EMT Practice Test

1. Question Content...


Question List

Question1: An incident responder notices many entries in an apache access log file that contain semicolons. Which of the following attacks is MOST likely being attempted?

Question2: A high-level government official uses anonymous bank accounts to transfer a requested amount of funds to individuals in another country. These individuals are known for defacing government websites and exfiltrating sensitive data. Which of the following BEST describes the involved threat actors?

Question3: A forensics investigator has been assigned the task of investigating a system user for suspicion of using a company-owned workstation to view unauthorized content. Which of the following would be a proper course of action for the investigator to take?

Question4: Network engineering has reported low bandwidth during working hours. The incident response team is currently investigating several anomalous activities that may be related. Which of the following is the MOST appropriate method to further investigate this problem?

Question5: A system administrator is informed that a user received an email containing a suspicious attachment.
Which of the following methods is the FASTEST way to determine whether the file is suspicious or not?

Question6: While reviewing some audit logs, an analyst has identified consistent modification of the sshd_config file for an organization's server. The analyst would like to investigate and compare contents of the current file with archived versions of files that are saved weekly. Which of the following tools will be MOST effective during the investigation?

Question7: Customers are reporting issues connecting to a company's Internet server. Which of the following device logs should a technician review in order to help identify the issue?

Question8: DRAG DROP
Drag and drop the following steps to perform a successful social engineering attack in the correct order, from first (1) to last (6).
Select and Place:

Question9: A network administrator has been asked to configure a new network. It is the company's policy to segregate network functions using different Virtual LANs (VLANs). On which of the following is this configuration MOST likely to occur?

Question10: A security analyst would like to parse through several SQL logs for indicators of compromise. The analyst is aware that none of the fields should contain a string of text longer than 30 characters; however, the analyst is unaware if there are any implemented controls to prevent such an overflow. Which of the following BEST describes the regular expression the analyst should use to find any alphanumeric character string?

Question11: Which of the following are reasons that a hacker would execute a DoS or a DDoS attack? (Choose two.)

Question12: During review of a company's web server logs, the following items are discovered:
2015-03-01 03:32:11 www.example.com/index.asp?id=-999 or 1=convert(int,@@version)-
2015-03-01 03:35:33 www.example.com/index.asp?id=-999 or 1=convert(int,db_name())-
2015-03-01 03:38:25 www.example.com/index.asp?id=-999 or 1=convert(int,user_name())- Which of the following is depicted in the log example above?

Question13: An attacker performs reconnaissance on a Chief Executive Officer (CEO) using publicity available resources to gain access to the CEO's office. The attacker was in the CEO's office for less than five minutes, and the attack left no traces in any logs, nor was there any readily identifiable cause for the exploit. The attacker in then able to use numerous credentials belonging to the CEO to conduct a variety of further attacks. Which of the following types of exploit is described?

Question14: An attack was performed on a company's web server, disabling the company's website. The incident response team's investigation produced the following:
1. Presence of malicious code installed on employees' workstations.
2. Excessive UDP datagrams sent to a single address.
3. Web server received excessive UDP datagrams from multiple internal hosts.
4. Network experienced high traffic after 3:00 pm.
5. Employee workstations sent large traffic bursts when employees accessed the internal timecard application.
Which of the following BEST describes the attack tool used to perform the attack?

Question15: During the identification phase, it is discovered that port 23 is being used maliciously. Which of the following system hardening techniques should be used to remediate the issue?

Question16: An alert on user account activity outside of normal business hours returns Windows even IDs 540 and
4624. In which of the following locations will these events be found?

Question17: During an annual penetration test, several rootkit-enabled systems are found to be exfiltrating data. The penetration test team and the internal incident response team work to begin cleanup. The company's operations team offers a new emails server to use for communications during the incident. As cleanup continues, the attackers seem to know exactly what the incident response plan is. Which of the following will prevent the attackers from compromising cleanup activities?

Question18: A security analyst discovers a zero-day vulnerability affecting Windows, which has not been publicly identified. The security analyst assumes this vulnerability is present on millions of computer system and feels an obligation to share this information with other security professionals. Which of the following would be the MOST adverse consequences of the analyst sharing this information?

Question19: An organization's public information website has been defaced. The incident response team is actively engaged in the following actions:
- Installing patches on the web server
- Turning off unnecessary services on web server
- Adding new ACL rules to the WAF
- Changing all passwords on web server accounts
Which of the following incident response phases is the team MOST likely conducting?

Question20: An incident responder is investigating a Linux server reported to be "behaving strangely". Which of the following commands should the incident responder use to identify any users currently logged into the system? (Choose two.)

Question21: An organization needs to determine of any systems on its network (10.0.25.0/24) have web services running on port 80 or 443. Which of the following is the BEST command to do this?

Question22: An incident responder is asked to create a disk image of a compromised Linux server. Which of the following commands should be used to do this?

Question23: A forensics analyst is analyzing an executable and thinks it may have some text of interest hidden within it.
Which of the following tools can the analyst use to assist in validating the suspicion?

Question24: Malicious code that can replicate itself using various techniques is referred to as a:

Question25: Which of the following describes pivoting?

Question26: Which of the following is the reason that out-of-band communication is used during a security incident?

Question27: As part of an incident response effort, data has been collected and analyzed, and a malware infection has been contained. Which of the following is the NEXT step the incident response team should take within the incident response process?

Question28: During a malware outbreak, a security analyst has been asked to capture network traffic in hourly increments for analysis by the incident response team. Which of the following tcpdump commands would generate hourly pcap files?

Question29: A zero-day vulnerability is discovered on a company's network. The security analyst conducts a log review, schedules an immediate vulnerability scan, and quarantines the infected system, but cannot determine the root cause of the vulnerability. Which of the following is a source of information that can be used to identify the cause of the vulnerability?

Question30: Which of the following are legally compliant forensics applications that will detect ADS or a file with an incorrect file extension? (Choose two.)

Question31: A user reports a pop-up error when starting a Windows machine. The error states that the machine has been infected with a virus and instructs the user to download a new antivirus client. In which of the following locations should the incidentresponder check to find what is generating the error message?
(Choose two.)

Question32: Which of the following is the BEST way to capture all network traffic between hosts on a segmented network?

Question33: A DMZ web server has been compromised. During the log review, the incident responder wants to parse all common internal Class A addresses from the log. Which of the following commands should the responder use to accomplish this?

Question34: An organization's firewall has recently been bombarded with an excessive amount of failed requests. A security analyst has been tasked with providing metrics on any failed attempts to ports above 1000. Which of the following regular expressions will work BEST to identify an IP address with the desired port range?

Question35:
The above Linux command is used to search for:

Question36: A SOC analyst reviews vendor security bulletins and security blog articles against the company's deployed system and software base. Based on current attack patterns, three vulnerabilities, including a zero-day vulnerability, have been upgraded to high priority. Which of the following should the SOC analyst recommend? (Choose two.)

Question37: A security professional has been tasked with the protection of a specific set of information essential to a corporation's livelihood, the exposure of which could cost the company billions of dollars in long-term revenue. The professional is interested in obtaining advice for preventing the theft of this type of information. Which of the following is the BEST resource for finding this material?

Question38: Which of the following describes the MOST important reason for capturing post-attack metadata?

Question39: Click the exhibit button. After reviewing captured network traffic logs, a security auditor suspects a violation of the organization's computer use policy. Which of the following is the likely indicator of the violation?

Question40: An alert has been triggered identifying a new application running on a Windows server. Which of the following tools can be used to identify the application? (Choose two.)

Question41: Which of the following can hackers use to gain access to a system over the network without knowing the actual password?

Question42: The incident response team needs to track which user last connected to a specific Windows domain controller. Which of the following is the BEST way to identify that specific user?

Question43: Log review shows that large amounts of data are being sent to an IP address unassociated with the company. Which of the following migration techniques should be implemented?

Question44: Which of the following protocols can be used for data extension?

Question45: Which of the following could an attacker use to perpetrate a social engineering attack? (Choose two.)

Question46: A Windows system user reports seeing a command prompt window pop up briefly during each login. In which of the following locations would an incident responder check to explain this activity?

Question47: An attacker has sent malicious macro-enabled Office files. Which of the following regular expressions will return a list of macro-enabled files?

Question48: A computer attacker has compromised a system by implanting a script that will send 10B packages over port 150. This port is also used for sending heartbeat messages to a central monitoring server. Which of the following BEST describes the tactic used to execute this attack?

Question49: A file is discovered in the /etc directory of an internal server by an automated file integrity checker. A security analyst determines the file is a bash script. The contents are as follows:
---
#/bin/bash
IFS=:
[[-f/etc/passwd]] && cat/etc/passwd |
while read a b c d e f g
do
echo "$e ($a)"
done
---
Which of the following was the author of the script attempting to gather?

Question50: An administrator wants to block Java exploits that were not detected by the organization's antivirus product. Which of the following mitigation methods should an incident responder perform? (Choose two.)

Question51: Which of the following commands should be used to print out ONLY the second column of items in the following file?
Source_File,txt
Alpha Whiskey
Bravo Tango
Charlie Foxtrot
Echo Oscar
Delta Roger

Question52: A company website was hacked via the SQL query below:

Which of the following did the hackers perform?

Question53: A malicious attacker has compromised a database by implementing a Python-based script that will automatically establish an SSH connection daily between the hours of 2:00 am and 5:00 am. Which of the following is the MOST common motive for the attack vector that was used?

Question54: The Chief Information Officer (CIO) of a company asks the incident responder to update the risk management plan. Which of the following methods can BEST help the incident responder identify the risks that require in-depth analysis?

Question55: A suspicious laptop is found in a datacenter. The laptop is on and processing data, although there is no application open on the screen. Which of the following BEST describes a Windows tool and technique that an investigator should use to analyze the laptop's RAM for working applications?

Question56: From a compromised system, an attacker bypasses a proxy server and sends a large amount of data to a remote location. A security analyst is tasked with finding the conduit that was used by the attacker to bypass the proxy. Which of the following Windows tools should be used to find the conduit?

Question57: Organizations should exercise their Incident Response (IR) plan following initial creation. The primary objective for this first IR plan exercise is to identify:

Question58: A security analyst for a financial services firm is monitoring blogs and reads about a zero-day vulnerability being exploited by a little-known group of hackers. The analyst wishes to independently validate and corroborate the blog's posting. Which of the following sources of information will provide the MOST credible supporting threat intelligence in this situation?

Question59: An incident responder has captured packets associated with malware. The source port is 8765 and the destination port is 7653. Which of the following commands should be used on the source computer to help determine which program is responsible for the connection?

Question60: An analyst would like to search for a specific text string at the beginning of a line that begins with four capital alphabetic characters. Which of the following search operators should be used?

Question61: During an investigation on Windows 10 system, a system administrator needs to analyze Windows event logs related to CD/DVD-burning activities. In which of the following paths will the system administrator find these logs?

Question62: Which of the following techniques allows probing firewall rule sets and finding entry points into a targeted system or network?

Question63: An incident responder suspects that a host behind a firewall is infected with malware. Which of the following should the responder use to find the IP address of the infected machine?

Question64: An organization performs regular updates to its network devices to alert and prevent access to streaming media sites by the employees. Each device will send logs and alerts to a centralized server for storage, archive, and analysis. Which of the following BEST describes the system that is correlating the data found in all alerts and logs?

Question65: A network engineer has collected a packet capture using Wireshark and given it to the team for analysis.
The team is looking for activity based on the internal IP address of 10.0.25.123. Which of the following filters should the team use to look at only traffic for this IP?

Question66: Which of the following is an automated password cracking technique that uses a combination of upper and lower case letters, 0-9 numbers, and special characters?

Question67: An attacker has decided to attempt a brute force attack on a UNIX server. In order to accomplish this, which of the following steps must be performed?

Question68: An intruder gains physical access to a company's headquarters. The intruder is able to access the company's network via a visitor's office. The intruder sets up an attack device, under the visitor's office desk, that impersonates the corporate wireless network. Users at headquarters begin to notice slow browsing speeds from their company laptops. Which of the following attacks is MOST likely occurring?

Question69: During the course of an investigation, an incident responder discovers illegal material on a user's hard drive. Which of the following is the incident responder's MOST important next step?

Question70: When performing an investigation, a security analyst needs to extract information from text files in a Windows operating system. Which of the following commands should the security analyst use?

Question71: An incident responder needs to quickly locate specific data in a large data repository. Which of the following Linux tool should be used?

Question72: While a network administrator is monitoring the company network, an unknown local IP address is starting to release high volumes of anonymous traffic to an unknown external IP address. Which of the following would indicate to the network administrator potential compromise?

Question73: An unauthorized network scan may be detected by parsing network sniffer data for:

Question74: A malicious actor sends a crafted email to the office manager using personal information collected from social media. This type of social engineering attack is known as:

Question75: Which of the following tools can be used to identify open ports and services?

Question76: Click the exhibit button. Which of the following Windows tools is executed?

Question77: A malware analyst has been assigned the task of reverse engineering malicious code. To conduct the analysis safely, which of the following could the analyst implement?

Question78: While performing standard maintenance on a UNIX server, a system administrator notices a set of large files with .tar .gz file extensions in the /tmp folder. The system administrator reports this to a security analyst. Performing further research, the analyst has found the .tar .gz files contain information normally housed on one of the bank's data servers. Given this scenario, which of the following is MOST likely occurring?

Question79: An attacker has exfiltrated the SAM file from a Windows workstation. Which of the following attacks is MOST likely being perpetrated?

Question80: DRAG DROP
Drag and drop the following steps in the correct order from first (1) to last (7) that a forensic expert would follow based on data analysis in a Windows system.
Select and Place:

Question81: Which of the following technologies is used as mitigation to XSS attacks?

Question82: Which of the following types of logs is shown below, and what can be discerned from its contents?
2015-07-19 12:33:31 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:31 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:32 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:33 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 123.56.71.145 192.141.173.72 1234 80
2015-07-19 12:33:34 reject UDP 146.64.21.212 192.141.173.72 1234 80
2015-07-19 12:33:35 reject UDP 166.32.22.12 192.141.173.72 1234 80
2015-07-19 12:33:35 reject UDP 123.56.71.145 192.141.173.72 1234 80

Question83: A UNIX workstation has been compromised. The security analyst discovers high CPU usage during off- hours on the workstation. Which of the following UNIX programs can be used to detect the rogue process?
(Choose two.)

Question84: A hacker's end goal is to target the Chief Financial Officer (CFO) of a bank. Which of the following describes this social engineering tactic?

Question85: When determining the threats/vulnerabilities to migrate, it is important to identify which are applicable.
Which of the following is the FIRST step to determine applicability?

Question86: When investigating a wireless attack, which of the following can be obtained from the DHCP server?

Question87: DRAG DROP
When perpetrating an attack, there are often a number of phases attackers will undertake, sometimes taking place over a long period of time. Place the following phases in the correct chronological order from first (1) to last (5).
Select and Place:

Question88: A security auditor has been asked to analyze event logs to look for signs of suspicious behavior. The company operated on a normal workday schedule (e.g., Monday through Friday, 8 am - 5 pm) and has implemented stringent access control policies (e.g. password complexity, failed login attempts). Which of the following provides the MOST reason for concern?

Question89: Which of the following resources BEST supports malware analysis?

Question90: During a network-based attack, which of the following data sources will provide the BEST data to quickly determine the attacker's point of origin? (Choose two.)

Question91: A SOC analyst has been tasked with checking all files in every employee home directory for any mention of a new product code named PitViper. Which of the following commands will return all requested data?

Question92: An outside organization has reported to the Chief Information Officer (CIO) of a company that it has received attack from a Linux system in the company's DMZ. Which of the following commands should an incident responder use to review a list of currently running programs on the potentially compromised system?

Question93: Which of the following mitigations will remain intact, regardless of the underlying network protocol?

Question94: A system administrator needs to analyze a PCAP file on a Linux workstation where the use of GUI-based applications is restricted. Which of the following command line tools can the administrator use to analyze the PCAP?

Question95: A logfile generated from a Windows server was moved to a Linux system for further analysis. A system administrator is now making edits to the file with vi and notices the file contains numerous instances of Ctrl- M (^M) characters. Which of the following command line tools is the administrator MOST likely to use to remove these characters from the logfile? (Choose two.)

Question96: Why is it important to update system clocks from a single time source?