SOC Analyst Test – Cyber Struggle

About SOC Analyst Test

This test consists of 55 technical questions including both offensive and investigative topics which equal to 135 points overall. Each question has a different score based on difficulty. The results will be calculated automatically and directly sent to you via given e-mail address. Therefore, please be sure you have provide correct contact information

Analyst Path and Grading

SOC TEST

1 / 60

Where are you from?

2 / 60

What is your education level?

High School

Associate

Bachelor

Master

Doctorate

3 / 60

What is your current title?

4 / 60

What Industry do you work in?

5 / 60

How many years experience do you have in your field?

0-1

1-3

3-5

6 / 60

Are you be able to work openly and cooperatively at all times?

Yes

7 / 60

Do you think you have the ability to not lose sight of the forest for the trees, yet still to be able to see the trees?

Yes

8 / 60

Since the cyberthreat landscape presenting a constant steam of new challenges, do you have the desire to want to develop your own skills and abilities?

Yes

9 / 60

Does powershell script block logging is enough for detecting process injection attacks?

Yes

10 / 60

Is it possible to write a file inside the server with SQL injection if backend database is MySQL?

Yes

11 / 60

Which of the following commands can be used in lateral movement inside network?

cmd.exe /c winrm-connect

ping

Enter-PSSession

Tmux

12 / 60

Which command would you use to print information about a scheduled task named revShell?

schtasks /list revShell

sc /query /tn revShell

schtasks /query /tn revShell

sc /list /tn revShell

13 / 60

Which Mitre Att&ck vectors included below command?

Start-BitsTransfer -Source $url -Destination $output

TA-0011 - Command And Control

TA-0002 - Execution

T1059 – Command and Scripting Interpreter

All of Them

14 / 60

Which tool is included in default installations of Windows and can query or modify file DACLs?

AccessChk64

wmic

aclChk

icacls

15 / 60

Using which source it is possible to detect process injection Windows API requests?

Eventlog

Sysmon

IIS Application logs

Powershell scriptblock logging

16 / 60

From which log source it is possible to detect directory traversal attacks on apache?

kern.log

auth.log

mysql.log

access.log

17 / 60

For reviewing syslogs, which directory should be checked for most Linux distros?

/home/log

/var/log

/log

/var/syslog

18 / 60

Which of the following entries in “/etc/sudoers” would give users in the administrators group the ability to run the “/bin/cat” command as root without requiring a password?

#admins ALL=(wheel) NOPASSWD:ALL

#ALL (admins) NOPASSWD: /bin/cat@asroot

%admins ALL=(root) NOPASSWD: /bin/cat

root ALL=(admins) /bin/cat: NOPASSWD

19 / 60

The Time to Live (TTL) field/value found in the IP header are used to:

Make sure all associated fragments arrive with a given window of time.

Expire TCP segments in transit when the TTL value becomes 0

Flush DNS records from cache when the TTL value is exceeded

Expire IP packets in transit when the TTL value becomes 0

20 / 60

Suppose a SYN packet is spoofed using a real IP address and then sent to a server that responds with a SYN/ACK to the actual IP address. How does the real IP address respond?

With an acknowledgement since it did not send the SYN

With a reset since it did not send the SYN

With a duplicate SYN since it did not send the SYN

With a TTL of 0 since it did not send the SYN

21 / 60

Which of the following you can not obtain while doing memory analysis?

Active TCP connections

Active process list

Executed commands via cmd

Cronjob list

22 / 60

Which type of Windows log is most likely to contain information about a file being deleted?

httpd logs

Security logs

System logs

Configuration logs

23 / 60

What is EventID 4720 means in Windows Event Log?

An application has crashed

An account was successfully logged on

A user account was created

A user account deleted

24 / 60

What is EventID 4697 means in Windows Event Log?

An application has crashed

An account was successfully logged on

A service was installed in the system

An object was deleted

25 / 60

What type of attack can be considered if “Ticket Encryption Type” parameter is equals to 0x17 (RC4-HMAC) inside Eventlog 4768: A Kerberos authentication ticket (TGT) log?

Brute-Force

Over pass the hash

Process injection

Dumping lsass process memory

26 / 60

Which of the following Windows registry keys is most useful for malware that aims at maintaining persistent presence on the infected system?

HKCUSystemCurrentControlSetControlMediaProperties

HKLMSoftwareMicrosoftWindowsCurrentVersionRun

HKLMSECURITY

%UserProfile%ntuser.dat

27 / 60

Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation?

strings

sha1sum

file

gzip

28 / 60

What is difference between IPS and IDS?

The IDS and IPS both read and compare network packets with the contents of known threats. IDS are tools for detection and remediation, which take action on their own.

The IDS aims at gathering and dropping dangerous packets before hitting their target. It is more proactive than IPS, which just needs a regular update of the database with new threat data.

IPS is a control system accepting or refusing a registered packet. IDS requires a person or other device to review and decide the next steps that can depend on the quantity of network traffic generated on a daily basis.

IDS is deployed inline to the traffic flow. IPS is not deployed inline and instead monitors the traffic flow via span or tap technology to then raise notifications.

29 / 60

What kind of detection method works by examining data for specific patterns?

Signature-Based

Role-Based

Rule-Based

Behavior-Based

30 / 60

A company has been receiving a high volume of attacks on their web site. The network administrator wants to be able to collect information on the attacker(s). What should be implemented?

DMZ (Demilitarized Zone)

A honey pot

A firewall

A new subnet

31 / 60

After a security breach, it was discovered that the attacker had gained access to the network by using a brute-force attack against a service account with a password that was set to not expire, even though complex password. Which of the following could be used to prevent similar attacks from being successful in the future?

Complex password policies

Account lockout

Self-service password reset portal

Scheduled vulnerability scans

32 / 60

A security analyst saw two alert;

1st; a process spawned from “wmiprvse.exe”
2nd; a suspicious connection detected from “svchost.exe”

Which service may abused if you think this two alert?

Remote Desktop

Windows Remote Managment

Internet Information Services

Windows Spool Services

33 / 60

Which Mitre ATT&CK™ tactic describes the process of an attacker gathering information to provide more information on the environment that they have gained access to?

Defense Evasion

Collection

Discovery

Privilege Escalation

34 / 60

An analyst notices that a user from building maintenance is part of the Domain Admin group. Which of the following does this indicate Mitre Att&ck vectors?

Discovery

Impact

Privilege escalation

Defense Evasion

35 / 60

Which Mitre ATT&CK™ tactic describes an attacker’s efforts to avoid detection?

Lateral Movement

Execution

Defense Evasion

Impact

36 / 60

Which Mitre ATT&CK™ tactic describes an attacker maintaining a presence on the endpoint?

Persistence

Command and Control

Exfiltration

Collection

37 / 60

What is another name for a process injection attack?

Denial of Service

Phishing

SQL Injection

Fileless attack

38 / 60

Which of the following is not considered part of the lateral movement process?

Internal reconnaissance

Privilege escalation

Exfiltration

Pivoting attacks

39 / 60

What is “Over Pass the Hash” attack?

Bruteforcing kerberos service

Changing password of domain admin

Forging a kerberos ticket using a users password hash remotely

Obtaining a users password

40 / 60

Which order of operation is necessary when executing a Kerberoasting attack?

SPN discovery, export service tickets, request service tickets, crack service tickets

Request service tickets, SPN discovery, crack service tickets, export service tickets

Export service tickets, request service tickets, SPN discovery, crack service tickets

SPN discovery, request service tickets, export service tickets, crack service tickets

41 / 60

What is DCSync attack?

Remotely executing malicious Powershell commands on DC server

Adding a backdoor domain admin

Dumping lsass memory of DC

Getting copy of the information in DC using domain replication in a malicious way

42 / 60

When executing Mimikatz from the target’s hard drive, which of the following commands must you execute, which requires you to impersonate SYSTEM-level access, prior to dumping credentials from the target host?

mimikatz # privilege::debug

mimikatz # token::whoami

mimikatz # token::elevate

mimikatz # lsadump::sam

43 / 60

To forge a golden ticket the attacker needs _____ ?

A service users password hash

A domain admins password hash

Guest Access to DC

Krbtgt users password hash

44 / 60

What is the purpose of query shown below?

source="/var/log/auth.log" COMMAND="*" USER="root"

List command ran with sudo

List Root logins

List Groups authentication permissions

List Root file permissions

45 / 60

What is the purpose of query shown below?

index="linux_access_log" ("|" OR "||" OR ";" OR "$" OR "&&") AND ("ls" OR "id" OR "whoami" OR "ping" OR "nc" OR "ncat" OR "php")

Checking for special charachters

Checking for system commands

Checking for reverse shell

Checking for OS Command injection

46 / 60

What type of attack can be considered if you see logs like in access.log?

"GET /?id=1' and if(substr((select version()),1,1) = '5' , sleep(3), 1) #&Submit=Submit HTTP/1.1" 200

Blind SQL injection

Union based SQL injection

Out-of-Band SQL injection

Error based SQL injection

47 / 60

What type of attack can be considered if IDS rule was hit?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Attack"; flow:to_server,established;content:"alert(document.cookie)"; nocase; sid: 1000000;)

Cross site scripting

SQL injection

Process injection

File inclusion

48 / 60

The process of replacing HTML control characters (e.g. , “, &, etc) into their encoded representatives (e.g. “& lt ;” “& gt ;” “& quot ;” “& amp ;” etc..) is known as?

Input validation

Session management

Output encoding

Parameterized queries

49 / 60

Determine the back-end database from given error:

Query failed: ERROR: syntax error at or near "20131418" LINE 1: 20131418 ^ in /var/www/html/view_project.php on line 13

MySQL

PostgreSQL

MsSQL

Oracle RDBMS

50 / 60

What type of attack is typically associated with the strcpy function?

Pointer dereferencing

A race condition

SQL injection

Buffer overflow

51 / 60

What are the two most common phases of malware analysis?

Behavioral and code analysis

User and kernel mode analysis

Identification and containment analysis

Registry and file system analysis

52 / 60

Which of the following tools best supports the concept of breakpoints?

Debugger

Disassembler

Sniffer

Logger

53 / 60

Using Entropy analysis which of the following can be said for malware?

That is well written

When it has compiled

Which language it is written with

If it is packed / encrpyted

54 / 60

Which of the following defensive measures do malware authors use to encode the original executable to protect it against static code analysis?

Embedding an imports table in the malicious executable

Targeting client-side vulnerabilities

Packing the malicious executable

Employing fast-flux DNS techniques

55 / 60

Which mechanism is malware least likely to use when defending itself against analysis?

Employing polarization techniques

Detecting the presence of a debugger

Making use of "tricky" jump instructions

Inserting junk code instructions

56 / 60

In the context of malware analysis, what does the term "patching" refer to?

Installing software updates that address vulnerabilities in installed software.

Setting memory breakpoints by modifying access flags on memory segments.

Stepping through the executable without running every instruction within function calls.

Modifying a compiled executable to change its functionality without having to recompile it.

57 / 60

Which processor instruction is commonly used to fill up buffer space in exploit code and help slide the program execution flow to its final destination?

0x80

0x99

0x90

0x09

58 / 60

Which of the following assembly instructions is least likely to be used by malicious code to perform a jump?

JMP

XOR

RET

CALL

59 / 60

Which x86 register is most commonly used for storing a function's return value in assembler?

ECX

EIP

EAX

EFLAGS

60 / 60

Which of the following system calls is most likely to be used by a keylogger?

GetAsyncKeyState

GetProcAddress

POP

VirtualAllocEx