Multiple Choice
Identify the choice that best completes the statement or answers the question.

1. (1 point) An attacker searches LinkedIn to identify bank employees and studies the bank’s public website before attempting any logins. Which phase is occurring?
a. Persistence    b. Taking action    c. Reconnaissance    d. Initial access

2. (1 point) A phishing email tricks an employee into entering credentials, allowing the attacker to log into the bank’s network. Which phase does this represent?
a. Lateral movement    b. Evading detection    c. Reconnaissance    d. Initial access

3. (1 point) After gaining access, an attacker installs a remote access trojan (RAT) so they can return later without repeating the phishing attack. Which phase is this?
a. Taking action    b. Lateral movement    c. Reconnaissance    d. Persistence

4. (1 point) Logs show a compromised account attempting to access administrative servers and higher-level user accounts. Which phase is most likely occurring?
a. Reconnaissance    b. Lateral movement    c. Initial access    d. Evading detection

5. (1 point) An attacker copies customer financial records and transfers them to an external server. Which phase does this action represent?
a. Reconnaissance    b. Persistence    c. Initial access    d. Taking action

6. (1 point) Security logs show that log files were deleted shortly after sensitive data was stolen. Which phase should analysts identify?
a. Lateral movement    b. Reconnaissance    c. Evading detection    d. Taking action

7. (1 point) Analysts observe repeated scanning of the bank’s public-facing systems without login attempts. Which phase is most likely underway?
a. Taking action    b. Initial access    c. Reconnaissance    d. Persistence

8. (1 point) An attacker uses weak VPN credentials purchased online to access the bank’s internal system. Which phase does this indicate?
a. Initial access    b. Reconnaissance    c. Evading detection    d. Lateral movement

9. (1 point) Malware is configured to automatically reconnect to a command-and-control server after system reboot. Which phase does this represent?
a. Reconnaissance    b. Initial access    c. Taking action    d. Persistence

10. (1 point) Monitoring tools detect privilege escalation from a standard user account to a domain administrator account. Which phase is most closely associated with this behavior?
a. Persistence    b. Lateral movement    c. Reconnaissance    d. Evading detection

11. (1 point) A ransomware note appears after files are encrypted across multiple departments. Which phase is represented by the encryption?
a. Initial access    b. Taking action    c. Lateral movement    d. Reconnaissance

12. (1 point) Forensic analysis shows malware files were removed and timestamps altered before the attacker disconnected. Which phase does this demonstrate?
a. Taking action    b. Evading detection    c. Reconnaissance    d. Persistence

13. (1 point) An adversary gathers publicly available financial reports and network diagrams posted online. Which phase is this?
a. Reconnaissance    b. Initial access    c. Lateral movement    d. Taking action

14. (1 point) A malicious USB drive gives an attacker access to a workstation for the first time. Which phase does this represent?
a. Persistence    b. Reconnaissance    c. Evading detection    d. Initial access

15. (1 point) An attacker creates a hidden administrator account to maintain long-term system control. Which phase is this?
a. Taking action    b. Reconnaissance    c. Lateral movement    d. Persistence

16. (1 point) A compromised employee device begins accessing shared drives belonging to other departments. Which phase is most likely occurring?
a. Taking action    b. Initial access    c. Lateral movement    d. Evading detection

17. (1 point) Customer data is collected and sent to an overseas server controlled by the attacker. Which phase is represented by this data exfiltration?
a. Reconnaissance    b. Initial access    c. Persistence    d. Taking action

18. (1 point) Logs show that antivirus alerts were disabled before suspicious activity continued. Which phase does this behavior represent?
a. Lateral movement    b. Evading detection    c. Reconnaissance    d. Taking action

19. (1 point) After initial compromise, an attacker installs a rootkit to avoid having to regain access later. Which phase does this describe?
a. Taking action    b. Initial access    c. Reconnaissance    d. Persistence

20. (1 point) An attacker uses OSINT to identify the bank’s software vendor and email format before sending phishing emails. Which phase is this?
a. Reconnaissance    b. Taking action    c. Evading detection    d. Lateral movement

21. (1 point) A security analyst detects attempts to access a domain controller from a compromised workstation. Which phase should be identified?
a. Persistence    b. Lateral movement    c. Initial access    d. Reconnaissance

22. (1 point) A denial-of-service attack makes the bank’s website unavailable to customers. Which phase does this represent?
a. Evading detection    b. Reconnaissance    c. Taking action    d. Persistence

23. (1 point) Forensic tools reveal that log entries were edited to hide suspicious login attempts. Which phase does this indicate?
a. Lateral movement    b. Taking action    c. Evading detection    d. Initial access

24. (1 point) A compromised password allows an attacker to enter the bank’s system for the first time. Which phase is this?
a. Reconnaissance    b. Initial access    c. Persistence    d. Lateral movement

25. (1 point) An attacker gathers public data, gains access, installs malware, escalates privileges, steals data, and deletes logs. Which phase directly follows persistence in this sequence?
a. Initial access    b. Lateral movement    c. Reconnaissance    d. Evading detection

26. (1 point) An attacker searches public employee profiles and company websites before launching an attack. Which phase is occurring?
a. Persistence    b. Initial access    c. Reconnaissance    d. Taking action

27. (1 point) A phishing email successfully tricks an employee into revealing login credentials. Which phase does this represent?
a. Lateral movement    b. Reconnaissance    c. Initial access    d. Evading detection

28. (1 point) After gaining entry, the attacker installs malware to maintain long-term access. Which phase is this?
a. Initial access    b. Persistence    c. Reconnaissance    d. Taking action

29. (1 point) An attacker moves from one compromised computer to a server with higher privileges. Which phase is occurring?
a. Lateral movement    b. Evading detection    c. Initial access    d. Reconnaissance

30. (1 point) Customer financial records are copied and transferred outside the organization. Which phase does this represent?
a. Taking action    b. Persistence    c. Initial access    d. Reconnaissance

31. (1 point) Logs show an attacker deleted evidence after stealing data. Which phase is being demonstrated?
a. Initial access    b. Lateral movement    c. Evading detection    d. Reconnaissance

32. (1 point) A suspicious IP repeatedly scans the company’s website to identify open ports. Which phase should analysts identify?
a. Persistence    b. Reconnaissance    c. Taking action    d. Initial access

33. (1 point) An attacker logs into a system using stolen credentials. Which phase does this represent?
a. Evading detection    b. Lateral movement    c. Initial access    d. Reconnaissance

34. (1 point) Malware is configured to automatically reconnect to an attacker’s server after reboot. Which phase is this?
a. Initial access    b. Reconnaissance    c. Persistence    d. Taking action

35. (1 point) A compromised device attempts to access other systems within the network. Which phase is underway?
a. Taking action    b. Lateral movement    c. Reconnaissance    d. Initial access

36. (1 point) An attacker encrypts files to disrupt business operations. Which phase is this?
a. Persistence    b. Taking action    c. Reconnaissance    d. Initial access

37. (1 point) System logs show timestamps were altered to hide unauthorized access. Which phase does this indicate?
a. Lateral movement    b. Evading detection    c. Taking action    d. Reconnaissance

38. (1 point) An attacker gathers OSINT about company software vendors before attacking. Which phase is this?
a. Evading detection    b. Reconnaissance    c. Initial access    d. Persistence

39. (1 point) Weak passwords allow an attacker to enter the system for the first time. Which phase does this show?
a. Taking action    b. Reconnaissance    c. Lateral movement    d. Initial access

40. (1 point) A backdoor account is created to maintain access. Which phase is represented?
a. Persistence    b. Taking action    c. Reconnaissance    d. Evading detection

41. (1 point) Network monitoring shows access attempts to administrative accounts from a compromised machine. Which phase is this?
a. Taking action    b. Reconnaissance    c. Lateral movement    d. Initial access

42. (1 point) Sensitive data is exfiltrated to an external server controlled by the attacker. Which phase is occurring?
a. Taking action    b. Initial access    c. Persistence    d. Reconnaissance

43. (1 point) After completing their objective, the attacker removes malware and clears logs. Which phase does this represent?
a. Evading detection    b. Persistence    c. Lateral movement    d. Reconnaissance

44. (1 point) A hacker collects information about employee email formats before launching phishing emails. Which phase is this?
a. Reconnaissance    b. Taking action    c. Initial access    d. Persistence

45. (1 point) A malicious USB device provides the attacker with their first system entry point. Which phase does this indicate?
a. Initial access    b. Reconnaissance    c. Persistence    d. Lateral movement

46. (1 point) An attacker disables antivirus software after gaining entry. Which phase is this action most closely associated with?
a. Reconnaissance    b. Taking action    c. Initial access    d. Evading detection

47. (1 point) Security tools detect privilege escalation attempts from a compromised account. Which phase is most likely occurring?
a. Persistence    b. Lateral movement    c. Reconnaissance    d. Initial access

48. (1 point) A distributed denial-of-service attack disrupts online banking services. Which phase does this represent?
a. Taking action    b. Reconnaissance    c. Persistence    d. Evading detection

49. (1 point) Analysts observe multiple failed login attempts before any successful breach. Which earlier phase may have preceded this?
a. Evading detection    b. Taking action    c. Persistence    d. Reconnaissance

50. (1 point) After reconnaissance, what is typically the next phase an attacker attempts?
a. Lateral movement    b. Initial access    c. Evading detection    d. Taking action