Free Practice Questions for Cisco 300-220 Exam

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct answers areUse of Windows Remote Management (C)andUse of tools and commands to connect to remote shares (E). Both are core mechanisms attackers leverage forlateral movementafter gaining valid credentials through techniques such as pass-the-hash or pass-the-ticket.

Windows Remote Management (WinRM) is a legitimate administrative service used for remote command execution and system management. However, attackers frequently abuse WinRM to move laterally by executing commands on remote endpoints using stolen credentials. From a threat hunting perspective, abnormal WinRM usage—such as execution outside normal administrative hours, from unusual source hosts, or by non-administrative user accounts—is a strong indicator of lateral movement activity.

Similarly, the use of tools and commands to connect to remote shares (such as net use, wmic, SMB-based access, or mounting administrative shares like C$) is a classic lateral movement technique. Attackers use remote shares to transfer tools, stage payloads, and execute malware across systems. Monitoring these activities at the endpoint level helps identify suspicious authentication attempts, unexpected share access, and abnormal file transfers.

Option A (runas) relates more to privilege escalation than lateral movement. Option B is specific to Linux privilege persistence and is not relevant to endpoint lateral movement hunting in this context. Option D (scheduled task creation) is primarily associated with persistence rather than movement between systems.

By monitoring WinRM activity and remote share usage, security teams gain visibility intocredential-based movement, which remains one of the most common and dangerous attacker behaviors in enterprise environments. Effective lateral movement hunting focuses onhow credentials are used, not just how they are stolen.

The correct answer isconverting hunt findings into permanent detections. Threat hunting is only effective when discoveries areoperationalized.

Without converting findings into SIEM, EDR, or NDR detections, organizations repeatedly identify the same attacker behaviors, wasting time and resources. Options A, B, and D improve capacity but do not eliminate blind spots.

Mature threat hunting programs ensure that:

Hunts produce detection rules

Alerts are tuned and validated

Knowledge is institutionalized

This is a defining trait ofhigh-maturity security organizationsand directly improves resilience. Therefore, optionCis correct.

The correct answer isIndicators of attack (IOAs). Unstructured threat hunting is typically triggered byweak signals, anomalies, or suspicious behaviorsthat do not yet meet the threshold of confirmed compromise. These early signals are best described as indicators of attack rather than indicators of compromise.

To understand this distinction, it’s important to separateIOAsfromIOCs. Indicators of compromise (Option A) include confirmed artifacts such as malicious hashes, known bad IP addresses, or identified malware. When IOCs are present, the organization is already reacting to a known or validated threat, which aligns more closely withstructured threat huntingor incident response—not unstructured hunting.

Unstructured threat hunting is exploratory in nature. It is often initiated when analysts notice something “off,” such as unusual login behavior, abnormal process execution, unexpected network traffic patterns, or deviations from baseline behavior. These observations suggestattacker intent or activity in progress, but without definitive proof of compromise. That uncertainty is precisely what drives unstructured hunts.

Option B (tactics, techniques, and procedures) is incorrect because TTPs are typically used to formhypothesis-driven, structured huntsbased on known adversary behavior frameworks like MITRE ATT&CK. Option C (customized threat identification) is vague and not a recognized trigger within professional threat hunting models.

From a SOC and threat hunting maturity perspective, unstructured hunting commonly occurs inlower to mid maturity environments, where hunters rely on intuition, experience, and anomaly detection rather than predefined hypotheses. It often serves as thestarting pointfor discovering new attack patterns, which can later be formalized into structured hunts and detection logic.

In short, unstructured threat hunting begins when defenders detectindicators of attack—signals that something malicious may be happening, even if there is no confirmed compromise yet. This makesOption Dthe correct and professionally accurate answer.

The correct answer isUnauthorized penetration test. Based on the scenario provided, there is no indication that the observed activity was planned, approved, or coordinated by the organization. Instead, the evidence points tomalicious, unauthorized accessusing a valid user account, followed by destructive actions on the file server.

The exhibit showsmultiple file deletions and modificationsoccurring within a very short time window after asuccessful remote sign-in. From a professional SOC and threat hunting perspective, this sequence strongly suggestsaccount compromisefollowed byintentional malicious activity, such as data destruction, ransomware staging, or anti-forensics behavior. Intrusion Prevention System alerts further reinforce that the activity violated security policies, which would not be the case during a sanctioned test.

Option A (White box penetration test) and Option D (Black box penetration test) both describetesting methodologies, not threat types. White box testing is conducted with full internal knowledge and explicit authorization, while black box testing is performed with limited knowledge but still under a formal, approved engagement. In both cases, SOC teams are typically informed ahead of time to prevent unnecessary incident escalation.

Option B (Authorized penetration test) is also incorrect because authorized tests are documented, scoped, and approved by management. They do not involve real user account compromise without prior notification, nor do they trigger IPS alerts treated as genuine incidents.

In contrast,unauthorized penetration testingrefers to real-world attacker behavior where an adversary attempts to compromise systems without permission. Even if the attacker’s techniques resemble penetration testing tools or methods, the lack of authorization makes it a true security incident.

From a threat hunting and incident response standpoint, this classification is critical. Treating unauthorized activity as a live threat ensures proper containment actions, such as account disabling, credential resets, forensic preservation, and scope expansion. Misclassifying such activity as a test could lead to delayed response and increased damage.

In short,authorization—not technique—determines intent. Since no authorization exists in this scenario, the activity represents anunauthorized penetration attempt, making optionCthe correct answer.

The correct answers areB. Processes in nonstandard file pathsandC. Common processes with modified names. These two detection rules are highly effective for identifyingmalicious processes spawned by phishing-delivered malware.

Phishing payloads commonly drop executables intononstandard directoriessuch as AppData, Temp, Downloads, or user profile subfolders. Legitimate Windows binaries rarely execute from these locations. Monitoring for process execution from such paths is a proven technique for detecting malware loaders, credential stealers, and post-exploitation tooling.

Additionally, attackers frequentlymasquerade malware as legitimate processesby using slightly modified names, such as lsasss.exe, svch0st.exe, or expl0rer.exe. These tactics are designed to evade casual inspection and basic allowlisting. Detecting common Windows process names with anomalies—such as incorrect spelling, unexpected parent processes, or abnormal execution paths—is a high-fidelity behavioral signal.

Option A is too broad; nearly all processes are created by users directly or indirectly, making it noisy. Option D (process ownership changes) and Option E (startup time changes) are less relevant to detecting credential-harvesting processes at execution time and may miss the initial malicious activity.

From a threat hunting and detection engineering perspective, optionsB and Calign withMITRE ATT&CK – Defense Evasion and Credential Accesstechniques. These rules focus onbehavioral detection, not static indicators, making them resilient against attacker variation.

In short, detectingwhere a process runs fromandwhat it pretends to beprovides strong coverage against phishing-delivered malware, makingB and Cthe correct and professionally validated choices.

The correct answer islegitimate system processes executing encoded commands. Fileless malware avoids writing binaries to disk and instead abuses trusted processes such as PowerShell, WMI, or rundll32.

Encoded or obfuscated commands executed by legitimate binaries are a strong indicator offileless execution and defense evasion. Cisco Secure Endpoint provides deep visibility into command-line arguments and process behavior, enabling detection of this technique.

Option A is normal behavior. Option B may indicate suspicious execution but still involves files. Option D relies on file presence, which fileless attacks intentionally avoid.

This technique aligns withMITRE ATT&CK – Command and Scripting Interpreter and Defense Evasionand is directly relevant toCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Therefore,Option Cis the correct answer.

The correct answer isit indicates disciplined and methodical tradecraft. Attribution relies on understandingattacker behavior patterns, not just tools or infrastructure.

Consistent operational discipline—such as cautious discovery, avoidance of noisy actions, and deliberate escalation—reflectshuman decision-making, which is difficult to change and often persists across campaigns.

Options A, B, and D focus on artifacts or infrastructure, which attackers frequently rotate. Behavioral patterns, however, form atradecraft fingerprint.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingand behavioral consistency to support attribution, making this observation highly valuable.

Thus,Option Cis correct.