CompTIA CS0-003 Exam Actual Questions
CompTIA CySA+ (CS0-003) (Page 12)

Updated On: 13-Jun-2026

A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?

  1. The server was configured to use SSL to securely transmit data.
  2. The server was supporting weak TLS protocols for client connections.
  3. The malware infected all the web servers in the pool.
  4. The digital certificate on the web server was self-signed.

Answer(s): D

Explanation:

A) Incorrect — The issue described is not SSL usage itself but trust and certificate validity after the rebuild; an SSL configuration alone does not produce an untrusted-site warning if the certificate is valid.
B) Incorrect — Weak TLS protocols concern cipher suites and protocol versions, not implying widespread trust issues or a self-signed certificate after a rebuild.
C) Incorrect — If the malware infected all web servers in the pool, it would manifest as widespread compromise, not specifically a trusted-site perception after a rebuild.
D) Correct — A self-signed certificate on the web server will cause browsers to distrust the site unless the certificate is trusted by clients, leading to warnings and perceived lack of trust after the rebuild.



A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:



Which of the following log entries provides evidence of the attempted exploit?

  1. Log entry 1
  2. Log entry 2
  3. Log entry 3
  4. Log entry 4

Answer(s): A

Explanation:

A) Correct — Log entry 1 contains indicators consistent with a zero-day command injection attempt, such as anomalous input patterns or unexpected command execution signatures that align with exploit behavior.
B), C), D) Incorrect — These entries do not show the sequence or payload characteristics typical of a command injection attempt (no unusual shell commands, no evidence of parameter tampering, no abnormal process creation).



A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

  1. Interview the users who access these systems.
  2. Scan the systems to see which vulnerabilities currently exist.
  3. Configure alerts for vendor-specific zero-day exploits.
  4. Determine the asset value of each system.

Answer(s): D

Explanation:

D) Correct — Determining asset value is the first step in risk assessment to categorize and prioritize systems by confidentiality, integrity, and availability impact. This aligns with CIA triad-based risk prioritization and asset-based protection planning.
A) Incorrect — Interviewing users may provide context but does not quantify value or risk.
B) Incorrect — Scanning for vulnerabilities identifies weaknesses but not system importance or impact.
C) Incorrect — Configuring alerts for zero-days is a reactive control, not a primary prioritization step.
Only asset valuation establishes the baseline criticality for subsequent protection measures.



A security analyst is reviewing the following alert that was triggered by FIM on a critical system:



Which of the following best describes the suspicious activity that is occurring?

  1. A fake antivirus program was installed by the user.
  2. A network drive was added to allow exfiltration of data.
  3. A new program has been set to execute on system start.
  4. The host firewall on 192.168.1.10 was disabled.

Answer(s): C

Explanation:

Option C is correct because FIM (File Integrity Monitoring) alerting on a critical system about a new program configured to execute at startup indicates a change in startup programs, which is a common persistence mechanism that FIM can flag as suspicious.
A) Incorrect — Fake antivirus installation is a specific malware type, not a general startup persistence alert typically associated with FIM.
B) Incorrect — Adding a network drive is a data exfiltration/collection action, not necessarily tied to startup execution changes.
D) Incorrect — Disabling a host firewall is a configuration change, not directly related to a startup execution modification flagged by FIM.



Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

  1. SLA
  2. LOI
  3. MOU
  4. KPI

Answer(s): A

Explanation:

A) Correct — An SLA defines service expectations, including maintenance windows and patching timelines (here, between 2:00 a.m. and 4:00 a.m.) together with agreed uptime and support terms.
B) Incorrect — An LOI (Letter of Intent) is not a service commitment for patch windows.
C) Incorrect — An MOU (Memorandum of Understanding) outlines general collaboration, not specific patch windows.
D) Incorrect — A KPI (Key Performance Indicator) measures performance, not the defined maintenance window.



A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

  1. Data exfiltration
  2. Rogue device
  3. Scanning
  4. Beaconing

Answer(s): D

Explanation:

D) Correct — Beaconing describes periodic internal-to-external communications that reach out to a command-and-control or blocklisted external server, indicating C2 or compromised-host behavior.
A) Incorrect — Data exfiltration involves transferring data out, not necessarily periodic beaconing to a blocklisted host.
B) Incorrect — A rogue device is an unauthorized device on the network, not a traffic pattern from a host to a blocklisted server.
C) Incorrect — Scanning is active probing of other systems for vulnerabilities, not ongoing beacon-like communications to a blocked external endpoint.



An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).

  1. Drop the tables on the database server to prevent data exfiltration.
  2. Deploy EDR on the web server and the database server to reduce the adversary's capabilities.
  3. Stop the httpd service on the web server so that the adversary cannot use web exploits.
  4. Use microsegmentation to restrict connectivity to/from the web and database servers.
  5. Comment out the HTTP account in the /etc/passwd file of the web server.
  6. Move the database from the database server to the web server.

Answer(s): B,D

Explanation:

B) Correct — Deploying EDR on both the web and database servers enhances detection and containment while the server remains online, reducing attacker capabilities without taking the service offline.
D) Correct — Microsegmentation limits lateral movement and controls traffic between the web and database tiers, which is compatible with the reverse-proxy requirement and minimizes exposure.
A) Incorrect — Dropping tables is destructive and not a compensating control; it does not preserve service availability.
C) Incorrect — Stopping httpd would take the web service offline, contradicting the requirement to keep it accessible.
E) Incorrect — Commenting out a user in /etc/passwd disrupts legitimate authentication and is not a controlled compensating measure.
F) Incorrect — Relocating the database to the web server reintroduces risk and removes the separation of duties between tiers.



An incident response team member is triaging a Linux server. The output is shown below:



Which of the following is the adversary most likely trying to do?

  1. Create a backdoor root account named zsh.
  2. Execute commands through an unsecured service account.
  3. Send a beacon to a command-and-control server.
  4. Perform a denial-of-service attack on the web server.

Answer(s): B

Explanation:

B) Correct — The triage output shows commands being run through an unsecured service account, suggesting credential abuse and persistence without user interaction.
A) Incorrect — Creating a backdoor root account named zsh would require a privileged user addition; the evidence points to service-account misuse rather than a new root account.
C) Incorrect — Beaconing to a C2 server would typically manifest as periodic outbound traffic patterns or beacon intervals, not commands run via a service account.
D) Incorrect — A DoS attack would involve resource exhaustion or floods, not command execution through a compromised service account.



Viewing page 12 of 73
Viewing questions 56 - 60 out of 571 questions

