300-215 Sample Questions checked by AI
Broad Network Access
Rapid Elasticity
Measured service
Resource pooling
Match the cloud characteristic above onto the challenges below:
Application details are unavailable to investigators since being deemed private and confidential.
Obtaining evidence from the cloud provider.
Circumvention of virtual machine isolation techniques via code or bad actor.
Evidence correlation across one or more cloud providers.

Application details are unavailable to investigators since being deemed private and confidential. – Resource Pooling

Obtaining evidence from the cloud provider. – Measured Service

Circumvention of virtual machine isolation techniques via code or bad actor. – Broad Network Access

Evidence correlation across one or more cloud providers. – Rapid Elasticity

A threat actor attempts to avoid detection by turning data into a code that shifts numbers to the right four times. Which anti-forensics technique is being used?
Choose one:
poisoning
tunneling
obfuscation
encryption
The anti-forensics technique being used in this scenario is obfuscation.
A website administrator has an output of an FTP session that runs nightly to download and unzip files to a local staging server. The download includes thousands of files, and the manual process used to find how many files failed to download is time-consuming. The administrator is working on a PowerShell script that will parse a log file and summarize how many files were successfully downloaded versus ones that failed. Which script will read the contents of the file one line at a time and return a collection of objects?
Choose one:
Get-Content-Folder \\Server\FTPFolder\Logfiles\ftpfiles.log | Show-From "ERROR", "SUCCESS"
Get-Content -ifmatch \\Server\FTPFolder\Logfiles\ftpfiles.log | Copy-Marked "ERROR", "SUCCESS"
Get-Content -Path \\Server\FTPFolder\Logfiles\ftpfiles.log | Select-String "ERROR", "SUCCESS"
Get-Content -Directory \\Server\FTPFolder\Logfiles\ftpfiles.log | Export-Result "ERROR", "SUCCESS"
The script that will read the contents of the file one line at a time and return a collection of objects is:

Get-Content -Path \\Server\FTPFolder\Logfiles\ftpfiles.log | Select-String "ERROR", "SUCCESS"

This script uses the Get-Content cmdlet to read the contents of the file one line at a time, and then uses the Select-String cmdlet to search for the keywords “ERROR” and “SUCCESS” in the lines of the file. The Select-String cmdlet returns a collection of MatchInfo objects, each of which represents a line that contains one of the keywords. The resulting collection of objects can be further processed to generate a summary of the number of files that were successfully downloaded versus ones that failed.

An employee receives an email from a “trusted” person containing a hyperlink that is malvertising. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan. Which event detail should be included in this root cause analysis?
Choose one:
alert identified by the cybersecurity team
phishing email sent to the victim
information from the email header
alarm raised by the SIEM
In the root cause analysis of this incident, the event detail that should be included is the “phishing email sent to the victim”.

This detail is important because it is the initial vector used by the threat actor to deliver the malvertising link to the employee. Understanding the characteristics of the phishing email, such as the sender, subject, and body, can help identify potential indicators of compromise and inform future security awareness training for employees. It can also help identify any gaps in the organization’s email filtering and anti-phishing measures that may have allowed the email to bypass detection. The other details, such as the alert identified by the cybersecurity team, the information from the email header, and the alarm raised by the SIEM, are important in the incident response process but may not necessarily provide insights into the root cause of the incident.

Which information is provided about the object file by the "-h" option in the objdump command line objdump -b oasys -m vax -h fu.o?
Choose one:
headers
bfdname
debugging
help
The "-h" option in the command "objdump -b oasys -m vax -h fu.o" provides information about the headers of the object file "fu.o".

The "-h" option (the long form is --section-headers) prints a summary of the object file's section headers rather than their contents: each section's name, size, virtual and load addresses, file offset, alignment and flags. This summary shows how the object file is laid out and which sections are loaded when it is executed, which is a useful first view of an unfamiliar binary before dumping any section's contents.

A security team received an alert of suspicious activity on a user’s Internet browser. The user’s anti-virus software indicated that the file attempted to create a fake recycle bin folder and connect to an external IP address. Which two actions should be taken by the security analyst with the executable file for further analysis? (Choose two.)
Choose:
Evaluate the process activity in Cisco Umbrella.
Analyze the TCP/IP Streams in Cisco Secure Malware Analytics (Threat Grid).
Network Exit Localization in Cisco Secure Malware Analytics (Threat Grid).
Analyze the Magic File type in Cisco Umbrella.
Evaluate the behavioral indicators in Cisco Secure Malware Analytics (Threat Grid).
The two actions that should be taken by the security analyst with the executable file for further analysis are:
  1. Analyze the TCP/IP Streams in Cisco Secure Malware Analytics (Threat Grid).
  2. Evaluate the behavioral indicators in Cisco Secure Malware Analytics (Threat Grid).

Analyzing the TCP/IP streams in Cisco Secure Malware Analytics (Threat Grid) can help identify the network behavior of the executable file and provide details about the external IP address it attempted to connect to. This information can be used to investigate the IP address and determine if it is a known malicious address or part of a larger attack campaign.

Evaluating the behavioral indicators in Cisco Secure Malware Analytics (Threat Grid) can help identify any malicious activities or behaviors associated with the file, such as creating a fake recycle bin folder, and provide insights into the intent and capabilities of the threat actor. This information can be used to develop a response plan and inform future security controls and policies.

The other options listed, such as evaluating the process activity in Cisco Umbrella, analyzing the Magic File type in Cisco Umbrella, and performing network exit localization in Cisco Secure Malware Analytics (Threat Grid), may also be useful in certain contexts but are less directly relevant to the information provided in the scenario.

A security team received reports of users receiving emails linked to external or unknown URLs that are non-returnable and non-deliverable. The ISP also reported a 500% increase in the amount of ingress and egress email traffic received. After detecting the problem, the security team moves to the recovery phase in their incident response plan. Which two actions should be taken in the recovery phase of this incident? (Choose two.)
Choose:
verify the breadth of the attack
remove vulnerabilities
request packet capture
scan hosts with updated signatures

The two actions that should be taken in the recovery phase of this incident are:

  1. Remove vulnerabilities
  2. Scan hosts with updated signatures

Removing vulnerabilities is an essential step in the recovery phase, as it helps prevent future incidents by addressing the root cause of the problem. The security team should identify and patch any vulnerabilities or misconfigurations that contributed to the incident and ensure that all systems and software are up-to-date and secure.

Scanning hosts with updated signatures can help identify any malware or suspicious activity that may still be present on the network. The security team should use updated antivirus software and other security tools to scan all systems and devices on the network, looking for signs of compromise or unauthorized access.

Verifying the breadth of the attack and requesting packet capture may be relevant in the investigation phase of the incident response plan but are less directly relevant to the recovery phase, where the focus is on restoring normal operations and ensuring that the network is secure.

An attacker embedded a macro within a word processing file opened by a user in an organization’s legal department. The attacker used this technique to gain access to confidential financial data. Which two recommendations should a security expert make to mitigate this type of attack? (Choose two.)
Choose:
firewall rules creation
controlled folder access
removable device restrictions
network access control
signed macro requirements
The two recommendations that a security expert should make to mitigate this type of attack are:
  1. Controlled folder access
  2. Signed macro requirements

Controlled folder access can help prevent unauthorized access to critical data by restricting write access to specific folders on the system. This can help prevent malware or unauthorized scripts from modifying files and can limit the impact of a successful attack.

Signed macro requirements can help prevent malicious macros from running by requiring that all macros be digitally signed and validated before they are allowed to execute. This can help prevent unauthorized or malicious code from running on the system and can limit the potential damage of a successful attack.

Firewall rules creation, removable device restrictions, and network access control are all important security controls but are less directly relevant to preventing macro-based attacks like the one described in the scenario. These controls may help prevent other types of attacks or limit the spread of malware, but they may not be effective against macros embedded within files that are opened by authorized users.

An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat?
Choose one:
An engineer should check the server’s processes by running the commands ps -aux and sudo ps -a.
An engineer should check the last hundred entries of the web server log with the command sudo tail -100 /var/log/apache2/access.log.
An engineer should check the services on the machine by running the command service --status-all.
An engineer should check the list of usernames currently logged in by running the command $ who | cut -d' ' -f1 | sort | uniq
To identify the origin of the DDoS attack targeting an Apache server, the step that should be taken is:

An engineer should check the last hundred entries of the web server log with the command sudo tail -100 /var/log/apache2/access.log.

By checking the Apache access logs, an engineer can identify the requests that are being sent to the server and potentially identify patterns or anomalies that indicate a DDoS attack. The “tail” command is used to view the last few lines of the log file, and the “-100” flag specifies that the last 100 lines should be displayed. The “sudo” command is used to run the command as a privileged user, which may be necessary to access the log file.

Checking the server’s processes, checking the services on the machine, or checking the list of usernames currently logged in may be useful for other types of attacks or incidents but are less directly relevant to identifying the origin of a DDoS attack targeting an Apache server.
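Added example, not part of the original answer: a shell pipeline that does what the tail -100 step above is meant to enable, summarising which client addresses dominate the most recent requests in an Apache access log. The log lines (combined log format, documentation-range addresses), the file path and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise the tail of an Apache access log by client address.
# The log content, path and function names below are constructed for the demo.

WORK_DIR="${TMPDIR:-/tmp}/access_log_demo.$$"
mkdir -p "$WORK_DIR"
ACCESS_LOG="$WORK_DIR/access.log"

# Constructed sample in Apache's combined log format; field 1 is the client IP.
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [02/May/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [02/May/2024:10:15:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.20 - - [02/May/2024:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [02/May/2024:10:15:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.9 - - [02/May/2024:10:15:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.7 - - [02/May/2024:10:15:03 +0000] "GET / HTTP/1.1" 503 0 "-" "curl/8.0"
198.51.100.21 - - [02/May/2024:10:15:03 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2024:10:15:03 +0000] "GET / HTTP/1.1" 503 0 "-" "curl/8.0"
EOF

# top_sources: take the last N lines (the "tail -100" step from the answer),
# count requests per client address and print "<count> <ip>", busiest first.
top_sources() {
    log="$1"; n="${2:-100}"
    tail -n "$n" "$log" | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# busiest_source: the single address with the most requests in the window.
busiest_source() {
    top_sources "$1" "${2:-100}" | head -n 1 | awk '{print $2}'
}

# share_of_top: integer percentage of the window's requests that came from the
# busiest address. One source carrying most of the recent load is the kind of
# anomaly the access log review above is looking for.
share_of_top() {
    log="$1"; n="${2:-100}"
    total=$(tail -n "$n" "$log" | wc -l | tr -d ' ')
    top=$(top_sources "$log" "$n" | head -n 1 | awk '{print $1}')
    echo $((top * 100 / total))
}
```

Run against a real log by pointing ACCESS_LOG at /var/log/apache2/access.log (read access usually needs sudo); the share is a rough signal, since a legitimate proxy or load balancer will also show up as a single busy address.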

Which script will search a log file for the IP address of 192.168.100.100 and create an output file named parsed_host.log while printing results to the console? Choose one:

Here is an example script that will search a log file for the IP address of 192.168.100.100 and create an output file named parsed_host.log while printing results to the console:

grep "192.168.100.100" /path/to/logfile.log | tee parsed_host.log

This script uses the “grep” command to search for the specified IP address in the log file and the “tee” command to simultaneously write the results to a file named “parsed_host.log” and print them to the console.

You can modify the script to use the appropriate path to your log file and the IP address that you want to search for.
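Added example (not part of the original page): a POSIX shell version of the two log-parsing tasks in the answers above, the PowerShell Get-Content | Select-String summary of FTP successes versus failures and the grep | tee search for one host address. The FTP log content, file names and the ftp_summary and find_host functions are all constructed for this example; find_host anchors the address as a whole field, which plain grep "192.168.100.100" does not do (its dots match any character and it also matches 192.168.100.1001).

```shell
#!/bin/sh
# Added example: shell counterpart of the FTP log summary and the grep | tee
# host search discussed above. Log content, paths and functions are constructed.

WORK_DIR="${TMPDIR:-/tmp}/ftp_log_demo.$$"
mkdir -p "$WORK_DIR"
LOG_FILE="$WORK_DIR/ftpfiles.log"

# Constructed sample of the nightly FTP log: date, time, status, action, path, host.
cat > "$LOG_FILE" <<'EOF'
2024-05-01 02:00:01 SUCCESS get reports/daily-0430.zip 192.168.100.100
2024-05-01 02:00:02 SUCCESS get reports/daily-0429.zip 192.168.100.100
2024-05-01 02:00:03 ERROR   get reports/daily-0428.zip 192.168.100.100 (timeout)
2024-05-01 02:00:04 INFO    unzip reports/daily-0430.zip
2024-05-01 02:00:05 ERROR   get archive/q1.tar.gz 192.168.100.101 (550 not found)
2024-05-01 02:00:06 SUCCESS get archive/q2.tar.gz 192.168.100.10
EOF

# ftp_summary: read the log one line at a time (the Get-Content step), keep only
# lines whose status field is SUCCESS or ERROR (the Select-String step) and print
# "success=<n> error=<n>". Lines are split on whitespace; the third field is the
# status, so INFO lines (the unzip step) are ignored.
ftp_summary() {
    log="$1"; ok=0; bad=0
    while IFS= read -r line; do
        set -- $line
        case "$3" in
            SUCCESS) ok=$((ok + 1)) ;;
            ERROR)   bad=$((bad + 1)) ;;
        esac
    done < "$log"
    printf 'success=%s error=%s\n' "$ok" "$bad"
}

# find_host: the grep | tee pattern with the address escaped and anchored as a
# whole field, so 192.168.100.100 does not also match 192.168.100.101 or
# 192.168.100.1001. Matching lines go to both the console and the output file.
find_host() {
    ip="$1"; log="$2"; out="$3"
    escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -E "(^|[^0-9.])${escaped}([^0-9.]|$)" "$log" | tee "$out"
}
```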

A security team receives reports of multiple files causing suspicious activity on users’ workstations. The file attempted to access highly confidential information in a centralized file server. Which two actions should be taken by a security analyst to evaluate the file in a sandbox? (Choose two.)
Choose:
Inspect file type.
Inspect processes.
Inspect PE header.
Inspect registry entries.
Inspect file hash.

The two actions that should be taken by a security analyst to evaluate the file in a sandbox are:

  1. Inspect file type.
  2. Inspect file hash.

Inspecting the file type can help identify the nature of the file and its potential risks. Different types of files may have different levels of access and permissions on the system, and certain file types may be more likely to be associated with malware or other malicious activity.

Inspecting the file hash can help identify whether the file is known to be malicious or suspicious. The file hash can be checked against a database of known malware and indicators of compromise to identify any potential matches.

Inspecting processes, inspecting PE header, and inspecting registry entries may also be useful in certain contexts but are less directly relevant to evaluating a file in a sandbox. These inspections may be more relevant to analyzing the behavior and impact of a file that has already been identified as malicious.

An organization uses a Windows 7 workstation for access tracking in one of their physical data centers on which a guard documents entrance/exit activities of all personnel. A server shut down unexpectedly in this data center, and a security specialist is analyzing the case. Initial checks show that the previous two days of entrance/exit logs are missing, and the guard is confident that the logs were entered on the workstation. Where should the security specialist look next to continue investigating this case?
Choose one:
HKEY_CURRENT_USER\Software\Classes\Winlog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINES\SOFTWARE\Microsoft\WindowsNT\CurrentUser
To continue investigating this case, the security specialist should look at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList

The missing entrance/exit logs suggest that the user profile associated with the workstation may have been deleted or modified, which could be a sign of malicious activity. The ProfileList registry key contains information about user profiles on the system, including the user profile associated with the Windows 7 workstation used for access tracking.

By checking the ProfileList registry key, the security specialist can confirm whether the user profile associated with the workstation has been modified or deleted, and can potentially identify any malicious activity associated with the modification. The other registry keys listed, such as HKEY_CURRENT_USER\Software\Classes\Winlog and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon, may be relevant to other aspects of the system but are less directly relevant to investigating the missing logs in this scenario.

An incident response team is recommending changes after analyzing a recent compromise in which: a large number of events and logs were involved; team members were not able to identify the anomalous behavior and escalate it in a timely manner; several network systems were affected as a result of the latency in detection; security engineers were able to mitigate the threat and bring systems back to a stable state; and the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase. Which two recommendations should be made for improving the incident response process? (Choose two.)
Choose:
Formalize reporting requirements and responsibilities to update management and internal stakeholders throughout the incident-handling process effectively.
Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.
Allocate additional resources for the containment phase to stabilize systems in a timely manner and reduce an attack’s breadth.
Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to a functioning state.
Implement an automated operation to pull systems events/logs and bring them into an organizational context.
The two recommendations that should be made for improving the incident response process are:
  1. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles, responsibilities, and steps before an incident occurs.
  2. Implement an automated operation to pull systems events/logs and bring them into an organizational context.

Modifying the incident handling playbook and checklist can help improve incident response by ensuring that all team members are aware of their roles and responsibilities and that they follow a consistent and well-defined process. This can help reduce the latency in detection and escalation and ensure that all necessary steps are taken to mitigate and recover from the incident.

Implementing an automated operation to pull system events/logs and bring them into an organizational context can help improve the identification phase of incident response by ensuring that all relevant information is collected and correlated in a timely and effective manner. This can help reduce the time to identify and respond to incidents, improve the accuracy of analysis, and ensure that the correct information is gathered to prevent recurrence of the incident.

Formalizing reporting requirements and responsibilities, allocating additional resources for the containment phase, and improving the mitigation phase are also important considerations for incident response but may be less directly relevant to the specific issues described in the scenario.

An organization recovered from a recent ransomware outbreak that resulted in significant business damage. Leadership requested a report that identifies the problems that triggered the incident and the security team’s approach to address these problems to prevent a reoccurrence. Which components of the incident should an engineer analyze first for this report?
Choose one:
motive and factors 
impact and flow
risk and RPN
cause and effect
For the report on the recent ransomware outbreak, the components of the incident that an engineer should analyze first are:

Cause and effect.

Analyzing the cause and effect of the ransomware outbreak is critical to understanding the root cause of the incident and identifying the vulnerabilities and weaknesses in the organization’s security posture. This analysis can help identify the specific events, actions, or conditions that contributed to the incident and can inform the development of a strategy to prevent recurrence.

Motive and factors, impact and flow, and risk and RPN are also important components of incident response, but they may be less directly relevant to the goal of analyzing the cause and effect of the ransomware outbreak and identifying strategies for prevention.

An “unknown error code” is appearing on an ESXi host during authentication. An engineer checks the authentication logs but is unable to identify the issue. Analysis of the vCenter agent logs shows no connectivity errors. What is the next log file the engineer should check to continue troubleshooting this error?
Choose one:
/var/log/syslog.log
var/log/general/log
/var/log/shell.log
/var/log/vmksummary.log
To continue troubleshooting the “unknown error code” during authentication on an ESXi host, the next log file the engineer should check is:

/var/log/syslog.log

The syslog file contains system messages and is a common location for log entries related to authentication, network connectivity, and other system-level events. By checking this log file, the engineer may be able to identify more information about the error and determine the root cause of the problem.

The general log and shell log files are less directly relevant to troubleshooting authentication errors and are more commonly used for other purposes, such as monitoring script execution or system commands. The vmksummary log file contains a summary of system events and may be useful for monitoring system health but is less directly relevant to troubleshooting specific errors or issues with authentication.

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook. Which two elements are part of the eradication phase for this incident? (Choose two.)
Choose:
data and workload isolation
enterprise block listing solution
centralized user management
anti-malware software
intrusion prevention system
The two elements that are part of the eradication phase for this incident are:
  1. Data and workload isolation
  2. Anti-malware software

Data and workload isolation is an important element of the eradication phase because it helps prevent the spread of the threat to other parts of the network. By isolating the affected data and workloads, the security team can ensure that the threat is contained and cannot continue to propagate through the network.

Anti-malware software is also important in the eradication phase because it can help identify and remove any malware that may have been introduced to the network as a result of the inbound connection attempts. By scanning systems for malware and removing any identified threats, the security team can help ensure that the network is clean and that the threat has been fully eradicated.

An enterprise block listing solution, centralized user management, and intrusion prevention system may be important elements of the incident response plan but are less directly relevant to the eradication phase of this specific incident.

What is a use of TCPdump? Choose one:
to change IP ports
to view encrypted data fields
to decode user credentials
to analyze IP and other packets

The main use of TCPdump is to analyze IP and other network packets. TCPdump is a command-line tool used to capture and display network packets as they pass through a network interface. It can be used to monitor network traffic, diagnose network issues, and capture network packets for further analysis.

With TCPdump, you can capture and display the contents of individual packets and filter the output to show only the packets of interest. You can also save the captured packets to a file for later analysis using other tools.

While TCPdump can help in troubleshooting and analyzing network issues, it does not have the ability to change IP ports, view encrypted data fields, or decode user credentials. Other tools may be more appropriate for these tasks, such as packet sniffers or decryption tools.

An employee notices unexpected changes and setting modifications on their workstation and creates an incident ticket. A support specialist checks processes and services but does not identify anything suspicious. The ticket was escalated to an analyst who reviewed this event log and also discovered that the workstation had multiple large data dumps on network shares. What should be determined from this information? Choose one:
data obfuscation
reconnaissance attack
log tampering
brute-force attack
From the information provided, the most likely scenario is that the employee’s workstation was targeted in a reconnaissance attack.

The unexpected changes and setting modifications on the workstation, coupled with the large data dumps on network shares, suggest that an attacker may have gained unauthorized access to the system and was searching for sensitive information. This is a common tactic in reconnaissance attacks, where attackers attempt to gather information about the target’s systems, applications, and data in order to plan and execute a more sophisticated attack.

There is no evidence of data obfuscation, log tampering, or brute-force attack in the scenario described. While these may be potential tactics used by attackers in other scenarios, they are not directly relevant to the information provided in this case.

An engineer is analyzing a .LNK (shortcut) file recently received as an email attachment and blocked by email security as suspicious. What is the next step an engineer should take? Choose one:
Quarantine the file within the endpoint antivirus solution as the file is a ransomware which will encrypt the documents of a victim.
Open the file in a sandbox environment for further behavioral analysis as the file contains a malicious script that runs on execution.
Upload the file to a virus checking engine to compare with well-known viruses as the file is a virus disguised as a legitimate extension.
Delete the suspicious email with the attachment as the file is a shortcut extension and does not represent any threat.
The next step an engineer should take when analyzing a .LNK (shortcut) file that was blocked by email security as suspicious is to:

Open the file in a sandbox environment for further behavioral analysis as the file contains a malicious script that runs on execution.

Shortcut files are commonly used by attackers to execute malicious scripts or launch malicious applications on a victim’s machine. By opening the file in a sandbox environment, the engineer can analyze the behavior of the file without risking infection to the endpoint. Sandboxes are isolated environments designed to run applications and files in a controlled environment that can prevent them from harming the host machine.

Quarantining the file, uploading the file to a virus checking engine, or deleting the suspicious email without analysis may not provide the necessary information to determine the nature and severity of the threat. It is important to analyze the file in a safe environment to ensure that any potential threats can be identified and mitigated.

Over the last year, an organization’s HR department has accessed data from its legal department on the last day of each month to create a monthly activity report. An engineer is analyzing suspicious activity alerted by a threat intelligence platform that an authorized user in the HR department has accessed legal data daily for the last week. The engineer pulled the network data from the legal department’s shared folders and discovered above-average-size data dumps. Which threat actor is implied from these artifacts? Choose one:
internal user errors
external exfiltration
privilege escalation
malicious insider

From the artifacts described, the implied threat actor in this scenario is a malicious insider.

The fact that an authorized user in the HR department has accessed legal data daily for the last week, as well as the above-average-size data dumps found in the legal department’s shared folders, suggests that a user with legitimate access to the data is abusing that access for malicious purposes.

This behavior is consistent with that of a malicious insider who has already gained access to the organization’s network and is using their authorized access to carry out an attack. Internal user errors, external exfiltration, and privilege escalation are less likely explanations for the suspicious activity, as they do not fully explain the pattern of access and the large data dumps.

A scanner detected a malware-infected file on an endpoint that is attempting to beacon to an external site. An analyst has reviewed the IPS and SIEM logs but is unable to identify the file’s behavior. Which logs should be reviewed next to evaluate this file further? Choose one:
email security appliance
DNS server
network device
Antivirus solution

To evaluate the malware-infected file and its behavior further, the logs of the Antivirus solution should be reviewed next.

The Antivirus solution is specifically designed to identify and detect malware on endpoints, and will typically log details about the malware, such as the file name, location, and behavior. By reviewing the Antivirus logs, an analyst can gain a better understanding of the characteristics and behavior of the malware, which can help to identify the scope of the threat and plan an appropriate response.

While the other logs mentioned, such as email security appliance logs, DNS server logs, and network device logs, may also provide valuable information in certain situations, they are less directly relevant to the analysis of a malware-infected file and may not provide as much detail about the malware’s behavior.

A network host is infected with malware by an attacker who uses the host to make calls for files and shuttle traffic to bots. This attack went undetected and resulted in a significant loss. The organization wants to ensure this does not happen in the future and needs a security solution that will generate alerts when command and control communication from an infected device is detected. Which network security solution should be recommended? Choose one:
Cisco Secure Firewall Threat Defense (Firepower)
Cisco Secure Web Appliance (WSA)
Cisco Secure Email Gateway (ESA)
Cisco Secure Firewall ASA
To generate alerts when command and control communication from an infected device is detected, the security solution that should be recommended is Cisco Secure Firewall Threat Defense (Firepower).

Firepower is a next-generation firewall (NGFW) solution that uses advanced threat detection technologies, including intrusion prevention system (IPS), file inspection, and malware protection, to monitor network traffic and identify threats. It also includes a feature called Advanced Malware Protection (AMP), which is specifically designed to detect and block malware, including command and control communication used by botnets.

By using Firepower, an organization can create policies to monitor network traffic for malicious behavior and generate alerts when command and control communication is detected. This can help to identify infected devices and prevent further damage from being done. While other network security solutions, such as the Cisco Secure Web Appliance (WSA) and the Cisco Secure Email Gateway (ESA), can also provide some level of protection against malware, they are not as directly relevant to the detection of command and control communication. The Cisco Secure Firewall ASA, while providing basic security features, is not as advanced as Firepower and does not include the same level of advanced threat detection technologies.

An engineer is analyzing a ticket for an unexpected server shutdown and discovers that the web-server ran out of usable memory and crashed. Which data is needed for further investigation?
Choose one:
/var/log/access.log
/var/log/httpd/access.log
/var/log/httpd/messages.log
/var/log/messages.log
The log to review is /var/log/messages.log, the general system log (on most distributions the file is actually /var/log/messages, or /var/log/syslog on Debian-based systems; journalctl -k shows the same kernel messages on systemd hosts).

When a process exhausts memory, the kernel's OOM killer chooses a process to terminate and records that decision in the kernel log: which process invoked the OOM killer, which PID was killed, and how much memory it held (total-vm, anon-rss). That is the evidence needed to tell whether httpd itself grew or leaked, or whether another process on the host consumed the memory, and it sits next to the service manager's record of the unit dying on SIGKILL.

The access logs (/var/log/access.log, /var/log/httpd/access.log) record client requests and responses. They can show a request surge that preceded the crash, but not the kernel's memory accounting. /var/log/httpd/messages.log is not a file Apache writes: its own diagnostics go to error_log in that directory (the ErrorLog directive), which is worth reading alongside the system log, but the OOM kill itself is a kernel event and appears only in the system log.
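As an added example (not part of the original page), the detection logic an engineer would run over the system log to pull the OOM-killer evidence out of thousands of unrelated lines. The log lines are constructed to match the kernel's "Out of memory: Killed process" format; host name, PID and sizes are made up.

```python
import re

# Constructed sample of syslog-format lines as they would appear in
# /var/log/messages around an out-of-memory kill; not taken from a real host.
SAMPLE_MESSAGES = """\
Mar  3 02:14:07 web01 kernel: httpd invoked oom-killer: gfp_mask=0x6200ca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
Mar  3 02:14:07 web01 kernel: Out of memory: Killed process 4127 (httpd) total-vm:3981240kB, anon-rss:3642104kB, file-rss:0kB, shmem-rss:0kB
Mar  3 02:14:09 web01 systemd[1]: httpd.service: Main process exited, code=killed, status=9/KILL
Mar  3 02:14:09 web01 systemd[1]: httpd.service: Failed with result 'signal'.
Mar  3 02:20:01 web01 CROND[4410]: (root) CMD (/usr/lib64/sa/sa1 1 1)
"""

# Classic syslog layout: timestamp, host, "program[pid]:", message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$"
)
# Kernel OOM-killer messages: the process that triggered it, and the victim.
OOM_INVOKE_RE = re.compile(r"(?P<comm>\S+) invoked oom-killer")
OOM_KILL_RE = re.compile(
    r"Out of memory: Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\) "
    r"total-vm:(?P<vm>\d+)kB, anon-rss:(?P<rss>\d+)kB"
)


def parse_oom_events(text):
    """Walk syslog lines and return one dict per OOM kill: who triggered the
    OOM killer, which process was killed, and how much memory it held."""
    events, pending_trigger = [], None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not m.group("proc").startswith("kernel"):
            continue  # only kernel lines carry OOM-killer output
        msg = m.group("msg")
        t = OOM_INVOKE_RE.search(msg)
        if t:
            pending_trigger = t.group("comm")
            continue
        k = OOM_KILL_RE.search(msg)
        if k:
            events.append({
                "time": m.group("ts"),
                "host": m.group("host"),
                "triggered_by": pending_trigger,
                "pid": int(k.group("pid")),
                "comm": k.group("comm"),
                "total_vm_kb": int(k.group("vm")),
                "anon_rss_kb": int(k.group("rss")),
            })
            pending_trigger = None
    return events


def top_memory_victims(events):
    """Aggregate resident memory by killed command name, largest first, so a
    recurring leaker stands out across many kills."""
    totals = {}
    for e in events:
        totals[e["comm"]] = totals.get(e["comm"], 0) + e["anon_rss_kb"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for e in parse_oom_events(SAMPLE_MESSAGES):
        print(f'{e["time"]} {e["host"]}: OOM killer (triggered by {e["triggered_by"]}) '
              f'killed {e["comm"]} pid {e["pid"]} holding {e["anon_rss_kb"] // 1024} MB')
```

Run it against the real file with open("/var/log/messages").read(); on a systemd host the same kernel lines come from journalctl -k or dmesg -T. The access log is still worth correlating afterwards, to see what request volume or what single oversized request preceded the kill timestamp.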

What is the steganography anti-forensics technique?
Choose one:
hiding a section of a malicious file in unused areas of a file
concealing malicious files in ordinary or unsuspecting places
sending malicious files over a public network by encapsulation
changing the file header of a malicious file to another file type
Steganography is the anti-forensics technique of hiding data inside other, innocuous-looking data (a carrier), most often an image, audio or video file, so that the carrier looks and behaves normally while the hidden content travels with it. Of the options, the one describing it is hiding a section of a malicious file in unused areas of a file: the payload is placed where the carrier's format or viewer ignores it (least-significant bits of pixel or sample values, padding and slack space, metadata fields).

The embedding changes the carrier only marginally (for an image, typically by one unit of brightness per sample), so nothing is visible or audible, and the data is recovered by the matching extraction routine or tool. Attackers use it to smuggle malware or exfiltrate data past controls that inspect files for known malicious content, because the carrier itself is benign.

It counts as anti-forensics because the hidden data is not apparent without specialised tools, but it is not robust: statistical steganalysis (for instance the chi-square test on pairs of pixel values), comparison against an original copy of the carrier, and file-size or entropy anomalies all expose it, and well-known steganography tools leave recognisable signatures that modern forensic suites detect.

An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hours prior. Which two indicators of compromise should be determined from this information? (Choose two.) Choose:
malware outbreak
unauthorized system modification
privilege escalation
denial of service attack
compromised root access

The scenario gives little to go on, but two indicators can be determined from it:

  1. Unauthorized system modification: an event logged 48 hours before the ticket, on a server whose degraded performance nobody can explain from live monitoring, means something on the system changed without a matching change record. The engineer should pull that event's details (account, process, object modified) and compare them against the change calendar.
  2. Compromised root access: modifying a file server in a way that leaves only a historical event and no footprint in real-time tooling requires administrative rights, so the working assumption is that an attacker already holds root (or Administrator) on the host, and the investigation should start from that account's activity.

A malware outbreak, privilege escalation or denial of service would each need evidence the ticket does not provide (multiple hosts affected, a logged privilege change, saturated resources or traffic), so they cannot be determined from this information alone.

What is the transmogrify anti-forensics technique?  Choose one:
sending malicious files over a public network by encapsulation
concealing malicious files in ordinary or unsuspecting places
hiding a section of a malicious file in unused areas of a file
changing the file header of a malicious file to another file type

Transmogrify is the anti-forensics technique of rewriting a file's header so that it carries the signature (magic bytes) of a different file type: an executable given a JPEG or PDF header, for example, so that file-type detection, content filters and a casual look at the file report an image rather than a program. The file will not run until the header is restored, which the attacker does at the time of use. Correct answer: changing the file header of a malicious file to another file type.

The other options describe different techniques from the same exam topic: sending malicious files over a public network by encapsulation is tunneling, concealing files in ordinary or unsuspecting places is plain data hiding, and hiding part of a file in unused areas of another file is the steganography/slack-space variant.

For the investigator the practical check is to classify files by content signature and internal structure rather than by extension or declared header, and to treat a mismatch between the two as an indicator.
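An added example, written for this page rather than taken from any tool or vendor: the transmogrify step itself (overwriting a PE header with a JPEG signature) next to the two checks an investigator uses to catch it, a magic-byte sniff and a structural PE check that still works after the header has been rewritten. The minimal PE stub, the file names and the signature table are constructed for the example.

```python
# Leading-byte signatures for a few common types (a small, constructed table;
# real tools carry thousands of entries).
MAGIC = {
    b"MZ": "exe",                  # DOS/PE executable
    b"\x7fELF": "elf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",          # also docx/xlsx/jar
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff(data):
    """Classify by leading magic bytes, longest signature first."""
    for magic, kind in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return kind
    return None


def looks_like_pe(data):
    """Structural PE check that survives a rewritten header: the e_lfanew field
    at offset 0x3c still points at the 'PE\\0\\0' signature even when the
    leading 'MZ' bytes have been replaced."""
    if len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def transmogrify(data, fake_magic):
    """The anti-forensics step: overwrite the leading bytes with another type's
    signature. The file no longer runs until the original bytes are restored."""
    return fake_magic + data[len(fake_magic):]


def check_file(name, data):
    """Compare what the name claims, what the magic says, and what the
    structure says; any disagreement is an indicator worth a closer look."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff(data)
    pe = looks_like_pe(data)
    if pe and claimed != "exe":
        verdict = "suspicious: PE structure under a non-executable name/header"
    elif sniffed and claimed and sniffed != claimed:
        verdict = f"suspicious: extension .{claimed} but signature says {sniffed}"
    else:
        verdict = "ok"
    return {"name": name, "claimed": claimed, "sniffed": sniffed,
            "pe_structure": pe, "verdict": verdict}


def make_fake_pe():
    """Constructed minimal DOS header + PE signature (not a runnable binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)   # DOS header up to e_lfanew
    hdr += (0x80).to_bytes(4, "little")     # e_lfanew: PE header at 0x80
    hdr += b"\0" * (0x80 - len(hdr))        # DOS stub padding
    hdr += b"PE\0\0" + b"\x4c\x01"          # signature + Machine = i386
    hdr += b"\0" * 32
    return bytes(hdr)


if __name__ == "__main__":
    pe = make_fake_pe()
    disguised = transmogrify(pe, b"\xff\xd8\xff")   # now "looks like" a JPEG
    for name, blob in [("setup.exe", pe), ("photo.jpg", disguised), ("photo.jpg", pe)]:
        print(check_file(name, blob))
```

The point of the second check is that signature tables alone are exactly what transmogrify is designed to beat; structural parsing (here the e_lfanew pointer, for other formats the chunk or object layout) is what catches the disguised file.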

What is the function of a disassembler?
Choose one:
aids transforming symbolic language into machine code
aids defining breakpoints in program execution
aids viewing and changing the running state
aids performing static malware analysis
A disassembler is a tool that translates machine code (the bytes of a compiled binary) back into assembly-language mnemonics that a human can read. It does not recover source code; that is the job of a decompiler, which works on top of a disassembly.

Given an executable, the disassembler decodes each opcode and its operands into an instruction such as mov or call, attaches an address to every instruction, and usually resolves cross-references, names imported functions, and identifies function boundaries and strings. Two strategies exist: linear sweep, which decodes bytes one after another from the start of a section, and recursive traversal, which follows jumps and calls and so is less easily misled by data mixed into code.

The resulting listing lets an analyst understand what the program does without running it: find the routines that build a C2 URL, decrypt a configuration or inject into another process, and spot vulnerabilities in native code. That is static analysis; debuggers (which set breakpoints and inspect or change the running state) cover the dynamic side, and assemblers perform the opposite transformation, from symbolic language into machine code.

Therefore, the function of a disassembler is to aid in performing static malware analysis.
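To make the byte-to-mnemonic step concrete, an added example that is not code from the page or from any real disassembler: a linear-sweep disassembler for a small subset of 32-bit x86 (push/pop, mov reg,imm32, register-to-register mov, call, short jmp, nop, ret, int3), plus the kind of static question an analyst asks of the listing, "which addresses does this code call?". The sample bytes are constructed, not taken from a real binary; the base address 0x401000 is the conventional default for a Windows PE .text section and is an assumption here.

```python
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _decode(code, i, addr):
    """Decode the instruction at code[i]; return (size, text)."""
    op = code[i]
    if op == 0x90:
        return 1, "nop"
    if op == 0xC3:
        return 1, "ret"
    if op == 0xCC:
        return 1, "int3"
    if 0x50 <= op <= 0x57:
        return 1, f"push {REGS[op - 0x50]}"
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REGS[op - 0x58]}"
    if 0xB8 <= op <= 0xBF and i + 5 <= len(code):        # mov r32, imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return 5, f"mov {REGS[op - 0xB8]}, 0x{imm:x}"
    if op == 0xE8 and i + 5 <= len(code):                # call rel32 (relative to next insn)
        rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
        return 5, f"call 0x{addr + 5 + rel:x}"
    if op == 0xEB and i + 2 <= len(code):                # jmp short rel8
        rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        return 2, f"jmp short 0x{addr + 2 + rel:x}"
    if op == 0x89 and i + 2 <= len(code) and code[i + 1] >> 6 == 3:
        modrm = code[i + 1]                              # mov r/m32, r32: mod=11, reg -> rm
        return 2, f"mov {REGS[modrm & 7]}, {REGS[(modrm >> 3) & 7]}"
    return 1, f"db 0x{op:02x}"                           # unknown or truncated: raw byte


def disassemble(code, base=0x401000):
    """Linear sweep: decode from the first byte to the last without following
    control flow. Returns (address, hex bytes, mnemonic) per instruction."""
    listing, i = [], 0
    while i < len(code):
        size, text = _decode(code, i, base + i)
        listing.append((base + i, code[i:i + size].hex(), text))
        i += size
    return listing


def call_targets(listing):
    """Static-analysis use of the listing: every address the code calls."""
    return sorted({int(t.split()[1], 16) for _, _, t in listing if t.startswith("call ")})


# Constructed byte sequence (not from a real sample): function prologue,
# a constant load, a call, and the epilogue.
SAMPLE_CODE = bytes.fromhex("55 89e5 b834120000 e810000000 5d c3")

if __name__ == "__main__":
    listing = disassemble(SAMPLE_CODE)
    for addr, raw, text in listing:
        print(f"{addr:08x}  {raw:<12} {text}")
    print("calls:", [hex(t) for t in call_targets(listing)])
```

Linear sweep is what makes the final fallback line necessary: a byte of data embedded in the code stream is decoded as an instruction and can throw every following instruction out of alignment, which is why production disassemblers combine the sweep with recursive traversal from known entry points.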

Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation? Choose one:
GPO modification
privilege escalation
process injection
token manipulation

The technique is process injection.

Process injection places attacker-controlled code inside the memory of another, already running process and arranges for it to execute there, for example by writing to the target's address space and starting a remote thread in it, by forcing the target to load a DLL, or by replacing the mapped image of a newly created suspended process with a malicious one (process hollowing). The code then runs under the name, token and reputation of a legitimate process such as explorer.exe or svchost.exe.

That is what defeats detection: allow-lists, per-process firewall rules and reputation checks see only the trusted host process, and there may be no artefact on disk at all. The other options are different things: GPO modification changes policy, privilege escalation gains higher rights, and token manipulation impersonates another security context. None of them, by definition, executes code inside a separate live process.

For detection, look for cross-process memory writes and remote thread creation, executable memory regions in a process that are not backed by a file on disk, and processes whose behaviour does not match their image (for example svchost.exe making outbound HTTP requests outside any service context).

An investigator is analyzing an attack in which malicious files were loaded on the network and were undetected. Several of the images received during the attack include repetitive patterns. Which anti-forensic technique was used? Choose one:
spoofing
steganography
obfuscation
tunneling
The anti-forensic technique that involves hiding information in files such as images, audio or video files is known as steganography. Therefore, the repetitive patterns found in the images during the attack suggest that steganography was used to hide the malicious files in the images.

Steganography is used to conceal the existence of data within other seemingly innocent data, making it difficult to detect. The technique involves embedding the data to be hidden within the data of another file, such as an image or a sound file, in a way that the alteration is not noticeable to the human eye or ear.

By using steganography, attackers can hide malicious files within benign files, allowing them to bypass security measures that are looking for specific types of malware. This technique can be used to distribute malware or exfiltrate sensitive data without being detected.

Therefore, in the given scenario, the anti-forensic technique that was used is steganography.
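An added example serving both steganography questions above (not code from the page or from any steganography tool): least-significant-bit embedding and extraction over an 8-bit carrier, and the pairs-of-values chi-square statistic that steganalysis uses to detect it. The carrier is a constructed array of sample values standing in for an image's pixels, with more even than odd values so that it has the uneven value pairs a real photo has; the secret and the seeds are made up.

```python
import random


def embed_lsb(carrier, payload):
    """Hide payload bytes in the least-significant bit of each carrier sample.
    A 32-bit big-endian length prefix tells extract_lsb where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]  # MSB first
    if len(bits) > len(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # each sample changes by at most 1
    return bytes(out)


def _read_bytes(stego, first_sample, n):
    out = bytearray()
    for b in range(n):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[first_sample + b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(stego):
    """Recover the payload; rejects carriers whose length prefix is impossible."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + 8 * length > len(stego):
        raise ValueError("length prefix exceeds carrier; probably not LSB-embedded data")
    return _read_bytes(stego, 32, length)


def chi_square_pairs(samples):
    """Pairs-of-values chi-square statistic (simplified Westfeld/Pfitzmann test).
    LSB embedding only moves samples between 2k and 2k+1, so it pushes those
    two counts toward equality and the statistic toward zero."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd:
            chi += (even - odd) ** 2 / (even + odd)
    return chi


def make_carrier(n=4096, seed=7):
    """Constructed 8-bit 'image': pseudo-random values biased toward even, so the
    clean carrier has clearly unequal pairs. Not a real picture."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = rng.randrange(256)
        if v & 1 and rng.random() < 0.5:
            v -= 1
        out.append(v)
    return bytes(out)


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"c2 host and key material (constructed)"
    stego = embed_lsb(carrier, secret)
    print("recovered:", extract_lsb(stego))
    print("max per-sample change:", max(abs(a - b) for a, b in zip(carrier, stego)))
    capacity = (len(carrier) - 32) // 8
    noise = bytes(random.Random(3).randrange(256) for _ in range(capacity))
    print("chi2 clean: %.0f  chi2 fully embedded: %.0f"
          % (chi_square_pairs(carrier), chi_square_pairs(embed_lsb(carrier, noise))))
```

Two things the run shows that the prose does not: no sample moves by more than one unit, which is why the carrier looks untouched, and the chi-square value of a fully embedded carrier collapses relative to the clean one, which is why it does not survive statistical steganalysis. The "repetitive patterns" in the question are the other tell: a short repeated payload, or a low-entropy file embedded without encryption, leaves a periodic structure in the LSB plane.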

An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take? Choose one:
Upload the file signature to threat intelligence tools to determine if the file is malicious.
Monitor processes as this a standard behavior of Word macro embedded documents.
Contain the threat for further analysis as this is an indication of suspicious activity.
Investigate the sender of the email and communicate with the employee to determine the motives.
Contain the threat for further analysis as this is an indication of suspicious activity.
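The parent-child chain in this question is the detection rule itself, so here is an added example (not from the page, not from any EDR product) that evaluates a process snapshot for shells spawned underneath an Office application. The snapshot, PIDs and image names are constructed; the set of Office and shell-like image names is an assumption that a real rule would tune.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
              "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed process snapshot (pid, ppid, image name); not from a real host.
SNAPSHOT = [
    Proc(600, 4, "services.exe"),
    Proc(700, 600, "svchost.exe"),
    Proc(710, 700, "cmd.exe"),            # service-launched shell, benign here
    Proc(1000, 900, "explorer.exe"),
    Proc(1020, 1000, "powershell.exe"),   # user opened a console: no Office ancestor
    Proc(2048, 1000, "winword.exe"),
    Proc(2100, 2048, "cmd.exe"),          # Word spawned a shell
    Proc(2150, 2100, "powershell.exe"),   # ... which spawned PowerShell
]


def ancestry(procs, pid):
    """Image names from the given process up through its parents, child first.
    Stops on a missing parent or a pid cycle (Windows reuses pids)."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name.lower())
        pid = by_pid[pid].ppid
    return chain


def office_spawned_shells(procs, max_depth=3):
    """Flag shell-like processes that have an Office application within
    max_depth ancestors (grandparent included). Returns (pid, chain) pairs."""
    hits = []
    for p in procs:
        if p.name.lower() not in SHELL_LIKE:
            continue
        chain = ancestry(procs, p.pid)
        for depth, anc in enumerate(chain[1:max_depth + 1], start=1):
            if anc in OFFICE_APPS:
                hits.append((p.pid, " <- ".join(chain[:depth + 1])))
                break
    return hits


if __name__ == "__main__":
    for pid, chain in office_spawned_shells(SNAPSHOT):
        print(f"pid {pid}: {chain}")
```

On a live Windows host the same (pid, ppid, name) triples come from Get-CimInstance Win32_Process, selecting ProcessId, ParentProcessId and Name, or historically from Sysmon event ID 1, which records ParentImage for every process creation. Depth matters: the question's chain is winword.exe > cmd.exe > powershell.exe, so a rule that only checks the immediate parent of PowerShell would miss it.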
What is a concern for gathering forensics evidence in public cloud environments? Choose one:
Timeliness: Gathering forensics evidence from cloud service providers typically requires substantial time.
Multitenancy: Evidence gathering must avoid exposure of data from other tenants.
Configuration: Implementing security zones and proper network segmentation.
High Cost: Cloud service providers typically charge high fees for allowing cloud forensics.
Multitenancy is a concern for gathering forensics evidence in public cloud environments. Evidence gathering must avoid exposure of data from other tenants. In a public cloud environment, the resources are shared among multiple tenants, which makes it critical to ensure that the forensic investigation does not expose data belonging to other tenants on the same shared infrastructure. Special precautions need to be taken to prevent cross-contamination and ensure that the evidence gathered is only from the target tenant.
What will this Wireshark filter match? tls.handshake.type == 1
This Wireshark display filter selects TLS (Transport Layer Security) handshake messages whose type value is 1, the ClientHello. A client sends it to open a TLS session; it carries the highest protocol version the client offers, the client random, the list of cipher suites it supports, and extensions such as the server name indication (SNI) and, for TLS 1.3, the key shares. Because the ClientHello is sent in clear even in TLS 1.3 (later handshake messages are encrypted), it is the message analysts use to see which host a client asked for and to fingerprint the client (JA3 hashes are built from its fields). Type 2 is the ServerHello; in Wireshark releases before 3.0 the same field was spelled ssl.handshake.type.
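An added example, not from the page or from Wireshark's own code, that does by hand what the display filter does: it takes a TLS record, decides whether it is a handshake record of type 1, and if so pulls out the fields an analyst reads from a ClientHello (version, cipher suites, SNI). The record is constructed by the builder in the same block with a made-up host name, fixed "random" bytes and a short suite list; the cipher-suite name table is a small subset of the IANA registry.

```python
CIPHER_NAMES = {   # subset of the IANA TLS cipher-suite registry
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(server_name, suites, version=(3, 3)):
    """Assemble a minimal TLS record carrying a ClientHello (constructed test
    input; real clients send many more extensions and a random random)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type host_name = 0
    sni_data = len(sni_entry).to_bytes(2, "big") + sni_entry             # server_name_list
    sni_ext = b"\x00\x00" + len(sni_data).to_bytes(2, "big") + sni_data  # extension type 0
    body = bytes(version) + bytes(range(32)) + b"\x00"                  # version, random, empty session id
    body += (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                                                  # one compression method: null
    body += len(sni_ext).to_bytes(2, "big") + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # ContentType handshake = 22


def parse_client_hello(record):
    """Return the fields of a ClientHello, or None when the record is not a
    handshake record of type 1 (exactly what tls.handshake.type == 1 selects)."""
    try:
        if record[0] != 0x16:
            return None
        body = record[5:5 + int.from_bytes(record[3:5], "big")]
        if body[0] != 0x01:
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = (hs[0], hs[1])
        pos = 34                                   # skip version + 32-byte random
        pos += 1 + hs[pos]                         # session id
        cs_len = int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        suites = [int.from_bytes(hs[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                         # compression methods
        sni, ext_types = None, []
        if pos + 2 <= len(hs):
            end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= end:
                etype = int.from_bytes(hs[pos:pos + 2], "big")
                elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
                edata = hs[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                ext_types.append(etype)
                if etype == 0 and len(edata) >= 5:  # server_name: list len(2), type(1), name len(2), name
                    nlen = int.from_bytes(edata[3:5], "big")
                    sni = edata[5:5 + nlen].decode("ascii", "replace")
    except IndexError:
        return None                                # truncated or malformed record
    return {
        "version": version,
        "cipher_suites": suites,
        "cipher_names": [CIPHER_NAMES.get(s, f"0x{s:04x}") for s in suites],
        "sni": sni,
        "extensions": ext_types,
    }


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0xC02F, 0x000A])
    print(parse_client_hello(rec))
    print(parse_client_hello(b"\x17\x03\x03\x00\x01\x00"))   # application data: no match
```

The two negative cases in the block are the ones the filter distinguishes: an application-data record (content type 0x17) and a ServerHello (handshake type 2) both fall through to None, just as they are excluded by tls.handshake.type == 1 in Wireshark.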
An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hours prior. Which two indicators of compromise should be determined from this information? (Choose two.) Response:
malware outbreak (wrong)
unauthorized system modification (correct)
privilege escalation
denial of service attack
compromised root access (should have been chosen)
The correct answer is:
  • unauthorized system modification
  • compromised root access

The slow performance of the internal share server and an event in the event logs from 48 hours prior may indicate that unauthorized system modifications were made, possibly leading to a compromised root access.

What is the function of a disassembler? Response:
aids transforming symbolic language into machine code (wrong)
aids defining breakpoints in program execution
aids viewing and changing the running state
aids performing static malware analysis (should have been chosen)
Correct. A disassembler is a tool that is used to perform static analysis of software by transforming machine code back into assembly code, making it easier for analysts to understand the functionality of the code and identify potential security issues, including malware.
A network engineer is analyzing a Wireshark file to determine the HTTP request that caused the initial Ursnif banking Trojan binary to download. Which filter did the engineer apply to sort the Wireshark traffic logs?
Choose one:
tls.handshake.type ==1
tcp.window_size ==0
tcp.port eq 25
http.request.uri matches
Three of the options have nothing to do with HTTP downloads: tls.handshake.type == 1 isolates TLS ClientHello messages, tcp.window_size == 0 finds zero-window segments (a stalled receiver), and tcp.port eq 25 selects SMTP. The filter that narrows the capture to the request behind the download is http.request.uri matches "<regex>", which applies a regular expression to the requested URI (the option as rendered reads "http.request.un", a typo for uri).

With the URI pattern from the Ursnif indicators, the engineer can list only the matching requests, find the GET that fetched the binary, and then use Follow > TCP Stream on it to see the response carrying the executable. Filtering on the method alone (http.request.method == "GET") works as a first cut but returns every page load in the capture.

Therefore, the correct answer is: http.request.uri matches.

Refer to the exhibit:

7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:274:Type=X509
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:536:
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:274:Type=RSA
7369808704:error:04093004:rsa routines:old_rsa_priv_decode:RSA lib:crypto/rsa/rsa_ameth.c:72:
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:274:Type=PKCS8_PRIV_KEY_INFO
7369808704:error:2306F041:PKCS12 routines:PKCS12_key_gen_uni:malloc failure:crypto/pkcs12/p12_key.c:185:
7369808704:error:2307806B:PKCS12 routines:PKCS12_PBE_keyivgen:key gen error:crypto/pkcs12/p12_crpt.c:55:
7369808704:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:126:
7369808704:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41:
7369808704:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:crypto/pkcs12/p12_decr.c:144:
7369808704:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:crypto/pkcs12/p12_add.c:119:

What should be determined from this Apache log?
Response:
A module named mod_ssl is needed to make SSL connections.
The private key does not match with the SSL certificate.
The certificate file has been maliciously modified.
The SSL traffic setup is improper.

The exhibit is not an Apache access or error log but an OpenSSL error stack, in the library's pid:error:code:library:function:reason:file:line format, of the kind the openssl command-line tool prints (Apache's mod_ssl logs the same strings prefixed with "SSL Library Error"). Reading it top to bottom: the library repeatedly fails to DER-decode the supplied file ("wrong tag" while trying it as an X509 certificate, then as an RSA key, then as PKCS8_PRIV_KEY_INFO), and the PKCS12 key-generation and encryption steps that follow fail because they never received usable key material.

Nothing in it says the key and certificate disagree; that condition produces a different error, X509_check_private_key:key values mismatch. A missing mod_ssl produces an Apache configuration error ("Invalid command 'SSLEngine'"), not OpenSSL decode errors, and the log gives no basis for calling the file maliciously modified rather than simply the wrong format or corrupt. What can be determined is that the certificate and key material as configured cannot be parsed, so the SSL setup is improper. Therefore, the correct answer is:

The SSL traffic setup is improper.
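An added example for reading this kind of output (not from the page, not from OpenSSL itself): a parser for OpenSSL's error-stack line format that splits each line into its fields, decodes the packed 32-bit error code into library, function and reason numbers, and classifies the stack. The first sample is the exhibit's lines retyped; the second, a key/certificate mismatch line, is constructed to show the case the exhibit does not contain. The library-number table follows OpenSSL 1.1.x's numbering (ERR_LIB_RSA 4, EVP 6, X509 11, ASN1 13, SSL 20, PKCS12 35) and is an assumption for other versions.

```python
import re
from collections import Counter

ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)
LIB_NAMES = {0x04: "RSA", 0x06: "EVP", 0x0B: "X509", 0x0D: "ASN1", 0x14: "SSL", 0x23: "PKCS12"}

# The exhibit above, retyped.
PAGE_LOG = """\
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:274:Type=X509
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:536:
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:274:Type=RSA
7369808704:error:04093004:rsa routines:old_rsa_priv_decode:RSA lib:crypto/rsa/rsa_ameth.c:72:
7369808704:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1112:
7369808704:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:274:Type=PKCS8_PRIV_KEY_INFO
7369808704:error:2306F041:PKCS12 routines:PKCS12_key_gen_uni:malloc failure:crypto/pkcs12/p12_key.c:185:
7369808704:error:2307806B:PKCS12 routines:PKCS12_PBE_keyivgen:key gen error:crypto/pkcs12/p12_crpt.c:55:
7369808704:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:crypto/evp/evp_pbe.c:126:
7369808704:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:crypto/pkcs12/p12_decr.c:41:
7369808704:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:crypto/pkcs12/p12_decr.c:144:
7369808704:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:crypto/pkcs12/p12_add.c:119:
"""

# Constructed contrast case: what a real key/certificate mismatch looks like.
MISMATCH_LOG = "1234:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:295:\n"


def decode_code(code_hex):
    """Unpack OpenSSL 1.1.x's 8-bit library / 12-bit function / 12-bit reason code."""
    code = int(code_hex, 16)
    lib = code >> 24
    return {"lib_code": lib, "lib_name": LIB_NAMES.get(lib, f"lib{lib}"),
            "func_code": (code >> 12) & 0xFFF, "reason_code": code & 0xFFF}


def parse_error_stack(text):
    """One dict per well-formed error line, in the order OpenSSL emitted them."""
    entries = []
    for line in text.splitlines():
        m = ERR_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e.update(decode_code(e["code"]))
            entries.append(e)
    return entries


def libraries_hit(entries):
    return Counter(e["lib_name"] for e in entries)


def diagnose(entries):
    """Map the reason strings to the handful of root causes an operator acts on."""
    reasons = {e["reason"] for e in entries}
    if "key values mismatch" in reasons:
        return "key/certificate mismatch"
    if reasons & {"wrong tag", "nested asn1 error", "bad base64 decode", "no start line"}:
        return "certificate/key material could not be parsed (wrong file format or corrupt input)"
    if any(("keygen failure" in r) or ("encrypt error" in r) or ("malloc failure" in r) for r in reasons):
        return "PKCS12/encryption setup failed"
    return "unclassified"


if __name__ == "__main__":
    entries = parse_error_stack(PAGE_LOG)
    print(libraries_hit(entries))
    print(diagnose(entries))
    print(diagnose(parse_error_stack(MISMATCH_LOG)))
```

The order of checks in diagnose matters: the ASN.1 "wrong tag" lines appear first in the stack and are the root cause; the PKCS12 and EVP failures underneath are consequences of it, which is why the classification does not stop at the last (deepest) line.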