01. What is the steganography anti-forensics technique?
a) hiding a section of a malicious file in unused areas of a file
b) changing the file header of a malicious file to another file type
c) sending malicious files over a public network by encapsulation
d) concealing malicious files in ordinary or unsuspecting places
02. A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook.
Which two elements are part of the eradication phase for this incident?
a) anti-malware software
b) data and workload isolation
c) centralized user management
d) intrusion prevention system
e) enterprise block listing solution
03. An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat?
a) An engineer should check the list of usernames currently logged in by running the command $ who | cut -d' ' -f1 | sort | uniq
b) An engineer should check the last hundred entries of a web server with the command sudo tail -100 /var/log/apache2/access.log.
c) An engineer should check the services on the machine by running the command service --status-all.
d) An engineer should check the server’s processes by running commands ps -aux and sudo ps -a.
04. What is a concern for gathering forensics evidence in public cloud environments?
a) High Cost: Cloud service providers typically charge high fees for allowing cloud forensics.
b) Configuration: Implementing security zones and proper network segmentation.
c) Timeliness: Gathering forensics evidence from cloud service providers typically requires substantial time.
d) Multitenancy: Evidence gathering must avoid exposure of data from other tenants.
05. A security team received an alert of suspicious activity on a user’s Internet browser. The user’s anti-virus software indicated that the file attempted to create a fake recycle bin folder and connect to an external IP address.
Which two actions should be taken by the security analyst with the executable file for further analysis?
a) Evaluate the process activity in Cisco Umbrella.
b) Analyze the TCP/IP Streams in Cisco Secure Malware Analytics (Threat Grid).
c) Evaluate the behavioral indicators in Cisco Secure Malware Analytics (Threat Grid).
d) Analyze the Magic File type in Cisco Umbrella.
e) Network Exit Localization in Cisco Secure Malware Analytics (Threat Grid).
06. What is the function of a disassembler?
a) aids performing static malware analysis
b) aids viewing and changing the running state
c) aids transforming symbolic language into machine code
d) aids defining breakpoints in program execution
07. Which information is provided about the object file by the “-h” option in the objdump command line objdump -b oasys -m vax -h fu.o?
08. A security team receives reports of multiple files causing suspicious activity on users’ workstations. The file attempted to access highly confidential information in a centralized file server.
Which two actions should be taken by a security analyst to evaluate the file in a sandbox?
a) Inspect registry entries.
b) Inspect processes.
c) Inspect file hash.
d) Inspect file type.
e) Inspect PE header.
09. Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation?
a) process injection
b) privilege escalation
c) GPO modification
d) token manipulation
10. Over the last year, an organization’s HR department has accessed data from its legal department on the last day of each month to create a monthly activity report.
An engineer is analyzing suspicious activity alerted by a threat intelligence platform that an authorized user in the HR department has accessed legal data daily for the last week.
The engineer pulled the network data from the legal department’s shared folders and discovered above-average-size data dumps. Which threat actor is implied from these artifacts?
a) privilege escalation
b) internal user errors
c) malicious insider
d) external exfiltration