nerdexam
Exams300-215Questions#48
CiscoCisco

300-215 · Question #48

300-215 Question #48: Real Exam Question with Answer & Explanation

The correct answer is C: Conduct a behavioral analysis of the PowerShell execution pattern and deobfuscate the. Obfuscated PowerShell is a common post-exploit tactic. Deobfuscating and profiling its behavior is the fastest way to uncover dropped payloads, C2 callbacks, or data theft routines-providing clear IoCs to drive containment and remediation.

Submitted by valeria.br· Mar 6, 2026Incident Response Techniques

Question

An incident responder reviews a log entry that shows a Microsoft Word process initiating an outbound network connection followed by PowerShell execution with obfuscated commands. Considering the machine's role in a sensitive data department, what is the most critical action for the responder to take next to analyze this output for potential indicators of compromise?

Options

  • ACompare the metadata of the Microsoft Word document with known templates to verify its
  • BExamine the network destination of the outbound connection to assess the credibility and
  • CConduct a behavioral analysis of the PowerShell execution pattern and deobfuscate the
  • DCorrelate the time of the outbound network connection with the user's activity log to establish a

Explanation

Obfuscated PowerShell is a common post-exploit tactic. Deobfuscating and profiling its behavior is the fastest way to uncover dropped payloads, C2 callbacks, or data theft routines-providing clear IoCs to drive containment and remediation.

Topics

#incident response#PowerShell forensics#obfuscation#IOC identification#endpoint forensics

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full 300-215 PracticeBrowse All 300-215 Questions