CYSA+ (CS0-003) – COMPLETE MOCK EXAM QUESTIONS WITH DETAILED RATIONALES AND PERFORMANCE-BASED TASKS (A+ ALREADY GRADED)
Threat Detection & Analysis
Question 1
A SIEM generates an alert indicating a user authenticated successfully from Kenya and then five minutes
later from Germany. What does this MOST likely indicate?
A. Normal VPN behavior
B. Impossible travel anomaly
C. DNS poisoning
D. Network congestion
Answer: B. Impossible travel anomaly
Rationale:
Impossible travel detection identifies logins occurring from geographically distant locations within
unrealistic timeframes, often indicating credential compromise.
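The detection logic behind the rationale, as an added worked example (not part of the mock exam): consecutive successful logins for the same user are paired, the great-circle distance between the two geolocated sources is computed with the haversine formula, and the implied travel speed is compared against a threshold. The log lines, field names (user, result, country, lat, lon) and the 900 km/h ceiling are all constructed assumptions here; a real SIEM would supply its own enrichment fields and a tuned threshold.

```python
import math
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample authentication events (not from the exam or any real SIEM).
# lat/lon are assumed to come from the SIEM's IP-geolocation enrichment.
SAMPLE_AUTH_LOG = """
2024-05-01T08:00:00Z user=jdoe result=success src=203.0.113.10 country=KE lat=-1.2921 lon=36.8219
2024-05-01T08:05:00Z user=jdoe result=success src=198.51.100.7 country=DE lat=52.5200 lon=13.4050
2024-05-01T09:00:00Z user=asmith result=success src=198.51.100.20 country=DE lat=52.5200 lon=13.4050
2024-05-01T10:00:00Z user=asmith result=success src=198.51.100.21 country=DE lat=50.1109 lon=8.6821
2024-05-01T10:02:00Z user=asmith result=failure src=192.0.2.5 country=US lat=37.7749 lon=-122.4194
""".strip()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_auth_log(text: str) -> List[Dict]:
    """Parse 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        events.append({
            # 'Z' suffix is normalised so fromisoformat works on older Pythons
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": fields["user"],
            "result": fields["result"],
            "country": fields["country"],
            "lat": float(fields["lat"]),
            "lon": float(fields["lon"]),
        })
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events: List[Dict], max_speed_kmh: float = 900.0) -> List[Dict]:
    """Flag consecutive successful logins by one user whose implied speed exceeds max_speed_kmh.

    900 km/h (roughly airliner cruising speed) is an assumed tuning value, not a standard.
    Only successful logins establish a location; failures are ignored.
    """
    by_user: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] == "success":
            by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            if hours > 0:
                speed = km / hours
            else:
                # Same-second logins from different places are as impossible as it gets
                speed = math.inf if km > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": prev["country"],
                    "to": cur["country"],
                    "distance_km": round(km, 1),
                    "minutes": round(hours * 60, 1),
                    "speed_kmh": round(speed, 1),
                })
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"ALERT impossible travel: {f}")
```

In the sample, jdoe's Kenya-to-Germany pair is roughly 6,400 km in five minutes and is flagged, while asmith's Berlin-to-Frankfurt logins an hour apart (about 420 km) stay well under the threshold. In production the same logic needs an allowlist for known VPN egress and cloud proxy ranges, since those legitimately make a user appear to jump between countries.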
Question 2
Which log source would BEST identify lateral movement using Remote Desktop Protocol (RDP)?
A. DNS logs
B. Authentication logs
C. DHCP logs
D. SMTP logs
Answer: B. Authentication logs
Rationale:
RDP lateral movement generates authentication events, especially successful and failed login attempts
between hosts.
Question 3
An attacker uses encoded PowerShell commands to avoid detection. What tactic is being used?
A. Persistence
B. Obfuscation
C. Sandboxing
D. Tokenization
Answer: B. Obfuscation
Rationale:
Obfuscation hides malicious intent by disguising commands or code to evade security tools and analysts.
Question 4
A SOC analyst notices beaconing traffic every 10 minutes to an external IP address. What does this
MOST likely indicate?
A. Normal DNS activity
B. Data backup synchronization
C. Command-and-control communication
D. ARP poisoning
Answer: C. Command-and-control communication
Rationale:
Regular periodic outbound connections often indicate malware checking in with a command-and-control
server.
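How a SOC analyst might surface the "every 10 minutes" pattern from the rationale, as an added example that is not part of the mock exam: connection records are grouped by source and destination, the gaps between successive connections are measured, and a pair is reported when it has enough connections and the gaps are nearly constant (low coefficient of variation). The connection log, field names, the six-connection minimum and the 0.1 variation ceiling are constructed assumptions for illustration.

```python
import re
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample outbound-connection log (not from the exam or a real sensor).
# Host 10.0.0.5 calls out roughly every 600 s with a little jitter; 10.0.0.7 browses irregularly.
SAMPLE_CONN_LOG = """
2024-05-01T08:00:00Z src=10.0.0.5 dst=203.0.113.50 dport=443
2024-05-01T08:00:00Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T08:00:05Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T08:03:40Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T08:04:00Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T08:10:02Z src=10.0.0.5 dst=203.0.113.50 dport=443
2024-05-01T08:19:58Z src=10.0.0.5 dst=203.0.113.50 dport=443
2024-05-01T08:25:00Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T08:26:10Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T08:30:01Z src=10.0.0.5 dst=203.0.113.50 dport=443
2024-05-01T08:40:00Z src=10.0.0.5 dst=203.0.113.50 dport=443
2024-05-01T08:49:59Z src=10.0.0.5 dst=203.0.113.50 dport=443
2024-05-01T08:50:00Z src=10.0.0.7 dst=198.51.100.9 dport=443
2024-05-01T09:00:03Z src=10.0.0.5 dst=203.0.113.50 dport=443
""".strip()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_conn_log(text: str) -> List[Dict]:
    """Parse 'timestamp key=value ...' lines into connection dicts."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        conns.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": fields["src"],
            "dst": fields["dst"],
        })
    return conns


def find_beacons(conns: List[Dict], min_connections: int = 6, max_cv: float = 0.1) -> List[Dict]:
    """Report src->dst pairs whose inter-connection gaps are nearly constant.

    cv = population stdev / mean of the gaps; a value near 0 means a fixed period.
    The thresholds are assumed tuning values and must be adjusted per environment.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = {}
    for c in conns:
        by_pair.setdefault((c["src"], c["dst"]), []).append(c["time"])

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all connections in the same second: not a periodic pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "period_s": mean,
                "cv": round(cv, 4),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"Possible beacon: {b['src']} -> {b['dst']} every ~{b['period_s']:.0f}s (cv={b['cv']})")
```

Only the 10.0.0.5 to 203.0.113.50 pair is reported, with a period of about 600 seconds. Periodicity alone is not proof of command-and-control: backup agents, update checks and monitoring probes also call home on a fixed schedule, so the destination's reputation and the host's installed software decide the verdict, which is why distractor B in the question is the right thing to rule out rather than assume.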
Network Security
Question 5
Which protocol should be disabled because it transmits credentials in cleartext?
A. SSH
B. HTTPS
C. Telnet
D. SFTP
Answer: C. Telnet
Rationale:
Telnet sends credentials unencrypted, making interception trivial.
Question 6
Which security control BEST prevents unauthorized devices from connecting to a corporate network?