not off-hours deletion attempts via obfuscated scripts. Treating this as benign allows malware to persist and compromise recovery mechanisms.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours obfuscated scripts tampering with backup files are inconsistent with testing activity. Misclassification risks allowing malware to maintain persistence and compromise critical systems.
Selecting option B ensures immediate containment, forensic analysis, and remediation, protecting the organization’s recovery mechanisms and preventing further malware impact.
Question 124
A SOC analyst observes Linux endpoints performing repeated low-volume HTTPS requests to newly registered domains using dynamically generated subdomains. The activity occurs outside business hours and is associated with undocumented scripts. What is the most likely threat, and what is the immediate SOC response?
A) Normal telemetry; allow requests.
B) Malware using dynamically generated domains for command-and-control; capture traffic, isolate endpoints, and analyze scripts.
C) Misconfigured web services; update configuration.
D) Legitimate cloud service testing; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal telemetry. Legitimate telemetry occurs on known servers and follows predictable schedules. Persistent low-volume off-hours requests to dynamically generated domains indicate anomalous activity. Allowing this could enable malware to maintain command-and-control channels undetected. Telemetry patterns are generally auditable, and deviations from normal activity should be investigated.
Option B is correct. Malware often uses dynamically generated subdomains of newly registered domains to evade detection and maintain command-and-control infrastructure. Indicators include off-hours activity, low-volume but frequent requests, dynamically generated subdomains, and execution by undocumented scripts. Immediate SOC response involves capturing network traffic for analysis, isolating affected endpoints, and performing endpoint forensics to identify malicious scripts. Threat intelligence can reveal associated malicious infrastructure. Remediation includes cleaning endpoints, updating detection rules for dynamic domain patterns, and monitoring for similar activity across the network. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and informs future threat hunting strategies. Ignoring this activity allows malware to maintain persistent access and exfiltrate sensitive information over covert channels.
Option C assumes misconfigured web services. Misconfigurations may generate failed connections or predictable errors, but do not account for off-hours low-volume requests to dynamically generated domains. Treating this as benign allows malware to operate undetected.
Option D assumes legitimate cloud service testing. Testing activity is scheduled, documented, and predictable, typically communicating with known vendor domains. Off-hours dynamic domain requests are inconsistent with testing and may indicate malicious activity.
Selecting option B ensures proper containment, forensic analysis, and remediation while safeguarding endpoints and sensitive data.
Question 125
A SOC analyst identifies endpoints attempting to access multiple database accounts with repeated login failures outside business hours. The attempts are executed by unknown processes and target sensitive financial tables. What is the most likely threat, and what should the SOC do first?
A) Routine database maintenance; allow access.
B) Malware or malicious insider attempting credential harvesting or unauthorized access; isolate endpoints, review logs, and analyze processes.
C) Misconfigured authentication policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine database maintenance. Maintenance is predictable, occurs with authorized accounts, and involves known schedules. Off-hours repeated login failures to multiple sensitive accounts from undocumented processes suggest malicious activity. Ignoring this could result in data theft or unauthorized database access.
Option B is correct. Malware or a malicious insider may attempt unauthorized access to sensitive database accounts to exfiltrate data or escalate privileges. Indicators include off-hours activity, repeated login failures, targeting sensitive financial tables, and execution by unknown processes. Immediate SOC response involves isolating affected endpoints to prevent further unauthorized access, reviewing database and authentication logs to identify impacted accounts, and performing endpoint forensics to identify responsible malware or processes. Remediation includes revoking unauthorized access, cleaning infected endpoints, strengthening authentication mechanisms, updating monitoring and alerting, and validating permissions. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and informs future threat detection. Failure to respond risks data compromise, financial loss, and potential regulatory penalties.
Option C assumes misconfigured authentication policies. Misconfigurations typically result in predictable errors or single-system failures, not repeated off-hours login failures across multiple accounts. Treating this as benign could allow ongoing compromise.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable. Off-hours repeated login attempts by unknown processes are inconsistent with testing and suggest malicious intent.
Selecting option B ensures containment, forensic analysis, and remediation, protecting sensitive database systems, preventing credential compromise, and maintaining operational integrity.
Question 126
A SOC analyst identifies multiple Windows endpoints initiating outbound RDP connections to unknown external IPs outside business hours. The activity is associated with unsigned scripts that attempt privilege escalation. What is the most likely threat, and what is the immediate SOC response?
A) Routine remote administration; allow connections.
B) Malware establishing remote access and lateral movement; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured RDP settings; update configuration.
D) User security testing; notify users.
Answer: B)
Explanation:
Option A assumes routine remote administration. Legitimate remote administration is scheduled, predictable, and uses known IPs or vendor connections. Off-hours connections to unknown external IPs executed by unsigned scripts with privilege escalation are anomalous. Ignoring this activity risks persistent malware access, credential compromise, and lateral movement across the network. Remote administration typically generates logs, uses signed tools, and follows documented procedures. Treating this activity as normal would allow attackers to establish covert channels undetected.
Option B is correct. Malware commonly uses RDP for remote access, lateral movement, and establishing command-and-control channels. Indicators include off-hours activity, execution by unsigned scripts, privilege escalation attempts, and connections to unknown external IPs. Immediate SOC response should involve isolating affected endpoints to prevent lateral movement, capturing memory and RDP session data for forensic analysis, and analyzing the scripts to identify malware behavior. Network traffic should be monitored for unusual communication patterns, and threat intelligence can provide information on known malicious IPs. Remediation includes cleaning endpoints, restoring security configurations, updating firewall and monitoring rules, and performing network-wide scans to identify other potentially compromised systems. Preserving forensic evidence is essential for regulatory compliance, post-incident investigation, and threat intelligence. Ignoring the activity allows malware to persist, exfiltrate sensitive data, and potentially compromise additional endpoints.
Option C assumes misconfigured RDP settings. Misconfigurations typically result in connection errors or single-endpoint issues and do not account for off-hours execution by unsigned scripts or privilege escalation. Treating this as benign would leave malware operational, increasing risk exposure.
Option D assumes user security testing. Legitimate testing is scheduled, documented, and predictable. Execution of unsigned scripts targeting unknown external IPs during off-hours is inconsistent with testing, and misclassification could result in malware persistence and undetected compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while strengthening detection rules and preventing further compromise. Isolating endpoints and analyzing memory and scripts helps the SOC understand malware behavior, restore network security, and prevent lateral movement.
Question 127
A SOC analyst observes Linux endpoints sending persistent low-volume HTTPS requests to newly registered domains using high-entropy subdomains. The activity occurs outside business hours and is executed by undocumented scripts. What is the most likely threat, and what is the SOC’s first response?
A) Normal telemetry; allow traffic.
B) Malware leveraging dynamically generated domains for command-and-control; isolate endpoints, capture traffic, and analyze scripts.
C) Misconfigured web services; update configuration.
D) Legitimate cloud synchronization; verify with vendor.
Answer: B)
Explanation:
Option A assumes normal telemetry. Telemetry occurs in known domains, follows scheduled intervals, and uses approved processes. Persistent low-volume HTTPS requests outside business hours targeting dynamically generated high-entropy subdomains indicate anomalous behavior. Ignoring this activity allows malware to maintain command-and-control communication undetected, potentially exfiltrating sensitive data or coordinating further attacks. Telemetry does not generate high-entropy queries, nor does it operate outside standard schedules.
Option B is correct. Malware frequently employs dynamically generated domains to evade detection and maintain covert channels. Indicators include off-hours execution, low-volume but continuous communication, dynamically generated subdomains, and execution by undocumented scripts. Immediate SOC response involves isolating affected endpoints, capturing network traffic for forensic analysis, and analyzing scripts to understand malware persistence and communication patterns. Correlating captured traffic with threat intelligence can identify malicious infrastructure. Remediation includes cleaning affected endpoints, updating detection rules to detect high-entropy DNS or HTTPS traffic, and monitoring for similar behavior across the network. Preserving forensic evidence ensures regulatory compliance and supports post-incident investigation. Failing to respond could result in sustained malware presence, data exfiltration, and compromise of additional systems.
Option C assumes misconfigured web services. Misconfigurations usually produce failed connections or error messages rather than repeated, low-volume, high-entropy communication. Treating this as benign risks allowing malware to maintain covert channels.
Option D assumes legitimate cloud synchronization. Cloud services operate over known domains and typically during business hours. Off-hours high-entropy communication from undocumented scripts is inconsistent with standard synchronization activity, and misclassification could leave malware active.
Selecting option B ensures containment, forensic analysis, and remediation while protecting endpoints and sensitive data. Isolating endpoints and analyzing scripts allows the SOC to understand attacker infrastructure and prevent ongoing compromise.
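The high-entropy, dynamically generated subdomain pattern described in questions 124 and 127 can be surfaced with a simple detection heuristic. The following is an added example written for this page, not material from the exam or the vendor: it parses constructed proxy log lines (the hostnames, endpoint names and the 08:00-18:59 business-hours window are assumptions), computes Shannon entropy of the leftmost DNS label, and flags hosts that rotate through several distinct high-entropy subdomains under one apex domain outside business hours.

```python
"""Heuristic detection of DGA-style high-entropy subdomains in proxy logs.

Constructed sample data for illustration; the domains, hosts and thresholds
below are assumptions, not values from any real incident.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO timestamp> <src_host> <dst_fqdn> <bytes>"
SAMPLE_LOG = """\
2024-03-12T02:14:07 lx-web-03 k3j9x2q8v7zt1m.update-cdn-metrics.xyz 412
2024-03-12T02:19:11 lx-web-03 p0a8dz4hw2lq9r.update-cdn-metrics.xyz 398
2024-03-12T02:24:03 lx-web-03 mq7v1c5ntb8x0s.update-cdn-metrics.xyz 420
2024-03-12T02:29:15 lx-web-03 z2r6lk9fh4yw3e.update-cdn-metrics.xyz 405
2024-03-12T10:02:44 lx-web-01 telemetry.example-vendor.com 2048
2024-03-12T10:07:44 lx-web-01 telemetry.example-vendor.com 2048
2024-03-12T14:30:00 lx-db-02 www.example.org 15233
2024-03-12T03:05:09 lx-web-07 static.cdn.example.net 9120
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; assumption for this example
ENTROPY_THRESHOLD = 3.5        # bits per character; tune against your own baseline
MIN_LABEL_LEN = 10             # short labels give unreliable entropy estimates
MIN_DISTINCT_SUBDOMAINS = 3    # persistence: several unique labels under one apex

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for empty input)."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_fqdn(fqdn: str):
    """Return (leftmost_label, apex) where apex is the last two labels.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 3:
        return "", ".".join(parts)
    return parts[0], ".".join(parts[-2:])


def is_off_hours(ts: datetime) -> bool:
    return ts.hour not in BUSINESS_HOURS


def find_suspicious(log_text: str):
    """Group off-hours requests whose leftmost label is long and high-entropy
    by (src_host, apex); return only pairs cycling through several labels."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.fromisoformat(m.group(1))
        src, fqdn = m.group(2), m.group(3)
        if not is_off_hours(ts):
            continue
        label, apex = split_fqdn(fqdn)
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            hits[(src, apex)].add(label)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= MIN_DISTINCT_SUBDOMAINS}


if __name__ == "__main__":
    for (src, apex), labels in find_suspicious(SAMPLE_LOG).items():
        print(f"{src} -> {apex}: {len(labels)} distinct high-entropy subdomains off-hours")
```

Only lx-web-03 is reported; the vendor telemetry and the single off-hours CDN request fall below the label-length and persistence thresholds, which is the kind of noise suppression needed before such a rule is pushed to production alerting.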
Question 128
A SOC analyst identifies Windows endpoints executing obfuscated PowerShell scripts that create scheduled tasks, disable antivirus software, and download additional payloads from external IPs. Multiple endpoints are affected outside business hours. What is the most likely threat, and what is the SOC’s immediate response?
A) Routine administrative scripts; allow execution.
B) Fileless malware leveraging PowerShell for persistence and command-and-control; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured scheduled tasks; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate scripts are scheduled, signed, and documented. Off-hours execution, obfuscation, disabling antivirus, and downloading external payloads clearly indicate malicious behavior. Ignoring this activity could allow malware to persist, evade detection, and compromise additional endpoints. Administrative scripts do not usually modify system defenses or download unverified payloads.
Option B is correct. Fileless malware often utilizes PowerShell to execute entirely in memory, maintain persistence via scheduled tasks, disable antivirus for evasion, and download additional payloads. Indicators include off-hours execution, multi-endpoint compromise, obfuscation, and unauthorized scheduled tasks. Immediate SOC response involves isolating endpoints to prevent lateral movement, capturing memory for forensic analysis, and analyzing scripts to understand malware behavior and persistence mechanisms. Network traffic should be examined to identify malicious external IPs, and threat intelligence can help correlate attacker infrastructure. Remediation includes cleaning endpoints, restoring security functions, updating detection rules, and monitoring for similar activity. Preserving forensic evidence supports compliance and incident investigation. Failing to respond allows malware to maintain persistent access, exfiltrate sensitive data, and compromise additional systems.
Option C assumes misconfigured scheduled tasks. Misconfigurations typically do not include obfuscation, antivirus disabling, or payload downloading. Treating this as benign allows malware to persist and propagate.
Option D assumes user testing. Testing is scheduled, documented, and predictable. Execution of obfuscated scripts targeting multiple endpoints is inconsistent with testing activity. Misclassification risks prolonged malware operation and data compromise.
Selecting option B ensures rapid containment, forensic analysis, and remediation while protecting sensitive systems and maintaining network integrity.
Question 129
A SOC analyst detects endpoints repeatedly attempting to access multiple database accounts with failed login attempts during off-hours. The attempts are executed by unknown processes and target sensitive financial tables. What is the most likely threat, and what is the SOC’s first response?
A) Routine database maintenance; allow activity.
B) Malware or malicious insider attempting unauthorized access or credential harvesting; isolate endpoints, review logs, and analyze processes.
C) Misconfigured authentication policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine database maintenance. Maintenance is predictable, scheduled, and uses authorized accounts. Repeated failed login attempts to multiple sensitive accounts by undocumented processes indicate potential malicious activity. Ignoring this could result in unauthorized data access, credential theft, and compromise of critical financial information.
Option B is correct. Malware or malicious insiders frequently target sensitive database accounts for unauthorized access, credential harvesting, or lateral movement. Indicators include off-hours activity, failed login attempts across multiple accounts, targeting sensitive tables, and execution by unknown processes. Immediate SOC response involves isolating affected endpoints to prevent further unauthorized access, reviewing database and authentication logs to identify impacted accounts, and performing endpoint forensics to determine the responsible processes or malware. Remediation includes revoking unauthorized access, cleaning infected endpoints, strengthening authentication mechanisms, updating monitoring rules, and validating permissions. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and informs future threat detection strategies. Failing to respond could result in financial loss, regulatory penalties, and operational disruption.
Option C assumes misconfigured authentication policies. Misconfigurations may produce failed logins but are typically predictable and limited in scope, unlike multi-account off-hours failures caused by malware. Treating this as benign allows continued unauthorized access.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable. Repeated off-hours login attempts by unknown processes are inconsistent with testing activity and indicate malicious intent.
Selecting option B ensures immediate containment, forensic analysis, and remediation, protecting database integrity and sensitive information while preventing further compromise.
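Questions 125 and 129 both describe repeated failed logins across several sensitive database accounts from an unknown process outside business hours. The following added example (written for this page, not taken from the exam) shows how a SOC might flag that pattern in database audit logs: constructed audit lines, a made-up approved-process list and a 10-minute window are the assumptions; the rule counts distinct accounts failing within the window per client process and records the off-hours and unknown-process context for triage.

```python
"""Detect off-hours multi-account login-failure bursts in database audit logs.

Constructed sample data; client names, process images and account names are
assumptions for this example and do not come from a real environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines:
# "<ISO ts> client=<host> proc=<image> user=<db_account> result=<OK|FAIL>"
SAMPLE_AUDIT = """\
2024-03-12T01:02:10 client=ws-114 proc=svchst32.exe user=fin_reports result=FAIL
2024-03-12T01:02:13 client=ws-114 proc=svchst32.exe user=fin_payroll result=FAIL
2024-03-12T01:02:17 client=ws-114 proc=svchst32.exe user=fin_admin result=FAIL
2024-03-12T01:02:21 client=ws-114 proc=svchst32.exe user=fin_audit result=FAIL
2024-03-12T01:02:26 client=ws-114 proc=svchst32.exe user=fin_reports result=FAIL
2024-03-12T09:15:00 client=app-01 proc=reporting.exe user=fin_reports result=OK
2024-03-12T09:15:30 client=app-01 proc=reporting.exe user=fin_reports result=FAIL
2024-03-12T09:15:41 client=app-01 proc=reporting.exe user=fin_reports result=OK
2024-03-12T23:40:00 client=ws-207 proc=sqlcmd.exe user=fin_admin result=FAIL
2024-03-12T23:40:05 client=ws-207 proc=sqlcmd.exe user=fin_admin result=OK
"""

APPROVED_PROCESSES = {"reporting.exe", "sqlcmd.exe"}  # assumption: known client images
BUSINESS_HOURS = range(8, 19)                         # 08:00-18:59 local; assumption
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_ACCOUNTS = 3

LINE_RE = re.compile(
    r"^(\S+) client=(\S+) proc=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Yield (timestamp, client, process, account, result); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m.group(1)), m.group(2),
                   m.group(3), m.group(4), m.group(5))


def detect_credential_spray(log_text):
    """Return one finding per (client, process) whose failed logins within WINDOW
    touch at least MIN_DISTINCT_ACCOUNTS distinct accounts.

    A single account failing repeatedly (a stuck service password) is deliberately
    not flagged here; that is a different, lower-severity signal."""
    failures = defaultdict(list)  # (client, proc) -> [(ts, account)]
    for ts, client, proc, user, result in parse(log_text):
        if result == "FAIL":
            failures[(client, proc)].append((ts, user))

    findings = []
    for (client, proc), events in failures.items():
        events.sort()
        start = 0
        best = set()
        # Sliding window over chronologically sorted failures
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window_accounts = {u for _, u in events[start:end + 1]}
            if len(window_accounts) > len(best):
                best = window_accounts
        if len(best) >= MIN_DISTINCT_ACCOUNTS:
            findings.append({
                "client": client,
                "process": proc,
                "accounts": sorted(best),
                "off_hours": events[0][0].hour not in BUSINESS_HOURS,
                "unknown_process": proc not in APPROVED_PROCESSES,
            })
    return findings


if __name__ == "__main__":
    for f in detect_credential_spray(SAMPLE_AUDIT):
        print(f"{f['client']} via {f['process']}: {len(f['accounts'])} accounts failed "
              f"(off_hours={f['off_hours']}, unknown_process={f['unknown_process']})")
```

The two context flags are what separate the option B scenario from the option C (misconfiguration) and option A (maintenance) alternatives: an approved process failing against one account during business hours never reaches the finding list.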
Question 130
A SOC analyst observes endpoints executing scripts that attempt to disable endpoint detection and response (EDR) software while connecting to unknown external IPs. The scripts run with elevated privileges during off-hours. What is the most likely threat, and what is the SOC’s immediate response?
A) Routine administrative scripts; allow execution.
B) Malware attempting to bypass security controls and establish persistence; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured EDR policies; update configuration.
D) User testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative scripts. Legitimate administrative activity is scheduled, documented, and uses approved tools. Scripts attempting to disable EDR, run with elevated privileges, and communicate with unknown external IPs are clearly malicious. Ignoring this could allow malware to bypass security monitoring, maintain persistence, and exfiltrate sensitive data.
Option B is correct. Malware frequently attempts to disable endpoint security tools to evade detection and maintain persistence. Indicators include elevated privilege execution, off-hours activity, unauthorized scripts, and communication with unknown IPs. Immediate SOC response involves isolating affected endpoints, capturing memory and system logs for forensic analysis, and analyzing scripts to determine malware functionality, persistence, and potential attacker infrastructure. Remediation includes cleaning endpoints, restoring EDR functionality, updating detection rules, and monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and informs threat intelligence efforts. Failure to respond could result in persistent malware presence, network compromise, and potential exfiltration of sensitive information.
Option C assumes misconfigured EDR policies. Misconfigurations typically do not cause elevated scripts to bypass EDR and contact unknown IPs. Treating this as benign risks undetected compromise.
Option D assumes user testing. Testing is predictable, scheduled, and documented. Off-hours execution of scripts disabling EDR and contacting unknown IPs is inconsistent with legitimate testing. Misclassification allows malware to persist undetected.
Selecting option B ensures immediate containment, forensic analysis, and remediation while maintaining endpoint security and preventing further compromise.
Question 131
A SOC analyst detects endpoints executing scripts that modify firewall rules to allow outbound traffic to multiple unknown external IPs during off-hours. These scripts run with elevated privileges and are unsigned. What is the most likely threat, and what should the SOC do first?
A) Routine firewall configuration changes; allow activity.
B) Malware attempting to bypass network security controls and exfiltrate data; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured firewall policies; update configuration.
D) User testing of firewall rules; notify users.
Answer: B)
Explanation:
Option A assumes routine firewall configuration changes. Legitimate changes follow documented change management processes, use approved tools, and are logged for auditing purposes. Off-hours execution by unsigned scripts that modify firewall rules to allow traffic to unknown external IPs is anomalous. Allowing this could enable attackers to exfiltrate sensitive data, bypass security monitoring, or establish persistent command-and-control channels. Routine firewall updates do not involve unapproved scripts or off-hours activity.
Option B is correct. Malware frequently modifies firewall rules to circumvent security controls and facilitate data exfiltration or lateral movement. Indicators include elevated privilege execution, off-hours activity, unsigned scripts, and connections to unknown external IPs. Immediate SOC response involves isolating affected endpoints to prevent further compromise, capturing memory and system logs for forensic analysis, and analyzing scripts to understand the malware’s methods and persistence mechanisms. Network traffic should be monitored for unusual patterns, and threat intelligence can help identify associated malicious IPs. Remediation includes cleaning endpoints, restoring firewall configurations, updating detection rules to alert on unauthorized rule changes, and continuous monitoring for similar activity. Preserving forensic evidence ensures regulatory compliance, supports incident investigation, and enhances threat intelligence. Ignoring this activity could allow malware to persist, exfiltrate sensitive information, and compromise additional systems.
Option C assumes misconfigured firewall policies. Misconfigurations typically result in failed connections or isolated issues and do not explain off-hours execution by unsigned scripts modifying rules to unknown external destinations. Treating this as benign would leave the environment vulnerable.
Option D assumes user testing. Legitimate testing is scheduled, documented, and predictable. Unsigned scripts modifying firewall rules during off-hours are inconsistent with testing activity, and misclassification risks persistent malware activity.
Selecting option B ensures rapid containment, forensic analysis, and remediation while maintaining network security integrity. Isolating endpoints and analyzing memory and scripts allows the SOC to understand attacker behavior and prevent further compromise.
Question 132
A SOC analyst observes multiple Linux endpoints generating unusual ICMP traffic patterns, including large numbers of echo requests to unknown IPs during off-hours. The processes generating this traffic are not documented in IT operations. What is the most likely threat, and what is the SOC’s immediate response?
A) Routine network monitoring; allow traffic.
B) Malware performing network reconnaissance or denial-of-service preparation; isolate endpoints, capture traffic, and analyze processes.
C) Misconfigured ICMP settings; update configuration.
D) User network testing; notify users.
Answer: B)
Explanation:
Option A assumes routine network monitoring. Legitimate ICMP traffic is predictable, originates from authorized monitoring tools, and targets known hosts. Off-hours large-scale echo requests to unknown IPs from undocumented processes are anomalous. Allowing this activity could permit malware to perform network reconnaissance, map external networks, or prepare for denial-of-service attacks. Routine monitoring would not generate high-volume or anomalous off-hours ICMP traffic.
Option B is correct. Malware often leverages ICMP for reconnaissance, mapping networks, or preparing denial-of-service attacks. Indicators include off-hours execution, large numbers of ICMP requests, targeting unknown IPs, and execution by undocumented processes. Immediate SOC response involves isolating affected endpoints, capturing network traffic for analysis, and performing process forensics to identify malicious activity. Correlation with threat intelligence can identify potential attacker infrastructure or C2 channels. Remediation includes cleaning affected endpoints, updating detection rules for anomalous ICMP traffic, and monitoring network segments for similar patterns. Preserving forensic evidence ensures regulatory compliance, supports post-incident investigation, and enhances threat intelligence. Ignoring the activity allows malware to gain situational awareness, potentially leading to lateral movement, data exfiltration, or coordinated attacks.
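The detection the SOC would want for this scenario is a fan-out check: how many distinct destinations does one process on one host send echo requests to inside a short window, and is that process on the documented monitoring list? The following is an added example, not code from the original page. Its records are constructed endpoint telemetry (one tuple per packet with the sending process), and the host names, the monitoring-tool allowlist and the business-hours window are assumptions.

```python
"""Flag Linux endpoints whose ICMP echo-request fan-out looks like a ping sweep.

Added example, not part of the original page. Records are constructed endpoint
telemetry, not real captures; host names, the allowlist of documented monitoring
processes and the business-hours window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# (utc timestamp, source host, process, destination ip, icmp type); type 8 = echo request
EVENTS = [
    # documented monitor pinging its two known targets during the day
    ("2024-03-05T09:00:00", "lin-web01", "/usr/lib/nagios/plugins/check_ping", "10.0.0.1", 8),
    ("2024-03-05T09:00:05", "lin-web01", "/usr/lib/nagios/plugins/check_ping", "10.0.0.2", 8),
    ("2024-03-05T09:05:00", "lin-web01", "/usr/lib/nagios/plugins/check_ping", "10.0.0.1", 8),
    ("2024-03-05T09:05:05", "lin-web01", "/usr/lib/nagios/plugins/check_ping", "10.0.0.2", 8),
] + [
    # undocumented binary sweeping a /24 at 02:13, one probe per second (constructed)
    (f"2024-03-05T02:13:{i:02d}", "lin-db02", "/tmp/.x/scan", f"203.0.113.{i}", 8)
    for i in range(60)
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business window
DOCUMENTED_ICMP_PROCESSES = {  # assumed: processes IT operations has on record
    "/usr/lib/nagios/plugins/check_ping",
    "/usr/bin/ping",
}


def is_off_hours(ts):
    t = datetime.fromisoformat(ts).time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def detect_icmp_sweeps(events, window_seconds=300, min_distinct_dst=20):
    """Return one finding per (host, process) whose distinct echo-request destinations
    inside any window_seconds span reach min_distinct_dst.

    A sliding window over the sorted timestamps keeps a count per destination so
    that repeated pings to the same few hosts (normal monitoring) never add up."""
    by_actor = defaultdict(list)
    for ts, host, proc, dst, icmp_type in events:
        if icmp_type == 8:
            by_actor[(host, proc)].append((datetime.fromisoformat(ts), dst))

    findings = []
    for (host, proc), recs in by_actor.items():
        recs.sort()
        lo, in_window, peak, peak_start = 0, defaultdict(int), 0, None
        for t_hi, dst_hi in recs:
            in_window[dst_hi] += 1
            while (t_hi - recs[lo][0]).total_seconds() > window_seconds:
                old_dst = recs[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            if len(in_window) > peak:
                peak, peak_start = len(in_window), recs[lo][0]
        if peak >= min_distinct_dst:
            findings.append({
                "host": host,
                "process": proc,
                "distinct_destinations": peak,
                "window_start": peak_start.isoformat(),
                "off_hours": is_off_hours(peak_start.isoformat()),
                "documented": proc in DOCUMENTED_ICMP_PROCESSES,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_icmp_sweeps(EVENTS):
        print(finding)
```

The `documented` and `off_hours` fields are what turn a raw fan-out count into the triage decision the question asks for: an undocumented process with a large off-hours fan-out is the isolate-and-capture case, while a documented monitor with the same count during its scheduled window is worth a ticket at most.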
Option C assumes misconfigured ICMP settings. Misconfigurations typically cause predictable errors or isolated anomalies and do not explain large-scale off-hours activity from undocumented processes. Treating this as benign risks undetected reconnaissance or preparation for attacks.
Option D assumes user network testing. Testing is scheduled, documented, and predictable. Off-hours anomalous ICMP traffic from undocumented processes is inconsistent with legitimate testing. Misclassification could allow malware to persist undetected.
Selecting option B ensures containment, forensic analysis, and remediation, while preventing potential network mapping, data compromise, and further attacks.
Question 133
A SOC analyst detects Windows endpoints creating new administrative accounts and modifying group policies during off-hours. These actions are executed by unsigned scripts not approved by IT operations. What is the most likely threat, and what should the SOC do first?
A) Routine administrative changes; allow activity.
B) Malware attempting privilege escalation and persistent access; isolate endpoints, capture memory, and analyze scripts.
C) Misconfigured Active Directory policies; update configuration.
D) User security testing; notify users.
Answer: B)
Explanation:
Option A assumes routine administrative changes. Legitimate changes follow change management processes, are scheduled, logged, and executed by authorized administrators. Off-hours creation of new administrative accounts and modification of group policies by unsigned scripts indicates malicious activity. Ignoring this could allow malware to escalate privileges, maintain persistence, and compromise additional systems. Routine administrative changes are auditable and predictable, unlike anomalous unsigned script activity.
Option B is correct. Malware often creates administrative accounts and modifies group policies to maintain persistent access and evade detection. Indicators include off-hours execution, unauthorized script activity, privilege escalation attempts, and undocumented changes in Active Directory. Immediate SOC response involves isolating affected endpoints, capturing memory and directory logs for forensic analysis, and analyzing scripts to determine malware behavior and persistence mechanisms. Correlation with SIEM data can reveal affected accounts and systems. Remediation includes removing unauthorized accounts, restoring proper group policies, cleaning endpoints, and updating monitoring and alerting to detect similar activity. Preserving forensic evidence ensures regulatory compliance and supports incident investigation. Ignoring this activity could allow malware to establish long-term control, exfiltrate sensitive data, or pivot across the network.
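Both this scenario and the firewall-rule scenario above come down to the same triage question on a Windows Security event: was the change made off-hours, by an unsigned script, outside the approved change tooling, by someone who is not an approved administrator? The following is an added example serving both, not code from the original page. The events are constructed, and each one joins the Security log record with the responsible script or image and its signing status from an assumed EDR feed, because the Security events themselves (4946/4947/4948 for firewall rules, 4720/4728/4732 for accounts and groups, 5136 for directory objects including GPOs) do not carry that information. Account names, paths and allowlists are assumptions.

```python
"""Triage Windows Security events that change firewall rules, accounts, groups or GPOs.

Added example, not part of the original page. Events are constructed telemetry that
joins each Security record with the responsible script/image and its Authenticode
status from an assumed EDR feed. Hosts, accounts, paths and allowlists are assumptions.
"""
from datetime import datetime, time

# Security event IDs that the two scenarios map to.
WATCHED_EVENTS = {
    4946: "Windows Firewall rule added",
    4947: "Windows Firewall rule modified",
    4948: "Windows Firewall rule deleted",
    4720: "User account created",
    4728: "Member added to security-enabled global group",
    4732: "Member added to security-enabled local group",
    5136: "Directory service object modified (GPO edits surface here)",
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed approved change window
APPROVED_CHANGE_TOOLS = {  # assumed: images allowed to make these changes
    r"C:\Windows\CCM\CcmExec.exe",
    r"C:\Windows\System32\gpupdate.exe",
}
APPROVED_ADMINS = {"CORP\\svc-sccm", "CORP\\jsmith-adm"}  # assumed

SCRIPT = r"C:\Users\bjones\AppData\Local\Temp\upd.ps1"  # constructed unsigned script
EVENTS = [  # constructed; "image" is the responsible process or script, times are UTC
    {"ts": "2024-03-05T14:20:03", "host": "WS-0142", "event_id": 4946, "actor": "CORP\\svc-sccm",
     "image": r"C:\Windows\CCM\CcmExec.exe", "signed": True, "detail": "Allow in TCP 443 VPN client"},
    {"ts": "2024-03-05T03:12:44", "host": "WS-0142", "event_id": 4946, "actor": "CORP\\bjones",
     "image": SCRIPT, "signed": False, "detail": "Allow out TCP 445 to 198.51.100.7"},
    {"ts": "2024-03-05T03:14:02", "host": "WS-0142", "event_id": 4720, "actor": "CORP\\bjones",
     "image": SCRIPT, "signed": False, "detail": "Target account svc_backup2"},
    {"ts": "2024-03-05T03:14:05", "host": "WS-0142", "event_id": 4732, "actor": "CORP\\bjones",
     "image": SCRIPT, "signed": False, "detail": "svc_backup2 added to BUILTIN\\Administrators"},
    {"ts": "2024-03-05T03:16:30", "host": "DC01", "event_id": 5136, "actor": "CORP\\bjones",
     "image": SCRIPT, "signed": False, "detail": "groupPolicyContainer versionNumber modified"},
    {"ts": "2024-03-05T09:01:10", "host": "WS-0077", "event_id": 4624, "actor": "CORP\\akhan",
     "image": r"C:\Windows\System32\winlogon.exe", "signed": True, "detail": "Logon"},  # not watched
]


def is_off_hours(ts):
    t = datetime.fromisoformat(ts).time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def reasons_for(event):
    """Why a watched event looks unauthorized; empty means it matches approved change activity."""
    reasons = []
    if is_off_hours(event["ts"]):
        reasons.append("off-hours")
    if not event["signed"]:
        reasons.append("unsigned script or image")
    if event["image"] not in APPROVED_CHANGE_TOOLS:
        reasons.append("not an approved change tool")
    if event["actor"] not in APPROVED_ADMINS:
        reasons.append("actor is not an approved administrator")
    return reasons


def triage(events, min_reasons=2):
    """Return suspicious watched events, most reasons first, with the first response attached."""
    findings = []
    for ev in events:
        if ev["event_id"] not in WATCHED_EVENTS:
            continue
        reasons = reasons_for(ev)
        if len(reasons) >= min_reasons:
            findings.append({
                "host": ev["host"], "ts": ev["ts"],
                "event": WATCHED_EVENTS[ev["event_id"]],
                "image": ev["image"], "detail": ev["detail"], "reasons": reasons,
                "first_response": "isolate host, capture memory, retrieve and analyze the script",
            })
    findings.sort(key=lambda f: (-len(f["reasons"]), f["ts"]))
    return findings


def hosts_to_isolate(findings):
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Requiring two or more reasons keeps a single off-hours change by an approved tool from paging anyone, while the constructed script trips all four on every event it touches; the 5136 on the domain controller is what links the workstation activity to the group policy change.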
Option C assumes misconfigured Active Directory policies. Misconfigurations typically produce limited access issues, not multiple unauthorized account creations and off-hours group policy changes. Treating this as benign would leave malware operational.
Option D assumes user security testing. Testing is scheduled, documented, and predictable. Off-hours, unsigned scripts making administrative changes are inconsistent with legitimate testing. Misclassification could result in persistent malware activity and organizational compromise.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting directory integrity and preventing further compromise.
Question 134
A SOC analyst notices endpoints repeatedly querying newly registered DNS domains with high-entropy subdomains during off-hours. The activity originates from undocumented scripts and is low-volume but continuous. What is the most likely threat, and what is the SOC’s first response?
A) Normal DNS queries; allow traffic.
B) Malware using DNS tunneling or dynamically generated domains for command-and-control; capture traffic, isolate endpoints, and analyze scripts.
C) Misconfigured DNS servers; update configuration.
D) User testing; verify activity with the IT team.
Answer: B)
Explanation:
Option A assumes normal DNS queries. Standard DNS activity targets known domains, follows predictable patterns, and uses approved processes. Persistent off-hours low-volume queries to newly registered high-entropy domains suggest malicious activity. Allowing this could enable malware to exfiltrate data, communicate with command-and-control infrastructure, and remain undetected. Normal DNS traffic does not consist of dynamically generated subdomains or anomalous off-hours query patterns.
Option B is correct. Malware frequently uses DNS tunneling or dynamically generated domains to maintain covert communication channels and evade detection. Indicators include low-volume persistent queries, high-entropy dynamically generated subdomains, execution by undocumented scripts, and off-hours activity. Immediate SOC response involves capturing DNS traffic for analysis, isolating affected endpoints, and performing endpoint forensics to identify responsible scripts and malware behavior. Threat intelligence can identify malicious domains and C2 infrastructure. Remediation includes cleaning endpoints, updating monitoring rules to detect anomalous DNS activity, and continuous network monitoring. Preserving forensic evidence ensures compliance and supports post-incident investigation. Ignoring the activity allows malware to exfiltrate sensitive information and maintain persistent access.
Option C assumes that continuous high-entropy DNS queries are caused by misconfigured DNS servers. DNS misconfigurations are common in enterprise environments, but their effects are predictable and easily traced: a misconfigured server may fail to resolve certain internal or external names, repeatedly forward queries to an unreachable upstream, or log failed lookups. These problems are isolated and static, affect a fixed set of names or clients, and are corrected through routine administration and troubleshooting.
Continuous high-entropy queries do not fit that pattern. High-entropy labels contain random or encoded strings rather than ordinary host names, which is the signature of data being carried inside the query itself. Malware uses DNS for command-and-control (C2) communication and exfiltration because DNS is almost always permitted through firewalls and is monitored less closely than other protocols. By encoding data into subdomains and issuing repeated queries to an attacker-controlled authoritative server, malware maintains a persistent channel while staying largely unnoticed, and it targets newly registered or dynamically generated domains to stay ahead of reputation blocklists. None of this results from a resolver misconfiguration.
Misclassifying this activity as a routine error is dangerous: it allows the malware to persist, receive commands, exfiltrate sensitive data, and stage lateral movement across compromised systems. Misconfiguration errors are predictable, isolated, and static; these queries are deliberate, adaptive, and designed to evade detection.
The correct response is verification and forensic investigation. Analysts should examine query patterns, measure the entropy of requested subdomains, and correlate the activity with endpoint behavior, system logs, and other indicators of compromise. Network monitoring, anomaly detection, and threat intelligence feeds show whether the domains are known malware infrastructure or DGA output, and memory and process analysis on the affected endpoints identifies whether the queries come from a misconfigured service or from malicious code. Treating them as ordinary misconfiguration leaves the malware operational, with its C2 channel and exfiltration path intact.
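The entropy measurement referred to above is straightforward to implement, and combining it with query counts and a newly-registered-domain feed is how a resolver log turns into the finding the question describes. The following is an added example, not code from the original page. Its log lines are constructed in a simple "timestamp client qname qtype" form; the client address, the domain names and the newly-registered feed are assumptions, and the tunnel labels are built by rotating one 32-symbol alphabet so that every label carries exactly 5 bits of entropy per character.

```python
"""Score DNS query logs for DNS tunnelling or DGA beaconing.

Added example, not part of the original page. Log lines are constructed; the client,
the domains and the newly-registered feed are assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed
NEWLY_REGISTERED = {"telemetry-sync.example"}  # assumed feed: domains registered in the last 30 days

_ALPHABET = "q3vz8x2kd0mt7hl1pyg5wb9rja4nsoce"  # 32 distinct symbols
TUNNEL_LABELS = [_ALPHABET[i:] + _ALPHABET[:i] for i in range(12)]  # constructed encoded payloads

QUERY_LOG = [  # constructed: "timestamp client qname qtype"
    "2024-03-05T10:02:11 10.0.5.23 www.example.com A",
    "2024-03-05T10:02:12 10.0.5.23 mail.example.com A",
    "2024-03-05T10:03:40 10.0.5.23 cdn.example.com A",
    "2024-03-05T10:03:41 10.0.5.23 www.example.com A",
] + [
    f"2024-03-05T02:{10 + i:02d}:05 10.0.5.23 {label}.telemetry-sync.example TXT"
    for i, label in enumerate(TUNNEL_LABELS)
]


def shannon_entropy(s):
    """Bits of entropy per character of s; 0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain labels joined, registrable domain).

    Naive: treats the last two labels as the registrable domain. A production tool
    should consult the Public Suffix List so 'example.co.uk' is not split as 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def score_dns(lines, newly_registered, min_queries=5, entropy_threshold=3.5):
    """Group queries per (client, registrable domain) and flag tunnelling/DGA indicators."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname, qtype = line.split()
        sub, dom = split_qname(qname)
        groups[(client, dom)].append((datetime.fromisoformat(ts), sub, qtype))

    findings = []
    for (client, dom), recs in groups.items():
        mean_entropy = sum(shannon_entropy(sub) for _, sub, _ in recs) / len(recs)
        off_hours = sum(not (BUSINESS_HOURS[0] <= t.time() < BUSINESS_HOURS[1])
                        for t, _, _ in recs) / len(recs)
        reasons = []
        if len(recs) >= min_queries and mean_entropy >= entropy_threshold:
            reasons.append("high-entropy subdomains")
        if dom in newly_registered:
            reasons.append("newly registered domain")
        if reasons:
            findings.append({
                "client": client, "domain": dom, "queries": len(recs),
                "mean_entropy": round(mean_entropy, 3),
                "off_hours_fraction": round(off_hours, 2),
                "qtypes": sorted({q for _, _, q in recs}), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in score_dns(QUERY_LOG, NEWLY_REGISTERED):
        print(finding)
```

Ordinary host labels score low ("www" is 0 bits, "mail" is exactly 2 bits), so the threshold separates them cleanly from encoded payloads; the TXT query type and the all-off-hours fraction are the supporting indicators an analyst would carry into the endpoint investigation, since a resolver log alone cannot name the script that issued the queries.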
Option D assumes user testing. Testing is scheduled, documented, and predictable. Off-hours high-entropy dynamic domain queries from undocumented scripts are inconsistent with legitimate testing. Misclassification could allow malware to persist undetected.
Selecting option B ensures containment, forensic analysis, and remediation, protecting the network and sensitive data.
Question 135
A SOC analyst observes endpoints attempting repeated unauthorized access to sensitive file shares outside business hours. Unknown processes execute these attempts, affecting multiple accounts and systems. What is the most likely threat, and what should the SOC do first?
A) Routine backup or maintenance; allow access.
B) Malware performing lateral movement or reconnaissance; isolate endpoints, review logs, and perform endpoint analysis.
C) Misconfigured file permissions; update configuration.
D) Legitimate off-hours testing; notify users.
Answer: B)
Explanation:
Option A assumes routine backup or maintenance. Such activity is scheduled, predictable, uses authorized accounts, and targets approved systems. Off-hours repeated unauthorized access attempts by unknown processes indicate malicious behavior. Ignoring this could allow malware to map the network, compromise sensitive information, and persist undetected. Routine backups do not trigger multi-account off-hours access failures.
Option B is correct. Malware frequently probes file shares to perform reconnaissance or lateral movement. Indicators include off-hours activity, repeated unauthorized access, multi-account targeting, and execution by undocumented processes. Immediate SOC response involves isolating affected endpoints, reviewing file access logs, and performing endpoint forensics to identify responsible processes. Correlating activity across SIEM data can reveal compromised accounts and affected systems. Remediation includes cleaning endpoints, strengthening access controls, updating monitoring rules, and validating account integrity. Preserving forensic evidence ensures compliance, supports post-incident investigation, and improves threat detection. Ignoring this activity allows malware to persist, gain elevated access, and potentially exfiltrate sensitive information.
Option C assumes that repeated multi-account access attempts against sensitive file shares are caused by misconfigured file permissions. Permission misconfigurations are common, typically arising from errors in access control lists, incorrect permission inheritance, or wrong user or group assignments, and they produce predictable, isolated errors: a user without the right permission triggers a single logged access-denied event, or a misapplied group policy stops a specific group from reading or writing one directory. These errors are limited in scope, easily traced, and corrected by an administrator without wider disruption.
Repeated access attempts across multiple accounts from unknown processes do not match that pattern. A misconfiguration does not generate systematic, persistent attempts under many different accounts; that behavior is characteristic of credential abuse, lateral movement, or automated probing of restricted resources. Malware or an intruder cycles through accounts to find one with access, escalate privileges, or identify reachable data, and does so deliberately and adaptively to avoid immediate detection, unlike a misconfiguration that fails consistently for the same user or system.
Treating the activity as a permissions problem therefore carries significant risk. The attacker keeps persistence, escalates privileges, and moves laterally undetected; unlike a static misconfiguration, malicious activity adapts to monitoring, clears logs, or runs from several endpoints to evade detection. The longer it is ignored, the greater the compromise, the likelier the data exfiltration, and the harder the eventual remediation.
The correct response is verification and investigation. Analysts should examine access logs for patterns, correlate the attempts with known accounts and scheduled tasks, and investigate the endpoints showing the behavior. Behavioral baselines distinguish ordinary access errors from probing, and forensic analysis of processes, memory, and network connections on the affected endpoints confirms whether the attempts originate from a misconfiguration or from malicious actors. Accurate verification, monitoring, and targeted remediation are what protect sensitive resources and the integrity of the network.
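The behavioral baseline mentioned above is the piece that separates the two cases in practice: a permission error is one account failing on a share it normally uses, while probing is one source failing under many accounts on shares those accounts never touched. The following is an added example, not code from the original page. The records are constructed from the subset of Windows event 5145 fields (network share access check: source address, account, share, access check result) that the logic needs; the hosts, accounts, shares and business-hours window are assumptions.

```python
"""Separate benign share-permission errors from multi-account probing of sensitive shares.

Added example, not part of the original page. Records are constructed from a subset of
the fields in Windows event 5145; hosts, accounts, shares and hours are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# (utc timestamp, source address, account, share, access check result)
BASELINE = [  # prior week of granted accesses: who normally reaches which share, from where
    ("2024-02-26T22:00:00", "10.0.9.5", "CORP\\svc-backup", "\\\\FS01\\Finance", "granted"),
    ("2024-02-27T22:00:00", "10.0.9.5", "CORP\\svc-backup", "\\\\FS01\\HR", "granted"),
    ("2024-02-27T10:15:00", "10.0.4.31", "CORP\\akhan", "\\\\FS01\\Finance", "granted"),
    ("2024-02-28T11:02:00", "10.0.4.31", "CORP\\akhan", "\\\\FS01\\Finance", "granted"),
    ("2024-02-28T09:40:00", "10.0.4.52", "CORP\\mlee", "\\\\FS01\\Engineering", "granted"),
]

_PROBE_ACCOUNTS = ["CORP\\mlee", "CORP\\akhan", "CORP\\jdoe", "CORP\\svc-backup", "CORP\\Administrator"]
_SENSITIVE_SHARES = ["\\\\FS01\\Finance", "\\\\FS01\\HR", "\\\\FS01\\Legal", "\\\\FS01\\Executive"]
RECENT = [
    # nightly backup as usual, and one user hitting a permission error on a share she normally uses
    ("2024-03-05T22:00:00", "10.0.9.5", "CORP\\svc-backup", "\\\\FS01\\Finance", "granted"),
    ("2024-03-05T14:05:00", "10.0.4.31", "CORP\\akhan", "\\\\FS01\\Finance", "denied"),
] + [
    # constructed 02:00 burst from mlee's workstation cycling five accounts over four shares
    (f"2024-03-06T02:{(i * 7) // 60:02d}:{(i * 7) % 60:02d}", "10.0.4.52",
     _PROBE_ACCOUNTS[i % 5], _SENSITIVE_SHARES[i % 4], "denied")
    for i in range(20)
]
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed


def is_off_hours(ts):
    t = datetime.fromisoformat(ts).time()
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def build_baseline(records):
    """Known-good (account, share) pairs and the source addresses each account works from."""
    pairs, sources = set(), defaultdict(set)
    for _, src, acct, share, result in records:
        if result == "granted":
            pairs.add((acct, share))
            sources[acct].add(src)
    return pairs, sources


def find_share_probing(baseline, recent, min_accounts=3):
    """Bucket denied access checks per source and clock hour; flag sources that fail under
    several distinct accounts and annotate how far the activity strays from the baseline."""
    pairs, sources = build_baseline(baseline)
    buckets = defaultdict(list)
    for rec in recent:
        ts, src, acct, share, result = rec
        if result == "denied":
            buckets[(src, ts[:13])].append(rec)  # ts[:13] is YYYY-MM-DDTHH

    findings = []
    for (src, hour), recs in buckets.items():
        accounts = {r[2] for r in recs}
        if len(accounts) < min_accounts:
            continue  # a single account failing is the permission-error case, not probing
        findings.append({
            "source": src,
            "hour": hour,
            "denied": len(recs),
            "distinct_accounts": len(accounts),
            "distinct_shares": len({r[3] for r in recs}),
            "off_hours": all(is_off_hours(r[0]) for r in recs),
            "unseen_pairs": sum((r[2], r[3]) not in pairs for r in recs),
            "accounts_foreign_to_source": sorted(
                a for a in accounts if src not in sources.get(a, set())),
        })
    return findings


if __name__ == "__main__":
    for finding in find_share_probing(BASELINE, RECENT):
        print(finding)
```

The akhan denial at 14:05 is never reported: one account, on a share in its own baseline, inside business hours. The 02:00 burst is reported with four accounts that have never been used from that workstation, which is the credential-abuse signal that should drive isolating 10.0.4.52 and pulling its process list before touching the share permissions.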
Option D assumes legitimate testing. Testing is scheduled, documented, and predictable. Off-hours repeated unauthorized access by unknown processes is inconsistent with legitimate testing. Misclassification risks persistent compromise and data exfiltration.
Selecting option B ensures immediate containment, forensic analysis, and remediation while protecting file share integrity and preventing lateral movement and unauthorized access.