CompTIA CySA+ Domain 1: Security Operations

OSINT is intelligence derived exclusively from publicly or commercially available information, which is exactly what the analyst collects here without touching the target.

• AHUMINT is intelligence collected from human sources through interpersonal contact, not from publicly available published information gathered passively.
• CSIGINT is derived from intercepted signals and communications, which requires technical interception rather than reading openly published material.
• DGEOINT is geospatial/imagery intelligence about physical features and locations, not the open-source textual profiling described in the scenario.

In RFC 5424 (and RFC 3164) the severity scale runs 0–7 with 0 = Emergency ('system is unusable'); lower numbers are more severe.

• BSeverity 7 is Debug, the least urgent level used for verbose diagnostics — the opposite end of the scale from an unusable system.
• CSeverity 4 is Warning, indicating a potential future problem, not the most urgent 'system is unusable' condition described here.
• DSeverity 1 is Alert ('action must be taken immediately') which is urgent but one level below Emergency (0), so it is not the most severe value.

T1071 (Command and Control) is adversaries communicating over OSI application-layer protocols such as HTTPS/DNS to blend with existing traffic and avoid detection.

• AT1041 specifically covers stealing data over an existing C2 channel; the scenario is about establishing C2 inside common protocols, not the exfiltration step.
• BT1566 Phishing is an initial-access delivery technique via deceptive messages, unrelated to how command-and-control traffic blends into application protocols.
• DT1090 Proxy relays traffic through intermediary infrastructure to obscure origin; it does not describe embedding C2 within a standard application-layer protocol.

A PKI is precisely the framework established to issue, maintain, and revoke public key certificates that bind public keys to identities.

• AA SIEM aggregates and correlates security event logs for monitoring; it does not issue, maintain, or revoke the public-key certificates described here.
• BData loss prevention detects and blocks unauthorized exfiltration of sensitive data; it has nothing to do with certificate lifecycle management.
• CMultifactor authentication verifies identity using multiple factors; it consumes certificates but does not provide the framework that issues and revokes them.

Multifactor authentication is authentication using two or more distinct factors — here something you know (password) plus something you have (token).

• ASingle sign-on lets one authentication grant access to many systems; it concerns session reuse, not the number of distinct factors presented.
• CFederation lets identities from one trust domain access another's resources; it addresses cross-domain trust, not how many factors are used.
• DSingle-factor authentication uses only one factor; the scenario explicitly combines two distinct factors, which is the opposite of single-factor.

A sandbox is a restricted, controlled execution environment that lets untrusted software run while preventing it from accessing unauthorized system resources.

• BA honeypot is a decoy system meant to attract and study attackers, not an isolated environment for an analyst to detonate a specific sample under control.
• CA jump box is a hardened host used to administer other systems across a boundary; it is for controlled access, not for safely executing untrusted code.
• DA bastion host is an exposed, hardened gateway into a network; it is not designed as an isolated detonation environment for malware analysis.

A false positive is an alert that incorrectly indicates malicious activity is occurring, which is exactly an alert that fired on benign, authorized traffic.

• AA true positive is an alert that correctly identifies genuinely malicious activity; here the activity was benign, so the alert was not correct.
• BA false negative is a failure to alert on activity that WAS malicious; this scenario is the reverse — an alert fired on activity that was benign.
• DA true negative is the correct absence of an alert when nothing malicious occurred; but here an alert did fire, so it cannot be a true negative.

ATT&CK lists T1071 Application Layer Protocol under the Command and Control tactic, where adversaries communicate with compromised systems by mimicking normal protocol traffic.

• AExfiltration covers stealing data out of the network; T1071 describes the channel used to remotely control the host, which ATT&CK maps to a different tactic.
• BPersistence is about maintaining access across reboots or credential changes; blending C2 traffic into application protocols is not a persistence mechanism in ATT&CK's T1071 mapping.
• CInitial Access covers the entry vector into the network; T1071 concerns post-compromise communication with an already-controlled host, which is a separate tactic.

ATT&CK places Phishing (T1566) under Initial Access, the tactic covering entry vectors adversaries use to gain their initial foothold within a target network.

• BCollection covers gathering data of interest after compromise; phishing to obtain the first foothold is an entry vector mapped to a different ATT&CK tactic.
• CLateral Movement is pivoting between internal systems after access is gained; an inbound phishing email seeking the initial foothold is not lateral movement.
• DReconnaissance is pre-compromise information gathering; sending a weaponized email to actually gain access is an entry step ATT&CK classifies under Initial Access.

Zero trust grants no implicit trust based on physical or network location and authenticates and authorizes every access request to a resource, matching the scenario precisely.

• ADefense in depth stacks multiple perimeter controls but still assumes insiders are trusted once past them, which contradicts the no-implicit-trust model described here.
• BCastle-and-moat trusts anything already inside the network boundary, the exact legacy assumption this redesign is explicitly trying to eliminate for every request.
• DNAC only gates devices at the point of network admission; it does not enforce continuous per-resource authorization independent of network location across the whole enterprise.

SDN introduces an abstraction for the data forwarding plane and separates it from the control plane, letting a central controller program forwarding via open interfaces as described.

• BSASE converges networking and security services at the cloud edge for users; it does not specifically define the control-plane and data-plane separation the scenario describes.
• CNFV runs network functions like firewalls as virtual machines on commodity hardware; it complements SDN but is not the decoupling of forwarding from control logic.
• DSTP is a Layer 2 loop-prevention protocol that blocks redundant switch links; it has nothing to do with centrally programming forwarding through a controller.

Containers are a form of operating system virtualization that package an app and isolate it while sharing the single host OS kernel, exactly as described here.

• AA Type 1 hypervisor hosts virtual machines that each run a separate guest OS on virtualized hardware, the opposite of processes sharing one host kernel.
• BFull virtualization runs one or more complete operating systems on virtual hardware; the scenario shares a single host OS kernel rather than virtualizing hardware per guest.
• CVDI delivers full desktop operating systems to end users from a server; it is not the OS-level packaging of microservices that share the host kernel.

OpenID Connect is a simple identity layer on top of OAuth 2.0 that issues an ID token so a client can verify the authenticated end user's identity, matching the scenario.

• ASAML is an XML-based federation standard that exchanges assertions; it predates and is not built on top of the OAuth 2.0 authorization framework described in the scenario.
• CKerberos authenticates principals inside a realm using time-stamped tickets from a key distribution center; it is not an identity layer built on OAuth 2.0 for web apps.
• DRADIUS centralizes authentication, authorization, and accounting for network access such as VPN or 802.1X; it does not layer identity tokens over OAuth 2.0.

Segmentation divides a network into smaller isolated subsections with firewalls so a compromise stays contained and adversary lateral movement to critical assets is restricted.

• APort mirroring copies traffic to a monitoring port for analysis; it provides visibility but does not divide the network into isolated zones to stop lateral movement.
• BLink aggregation bonds multiple physical links for more bandwidth and redundancy; it does nothing to isolate zones or restrict an attacker's movement between them.
• CNAT rewrites IP addresses at a boundary to conserve or hide addresses; it is not a control for splitting the internal network into isolated, firewalled segments.

A hypervisor or virtual machine monitor virtualizes hardware resources so multiple virtual machines, each with its own guest OS, run on a single physical host as described.

• AA container runtime runs containers that share the host OS kernel; it does not provide each workload a full guest operating system on virtualized hardware as described.
• BA microkernel scheduler arbitrates processes within a single operating system kernel; it does not abstract hardware to run multiple independent virtual machines.
• DA terminal/remote-desktop session broker distributes user sessions to session hosts; it does not virtualize physical hardware to host full virtual machines.

The policy enforcement point is the system responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource, enforcing the engine's decision.

• AThe policy engine decides whether to grant access using its trust algorithm, but it does not itself open, watch, and tear down the connection to the resource.
• CThe policy administrator establishes or shuts the communication path by signaling the enforcement point, but the actual connection handling occurs at the enforcement point itself.
• DA certificate authority issues digital certificates for PKI trust; it is a supporting data source, not the zero trust component that brokers the subject-to-resource connection.

T1046 covers getting a listing of services running on remote hosts using port and vulnerability scans, exactly the multi-port sweep enumerating which services answer.

• ARemote System Discovery enumerates which hosts or IP addresses exist, whereas the workstation here is fingerprinting which service ports answer on each host.
• BT1071 is a command-and-control technique for blending traffic into protocols like HTTPS, not the rapid port-and-service enumeration sweep described across the subnet here.
• DExternal Remote Services covers abusing VPNs or RDP gateways for access into the network, not internally scanning many hosts to discover which service ports respond.

T1048 is stealing data over a different protocol than the existing command-and-control channel, such as FTP or DNS, precisely matching the side-channel transfers observed.

• AThat describes Exfiltration Over C2 Channel (T1041), but here the data leaves over FTP and DNS, deliberately separate from the established HTTPS command-and-control link.
• CPeriodic beaconing maintains the control channel rather than moving bulk data out, so it does not describe the archive transfers leaving over FTP and DNS here.
• DExfiltration to a web or cloud service (T1567) uses legitimate sites like Dropbox over HTTPS, not the raw FTP and DNS protocols seen carrying the data here.

T1547.001 covers referencing a program with a Registry run key so it executes when the user logs in, exactly matching the new HKCU Run value observed.

• BScheduled Task/Job (T1053) uses the task scheduler with time or event triggers, not a Registry Run key value that fires automatically at each interactive logon.
• CCreate or Modify System Process (T1543.003) registers a Windows service under the service control manager, which differs from writing a per-user Run key entry.
• DEvent Triggered Execution via WMI (T1546.003) persists through permanent event consumers, not by adding a value to the CurrentVersion\Run registry key as seen here.

Process Injection (T1055) executes arbitrary code in the address space of a separate live process to evade defenses, matching the shellcode written into explorer.exe.

• AMasquerading (T1036) manipulates a file's name or location to look legitimate, but here a separate trusted process is being driven to run injected memory-resident code.
• BHijack Execution Flow (T1574) abuses how a process resolves libraries at load time, not the direct writing of shellcode into a live process's memory shown here.
• CReflective Code Loading (T1620) executes code inside the current process's own memory, whereas the indicator shows code written into a separate, already-running explorer.exe.

T1036.005 is matching the name or location of legitimate files, like placing an executable under System32 or naming it svchost.exe, exactly as observed here.

• AInvalid Code Signature (T1036.001) abuses signing metadata to appear trusted, but the indicators here are a copied trusted name and a trusted directory placement instead.
• CObfuscated Files or Information (T1027) compresses or packs a payload to defeat signatures, which is unrelated to copying a trusted filename into a trusted folder.
• DIndicator Removal by clearing logs (T1070) erases evidence after the fact, not the act of naming and placing a binary to impersonate a legitimate Windows file.

T1136 (Create Account) is making a new account such as a local one via net user /add to maintain secondary credentialed access, exactly as described here.

• AValid Accounts (T1078) abuses already-existing credentials the attacker obtained, whereas the indicator here is the deliberate creation of a brand-new local account.
• BSetuid/Setgid abuse (T1548.001) is a Linux privilege-escalation path, not the creation of a new Windows local account through the net user command shown here.
• DOS Credential Dumping from LSASS (T1003.001) harvests existing secrets from memory, which is different from adding a new local administrator account to the system.

T1567 is using an existing legitimate external web service to exfiltrate data, and uploading to Dropbox over HTTPS is the canonical cloud-storage example of it.

• BExfiltration Over Alternative Protocol (T1048) using DNS tunneling is a different channel; the observed indicator is bulk HTTPS uploads to a trusted cloud storage site.
• CExfiltration Over C2 Channel (T1041) reuses the adversary's own command path, not a legitimate third-party web service like Dropbox that hosts already trust.
• DExfiltration Over Physical Medium (T1052) moves data onto USB devices, which is unrelated to the network upload of archives to an external cloud storage account.

A packet sniffer or protocol analyzer monitors the network and captures packets, letting the analyst inspect protocol fields and payload bytes of the suspect beacon.

• AA SIEM correlates summarized log records and events but does not retain the raw packet payloads needed to read the actual traffic contents.
• BHashing the disk image verifies file integrity for forensics but captures no live network traffic, so the beacon payload stays invisible to the analyst.
• DDNS reputation and WHOIS lookups characterize the remote host's identity and history but reveal nothing about the byte-level contents of the captured packets.

A SIEM gathers security data from many components and presents it through a single interface, enabling correlation of failed logons across the disparate sources.

• AEDR focuses on activity and processes on individual endpoints; it does not aggregate and correlate logon events drawn from servers, VPNs, and web tiers together.
• CA protocol analyzer captures packets on one segment for deep inspection, not cross-source log correlation, so distributed logon attempts remain unconnected.
• DSOAR automates a response action after detection; it is not the mechanism that aggregates and correlates the multi-source logs needed to spot the pattern.

SPF lets the domain explicitly authorize the hosts allowed to use its domain names, so a receiver can check whether the sending IP was permitted.

• ADKIM uses a cryptographic signature to claim responsibility for a message's content, but it does not validate whether the sending IP was authorized.
• BReceived-header timestamps trace the relay path and timing of a message; they say nothing about whether the domain authorized the originating host.
• CA SHA-256 digest detects content tampering, an integrity control unrelated to authorizing which IP addresses may send mail for the domain.

A SHA-256 hash produces a condensed digest of the file; identical digests confirm the bytes are unchanged, and any alteration yields a different digest.

• BSPF authorization checks apply to the sending host of an email, not to verifying that a stored file matches a known-good cryptographic fingerprint.
• CA protocol analyzer inspects live packet payloads on the wire; it does not compute a fingerprint that proves a file is byte-for-byte identical.
• DA SOAR playbook automates a containment action; quarantining the host does nothing to verify whether the file itself was modified from the original.

SCAP is a suite of specifications that standardize the format and nomenclature for communicating software flaw and security configuration information, enabling automated assessment.

• ADMARC governs how mail receivers handle messages that fail authentication; it has nothing to do with standardizing vulnerability or configuration assessment content.
• CSOAR automates response actions through playbooks after a detection; it does not define the standardized content format used to express configuration checks.
• DA SIEM aggregates and correlates logs to detect activity; it is not the specification suite that standardizes how vulnerability and configuration checks are expressed.

A SOAR automates the response to detected activity by applying predefined playbooks that dictate the containment actions taken when a specific event occurs.

• AA SIEM collects, centralizes, and correlates log data, but only SOAR platforms perform the automated response functions the team needs to cut repetitive steps.
• BA protocol analyzer supports manual packet inspection during investigation; it cannot orchestrate or automate the containment workflow triggered by each alert.
• DSCAP standardizes the format of configuration and vulnerability content; it neither detects alerts nor automates the multi-step response the SOC wants.

A playbook provides a standard set of procedures to identify, coordinate, remediate, and recover, so every responder follows the same repeatable steps regardless of shift.

• BA hash baseline verifies file integrity but offers no procedural guidance, so it cannot standardize how analysts carry out the ransomware response.
• CAn SPF record authorizes sending mail hosts to fight spoofing; it is unrelated to documenting the repeatable steps of an incident-response process.
• DA SIEM correlation rule detects the activity and fires an alert, but it does not document the standardized response procedure the responders must follow.

ATT&CK defines a tactic as the why of a technique, the adversary's tactical goal and reason for performing an action.

• AProcedures are specific instances of how a technique was carried out, not the adversary's overall tactical goal being modeled here.
• CTechniques represent how a goal is achieved by an action; the stem names the goal itself, which is a tactic not a technique.
• DIndicators are observable forensic artifacts of compromise, not entries in the ATT&CK tactic taxonomy describing adversary goals and reasons.

ATT&CK defines a technique as how an adversary achieves a tactical goal by performing an action, exactly what dumping credentials describes here.

• ATactics express the why or goal such as credential access; T1003 names a concrete method, which ATT&CK classifies as a technique instead.
• BAn indicator is an observable artifact like a hash or IP, whereas T1003 is a behavior entry in the ATT&CK technique catalog.
• DCampaigns group related intrusion activity over time; a T-number identifies an individual technique, not a dated campaign of adversary operations.

Indicators of compromise are technical artifacts or observables, like hashes and IPs, signaling that a compromise has occurred or is underway.

• BTTPs describe how adversaries behave across the lifecycle; a hash or IP is a discrete observable artifact, classified instead as an indicator.
• CA hypothesis is a testable proposed explanation that drives hunting; the confirmed hash and IP are evidence of compromise, not a hypothesis.
• DVulnerabilities are weaknesses that enable attacks, whereas the recovered hash and IP are observed artifacts confirming an intrusion already happened.

An APT possesses sophisticated expertise and significant resources, pursuing objectives repeatedly over an extended period and adapting to defenders' efforts to resist it.

• AHacktivists pursue ideological aims, often in brief noisy campaigns, not the patient, well-funded, long-dwell intrusion behavior the report describes here.
• BScript kiddies lack the resources and expertise described; they run borrowed tooling opportunistically rather than sustaining adaptive, prolonged, multi-vector operations against a target.
• CCommodity actors chase fast, broad, low-effort gains; the sustained, adaptive, resource-intensive campaign profiled instead matches an advanced persistent threat actor.

An insider threat is a person using authorized access, wittingly or unwittingly, to harm the organization; accidental and negligent acts are included.

• AInsider threat covers unwitting acts; harm caused by a trusted user's mistake still qualifies even when there was no malicious intent.
• CAn APT is an external, sophisticated, resourced adversary; here a trusted internal user with valid access caused the loss, not an outsider.
• DHacktivists deliberately disclose data for ideological ends; the employee made an unintentional error, which fits the insider-threat category instead.

Cyber threat hunting proactively focuses on specific threat actors and their associated tactics, techniques, and procedures to surface intrusions automated detections may miss.

• ASignature antivirus passively blocks matching files; threat hunting is an active, analyst-led search for adversary behavior that automated controls did not catch.
• BTriage responds to alerts the tooling already raised, whereas hunting proactively seeks adversary activity even when no alert or detection has fired.
• DPatch management remediates weaknesses; it does not search telemetry for adversary behavior, which is the proactive hunting activity the scenario describes.

NIST lists tactics, techniques, and procedures as a core type of cyber threat information, describing how threat actors behave rather than atomic artifacts.

• BIndicators are specific observable artifacts; the bulletin describes generalized adversary behavior across victims, which NIST classifies as TTPs instead.
• CSource confidence rates trustworthiness of information; the bulletin's behavioral narrative of access and persistence is threat content classified as TTPs.
• DTool configurations are a separate threat-information type; the described patterns of access, movement, and persistence are behavioral TTPs in NIST guidance.

OCSP lets a relying party query the issuer's responder for the live status of one specific certificate without retrieving the full CRL, matching the real-time per-certificate requirement described.

• AA CRL is the periodically issued, signed list of revoked serial numbers, so downloading and parsing it is exactly the bulk approach the analyst wanted to avoid for a single certificate.
• BChecking the validity window only shows whether the certificate has expired, which is an entirely different test that conveys nothing about whether the issuer has revoked it.
• DThe key usage extension constrains which operations the certificate's public key may perform, such as digital signature or key encipherment, and carries no revocation status whatsoever.

A TPM is a tamper-resistant integrated circuit on the motherboard that performs cryptographic operations including key generation and protects sensitive material such as keys, serving as a hardware root of trust.

• BAn operating-system credential store keeps secrets in software where a compromised kernel or privileged process can read them, providing no tamper-resistant hardware boundary or measured-boot anchor.
• CA self-signed certificate is merely a public-key binding written to disk; it neither generates nor shields private keys inside tamper-resistant silicon and offers no boot-integrity measurement.
• DA remote key-management gateway centralizes keys over the network but places no tamper-resistant root of trust on the endpoint itself, which this requirement explicitly demands for the laptop.

NetFlow and IPFIX export per-flow metadata such as source and destination addresses, ports, protocol, and byte and packet counts, giving scalable conversation-level visibility without storing payloads.

• AFull packet capture stores every byte of every packet including payloads, giving deep forensic detail but consuming enormous storage that the scenario explicitly rules out on high-bandwidth links.
• BAntivirus quarantine logs record malware detections on individual endpoints and contain no record of host-to-host conversations, ports, or byte counts flowing across the network links described.
• CCertificate transparency logs publish issued TLS certificates for misissuance monitoring and carry nothing about which hosts exchanged traffic or how many bytes moved between them.