300-215 Exam Questions

A security team receives reports of multiple files causing suspicious activity on users' workstations. The file attempted to access highly confidential information in a centralized...

An attacker embedded a macro within a word processing file opened by a user in an organization's legal department. The attacker used this technique to gain access to confidential f...

Refer to the exhibit. Which element in this email is an indicator of attack?

Refer to the exhibit. Which encoding technique is represented by this HEX string?

A network host is infected with malware by an attacker who uses the host to make calls for files and shuttle traffic to bots. This attack went undetected and resulted in a signific...

What is a use of TCPdump?

An incident response team is recommending changes after analyzing a recent compromise in which: - a large number of events and logs were involved; - team members were not able to i...

Which information is provided about the object file by the "-h" option in the objdump line command objdump 璪 oasys 璵 vax 環 fu.o?

Refer to the exhibit. An engineer is analyzing a .LNK (shortcut) file recently received as an email attachment and blocked by email security as suspicious. What is the next step an...

An investigator is analyzing an attack in which malicious files were loaded on the network and were undetected. Several of the images received during the attack include repetitive...

A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response...

Which tool conducts memory analysis?

Refer to the exhibit. Which type of code is being used?

What is the function of a disassembler?

An "unknown error code" is appearing on an ESXi host during authentication. An engineer checks the authentication logs but is unable to identify the issue. Analysis of the vCenter...

Over the last year, an organization's HR department has accessed data from its legal department on the last day of each month to create a monthly activity report. An engineer is an...

An endpoint shows suspicious PowerShell activity, but no malicious files are found on disk. What evidence source is MOST likely to reveal the attacker's actions?

An analyst calculates hashes before and after imaging a hard drive. The hashes do not match. What does this MOST likely indicate?

Which Windows artifact BEST helps identify persistence via scheduled tasks?

An attacker gains access using stolen credentials but never executes malware. Which type of attack is this?

Which step should occur IMMEDIATELY after identifying ransomware actively encrypting files on multiple hosts?

Which indicator BEST distinguishes malware command-and-control (C2) traffic from normal outbound traffic?

An investigator finds evidence erased from disk but suspects prior existence. Which artifact is MOST likely to retain evidence?

Why is time synchronization CRITICAL during forensic analysis?

Which action BEST supports legal admissibility of digital evidence?

Which Cisco capability allows analysts to determine when a file became malicious AFTER it was initially allowed?

Refer to the exhibit. Which type of code does this snippet represent?

An attacker modifies a malicious file named TOPSECRET0123456789 by changing its file extension from a .png to a .doc in an attempt to evade detection. Which technique is being used...

Refer to the exhibit. Which registry key is suspected to be used by an attacker to establish persistence?

Refer to the exhibit. An experienced cybersecurity analyst is investigating a sophisticated suspected breach on a Windows server within an enterprise network and compiled the evide...

Refer to the exhibit. A cybersecurity analyst must analyze the logs from an Apache server for the client. The concern is that an offboarded employee home IP address was potentially...

The Linux system administrator of a company suspects that physical unauthorized access was granted to a local Linux terminal. The administrator wants to examine the suspected machi...

A threat hunter must analyze the threat intelligence report on APT29 and identify whether the threat actor is on the Windows machines of the customer network. According to the repo...

Refer to the exhibit. During a static analysis of the potentially malicious executable obpdisp.exe, a SOC analyst identifies several functions of the executable. The analyst must c...

A cybersecurity analyst must evaluate files from an endpoint in an enterprise network. The antivirus software on the endpoint flagged a suspicious file during a routine scan. On in...

Which technique exemplifies an antiforensic technique?

What is the purpose of YARA rules in malware analysis and how do the rules aid in identifying, classifying, and documenting malware?

Refer to the exhibit. The company was taken over by a larger one, and the IT Security team was brought in to evaluate the security architecture and setup. After the information col...

During an overnight shift, a cybersecurity team at a global trading firm detects irregular activity. The network intrusion system flags an encrypted traffic spike from high-value t...

A security analyst receives a notification from SIEM that an internal host has active connections to Tor exit nodes. The analyst investigates SIEM events related to the workstation...

During a recent incident response investigation, several suspicious network connections originating from a specific host were identified. The host was quickly isolated and the mach...

Which issue is associated with gathering evidence from virtualized environments provided by major cloud vendors?

A financial company handling international transactions recently experienced a complex security incident. The incident involves simultaneous DDoS attacks, suspected internal data l...