GCIH Practice Test Video Answer
1. B
Deleting the scheduled task immediately stops the persistence mechanism, and analyzing the PowerShell script helps identify additional indicators of compromise (IOCs) such as C2 servers, file locations, or other malicious activities. Simply disabling Task Scheduler or blocking PowerShell enterprise-wide would disrupt legitimate operations. This approach balances immediate containment with evidence preservation for further investigation.
2. B
Domain Generation Algorithms (DGAs) are used by malware to generate a large number of pseudo-random domain names for command and control communication. This makes it difficult to block C2 infrastructure by blacklisting domains. The pattern of multiple failed DNS queries to algorithmically generated names is a classic indicator of DGA-based malware attempting to reach its C2 server.
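The DNS pattern described above, as an added detection example (not part of the original answer key): a small scorer that reads constructed resolver log lines, measures the character entropy of each queried name and flags clients that rack up several NXDOMAIN replies for random-looking domains. The log format, thresholds and sample lines are assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not from the page): client, query name, response code.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.microsoft.com NOERROR
10.0.0.5 xk3jq9vlmzp2tq.com NXDOMAIN
10.0.0.5 qwe8ru2hf7lsd1.net NXDOMAIN
10.0.0.5 pz0v7m4kxq1ybt.org NXDOMAIN
10.0.0.5 h7fj2k9qwxzl4p.info NXDOMAIN
10.0.0.5 b3nx8vqt2lkwmz.com NXDOMAIN
10.0.0.7 mail.example.com NOERROR
10.0.0.7 typo-exampel.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; algorithmically generated labels score high."""
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def second_level_label(fqdn: str) -> str:
    """Label left of the TLD (no public-suffix list handling, an assumption)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_dga_suspects(log_text: str, min_nxdomain: int = 4, min_entropy: float = 3.0):
    """Return {client: [domains]} for clients with >= min_nxdomain failed lookups
    of high-entropy names. A single typo (10.0.0.7) stays below the count threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and shannon_entropy(second_level_label(qname)) >= min_entropy:
            hits[client].append(qname)
    return {c: d for c, d in hits.items() if len(d) >= min_nxdomain}
```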
3. B
Credential Guard uses virtualization-based security to isolate the Local Security Authority (LSA) process, which stores credentials. This prevents tools like mimikatz from accessing LSASS memory to extract credentials. Credential Guard specifically protects against pass-the-hash and pass-the-ticket attacks by storing secrets in a protected environment that is isolated from the normal operating system.
4. B
Alternate Data Streams (ADS) are a feature of NTFS that allow additional data to be attached to a file without changing the file’s primary content or visible size. Attackers abuse ADS to hide malicious code, executables, or data because standard directory listings (dir, ls) and many security tools do not display or scan alternate data streams by default, making them an effective hiding technique.
5. B
Network isolation is the first priority to prevent the ransomware from spreading to additional systems through lateral movement, shared drives, or automated propagation mechanisms. Containment prevents further damage. Once isolated, you can then focus on recovery options such as backups, investigation of the attack vector, and remediation. Paying ransom should be a last resort and does not guarantee file recovery.
6. B
Web Application Firewall logs capture HTTP/HTTPS requests and responses, including the malicious SQL queries injected by the attacker. WAF logs show the exact payloads, parameters, and attack patterns used in the SQL injection. While web server logs also contain this information, WAF logs typically provide better security-focused details including blocked attempts and attack signatures.
7. B
According to the Lockheed Martin Cyber Kill Chain, after gaining initial access (Delivery and Exploitation phases), the attacker moves to the Installation phase where they install malware, backdoors, or establish persistence mechanisms. The sequence is: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives.
8. C
Creating new local or domain accounts is classified as “Create Account” (T1136) in the MITRE ATT&CK framework. This technique is used by attackers to establish persistence and maintain access. T1078 refers to using existing valid accounts, T1098 is modifying existing accounts, and T1550.002 specifically refers to pass-the-hash techniques.
9. B
The order of volatility refers to how quickly data is lost or changed. The correct order from most volatile to least volatile is: CPU registers and cache → RAM → network connections and running processes → swap/page files → hard drive → backups and archives. Memory (RAM) and active network connections are most volatile and should be collected first, followed by less volatile storage media.
10. B
“Living off the Land” (LOLBins – Living Off the Land Binaries) refers to attackers using legitimate system tools, utilities, and processes that are already present in the operating system to carry out malicious activities. Examples include PowerShell, WMI, PsExec, certutil, and bitsadmin. This technique helps attackers evade detection since these tools are expected to run in normal environments.
11. B
When PsExec is used for remote execution, it installs a service on the remote system. Event ID 7045 (A service was installed in the system) in the System log captures this service creation. While Event ID 4624 shows the logon, Event ID 7045 provides more specific evidence of PsExec usage. The service name typically starts with “PSEXESVC” which is a clear indicator.
12. B
Forensic imaging (also called disk imaging or bit-stream imaging) creates an exact sector-by-sector copy of a storage device, including deleted files, slack space, and unallocated space. This preserves the complete state of the drive for analysis while maintaining evidence integrity. A logical backup only copies active files, not the complete disk structure needed for forensic investigation.
13. B
Web shells are typically placed in the web root directory or subdirectories where the web server serves content (e.g., /var/www/html/ for Apache on Linux). This allows the attacker to access the web shell through a web browser by navigating to the malicious file’s URL. Common web shell file extensions include .php, .asp, .aspx, .jsp depending on the server technology.
14. A
WMI persistence is established through Event Filters (monitoring for specific conditions), Event Consumers (actions taken when conditions are met), and Filter-to-Consumer Bindings (linking filters to consumers). Attackers create permanent WMI event subscriptions that execute malicious code when specific triggers occur. Tools like Autoruns and PowerShell can detect suspicious WMI subscriptions in the root\subscription namespace.
15. B
A honeypot is a decoy system or network designed to attract attackers and monitor their activities. The primary purposes are to detect intrusions, deflect attacks from production systems, and study attacker tactics, techniques, and procedures (TTPs). Honeypots provide early warning of attacks and valuable threat intelligence about emerging attack methods.
16. B
The Master File Table (MFT) is a database that contains records for every file and directory on an NTFS volume. Forensic analysis of the MFT reveals file metadata including: timestamps (creation, modification, access, MFT entry change), file names, file sizes, attributes, and critically, records of deleted files. Tools like MFTExplorer and NTFS Log Tracker parse MFT data.
17. B
The Run registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) executes programs automatically when Windows starts. Attackers place entries here to ensure their malware runs every time the system boots, establishing persistence. This is one of the most common persistence mechanisms. Other related keys include RunOnce, RunServices, and similar startup locations.
18. B
Network isolation (disconnecting network cable or disabling network adapters) prevents further malicious activity, C2 communication, and lateral movement while keeping the system running. This preserves volatile memory contents and running processes for forensic analysis. Powering off loses memory contents, and running antivirus scans may alter evidence.
19. B
Pass-the-Hash exploits NTLM authentication by using captured password hashes instead of requiring the plaintext password. NTLM authentication accepts the hash directly for authentication, allowing attackers who have compromised password hashes to authenticate without knowing actual passwords. This is why disabling NTLM and using Kerberos is recommended for Windows environments.
20. A
Event ID 1102 (The audit log was cleared) indicates that someone has cleared the Security event log. This is often done by attackers to hide their tracks and destroy evidence of their activities. Event ID 104 in the System log also indicates log clearing. Monitoring for these events is critical for detecting log tampering.
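One way to turn the detections from questions 11 and 20 into code, as an added example that is not part of the original answer key: triage flattened Windows event records for a 7045 service install whose name starts with PSEXESVC, a 1102 clear of the Security log and a 104 clear of the System log, then group findings per host so a machine showing both PsExec activity and log clearing stands out. The record layout and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event records (not from the page), flattened the way a SIEM exposes them.
# 7045 is logged to the System log, 1102 to Security and 104 to System.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "Computer": "WS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Channel": "System", "EventID": 7045, "Computer": "WS02",
     "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"Channel": "Security", "EventID": 4624, "Computer": "WS01", "LogonType": 3},
    {"Channel": "Security", "EventID": 1102, "Computer": "WS01", "SubjectUserName": "jsmith"},
    {"Channel": "System", "EventID": 104, "Computer": "WS02", "SubjectUserName": "admin"},
]

@dataclass(frozen=True)
class Finding:
    computer: str
    event_id: int
    reason: str

def triage_events(events):
    """Flag PsExec-style service installs and audit-log clearing; ignore the rest."""
    findings = []
    for ev in events:
        channel, eid = ev.get("Channel"), ev.get("EventID")
        host, who = ev.get("Computer", "?"), ev.get("SubjectUserName", "?")
        if channel == "System" and eid == 7045:
            name = str(ev.get("ServiceName", ""))
            # Default PsExec service name; a renamed service would need other indicators.
            if name.upper().startswith("PSEXESVC"):
                findings.append(Finding(host, 7045, f"PsExec service installed: {name}"))
        elif channel == "Security" and eid == 1102:
            findings.append(Finding(host, 1102, f"Security log cleared by {who}"))
        elif channel == "System" and eid == 104:
            findings.append(Finding(host, 104, f"System log cleared by {who}"))
    return findings

def hosts_by_event(findings):
    """Map each host to its sorted distinct event ids, to spot hosts hit by both."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.computer].add(f.event_id)
    return {h: sorted(ids) for h, ids in per_host.items()}
```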
21. B
Calculating file hashes (MD5, SHA-1, SHA-256) and checking them against threat intelligence sources like VirusTotal, MISP, or other threat feeds is a safe, non-intrusive first step. This can quickly determine if the file is known malware. Never execute suspicious files in production. Static analysis and sandboxed dynamic analysis should follow if needed.
22. B
Log4Shell (CVE-2021-44228) is a critical remote code execution vulnerability in the Apache Log4j Java logging library. It allows attackers to execute arbitrary code through JNDI (Java Naming and Directory Interface) injection by crafting malicious log messages. This vulnerability affected numerous applications and services worldwide and was assigned a CVSS score of 10.0.
23. D
Attackers commonly combine multiple PowerShell flags for evasion: -ExecutionPolicy Bypass (ignore script execution restrictions), -WindowStyle Hidden (hide the PowerShell window), -Version 2.0 (use older version to avoid enhanced logging), -EncodedCommand (encode commands in Base64), and -NoProfile (skip loading profiles). Detection requires monitoring PowerShell execution with these suspicious combinations.
24. B
Incident response priorities follow the order: Detection → Containment → Notification → Investigation → Remediation → Recovery → Lessons Learned. After detecting a zero-day exploit, immediate containment prevents further spread, and notification ensures stakeholders (management, security teams, legal) are informed. Containment may include network isolation, system shutdown, or access restrictions while investigation proceeds.
25. B
Static analysis examines malware without executing it, using techniques like reviewing code, examining strings, analyzing file structure, and checking for known signatures. Dynamic analysis involves executing malware in a controlled environment (sandbox) to observe its behavior. Static analysis is safer as it doesn’t risk malware execution but may miss obfuscated or encrypted code.
26. B
A Golden Ticket attack requires the KRBTGT account password hash. The KRBTGT account is used by the Key Distribution Center (KDC) to encrypt and sign all Kerberos tickets. With this hash, an attacker can create valid Kerberos Ticket Granting Tickets (TGTs) for any account, with any privileges, for any duration, effectively giving them unlimited access to the domain.
27. B
While all factors are important, potential impact to critical business operations should have highest priority. A vulnerability affecting critical infrastructure, patient safety systems, financial transactions, or operations that could cause significant business disruption takes precedence over incidents affecting non-critical systems, regardless of the number of systems affected or ease of remediation.
28. B
Token impersonation exploits Windows access tokens, which are objects that describe the security context of a process or thread. Attackers with sufficient privileges can steal or duplicate access tokens from other processes (especially highly privileged processes) and impersonate those security contexts to escalate privileges. Tools like Incognito and Meterpreter’s incognito module automate this attack.
29. B
Volatility is a widely-used open-source memory forensics framework specifically designed for analyzing RAM dumps. It can extract processes, network connections, registry keys, passwords, and other critical artifacts from memory images. Wireshark is for network analysis, Autopsy is for disk forensics, and FTK Imager is for creating forensic images.
30. B
Base64 encoding (using -EncodedCommand or -enc flag) helps attackers evade signature-based detection systems that look for known malicious strings in plaintext. While encoding doesn’t provide real encryption or security, it obscures the command from casual inspection and simple string-matching detection rules. Defenders should decode and inspect encoded PowerShell commands.
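The flag combinations from question 23 and the decoding step from question 30, worked as one added example (not code from the original answer key): a command-line analyzer that recognises the evasive PowerShell switches, including the short prefixes PowerShell accepts, only counts -ExecutionPolicy, -WindowStyle and -Version when their values are the evasive ones, and decodes -EncodedCommand, which is Base64 of UTF-16LE text rather than UTF-8. The sample command line is constructed and its payload is a harmless Write-Host.

```python
import base64
import re
import shlex

def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_for_powershell; tolerates stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")

# Constructed command line (not from the page); the payload is a harmless Write-Host.
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
                  "-Version 2.0 -enc " + encode_for_powershell("Write-Host 'lab test'"))

# Full switch names plus the common abbreviations, each mapped to a label.
_FLAG_PATTERNS = [
    (r"^-(ep|executionpolicy)$", "ExecutionPolicy"),
    (r"^-(w|windowstyle)$", "WindowStyle"),
    (r"^-(v|version)$", "Version"),
    (r"^-(nop|noprofile)$", "NoProfile"),
    (r"^-(e|ec|enc|encodedcommand)$", "EncodedCommand"),
]
# Switches listed here count only with these values; others count on sight.
_EVASIVE_VALUES = {"ExecutionPolicy": ("bypass", "unrestricted"),
                   "WindowStyle": ("hidden",), "Version": ("2", "2.0")}

def analyze_powershell(cmdline: str):
    """Return (set of evasive switch labels, decoded script or None)."""
    args = shlex.split(cmdline)  # adequate for the space-separated argv logged here
    labels, script = set(), None
    for i, arg in enumerate(args):
        for pattern, label in _FLAG_PATTERNS:
            if not re.match(pattern, arg, re.IGNORECASE):
                continue
            value = args[i + 1] if i + 1 < len(args) else ""
            allowed = _EVASIVE_VALUES.get(label)
            if allowed is not None and value.lower() not in allowed:
                continue
            labels.add(label)
            if label == "EncodedCommand" and value:
                script = decode_encoded_command(value)  # Base64 is case-sensitive
    return labels, script
```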
31. C
EternalBlue is a critical exploit that targets a vulnerability in Microsoft’s Server Message Block (SMB) protocol, specifically SMBv1, which operates on port 445. This exploit allows attackers to execute arbitrary code remotely without authentication. The vulnerability (CVE-2017-0144) was infamously used in the WannaCry and NotPetya ransomware attacks in 2017. Once exploited, it gives attackers SYSTEM-level privileges on vulnerable Windows systems. Organizations should disable SMBv1, apply security patches (MS17-010), and block port 445 at network boundaries to prevent this attack.