New Release CS0-003 CompTIA CySA+ Questions

A new program has been set to execute on system start is the most likely cause of the suspicious activity that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a system and alerts the security analyst of any unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey, which is used to launch programs automatically when the system starts. The new registry key points to a file named “update.exe” in the Temp folder, which is likely a malicious executable disguised as a legitimate update file. Official References:

MITRE ATT&CK is a framework and knowledge base that describes the tactics, techniques, and procedures (TTPs) used by various adversaries in cyberattacks. MITRE ATT&CK can help security analysts compare TTPs between different known adversaries of an organization, as well as identify patterns, gaps, or trends in adversary behavior. MITRE ATT&CK can also help security analysts improve threat detection, analysis, and response capabilities, as well as share threat intelligence with other organizations or communities

A HTTP/404 error code means that the requested page or resource was not found on the web server. This could be caused by various reasons, such as incorrect URLs, moved or deleted pages, missing assets, or server misconfigurations123. The analyst should first identify the source of the requests and examine the related activity to determine if they are legitimate or malicious, and what actions need to be taken to resolve the issue. The other options are either premature or irrelevant without further investigation. References: 1: 404 Page Not Found Error: What It Is and How to Fix It 2: 404 Error Code: What Causes Them and How To Fix It 3: About 404 errors and how to Troubleshoot it?

To capture anomalous traffic from a compromised host, the best tools are tcpdump and Wireshark. Both tools are specifically designed for network traffic analysis. tcpdump is a command-line packet analyzer that allows capturing and displaying the packet headers on a network interface. It is efficient for quick and straightforward traffic capture. Wireshark, on the other hand, is a graphical packet analysis tool that provides detailed inspection of captured traffic, including protocol analysis and filtering capabilities. Both tools are widely used for network diagnostics and security investigations.