SOC Monthly Flashcard

A user reports receiving a suspicious email containing a link prompting them to enter their credentials. What is the FIRST step in investigating this phishing attempt?

A user reports that all their files have been encrypted with the .locked extension, and a ransom note is present. What is the IMMEDIATE action to take?

Your IDS detects multiple SQL injection attempts on a public-facing web server. What is the BEST response?

What does the command
netsh advfirewall set allprofiles state off
do?

A brute-force attack has been detected against an exposed RDP server. What is the BEST mitigation strategy?

Your DLP (Data Loss Prevention) alerts show large data uploads to a cloud storage service. What is the next step of action?

Your SIEM system has flagged an alert indicating a high volume of failed login attempts followed by a successful login to an internal system using a corporate user's credentials. The account owner reports they did not attempt to log in, and the login was from an unrecognized IP address. What should be your FIRST course of action to mitigate the ATO attack?

During a routine security audit, you notice an unusual PowerShell script running on a Windows system. The script appears to be Base64-encoded and is being executed from a temporary directory. What is your FIRST course of action?

What should be your FIRST course of action to improve security regarding authentication methods configured in the /etc/ssh/sshd_config file, including:
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes when concerned about the security of the password-based authentication method?

Which of the following is considered a false positive in security monitoring? An alert indicating a successful brute-force login attack when there was none, An alert about unusual traffic that is determined to be caused by a DDoS attack, An alert indicating malware detected in a sandbox environment, An alert indicating a legitimate login attempt by an authorized user