312-39 : Certified SOC Analyst : Part 04

Robin, a SOC engineer in a multinational company, is planning to implement a SIEM. He realized that his organization is capable of performing only Correlation, Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM implementation and has to take collection and aggregation services from a Managed Security Services Provider (MSSP).

What kind of SIEM is Robin planning to implement?
- Self-hosted, Self-Managed
- Self-hosted, MSSP Managed
- Hybrid Model, Jointly Managed
- Cloud, Self-Managed
What type of event is recorded when an application driver loads successfully in Windows?
- Error
- Success Audit
- Warning
- Information
An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.

Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12&debit=10

Identify the attack depicted in the above scenario.
- Denial-of-Service Attack
- SQL Injection Attack
- Parameter Tampering Attack
- Session Fixation Attack
John, a threat analyst at GreenTech Solutions, wants to gather information about specific threats against the organization. He started collecting information from various sources, such as humans, social media, chat room, and so on, and created a report that contains malicious activity.

Which of the following types of threat intelligence did he use?
- Strategic Threat Intelligence
- Technical Threat Intelligence
- Tactical Threat Intelligence
- Operational Threat Intelligence
Which of the following is a default directory in a Mac OS X that stores security-related logs?
- /private/var/log
- /Library/Logs/Sync
- /var/log/cups/access_log
- ~/Library/Logs
John, SOC analyst wants to monitor the attempt of process creation activities from any of their Windows endpoints.

Which of following Splunk query will help him to fetch related logs associated with process creation?
- index=windows LogName=Security EventCode=4678 NOT (Account_Name=*$) .. .. … ..
- index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) .. .. ..
- index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$) .. .. ..
- index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$) … … …
Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.

Where will Harley find the web server logs, if he wants to investigate them for any anomalies?
- SystemDrive%\inetpub\logs\LogFiles\W3SVCN
- SystemDrive%\LogFiles\inetpub\logs\W3SVCN
- %SystemDrive%\LogFiles\logs\W3SVCN
- SystemDrive%\ inetpub\LogFiles\logs\W3SVCN
What does the Security Log Event ID 4624 of Windows 10 indicate?
- Service added to the endpoint
- A share was assessed
- An account was successfully logged on
- New process executed
Which of the following is a set of standard guidelines for ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection?
- FISMA
- HIPAA
- PCI-DSS
- DARPA
What does the HTTP status codes 1XX represents?
- Informational message
- Client error
- Success
- Redirection
In which phase of Lockheed Martin’s – Cyber Kill Chain Methodology, adversary creates a deliverable malicious payload using an exploit and a backdoor?
- Reconnaissance
- Delivery
- Weaponization
- Exploitation
Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.
- DoS Attack
- Man-In-Middle Attack
- Ransomware Attack
- Reconnaissance Attack
What does [-n] in the following checkpoint firewall log syntax represents?

fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [-g] [logfile]
- Speed up the process by not performing IP addresses DNS resolution in the Log files
- Display both the date and the time for each log record
- Display account log records only
- Display detailed log chains (all the log segments a log record consists of)
Which of the following attack inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?
- DHCP Starvation Attacks
- DHCP Spoofing Attack
- DHCP Port Stealing
- DHCP Cache Poisoning
Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he has performed incident analysis and validation to check whether the incident is a true incident or a false positive.

Identify the stage in which he is currently in.
- Post-Incident Activities
- Incident Recording and Assignment
- Incident Triage
- Incident Disclosure
Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?
- Containment –> Incident Recording –> Incident Triage –> Preparation –> Recovery –> Eradication –> Post-Incident Activities
- Preparation –> Incident Recording –> Incident Triage –> Containment –> Eradication –> Recovery –> Post-Incident Activities
- Incident Triage –> Eradication –> Containment –> Incident Recording –> Preparation –> Recovery –> Post-Incident Activities
- Incident Recording –> Preparation –> Containment –> Incident Triage –> Recovery –> Eradication –> Post-Incident Activities
Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure below.

312-39 Part04 Q17 003

What does this event log indicate?
- Directory Traversal Attack
- XSS Attack
- SQL Injection Attack
- Parameter Tampering Attack
Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company and wanted to check the logs that are generated by access control list numbered 210.

What filter should Peter add to the ‘show logging’ command to get the required output?
- show logging | access 210
- show logging | forward 210
- show logging | include 210
- show logging | route 210
Identify the attack in which the attacker exploits a target system through publicly known but still unpatched vulnerabilities.
- Slow DoS Attack
- DHCP Starvation
- Zero-Day Attack
- DNS Poisoning Attack
In which log collection mechanism, the system or application sends log records either on the local disk or over the network.
- rule-based
- pull-based
- push-based
- signature-based

312-39 : Certified SOC Analyst : Part 04

What kind of SIEM is Robin planning to implement?

What type of event is recorded when an application driver loads successfully in Windows?

An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.

Identify the attack depicted in the above scenario.

John, a threat analyst at GreenTech Solutions, wants to gather information about specific threats against the organization. He started collecting information from various sources, such as humans, social media, chat room, and so on, and created a report that contains malicious activity.

Which of the following types of threat intelligence did he use?

Which of the following is a default directory in a Mac OS X that stores security-related logs?

John, SOC analyst wants to monitor the attempt of process creation activities from any of their Windows endpoints.

Which of following Splunk query will help him to fetch related logs associated with process creation?

Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.

Where will Harley find the web server logs, if he wants to investigate them for any anomalies?

What does the Security Log Event ID 4624 of Windows 10 indicate?

Which of the following is a set of standard guidelines for ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection?

What does the HTTP status codes 1XX represents?

In which phase of Lockheed Martin’s – Cyber Kill Chain Methodology, adversary creates a deliverable malicious payload using an exploit and a backdoor?

Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.

What does [-n] in the following checkpoint firewall log syntax represents?

fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [-g] [logfile]

Which of the following attack inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?

Identify the stage in which he is currently in.

Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?

Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure below.

What does this event log indicate?

Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company and wanted to check the logs that are generated by access control list numbered 210.

What filter should Peter add to the ‘show logging’ command to get the required output?

Identify the attack in which the attacker exploits a target system through publicly known but still unpatched vulnerabilities.

In which log collection mechanism, the system or application sends log records either on the local disk or over the network.