CompTIA CS0-001 問題集

質問 1：
A company website has been compromised. A security analyst reviews the latest SIEM report to attempt to discover how the attack occurred. The SIEM contains the following entries:

Given the above logs, which of the following MOST likely occurred, causing the compromise? (Select TWO).
A. The attacker utilized a list of the most common content management systems to discover If the server was running one.
B. The attacker tried several directory traversal attacks to see if any were susceptible to the more common vulnerabilities.
C. The attacker used a focused set of the most common account names to attempt to gain access to the website.
D. The attacker avoided tripping any alerts by staying under the default alert threshold counts with each attack attempt.
E. The attacker enumerated the list of authors who post on the website and attempted to log in as each of them.
正解：A,C

質問 2：
A security analyst receives a mobile device with symptoms of a virus infection. The virus is morphing whenever it is from sandbox to sandbox to analyze. Which of the following will help to identify the number of variations through the analysis life cycle?
A. Log viewers
B. Journaling
C. OS and process analysis
D. Hashing utilities
正解：C

質問 3：
An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive?
A. The scan result version is different from the automated asset inventory.
B. Reports indicate that findings are informational.
C. Any items labeled 'low' are considered informational only.
D. 'HTTPS' entries indicate the web page is encrypted securely.
正解：C

質問 4：
A security analyst performs various types of vulnerability scans.
Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.
Instructions:
Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.
Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.
The Linux Web Server, File-Print Server and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

正解：


質問 5：
A threat intelligence analyst who works for a financial services firm received this report:
"There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector." The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO).
A. Advise the firewall engineer to implement a block on the domain
B. Produce a threat intelligence message to be disseminated to the company
C. Advise the security architects to enable full-disk encryption to protect the MBR
D. Advise the security analysts to add an alert in the SIEM on the string "LockMaster"
E. Visit the domain and begin a threat assessment
F. Format the MBR as a precaution
正解：C,E

質問 6：
A security analyst has noticed an alert from the SIEM. A workstation is repeatedly trying to connect to port 445 of a file server on the production network. All of the attempts are made with invalid credentials. Which of the following describes what is occurring?
A. An attacker has gained control of the workstation and is port scanning the network.
B. An attacker has gained control of the workstation and is attempting to pivot to the file server by creating an SMB session.
C. Malware has infected the workstation and is beaconing out to the specific IP address of the file server.
D. The file server is attempting to transfer malware to the workstation via SMB.
正解：B

質問 7：
During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take?
A. Perform a physical hard disk image.
B. Initiate chain-of-custody documentation.
C. Unplug the network cable and take screenshots of the desktop.
D. Power off the computer and remove it from the network.
正解：D