Is the 300-220 practice exam free?

Yes. ExamCademy offers all 60 300-220 practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the 300-220 practice questions?

All 300-220 questions are community-created and reviewed by moderators to align with Cisco's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the 300-220 exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official Cisco documentation and hands-on experience for best results.

300-220 Practice Exam — Free 60+ Questions

60Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

Threat Modeling Techniques

Threat Hunting Techniques

Question 22

Threat Hunting Processes

Question 23

Threat Hunting Techniques

Question 24

Threat Hunting Techniques

That's the end of the Preview

This exam has 60 community-verified practice questions. Create a free account to access all questions, comments, and explanations.

Topics covered:

Threat Hunting FundamentalsThreat Modeling TechniquesThreat Actor Attribution TechniquesThreat Hunting TechniquesThreat Hunting ProcessesThreat Hunting Outcomes

Log In / Sign Up

Page 1 of 3 • Questions 1-25 of 60

1 2 3

→

Know a question that should be here? Contribute to this exam

The Security Operations Center receives two alerts in security information and event management about two separate possible attacks. The first alert concerns brute force attempts on a domain controller, and the second attack concerns the flooding of a network. After an initial investigation, the team confirms that both alerts are valid and begins a detailed investigation.
According to the CAPEC model, which vulnerability criteria should the team prioritize in the investigation?

A quickest mitigation actions
B highest probability of attack
C highest typical severity
D most discovered weaknesses

Which threat hunting methodology aims to understand how adversaries think?

A intel-driven
B hybrid
C entity-driven
D TTP-driven

What is a characteristic of a memory-resident attack?

A The attack is file independent.
B The execution continues after a system restart.
C Programs must be closed to be infected.
D Malware is installed in the virtual memory.

What should be considered when using machine learning for data analysis in a SOC?

A More professionals are needed to maintain the system.
B Security gaps can occur during the early stages of development.
C Machine learning is unsuited for small organizations.
D Constant tuning is required for data analysis to be effective.

According to the MITRE ATT&CK framework, how is the password spraying technique classified?

A initial access
B credential access
C lateral movement
D privilege escalation

How does multiproduct integration enhance data visibility and analysis in a corporate environment?

A Different teams use different tools so that they can crosscheck their results.
B A central data visualizer is integrated into the APIs of the products to correlate input.
C Backup tools are in place for use when the main tools are unavailable.
D Different GUIs are used to get different views of the same events.

What is a limitation of automated dynamic malware analysis tools?

A They produce false positives and false negatives.
B They are time consuming when performed manually.
C Vulnerabilities in runtime environments cannot be found.
D All programming languages are not supported.

What triggers unstructured threat hunting?

A indicators of attack
B indicators of compromise
C tactics, techniques, and procedures
D customized threat identification

Refer to the exhibit.

Question Image

An increase in company traffic is observed by the SOC team. After they investigate the spike, it is concluded that the increase is due to ongoing scanning activity. Further analysis reveals that an adversary used Nmap for OS fingerprinting.
Which type of indicators used by the adversary sits highest on the Pyramid of Pain?

A UDPs
B network/host artifacts
C IP addresses
D port probes

What is the classification of the pass-the-hash technique according to the MITRE ATT&CK framework?

A credential access
B lateral movement
C privilege escalation
D persistence

A task has been assigned to enhance defenses against APT actors within a mid-sized technology company. Attacks by the adversaries are sophisticated and prolonged, and they use various tactics to infiltrate and persist within target networks. The company is focusing on the tactics used by the adversaries to significantly improve overall security posture. A review of the Pyramid of Pain model has been conducted, highlighting different levels of threat indicators, from simple hash values to complex TTPs. The objective is to enhance detection capabilities.
Which approach should be taken to detect APT activity at the Tactics level of the Pyramid of Pain?

A monitoring all available network logs for specific IPs linked to known APT activities
B blocking newly registered domains that have not been accessed before by company personnel
C analyzing logs to identify patterns of behavior matching APT tactics from MITRE ATT&CK
D using hash values to identify known malware files used in previous APT campaigns

Refer to the exhibit.

Question Image

The Security Operations team is reviewing firewall logs and decrypts this HTTP request coming one of finance team member’s endpoints.
Which stage of the Cyber Kill Chain does the evidence point to?

A Command and Control: establishing persistent C2 channels
B Installation: installing malware on endpoints
C Exfiltration: transferring data to remote server
D Delivery: transmitting malicious payload to target

A hacking group targets a construction company by sending emails that contain a malicious macro. An employee at the company executes the macro, and a PowerShell command is executed that downloads a file with further instructions from a website. The malware installs a keylogger on the employee’s computer and reports keystrokes to a C2 server.
What is being used according to the MITRE ATT&CK framework?

A ingress tool transfer
B fallback channels
C drive-by compromise
D indirect command execution

Refer to the exhibit.

Question Image

A forensic team must investigate how the company website was defaced. The team isolates the web server, clones the disk, and analyzes the logs.
Which technique was used by the attacker initially to access the website?

A drive-by compromise
B external remote services
C exploit public-facing application
D command and scripting interpreter

A threat hunting team tries to classify the IoT malware families based on abnormal patterns of activities.
Which method for IoT malware family classification is described?

A random forest
B decision tree learning
C random number generator
D gradient boosting

An analyst receives a report that states that the infection chain begins with a phishing email that contains a malicious download link. When the victim downloads the malicious RAR file, the archive needs a specific password to extract, which reveals a fake PDF executable malware and an image printing file. After the malware is decrypted and the fake PDF executable is run, an automatic execution of the embedded LummaC2 or Rhadamanthys information stealer occurs, which then collects the victim’s credentials and data, and sends them back to the C2 server.
Which conclusion should the analyst draw about the threat actor?

A The threat actor is focused on stealing sensitive information and may also aim to disrupt operations as a secondary objective after achieving the first one.
B The threat actor is likely engaged in opportunistic attacks without a clear target profile, focusing on broad-based phishing tactics to maximize reach.
C The threat actor is using a multi-stage attack to bypass security measures and exfiltrate sensitive information as the main objective of the operation.
D The threat actor is employing sophisticated techniques to gain initial access and uses malware to move laterally and maintain persistence across network.

Refer to the exhibit.

Question Image

A security engineer observes the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service traffic with the Wireshark, which may spoof a source for name resolution to force communication with an adversary-controlled system, as well as perform an SMB Relay attack. After the security engineer identifies the traffic as malicious, they must determine the gaps in threat detection.
Which gap would an analyst determine?

A Intercept network traffic for unusual ARP traffic. Gratuitous ARP replies may be suspicious.
B Revoke for API calls associated with polling to intercept keystrokes.
C Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS.
D Augment Windows logs (ex: EIDs 1341, 1342, 1020, and 1063) for changes to DHCP settings.

Refer to the exhibit.

Question Image

What is the difference between the procedures of each APT group?

A The first APT group used the Plink utility for the inter-beacon communication over the HTTPS, and the second group executed the sc utility to create multistage C2 channels.
B The first APT group executed the Plink utility for the signed binary proxy execution, and the second group used the sc utility to exfiltrate data over alternative protocols.
C The first APT group executed the sc utility via PowerShell to enumerate active services on the domain controller, and the second group used the Plink utility to create an SSH tunnel.
D The first APT group used the Plink utility to create an SSH tunnel, and the second group executed the sc utility via PowerShell to enumerate active services on the domain controller.

A SOC team observed unusual traffic patterns during nonworking hours. Upon further investigation, it was discovered that the traffic is originating from two specific endpoints with outbound connections to the internet. Suspecting potential data exfiltration, the team aims to investigate further based on this hypothesis.
Which two threat indicators support the suspicion of data exfiltration? (Choose two.)

A Intense inbound traffic directed to the endpoints.
B Domain requests related to file-sharing websites.
C Irregular payload sizes during the increased traffic.
D Multiple zip commands executed on endpoints.
E Multiple requests for the same file from the file server.

Refer to the exhibit.

Question Image

A security analyst receives an alert from Cisco Secure Network Analytics (formerly StealthWatch) with the C2 category.
Which information aids the investigation?

A Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.
B IP address 10.201.3.99 is a C2 server.
C The number of packets shows that a C2 communication occurred.
D The payload describes the address of the zombie endpoint.

Refer to the exhibit.

Question Image

The security team at a company reviews the Intrusion Prevention System logs and detects a pass-the-hash attack on a domain controller. After further investigation, the team discovers that the attack originated from an endpoint running the Mimikatz tool. The team must improve the visibility of the company’s endpoint actions and must add additional logging to detect similar attacks in the future.
Which logs should the team leverage?

A extended audit logs from the domain controller for better visibility
B command logging on the domain controller to detect malicious processes
C endpoint antivirus logs to monitor the behavior of running processes
D sysmon logging from all the endpoints to monitor the access processes

Refer to the exhibit.

Question Image

A SOC team is investigating an endpoint after noticing suspicious communications to a malicious IP address. During the investigation, the team analyzes the running processes of the host.
On which element should the team focus next to continue the investigation?

A ID of the running processes
B calc.exe process executed from svchost.exe
C arguments of svchost.exe
D taskhostw.exe reference key

A security analyst must create a SIEM signature to detect when malware modifies registry keys to establish persistence, which ensures that malware runs every time a user signs in to Windows. The focus must be on specific registry changes associated with this type of persistence mechanism.
Which registry modification must the security analyst target?

A HKEY_CURRENT_USER\Software\Microsoft_Windows\CurrentVersion\RunOnce
B HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C HKEY_CURRENT_USER\Software\Microsoft_Windows\CurrentVersion\Run
D HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Run

After a vulnerability scan is finished in the production environment, a security engineer discovers that several hosts have the CVE-2019-0752 Microsoft Scripting Engine vulnerability. The engineer enables script protection in Cisco AMP to protect hosts from script attacks and to flag script usage.
Which script interpreter works with the script protection feature?

A Ruby
B PowerShell
C Bash
D Python

300-220Preview

About the 300-220 Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

That's the end of the Preview

300-220Preview

About the 300-220 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

That's the end of the Preview