Practice Test 2 Flashcards

(75 cards)

1
Q

How should the source data be formatted to successfully run the following Athena query?

SELECT destinationaddress, count(*) AS total
FROM vpc_flow_logs
WHERE date = DATE '2022-04-01' AND
      destinationport = 443
GROUP BY destinationaddress
LIMIT 25

YAML
CSV
PCAP
KQL

A

CSV

2
Q

Which of the following is a known limitation of detecting cloud service and infrastructure discovery activities?

IAM policies do not apply to ‘read’ or ‘list’ calls
Azure API read commands are not logged
AWS API calls using ‘describe’ are not logged

A

Azure API read commands are not logged

4
Q

What tool can improve logs by removing unnecessary fields and adding valuable details such as IP to hostname resolution?

ElastiCache
Logstash
EventBridge
Event Hubs

A

Logstash

5
Q

What Can be inferred about the following Macie alerts?

Severity: Medium x4
Finding Type: Sensitive Data x4
Resources Affected: xxxx/xxxx/cards.txt or customer_data.txt

The files likely contain executable code
The alert is based on sensitive filenames
The files contain images with sensitive data
The alert likely has a default severity

A

The alert likely has a default severity

6
Q

What behavior can be identified from S3 logs using the following command?
cat <log-files> | awk '{dataset[$5]+=$16} END {for (i in dataset) {print dataset[i] " " i}}' | sort -rn

A single downloaded file with a very large size
A number of files downloaded by a single IP
A single IP downloading a large volume of data
A single file being downloaded many times

A

A single IP downloading a large volume of data

7
Q

What is a limitation of GuardDuty?

It requires enabling all 5 data sources
VPC flow logs must be enabled to use them as log source
Detections lack official ATT&CK mapping
No coverage is available for Kubernetes

A

AWS does not map findings or threats to MITRE ATT&CK.

There is a category for Kubernetes detections.

VPC flow logs can be used as a log source despite not configuring a flow.

There are 5 log sources available; they have different prices and it’s possible to determine which ones to use.

8
Q

Which of the following is a cousin domain of www[.]giac[.]org?

glac.org
www[.]giac[.]org/blog
wwwgiac.org
admin.giac.org

A

wwwgiac.org

9
Q

How long is Microsoft 365 Defender’s data available within the service itself?

30 days
7 days
90 days
365 days

A

30 days

10
Q

What is a characteristic of a low-interaction honeypot?

Allows attacker to pivot within an isolated network
Applications run on virtual instances with basic user rights
Identifies attacker techniques without compromising a system
Exposes known operating system vulnerabilities to attackers

A

A low-interaction honeypot only mimics a legitimate service and does not expose the underlying operating system. A high-interaction honeypot uses legitimately vulnerable services to attract attackers; because of this, it is possible to pivot to other systems.

11
Q

What is an advantage of AWS VPC flow logs version 3 over version 2?

Sample packet captures are included for inspection
Elastic Network Interface ID field is built into the log
Region and availability zone details are added
Instance ID field is available for correlation

A

Instance ID field is available for correlation

The ID of the instance involved in the flow becomes available in version 3; this facilitates correlation with other logs such as CloudTrail. Without this field, it would be necessary to query the resource associated with the logged ENI before it disappears.

Region and availability zone details are included in version 4.

Packet captures are not included in flow logs of any kind.

The Interface ID field is available in version 2.

12
Q

Which of the following is the starting point of a threat hunting process?

Matching a malware signature
Eradicating network vulnerabilities
Investigating an active incident
Creating an attack hypothesis

A

Creating an attack hypothesis

13
Q

What is the correct AWS CLI syntax?

aws [command] [API service] [key/value string] --[flag]
aws [API service] [command] --[flag] [key/value string]
[API service] [command] --[flag] [key/value string] --aws
[command] [API service] [key/value string] --[flag]

A

aws [API service] [command] --[flag] [key/value string]

AWS CLI commands share the same basic building blocks. For example, in aws cloudtrail lookup-events:
* aws is the application name
* cloudtrail is the name of the API service
* lookup-events is the command
After the application, service, and command comes a set of key/value parameters, each introduced by a command flag denoted by double dashes.

14
Q

What is missing from the following command?

az monitor activity-log list --offset 1h --query --output table

The transform command
A JMESPath filter expression
A Kusto filter expression
The Get-Date command

A

A JMESPath filter expression

The --query flag is quite complex and uses JMESPath as its query language to filter JSON results.

15
Q

When a CloudWatch agent is running with an unconfigured log group, how long will the logs be retained?

90 days
Forever
6 months
A week

A

Forever

16
Q

Which AWS service provides scheduled snapshots, CloudTrail event timelines, and compliance rule status for individual resources?

Inspector
Athena
Config
CloudWatch

A

Config

17
Q

What is missing from the following risk definition equation?
Risk = Threat Probability *

Threat Criticality
Size of Organization
Data Sensitivity
Vulnerability Impact

A

The definition of “risk” is Risk = Threat Probability x Vulnerability Impact.

When Capital One was notified that they may be the victim of a breach, their threat probability was high. To determine the risk, they must determine the vulnerability impact. Though the number of assets, data sensitivity levels, and other factors could be part of understanding the vulnerability impact, it is not the full picture.

18
Q

Which measure can help reduce Athena’s service cost?

Using KQL when building queries
Partitioning the data tables
Creating table schemas for unknown formats
Turning off Athena's VMs when not in use

A

Athena's cost scales with the amount of data scanned ($5 per TB), so partitioning the data tables helps bound a query and scan only the relevant data.

Athena uses SQL for queries; KQL is supported by Azure Log Analytics.

Being serverless, Athena gives users no control over its infrastructure; costs are determined by the data volume scanned.

Creating table schemas for unknown formats is a prerequisite for using the tool, not a cost-saving measure.

19
Q

Which of the following does AWS ECS use to specify a container image and launch configuration?

IAM account settings
Service definition
Task definition
Cluster settings

A

To inform AWS ECS how to launch the containers, a task definition must be created.

This will include items like:
* Container image
* Compute Resources (CPU, memory, etc)
* Port mappings
* Environment variables
* Launch configuration
* Logging drivers

Service definition, IAM account settings, and cluster settings do not contain these settings.

20
Q

What is a recommended target for the VXLAN formatted data generated by AWS VPC Traffic Mirroring?

CloudTrail log console
S3 bucket
API gateway
Network load balancer

A

Traffic Mirroring copies inbound and outbound traffic from a network interface (ENI) attached to an Amazon EC2 instance (source) and sends it to another EC2 instance or Network Load Balancer that has a UDP listener (target).

The mirrored traffic is sent in the VXLAN format, a network virtualization technology that addresses scalability problems in large cloud computing environments. Always use a network load balancer and an autoscaling group in front of your analytic systems. It is a best practice to put a load balancer and EC2 in an autoscaling group even if you only have a single EC2 instance.

21
Q

Which of the following components is a Control Plane logging option when configuring AWS EKS?

Kubelet
Scheduler
Insights
Container

A

Scheduler

22
Q

What should replace the (?) missing element in the command below?

az provider operation list | \
(?) -r '.[].resourceTypes[].operations[].name'

extend
jq
ps
sort

A

jq

23
Q

A developer wants to focus on securing code. What resource should they study?

MITRE ATT&CK
CIS Benchmarks
OWASP Top 10

A

OWASP Top 10

24
Q

Which of the following allows an analyst to use Azure DCR to collect syslog events and send them to an Event Hub?

Log analytics agent
Monitor agent
OSSEC agent
OMS agent

A

Monitor agent

25
Q

How should automated response workflows be managed in a cloud environment?

As development software
As elastic architecture
As production software
As immutable architecture

A

As production software

26
Q

Which of the following will result in a failed Azure instance metadata request?

Sending the request over HTTP rather than HTTPS
Including a Metadata header value in the request
Lack of username and password in the request
Using the HTTP POST method to send the request

A

Using the HTTP POST method to send the request

27
Q

An organization uses AWS CloudWatch to respond to GuardDuty findings. What would prevent some findings from being delivered to CloudWatch?

Suppression filter
Regional entity
False negative
Data Source

A

Suppression filter

28
Q

What additional information does VPC flow log version 3 introduce?

Interface ID
Traffic direction
Availability zones
Instance ID

A

Instance ID

29
Q

Which root level directory commonly stores the default system log files on most Linux distributions?

/usr
/etc
/var
/dev

A

/var

30
Q

What Azure Durable Functions capability can be leveraged when working with automated response workflows?

Higher redundancy across multiple regions
Orchestration of other functions
Higher concurrency limits
A drag-and-drop interface

A

Azure Durable Functions aim to offer a solution to **orchestrate** the execution and state of **other functions**. Another solution aimed at function orchestration is Azure Logic Apps, which provides a user-friendly graphical interface. Azure does not advertise any kind of concurrency limits on serverless functions.

31
Q

Below is an example of what AWS SSM resource?

{
  "schemaVersion": "2.2",
  "description": "Example",
  "parameters": {
    "message": {
      "type": "String",
      "description": "Example parameter",
      "default": "Hello GIAC"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "example",
      "inputs": {
        "timeoutSeconds": "",
        "runCommand": ["Write-Output {{ message }}"]
      }
    }
  ]
}

Notebook
API Call
Document

A

An AWS Systems Manager **document** defines the actions that Systems Manager performs on a managed instance. There are built-in SSM documents (e.g., AWS-RunShellScript), but customized documents can also be created. This custom document uses the aws:runPowerShellScript plugin to run a PowerShell command on a target instance.

32
Q

Which command key word is used to obtain the instance details of live AWS EC2 resources?

Config
Describe
List
Show

A

The AWS CLI commands use key words like "**describe**" to query resource details. For example, to query EC2 resources:

aws ec2 describe-instances

The word "list" may be used for other resources, such as S3 buckets, but not EC2 instances.

33
Q

By default, CloudTrail logs are retained for how long?

1 year
30 days
90 days
6 months

A

By default, CloudTrail logs are retained by AWS for **90 days** and can be queried via API to retrieve them. CloudTrail logs can also be configured to be stored in a centralized location, which supports longer retention times.

34
Q

What can be determined by the following /etc/bash.bashrc output?

root [308]: cat /etc/passwd [1]

The command failed
The command generated one syslog message
The command succeeded
The command was the first in a series

A

When reviewing bash.bashrc output, a command (like cat /etc/passwd) with an exit code of 1 **indicates failure**. A 0 exit code indicates success.

35
Q

Which type of threat detection would use current knowledge of a known architecture or design to identify deviations from a baseline?

Behavioral
Statistical
Atomic
Signature

A

The formula for **statistical** detections is very dependent on the architecture and processes of an organization. It looks for outliers, changes, or disruptions that differ from a baseline defined by the experience of the analyst. Atomic and signature detections use a single piece of information to determine good or bad. Behavioral detections require multiple logs from different telemetry sources to tell a story of questionable activity.

36
Q

Which tool generated the output shown in the screenshot?

Permissions
One of the following permissions is required to run the query. Sign in with an account that can consent to the permissions you will choose.

AWS Systems Manager
Microsoft Graph Explorer
CloudWatch Logs Insights
Azure Log Analytics

A

**Microsoft Graph Explorer** provides many useful sample queries along with a handy interface to modify these queries, if necessary, to access data in Microsoft 365. Before the query can succeed, an admin may be required to consent to the various permissions needed to access the required Microsoft 365 data and resources.

37
Q

An engineer wants to pass the results of the following command into a script that uses jq. What output option should they select?

aws iam list-policies --output ???

JavaScript
JSON
YAML
Table

A

JSON

38
Q

Which protocol is supported for accessing Azure file share storage?

RDP
SSH
NFS

A

NFS

39
Q

Which of the following is a CIS Critical Control?

Unauthorized Access
Network Service Scanning
Security Misconfiguration
Malware Defense

A

Malware Defense

40
Q

Which of the following is a MITRE ATT&CK Technique?

Exfiltration
Malware Defense
Injection
Create Account

A

In the MITRE ATT&CK matrix, the column below a tactic lists the techniques that attackers have been reported to use. Clicking one, such as "**Create Account**", provides details and how to mitigate it. Exfiltration is a tactic, not a technique. Injection is on the OWASP Top 10. Malware Defense is a CIS critical control.

41
Q

Which solution identifies service misconfigurations in Azure environments?

Security Hub
Defender
CloudWatch
Inspector

A

Defender

42
Q

What file format is Azure Network Security Group flow data stored in when output to Azure Storage?

GZIP
XML
JSON
PCAP

A

JSON

43
Q

Which of the following indicates an attacker using stacked queries to perform SQL injection?

CONCAT
JOIN
Semicolon (;)
Asterisk (*)

A

Semicolon (;)

44
Q

What function does Azure's Stream Analytics perform?

Playing video content on Azure applications
Forwarding event data to external sources
Evaluating user behavior to find malicious insiders
Evaluating network streams for anomalies

A

Azure's Stream Analytics can **forward event data to external services**, such as an organization's on-premises SIEM. Stream Analytics can be configured within the Azure Event Hub. Stream Analytics does not play video or analyze logs for anomalies or malicious events.

45
Q

Which option describes the query below?

StorageFileLogs
| where OperationName == "GetFile"
| project TimeGenerated, AccountName, CallerIpAddress, Uri

CloudWatch Log Insights query on storage logs
Kusto query enumerating access to S3 files
KQL query performed on Azure Log Analytics
Graylog query investigating Azure Storage logs

A

KQL query performed on Azure Log Analytics

46
Q

When pushing data to Azure's Event Grid, which of the following processes the received events?

Stream
Subscription
Publisher
Handler

A

An event **handler** is the destination of the event and is what processes it. A publisher is a user or organization that decides to send events to Event Grid. The event subscription tells Event Grid which events on a topic you are interested in receiving.

47
Q

Active Scanning falls under which MITRE ATT&CK category?

Detection
Tactic
Mitigation
Technique

A

Technique

48
Q

What type of activity results in several HTTP GET requests with 401 status codes?

Web crawling for non-existent URL paths and pages
Web resource requiring a different HTTP method for access
Password guessing against one or more web accounts
Browsing to a bookmarked URL that has moved locations

A

Password guessing against one or more web accounts

49
Q

What Athena data source is used to query S3 by default?

DynamoDB
AwsDataCatalog
CloudWatch
RedshiftDB

A

A data source is made up of the location of the data and the metadata catalog that contains the schema for the data. By default, the **AwsDataCatalog** data source will query S3.

50
Q

Which of the following is a table in Microsoft Defender's Advanced Hunting schema?

StorageFileLogs
AuditLogs
DeliveryAction
EmailAttachmentInfo

A

Microsoft 365 Defender Advanced Hunting allows querying data from endpoints, Office 365, and identities, among other sources. It uses Kusto Query Language (KQL). The data is stored in tables such as AlertInfo or **EmailAttachmentInfo**. AuditLogs and StorageFileLogs are Azure Log Analytics workspace tables. DeliveryAction is a column, not a table.

51
Q

An analyst uses Microsoft Sentinel to run multiple KQL queries on a regular basis. How can the query outputs be viewed visually?

Using a playbook to create a dashboard
Creating a custom notebook
Adding an information widget to the portal
Creating a management plane

A

An analyst can **create a notebook** based on KQL queries that are run often. This allows the results of the KQL query to be visualized. Creating a playbook allows automated responses to be performed on triggered alerts.

52
Q

Which of the following shows a CloudTrail event field value for an EC2 API call?

Event id: 4625
Event severity: Critical
Event table: KubeEvents
Event name: DescribeInstances

A

Event name: DescribeInstances

53
Q

Based on the Azure Diagnostics Settings shown in the image, what is the purpose of the collected data?

Archiving for off-line auditing
Integrating into queries and alerts
Bulk extraction to on-premise storage
Real-time streaming to an external SIEM

A

Integrating into queries and alerts

54
Q

Which corresponds to an EventBridge capability?

Generating events when resources perform actions
Invoking an automated action given certain event patterns
Performing actions such as instance deletion on targets
Analyzing VPC flow data in order to generate logs

A

Invoking an automated action given certain event patterns

55
Q

Which of the following is an AWS Config Resource Type?

Noncompliant Rules
AMI: t2.micro
Instance: i-072b2126247a8a8a4
EC2 Security Group

A

Selecting the "Resources" option takes us to the AWS Config Resource Inventory page. At the top, you can filter by resource category, resource type, and compliance level. Resource types include **EC2 SecurityGroup** or IAM Role.

56
Q

The query below will parse activity logs in which platform?

| extend locallogon = extractjson("$.IsLocalLogon", AdditionalFields, typeof(string))

Docker
MacOS
CloudWatch
Azure

A

The **Azure Activity log** data is written to the AzureActivity table. Each operation in a query is separated by a pipe character (|). To effectively filter and parse this data, one must understand the Kusto Query Language (KQL). There are many operators and functions that can be used to select, process, and present this data, including:
* extend: Add more fields based upon specific criteria or another function's output
* project: Determine which fields to display in the results
* extractjson(): Many fields may have nested JSON values, so this function extracts the user-requested nested JSON value from a particular field

57
Q

GuardDuty provides which part of an automated workflow?

Trigger
Orchestration
Response
Validation

A

Every workflow starts with a **trigger**: some condition that is observed, met, and kicks off execution of the workflow. Cloud services provide triggering, or eventing, capabilities that may perform or support creating triggers. Services like GuardDuty analyze data and create the event, from which you can create a trigger.

58
Q

An analyst reviewing Windows Event logs finds a large volume of 4625 events on a single host and associated with a single source IP address during a short period of time. What attack was likely occurring?

Service Discovery
SQL Injection
Password Guessing
Vulnerability Scan

A

Password Guessing

59
Q

Which docker driver forwards log messages to a remote host by default?

gelf
journald
json-file
fluentd

A

Docker has a few options that control how log data is formatted and whether it is shipped outside of the platform, set through logging driver configuration flags. The 'gelf' driver generates data in Graylog Extended Log Format (**GELF**) and ships it to a Graylog or Logstash endpoint. journald, json-file, and fluentd all write to the local host by default.

60
Q

Which of the following indicates a password spraying attack?

Login attempts for a single user name across multiple websites or applications
A user's stolen credentials being used to create unauthorized accounts on other websites
Constant login attempts for a targeted user account until a successful login occurs
A single login attempt for multiple user accounts in a short period of time

A

A single login attempt for multiple user accounts in a short period of time

61
Q

What table is created automatically in Azure Log Analytics Workspaces to store indexed and enriched network flow data collected by the Network Watcher service?

VMConnection
NetworkSessions
AzureNetworkAnalytics_CL
DeviceNetworkEvents

A

AzureNetworkAnalytics_CL

62
Q

Examine the following image. What artifact links these operations together in this grouping?

A

When reviewing event data in the Azure Portal, there are a few nuances that make this service quite different from AWS's CloudTrail offering. First, events can be grouped together and share the same correlation ID field. This field's value is shared among the events that belong to the same overarching operation. In other words, related events are merged into one collapsible group within the portal. For example, when deleting an Azure Resource Group, which Azure defines as "a container that holds related resources for an Azure solution", many delete operations happen as several cloud resources are removed, yet it was one major action a user performed that caused all of them. These many actions would share the same correlation ID.

63
Q

Once mysql-general.log is created, which additional setting is required to watch log activity in the AWS RDS dashboard?

CONNECTION
audit_log_events: GENERAL
log_output: TABLE
log_output: FILE

A

log_output: FILE

64
Q

Which is a feature of AWS Security Hub?

Scheduled vulnerability scanning
Environment compliance checking
Sensitive data discovery
User behavior analytics

A

AWS Security Hub will perform **environment compliance checking** when provided a baseline framework. AWS Security Hub centralizes data from other AWS security services that may provide the other capabilities, but it does not itself perform vulnerability scanning, user behavior analytics, or sensitive data discovery.

65
Q

Which binary enables system call monitoring on Linux-based systems?

cron
auditd
PAM
zcat

A

The Linux binary auditd enables enhanced monitoring of Linux-based systems, including logging of system calls, file access/modification/deletion, and specific kernel events.

66
Q

Secrets are injected into the runtime of Lambda functions from which location?

Local Files
Security Token Service
Environment Variables
Instance Metadata Service

A

Environment Variables

67
Q

The following command falls under which CloudTrail event category?

aws s3api delete-object --bucket giac --key flowlog.txt

Access
Bucket
Data
Security

A

CloudTrail **Data** events capture operations performed within a resource, such as operations on objects in an S3 bucket.

68
Q

The following configuration excerpt shows an example of what?

{
  "Key": "aws:cloudformation:logical-id",
  "Value": "CherryCreekTrai11841"
}

Role definitions
Identity ARNs
Resource tags
Vault secrets

A

**Resource tags** are key/value pairs that add metadata to a resource. For example, Location:Rhonda could be used to specify the location of a resource, which could then be searched or used for automation, reporting, and other activities.

69
Q

Which of the following processes is recommended to configure secrets in a containerized web server?

Incorporating them in the image as encoded files
Storing them in the web server image, within the appropriate configuration file
Passing them as command line arguments in the build step for the relevant layer
Providing them as environment variables during container creation

A

When secrets are included in the image, anyone with a copy of the image could extract them. Even if they are only part of the build process, the build steps can be inspected with the docker history command, exposing the credentials. A recommended way to provide secrets is at the time of **container creation**. If the container is compromised the credentials are exposed, but at least the credentials are not shipped with the image. An additional benefit is avoiding complex credential rotations that would otherwise affect the image and force a new release.

70
Q

Which of the following is a consideration for AWS Amplify?

Full log viewing requires analysis through a browser window
Logs sent to Cloudwatch are limited to timestamp and HTTP header data
Log shipping requires a manual process of exporting CSV files
Information is limited to data captured by web error logging

A

Log shipping requires a manual process of exporting CSV files

71
Q

The Azure Cognitive Search @search.score metric provides what information?

The relevance of the provided search criteria
The percentage of the search completed so far
The number of records matching the search criteria
The accessibility of the targeted data sources

A

The relevance of the provided search criteria

72
Q

What can replace the "??" below to view all run commands that are available?

az vm run-command ?? -l "westus2"

List
Index
Show
Display

A

List

73
Q

Which of the following can be used as an option in a filter rule for an AWS Traffic Mirroring session?

Packet size in bytes
Rule Name
Custom Protocol Name
Half or Full duplex
Port ranges

A

Port ranges

74
Q

Which of the following best describes the Splunk Common Information Model?

Written to allow threat intelligence feed integration
Created to assist with field normalization
Plugin used to provide data enrichment
Allows for Cloudtrail log ingestion

A

Created to assist with field normalization

75
Q

Which is an essential characteristic of a cloud computing model according to NIST?

Broad network access
Multiple deployment models
Service orchestration
Centralized identity management

A

Broad network access