CompTIA CS0-003 Exam Actual Questions
CompTIA CySA+ (CS0-003) (Page 13 )

Updated On: 13-Jun-2026

A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

getConnection(database01, "alpha", "AxTv.127GdCx94GTd");

Which of the following is the most likely vulnerability in this system?

  1. Lack of input validation
  2. SQL injection
  3. Hard-coded credential
  4. Buffer overflow

Answer(s): C

Explanation:

Option C is correct because the snippet passes what appears to be a hard-coded credential (username "alpha" with a password-like string) directly in the connection call, indicating credential exposure within code or configuration. A) Lack of input validation concerns sanitization of user-supplied input, which is not evidenced here. B) SQL injection involves crafted input that manipulates SQL queries, which is not shown. D) Buffer overflow involves memory overruns, not credentials in a connection string.



A technician is analyzing output from a popular network mapping tool for a PCI audit:



Which of the following best describes the output?

  1. The host is not up or responding.
  2. The host is running excessive cipher suites.
  3. The host is allowing insecure cipher suites.
  4. The Secure Shell port on this host is closed.

Answer(s): C

Explanation:

Option C is correct because the network mapping tool’s output indicates the host is allowing insecure cipher suites, which is a PCI DSS concern and would be flagged in a security assessment.
A) Incorrect — The output indicating insecure cipher suites does not imply the host is down or unresponsive; that would typically show no reply or timeout, not insecure ciphers.
B) Incorrect — The concern is the use of insecure or weak cipher suites, not the number of suites offered; "excessive" describes quantity, which is not what the output flags.
D) Incorrect — SSH port closed would be reported as no SSH service or inaccessibility on port 22, not as insecure cipher suites.



A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?

  1. SIEM
  2. XDR
  3. SOAR
  4. EDR

Answer(s): C

Explanation:

Option C is correct because SOAR (Security Orchestration, Automation, and Response) automates playbooks to handle repetitive security tasks, reducing manual workload and enabling staff to focus on higher-value work without adding headcount. A) SIEM consolidates logs and detects threats but typically increases analyst workload unless integrated with SOAR for automation. B) XDR extends detection across multiple domains but does not automate responses to the degree SOAR does. D) EDR focuses on endpoint detection and response, not broad workload automation across the environment.



An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

  1. Disable the user's network account and access to web resources.
  2. Make a copy of the files as a backup on the server.
  3. Place a legal hold on the device and the user's network share.
  4. Make a forensic image of the device and create a SHA-1 hash.

Answer(s): D

Explanation:

Option D is correct because making a forensic image of the device and computing a SHA-1 hash preserves a bit-for-bit copy with verifiable integrity of the original evidence, which is essential for court-admissible digital forensics and chain of custody. A) Disabling accounts may contain the user but does not preserve data or prove integrity. B) Copying files to a server risks altering evidence and does not capture deleted or hidden data. C) A legal hold is relevant but does not by itself produce a forensically sound copy or hash verification of the device.



An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

  1. Insider threat
  2. Ransomware group
  3. Nation-state
  4. Organized crime

Answer(s): C

Explanation:

Option C is correct because attribution to a "nation-state" aligns with threats described as having seemingly unlimited time and resources, long-term objectives, and advanced capabilities typical of state-sponsored actors in threat intelligence contexts.
A) Incorrect — Insider threat implies an internal actor with access and motive internal to the organization, not necessarily unlimited resources or external attribution.
B) Incorrect — Ransomware group is typically financially motivated and quickly deploys ransomware tools, not characterized by unlimited time/resource attribution.
D) Incorrect — Organized crime groups focus on financial gain and rapid operations, not sustained, strategic nation-state style campaigns.



A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

  1. config.ini
  2. ntds.dit
  3. Master boot record
  4. Registry

Answer(s): D

Explanation:

Option D is correct because the Windows Registry stores the configuration keys and values that control system and application settings.
A) Incorrect — config.ini is a generic INI file, not a centralized Windows configuration store.
B) Incorrect — ntds.dit holds Active Directory data, not local system configuration keys.
C) Incorrect — The Master Boot Record contains boot information, not configuration items for software or system settings.



While reviewing web server logs, a security analyst found the following line:

<IMG SRC='vbscript:msgbox("test")'>

Which of the following malicious activities was attempted?

  1. Command injection
  2. XML injection
  3. Server-side request forgery
  4. Cross-site scripting

Answer(s): D

Explanation:

Option D is correct because the payload uses a vbscript: URI to execute a script within the browser context, which is characteristic of a Cross-site scripting (XSS) attempt to trigger client-side code execution.
A) Incorrect — Command injection targets the server by injecting commands; the line invokes a script in the client, not server command execution.
B) Incorrect — XML injection exploits XML parsers; the payload is not XML-based.
C) Incorrect — Server-side request forgery tricks the server into issuing requests on behalf of the user; the payload operates in the client-side scripting context.



A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

  1. This is a normal password change URL.
  2. The security operations center is performing a routine password audit.
  3. A new VPN gateway has been deployed.
  4. A social engineering attack is underway.

Answer(s): D

Explanation:

Option D is correct because outbound access to a host resolving to a domain that imitates a legitimate login page (office365password.acme.co) indicates a phishing/social engineering attempt designed to harvest credentials.
A) Incorrect — A normal password change URL would point to a trusted domain and standard path, not a look-alike external host.
B) Incorrect — A SOC performing a routine password audit would not generate outbound traffic to a deceptive site.
C) Incorrect — Deployment of a new VPN gateway would not cause traffic to a spoofed login page.
The observed pattern aligns with credential-phishing behavior.


