300-220 Dumps with Practice Exam Questions Answers

The correct answer isendpoint memory access telemetry. Credential dumping often involves accessing sensitive memory regions, such as LSASS, rather than deploying obvious malware.

Modern attackers frequently use:

Legitimate tools

In-memory techniques

Living-off-the-land binaries

These methods bypass file-based detection entirely. Email, DNS, and firewall logs provide limited visibility into memory-level abuse.

Endpoint memory telemetry enables detection of:

Unauthorized LSASS access

Suspicious handle requests

Abnormal process injection

This telemetry is foundational for detectingcredential access techniquesin modern environments. Therefore, optionBis correct.

The correct answer isconverting hunt findings into permanent detection rules. This action reflects thehighest maturity outcomeof threat hunting.

Threat hunting is not complete until discoveries are:

Documented

Operationalized

Automated where appropriate

Without converting findings into detections, SOC teams repeatedly rediscover the same threats, wasting time and effort.

Options A and B increase noise and risk false positives. Option D improves experience but does not institutionalize knowledge.

Cisco’sCBRTHD blueprintemphasizes:

Continuous improvement

Detection engineering

Feedback loops between hunting and monitoring

By creating permanent detections, organizations:

Reduce dwell time

Improve consistency

Increase adversary cost

Therefore,Option Cis the correct and most Cisco-aligned answer.

The correct answer isC. Modifying this key requires administrative privileges, which the malware might not have.

The exhibit shows persistence established under the registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This registry key is aper-user startup location, meaning any executable listed there will automatically run whenthat specific userlogs in. Crucially,write access to HKEY_CURRENT_USER (HKCU) does not require administrative privileges—only the privileges of the compromised user account.

In contrast,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

appliessystem-wideand causes programs to execute at startup forall users. However, modifying this key requireslocal administrator privileges. In many real-world breaches, attackers initially compromisestandard user accounts, not administrators. As a result, malware often chooses HKCU-based persistence mechanisms because they arereliable, stealthy, and achievable without privilege escalation.

Options A and D are incorrect because both registry paths are fully supported in modern versions of Windows and are explicitly designed for startup execution. Option B is incorrect because neither key automatically removes entries after a reboot—both are persistent by design.

From a threat hunting and endpoint detection perspective, this distinction is critical. HKCU persistence indicates:

User-level compromise

No confirmed administrative access (yet)

Potential precursor to privilege escalation attempts

This technique maps toMITRE ATT&CK – Persistence: Boot or Logon Autostart Execution (T1547.001). Mature SOC teams monitorboth HKCU and HKLM Run keys, but they interpret them differently when reconstructing attacker capability and progression.

In summary, the attacker usedHKCUbecause it enables persistencewithout requiring administrative privileges, makingOption Cthe correct and professionally accurate answer.

The correct next action is tosubmit the file for sandboxing. In professional security operations and threat hunting workflows, sandboxing is the most appropriate step when a file originates from an untrusted source and hash-based reputation checks return anunknownresult. An unknown hash means the file has not yet been classified as benign or malicious by threat intelligence databases, which is common with newly created malware or targeted attacks.

Sandboxing allows the security team to performdynamic analysisby executing the file in an isolated, controlled environment. This process observes runtime behaviors such as process creation, registry modification, network communications, command-and-control callbacks, file system changes, and exploit attempts. These behaviors provide high-fidelity indicators that static analysis or hash lookups cannot reveal.

Option B, reviewing the directory path, is useful for contextual awareness but does not determine whether the file is malicious. Option C, running a full malware scan, is premature; modern malware often evades signature-based scans, especially when the file is previously unknown. Option D, investigating the reputation of the website, is a supporting activity but does not assess the actual behavior or payload of the downloaded file.

From a threat hunting and incident response standpoint, sandboxing bridges the gap betweendetection and confirmation. If the sandbox analysis confirms malicious behavior, the team can escalate to containment actions such as isolating the endpoint, blocking hashes and domains, and performing scope analysis to identify other affected systems. Additionally, sandbox results can be used to create new SIEM detections and EDR behavioral rules, strengthening future defenses.

This approach aligns with professional best practices:unknown file + untrusted source = dynamic analysis first. It ensures accurate classification while minimizing unnecessary disruption to the user or environment.

The correct answer iscorrelating attacker behavior across multiple MITRE ATT&CK techniques. This approach focuses onbehavioral detection, which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to asliving-off-the-land techniques—intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may beno malicious files at all. Options A and D sit at the lowest levels of thePyramid of Pain, making them easy for adversaries to evade.

By correlating behavior across multiple ATT&CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detecthowthe attacker operates rather thanwhat toolsthey use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into ahigh-confidence attack patternis how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of theThreat Hunting Maturity Modeland the top of thePyramid of Pain, making optionBthe correct answer.