CompTIA CySA+ (CS0-003) · Domain 1 · 33% of exam

Security Operations

Drill 20 practice questions focused entirely on Security Operations for the CompTIA CS0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A SOC analyst reviewing firewall logs notices that an internal workstation initiates outbound HTTPS connections to the same external IP address every 300 seconds, with each connection transferring a nearly identical small payload of approximately 512 bytes. The destination domain was registered three days ago and has no reputation data. Which conclusion is BEST supported by these indicators?

Reviewed for accuracy · Report an issue
Question 2 of 20

A SOC analyst is correlating events from a web server, a firewall, and a domain controller during an incident investigation. The analyst notices that the sequence of logged events across the three systems does not match the actual order in which the activity occurred, making it impossible to build an accurate timeline. All logs are being forwarded to the same SIEM. Which underlying issue is MOST likely responsible for this problem?

Reviewed for accuracy · Report an issue
Question 3 of 20

A threat intelligence analyst is reviewing an incident report. According to the report, an adversary obtained a zero-day vulnerability, then paired an exploit for that vulnerability with a malicious PDF payload to create a deliverable file. This file had not yet been sent to any target at the time the activity was observed. Using the Lockheed Martin Cyber Kill Chain, which stage does this coupling of exploit and payload BEST represent?

Reviewed for accuracy · Report an issue
Question 4 of 20

A threat analyst is documenting an intrusion using the Diamond Model of Intrusion Analysis. She has confirmed the malware sample (a custom RAT) and the compromised web server used to host the second-stage payload. To expand the investigation, she wants to identify other victims by pivoting from what she already knows. Which analytic pivot best leverages the confirmed data to discover additional affected organizations?

Reviewed for accuracy · Report an issue
Question 5 of 20

A threat analyst is documenting an intrusion using the Diamond Model of Intrusion Analysis. Investigation reveals that the attacker used a spear-phishing email to compromise an accounts-payable employee's workstation, then leveraged that access to reach the finance department's payment system. The analyst wants to properly populate the model's four core vertices. Which piece of evidence should be recorded under the 'Victim' vertex?

Reviewed for accuracy · Report an issue
Question 6 of 20

A SOC analyst reviewing DNS query logs from an internal workstation notices hundreds of outbound lookups per hour to domains such as 'kjf83hdsl2.info', 'zx9qmvbn4.info', and 'p1x8wqz7t.info'. Most of these queries return NXDOMAIN responses, but a small number resolve successfully to a hosting provider in another country. Which conclusion is best supported by these indicators?

Reviewed for accuracy · Report an issue
Question 7 of 20

A SOC analyst using an EDR platform observes that a finance workstation is executing an unsigned binary that is spawning encoded PowerShell commands and initiating outbound connections to multiple external IPs. The analyst needs to stop the potential spread while preserving the ability to investigate the host and collect volatile data. Which EDR capability should the analyst invoke FIRST?

Reviewed for accuracy · Report an issue
Question 8 of 20

A CySA+ analyst is reviewing EDR telemetry on a Windows workstation after an alert fired. The process tree shows that WINWORD.EXE (Microsoft Word) spawned cmd.exe, which then launched powershell.exe with an encoded command that reached out to an external IP. No legitimate business macro is deployed in the environment. Which host indicator is the strongest evidence of malicious activity in this telemetry?

Reviewed for accuracy · Report an issue
Question 9 of 20

A finance clerk received an email appearing to come from the CEO requesting an urgent wire transfer to a new vendor. The clerk forwards it to the SOC. Reviewing the mail gateway logs, an analyst notes the message passed SPF, DKIM, and DMARC checks and originated from a legitimately registered external domain, 'compañy-corp.com', while the organization's real domain is 'company-corp.com'. There were no malicious attachments or links. Which indicator best characterizes this activity?

Reviewed for accuracy · Report an issue
Question 10 of 20

While reviewing a compromised Windows workstation, an analyst runs a WMI query and discovers a __EventFilter bound to a CommandLineEventConsumer that launches a PowerShell script whenever system uptime reaches 200 seconds. No corresponding scheduled task or registry Run key entry exists. Which conclusion best describes what the analyst has found?

Reviewed for accuracy · Report an issue
Question 11 of 20

A SOC analyst is reviewing perimeter firewall logs and notices that a single external source IP generated hundreds of connection attempts to sequential destination ports (22, 23, 25, 80, 443, 3389, ...) on one internal host within a 15-second window. Nearly all attempts were denied by the firewall, and only a handful of ports returned SYN-ACK responses. Which activity does this pattern MOST likely indicate?

Reviewed for accuracy · Report an issue
Question 12 of 20

A security analyst is reviewing /var/log/auth.log on a Linux web server after an alert fired. The relevant entries show: a successful SSH login for the low-privilege account 'svc_deploy' from an internal jump host, followed 40 seconds later by repeated 'sudo: svc_deploy : command not allowed' messages, and then a single entry: 'sudo: pam_unix(sudo:session): session opened for user root by svc_deploy(uid=1004)'. Which conclusion is best supported by these log entries?

Reviewed for accuracy · Report an issue
Question 13 of 20

A CySA+ analyst reviews EDR telemetry from a compromised workstation. The host is periodically making outbound HTTPS connections to a legitimate cloud storage provider's API, and the analyst confirms the malware retrieves task instructions and posts stolen data through this service. When documenting the incident, which MITRE ATT&CK tactic BEST describes this observed behavior?

Reviewed for accuracy · Report an issue
Question 14 of 20

A SOC analyst reviewing EDR telemetry observes that a suspicious executable ran the command 'wevtutil cl Security' followed shortly by 'vssadmin delete shadows /all /quiet'. The analyst is mapping this activity to the MITRE ATT&CK framework to document the adversary's behavior. Which ATT&CK tactic best categorizes BOTH of these observed actions?

Reviewed for accuracy · Report an issue
Question 15 of 20

During an investigation, a CySA+ analyst reviews EDR telemetry from a compromised finance workstation. The logs show that a legitimate archiving utility bundled several spreadsheets into a password-protected RAR file, after which a scheduled process uploaded the archive to a personal cloud storage account over HTTPS. The analyst is documenting the incident using the MITRE ATT&CK framework. Which ATT&CK tactic best describes the final activity of uploading the archive to the external cloud service?

Reviewed for accuracy · Report an issue
Question 16 of 20

A SOC analyst reviews an incident where an attacker gained a foothold on an internal workstation. Investigation shows the user received an email with a link to a legitimate-looking cloud document portal. When the user entered credentials, they were captured, and the attacker later used those credentials to log in through the company's external VPN portal. The analyst is documenting the intrusion using the MITRE ATT&CK framework. Which technique best describes how the attacker obtained the credentials used for the initial foothold?

Reviewed for accuracy · Report an issue
Question 17 of 20

During a threat hunt, an analyst reviews Windows event logs and EDR telemetry from an internal file server. They observe that a user account authenticated to the server using a Kerberos ticket, but no corresponding interactive logon or password entry was recorded on the source workstation. The same ticket was then used to access three additional servers within minutes. Which MITRE ATT&CK technique best describes this observed activity?

Reviewed for accuracy · Report an issue
Question 18 of 20

A SOC lead wants to visualize which adversary techniques the team can currently detect versus which have no detection coverage. She maps existing detection rules to their corresponding technique IDs and produces a color-coded matrix that highlights defended techniques in green and undefended ones in red. Which use of the MITRE ATT&CK framework does this activity best represent?

Reviewed for accuracy · Report an issue
Question 19 of 20

A security analyst is reviewing telemetry from an enterprise mobile device management (MDM) console after users reported unexpected battery drain on company-issued phones. The logs show that a recently sideloaded internal utility app requests and actively uses the following runtime permissions: READ_SMS, ACCESS_FINE_LOCATION, RECORD_AUDIO, and READ_CONTACTS. The app's stated purpose is to display the corporate cafeteria menu. Which conclusion is MOST supported by this application-layer indicator?

Reviewed for accuracy · Report an issue
Question 20 of 20

A security analyst reviewing NetFlow data notices that an internal file server (10.10.5.12) is transferring large volumes of data to a single internal workstation (10.10.5.88) over SMB during off-hours. The workstation normally generates minimal traffic. No data has yet left the network perimeter, but the workstation's outbound connections to the internet remain flat. Based on the MITRE ATT&CK framework, which activity is MOST likely occurring?

Reviewed for accuracy · Report an issue

More CS0-003 practice

Keep going with the other CompTIA CySA+ (CS0-003) domains, or take a full timed mock exam.

← Back to CS0-003 overview