ULTIMATE Context-Driven Study Guide - Performance-Based Scenarios & Exam Blueprint Mastery
DOMAIN 1: THREATS, ATTACKS, AND VULNERABILITIES
Focus: Identifying Attack Patterns, Malware Behaviors, and Indicators of Compromise
Scenario Q1:
A security analyst reviewing SIEM logs notices multiple failed login attempts from a
foreign IP against the VPN gateway, followed 20 minutes later by a successful login
from the internal HR department's IP range. The HR user account shows no recent
password change activity. What type of attack is MOST likely occurring?
A) Credential stuffing
B) Pass-the-hash
C) Password spraying
D) Brute force
Correct Answer: B
Complete Solution:
Step 1: Context Breakdown
● Role: Security Analyst (monitoring/detection function)
● Threat Pattern: External reconnaissance (failed foreign logins) → lateral
movement via internal HR IP
● Key Anomaly: Successful internal login without password change after external
targeting
● Action Keyword: "MOST likely" — requires matching attack pattern to observed
indicators
Step 2: Concept Reinforcement
This describes lateral movement using compromised credentials without knowing the
plaintext password. Pass-the-hash attacks use NTLM hash values stolen from one
system to authenticate to others, leaving no password change trail.
Step 3: Why Right & Why Wrong
Answer | Analysis
B) Pass-the-hash ✓ | External reconnaissance followed by internal lateral movement without password change = hash replay. The HR IP suggests the attacker pivoted to an internal system.
A) Credential stuffing | Uses breached username/password pairs from other sites. Would show successful external login, not failed external then successful internal.
C) Password spraying | Uses common passwords against many accounts. Would show multiple accounts targeted, not one account with lateral movement pattern.
D) Brute force | Attempts all possible passwords. Would take far longer and generate massive log volume; unlikely to succeed in 20 minutes against a VPN gateway.
Step 4: Exam Relevance
Tests Objective 1.2: Compare and contrast types of attacks, specifically
credential-based attacks and lateral movement techniques.
ProTip: When you see "successful login without password change" after external
activity, immediately consider hash-based attacks or Kerberoasting. The absence of
password change is the critical differentiator.
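As an added example (not part of this study guide), the Q1 pattern expressed as a small SIEM-style correlation rule in Python: repeated external failures for an account, followed within a window by a successful login from an internal range, with no password-change event for that account in between. The log format, hostnames, the internal address ranges and the sample events are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events (not from any real environment). hr.jdoe shows the
# scenario's pattern; it.asmith changed the password before logging in, which is
# the differentiator the ProTip calls out, so it must not alert.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00 vpn-gw LOGIN_FAILED user=hr.jdoe src=203.0.113.45",
    "2024-03-01T08:00:05 vpn-gw LOGIN_FAILED user=hr.jdoe src=203.0.113.45",
    "2024-03-01T08:00:09 vpn-gw LOGIN_FAILED user=hr.jdoe src=203.0.113.45",
    "2024-03-01T08:20:10 fileserver LOGIN_SUCCESS user=hr.jdoe src=10.20.30.7",
    "2024-03-01T09:00:00 vpn-gw LOGIN_FAILED user=it.asmith src=198.51.100.9",
    "2024-03-01T09:00:04 vpn-gw LOGIN_FAILED user=it.asmith src=198.51.100.9",
    "2024-03-01T09:00:08 vpn-gw LOGIN_FAILED user=it.asmith src=198.51.100.9",
    "2024-03-01T09:05:00 dc01 PASSWORD_CHANGED user=it.asmith src=10.20.1.4",
    "2024-03-01T09:10:00 fileserver LOGIN_SUCCESS user=it.asmith src=10.20.1.4",
]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse(line):
    """Parse one '<ts> <host> <event> key=value ...' line into a dict."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
            "user": fields["user"], "src": ipaddress.ip_address(fields["src"])}

def detect_hash_replay_pattern(lines, min_failures=3, window=timedelta(minutes=30)):
    """Return one alert per internal success preceded (within `window`) by at
    least `min_failures` external failures for the same account and no
    PASSWORD_CHANGED event for that account in the same period."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "LOGIN_SUCCESS" or not is_internal(ev["src"]):
            continue
        recent = [e for e in events[:i]
                  if e["user"] == ev["user"] and ev["ts"] - e["ts"] <= window]
        ext_failures = [e for e in recent
                        if e["event"] == "LOGIN_FAILED" and not is_internal(e["src"])]
        pw_changed = any(e["event"] == "PASSWORD_CHANGED" for e in recent)
        if len(ext_failures) >= min_failures and not pw_changed:
            alerts.append({"user": ev["user"], "external_src": str(ext_failures[-1]["src"]),
                           "internal_src": str(ev["src"]), "when": ev["ts"].isoformat()})
    return alerts
```

Tune `min_failures` and `window` to the gateway's normal failure rate; the password-change suppression is what keeps a legitimate reset-then-login from firing.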
Scenario Q2:
Following a malware outbreak, your incident response team isolates infected
workstations. Forensic analysis reveals a fileless malware that resides only in memory,
establishes a reverse shell to a C2 server, and uses PowerShell to enumerate domain
users. Which MITRE ATT&CK tactic BEST describes the PowerShell activity?
A) Initial Access
B) Execution
C) Discovery
D) Collection
Correct Answer: C
Complete Solution:
Step 1: Context Breakdown
● Role: Incident Responder (forensic analysis phase)
● Attack Stage: Post-exploitation (fileless malware active, C2 established)
● Specific Activity: PowerShell used to "enumerate domain users"
● Action Keyword: "BEST describes" — requires precise MITRE tactic mapping
Step 2: Concept Reinforcement
MITRE ATT&CK tactics represent the "why" of an attack technique. Discovery (TA0007)
involves techniques that allow adversaries to gain knowledge about the system and
internal network—specifically including account and permission enumeration.
Step 3: Why Right & Why Wrong
Answer | Analysis
C) Discovery ✓ | Enumerating domain users is classic reconnaissance to understand the environment for privilege escalation or lateral movement targets.
A) Initial Access | Already completed—malware is resident and C2 is established.
B) Execution | PowerShell is the execution method, but the purpose of this specific activity is discovery. The question asks what the activity describes, not what tool is used.
D) Collection | Involves gathering data of interest (files, credentials). Enumeration is reconnaissance, not data collection.
Step 4: Exam Relevance
Tests Objective 1.7: Explain the techniques used in penetration testing, including MITRE
ATT&CK framework application.