
Question # 4

An analyst is examining the logs for a web application’s login form. They see thousands of failed logon attempts using various usernames and passwords. Internet research indicates that these credentials may have been compiled by combining account information from several recent data breaches.

Which type of attack would this be an example of?

A.

Credential sniffing

B.

Password cracking

C.

Password spraying

D.

Credential stuffing
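The attack types named in the options leave different shapes in a login log, and an analyst can separate them mechanically. The following is an added example, not part of the original question: it groups failed logins by source address and labels each source by how attempts are spread across accounts and how many of the targeted usernames do not exist locally. The log format, field names, threshold values and the heuristic itself are assumptions made for the example; the sample lines are constructed.

```python
"""Label bursts of failed logins by their shape (added example, heuristic).

Assumed log format (constructed, not a real product's schema):
    <ts> src=<ip> user=<name> result=bad_password|unknown_user|success
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>bad_password|unknown_user|success)$"
)


def parse(log_text):
    """Parse the constructed log format; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_source(events, min_attempts=5, unknown_ratio_cutoff=0.3):
    """Heuristic label for one source's failed logins.

    - one account (or one account taking most attempts)  -> single-account guessing
    - many accounts, large share of usernames unknown here -> breach-list replay
      (a combo list compiled elsewhere contains accounts this app never had)
    - many accounts, all valid, few tries each             -> one-password-many-users
    Thresholds are assumptions for the example, not measured values.
    """
    fails = [e for e in events if e["result"] != "success"]
    if len(fails) < min_attempts:
        return "benign_or_insufficient"
    per_user = Counter(e["user"] for e in fails)
    unknown = sum(1 for e in fails if e["result"] == "unknown_user")
    if len(per_user) == 1 or max(per_user.values()) >= 0.5 * len(fails):
        return "brute_force_single_account"
    if unknown / len(fails) >= unknown_ratio_cutoff:
        return "credential_stuffing"
    return "password_spraying"


def classify_log(log_text):
    """Return {source_ip: label} for every source seen in the log."""
    by_src = defaultdict(list)
    for e in parse(log_text):
        by_src[e["src"]].append(e)
    return {src: classify_source(evs) for src, evs in by_src.items()}


def _constructed_sample():
    """Three sources, one per pattern; addresses are RFC 5737 documentation ranges."""
    lines = []
    for i in range(20):  # distinct users, half of them unknown to this app
        res = "unknown_user" if i % 2 else "bad_password"
        lines.append(f"2024-05-01T10:00:{i:02d} src=203.0.113.5 user=u{i}@example.com result={res}")
    for i in range(20):  # distinct valid users, one attempt each
        lines.append(f"2024-05-01T10:05:{i:02d} src=198.51.100.7 user=emp{i} result=bad_password")
    for i in range(20):  # one account hammered repeatedly
        lines.append(f"2024-05-01T10:10:{i:02d} src=192.0.2.9 user=admin result=bad_password")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
```

The unknown-username ratio is the useful discriminator: a list assembled from other sites' breaches names accounts this application never had, while a spray against enumerated accounts produces almost exclusively bad-password failures. Any real deployment would tune the thresholds against its own baseline and add a time dimension (sprays are usually slow to stay under lockout thresholds).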

Question # 5

Which of the following is a correct Splunk search that will return results in the most performant way?

A.

index=foo host=i-478619733 | stats range(_time) as duration by src_ip | bin duration span=5min | stats count by duration, host

B.

| stats range(_time) as duration by src_ip | index=foo host=i-478619733 | bin duration span=5min | stats count by duration, host

C.

index=foo host=i-478619733 | transaction src_ip |stats count by host

D.

index=foo | transaction src_ip |stats count by host | search host=i-478619733

Question # 6

Which search command allows an analyst to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers such as periods or underscores?

A.

CASE()

B.

LIKE()

C.

FORMAT ()

D.

TERM ()

Question # 7

What is the following step-by-step description an example of?

1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.

2. The attacker creates a unique email with the malicious document based on extensive research about their target.

3. When the victim opens this document, a C2 channel is established to the attacker’s temporary infrastructure on a compromised website.

A.

Tactic

B.

Policy

C.

Procedure

D.

Technique

Question # 8

While testing the dynamic removal of credit card numbers, an analyst lands on using the rex command. What does mode need to be set to in order to replace the defined values with X?

| makeresults

| eval ccnumber="511388720478619733"

| rex field=ccnumber mode=??? "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

Please assume that the above rex command is correctly written.

A.

sed

B.

replace

C.

mask

D.

substitute
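The substitution in the question masks whatever a fixed pattern matches. The following is an added example, not part of the original question, showing the same idea carried a step further in Python: digit runs of card length are found with or without separators, optionally gated by the Luhn check so that order numbers and timestamps of similar length are left alone, and every digit except the last four is replaced with X while separators are preserved. The regular expression, the Luhn gate and the sample strings are assumptions made for the example; the value 511388720478619733 from the question is reused and, as the example shows, does not pass the Luhn check, so a Luhn gate would skip it.

```python
"""Mask card numbers in free text (added example, not the page's rex command)."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes; the
# lookarounds stop the match from starting or ending inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(text, keep_last=4, require_luhn=True):
    """Replace all but the last keep_last digits of each card-like run with X.

    require_luhn=True reduces false positives on other long digit runs at the
    cost of missing numbers that are not Luhn-valid (test data, typos).
    """
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if require_luhn and not luhn_ok(digits):
            return raw
        cutoff = len(digits) - keep_last
        out, seen = [], 0
        for ch in raw:
            if ch.isdigit():
                seen += 1
                out.append("X" if seen <= cutoff else ch)
            else:
                out.append(ch)  # keep the original separator layout
        return "".join(out)

    return CARD_RE.sub(repl, text)


# Constructed sample line; 4111111111111111 and 5500000000000004 are the usual
# Luhn-valid test numbers, 20240501123456 is a timestamp-shaped decoy.
SAMPLE = "pan=4111-1111-1111-1111 alt=5500 0000 0000 0004 order=20240501123456"

if __name__ == "__main__":
    print(mask_cards(SAMPLE))
    print(mask_cards("ccnumber=511388720478619733"))                    # unchanged: fails Luhn
    print(mask_cards("ccnumber=511388720478619733", require_luhn=False))  # masked
```

When porting this back to a search-time substitution, the trade-off is the same: a pattern anchored to one exact layout (groups of four with dashes) misses the same number written without separators, and a pattern loose enough to catch every layout needs a validity check behind it to avoid masking unrelated identifiers.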

Question # 9

When searching in Splunk, which of the following SPL commands can be used to run a subsearch across every field in a wildcard field list?

A.

foreach

B.

rex

C.

makeresults

D.

transaction

Question # 10

A successful Continuous Monitoring initiative involves the entire organization. When an analyst discovers the need for more context or additional information, perhaps from additional data sources or altered correlation rules, to what role would this request generally escalate?

A.

SOC Manager

B.

Security Analyst

C.

Security Engineer

D.

Security Architect

Question # 11

Which of the following data sources can be used to discover unusual communication within an organization’s network?

A.

EDS

B.

NetFlow

C.

Email

D.

IAM

Question # 12

According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?

A.

username

B.

src_user_id

C.

src_user

D.

dest_user

Question # 13

There are many resources for assisting with SPL and configuration questions. Which of the following resources feature community-sourced answers?

A.

Splunk Answers

B.

Splunk Lantern

C.

Splunk Guidebook

D.

Splunk Documentation

Question # 14

Which of the following is a best practice for searching in Splunk?

A.

Streaming commands run before aggregating commands in the Search pipeline.

B.

Raw word searches should contain multiple wildcards to ensure all edge cases are covered.

C.

Limit fields returned from the search utilizing the table command.

D.

Searching over All Time ensures that all relevant data is returned.

Question # 15

During their shift, an analyst receives an alert about an executable being run from C:\Windows\Temp. Why should this be investigated further?

A.

Temp directories aren't owned by any particular user, making it difficult to track the process owner when files are executed.

B.

Temp directories are flagged as non-executable, meaning that no files stored within can be executed, and this executable was run from that directory.

C.

Temp directories contain the system page file and the virtual memory file, meaning the attacker can use their malware to read the in memory values of running programs.

D.

Temp directories are world writable thus allowing attackers a place to drop, stage, and execute malware on a system without needing to worry about file permissions.
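Whatever the reason given, an alert like the one in the question depends on matching the image path reliably, and attackers and tooling vary the spelling of a path (forward slashes, mixed case, `..` segments, quoted paths). The following is an added example, not part of the original question: a check over constructed process-creation events that normalizes the image path before testing whether it sits under a directory that unprivileged users can write to. The directory list, the event format and the sample events are assumptions made for the example.

```python
"""Flag process images launched from user-writable directories (added example)."""
import ntpath
import re

# Directories any interactive user can write to on a default Windows install.
# Assumed list for the example; a real rule would be tuned per environment.
WRITABLE_DIRS = [
    r"C:\Windows\Temp",
    r"C:\Users\Public",
    r"C:\ProgramData",
    r"C:\Temp",
]

# Per-user temp lives under a username, so match it with a pattern instead.
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\")


def normalize(path):
    """Canonical lower-case backslash form so that one string compare suffices.

    Handles quotes, forward slashes and '..' segments; ntpath is pure Python,
    so this works on any platform. Does not resolve 8.3 short names or %TEMP%.
    """
    p = path.strip().strip('"').replace("/", "\\")
    return ntpath.normpath(p).lower()


def in_writable_dir(image_path, writable=WRITABLE_DIRS):
    """True if image_path is inside (not merely prefixed by) a writable directory."""
    p = normalize(image_path)
    for d in writable:
        nd = normalize(d)
        # The trailing separator stops C:\Windows\Temporary.exe from matching C:\Windows\Temp.
        if p == nd or p.startswith(nd + "\\"):
            return True
    return bool(USER_TEMP_RE.match(p))


EVENT_RE = re.compile(r"Image=(?P<image>\"[^\"]+\"|\S+)\s+User=(?P<user>\S+)")


def flag_process_events(lines):
    """Return (image, user) for each constructed 'Image=... User=...' event that fires."""
    flagged = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m and in_writable_dir(m.group("image")):
            flagged.append((normalize(m.group("image")), m.group("user")))
    return flagged


# Constructed events; the field layout is an assumption, not a product's schema.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\Temp\svchost.exe User=CORP\bob',
    r'Image=c:/windows/temp/../temp/update.exe User=CORP\bob',
    r'Image="C:\Users\bob\AppData\Local\Temp\7z.exe" User=CORP\bob',
    r'Image=C:\Windows\System32\svchost.exe User=NT AUTHORITY\SYSTEM',
    r'Image=C:\Windows\Temporary.exe User=CORP\alice',
]

if __name__ == "__main__":
    for image, user in flag_process_events(SAMPLE_EVENTS):
        print(f"FLAG {user}: {image}")
```

Note the second sample event: without normalization a prefix match on `C:\Windows\Temp` would miss it, and a match that forgot the trailing separator would fire on the last event, which is not in the temp directory at all.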

Question # 16

Which of the following is a tactic used by attackers, rather than a technique?

A.

Gathering information about a target.

B.

Establishing persistence with a scheduled task.

C.

Using a phishing email to gain initial access.

D.

Escalating privileges via UAC bypass.

Question # 17

An analysis of an organization’s security posture determined that a particular asset is at risk and a new process or solution should be implemented to protect it. Typically, who would be in charge of implementing the new process or solution that was selected?

A.

Security Architect

B.

SOC Manager

C.

Security Engineer

D.

Security Analyst

Question # 18

The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?

A.

Act on Objectives

B.

Exploitation

C.

Delivery

D.

Installation

Question # 19

An analyst needs to create a new field at search time. Which Splunk command will dynamically extract additional fields as part of a Search pipeline?

A.

rex

B.

fields

C.

regex

D.

eval
