Weekend Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

examout.co

Refer to the exhibit.

A network engineer is analyzing a Wireshark file to determine the HTTP request that caused the initial Ursnif banking Trojan binary to download. Which filter did the engineer apply to sort the Wireshark traffic logs?

A.

http.request.un matches

B.

tls.handshake.type ==1

C.

tcp.port eq 25

D.

tcp.window_size ==0

A security team needs to prevent a remote code execution vulnerability. The vulnerability can be exploited only by sending '${ string in the HTTP request. WAF rule is blocking '${', but system engineers detect that attackers are executing commands on the host anyway. Which action should the security team recommend?

A.

Enable URL decoding on WAF.

B.

Block incoming web traffic.

C.

Add two WAF rules to block 'S' and '{' characters separately.

D.

Deploy antimalware solution.

An organization fell victim to a ransomware attack that successfully infected 256 hosts within its network. In the aftermath of this incident, the organization's cybersecurity team must prepare a thorough root cause analysis report. This report aims to identify the primary factor or factors that led to the successful ransomware attack and to develop strategies for preventing similar incidents in the future. In this context, what should the cybersecurity engineer include in the root cause analysis report to demonstrate the underlying cause of the incident?

A.

log files from each of the 256 infected hosts

B.

detailed information about the specific team members involved in the incident response effort

C.

method of infection employed by the ransomware

D.

complete threat intelligence report shared by the National CERT Association

During a routine inspection of system logs, a security analyst notices an entry where Microsoft Word initiated a PowerShell command with encoded arguments. Given that the user's role does not involve scripting or advanced document processing, which action should the analyst take to analyze this output for potential indicators of compromise?

A.

Monitor the Microsoft Word startup times to ensure they align with business hours.

B.

Confirm that the Microsoft Word license is valid and the application is updated to the latest version.

C.

Validate the frequency of PowerShell usage across all hosts to establish a baseline.

D.

Review the encoded PowerShell arguments to decode and determine the intent of the script.

A security team received an alert of suspicious activity on a user’s Internet browser. The user’s anti-virus software indicated that the file attempted to create a fake recycle bin folder and connect to an external IP address. Which two actions should be taken by the security analyst with the executable file for further analysis? (Choose two.)

A.

Evaluate the process activity in Cisco Umbrella.

B.

Analyze the TCP/IP Streams in Cisco Secure Malware Analytics (Threat Grid).

C.

Evaluate the behavioral indicators in Cisco Secure Malware Analytics (Threat Grid).

D.

Analyze the Magic File type in Cisco Umbrella.

E.

Network Exit Localization in Cisco Secure Malware Analytics (Threat Grid).

multiple machines behave abnormally. A sandbox analysis reveals malware. What must the administrator determine next?

A.

if Patient 0 still demonstrates suspicious behavior

B.

source code of the malicious attachment

C.

if the file in Patient 0 is encrypted

D.

if Patient 0 tried to connect to another workstation

A new zero-day vulnerability is discovered in the web application. Vulnerability does not require physical access and can be exploited remotely. Attackers are exploiting the new vulnerability by submitting a form with malicious content that grants them access to the server. After exploitation, attackers delete the log files to hide traces. Which two actions should the security engineer take next? (Choose two.)

A.

Validate input upon submission.

B.

Block connections on port 443.

C.

Install antivirus.

D.

Update web application to the latest version.

E.

Enable file integrity monitoring.

Refer to the exhibit.

After a cyber attack, an engineer is analyzing an alert that was missed on the intrusion detection system. The attack exploited a vulnerability in a business-critical, web-based application and violated its availability. Which two mitigation techniques should the engineer recommend? (Choose two.)

A.

encapsulation

B.

NOP sled technique

C.

address space randomization

D.

heap-based security

E.

data execution prevention

Refer to the exhibit.

According to the SNORT alert, what is the attacker performing?

A.

brute-force attack against the web application user accounts

B.

XSS attack against the target webserver

C.

brute-force attack against directories and files on the target webserver

D.

SQL injection attack against the target webserver

A security team is notified from a Cisco ESA solution that an employee received an advertising email with an attached .pdf extension file. The employee opened the attachment, which appeared to be an empty document. The security analyst cannot identify clear signs of compromise but reviews running processes and determines that PowerShell.exe was spawned by CMD.exe with a grandparent AcroRd32.exe process. Which two actions should be taken to resolve this issue? (Choose two.)

A.

Upload the .pdf file to Cisco Threat Grid and analyze suspicious activity in depth.

B.

No action is required because this behavior is standard for .pdf files.

C.

Check the Windows Event Viewer for security logs about the incident.

D.

Quarantine this workstation for further investigation, as this event is an indication of suspicious activity.

E.

Investigate the reputation of the sender address and temporarily block all communications with this email domain.