CompTIA CySA+ Practice Questions: Threat Management

53 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Threat Management. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.


Q1. Which attack involves injecting malicious scripts into trusted websites? (Q-627fe1)

Explanation: XSS attacks inject client-side scripts into web pages.

Q2. Which of the following is a post-exploitation framework? (Q-627fe3)

Explanation: Metasploit includes post-exploitation modules.

Q3. What type of malware encrypts files and demands payment? (Q-924434)

Explanation: Ransomware encrypts data for ransom.

Q4. Which file format is MOST likely to contain a macro virus? (Q-627fe5)

Explanation: Microsoft Office files (.docx) are common macro virus vectors.

Q5. What does the 'A' in 'APT' stand for? (Q-924436)

Explanation: APT = Advanced Persistent Threat.

Q6. What is the MAIN purpose of a honeypot? (Q-924439)

Explanation: Honeypots deceive attackers for analysis.

Q7. What does IOC stand for in threat intelligence? (Q-627feb)

Explanation: IOCs are artifacts that indicate a potential security breach.

Q8. What is the main risk of using default credentials? (Q-627fec)

Explanation: Default credentials are well-known and easily exploited by attackers.

Q9. Which attack intercepts communication between two parties? (Q-924445)

Explanation: MITM attacks secretly intercept and potentially alter communications.

Q10. Which type of testing involves simulating an attack without prior knowledge? (Q-924447)

Explanation: Black-box testing simulates an external attacker's perspective.

Q11. What does the 'D' in 'DDoS' stand for? (Q-627ff3)

Explanation: DDoS = Distributed Denial of Service.

Q12. Which of the following is a key characteristic of heuristic analysis in antivirus software? (Q-924450)

Explanation: Heuristic analysis identifies new malware by analyzing behavior patterns rather than known signatures.

Q13. What is the primary purpose of a sandbox in malware analysis? (Q-627ff4)

Explanation: Sandboxes provide a secure, isolated environment to analyze malware behavior.

Q14. What is the PRIMARY goal of penetration testing? (Q-627ff6)

Explanation: Penetration tests simulate attacks to uncover security weaknesses.

Q15. Which tool would you use to analyze memory dumps for malware? (Q-924454)

Explanation: Volatility is a framework for memory forensics.

Q16. Which attack exploits session management vulnerabilities? (Q-924455)

Explanation: Session hijacking steals authenticated sessions to impersonate users.

Q17. Which attack involves overwhelming a service with fake requests? (Q-924459)

Explanation: DDoS attacks flood targets with traffic to disrupt services.

Q18. Which of the following is an example of social engineering? (Q-924461)

Explanation: Phishing manipulates humans into revealing sensitive information.

Q19. Which attack involves modifying data in transit? (Q-924463)

Explanation: MITM attacks can intercept and alter communications.

Q20. Which type of malware replicates itself across networks? (Q-924466)

Explanation: Worms self-propagate without user interaction.

Q21. Which tool is used for password cracking? (Q-924468)

Explanation: John the Ripper is a popular offline password-cracking tool.

Q22. Which tool is used for intercepting HTTP traffic? (Q-924473)

Explanation: Burp Suite is a web proxy for testing and intercepting HTTP traffic.

Q23. Which attack involves manipulating database queries? (Q-924475)

Explanation: SQL injection inserts malicious queries to manipulate databases.

Q24. What is the PRIMARY purpose of a threat feed? (Q-628016)

Explanation: Threat feeds deliver updated indicators of compromise (IOCs).

Q25. What is the MAIN purpose of a red team exercise? (Q-628017)

Explanation: Red teams simulate real-world attacks to test defenses.

Q26. Which of the following is a key characteristic of a fileless malware attack? (Q-924481)

Explanation: Fileless malware operates in memory without writing files to disk, evading traditional AV scans.

Q27. Which tool would you use to analyze a suspicious PowerShell script? (Q-924483)

Explanation: PowerShell ISE allows debugging and analysis of PowerShell scripts.

Q28. What is the MAIN security concern with IoT devices? (Q-628025)

Explanation: IoT devices often ship with weak defaults and lack update mechanisms.

Q29. What is the PRIMARY purpose of a purple team exercise? (Q-628026)

Explanation: Purple teams combine offensive (red) and defensive (blue) tactics for continuous improvement.

Q30. What is the MAIN security risk of QR codes? (Q-628029)

Explanation: QR codes can hide malicious URLs since users can't preview the destination.

Q31. Which of the following is a characteristic of a supply chain attack? (Q-924494)

Explanation: Supply chain attacks exploit trust in vendors to distribute malware.

Q32. What is the PRIMARY purpose of a reverse shell? (Q-628032)

Explanation: Reverse shells establish connections from victim to attacker, evading inbound firewall rules.

Q33. Which of the following is a characteristic of a watering hole attack? (Q-924498)

Explanation: Watering hole attacks compromise sites visited by target groups.

Q34. Which tool would you use to analyze suspicious PDF files? (Q-924502)

Explanation: PDFid detects potentially malicious elements in PDFs.

Q35. Which of the following is a characteristic of a pass-the-hash attack? (Q-924504)

Explanation: Pass-the-hash exploits NTLM/LM hashes to authenticate without cracking passwords.

Q36. Which of the following is a characteristic of a living-off-the-land (LOTL) attack? (Q-924508)

Explanation: LOTL attacks abuse built-in tools (e.g., PowerShell, WMI) to evade detection.

Q37. Which of the following is a characteristic of a golden ticket attack? (Q-924512)

Explanation: Golden tickets exploit Kerberos authentication for persistent domain access.

Q38. Which of the following BEST describes a cold boot attack? (Q-924514)

Explanation: Cold boot attacks recover encryption keys from residual memory after abrupt power loss.

Q39. Which of the following is a characteristic of a DLL sideloading attack? (Q-924515)

Explanation: DLL sideloading places malicious DLLs in paths where legitimate apps search for dependencies.

Q40. Which of the following is a characteristic of a reflective amplification attack? (Q-924518)

Explanation: Reflective attacks abuse protocols (e.g., DNS, NTP) to amplify traffic toward victims.

Q41. Which of the following is a characteristic of a pass-the-ticket attack? (Q-924522)

Explanation: Pass-the-ticket reuses Kerberos TGS tickets for lateral movement.

Q42. Which of the following is a characteristic of a golden SAML attack? (Q-924526)

Explanation: Golden SAML forges claims to impersonate users in federated environments.

Q43. Which of the following is a characteristic of a golden ticket attack? (Q-924530)

Explanation: Golden tickets exploit Kerberos for persistent domain access.

Q44. Which of the following is a characteristic of a pass-the-hash attack? (Q-924532)

Explanation: Pass-the-hash exploits NTLM/LM hashes to authenticate without cracking passwords.

Q45. Which of the following is a characteristic of a living-off-the-land (LOTL) attack? (Q-924536)

Explanation: LOTL attacks abuse built-in tools (e.g., PowerShell, WMI) to evade detection.

Q46. Which of the following is a characteristic of a golden ticket attack? (Q-924540)

Explanation: Golden tickets exploit Kerberos for persistent domain access.

Q47. Which of the following is a characteristic of a pass-the-hash attack? (Q-924542)

Explanation: Pass-the-hash exploits NTLM/LM hashes to authenticate without cracking passwords.

Q48. Which of the following is a characteristic of a living-off-the-land (LOTL) attack? (Q-924546)

Explanation: LOTL attacks abuse built-in tools (e.g., PowerShell, WMI) to evade detection.

Q49. Which of the following is a characteristic of a golden ticket attack? (Q-924550)

Explanation: Golden tickets exploit Kerberos for persistent domain access.

Q50. Which attack technique involves an adversary using legitimate credentials to move from one system to another within a network?

Explanation: Lateral movement is the technique used by attackers to move deeper into a network in search of sensitive data.

Q51. A threat hunter starts with the idea that attackers may abuse PowerShell remoting. What is this starting point called?

Explanation: Threat hunting often begins with a hypothesis that guides data collection and analysis.

Q52. Mapping an attacker technique to T1059 helps align findings with which framework?

Explanation: MITRE ATT&CK uses technique identifiers such as T1059 for command and scripting interpreter activity.

Q53. Which term describes a collection of related incidents likely caused by the same adversary campaign?

Explanation: Grouping related events helps analysts understand scope, common indicators, and adversary behavior.
