問題一覧
1
735 Which system is an attacker targeting by running the following command? PS > Invoke-MSOLSpray -UserList ./users.txt -Password Clippers22
Microsoft 365 cloud environment
2
686 In addition to special characters, certain keywords in log files may indicate a SQL injection attack. Which words could indicate a SQL injection attack?
"""union"", and ""select"""
3
760 Based on the nmap data in the screenshot the analyst would choose which IP address for a DNS attack?
10.0.0.1
4
817 An analyst believes that an attacker used the built-in tool MSBuild to compile msfvenom codWhat evidence can the analyst look for to test this theory?
Downloading of a shellcode wrapper
5
727 A penetration tester is using John the Ripper to audit the password strength of Linux systems. The systems use shadow passwords. What command will he run to unshadow the passwords to a file, combined.txt?
unshadow/etc/passwd /etc/shadow > combined.txt
6
836 Considering Volatility, why would psscan return more results than pslist?
The psscan plugin identifies hidden processes
7
704 How would an attacker hide an executable from being viewed by Windows Explorer?
Place it into an ADS of a .txt file
8
837 An organization has an SSH server that was compromiseGiven the following evidence, what most likely occurred?
An attacker accessed the system through a backdoor using netcat
9
808 How should an incident handler classify the following event shown in the output below?
SQL Injection
10
763 A security examiner has been given permission by senior management to conduct a password audit. What should the examiner ensure after the process completes?
Pot files are removed from cracking systems
11
737 What tool would an incident handler use to search for all autostart extensibility points (ASEPs) on a Windows host?
autoruns
12
669 Which of the following occurs when a penetration tester attempts to connect to a host with the following command? net use \\192.168.44.213
IPC$ share returns a list of running processes
13
703 When switching traffic on a LAN, what element of the Ethernet frame does a switch use to make its decision on where to send the data?
Destination MAC address
14
723 What is the size of the data transferred in the following Squid access log?
859 bytes
15
809 An administrator runs the following commanWhat should be their next step based on the output shown?
Decode the Base-64 value
16
675 What is the outcome of the command below? hashcat -m 3000 -a 3 ntds.dat --potfile-path ntds.potfile -1 ?u?d?s --increment ?1?1?1?1?1?1
Crack six digit LANMAN passwords
17
741 Which of the following dumped hashes would be most useful to an attacker?
Betty
18
728 Which of the following natively supports SMB encryption?
Windows Server 2012
19
780 Which of the following SSH commands will start a SOCKS proxy server on the local system?
ssh -D 2000 spantz@10.10.10.20
20
803 An attacker at IP address 11.22.33.44 set up a reverse shell so he could execute commands on a server (internal IP address 192.168.20.21) that sits behind a site firewall blocking incoming SSH traffic but allowing all outbound traffiWhat command would he run on the server?
Each Request
21
626 Which Microsoft tool can be used to mitigate the risk of an adversary reusing a stolen local administrator password hash?
LAPS
22
702 Which of the following Volatility commands will display the date and time an image was collected?
python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo
23
764 What is downloaded when the following command is executed? $ bucket_finder.rb words --download
Content from publicly accessible S3 buckets
24
792 Which of the following will record web sites visited and web applications used for incident response analysis?
Squid
25
625 An organization has an SSH server that was compromised, but later eradicated and recovereThe system disks were wiped clean, the OS reinstalled, and patches re-applieAfter this valid, user-account on that system. process is complete, a security analyst noticed multiple simultaneous SSH logins from a single,Which of the following is the most likely explanation?
The SSH user account credentials have been compromised
26
731 A security team is actively monitoring windows event IDs 4634, 4688, and 4697. Which persistence mechanism will they detect with this approach?
Golden ticket use
27
770 Which of the following programs is used by John the Ripper to merge the /etc/passwd and /etc/shadow files?
unshadow
28
734 Which netcat command will listen on port 2222 for connections from a remote system (10.0.0.1)?
C:\>nc.exe -l-p 2222
29
684 Which of the following user accounts is the default Administrator account?
JoePowershell
30
679 A responder runs the two commands below looking for the number of lines that contain the word powershell. Which of the following is a reason why the output is different between the two plugins?
The psscan plugin has identified hidden processes
31
650 When would a web-based reconnaissance tool be preferred over a direct/local reconnaissance tool?
To keep traffic from the attacker's system from hitting the target network
32
644 Which of the following is a technique that can be used to reduce the amount of data to examine during an investigation?
Ignore files with known good hashes
33
742 An investigator performing an initial analysis of a memory image identified a suspicious URL while using the strings utility. A second investigator attempting to recreate the results cannot find the same URL when executing the command below. What could be the cause? $ strings CASE-43110.mem > case-43110.strings.txt
The URL is in little endian format
34
718 An attacker has penetrated a network and is moving into the stage of pivoting throughout the network. Which defense mitigates this stage of the attack?
Setting unique password for each computer’s local administrator