Cisco 300-220 Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Exam Practice Test

The correct answer isearlier detection of attacks before data exfiltration. This outcome directly translates toreduced business impact, which is the ultimate goal of threat hunting.

Alert volume (Option A) and false-positive reduction (Option B) measure operational efficiency, not security effectiveness. Option D measures spending, not outcomes.

Early detection:

Reduces dwell time

Prevents data loss

Limits operational disruption

Increases attacker cost

Cisco’sCBRTHD blueprintemphasizes outcome-driven security metrics, with early detection being one of the strongest indicators of threat hunting maturity.

Therefore,Option Cis the correct and executive-level answer.

The correct answer isC. Modifying this key requires administrative privileges, which the malware might not have.

The exhibit shows persistence established under the registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This registry key is aper-user startup location, meaning any executable listed there will automatically run whenthat specific userlogs in. Crucially,write access to HKEY_CURRENT_USER (HKCU) does not require administrative privileges—only the privileges of the compromised user account.

In contrast,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

appliessystem-wideand causes programs to execute at startup forall users. However, modifying this key requireslocal administrator privileges. In many real-world breaches, attackers initially compromisestandard user accounts, not administrators. As a result, malware often chooses HKCU-based persistence mechanisms because they arereliable, stealthy, and achievable without privilege escalation.

Options A and D are incorrect because both registry paths are fully supported in modern versions of Windows and are explicitly designed for startup execution. Option B is incorrect because neither key automatically removes entries after a reboot—both are persistent by design.

From a threat hunting and endpoint detection perspective, this distinction is critical. HKCU persistence indicates:

User-level compromise

No confirmed administrative access (yet)

Potential precursor to privilege escalation attempts

This technique maps toMITRE ATT&CK – Persistence: Boot or Logon Autostart Execution (T1547.001). Mature SOC teams monitorboth HKCU and HKLM Run keys, but they interpret them differently when reconstructing attacker capability and progression.

In summary, the attacker usedHKCUbecause it enables persistencewithout requiring administrative privileges, makingOption Cthe correct and professionally accurate answer.

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct answer isC. Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.

Cisco Secure Network Analytics (Stealthwatch) detectsCommand-and-Control (C2)activity by analyzingnetwork behavior, not by relying solely on known malicious indicators. In the exhibit, the critical investigative clue is theHTTP payload containing a suspicious external URL, which strongly suggests outbound communication from an internal host to an external command-and-control infrastructure.

The internal IP address10.201.3.99belongs to a workstation group (“Desktops”), indicating it is an internal endpoint, not a C2 server. This immediately rules out option B. Instead, the endpoint is acting as acompromised host (zombie)attempting to reach a remote server controlled by an attacker. This outbound beaconing behavior is a classic hallmark of C2 communication.

Option A is incorrect because packet count alone does not confirm C2 activity. C2 traffic is oftenlow-and-slow, intentionally designed to blend in with normal traffic patterns. Option D is also incorrect because the payload does not describe the zombie endpoint; rather, it shows aremote URL, which is likely part of malware staging or command retrieval.

From a threat hunting and SOC perspective, the most valuable information isdirectionality and intent:

Internal host → external suspicious domain

HTTP-based communication over an unusual port

Low data volume consistent with beaconing or payload retrieval

This aligns withMITRE ATT&CK – Command and Control (TA0011)techniques such asApplication Layer Protocols (T1071). Identifying which internal host is reaching out—and why—is essential for containment, endpoint isolation, and scope expansion.

Professionally, this insight enables the analyst to:

Quarantine host 10.201.3.99

Pivot to EDR telemetry on that endpoint

Block the external domain or IP

Hunt for similar beaconing patterns across the environment

In summary, the investigation is aided most by understanding thatan internal host is actively communicating with a C2 server, makingOption Cthe correct and operationally meaningful answer.

The correct answer iscorrelating attacker behavior across multiple MITRE ATT&CK techniques. This approach focuses onbehavioral detection, which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to asliving-off-the-land techniques—intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may beno malicious files at all. Options A and D sit at the lowest levels of thePyramid of Pain, making them easy for adversaries to evade.

By correlating behavior across multiple ATT&CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detecthowthe attacker operates rather thanwhat toolsthey use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into ahigh-confidence attack patternis how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of theThreat Hunting Maturity Modeland the top of thePyramid of Pain, making optionBthe correct answer.

The correct answer isAttack trees. Attack trees are uniquely suited for modelingmulti-step adversary behavior, which is essential when analyzing complex attack chains such as account takeover followed by data exfiltration.

Attack trees begin with ahigh-level attacker goal(for example, “Exfiltrate customer data”) and then break that goal into multiple branches representing different paths an attacker could take. These paths can include credential compromise, API abuse, privilege escalation, lateral movement, and persistence. This structure mirrors how real adversaries think and operate.

Option A (STRIDE) is useful for identifying broad threat categories—such as spoofing, tampering, or information disclosure—but it does not naturally capturesequential attack paths. Option B (CVSS) focuses on vulnerability severity scoring, not adversary behavior. Option D (DREAD) assesses risk impact but does not visualize how attacks unfold across systems.

For threat hunters and defenders, attack trees provide ashared mental modelbetween architects, SOC teams, and red teams. They directly inform detection engineering by highlightingcritical choke pointswhere attacker behavior must occur, such as token abuse, API enumeration, or anomalous role assumption in cloud environments.

In modern cloud security, where breaches often involvemultiple low-severity issues chained together, attack trees offer far greater strategic value than component-by-component analysis. They also align closely withMITRE ATT&CK mapping, enabling defenders to translate threat models into actionable hunts.

Thus, optionCis the most appropriate and professionally validated answer.

The correct answer isauthentication and remote execution logs. Lateral movement using legitimate tools relies heavily oncredential use and remote management protocols, not malware execution.

Attackers commonly use:

RDP

SMB administrative shares

WinRM

WMI

SSH

These techniques generateauthentication events, remote logons, and service execution logsrather than malware alerts. Antivirus tools are ineffective here because no malicious binaries are involved.

Option A is ineffective against living-off-the-land attacks. Option B is unrelated to lateral movement. Option D may show some activity but lacks the necessary depth to identify privilege misuse or session hopping.

Authentication telemetry enables hunters to detect anomalies such as:

Logons between non-associated systems

Sudden administrative access

Credential reuse across hosts

Abnormal session timing and frequency

This data is foundational forcredential-based attack detection, which remains one of the most common breach paths today. It also aligns withMITRE ATT&CK Lateral Movement and Credential Access tactics.

Thus, optionCis the correct answer.

The correct answer isNetwork/host artifacts. To understand why, it is important to map the observed attacker behavior to thePyramid of Pain, a model that ranks indicators by how difficult they are for adversaries to change once detected.

In this scenario, the adversary is usingNmap OS fingerprinting, which involves sending carefully crafted packets and analyzing responses (TCP/IP stack behavior, TTL values, window sizes, flags, and timing characteristics). These behaviors leave behindnetwork and host artifacts, such as distinctive scan patterns, abnormal TCP flag combinations, OS fingerprinting probes, and consistent tool-specific traffic signatures.

On the Pyramid of Pain:

IP addresses (D)sit at the very bottom. Attackers can trivially change IPs using VPNs, proxies, or botnets.

Port probes (B)andUDPs (A)represent low-level indicators that are also easy to modify. An attacker can change scan ports, protocols, or scan timing with minimal effort.

Network/host artifacts (C)sit significantly higher. These include tool-generated behaviors, protocol anomalies, OS fingerprinting patterns, and scan logic inherent to tools like Nmap. Changing these requires attackers to reconfigure tools, write custom scanners, or significantly alter their operational approach.

From a threat hunting and SOC maturity perspective, detecting and alerting onnetwork and host artifactsforces attackers to expend more time and resources, increasing their operational cost. This aligns with the core objective of the Pyramid of Pain:maximize adversary pain by detecting behaviors, not easily replaceable indicators.

Professionally mature SOC teams focus on identifying scanning techniques (e.g., Nmap OS detection, TCP ACK probes, UDP probes) rather than blocking individual IPs. These detections are resilient, scalable, and effective against both commodity attackers and advanced adversaries.

In short, while IPs and ports are useful for short-term containment,network and host artifacts provide the highest-value indicators in this scenario, makingCthe correct answer.

The correct answer isExploit public-facing application. The log excerpt in the exhibit clearly shows amalicious HTTP GET requesttargeting aWordPress plugin PHP filewith a craftedSQL injection payload:

UNION ALL SELECT CONCAT(...)

This syntax is a classic indicator ofSQL injection, a well-documented attack technique used to exploit insufficient input validation in web applications. According to the MITRE ATT&CK framework, this behavior maps to theInitial Access tactic (TA0001)and the techniqueExploit Public-Facing Application (T1190). The attacker is directly interacting with a publicly accessible web service and abusing a vulnerability in the application code to gain unauthorized access.

From a threat hunting and forensic standpoint, this is a textbook example of how attackers commonly achieve initial access to web servers. The attacker did not authenticate via remote services (such as SSH or RDP), nor did they rely on user interaction (as in a drive-by compromise). Instead, they sent a specially crafted request to a vulnerable endpoint exposed to the internet. This makes option B incorrect becauseExternal Remote Servicesrequires legitimate service access mechanisms. Option C is also incorrect becauseCommand and Scripting Interpreteris typically usedafterinitial access, once code execution is already achieved. Option D does not apply because there is no evidence of malicious content being delivered to end users.

The forensic team’s actions—isolating the server, cloning the disk, and analyzing logs—are standard post-incident procedures to reconstruct the attack chain. Web server access logs are especially valuable in these cases, as they often reveal malicious payloads, attacker IP addresses, targeted endpoints, and timestamps.

For defenders and threat hunters, this scenario reinforces the importance of monitoring web logs for anomalous query strings, enforcing secure coding practices, conducting regular vulnerability scans, and promptly patching third-party plugins. Public-facing applications remain one of themost exploited initial access vectors, making this technique a critical focus area in modern threat hunting programs.

The correct answer isB. Using "SecurityScan/2.5" to access all /admin endpoints. This log entry most clearly aligns with anauthorized security assessmentactivity designed to test weaknesses previously exploited during a breach.

Authorized security assessments—such as penetration tests or red team exercises—are typicallycontrolled, scoped, and intentional. They focus on validating security controls by probing sensitive areas (like administrative interfaces) while avoiding destructive actions. The user-agent string"SecurityScan/2.5"strongly suggests a purpose-built security scanning tool, which is commonly used by internal security teams or third-party assessors during sanctioned testing.

Option A is incorrect because performing login attempts at scale usingleaked credentialswould constitute real-world malicious behavior unless explicitly approved and tightly controlled. Even in authorized tests, credential stuffing with known leaked credentials is highly sensitive and would be explicitly documented; the wording here implies adversary behavior rather than assessment activity.

Option C is clearly malicious and inappropriate for an authorized assessment. Executing ashutdown commandis a destructive action and would violate standard rules of engagement for professional security testing. Such activity would be classified as adversarial exploitation, not a controlled delivery method.

Option D represents benign reconnaissance. A genericweb crawler gathering public-facing informationis typically associated with search engines or basic reconnaissance and does not directly test weaknesses related to a prior breach. While reconnaissance is part of assessments, it is not a strong indicator of a targeted, authorized delivery method.

From a threat hunting and SOC perspective, recognizing authorized assessment activity is critical to avoid misclassifying tests as incidents. Indicators include identifiable scanner user agents, predictable request patterns, limited scope targeting (such as /admin paths), and non-destructive behavior. This scenario reinforces an important operational lesson:context, intent, and tooling matter. Among the options,SecurityScan/2.5 targeting administrative endpointsbest reflects a legitimate, authorized security assessment delivery method.

The correct answer isUnauthorized penetration test. Based on the scenario provided, there is no indication that the observed activity was planned, approved, or coordinated by the organization. Instead, the evidence points tomalicious, unauthorized accessusing a valid user account, followed by destructive actions on the file server.

The exhibit showsmultiple file deletions and modificationsoccurring within a very short time window after asuccessful remote sign-in. From a professional SOC and threat hunting perspective, this sequence strongly suggestsaccount compromisefollowed byintentional malicious activity, such as data destruction, ransomware staging, or anti-forensics behavior. Intrusion Prevention System alerts further reinforce that the activity violated security policies, which would not be the case during a sanctioned test.

Option A (White box penetration test) and Option D (Black box penetration test) both describetesting methodologies, not threat types. White box testing is conducted with full internal knowledge and explicit authorization, while black box testing is performed with limited knowledge but still under a formal, approved engagement. In both cases, SOC teams are typically informed ahead of time to prevent unnecessary incident escalation.

Option B (Authorized penetration test) is also incorrect because authorized tests are documented, scoped, and approved by management. They do not involve real user account compromise without prior notification, nor do they trigger IPS alerts treated as genuine incidents.

In contrast,unauthorized penetration testingrefers to real-world attacker behavior where an adversary attempts to compromise systems without permission. Even if the attacker’s techniques resemble penetration testing tools or methods, the lack of authorization makes it a true security incident.

From a threat hunting and incident response standpoint, this classification is critical. Treating unauthorized activity as a live threat ensures proper containment actions, such as account disabling, credential resets, forensic preservation, and scope expansion. Misclassifying such activity as a test could lead to delayed response and increased damage.

In short,authorization—not technique—determines intent. Since no authorization exists in this scenario, the activity represents anunauthorized penetration attempt, making optionCthe correct answer.

The correct answer isObservation of repeated failed logins followed by a successful login from a new location. This scenario represents anIndicator of Attack (IOA)because it reflectsattacker behavior in progress, not confirmed compromise.

IOAs focus onpatterns of malicious intent, such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggestspassword spraying or credential stuffing, both common initial access techniques.

Options A, B, and D are classicIndicators of Compromise (IOCs). Hashes, domains, and IP addresses are static artifacts that indicate a systemhas already been compromised. These indicators sit low on thePyramid of Painand are easy for attackers to change.

Cisco’sCBRTHD blueprintemphasizes hunting forIOAsbecause they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such asSecure Network Analytics,Secure Endpoint, and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isbehavioral analysis of outbound traffic patterns. Advanced attackers intentionally usestandard protocols such as HTTP and HTTPSto blend exfiltration traffic with normal activity.

Hash-based and signature-based methods are ineffective because:

No malware may be present

Traffic appears legitimate

Infrastructure is frequently rotated

Behavioral analysis detects anomalies such as:

Unusual data transfer volumes

Abnormal session timing

Beaconing patterns

Rare destinations

This approach aligns withnetwork threat hunting best practicesand forces attackers to significantly alter behavior, increasing adversary cost.

Therefore, optionBis correct.

The correct answer is SQL injection. The decoded HTTP request shown in the exhibit contains multiple unmistakable indicators of a SQL injection attack, including the use of SQL keywords and functions such as SELECT, CASE, SUBSTRING, ASCII, BIN, and conditional SLEEP() statements. These elements are characteristic of time-based blind SQL injection, a technique attackers use to extract database information when direct query results are not visible.

From a professional cybersecurity perspective, the presence of expressions like:

SELECT (CASE WHEN … THEN SLEEP(x))

SUBSTRING(password,1,1)

ASCII() and binary conversions

indicates that the attacker is probing the backend database character by character and using response timing to infer whether conditions are true or false. This is a well-known exploitation method used when error messages or query output are suppressed by the application.

The use of Base64 encoding does not represent the attack itself but rather an obfuscation technique to evade basic web application firewall (WAF) signatures and logging visibility. Encoding payloads allows attackers to bypass simple pattern-matching defenses, but once decoded, the underlying SQL injection becomes evident.

Option A (Unicode encoding) is incorrect because Unicode is commonly used for evasion, not exploitation. Option C (directory traversal) typically involves sequences like ../ to access filesystem paths, which are not present. Option D (XSS) targets client-side script execution and would include JavaScript payloads rather than database-focused logic.

According to the MITRE ATT&CK framework, this activity maps to Initial Access – Exploit Public-Facing Application (T1190). SQL injection remains one of the most exploited vulnerabilities in public-facing applications due to poor input validation and insecure coding practices.

For threat hunters and defenders, this scenario reinforces the importance of deep payload inspection, decoding obfuscated requests, monitoring for anomalous database query behavior, and enforcing secure development practices such as parameterized queries and input sanitization. SQL injection continues to be a high-impact, real-world attack vector despite being well understood, making it a critical focus area in web application threat hunting.

The correct answer isit highlights consistent attacker tradecraft. Attribution depends on recognizingbehavioral patternsthat persist across campaigns.

Attackers frequently change malware, infrastructure, and exploits, but they are far less likely to changehow they prefer to operate. Consistent use of SMB for lateral movement and deliberate avoidance of PowerShell reflect conscious operational choices.

Option A is unrelated to lateral movement behavior. Option B assumes malware development, which may not exist. Option D addresses impact, not attribution.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingto correlate observed behaviors with known threat actor profiles. These behavioral fingerprints provide far stronger attribution confidence than low-level indicators.

Therefore,Option Cis the correct answer.

The correct answer isThey produce false positives and false negatives. Automated dynamic malware analysis tools, such as sandboxes, execute suspicious files in isolated environments to observe runtime behavior. While these tools are extremely valuable in modern SOCs, they are not infallible and have well-known limitations.

False positives occur when benign software exhibits behaviors that resemble malicious activity, such as creating registry keys, spawning child processes, or making network connections. Conversely, false negatives occur when malware intentionallyevades detectionby altering its behavior. Many modern malware samples include sandbox evasion techniques such as checking for virtualized environments, delaying execution, requiring user interaction, or disabling malicious functionality when analysis artifacts are detected.

Option A is incorrect because dynamic analysis can, in fact, uncover runtime vulnerabilities and exploit behavior. Option C is misleading; while tooling coverage varies, language support is not the primary limitation. Option D refers tomanual analysis, whereas the question explicitly addresses automated tools.

From a threat hunting and malware analysis standpoint, professionals understand that sandbox results must becorrelated with other telemetry, including endpoint behavior, network traffic, and threat intelligence. Automated tools are best used as part of a layered analysis strategy, not as a single source of truth.

This limitation reinforces a core security principle:automation accelerates detection, but human judgment validates impact. Skilled analysts interpret sandbox results, investigate anomalies, and determine real-world risk. Understanding the strengths and weaknesses of dynamic analysis tools allows SOC teams to avoid overreliance on automation while still benefiting from its speed and scale.

The correct answer isendpoint process ancestry tracking. Credential harvesting attacks frequently rely onfileless executionand living-off-the-land techniques.

When no files are written to disk, hash-based detection (Option A) is ineffective. Email sandboxing (Option C) and URL filtering (Option D) may detect initial delivery but provide little visibility into post-execution behavior.

Cisco Secure Endpoint provides detailed telemetry on:

Parent-child process relationships

Unexpected process spawning

Abnormal command-line arguments

Memory-resident execution

By analyzing process ancestry, hunters can identify suspicious chains such as:

Office applications spawning scripting engines

Browsers spawning credential-harvesting processes

Legitimate binaries launching unexpected child processes

This capability directly supportsMITRE ATT&CK Credential Access and Defense Evasion techniquesand is explicitly covered in theCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Thus,Option Bis the most accurate and Cisco-aligned answer.

The correct answer isCollect and process intelligence and data. In this scenario, theinitial threat hunting phaseoccurred when the SOC team received the alert and began analyzing SIEM logs to validate whether the activity was legitimate or malicious. This aligns directly with the first phase of the threat hunting lifecycle, which focuses on gathering, normalizing, and analyzing security-relevant data.

Threat hunting is a structured, hypothesis-driven process, but it always begins withdata collection and intelligence processing. This includes ingesting logs from identity providers, authentication systems, cloud platforms, VPNs, and endpoint telemetry into a SIEM. In this case, the alert regarding a sign-in from an unusual country triggered analysts to examine historical login patterns and geolocation data. By confirming that the user had never authenticated from that country, the team established that the event was anomalous and likely malicious.

Option B (Response and resolution) occurredafterthe initial phase, when the IT administrator reset the user’s password to contain the threat. Option C (Hypothesis) would involve formulating a theory such as “the account may be compromised due to credential theft,” but this step requires validated data first. Option D (Post-incident review) only happens after the incident has been fully resolved and lessons learned are documented.

From a professional cybersecurity operations perspective, this phase is critical becausehigh-quality data determines hunt effectiveness. Poor log coverage or incomplete identity telemetry would prevent analysts from confidently confirming the anomaly. This example also highlights why identity-related telemetry is foundational to modern threat hunting—compromised credentials remain one of the most common initial access vectors.

In short, before a SOC can hypothesize, respond, or improve controls, it must firstcollect and process accurate intelligence and data, making option A the correct answer.