Which Snort rule behavior is triggered by: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:”Potential FTP Brute Force”; flow:from_server,established; content:”530”; threshold:type both, track by_dst, count 5, seconds 60;)?
Alerts once every 60 seconds if at least 5 ‘Login incorrect’ (530) responses are sent to an external destination.
Which Wireshark filter isolates DNS traffic specifically for the host 192.168.0.35?
dns && ip.addr == 192.168.0.35
How does a stateful packet filter handle a packet that does not match an existing state table entry or a new ‘established’ connection?
It drops the packet as it is considered out-of-state or unsolicited.
What does a discrepancy between $MFT Standard_Information ($SI) and File_Name ($FN) timestamps most likely indicate?
Anti-forensic ‘timestomping’ (manual modification of timestamps).
High entropy and a lack of recognizable strings/imports in an executable are signs of what evasion technique?
Obfuscation via a runtime packer.
What is a primary security flaw of the TFTP protocol?
It lacks built-in authentication or encryption mechanisms.
What is the most critical action to ensure disk image integrity during a forensic chain of custody?
Generating and verifying a cryptographic hash (e.g., SHA-256) of the image.
What term describes using a compromised web server in the DMZ to attack internal database servers?
Pivoting
How does a standard stateful firewall handle a TCP packet with the ACK flag set but no corresponding state table entry?
It drops the packet because it is unsolicited and out-of-state.
Which Cisco IOS feature prevents IP spoofing by filtering traffic based on the IP assigned via DHCP?
IP Source Guard
What is the primary goal of the ‘Containment’ phase in incident response?
Limiting the scope and impact of the incident to prevent further damage.
What are the characteristics of ‘packed’ malware?
High entropy and a lack of a visible import table.
Which Wireshark filter isolates traffic for 10.0.0.5 that is NOT using DNS?
ip.addr == 10.0.0.5 && !dns
Why should IR teams analyze the ‘Drafts’ folder of a compromised email account?
To identify emails intended for exfiltration or covert communication that were not yet sent.
Which AWS service monitors performance patterns to alert on unusual activity?
AWS CloudWatch
How do you confirm a Blind SQL Injection vulnerability?
Inject a payload that triggers a time delay (e.g., WAITFOR DELAY) and measure response time.
Which Windows Event ID is critical for detecting lateral movement via Pass-the-Hash (NTLM)?
Event ID 4624 (Logon Type 3)
What is the primary function of a Cloud Access Security Broker (CASB)?
Providing visibility and policy enforcement for data in third-party SaaS apps.
What is the main advantage of NetFlow over full packet capture (PCAP)?
Lower storage requirements for long-term historical analysis of ‘who talked to whom’.
What is ‘Process Hollowing’?
A technique where malware replaces the memory of a legitimate suspended process with malicious code.
What is a ‘Honeytoken’ in Active Defense?
A piece of data (like a fake credential) that triggers an alert when accessed or used.
An ICMP Type 8 (Echo Request) sent to a broadcast address with a spoofed source is what attack?
Smurf Attack
Which AWS log source records all API calls made within an account?
AWS CloudTrail
What is a key benefit of ‘Outbound Filtering’ (Egress Filtering)?
It can prevent compromised systems from communicating with external C2 servers.
