Cisco Certified CyberOps Associate Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
Your Learning Path
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty
Questions that test application of concepts in real-world scenarios
Scenario-Based
Practical situations requiring multi-concept understanding
Exam-Similar
Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced
Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for Cisco Certified CyberOps Associate
A security analyst sees a spike in HTTP requests from a single internal host to many external domains. The requests are evenly spaced and include random-looking subdomains (for example, a8f3.example.com, 9k1z.example.com). DNS logs show frequent TXT record lookups to the same domains. Which security concept best explains this activity pattern?
An organization is reviewing controls for a SOC environment. They want to reduce risk if a tier-1 analyst workstation is compromised, while still allowing analysts to pivot into tools (SIEM, EDR, ticketing) efficiently. Which approach best supports this goal?
A SOC receives an alert: multiple failed logins to a VPN account from various countries within a 10-minute window, followed by a successful login from one of those countries. Shortly after, there is a new OAuth authorization for a cloud email application. Which action best represents an effective next step in security monitoring triage?
You are tuning SIEM alerts for potential data exfiltration. NetFlow shows a workstation sending steady outbound traffic to a single external IP over TCP/443 outside business hours. DNS logs show the domain is newly registered. Proxy logs show a large number of POST requests with similar sizes. Which combination of data sources provides the strongest support for an exfiltration hypothesis?
A SIEM rule triggers on 'multiple authentication failures followed by success' for an administrator account. The analyst suspects password spraying. Which additional observation most strongly supports password spraying rather than a single user mistyping a password?
An analyst investigates a Windows host suspected of being compromised. They find a new scheduled task created to run a PowerShell command every 15 minutes. The command downloads content from a URL and executes it in memory. Which host-based artifact would be most useful to confirm persistence and identify what is being executed?
A Linux server begins making outbound connections to many random IPs on TCP/22. On the host, the analyst sees a new process 'kworker' running from /tmp and an increase in outbound connection attempts. Which action best helps validate whether the process is masquerading and identify its origin?
An IDS alerts on possible SMB lateral movement. Packet captures show a client initiating connections to multiple internal hosts on TCP/445, followed by repeated authentication attempts and then file operations. Which interpretation is most accurate for this network intrusion scenario?
A web application firewall (WAF) logs repeated requests to an API endpoint with payloads containing patterns like "' OR 1=1 --" and "UNION SELECT". Network telemetry also shows a spike in 500 errors from the application server. What is the most likely explanation and best immediate analytic focus?
During an incident, the SOC lead asks for evidence handling guidance. An analyst has collected a memory dump and relevant logs from a suspected compromised endpoint. Which procedure best aligns with good security policy and incident response practice?
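As an added example that is not part of the practice exam or its answer key, the following Python script shows the detection logic behind two of the scenarios above: the DNS tunnelling/beaconing pattern (random-looking subdomains, TXT lookups, evenly spaced requests) and password spraying as distinguished from a single user mistyping a password. It runs over constructed sample logs embedded inline; the IP addresses, usernames, domains and thresholds are assumptions chosen for illustration, not values from any real environment.

```python
"""Detection heuristics for two CyberOps scenarios, run over constructed sample logs.
Added example; thresholds, addresses, domains and usernames are assumptions."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2025, 1, 15, 2, 0, 0)  # constructed base timestamp (02:00, outside business hours)

# Constructed DNS log: (timestamp, client_ip, qname, qtype). Not real data.
_TUNNEL_LABELS = ["a8f3k2q9z7m1", "9k1zb4x7e2r5", "q3w7e1r8t5y2", "m4n8b2v6c1x9", "h7j3k9l1p5o2",
                  "z2x6c4v8b1n3", "d5f9g2h7j4k1", "t8y4u2i6o9p3", "r1e5w9q3a7s2", "l6k2j8h4g1f5"]
DNS_LOG = [(T0 + timedelta(seconds=60 * i), "10.0.0.5", f"{lbl}.example.com", "TXT")
           for i, lbl in enumerate(_TUNNEL_LABELS)]          # machine-regular, 60 s apart
DNS_LOG += [(T0 + timedelta(seconds=s), "10.0.0.7", q, "A")  # benign, bursty browsing
            for s, q in [(3, "www.example.org"), (17, "mail.example.org"), (19, "www.example.org"),
                         (95, "cdn.example.org"), (100, "www.example.org"), (260, "mail.example.org"),
                         (261, "www.example.org"), (400, "api.example.org"), (401, "www.example.org"),
                         (777, "cdn.example.org")]]

# Constructed VPN auth log: (timestamp, source_ip, username, result). Not real data.
AUTH_LOG = [(T0 + timedelta(seconds=30 * i), "203.0.113.10", u, "FAIL")  # one attempt per account
            for i, u in enumerate(["admin", "jsmith", "mjones", "svc_backup", "rlee",
                                   "agarcia", "tchen", "helpdesk", "kpatel", "dwilson"])]
AUTH_LOG.append((T0 + timedelta(seconds=330), "203.0.113.10", "admin", "SUCCESS"))
AUTH_LOG += [(T0 + timedelta(seconds=s), "10.0.0.12", "jdoe", r)        # one user, several typos
             for s, r in [(5, "FAIL"), (20, "FAIL"), (41, "FAIL"), (70, "FAIL"), (88, "SUCCESS")]]


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    """Naive 'last two labels'; production code should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def interval_cv(timestamps) -> float:
    """Coefficient of variation of inter-arrival times; near 0 means beacon-like regularity."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return float("inf")
    return pstdev(gaps) / mean(gaps)


def dns_tunnel_candidates(log, min_queries=8, min_entropy=3.0, min_txt_ratio=0.5, max_cv=0.2):
    """Return {(client, domain): metrics} for groups matching every tunnelling heuristic."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in log:
        groups[(client, registered_domain(qname))].append((ts, qname, qtype))
    hits = {}
    for key, recs in groups.items():
        if len(recs) < min_queries:
            continue
        labels = [q.split(".")[0] for _, q, _ in recs]
        metrics = {
            "queries": len(recs),
            "txt_ratio": sum(t == "TXT" for _, _, t in recs) / len(recs),
            "unique_label_ratio": len(set(labels)) / len(labels),  # tunnels rarely repeat a label
            "mean_entropy": mean(shannon_entropy(lbl) for lbl in labels),
            "interval_cv": interval_cv(ts for ts, _, _ in recs),
        }
        if (metrics["txt_ratio"] >= min_txt_ratio and metrics["mean_entropy"] >= min_entropy
                and metrics["unique_label_ratio"] >= 0.9 and metrics["interval_cv"] <= max_cv):
            hits[key] = metrics
    return hits


def classify_auth_failures(log, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """Per source IP: 'password_spray' when many distinct accounts each fail at most
    max_per_user times inside the window; 'single_account_failures' when one account
    fails repeatedly (the mistyped-password case); otherwise 'normal'."""
    by_src = defaultdict(list)
    for rec in sorted(log):
        by_src[rec[1]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        fails = [r for r in recs if r[3] == "FAIL"]
        if not fails:
            continue
        start = fails[0][0]
        per_user = Counter(r[2] for r in fails if r[0] - start <= window)
        succeeded = [r[2] for r in recs if r[3] == "SUCCESS" and r[0] > start]
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            verdict = "password_spray"
        elif len(per_user) == 1 and sum(per_user.values()) >= 3:
            verdict = "single_account_failures"
        else:
            verdict = "normal"
        verdicts[src] = {"verdict": verdict, "distinct_users": len(per_user),
                         "max_failures_per_user": max(per_user.values()),
                         "success_after": succeeded}
    return verdicts


if __name__ == "__main__":
    for key, m in dns_tunnel_candidates(DNS_LOG).items():
        print("DNS tunnel candidate:", key, m)
    for src, v in classify_auth_failures(AUTH_LOG).items():
        print(src, v)
```

The DNS check deliberately requires all four signals together (label entropy, TXT ratio, label uniqueness, timing regularity): any one of them alone produces false positives from CDNs, antivirus update checks or monitoring agents, which is the same reason the scenario gives the analyst several data sources rather than one. The spraying check keys on breadth of accounts and low attempts per account from a single source; a real deployment would also correlate the successful login with the later OAuth grant described in the VPN scenario.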
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
Cisco Certified CyberOps Associate Intermediate Practice Exam FAQs
Cisco Certified CyberOps Associate is an entry-level professional certification from Cisco that validates the knowledge and skills of a security operations center (SOC) analyst: security concepts, security monitoring, host-based and network intrusion analysis, and security policies and procedures. The official exam code is 200-201 (CBROPS).
The Cisco Certified CyberOps Associate intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the Cisco Certified CyberOps Associate intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The Cisco Certified CyberOps Associate intermediate practice exam includes scenario-based questions and multi-concept problems similar to the 200-201 exam, helping you apply knowledge in practical situations.
Continue Your Journey
More resources to help you pass the exam