| Exam Code | 300-215 |
| Exam Name | Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) |
| Questions | 59 Questions Answers With Explanation |
| Update Date | March 05,2024 |
| Price |
Was : |
Are you ready to take your career to the next level with Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)? At Prep4Certs, we're dedicated to helping you achieve your goals by providing high-quality 300-215 Dumps and resources for a wide range of certification exams.
At Prep4Certs, we're committed to your success in the Cisco 300-215 exam. Our comprehensive study materials and resources are designed to equip you with the knowledge and skills needed to ace the exam with confidence:
Start Your Certification Journey Today
Whether you're looking to advance your career, expand your skill set, or pursue new opportunities, Prep4Certs is here to support you on your certification journey. Explore our comprehensive study materials, take your exam preparation to the next level, and unlock new possibilities for professional growth and success.
Ready to achieve your certification goals? Begin your journey with Prep4Certs today!
An engineer is analyzing a ticket for an unexpected server shutdown and discovers that the web-server ran out of useable memory and crashed. Which data is needed for further investigation?
A. /var/log/access.log
B. /var/log/messages.log
C. /var/log/httpd/messages.log
D. /var/log/httpd/access.log
Which technique is used to evade detection from security products by executing arbitrary code in the address space of a separate live operation?
A. process injection
B. privilege escalation
C. GPO modification
D. token manipulation
Refer to the exhibit. An engineer is analyzing a TCP stream in a Wireshark after a suspicious email with a URL. What should be determined about the SMB traffic from this stream?
A. It is redirecting to a malicious phishing website,
B. It is exploiting redirect vulnerability
C. It is requesting authentication on the user site.
D. It is sharing access to files and printers.
Refer to the exhibit. What should an engineer determine from this Wireshark capture of suspicious network traffic?
A. There are signs of SYN flood attack, and the engineer should increase the backlog and
recycle the oldest half-open TCP connections.
B. There are signs of a malformed packet attack, and the engineer should limit the packet size and set a threshold of bytes as a countermeasure.
C. There are signs of a DNS attack, and the engineer should hide the BIND version and restrict zone transfers as a countermeasure.
D. There are signs of ARP spoofing, and the engineer should use Static ARP entries and IP address-to-MAC address mappings as a countermeasure.
A network host is infected with malware by an attacker who uses the host to make calls for files and shuttle traffic to bots. This attack went undetected and resulted in a significant loss. The organization wants to ensure this does not happen in the future and needs a security solution that will generate alerts when command and control communication from an infected device is detected. Which network security solution should be recommended?
A. Cisco Secure Firewall ASA
B. Cisco Secure Firewall Threat Defense (Firepower)
C. Cisco Secure Email Gateway (ESA)
D. Cisco Secure Web Appliance (WSA)
An employee receives an email from a “trusted” person containing a hyperlink that is malvertising. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan. Which event detail should be included in this root cause analysis?
A. phishing email sent to the victim
B. alarm raised by the SIEM
C. information from the email header
D. alert identified by the cybersecurity team
What are YARA rules based upon?
A. binary patterns
B. HTML code
C. network artifacts
D. IP addresses
Refer to the exhibit. Which two determinations should be made about the attack from the Apache access logs? (Choose two.)
A. The attacker used r57 exploit to elevate their privilege.
B. The attacker uploaded the word press file manager trojan.
C. The attacker performed a brute force attack against word press and used sql injection against the backend database.
D. The attacker used the word press file manager plugin to upoad r57.php.
E. The attacker logged on normally to word press admin page.
An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take?
A. Upload the file signature to threat intelligence tools to determine if the file is malicious.
B. Monitor processes as this a standard behavior of Word macro embedded documents.
C. Contain the threat for further analysis as this is an indication of suspicious activity.
D. Investigate the sender of the email and communicate with the employee to determine the motives.
Refer to the exhibit. An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hour prior. Which two indicators of compromise should be determined from this information? (Choose two.)
A. unauthorized system modification
B. privilege escalation
C. denial of service attack
D. compromised root access
E. malware outbreak
