Shawn needs to boot a system in order to remediate it. The system was compromised
by an attack and had a malicious program installed by creating a RunOnce key in the
registry. What can Shawn do to boot the computer and prevent the RunOnce from
executing the malicious program listed in the registry key?
A.Disable the registry at boot
B.Boot with Safe Mode
C.Boot with the -RunOnce flag
D.RunOnce cannot be disabled, so she will need to boot from external media to
disable it first - ✔️✔️B.Boot with Safe Mode
Explanation
OBJ-3: When Windows boots in Safe Mode, the Run and RunOnce keys are ignored, so the
malicious program is not launched and Shawn can remove the entry before rebooting normally.
Autorun entries in the registry are a favored persistence location because the average
user never sees them. Modern Windows has two families of autorun keys, present under both
HKLM and HKCU: Run, whose values are executed at every logon, and RunOnce, whose values
are deleted before they are executed so that they run a single time (if several programs
are registered under one key, the order in which they run is not guaranteed). By default
both keys are skipped when the computer starts in Safe Mode. Two prefixes on a RunOnce
value name change this behavior: an asterisk (*) forces the entry to run even in Safe
Mode, and an exclamation mark (!) defers deletion of the value until after the command
has run. A practitioner should therefore inspect the value names as well as the command
lines: an entry whose name begins with * will still fire in Safe Mode and must be deleted
(or the disk examined from external media) rather than relying on Safe Mode alone.
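The following PowerShell is an added example and not part of the original question bank. It enumerates the Run and RunOnce values for the machine, the 32-bit (WOW6432Node) view and the current user, and flags value names carrying the * or ! prefix described above so that Safe-Mode-resistant entries stand out. Run it elevated; the key paths are standard, and the warning/removal step at the end is illustrative.

```powershell
# Added example (not from the original page): enumerate Run/RunOnce values for the machine and
# the current user and flag those whose name prefix changes the default behaviour.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($Key in $AutorunKeys) {
        if (-not (Test-Path -Path $Key)) { continue }
        $props = Get-ItemProperty -Path $Key
        # Get-ItemProperty adds PS* metadata properties; everything else is a registry value
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                [pscustomobject]@{
                    Key            = $Key
                    ValueName      = $_.Name
                    CommandLine    = $_.Value
                    # '*' prefix: the RunOnce entry still fires in Safe Mode
                    RunsInSafeMode = $_.Name.StartsWith('*')
                    # '!' prefix: the value is deleted after the command runs instead of before
                    DeleteAfterRun = $_.Name.StartsWith('!')
                }
            }
    }
}

$entries = Get-AutorunEntry
$entries | Format-Table Key, ValueName, RunsInSafeMode, CommandLine -AutoSize

# Entries that Safe Mode will NOT suppress have to be removed by hand (or from external media).
foreach ($e in ($entries | Where-Object RunsInSafeMode)) {
    Write-Warning "Safe-Mode-forced autorun: $($e.Key)\$($e.ValueName) -> $($e.CommandLine)"
    # -Name accepts wildcards, so a name beginning with '*' must be escaped before removal.
    # Uncomment once the value has been confirmed malicious and recorded for the case file:
    # Remove-ItemProperty -Path $e.Key -Name ([System.Management.Automation.WildcardPattern]::Escape($e.ValueName))
}
```

If the machine cannot be interrupted at the boot menu, `bcdedit /set {current} safeboot minimal` forces the next boot into Safe Mode; remove the setting afterwards with `bcdedit /deletevalue {current} safeboot`. Note that the script lists the two classic key families only; other autostart locations (services, scheduled tasks, the Winlogon keys) need their own check.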
Taylor needs to sanitize hard drives from some leased workstations that are being
returned to a supplier at the end of the lease period. The workstations' hard drives
contained sensitive corporate data. Which is the most appropriate choice to ensure that
data exposure doesn't occur during this process?
A.Clear, validate, and document the sanitization of the drives
B.Clear the drives
C.Purge, validate, and document the sanitization of the drives
D.The drives must be destroyed to ensure no data loss - ✔️✔️C.Purge, validate, and
document the sanitization of the drives
Explanation
OBJ-3: Purging the drives, validating that the purge was effective, and documenting the
sanitization is the best response. Purging covers methods that make the information
infeasible to recover even with laboratory techniques. For example, a cryptographic erase
(CE), which destroys the key of a self-encrypting drive so the stored ciphertext can no
longer be decrypted, purges the data without damaging the drive. Clearing (overwriting
the addressable storage with a fixed pattern) leaves open the possibility that specialist
tools could recover data, for instance from remapped or over-provisioned areas of a solid
state drive. Since the scenario indicates that these were leased drives that must be
returned at the end of the lease, they cannot be destroyed. Validation (reading back a
sample of the media) and a written record of the method, drive serial number, operator
and result are what turn the purge into evidence that can be shown to an auditor.
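The "validate and document" half of the answer is rarely shown, so here is an added PowerShell example (not from the original page) of the post-purge check. It samples randomly chosen, sector-aligned blocks from the media and classifies each as all-zero, random-looking (high byte entropy, what a cryptographically erased drive reads back) or structured (low entropy, a sign that recognizable data survived), then emits a sanitization record. The device path, disk number, serial number and operator in the usage lines are assumptions; the demo image it builds in `$env:TEMP` is constructed data. Sampling only reads addressable LBAs, so it confirms the purge command took effect but does not replace using a NIST SP 800-88 recognized purge method in the first place.

```powershell
# Added example (not from the original page): sample sanitized media and write a record.
function Get-ByteEntropy {
    param([byte[]] $Bytes)
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) }
    }
    return $h    # 0 for a block of one repeated byte, close to 8 for random data
}

function Test-SanitizedMedia {
    param(
        [Parameter(Mandatory)] [string] $DevicePath,   # '\\.\PhysicalDrive1' (elevated) or a disk image
        [Parameter(Mandatory)] [ValidateSet('Clear', 'Purge')] [string] $Method,
        [long] $SizeBytes = 0,        # raw devices do not report Length: pass (Get-Disk -Number N).Size
        [int]  $SampleCount = 256,
        [int]  $BlockSize = 4096
    )
    $fs = [System.IO.FileStream]::new($DevicePath, [System.IO.FileMode]::Open,
                                      [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        if ($SizeBytes -le 0) { $SizeBytes = $fs.Length }
        $totalBlocks = [long][math]::Floor($SizeBytes / $BlockSize)
        $buf = New-Object byte[] $BlockSize
        $zeroBlocks = 0; $structuredBlocks = 0
        for ($i = 0; $i -lt $SampleCount; $i++) {
            # block-aligned offset so the read is legal on a raw device
            $offset = (Get-Random -Minimum 0 -Maximum $totalBlocks) * $BlockSize
            $fs.Seek($offset, [System.IO.SeekOrigin]::Begin) | Out-Null
            if ($fs.Read($buf, 0, $BlockSize) -lt $BlockSize) { throw "Short read at offset $offset" }
            $h = Get-ByteEntropy $buf
            if ($h -eq 0 -and $buf[0] -eq 0) { $zeroBlocks++ }          # overwritten with zeros
            elseif ($h -lt 7.5)               { $structuredBlocks++ }    # recognizable data survived?
        }
    } finally { $fs.Dispose() }

    $validated = switch ($Method) {
        'Clear' { $zeroBlocks -eq $SampleCount }   # every sampled block must be the overwrite pattern
        'Purge' { $structuredBlocks -eq 0 }        # ciphertext (or deallocated zeros) only
    }
    [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('o')
        Device           = $DevicePath
        Method           = $Method
        SamplesRead      = $SampleCount
        ZeroBlocks       = $zeroBlocks
        StructuredBlocks = $structuredBlocks
        Validated        = $validated
    }
}

# Offline demo on a constructed 4 MiB all-zero image, which stands in for a cleared drive.
$img = Join-Path $env:TEMP 'cleared-demo.img'
[System.IO.File]::WriteAllBytes($img, (New-Object byte[] (4MB)))
Test-SanitizedMedia -DevicePath $img -Method Clear -SampleCount 64 | Format-List

# Real drive after a cryptographic erase (disk number, serial and operator are assumptions):
# $disk   = Get-Disk -Number 1
# $record = Test-SanitizedMedia -DevicePath '\\.\PhysicalDrive1' -Method Purge -SizeBytes $disk.Size
# $record | Add-Member -NotePropertyName Serial   -NotePropertyValue $disk.SerialNumber
# $record | Add-Member -NotePropertyName Operator -NotePropertyValue 'Taylor'
# $record | ConvertTo-Json | Out-File "sanitization-$($disk.SerialNumber).json"
```

The JSON record is the documentation piece: keep it with the lease return paperwork. A Purge run that reports structured blocks means the erase did not take effect on that drive and it must not leave the building.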
During which incident response phase is the preservation of evidence performed?
A.Preparation
B.Detection and analysis
C.Containment, eradication, and recovery
D.Post-incident activity - ✔️✔️C.Containment, eradication, and recovery
Explanation
OBJ-3: A cybersecurity analyst must preserve evidence during the containment,
eradication, and recovery phase. Forensic and incident information is preserved for
future needs: to prevent repeat attacks, to support insurance or regulatory obligations,
or to bring criminal charges against an attacker. Business operations staff often
prioritize restoration and recovery over analysis, but taking the time to create a
forensic image before systems are rebuilt is crucial, because eradication and recovery
destroy the volatile and on-disk evidence needed for further investigation.
A.During the preparation phase, the incident response team conducts training, prepares
their incident response kits, and researches threats and intelligence.
B.During the detection and analysis phase, an organization focuses on monitoring and
detecting any possible malicious events or attacks.
D.During the post-incident activity phase, the organization conducts after-action reports,
creates lessons learned, and conducts follow-up actions to better prevent another
incident from occurring.
Where should a forensic analyst search to find a list of the wireless networks that a
company-owned laptop has previously connected to?
A.Search the registry for a complete list
B.Search the user's profile directory for the list
C.Search the wireless adapter cache for the list
D.A list of the previously connected wireless networks is not stored on the laptop -
✔️✔️A.Search the registry for a complete list
Explanation
OBJ-3: The Windows registry keeps a list of the networks that a system has previously
connected to. The entries are stored as subkeys under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, one per network
profile, with values such as ProfileName (the SSID for a wireless network), Description,
NameType, DateCreated and DateLastConnected. The list lives in HKEY_LOCAL_MACHINE rather
than in a user hive because it records every network the machine has joined, for all
users, not just the currently logged-in one.
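The following PowerShell is an added example, not material from the original page, showing how an analyst reads that key in practice. It walks the Profiles subkeys, decodes the REG_BINARY DateCreated/DateLastConnected values (a 16-byte little-endian SYSTEMTIME) into dates, and can filter to wireless profiles. The NameType value 71 for wireless (6 wired, 23 VPN) and the SYSTEMTIME layout are taken from common forensic references rather than from this page, and the `HKLM\Evidence` mount point for an offline hive is an assumption.

```powershell
# Added example (not from the original page): enumerate NetworkList profiles and decode their
# SYSTEMTIME timestamps. NameType meanings follow common forensic references.
function ConvertFrom-SystemTime {
    param([byte[]] $Bytes)   # REG_BINARY, 16-byte little-endian SYSTEMTIME
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $year  = [BitConverter]::ToUInt16($Bytes, 0)
    $month = [BitConverter]::ToUInt16($Bytes, 2)
    # offset 4 is day-of-week and is not needed to rebuild the date
    $day   = [BitConverter]::ToUInt16($Bytes, 6)
    $hour  = [BitConverter]::ToUInt16($Bytes, 8)
    $min   = [BitConverter]::ToUInt16($Bytes, 10)
    $sec   = [BitConverter]::ToUInt16($Bytes, 12)
    try { [datetime]::new($year, $month, $day, $hour, $min, $sec) } catch { $null }
}

function Get-NetworkProfileHistory {
    param(
        # Default reads the live hive. For an offline SOFTWARE hive from an image, first run
        #   reg load HKLM\Evidence C:\case\SOFTWARE
        # and pass -HiveRoot 'HKLM:\Evidence' (mount point is an assumption for this example).
        [string] $HiveRoot = 'HKLM:\SOFTWARE',
        [switch] $WirelessOnly
    )
    $profiles = Join-Path $HiveRoot 'Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
    Get-ChildItem -Path $profiles | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ProfileGuid       = $_.PSChildName
            ProfileName       = $p.ProfileName     # the SSID for a wireless profile
            Description       = $p.Description
            NameType          = $p.NameType         # 71 = wireless, 6 = wired, 23 = VPN
            DateCreated       = ConvertFrom-SystemTime $p.DateCreated
            DateLastConnected = ConvertFrom-SystemTime $p.DateLastConnected
        }
    } | Where-Object { -not $WirelessOnly -or $_.NameType -eq 71 } |
        Sort-Object DateLastConnected -Descending
}

Get-NetworkProfileHistory -WirelessOnly |
    Format-Table ProfileName, DateCreated, DateLastConnected -AutoSize
```

Cross-check the result against `netsh wlan show profiles`, which lists the saved WLAN profile XML files kept by the wireless service; a user can delete a saved profile there without touching the NetworkList entry, so a network present in the registry but absent from netsh is itself worth noting in the report.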
You suspect that a service called explorer.exe on a Windows server is malicious and
you need to terminate it. Which of the following tools would NOT be able to terminate it?
A.sc
B.wmic
C.secpol.msc
D.services.msc - ✔️✔️C.secpol.msc
Explanation
OBJ-3.1: The Local Security Policy console (secpol.msc) lets an authorized administrator
change a great deal about the operating system's security settings, but it cannot stop a
process or service that is already running. Note also that explorer.exe is normally the
Windows shell process, not a service; a service registered under that name is itself a
masquerading indicator, so record its binary path and process ID before stopping it.
A.The sc.exe command controls services, including stopping them, for example
sc stop <ServiceName>.
B.Windows Management Instrumentation can stop a service from the command line with
wmic service <ServiceName> call StopService (the wmic utility is deprecated in current
Windows releases; Invoke-CimMethod or Stop-Service in PowerShell perform the same call).
D.The services.msc console can also be used to enable, start, or stop a running
service.
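As an added example (not part of the original question bank), the PowerShell below performs the stop the question describes the way an analyst would during containment: it records the service's binary path and PID first, invokes the same WMI StopService method that the wmic command calls, waits for the service to report Stopped, and terminates the host process directly if the service ignores the stop control. The service name passed at the end is the one from the question; the timeout and the optional disable step are choices made for this example.

```powershell
# Added example (not from the original page): stop a suspicious service and fall back to
# killing its process. Run elevated.
function Stop-SuspiciousService {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [int] $TimeoutSeconds = 15,
        [switch] $Disable
    )
    # WQL escapes single quotes with a backslash; do not build the filter from unescaped input
    $filter = "Name='" + $Name.Replace("'", "\'") + "'"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if (-not $svc) { throw "No service named '$Name' is registered" }

    # Capture the facts the incident record needs before anything changes
    $before = [pscustomobject]@{
        Name = $svc.Name; DisplayName = $svc.DisplayName; State = $svc.State
        StartMode = $svc.StartMode; PathName = $svc.PathName; ProcessId = $svc.ProcessId
    }

    if ($svc.State -eq 'Running') {
        # Same WMI method that "wmic service <name> call StopService" invokes
        $rc = (Invoke-CimMethod -InputObject $svc -MethodName StopService).ReturnValue
        if ($rc -ne 0) { Write-Warning "StopService returned $rc (0 = success)" }

        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline -and (Get-Service -Name $Name).Status -ne 'Stopped') {
            Start-Sleep -Milliseconds 500
        }
        # A service that ignores SERVICE_CONTROL_STOP still has a host process: terminate it directly
        if ($before.ProcessId -gt 0 -and (Get-Process -Id $before.ProcessId -ErrorAction SilentlyContinue)) {
            Stop-Process -Id $before.ProcessId -Force
        }
    }

    if ($Disable) {
        # sc.exe syntax requires the space after "start="
        & sc.exe config $Name start= disabled | Out-Null
    }

    [pscustomobject]@{
        Before = $before
        After  = Get-Service -Name $Name | Select-Object Name, Status, StartType
    }
}

Stop-SuspiciousService -Name 'explorer.exe' -Disable
```

Disabling the service rather than deleting it keeps the registration (and its image path) available for the forensic image; delete it only after the evidence has been captured.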
An e-commerce website for a clothing store was recently compromised by an attacker.
Which of the following methods did the attacker use if they harvested an account's
cached credentials when the user logged into an SSO system?
A.Pass the hash
B.Lateral movement
C.Pivoting
D.Golden ticket - ✔️✔️A.Pass the hash
Explanation