CySA+ Exam Questions 1 with Complete Solutions
You suspect that a service called explorer.exe on a Windows server is malicious and you need to terminate it. Which of the following tools would NOT be able to terminate it?
sc
wmic
secpol.msc
services.msc -Answer- secpol.msc
(OBJ-3.1: The Local Security Policy editor (secpol.msc) lets an authorized administrator change a great deal about how the operating system behaves (audit policy, user rights, security options), but it has no facility to stop a process or service that is already running. The sc.exe command controls services, including stopping them: sc stop <servicename>. The Windows Management Instrumentation command line (wmic) can stop a service with: wmic service where name="<servicename>" call StopService. The services.msc console can also be used to enable, start, or stop a service. Note for practitioners: explorer.exe is normally the Windows shell process rather than a service, so a malicious process by that name would be terminated with taskkill /IM explorer.exe /F or wmic process where name="explorer.exe" call terminate; the question treats it as a service, and the answer about secpol.msc holds either way.)
Which of the following tools could be used to detect unexpected output from an application being managed or monitored?
A log analysis tool
A behavior-based analysis tool
A signature-based detection tool
Manual analysis -Answer- A behavior-based analysis tool
(OBJ-3: A behavior-based analysis tool can be used to capture/analyze normal behavior and then alert when an anomaly occurs. Configuring a behavior-based analysis tool requires more effort to properly set up, but it requires less work and manual monitoring once it is running. Signature-based detection is a process where a unique identifier is established about a known threat so that the threat can be identified in the future. Manual analysis requires a person to read all the output and determine if it is erroneous. A log analysis tool would only be useful to analyze the logs, but it would not be able to detect unexpected output by itself. Instead, the log analysis tool would need to use a behavior-based or signature-based detection system.)
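The following Python script is an added example, not part of the original question set, that shows the distinction the explanation draws: a signature-based detector matching known-bad patterns beside a behavior-based detector that learns what the application's output normally looks like and alerts on anomalies. The log lines, endpoints and signature patterns are constructed for illustration and do not come from any real application.

```python
import re
import statistics
from collections import defaultdict

# Constructed application output (not real logs), one request per line:
#   <timestamp> <method> <request> status=<code> bytes=<response size>
BASELINE_LOG = [
    "2024-05-01T10:00:01 GET /api/login status=200 bytes=210",
    "2024-05-01T10:00:05 GET /api/login status=200 bytes=225",
    "2024-05-01T10:00:09 GET /api/login status=401 bytes=205",
    "2024-05-01T10:00:14 GET /api/login status=200 bytes=218",
    "2024-05-01T10:00:20 GET /api/login status=200 bytes=230",
    "2024-05-01T10:00:27 GET /api/login status=200 bytes=240",
    "2024-05-01T10:01:02 GET /api/export status=200 bytes=4100",
    "2024-05-01T10:01:09 GET /api/export status=200 bytes=4250",
    "2024-05-01T10:01:15 GET /api/export status=200 bytes=4180",
    "2024-05-01T10:01:22 GET /api/export status=200 bytes=4320",
    "2024-05-01T10:01:30 GET /api/export status=200 bytes=4090",
    "2024-05-01T10:01:41 GET /api/export status=200 bytes=4400",
]
SUSPECT_LOG = [
    "2024-05-02T03:12:01 GET /api/export status=200 bytes=4210",      # normal
    "2024-05-02T03:12:04 GET /api/export status=200 bytes=987654",    # huge export, no known signature
    "2024-05-02T03:12:09 GET /api/login status=500 bytes=231",        # status never seen before
    "2024-05-02T03:12:15 GET /api/login?user=' UNION SELECT 1-- status=200 bytes=240",  # known-bad pattern
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) status=(\d+) bytes=(\d+)$")

# Signature-based detection: fixed patterns for threats that are already known.
SIGNATURES = {
    "sqli": re.compile(r"UNION\s+SELECT", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<script", re.I),
}


def parse(line):
    """Split one log line into its fields; the endpoint is the path without its query string."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, method, request, status, size = m.groups()
    return {"ts": ts, "method": method, "request": request,
            "endpoint": request.split("?", 1)[0], "status": int(status), "bytes": int(size)}


def build_baseline(lines):
    """Behavior-based setup: per endpoint, learn the usual response size and the status codes seen."""
    sizes, statuses = defaultdict(list), defaultdict(set)
    for rec in map(parse, lines):
        sizes[rec["endpoint"]].append(rec["bytes"])
        statuses[rec["endpoint"]].add(rec["status"])
    return {ep: {"mean": statistics.fmean(v), "stdev": statistics.pstdev(v),
                 "statuses": statuses[ep]} for ep, v in sizes.items()}


def behavior_alerts(rec, baseline, z_limit=3.0):
    """Flag output that deviates from the learned profile, whatever caused it."""
    profile = baseline.get(rec["endpoint"])
    if profile is None:
        return ["endpoint never seen in baseline"]
    reasons = []
    if rec["status"] not in profile["statuses"]:
        reasons.append(f"status {rec['status']} never seen for {rec['endpoint']}")
    z = (rec["bytes"] - profile["mean"]) / max(profile["stdev"], 1e-9)
    if abs(z) > z_limit:
        reasons.append(f"response size {rec['bytes']} is {z:.1f} sigma from baseline")
    return reasons


def signature_alerts(rec):
    """Flag only requests that match a pattern someone has already written a signature for."""
    return [name for name, pat in SIGNATURES.items() if pat.search(rec["request"])]


def analyze(baseline_lines, suspect_lines):
    """Return {line index: [(detector, reason), ...]} for every suspect line that raised an alert."""
    baseline = build_baseline(baseline_lines)
    findings = {}
    for i, line in enumerate(suspect_lines):
        rec = parse(line)
        hits = [("signature", name) for name in signature_alerts(rec)]
        hits += [("behavior", reason) for reason in behavior_alerts(rec, baseline)]
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in analyze(BASELINE_LOG, SUSPECT_LOG).items():
        print(idx, SUSPECT_LOG[idx], hits)
```

Run as written, the oversized export and the unexpected 500 are caught only by the behavior detector (no signature exists for them), while the SQL injection string is caught only by the signature detector, since its response looks perfectly normal. That is why the explanation says a log analysis tool on its own cannot detect "unexpected output": the detection logic has to come from one of these two approaches.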
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit?
Sensitive data exposure
Dereferencing
Broken authentication
Race condition -Answer- Race condition
(OBJ-4.4: Race conditions occur when the outcome of a process depends on the order and timing of certain events, and those events fail to execute in the order and timing the developer intended. In this scenario, the hacker's exploit races to modify the configuration file between the moment the purchase is written and the moment the application reads the number of lives back, a time-of-check to time-of-use (TOCTOU) race. Sensitive data exposure is a fault that allows privileged information (such as a token, password, or PII) to be read without being subject to the proper access controls. Broken authentication refers to an app that fails to correctly verify identity or session state and so grants access to malicious actors. Dereferencing refers to following a pointer to the object at a particular memory location; a dereferencing flaw (such as a null pointer dereference) concerns memory access, not file timing.)
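The following Python script is an added example, not part of the original question set, that reproduces the race the question describes and shows one mitigation. The purchase flow, the attacker's rewrite, the HMAC key and the file layout are all constructed for illustration; the `window` callback stands in for the timing gap an attacker would have to win on a real device, so the race is deterministic here.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Callable, Optional

# Constructed scenario: the game records purchased lives in a config file on the
# device, then reads the file back to decide how many lives to grant. The
# `window` callback models the gap between the write and the read-back.


def purchase_vulnerable(config_path: str, lives_bought: int,
                        window: Optional[Callable[[], None]] = None) -> int:
    """Writes the purchase, then trusts whatever the file says when reading it back."""
    with open(config_path, "w") as fh:
        json.dump({"lives": lives_bought}, fh)
    if window:
        window()                        # attacker rewrites the file in this gap
    with open(config_path) as fh:
        return json.load(fh)["lives"]   # time of use differs from time of write


def attacker_rewrite(config_path: str, claimed_lives: int) -> None:
    """The exploit from the question: claim more lives than were paid for."""
    with open(config_path, "w") as fh:
        json.dump({"lives": claimed_lives}, fh)


# Hardened variant: the purchase record carries an HMAC under a key the attacker
# does not hold. Assumption (constructed): the key is held by the purchase server
# or a device-backed keystore, not in the rewritable config file.
PURCHASE_KEY = b"assumed-server-side-purchase-key"


def _sign(payload: bytes) -> str:
    return hmac.new(PURCHASE_KEY, payload, hashlib.sha256).hexdigest()


def purchase_hardened(config_path: str, lives_bought: int,
                      window: Optional[Callable[[], None]] = None) -> int:
    """Same flow, but the read-back is rejected unless the record's tag verifies."""
    payload = json.dumps({"lives": lives_bought}).encode()
    with open(config_path, "w") as fh:
        json.dump({"payload": payload.decode(), "tag": _sign(payload)}, fh)
    if window:
        window()
    with open(config_path) as fh:
        record = json.load(fh)
    payload = str(record.get("payload", "")).encode()
    if not hmac.compare_digest(_sign(payload), str(record.get("tag", ""))):
        raise ValueError("purchase record failed integrity check")
    return json.loads(payload)["lives"]


def run_demo() -> dict:
    """Run both flows with and without the attacker racing; return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "lives.json")
        race = lambda: attacker_rewrite(cfg, 100)
        results = {
            "vulnerable_clean": purchase_vulnerable(cfg, 1),
            "vulnerable_raced": purchase_vulnerable(cfg, 1, race),
            "hardened_clean": purchase_hardened(cfg, 1),
        }
        try:
            results["hardened_raced"] = purchase_hardened(cfg, 1, race)
        except ValueError as exc:
            results["hardened_raced"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable flow grants 100 lives when the attacker wins the race; the hardened flow rejects the tampered file. The integrity tag only closes the tampering variant of the race, though: a record the attacker copies from a genuine 100-life purchase would still verify, and any key shipped inside the app can be extracted from the phone. The robust fix is to keep the purchased balance authoritative on the server and never re-read it from a client-writable file.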
You have been given access to a Windows system located on an Active Directory domain as part of a white box penetration test. Which of the following commands would provide information about other systems on this network?
net use
net user
net group
net config -Answer- net use
(OBJ-1: Run with no arguments, the net use command lists the network connections the workstation currently has, such as mapped drives and printers, together with the UNC paths they point to. This helps identify file servers and print servers on the network. The net group command can only be used on domain controllers. The net config command displays and adjusts settings of the Server and Workstation services on the local machine; it does not identify other systems. The net user command shows the user accounts on the local Windows workstation you are using.)
Which type of monitoring would utilize a network tap?
Router-based
Active
Passive
SNMP -Answer- Passive
(OBJ-1: Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct passive network monitoring and visibility without interfering with the network traffic itself. Active monitoring relies on the scanning of targeted systems, not a network tap. Router-based monitoring would involve looking over the router's logs and configuration files. SNMP is used to monitor network devices, but is considered a form of active monitoring and doesn't rely on network taps.)