Logical Operations
CFR-210 Exam
Logical Operations CyberSec First Responder Exam
https://www.braindumps2go.com
Questions & Answers PDF P-2
An attacker performs reconnaissance on a Chief Executive Officer (CEO) using publicly available
resources to gain access to the CEO’s office. The attacker was in the CEO’s office for less than five
minutes, and the attack left no traces in any logs, nor was there any readily identifiable cause for the
exploit. The attacker is then able to use numerous credentials belonging to the CEO to conduct a
variety of further attacks. Which of the following types of exploit is described?
A. Pivoting
B. Malicious linking
C. Whaling
D. Keylogging
Answer: C
Question: 2
Which of the following is an automated password cracking technique that uses a combination of
upper and lower case letters, 0-9 numbers, and special characters?
A. Dictionary attack
B. Password guessing
C. Brute force attack
D. Rainbow tables
Answer: C
Question: 3
A zero-day vulnerability is discovered on a company’s network. The security analyst conducts a log
review, schedules an immediate vulnerability scan, and quarantines the infected system, but cannot
determine the root cause of the vulnerability. Which of the following is a source of information that
can be used to identify the cause of the vulnerability?
A. www.virustotal.com
B. Security RSS feeds
C. Security software websites
D. Government websites
Answer: C
Question: 4
The Chief Information Officer (CIO) of a company asks the incident responder to update the risk
management plan. Which of the following methods can BEST help the incident responder identify
the risks that require in-depth analysis?
A. Qualitative analysis
B. Targeted risk analysis
C. Non-targeted risk analysis
D. Quantitative analysis
Answer: D
Question: 5
A security analyst for a financial services firm is monitoring blogs and reads about a zero-day
vulnerability being exploited by a little-known group of hackers. The analyst wishes to independently
validate and corroborate the blog’s posting. Which of the following sources of information will
provide the MOST credible supporting threat intelligence in this situation?
Answer: C
Question: 6
Which of the following could an attacker use to perpetrate a social engineering attack? (Choose two.)
A. Keylogger
B. Yagi
C. Company uniform
D. Backdoor
E. Phone call
Answer: A,E
Question: 7
During review of a company’s web server logs, the following items are discovered:
2015-03-01 03:32:11 www.example.com/index.asp?id=-999 or 1=convert(int,@@version)--
2015-03-01 03:35:33 www.example.com/index.asp?id=-999 or 1=convert(int,db_name())--
Answer: D
Question: 8
An attacker has exfiltrated the SAM file from a Windows workstation. Which of the following attacks
is MOST likely being perpetrated?
A. user enumeration
B. Brute forcing
C. Password sniffing
D. Hijacking/rooting
Answer: C
Question: 9
Which of the following describes the MOST important reason for capturing post-attack metadata?
Answer: C
Question: 10
DRAG DROP
Drag and drop the following steps to perform a successful social engineering attack in the correct
order, from first (1) to last (6).
Answer:
Question: 11
A malicious actor sends a crafted email to the office manager using personal information collected
from social media. This type of social engineering attack is known as:
A. spear phishing
B. vishing
C. phishing
D. whaling
Answer: C
Question: 12
A computer attacker has compromised a system by implanting a script that will send 10B packages
over port 150. This port is also used for sending heartbeat messages to a central monitoring server.
Which of the following BEST describes the tactic used to execute this attack?
A. Covert channels
B. Logic bomb
C. Backdoors
D. ICMP redirect
Answer: A
Question: 13
Which of the following techniques allows probing firewall rule sets and finding entry points into a
targeted system or network?
Answer: D
Question: 14
A security professional has been tasked with the protection of a specific set of information essential
to a corporation’s livelihood, the exposure of which could cost the company billions of dollars in
long-term revenue. The professional is interested in obtaining advice for preventing the theft of this
type of information. Which of the following is the BEST resource for finding this material?
Answer: A
Question: 15
Answer: D
Question: 16
Answer: D
Question: 17
A malicious attacker has compromised a database by implementing a Python-based script that will
automatically establish an SSH connection daily between the hours of 2:00 am and 5:00 am. Which of
the following is the MOST common motive for the attack vector that was used?
A. Pivoting
B. Persistence/maintaining access
C. Exfiltration
D. Lateral movement
Answer: D
Question: 18
DRAG DROP
When perpetrating an attack, there are often a number of phases attackers will undertake,
sometimes taking place over a long period of time. Place the following phases in the correct
chronological order from first (1) to last (5).
Answer:
Question: 19
Which of the following tools can be used to identify open ports and services?
A. netstat
B. tcpdump
C. nmap
D. recon-ng
Answer: A
Question: 20
A high-level government official uses anonymous bank accounts to transfer a requested amount of
funds to individuals in another country. These individuals are known for defacing government
websites and exfiltrating sensitive data. Which of the following BEST describes the involved threat
actors?
A. State-sponsored hackers
B. Gray hat hackers
C. Hacktivists
D. Cyber terrorists
Answer: D
Question: 21
Which of the following are reasons that a hacker would execute a DoS or a DDoS attack? (Choose
two.)
Answer: A,B
Question: 22
A hacker’s end goal is to target the Chief Financial Officer (CFO) of a bank. Which of the following
describes this social engineering tactic?
A. Vishing
B. Pharming
C. Spear phishing
D. Whaling
Answer: D
Question: 23
Which of the following can hackers use to gain access to a system over the network without knowing
the actual password?
A. User enumeration
B. Pass the hash
C. Port scanning
D. Password cracking
Answer: D
Question: 24
A. SNMP
B. DNS
C. ARP
D. DHCP
Answer: D
Question: 25
Click the exhibit button. After reviewing captured network traffic logs, a security auditor suspects a
violation of the organization’s computer use policy. Which of the following is the likely indicator of
the violation?
A. Unauthorized programs
B. Malicious software
C. Service disruption
D. Registry entries
E. New user account
Answer: A
Question: 26
A Windows system user reports seeing a command prompt window pop up briefly during each login.
In which of the following locations would an incident responder check to explain this activity?
A. rc.d
B. HKLM “RunOnce” key
C. c:\temp
D. /etc/init.d/
Answer: C
Question: 27
An incident responder is asked to create a disk image of a compromised Linux server. Which of the
following commands should be used to do this?
A. dd
B. lsof
C. gzip
D. fdisk
E. mbr
Answer: D
Question: 28
An intruder gains physical access to a company’s headquarters. The intruder is able to access the
company’s network via a visitor’s office. The intruder sets up an attack device, under the visitor’s
office desk, that impersonates the corporate wireless network. Users at headquarters begin to notice
slow browsing speeds from their company laptops. Which of the following attacks is MOST likely
occurring?
A. Man-in-the-middle
B. Denial of service
C. Social engineering
D. ARP table poisoning
Answer: D
Question: 29
An alert has been triggered identifying a new application running on a Windows server. Which of the
following tools can be used to identify the application? (Choose two.)
A. traceroute
B. nbtstat
C. Hex editor
D. Task manager
E. Process explorer
Answer: D,E
Question: 30
When performing an investigation, a security analyst needs to extract information from text files in a
Windows operating system. Which of the following commands should the security analyst use?
A. findstr
B. grep
C. awk
D. sigverif
Answer: C
Question: 31
An outside organization has reported to the Chief Information Officer (CIO) of a company that it has
received an attack from a Linux system in the company’s DMZ. Which of the following commands
should an incident responder use to review a list of currently running programs on the potentially
compromised system?
A. task manager
B. tlist
C. who
D. top
Answer: D
Question: 32
While performing standard maintenance on a UNIX server, a system administrator notices a set of
large files with .tar.gz file extensions in the /tmp folder. The system administrator reports this to a
security analyst. Performing further research, the analyst has found the .tar.gz files contain
information normally housed on one of the bank’s data servers. Given this scenario, which of the
following is MOST likely occurring?
A. A malicious actor, having breached the system, is staging collected data for exfiltration.
B. Having nearly exhausted the capacity of the home directory, a user is moving files to make room.
C. An error in the .hosts file has resulted in the data being backed up to the wrong server.
D. One of the newly hired system administrators has inadvertently backed up data to the wrong
server.
Answer: B
Question: 33
A security auditor has been asked to analyze event logs to look for signs of suspicious behavior. The
company operates on a normal workday schedule (e.g., Monday through Friday, 8 am – 5 pm) and
has implemented stringent access control policies (e.g., password complexity, failed login attempts).
Which of the following provides the MOST reason for concern?
Answer: A
Question: 34
A forensics analyst is analyzing an executable and thinks it may have some text of interest hidden
within it. Which of the following tools can the analyst use to assist in validating the suspicion?
A. lsof
B. cat command
C. hex editor
D. more
Answer: C
Question: 35
A system administrator is informed that a user received an email containing a suspicious attachment.
Which of the following methods is the FASTEST way to determine whether the file is suspicious or
not?
A. Reverse engineering
B. Virus scanning
C. Virtualization
D. Sandboxing
Answer: D
Question: 36
A user reports a pop-up error when starting a Windows machine. The error states that the machine
has been infected with a virus and instructs the user to download a new antivirus client. In which of
the following locations should the incident responder check to find what is generating the error
message? (Choose two.)
Answer: A,C
Question: 37
A file is discovered in the /etc directory of an internal server by an automated file integrity checker. A
security analyst determines the file is a bash script. The contents are as follows:
---
#!/bin/bash
# Split each line of /etc/passwd on ":" so the seven fields land in a..g
IFS=:
[[ -f /etc/passwd ]] && cat /etc/passwd |
while read a b c d e f g
do
echo "$e ($a)"
done
---
Which of the following was the author of the script attempting to gather?
Answer: B
Question: 38
During a malware outbreak, a security analyst has been asked to capture network traffic in hourly
increments for analysis by the incident response team. Which of the following tcpdump commands
would generate hourly pcap files?
Answer: B
Question: 39
From a compromised system, an attacker bypasses a proxy server and sends a large amount of data
to a remote location. A security analyst is tasked with finding the conduit that was used by the
attacker to bypass the proxy. Which of the following Windows tools should be used to find the
conduit?
A. net
B. fport
C. nbtstat
D. netstat
Answer: D
Question: 40
An attack was performed on a company’s web server, disabling the company’s website. The incident
response team’s investigation produced the following:
1. Presence of malicious code installed on employees’ workstations.
2. Excessive UDP datagrams sent to a single address.
3. Web server received excessive UDP datagrams from multiple internal hosts.
4. Network experienced high traffic after 3:00 pm.
5. Employee workstations sent large traffic bursts when employees accessed the internal timecard
application.
Which of the following BEST describes the attack tool used to perform the attack?
A. KeyLogger
B. Logic bomb
C. Nessus
D. Metasploit
Answer: D
Question: 41
An organization needs to determine if any systems on its network (10.0.25.0/24) have web services
running on port 80 or 443. Which of the following is the BEST command to do this?
Answer: C
Question: 42
the following commands should the incident responder use to identify any users currently logged
into the system? (Choose two.)
A. lsof
B. ls
C. id
D. w
E. lastlog
Answer: D
Question: 43
A suspicious laptop is found in a datacenter. The laptop is on and processing data, although there is
no application open on the screen. Which of the following BEST describes a Windows tool and
technique that an investigator should use to analyze the laptop’s RAM for working applications?
Answer: B
Question: 44
A system administrator needs to analyze a PCAP file on a Linux workstation where the use of GUI-
based applications is restricted. Which of the following command line tools can the administrator use
to analyze the PCAP?
A. nfdump
B. cryptcat
C. tshark
D. netstat
Answer: A
Question: 45
Answer: D
Question: 46
Malicious code that can replicate itself using various techniques is referred to as a:
A. downloader
B. rootkit
C. launcher
D. worm
Answer: D
Question: 47
While a network administrator is monitoring the company network, an unknown local IP address is
starting to release high volumes of anonymous traffic to an unknown external IP address. Which of
the following would indicate to the network administrator potential compromise?
A. Packet losses
B. Excessive bandwidth usage
C. Service disruption
D. Off-hours usage
Answer: B
Question: 48
Click the exhibit button. Which of the following Windows tools is executed?
A. nmap
B. netstat
C. tracert
D. traceroute
Answer: D
Question: 49
A malware analyst has been assigned the task of reverse engineering malicious code. To conduct the
analysis safely, which of the following could the analyst implement?
A. Honeypot
B. VLAN
C. Lock box
D. Sandbox
Answer: D
Question: 50
An attacker has decided to attempt a brute force attack on a UNIX server. In order to accomplish this,
which of the following steps must be performed?
A. Exfiltrate the shadow and SAM, run unshadow, and then run a password cracking utility on the
output file.
B. Exfiltrate the shadow and passwd, and then run a password cracking utility on both files.
C. Exfiltrate the shadow and SAM, and then run a password cracking utility on both files.
D. Exfiltrate the shadow and passwd, run unshadow, and then run a password cracking utility on the
output file.
Answer: C
Question: 51
Answer: C
Question: 52
An incident responder has captured packets associated with malware. The source port is 8765 and
the destination port is 7653. Which of the following commands should be used on the source
computer to help determine which program is responsible for the connection?
A. services.msc
B. psexec
C. msconfig
D. fport
Answer: D
Question: 53
A UNIX workstation has been compromised. The security analyst discovers high CPU usage during
off-hours on the workstation. Which of the following UNIX programs can be used to detect the rogue
process? (Choose two.)
A. arp
B. ps
C. who
D. dd
E. top
Answer: C,E
Question: 54
A forensics investigator has been assigned the task of investigating a system user for suspicion of
using a company-owned workstation to view unauthorized content. Which of the following would be
a proper course of action for the investigator to take?
A. Notify the user that their workstation is being confiscated to perform an investigation, providing
Answer: B
Question: 55
Log review shows that large amounts of data are being sent to an IP address unassociated with the
company. Which of the following mitigation techniques should be implemented?
A. DNS filtering
B. System hardening
C. Proxy
D. IPS
Answer: A
Question: 56
During the course of an investigation, an incident responder discovers illegal material on a user’s
hard drive. Which of the following is the incident responder’s MOST important next step?
A. Notify management
B. Place the hard drive in an evidence bag
C. Image the hard drive
D. Restrict the user’s access
Answer: A
Question: 57
Which of the following is the reason that out-of-band communication is used during a security
incident?
Answer: C
Question: 58
An organization’s public information website has been defaced. The incident response team is
actively engaged in the following actions:
- Installing patches on the web server
- Turning off unnecessary services on web server
- Adding new ACL rules to the WAF
- Changing all passwords on web server accounts
Which of the following incident response phases is the team MOST likely conducting?
A. Respond
B. Recover
C. Contain
D. Identify
Answer: B
Question: 59
A SOC analyst reviews vendor security bulletins and security blog articles against the company’s
deployed system and software base. Based on current attack patterns, three vulnerabilities, including
a zero-day vulnerability, have been upgraded to high priority. Which of the following should the SOC
analyst recommend? (Choose two.)
Answer: B,E
Question: 60
DRAG DROP
Drag and drop the following steps in the correct order from first (1) to last (7) that a forensic expert
would follow based on data analysis in a Windows system.
Answer:
Question: 61
Organizations should exercise their Incident Response (IR) plan following initial creation. The primary
objective for this first IR plan exercise is to identify:
Answer: D
Question: 62
During an annual penetration test, several rootkit-enabled systems are found to be exfiltrating data.
The penetration test team and the internal incident response team work to begin cleanup. The
company’s operations team offers a new email server to use for communications during the
incident. As cleanup continues, the attackers seem to know exactly what the incident response plan
is. Which of the following will prevent the attackers from compromising cleanup activities?
Answer: A
Question: 63
During the identification phase, it is discovered that port 23 is being used maliciously. Which of the
following system hardening techniques should be used to remediate the issue?
Answer: B
Question: 64
A security analyst discovers a zero-day vulnerability affecting Windows, which has not been publicly
identified. The security analyst assumes this vulnerability is present on millions of computer systems
and feels an obligation to share this information with other security professionals. Which of the
following would be the MOST adverse consequences of the analyst sharing this information?
Answer: A
Question: 65
Network engineering has reported low bandwidth during working hours. The incident response team
is currently investigating several anomalous activities that may be related. Which of the following is
the MOST appropriate method to further investigate this problem?
Answer: C
Question: 66
An administrator wants to block Java exploits that were not detected by the organization’s antivirus
product. Which of the following mitigation methods should an incident responder perform? (Choose
two.)
Answer: C,E
Question: 67
Which of the following are legally compliant forensics applications that will detect ADS or a file with
an incorrect file extension? (Choose two.)
A. Regedit
B. EnCase
C. dd
D. FTK
E. Procmon
Answer: A,C
Question: 68
A network administrator has been asked to configure a new network. It is the company’s policy to
segregate network functions using different Virtual LANs (VLANs). On which of the following is this
configuration MOST likely to occur?
A. Network switch
B. Virtual Machine
C. Virtual Private Network
D. Network firewall
Answer: A
Question: 69
Which of the following mitigations will remain intact, regardless of the underlying network protocol?
A. DNS filtering
B. Application whitelisting
C. IP address blocking
D. Proxy ACL
Answer: A
Question: 70
Which of the following enables security personnel to have the BEST security incident recovery
practices?
Answer: D
Question: 71
As part of an incident response effort, data has been collected and analyzed, and a malware infection
has been contained. Which of the following is the NEXT step the incident response team should take
within the incident response process?
A. Begin recovering all infected systems to return the organization to normal operations as soon as
possible.
B. Ensure every instance of the malware has been removed across the organization.
C. Discuss lessons learned before proceeding with other steps.
D. Start writing the report to ensure a quality product is delivered by the end of the project.
Answer: B
Question: 72
A security analyst would like to parse through several SQL logs for indicators of compromise. The
analyst is aware that none of the fields should contain a string of text longer than 30 characters;
however, the analyst is unaware if there are any implemented controls to prevent such an overflow.
Which of the following BEST describes the regular expression the analyst should use to find any
alphanumeric character string?
A. /^[a-zA-Z0-9]{5,30}$/
B. /^[a-zA-Z-9]{30}$/
C. /^[a-zA-Z]{5,30}$/
D. /^[a-Z0-9]{5,30}$/
Answer: A
Question: 73
An incident responder needs to quickly locate specific data in a large data repository. Which of the
following Linux tools should be used?
A. cat
B. find
C. grep
D. man
Answer: C
Question: 74
An attacker has sent malicious macro-enabled Office files. Which of the following regular expressions
will return a list of macro-enabled files?
A. ^.*?\.(?:xls|ppt|doc)m
B. ^.*(?:xls|ppt|doc)m.*
C. ^.*?\.(?:xls|ppt|doc)m$
D. ^.*(?:xls|ppt|doc)m
Answer: B
Question: 75
A SOC analyst has been tasked with checking all files in every employee home directory for any
mention of a new product code named PitViper. Which of the following commands will return all
requested data?
Answer: A
Question: 76
Which of the following is the BEST way to capture all network traffic between hosts on a segmented
network?
A. HIPS
B. Firewall
C. Router
D. Protocol analyzer
Answer: A
Question: 77
Customers are reporting issues connecting to a company’s Internet server. Which of the following
device logs should a technician review in order to help identify the issue?
A. WIPS
B. SSH
C. WAP
D. WAF
Answer: A
Question: 78
An unauthorized network scan may be detected by parsing network sniffer data for:
Answer: A
Question: 79
When investigating a wireless attack, which of the following can be obtained from the DHCP server?
Answer: A
Question: 80
An incident responder suspects that a host behind a firewall is infected with malware. Which of the
following should the responder use to find the IP address of the infected machine?
A. NAT table
B. ARP cache
C. DNS cache
D. CAM cable
Answer: C
Question: 81
To redact or obfuscate sensitive data, a company requires its name be changed throughout a post-
incident report. Using a Linux sed command, which of the following will replace the company’s name
with “Acme”?
A. /Orange/Acme/g
B. s/Acme/Orange/g
C. /Acme/Orange/g
D. s/Orange/Acme/g
Answer: D
Question: 82
An organization performs regular updates to its network devices to alert and prevent access to
streaming media sites by the employees. Each device will send logs and alerts to a centralized server
for storage, archive, and analysis. Which of the following BEST describes the system that is
correlating the data found in all alerts and logs?
A. SIEM
B. NIDS
C. HIPS
D. WIPS
Answer: A
Question: 83
The incident response team needs to track which user last connected to a specific Windows domain
controller. Which of the following is the BEST way to identify that specific user?
Answer: D
Question: 84
A. \Windows\Systems32\winevt\logs\System.evt
B. \Windows\System32\winevt\Logs\System.evtx
C. \Windows\Systems\winevt\Evtlogs\System.evtx
D. \Windows\System\winevt\Logs\System.evt
Answer: B
Question: 85
During a network-based attack, which of the following data sources will provide the BEST data to
quickly determine the attacker’s point of origin? (Choose two.)
A. DNS logs
B. System logs
C. WIPS logs
D. Firewall logs
E. IDS/IPS logs
Answer: A,D
Question: 86
Which of the following commands should be used to print out ONLY the second column of items in
the following file?
Source_File.txt
Alpha Whiskey
Bravo Tango
Charlie Foxtrot
Echo Oscar
Delta Roger
Answer: D
Question: 87
An alert on user account activity outside of normal business hours returns Windows event IDs 540
and 4624. In which of the following locations will these events be found?
Answer: D
Question: 88
A. MAC addresses.
B. memory addresses.
C. IPv4 addresses.
D. IPv6 addresses.
Answer: A
Question: 89
An incident responder is asked to work with the IT department to address patch management issues
with the company servers. Which of the following is the BEST source for the incident responder to
obtain the CVEs for the latest industry-recognized patches?
A. Vulnerabilities database
B. Intelligence feeds
C. Security journals
D. Security blogs
Answer: A
Question: 90
An organization’s firewall has recently been bombarded with an excessive amount of failed requests.
A security analyst has been tasked with providing metrics on any failed attempts to ports above
1000. Which of the following regular expressions will work BEST to identify an IP address with the
desired port range?
A. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):({4,5}\d+)\b/
B. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([4]\D+)\b/
C. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([4]\d+)\b/
D. /\b^(?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\b/
Answer: C
Question: 91
Answer: B
Question: 92
A network engineer has collected a packet capture using Wireshark and given it to the team for
analysis. The team is looking for activity based on the internal IP address of 10.0.25.123. Which of
the following filters should the team use to look at only traffic for this IP?
Answer: D
Question: 93
An analyst would like to search for a specific text string at the beginning of a line that begins with
four capital alphabetic characters. Which of the following search operators should be used?
A. /\b\w{4}\b
B. /\b[A-Z]{4}\g
C. /^\w{4}\b
D. /B[A-Z]{4}\b\g
Answer: B
Question: 94
Which of the following logs should be checked to determine if an internal user connected to a
potentially malicious website? (Choose two.)
A. FTP logs
B. Email logs
C. Firewall logs
D. Proxy logs
E. HTTP logs
Answer: D,E
Question: 95
While reviewing some audit logs, an analyst has identified consistent modification of the sshd_config
file for an organization’s server. The analyst would like to investigate and compare contents of the
current file with archived versions of files that are saved weekly. Which of the following tools will be
MOST effective during the investigation?
Answer: B
Question: 96
A logfile generated from a Windows server was moved to a Linux system for further analysis. A
system administrator is now making edits to the file with vi and notices the file contains numerous
instances of Ctrl-M (^M) characters. Which of the following command line tools is the administrator
MOST likely to use to remove these characters from the logfile? (Choose two.)
A. tr
B. cut
C. cat
D. unix2dos
E. awk
Answer: A,C
Question: 97
A. Intrusion prevention
B. Proxy filtering
C. Web application firewall
D. Intrusion detection
Answer: C
Question: 98
An incident responder notices many entries in an apache access log file that contain semicolons.
Which of the following attacks is MOST likely being attempted?
A. SQL injection
B. Remote file inclusion
C. Account brute force
D. Cross-site scripting
Answer: A
Question: 99
A DMZ web server has been compromised. During the log review, the incident responder wants to
parse all common internal Class A addresses from the log. Which of the following commands should
the responder use to accomplish this?
Answer: C
Question: 100
Which of the following types of logs is shown below, and what can be discerned from its contents?
2015-07-19 12:33:31 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:35 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:35 reject UDP 123.56.71.145 192.141.173.72 1234 80
Answer: C