Updated CompTIA CySA+ CS0-002 Practice Questions [2022] Pass CS0-002 Exam With Excellent Marks

1. A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445.

Which of the following should be the team’s NEXT step during the detection phase of this response process?

2. A bad actor bypasses authentication and reveals all records in a database through an SQL injection. Implementation of which of the following would work BEST to prevent similar attacks in

3. A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application.

The analyst is concerned about the following output:





Which of the following is the MOST likely reason for this vulnerability?

4. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

5. Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?

6. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows:





Which of the following MOST likely occurred?

7. As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information.

After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

8. An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used.

Which of the following commands should the analyst use?

9. Which of the following types of policies is used to regulate data storage on the network?

10. A security analyst is researching an incident and uncovers several details that may link to other incidents. The security analyst wants to determine if other incidents are related to the current incident.

Which of the following threat research methodologies would be MOST appropriate for the analyst to use?

11. During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host.

The analyst queries for IP 192.168.50.2 for a 24-hour period:





To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.

12. Which of the following technologies can be used to store digital certificates and is typically used in high security implementations where integrity is paramount?

13. An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures.

Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

14. During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user.





Which of the following commands should the analyst investigate FIRST?

15. What is the executable file name or the malware?

16. The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:

✑ Reduce the number of potential findings by the auditors.

✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.

✑ Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

17. A system’s authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now.

The cybersecurity group just performed a vulnerability scan with the partial set of results shown below:





Based on the scenario and the output from the vulnerability scan, which of the following should the security team do with this finding?

18. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

19. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

Which of the following registry keys would MOST likely have this information?

20. Understanding attack vectors and integrating intelligence sources are important components of:

21. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

22. A security analyst has a sample of malicious software and needs to know what the sample does. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior.

Which of the following malware analysis approaches is this?

23. When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?

24. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise.

Which of the following describes the type of vulnerability that was MOST likely expiated?

25. CORRECT TEXT

While investigating an incident in a company's SIEM console, a security analyst found hundreds of failed SSH login attempts, which all occurred in rapid succession. The failed attempts were followed by a successful login on the root user Company policy allows systems administrators to manage their systems only from the company's internal network using their assigned corporate logins.

Which of the following are the BEST actions the analyst can take to stop any further compromise? (Select TWO).

A Configure /etc/sshd_config to deny root logins and restart the SSHD service.

B. Add a rule on the network IPS to block SSH user sessions

C. Configure /etc/passwd to deny root logins and restart the SSHD service.

D. Reset the passwords for all accounts on the affected system.

E. Add a rule on the perimeter firewall to block the source IP address.

F. Add a rule on the affected system to block access to port TCP/22.

26. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

27. A company recently experienced financial fraud, which included shared passwords being compromised and improper levels of access being granted. The company has asked a security analyst to help improve its controls.

Which of the following will MOST likely help the security analyst develop better controls?

28. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

29. A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account, to perform queries and look up data m a database A security analyst discovers employees are accessing data sets they have not been authorized to use.

Which of the following will fix the cause of the issue?

30. 1.A security analyst is reviewing the network security monitoring logs listed below:





Which of the following is the analyst MOST likely observing? (Select TWO).

31. A security analyst is reviewing the following log from an email security service.





Which of the following BEST describes the reason why the email was blocked?

32. Massivelog log has grown to 40GB on a Windows server At this size, local tools are unable to read the file, and it cannot be moved off the virtual server where it is located.

Which of the following lines of PowerShell script will allow a user to extract the last 10.000 lines of the loq for review?

33. A security analyst is auditing firewall rules with the goal of scanning some known ports to check the firewall’s behavior and responses.

The analyst executes the following commands:





The analyst then compares the following results for port 22:

nmap returns “Closed”

hping3 returns “flags=RA”

Which of the following BEST describes the firewall rule?

34. During an incident investigation, a security analyst acquired a malicious file that was used as a backdoor but was not detected by the antivirus application. After performing a reverse-engineering procedure, the analyst found that part of the code was obfuscated to avoid signature detection.

Which of the following types of instructions should the analyst use to understand how the malware was obfuscated and to help deobfuscate it?

35. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?

36. The Chief Information Officer (CIO) of a large healthcare institution is concerned about all machines having direct access to sensitive patient information.

Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure?

37. A company just chose a global software company based in Europe to implement a new supply chain management solution.

Which of the following would be the MAIN concern of the company?