Question 1

A security team detected an above-average amount of inbound tcp/135 connection attempts from
unidentified senders. The security team is responding based on their incident response playbook.
Which two elements are part of the eradication phase for this incident? (Choose two.)

Accepted Answer

Explanation: The eradication phase in incident response involves eliminating the root cause of the incident and strengthening defenses to prevent reoccurrence. In this case: Intrusion Prevention System (D): Adding new rules to the IPS to detect and block malicious activity on TCP/135 is a direct eradication step to remove the threat’s entry point and prevent future attacks. Centralized User Management (C): Hardening user accounts, removing unnecessary permissions, and applying tighter authentication/authorization measures helps eliminate the possibility that threat actors could exploit weak or mismanaged accounts to continue accessing the system. Although anti-malware software (A) and enterprise block listing (E) are valuable, the most direct eradication steps here specifically involve managing network access (via IPS) and strengthening user controls (via centralized user management), especially when TCP/135 (MSRPC endpoint mapper) can be used to enumerate services and potentially access vulnerable endpoints remotely. This aligns with best practices outlined in incident response frameworks (such as the NIST SP 800-61 and referenced resources), which emphasize closing the exploited entry points (in this case, TCP/135) and removing any lingering access points through user management and network control enhancements. Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter: Understanding the Incident Response Process, Eradication Phase, page 105-106. External Reference: “The Core Phases of Incident Response – Remediation,” Cipher blog [1]. External Reference: “Service Overview and Network Port Requirements,” Microsoft documentation [2].

Question 2

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/300-215/page_37_img_2.jpg A security analyst notices unusual connections while monitoring traffic. What is the attack vector, and which action should be taken to prevent this type of event?

Accepted Answer

C

Explanation: The exhibit shows multiple ARP reply packets with the same IP addresses (192.168.51.105 and 192.168.51.201) being mapped to different MAC addresses, which triggers the message: "duplicate use of [IP] detected". This is a strong indicator of an ARP spoofing (or poisoning) attack. ARP spoofing occurs when a malicious actor sends falsified ARP messages to associate their MAC address with the IP address of another host. This misleads other devices on the network and allows interception or redirection of traffic. The Cisco CyberOps Associate guide specifically recommends configuring port security on switches as a method to mitigate ARP spoofing, by limiting the number of MAC addresses allowed per port or statically assigning legitimate MAC addresses to switch ports.

Question 3

An incident response analyst is preparing to scan memory using a YARA rule. How is this task completed?

Accepted Answer

C

Explanation: YARA rules are pattern-matching rules used to identify malware based on specific strings, conditions, and binary patterns. They are most effective in memory or file scans where analysts search for known indicators or unique signatures via string matching. Correct answer: C. string matching.

Question 4

Data has been exfiltrated and advertised for sale on the dark web. A web server shows:
Database unresponsiveness
PageFile.sys changes
Disk usage spikes with CPU spikes
High page faults
Which action should the IR team perform on the server?

Accepted Answer

C

Explanation: The combination of CPU spikes, disk usage peaks, and fluctuating PageFile.sys indicates excessive virtual memory paging, which may be a sign of malicious memory or file access behavior. PageFile.sys is part of the virtual memory system, and analyzing it can reveal which processes or payloads are consuming unusual amounts of memory, especially during exfiltration events.

Question 5

During a routine security audit, an organization's security team detects an unusual spike in network
traffic originating from one of their internal servers. Upon further investigation, the team discovered
that the server was communicating with an external IP address known for hosting malicious content.
The security team suspects that the server may have been compromised. As the incident response
process begins, which two actions should be taken during the initial assessment phase of this
incident? (Choose two.)

Accepted Answer

B, E

Explanation: During the initial phase of incident response, the two key actions are: Disconnecting the server (B) to contain the threat and prevent lateral movement or further exfiltration. Reviewing network logs (E) to understand the timeline and scope of the attack. These are emphasized in the containment and detection stages of the incident response lifecycle outlined in NIST 800-61 and covered in the Cisco CyberOps training. —

Question 6

A cybersecurity analyst is analyzing a complex set of threat intelligence data from internal and
external sources. Among the data, they discover a series of indicators, including patterns of unusual
network traffic, a sudden increase in failed login attempts, and multiple instances of suspicious file
access on the company's internal servers. Additionally, an external threat feed highlights that threat
actors are actively targeting organizations in the same industry using ransomware. Which action
should the analyst recommend?

Accepted Answer

B

Explanation: The described scenario includes both internal alerts (unusual network traffic, failed logins, suspicious file access) and external intelligence indicating active ransomware campaigns in the same industry. This constitutes a strong combination of precursors and indicators, as defined in the NIST SP 800-61 incident handling model and reinforced in the Cisco CyberOps Associate curriculum. According to the Cisco guide: “Once an incident has occurred, the IR team needs to contain it quickly before it affects other systems and networks within the organization.” “The containment phase is crucial in stopping the threat from spreading and compromising more systems”. Given these indicators and the high-value nature of the data involved, it is essential to proactively isolate suspected systems and activate the incident response plan to prevent damage from potential ransomware. —

Question 7

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/300-215/page_70_img_1.jpg What is occurring?

Accepted Answer

D

Explanation: The command in the image uses schtasks /create with the ONLOGON schedule and System user context to execute test.exe. This is a well-documented persistence technique, where an attacker ensures that a malicious executable is launched automatically at each system logon. This kind of scheduled task creation aligns with persistence techniques in the MITRE ATT&CK framework (T1053). —

Question 8

What is the steganography anti-forensics technique?

Accepted Answer

D

Explanation: Steganography is the anti-forensics technique of hiding malicious content within seemingly innocent files, such as image, audio, or video files. The goal is to conceal data or code in a way that avoids suspicion and detection, thereby making traditional security inspection tools ineffective unless they are explicitly designed to detect hidden data within media files. Steganography differs from encryption because it does not simply make data unreadable; it hides the existence of the data itself. It is commonly used in cyber operations to hide command-and-control instructions or to exfiltrate sensitive information in covert ways. Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter on Evasion and Obfuscation Techniques, Anti-Forensics, Steganography Section.

Question 9

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/300-215/page_14_img_1.jpg What is the IOC threat and URL in this STIX JSON snippet?

Accepted Answer

A

Explanation: This STIX (Structured Threat Information eXpression) JSON snippet provides two key elements relevant for IOC (Indicator of Compromise) analysis: The indicator pattern shows a suspicious URL: → "pattern": "[url:value = 'http://x4z9rb.cn/4712/']" This is the actual IOC that can be used for detection. The type of object that the indicator relates to: → "type": "malware" → "name": "x4z9arb backdoor" This indicates the nature of the threat associated with the IOC is malware. Therefore, the threat is "malware" and the associated indicator (IOC) is the URL: http://x4z9rb.cn/4712/ Option A correctly captures both the IOC category ("malware") and the indicator value ("http://x4z9rb.cn/4712/"). Reference: CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter on “Understanding Threat Intelligence Platforms,” including the use of STIX/TAXII for representing threat data.

Question 10

Which tool should be used for dynamic malware analysis?

Accepted Answer

D

Explanation: Dynamic malware analysis involves executing the malware in a controlled environment to observe its behavior, such as file creation, network traffic, or system modifications. A sandbox is designed for this purpose—it safely executes and monitors suspicious code without risking the host system. The other tools (Decompiler, Unpacker, Disassembler) are primarily used in static analysis. Correct answer: D. Sandbox —

Question 11

What are two features of Cisco Secure Endpoint? (Choose two.)

Accepted Answer

A, C

Explanation: Cisco Secure Endpoint (formerly AMP for Endpoints) offers features like: File trajectory: to track file behavior and spread across endpoints. Orbital Advanced Search: for querying endpoint data to detect threats in real time.

Question 12

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/300-215/page_44_img_1.jpg According to the Wireshark output, what are two indicators of compromise for detecting an Emotet malware download? (Choose two.)

Accepted Answer

A, D

Explanation: From the Wireshark capture: A (iraniansk.com): This domain is not a known legitimate resource and is hosting a suspicious file named “Fy.exe,” strongly indicative of a malware distribution domain. D (Fy.exe): The Content-Disposition: attachment; filename="Fy.exe" header explicitly signals a binary executable download, a key indicator in Emotet campaigns. While Content-Type: application/octet-stream (E) is typical of binary data transfers, it is not unique to malware and cannot by itself serve as a strong IoC. The nginx server (B) and cookie/hash string (C) similarly do not uniquely indicate compromise.

Question 13

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/300-215/page_87_img_1.jpg

Accepted Answer

D

Explanation: The string shown is long, alphanumeric, and includes both uppercase and lowercase letters with numbers—characteristics of Base64 encoding. This format is widely used to obfuscate payloads in malicious scripts, particularly in phishing or malware campaigns. Base64 encoding is also supported by Python and other platforms for data transformation. —

Question 14

An analyst finds .xyz files of unknown origin that are large and undetected by antivirus. What action should be taken next?

Accepted Answer

A

Explanation: The safest and most effective approach is to isolate the files and subject them to heuristic and behavioral analysis. This can reveal obfuscated malware or unauthorized data storage techniques, even if signature-based antivirus fails to flag them.

Question 15

An attacker embedded a macro within a word processing file opened by a user in an organization’s
legal department. The attacker used this technique to gain access to confidential financial dat
a. Which two recommendations should a security expert make to mitigate this type of attack?
(Choose two.)

Accepted Answer

A, C

Explanation: To prevent macro-based attacks, the Cisco CyberOps study guide emphasizes the importance of limiting execution of unauthorized or unsigned macros. "Requiring that all macros be digitally signed and limiting execution only to those that meet the required trust level is a key mitigation strategy against malicious macros." Additionally, enabling features like Controlled Folder Access helps in protecting sensitive directories from unauthorized changes by untrusted applications, including those launched via malicious macros . These two measures—enforcing signed macro policies and leveraging controlled folder access— directly help in mitigating the risk posed by embedded malicious macros in documents.

Free Cisco 300-215 Actual Exam Questions