Free Practice Questions for Cisco 300-220 Exam

The correct answer isformulating a hypothesis to search for credential misuse without alerts. This activity is the defining characteristic ofthreat hunting.

Threat hunting isproactive and hypothesis-driven, meaning analysts intentionally search for attacker behavior that has not yet triggered alerts. Detection engineering, on the other hand, focuses on building and tuning automated rules that respond to known patterns.

Options A, B, and D all representreactive or preventative security operations. They rely on known indicators or alerts and are foundational but insufficient against stealthy adversaries who abuse valid credentials and native tools.

Cisco’sCBRTHD blueprintexplicitly emphasizes hypothesis-based hunting as a core competency. Hunters ask questions like:

“If credentials were stolen, how would that look in our telemetry?”

“What behavior would indicate lateral movement without malware?”

This approach aligns with detectingIndicators of Attack (IOAs)and operating higher on thePyramid of Pain, forcing adversaries to change tactics instead of infrastructure.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct next action is tosubmit the file for sandboxing. In professional security operations and threat hunting workflows, sandboxing is the most appropriate step when a file originates from an untrusted source and hash-based reputation checks return anunknownresult. An unknown hash means the file has not yet been classified as benign or malicious by threat intelligence databases, which is common with newly created malware or targeted attacks.

Sandboxing allows the security team to performdynamic analysisby executing the file in an isolated, controlled environment. This process observes runtime behaviors such as process creation, registry modification, network communications, command-and-control callbacks, file system changes, and exploit attempts. These behaviors provide high-fidelity indicators that static analysis or hash lookups cannot reveal.

Option B, reviewing the directory path, is useful for contextual awareness but does not determine whether the file is malicious. Option C, running a full malware scan, is premature; modern malware often evades signature-based scans, especially when the file is previously unknown. Option D, investigating the reputation of the website, is a supporting activity but does not assess the actual behavior or payload of the downloaded file.

From a threat hunting and incident response standpoint, sandboxing bridges the gap betweendetection and confirmation. If the sandbox analysis confirms malicious behavior, the team can escalate to containment actions such as isolating the endpoint, blocking hashes and domains, and performing scope analysis to identify other affected systems. Additionally, sandbox results can be used to create new SIEM detections and EDR behavioral rules, strengthening future defenses.

This approach aligns with professional best practices:unknown file + untrusted source = dynamic analysis first. It ensures accurate classification while minimizing unnecessary disruption to the user or environment.

The correct answer isearlier detection of attacks before data exfiltration. This outcome directly translates toreduced business impact, which is the ultimate goal of threat hunting.

Alert volume (Option A) and false-positive reduction (Option B) measure operational efficiency, not security effectiveness. Option D measures spending, not outcomes.

Early detection:

Reduces dwell time

Prevents data loss

Limits operational disruption

Increases attacker cost

Cisco’sCBRTHD blueprintemphasizes outcome-driven security metrics, with early detection being one of the strongest indicators of threat hunting maturity.

Therefore,Option Cis the correct and executive-level answer.

The correct answer isendpoint process execution and memory access events. During thedata collection and processing phase, the goal is to gatherhigh-fidelity telemetrythat supports hypothesis validation.

Credential harvesting often occurswithout dropping malwareand instead relies on:

Memory scraping

LSASS access

Credential dumping tools

In-memory execution

Cisco Secure Endpoint provides deep visibility into:

Process creation and parent-child relationships

Memory access attempts

Privilege abuse

Fileless execution

Option A provides enrichment but not raw behavioral evidence. Option C supports context but does not replace endpoint telemetry. Option D is reactive and unreliable for structured hunts.

Within theCBRTHD threat hunting lifecycle, this phase emphasizesevidence over indicators. Without endpoint execution and memory telemetry, hunters cannot reliably confirm credential access techniques.

This aligns withMITRE ATT&CK Credential Accesstactics and Cisco’s emphasis onendpoint behavioral analytics.

Thus,Option Bis the correct answer.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer isC. Use a Base64-encoded VBScript that is decoded and executed on the endpoint. The exhibit clearly shows aVBScript-based attack chainthat relies onBase64 encodingto obfuscate malicious content and evade basic detection mechanisms.

In the code snippet, the function call afghhha("aHR0cHM6Ly9z...") contains a string that is visiblyBase64-encoded. When decoded, Base64 strings commonly reveal URLs, commands, or additional script logic. The script then uses WinHttpReq.Open and WinHttpReq.Send to retrieve remote content over HTTP, extracts a specific portion of the response using string manipulation (InStr, Mid), and executes it dynamically using the execute() function. This is a strong indicator ofliving-off-the-land scripting abuse, where native Windows scripting engines are leveraged for malicious purposes.

From a MITRE ATT&CK perspective, this behavior aligns withCommand and Scripting Interpreter (T1059), specificallyVBScript (T1059.005), and includes elements ofObfuscated/Encoded Files or Information (T1027). Encoding payloads in Base64 helps attackers bypass signature-based detection tools and makes static analysis more difficult.

Option A is incorrect because the script does not perform checks to determine prior compromise; instead, it actively retrieves and executes payloads. Option B is incorrect because no batch file creation is shown. Option D is also incorrect, as there is no evidence of persistence mechanisms such as Startup folder modification or shortcut creation. The wscript.Sleep function indicates periodic execution or beaconing, but persistence itself is not established in the shown code.

For threat hunters and SOC analysts, this technique highlights the importance of monitoringscript interpreter usage,encoded command execution,suspicious WinHTTP requests, anddynamic code execution via execute(). Detecting encoded scripts and abnormal scripting behavior is critical, as these techniques are widely used in phishing payloads, malware loaders, and initial access tooling.

In professional environments, defenders should combine EDR behavioral detections, script block logging, AMSI integration, and network telemetry to effectively identify and disrupt this attack technique.

The correct answer isUse Deep Packet Inspection (DPI) to block malicious domains. The key detail in this scenario is that the endpoint is makingcontinuous outbound TCP connections to a known Command-and-Control (C2) server over port 80, which strongly indicates active malware beaconing or payload retrieval.

Deep Packet Inspection enables security controls—such as next-generation firewalls or network security analytics platforms—to inspectapplication-layer content, including HTTP headers, URLs, domains, and payload characteristics. This allows defenders to block C2 communicationbased on domain names, URL patterns, or behavioral signatures, even if attackers change IP addresses. Since C2 infrastructure is frequently rotated, IP-based blocking alone is insufficient for long-term mitigation.

Option A (browser extension deny list) may help prevent a specific initial infection vector, but it does not addresspost-compromise C2 traffic, especially if malware communicates independently of the browser. Option B (antivirus quarantine) is reactive and limited by signature coverage; modern malware often evades AV detection. Option D (IDS) can detect similar connections but typically does notblocktraffic unless integrated with an IPS or firewall, making it less effective for mitigation.

From a professional threat hunting and SOC standpoint, blocking C2 communication at thenetwork layer using DPIis a high-impact defensive control. It disrupts attacker command channels, prevents data exfiltration, and buys time for endpoint remediation and forensic investigation.

This aligns withMITRE ATT&CK – Command and Control (TA0011)mitigation strategies and reflects a mature security posture:detect at the endpoint, disrupt at the network. Therefore, optionCis the most effective action to mitigate similar connections in the future.

The correct answer isendpoint process ancestry tracking. Credential harvesting attacks frequently rely onfileless executionand living-off-the-land techniques.

When no files are written to disk, hash-based detection (Option A) is ineffective. Email sandboxing (Option C) and URL filtering (Option D) may detect initial delivery but provide little visibility into post-execution behavior.

Cisco Secure Endpoint provides detailed telemetry on:

Parent-child process relationships

Unexpected process spawning

Abnormal command-line arguments

Memory-resident execution

By analyzing process ancestry, hunters can identify suspicious chains such as:

Office applications spawning scripting engines

Browsers spawning credential-harvesting processes

Legitimate binaries launching unexpected child processes

This capability directly supportsMITRE ATT&CK Credential Access and Defense Evasion techniquesand is explicitly covered in theCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Thus,Option Bis the most accurate and Cisco-aligned answer.

The correct answer isconsistent attacker tradecraft mapped to MITRE ATT&CK. Attribution at a professional level relies onbehavioral consistency, not superficial artifacts.

Advanced threat actors routinely rotate infrastructure, recompile malware, and vary filenames specifically to defeat attribution efforts. As a result, indicators such as IP addresses, hashes, and timestamps are unreliable and sit low on thePyramid of Pain.

What attackers cannot easily change ishow they operate. This includes:

Initial access techniques

Credential harvesting methods

Lateral movement patterns

Persistence mechanisms

Command-and-control behaviors

When these behaviors remain consistent across incidents, they form abehavioral fingerprint. Mapping these observations toMITRE ATT&CK techniquesallows analysts to compare activity against known threat group profiles maintained by intelligence providers and national CERTs.

Option A and B are weak indicators easily altered by attackers. Option D provides almost no attribution value, as timing alone is coincidental and unreliable.

Professional attribution requires correlating TTPs across campaigns and validating them against historical threat actor intelligence. This method supports high-confidence attribution used in legal, executive, and geopolitical contexts.

Therefore,Option Cis the correct and defensible answer.