300-220Preview

Which threat hunting methodology aims to understand how adversaries think?

What is a characteristic of a memory-resident attack?

What should be considered when using machine learning for data analysis in a SOC?

According to the MITRE ATT&CK framework, how is the password spraying technique classified?

How does multiproduct integration enhance data visibility and analysis in a corporate environment?

What is a limitation of automated dynamic malware analysis tools?

What triggers unstructured threat hunting?

Refer to the exhibit.

An increase in company traffic is observed by the SOC team. After they investigate the spike, it is concluded that the increase is due to ongoing scanning activity. Further analysis reveals that an adversary used Nmap for OS fingerprinting.
Which type of indicators used by the adversary sits highest on the Pyramid of Pain?

What is the classification of the pass-the-hash technique according to the MITRE ATT&CK framework?

A task has been assigned to enhance defenses against APT actors within a mid-sized technology company. Attacks by the adversaries are sophisticated and prolonged, and they use various tactics to infiltrate and persist within target networks. The company is focusing on the tactics used by the adversaries to significantly improve overall security posture. A review of the Pyramid of Pain model has been conducted, highlighting different levels of threat indicators, from simple hash values to complex TTPs. The objective is to enhance detection capabilities.
Which approach should be taken to detect APT activity at the Tactics level of the Pyramid of Pain?

Refer to the exhibit.

The Security Operations team is reviewing firewall logs and decrypts this HTTP request coming one of finance team member’s endpoints.
Which stage of the Cyber Kill Chain does the evidence point to?

A hacking group targets a construction company by sending emails that contain a malicious macro. An employee at the company executes the macro, and a PowerShell command is executed that downloads a file with further instructions from a website. The malware installs a keylogger on the employee’s computer and reports keystrokes to a C2 server.
What is being used according to the MITRE ATT&CK framework?

Refer to the exhibit.

A forensic team must investigate how the company website was defaced. The team isolates the web server, clones the disk, and analyzes the logs.
Which technique was used by the attacker initially to access the website?

A threat hunting team tries to classify the IoT malware families based on abnormal patterns of activities.
Which method for IoT malware family classification is described?

An analyst receives a report that states that the infection chain begins with a phishing email that contains a malicious download link. When the victim downloads the malicious RAR file, the archive needs a specific password to extract, which reveals a fake PDF executable malware and an image printing file. After the malware is decrypted and the fake PDF executable is run, an automatic execution of the embedded LummaC2 or Rhadamanthys information stealer occurs, which then collects the victim’s credentials and data, and sends them back to the C2 server.
Which conclusion should the analyst draw about the threat actor?

Refer to the exhibit.

A security engineer observes the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service traffic with the Wireshark, which may spoof a source for name resolution to force communication with an adversary-controlled system, as well as perform an SMB Relay attack. After the security engineer identifies the traffic as malicious, they must determine the gaps in threat detection.
Which gap would an analyst determine?

Refer to the exhibit.

What is the difference between the procedures of each APT group?

A SOC team observed unusual traffic patterns during nonworking hours. Upon further investigation, it was discovered that the traffic is originating from two specific endpoints with outbound connections to the internet. Suspecting potential data exfiltration, the team aims to investigate further based on this hypothesis.
Which two threat indicators support the suspicion of data exfiltration? (Choose two.)

Refer to the exhibit.

A security analyst receives an alert from Cisco Secure Network Analytics (formerly StealthWatch) with the C2 category.
Which information aids the investigation?

Refer to the exhibit.

The security team at a company reviews the Intrusion Prevention System logs and detects a pass-the-hash attack on a domain controller. After further investigation, the team discovers that the attack originated from an endpoint running the Mimikatz tool. The team must improve the visibility of the company’s endpoint actions and must add additional logging to detect similar attacks in the future.
Which logs should the team leverage?

Refer to the exhibit.

A SOC team is investigating an endpoint after noticing suspicious communications to a malicious IP address. During the investigation, the team analyzes the running processes of the host.
On which element should the team focus next to continue the investigation?

A security analyst must create a SIEM signature to detect when malware modifies registry keys to establish persistence, which ensures that malware runs every time a user signs in to Windows. The focus must be on specific registry changes associated with this type of persistence mechanism.
Which registry modification must the security analyst target?

After a vulnerability scan is finished in the production environment, a security engineer discovers that several hosts have the CVE-2019-0752 Microsoft Scripting Engine vulnerability. The engineer enables script protection in Cisco AMP to protect hosts from script attacks and to flag script usage.
Which script interpreter works with the script protection feature?