EMT Practice Test

1. Question Content...


Question List

Question1: Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs. She is investigating files at /var/log/ wtmp.
What Chloe is looking at?

Question2: Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.
Where will Harley find the web server logs, if he wants to investigate them for any anomalies?

Question3: John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming.
Which of the following data source will he use to prepare the dashboard?

Question4: Which of the following Windows event is logged every time when a user tries to access the "Registry" key?

Question5: Which of the following steps of incident handling and response process focus on limiting the scope and extent of an incident?

Question6: An organization wants to implement a SIEM deployment architecture. However, they have the capability to do only log collection and the rest of the SIEM functions must be managed by an MSSP.
Which SIEM deployment architecture will the organization adopt?

Question7: Which of the following attack can be eradicated by disabling of "allow_url_fopen and allow_url_include" in the php.ini file?

Question8: Which of the following command is used to enable logging in iptables?

Question9: What does HTTPS Status code 403 represents?

Question10: Which of the following fields in Windows logs defines the type of event occurred, such as Correlation Hint, Response Time, SQM, WDI Context, and so on?

Question11: If the SIEM generates the following four alerts at the same time:
I.Firewall blocking traffic from getting into the network alerts
II.SQL injection attempt alerts
III.Data deletion attempt alerts
IV.Brute-force attempt alerts
Which alert should be given least priority as per effective alert triaging?

Question12: Which of the following Windows Event Id will help you monitors file sharing across the network?

Question13: What type of event is recorded when an application driver loads successfully in Windows?

Question14: According to the Risk Matrix table, what will be the risk level when the probability of an attack is very low and the impact of that attack is major?

Question15: An organization is implementing and deploying the SIEM with following capabilities.

What kind of SIEM deployment architecture the organization is planning to implement?

Question16: Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?

Question17: Which of the following is a report writing tool that will help incident handlers to generate efficient reports on detected incidents during incident response process?

Question18: Which of the following technique involves scanning the headers of IP packets leaving a network to make sure that the unauthorized or malicious traffic never leaves the internal network?

Question19: What does the HTTP status codes 1XX represents?

Question20: Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((\%3C)|<)((\%69)|i|(\%
49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/|.
What does this event log indicate?

Question21: What does the Security Log Event ID 4624 of Windows 10 indicate?

Question22: An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.
Original
URL: http://www.buyonline.com/product.aspx?profile=12
&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12
&debit=10
Identify the attack depicted in the above scenario.

Question23: The threat intelligence, which will help you, understand adversary intent and make informed decision to ensure appropriate security in alignment with risk.
What kind of threat intelligence described above?

Question24: In which phase of Lockheed Martin's - Cyber Kill Chain Methodology, adversary creates a deliverable malicious payload using an exploit and a backdoor?

Question25: Identify the password cracking attempt involving a precomputed dictionary of plaintext passwords and their corresponding hash values to crack the password.

Question26: John, SOC analyst wants to monitor the attempt of process creation activities from any of their Windows endpoints.
Which of following Splunk query will help him to fetch related logs associated with process creation?

Question27: Which of the following formula represents the risk?

Question28: Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.

Question29: Which of the following security technology is used to attract and trap people who attempt unauthorized or illicit utilization of the host system?

Question30: Which of the following attack can be eradicated by using a safe API to avoid the use of the interpreter entirely?

Question31: Which of the following stage executed after identifying the required event sources?

Question32: Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.
Where will Harley find the web server logs, if he wants to investigate them for any anomalies?

Question33: Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is currently formatting and structuring the raw data.
He is at which stage of the threat intelligence life cycle?

Question34: What is the correct sequence of SOC Workflow?

Question35: Which of the following technique protects from flooding attacks originated from the valid prefixes (IP addresses) so that they can be traced to its true source?

Question36: What does [-n] in the following checkpoint firewall log syntax represents?
fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [-g] [logfile]

Question37: In which of the following incident handling and response stages, the root cause of the incident must be found from the forensic results?

Question38: Which of the following framework describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering?

Question39: John, a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching Regex /(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i.
What does this event log indicate?

Question40: InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been given the responsibility to finalize strategy, policies, and procedures for the SOC.
Identify the job role of John.

Question41: Which of the following is a default directory in a Mac OS X that stores security-related logs?

Question42: Which of the following data source can be used to detect the traffic associated with Bad Bot User-Agents?