CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 421:

  An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

  A. Scope

  B. Weaponization

  C. CVSS

  D. Asset value

  Correct Answer: B

  Weaponization is a factor that describes how an adversary develops or acquires an exploit or payload that can take advantage of a vulnerability and deliver a malicious effect. Weaponization can increase the severity or impact of a vulnerability, as it makes it easier or more likely for an attacker to exploit it successfully and cause damage or harm. Weaponization can also indicate the level of sophistication or motivation of an attacker, as well as the availability or popularity of an exploit or payload in the cyber threat landscape. In this case, an older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. This indicates that weaponization was the reason for this escalation.

• Question 422:

  Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

  A. Command and control

  B. Actions on objectives

  C. Exploitation

  D. Delivery

  Correct Answer: A

  Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

• Question 423:

  A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

  A. External

  B. Agent-based

  C. Non-credentialed

  D. Credentialed

  Correct Answer: B

  Agent-based vulnerability scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based vulnerability scanning can reduce network traffic, as the scans are performed locally and only the results are transmitted over the network. Agent-based vulnerability scanning can also provide more accurate and up-to-date results, as the agents can scan continuously or ondemand, regardless of the system or network status or location.

• Question 424:

  Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

  A. The lead should review what is documented in the incident response policy or plan

  B. Management level members of the CSIRT should make that decision

  C. The lead has the authority to decide who to communicate with at any t me

  D. Subject matter experts on the team should communicate with others within the specified area of expertise

  Correct Answer: A

  The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

• Question 425:

  A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

  A. Firewall logs

  B. Indicators of compromise

  C. Risk assessment

  D. Access control lists

  Correct Answer: C

• Question 426:

  An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

  A. Beaconing

  B. Cross-site scripting

  C. Buffer overflow

  D. PHP traversal

  Correct Answer: A

• Question 427:

  A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

  A. Change the display filter to f cp. accive. pore

  B. Change the display filter to tcg.port=20

  C. Change the display filter to f cp-daca and follow the TCP streams

  D. Navigate to the File menu and select FTP from the Export objects option

  Correct Answer: C

  The best way to see the entire contents of the downloaded files in Wireshark is to change the display filter to ftp-data and follow the TCP streams. FTP-data is a protocol that is used to transfer files between an FTP client and server using TCP port 20. By filtering for ftp-data packets and following the TCP streams, the analyst can see the actual file data that was transferred during the FTP session

• Question 428:

  A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

  A. SLA

  B. MOU

  C. NDA

  D. Limitation of liability

  Correct Answer: A

  SLA stands for service level agreement, which is a contract or document that defines the expectations and obligations between a service provider and a customer regarding the quality, availability, performance, or scope of a service. An SLA may also specify the metrics, penalties, or remedies for measuring or ensuring compliance with the agreed service levels. An SLA can help the SOC manager review if the team is meeting the appropriate contractual obligations for the customer, such as response time, resolution time, reporting frequency, or communication channels.

• Question 429:

  When starting an investigation, which of the following must be done first?

  A. Notify law enforcement

  B. Secure the scene

  C. Seize all related evidence

  D. Interview the witnesses

  Correct Answer: B

  The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

• Question 430:

  Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

  Which of the following choices should the analyst look at first?

  

  A. wh4dc-748gy.lan (192.168.86.152)

  B. lan (192.168.86.22)

  C. imaging.lan (192.168.86.150)

  D. xlaptop.lan (192.168.86.249)

  E. p4wnp1_aloa.lan (192.168.86.56)

  Correct Answer: E

  The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network. Official https://github.com/mame82/P4wnP1_aloa