1/14
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai | Chat |
|---|
No analytics yet
Send a link to your students to track their progress
A SOC analyst notices that several newly deployed Cynet agents are failing to report registration status to the on-premise central console. Network topology reveals a firewall restricting outbound traffic. Which port configuration must be verified as open to allow the agents to register and receive configuration updates successfully?
A. Port 8080
B. Port 443
C. Port 8443
D. Port 514
B. Port 443
Cynet agents use secure HTTPS communications over port 443 to register and securely communicate with both cloud-hosted and on-premise central management consoles.
To bypass user-space API hooking implemented by traditional security products, malware attempts to perform direct system calls. How does the Cynet EPS (Endpoint Security) agent counteract this by interacting with the Windows OS kernel to monitor process activities?
A. By executing Hypervisor-Based Memory Introspection
B. By utilizing Kernel Callback Routines
C. By parsing ETW Threat Intelligence providers
D. By intercepting NTDLL API calls
B. By utilizing Kernel Callback Routines
Cynet utilizes kernel-level drivers that register filesystem, process, and registry callbacks (such as PsSetCreateProcessNotifyRoutine), capturing actions regardless of user-space hooks or direct syscalls.
An alert log in Cynet 360 shows an event triggered because a downloaded binary matched a known cryptographic hash of a known threat group tool. Which mechanism within the Cynet platform detected this incident?
A. Anomaly detection
B. Heuristics engines
C. Behavioral monitoring
D. Signature-based detection
D. Signature-based detection
Static properties such as exact file hashes (M D5, SH A256) fall squarely under static signature-based detection mechanisms.
A suspicious executable creates a process tree starting from a non-standard path, injects code into explorer. exe , and attempts to clear system logs. The Cynet alert log marks this as a malicious sequence of actions without relying on predefined file hashes. Which detection system generated this classification?
A. Signature-based detection
B. Fuzzy hashing
C. Static heuristics
D. Behavioral monitoring
D. Behavioral monitoring
Behavioral monitoring tracks the live sequence of system events, process relationships, and cross-process violations to intercept unknown attacks based on execution flow.
During a threat hunt, an analyst discovers an unknown executable scheduled to launch every time the machine boots. Where in the Windows Registry hive should the analyst look first to locate default common persistence entries that run unconditionally at user login?
A. Software\ClassesICLSID
B. System\CurrentControlSet\Services
C. Software\Microsoft\Windows\CurrentVersion\Run
D. System\CurrentControlSet\Contro\Session Manager
C. Software\Microsoft\Windows\CurrentVersion\Run
The Run subkey within both HKCU and HKLM is the most standard and frequently abused location for maintaining persistence across user sessions.
An incident responder needs to determine whether a malicious binary was executed on a workstation three days ago. The file has since been deleted, and no endpoint logs exist for that timeframe. Which registry- backed artifact should be parsed to evaluate historical proof of execution along with file path and size details?
A. Amcache.hve
B. Shellbags
C. Shimcache
D. UserAssist
A. Amcache.hve
Amcache.hve is a registry hive created by Windows to track application execution metadata, containing file hashes, compilation times, and paths of executed binaries.
A threat actor attempts to brute-force a local administrator account via SMB. Which Windows Security Event ID will populate the log to indicate a failed authentication attempt with detailed status codes?
A. Event ID 4720
B. Event ID 4625
C. Event ID 4624
D. Event ID 4648
B. Event ID 4625
Event ID 4625 is explicitly generated on the local machine where authentication failed, providing valuable context like the target account name and failure reason.
While investigating a potential administrative compromise, you encounter Windows System Event ID 7045. What critical piece of information does this log provide to help you verify whether a threat actor has successfully escalated privileges or established persistence?
A. The clearing of the Security log channel
B. The creation of an unauthorized local group
C. The installation of a new system service
D. The modification of a scheduled task
C. The installation of a new system service
Event ID 7045 is logged in the System channel whenever a new service is created or registered on the Windows operating system.
A SOC analyst is reconstructing a lateral movement attack path. They observe an Event ID 4624 with Logon Type 3 on a target server, followed immediately by a System Event ID 7045. What specific sequence of adversary activity does this log correlation represent?
A. Network authentication followed by remote service creation
B. Pass-the-Hash authentication followed by process injection
C. RDP session initialization followed by scheduled task execution
D. Interactive console login followed by registry modification
A. Network authentication followed by remote service creation
Logon Type 3 indicates a network logon (e.g., via SMB/RPC), and Event ID 7045 tracks service installation, which is characteristic of tools like PsExec used for lateral movement.
An enterprise environment experiences a multi-node malware infection. The incident response playbook mandates shifting from short-term containment to long-term containment. Which action exemplifies a long-term containment strategy rather than a short-term tactical fix?
A. Isolating a single infected endpoint using an EDR console
B. Modifying firewall rules and enterprise VLAN routing structures
C. Terminating a malicious process tree via an automated script
D. Revoking the credentials of a compromised user account
B. Modifying firewall rules and enterprise VLAN routing structures
Long-term containment involves permanent infrastructure adaptations, network architecture changes, or policy adjustments to prevent future traversal or recurrence.
A critical database server handling real-time customer transactions triggers an alert indicating a suspected ransomware outbreak. What is the primary operational risk that a SOC analyst must evaluate before executing a total host isolation remediation command inside Cynet?
A. Exhaustion of local agent memory allocation limits
B. Invalidation of the central console's digital certificates
C. Disruption to business continuity and revenue operations
D. Corruption of the underlying system VSS shadow copies
C. Disruption to business continuity and revenue operations
Isolating production database servers instantly terminates transactional access, potentially causing catastrophic operational downtime that may outweigh the containment benefits if the alert is unverified.
A SOC analyst views a high-severity alert showing rapid, high-volume file modification operations across network shares accompanied by the invocation of vssadmin. exe delete shadows /all /quiet . Which threat type is strongly indicated by this specific combination of events?
A. Data exfiltration
B. Phishing campaign hosting
C. Cryptojacking
D. Ransomware deployment
D. Ransomware deployment
Ransomware variants (such as Ryuk or LockBit) routinely maximize damage and prevent self-recovery by disabling Volume Shadow Copies immediately prior to mass data encryption.
A corporate developer installs a newly released proprietary compiler tool. The Cynet EDR engine alerts on this application, classifying it as a generic threat due to its lack of public code signatures and its low global prevalence score. How should the analyst classify this alert?
A. False negative
B. False positive
C. True positive
D. True negative
B. False positive
Because the compiler is legitimate software performing authorized developer actions and triggered the EDR purely due to structural anomalies and low prevalence, it is classified as a false positive.
To suppress a validated false positive alert triggered by an internally developed automated administration utility, an analyst must configure an EDR exclusion rule. Which approach suppresses the alert while maintaining the strongest security posture?
A. Disable the behavioral monitoring engine rule entirely across the zone
B. Create a broad wildcard exclusion across the entire Temp directory
C. Create an exclusion based solely on the common process filename
D. Create an exclusion limiting scope to the file's SHA256 hash
D. Create an exclusion limiting scope to the file's SHA256 hash
Excluding based on a specific SHA256 hash ensures that only that identical, verified safe file version is bypassed. If a threat actor substitutes or alters the binary, the rule will not match.
A Platinum Care SOC analyst is drafting an Executive Summary for a major client following a ransomware incident. Which drafting practice best aligns with communication standards tailored for corporate C-suite executives?
A. Including a detailed breakdown of firewall policy rules and port arrays
B. Focusing on business impact, risk mitigation, and remediation timelines
C. Listing assembly level code instructions of the decrypted malware payload
D. Providing complete hex dumps of modified master boot records
B. Focusing on business impact, risk mitigation, and remediation timelines
C-suite executives require high-level visibility centered around operational disruptions, financial exposure, regulatory compliance, and overall strategic risk management.