300-220 Questions and Answers

The correct answer isendpoint process execution and memory access events. During thedata collection and processing phase, the goal is to gatherhigh-fidelity telemetrythat supports hypothesis validation.

Credential harvesting often occurswithout dropping malwareand instead relies on:

Memory scraping

LSASS access

Credential dumping tools

In-memory execution

Cisco Secure Endpoint provides deep visibility into:

Process creation and parent-child relationships

Memory access attempts

Privilege abuse

Fileless execution

Option A provides enrichment but not raw behavioral evidence. Option C supports context but does not replace endpoint telemetry. Option D is reactive and unreliable for structured hunts.

Within theCBRTHD threat hunting lifecycle, this phase emphasizesevidence over indicators. Without endpoint execution and memory telemetry, hunters cannot reliably confirm credential access techniques.

This aligns withMITRE ATT&CK Credential Accesstactics and Cisco’s emphasis onendpoint behavioral analytics.

Thus,Option Bis the correct answer.

The correct answer isanalyzing authentication behavior anomalies across users and devices. Credential abuse is one of the most common and effective techniques used by modern attackers because it allows them to blend in with legitimate activity and bypass malware-based defenses.

Options A and B rely on malware indicators, which are often absent in credential-based attacks. Option D addresses only one potential delivery or command-and-control vector and does not detect misuse of valid credentials.

By analyzing authentication behavior, threat hunters can detect:

Impossible travel scenarios

Abnormal login times

Excessive failed logins followed by success

Logins from unusual devices or locations

Cisco tools such asCisco Secure Network Analytics, VPN telemetry, and identity logs provide rich data sources for this type of hunting. This approach focuses onIndicators of Attack (IOAs)rather than Indicators of Compromise (IOCs), pushing detection higher on thePyramid of Pain.

Within theCBRTHD blueprint, hunting for credential misuse is a core competency, especially in cloud and remote-access environments. Detecting these behaviors early significantly reduces attacker dwell time and limits the blast radius of compromise.

Therefore,Option Cis the most effective and Cisco-aligned answer.

The correct answer isit reveals consistent attacker tradecraft across incidents. Attribution relies onbehavioral consistency, not on malware samples or exploits.

Avoiding malware and abusing legitimate tools (living-off-the-land techniques) reflects adeliberate operational strategy. These behaviors tend to remain consistent across campaigns and are frequently documented in threat intelligence profiles.

Options A and D are incorrect because no exploit or ransomware is involved. Option B is incorrect; living-off-the-land techniques are modern, not outdated.

Cisco-aligned threat hunting emphasizesMITRE ATT&CK mappingand behavioral analysis to support attribution efforts. This approach is far more reliable than artifact-based attribution.

Thus,Option Cis the correct answer.

The correct answer isformulating a hypothesis to search for credential misuse without alerts. This activity is the defining characteristic ofthreat hunting.

Threat hunting isproactive and hypothesis-driven, meaning analysts intentionally search for attacker behavior that has not yet triggered alerts. Detection engineering, on the other hand, focuses on building and tuning automated rules that respond to known patterns.

Options A, B, and D all representreactive or preventative security operations. They rely on known indicators or alerts and are foundational but insufficient against stealthy adversaries who abuse valid credentials and native tools.

Cisco’sCBRTHD blueprintexplicitly emphasizes hypothesis-based hunting as a core competency. Hunters ask questions like:

“If credentials were stolen, how would that look in our telemetry?”

“What behavior would indicate lateral movement without malware?”

This approach aligns with detectingIndicators of Attack (IOAs)and operating higher on thePyramid of Pain, forcing adversaries to change tactics instead of infrastructure.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isconverting hunt findings into permanent detections. Threat hunting is only effective when discoveries areoperationalized.

Without converting findings into SIEM, EDR, or NDR detections, organizations repeatedly identify the same attacker behaviors, wasting time and resources. Options A, B, and D improve capacity but do not eliminate blind spots.

Mature threat hunting programs ensure that:

Hunts produce detection rules

Alerts are tuned and validated

Knowledge is institutionalized

This is a defining trait ofhigh-maturity security organizationsand directly improves resilience. Therefore, optionCis correct.

The correct answer isConnection status. In this scenario, the key challenge for the security team is differentiatinglegitimate outbound trafficfrommalicious or DDoS-related trafficoriginating from the same web server. Since both types of traffic coexist in the logs, analysts must rely on an attribute that meaningfully distinguishes normal behavior from abnormal patterns.

The exhibit shows numerous TCP connections from the web server to many different external IP addresses, with varyingTCP statessuch as ESTABLISHED, TIME_WAIT, and FIN_WAIT. These connection states are highly valuable for threat hunting and network analysis. During DDoS activity—especially reflected or amplification-style attacks, or when a server is abused as part of an attack—connections often remain half-open, rapidly transition to TIME_WAIT, or fail to fully establish. In contrast, legitimate web traffic typically results in stable, short-lived ESTABLISHED sessions that follow predictable patterns.

Option B (destination port) is not useful here because most web traffic—both legitimate and malicious—commonly uses ports 80 or 443. Option C (IP address of the web server) provides no filtering value because all traffic already originates from that server. Option D (protocol) is also ineffective, as both normal and DDoS traffic in this case use TCP.

From a professional SOC and threat hunting standpoint,connection state analysisis a foundational technique for detecting volumetric attacks, beaconing behavior, and abnormal session churn. By filtering logs based on connection status, analysts can quickly isolate suspicious patterns such as excessive short-lived connections, abnormal teardown behavior, or asymmetric session states that are characteristic of DDoS-related activity.

This approach aligns with mature threat hunting practices:when indicators overlap, pivot to behavioral attributes. Connection status provides the necessary behavioral signal to separate expected traffic from attack traffic and supports faster, more accurate incident response.

The correct answers areB. Processes in nonstandard file pathsandC. Common processes with modified names. These two detection rules are highly effective for identifyingmalicious processes spawned by phishing-delivered malware.

Phishing payloads commonly drop executables intononstandard directoriessuch as AppData, Temp, Downloads, or user profile subfolders. Legitimate Windows binaries rarely execute from these locations. Monitoring for process execution from such paths is a proven technique for detecting malware loaders, credential stealers, and post-exploitation tooling.

Additionally, attackers frequentlymasquerade malware as legitimate processesby using slightly modified names, such as lsasss.exe, svch0st.exe, or expl0rer.exe. These tactics are designed to evade casual inspection and basic allowlisting. Detecting common Windows process names with anomalies—such as incorrect spelling, unexpected parent processes, or abnormal execution paths—is a high-fidelity behavioral signal.

Option A is too broad; nearly all processes are created by users directly or indirectly, making it noisy. Option D (process ownership changes) and Option E (startup time changes) are less relevant to detecting credential-harvesting processes at execution time and may miss the initial malicious activity.

From a threat hunting and detection engineering perspective, optionsB and Calign withMITRE ATT&CK – Defense Evasion and Credential Accesstechniques. These rules focus onbehavioral detection, not static indicators, making them resilient against attacker variation.

In short, detectingwhere a process runs fromandwhat it pretends to beprovides strong coverage against phishing-delivered malware, makingB and Cthe correct and professionally validated choices.

The correct answer isCollect and process intelligence and data. In this scenario, theinitial threat hunting phaseoccurred when the SOC team received the alert and began analyzing SIEM logs to validate whether the activity was legitimate or malicious. This aligns directly with the first phase of the threat hunting lifecycle, which focuses on gathering, normalizing, and analyzing security-relevant data.

Threat hunting is a structured, hypothesis-driven process, but it always begins withdata collection and intelligence processing. This includes ingesting logs from identity providers, authentication systems, cloud platforms, VPNs, and endpoint telemetry into a SIEM. In this case, the alert regarding a sign-in from an unusual country triggered analysts to examine historical login patterns and geolocation data. By confirming that the user had never authenticated from that country, the team established that the event was anomalous and likely malicious.

Option B (Response and resolution) occurredafterthe initial phase, when the IT administrator reset the user’s password to contain the threat. Option C (Hypothesis) would involve formulating a theory such as “the account may be compromised due to credential theft,” but this step requires validated data first. Option D (Post-incident review) only happens after the incident has been fully resolved and lessons learned are documented.

From a professional cybersecurity operations perspective, this phase is critical becausehigh-quality data determines hunt effectiveness. Poor log coverage or incomplete identity telemetry would prevent analysts from confidently confirming the anomaly. This example also highlights why identity-related telemetry is foundational to modern threat hunting—compromised credentials remain one of the most common initial access vectors.

In short, before a SOC can hypothesize, respond, or improve controls, it must firstcollect and process accurate intelligence and data, making option A the correct answer.

The correct answer isC. Use a Base64-encoded VBScript that is decoded and executed on the endpoint. The exhibit clearly shows aVBScript-based attack chainthat relies onBase64 encodingto obfuscate malicious content and evade basic detection mechanisms.

In the code snippet, the function call afghhha("aHR0cHM6Ly9z...") contains a string that is visiblyBase64-encoded. When decoded, Base64 strings commonly reveal URLs, commands, or additional script logic. The script then uses WinHttpReq.Open and WinHttpReq.Send to retrieve remote content over HTTP, extracts a specific portion of the response using string manipulation (InStr, Mid), and executes it dynamically using the execute() function. This is a strong indicator ofliving-off-the-land scripting abuse, where native Windows scripting engines are leveraged for malicious purposes.

From a MITRE ATT&CK perspective, this behavior aligns withCommand and Scripting Interpreter (T1059), specificallyVBScript (T1059.005), and includes elements ofObfuscated/Encoded Files or Information (T1027). Encoding payloads in Base64 helps attackers bypass signature-based detection tools and makes static analysis more difficult.

Option A is incorrect because the script does not perform checks to determine prior compromise; instead, it actively retrieves and executes payloads. Option B is incorrect because no batch file creation is shown. Option D is also incorrect, as there is no evidence of persistence mechanisms such as Startup folder modification or shortcut creation. The wscript.Sleep function indicates periodic execution or beaconing, but persistence itself is not established in the shown code.

For threat hunters and SOC analysts, this technique highlights the importance of monitoringscript interpreter usage,encoded command execution,suspicious WinHTTP requests, anddynamic code execution via execute(). Detecting encoded scripts and abnormal scripting behavior is critical, as these techniques are widely used in phishing payloads, malware loaders, and initial access tooling.

In professional environments, defenders should combine EDR behavioral detections, script block logging, AMSI integration, and network telemetry to effectively identify and disrupt this attack technique.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer ismapping trust relationships between identity systems. Hybrid identity environments introduce complex trust boundaries that attackers routinely exploit.

Modern breaches increasingly involveidentity pivoting, where attackers compromise a cloud identity and abuse synchronization, federation, or conditional access misconfigurations to escalate into on-prem Active Directory. These attack paths often do not rely on software vulnerabilities at all.

Option A is too narrow and focuses only on technical exploits. Option C measures severity but does not model movement. Option D analyzes traffic but does not explain privilege escalation pathways.

By mapping trust relationships—such as Azure AD Connect synchronization, service principals, hybrid admin roles, and conditional access exclusions—defenders can identifychained attack pathsthat enable privilege escalation without exploiting code.

From a threat hunting standpoint, this modeling enables:

Hypothesis-driven hunts

Detection of abnormal role assumptions

Visibility into identity abuse

This approach aligns withattack path modeling, a critical evolution of traditional threat modeling for identity-centric environments. Therefore, optionBis correct.

The correct answer isExploit public-facing application. The log excerpt in the exhibit clearly shows amalicious HTTP GET requesttargeting aWordPress plugin PHP filewith a craftedSQL injection payload:

UNION ALL SELECT CONCAT(...)

This syntax is a classic indicator ofSQL injection, a well-documented attack technique used to exploit insufficient input validation in web applications. According to the MITRE ATT&CK framework, this behavior maps to theInitial Access tactic (TA0001)and the techniqueExploit Public-Facing Application (T1190). The attacker is directly interacting with a publicly accessible web service and abusing a vulnerability in the application code to gain unauthorized access.

From a threat hunting and forensic standpoint, this is a textbook example of how attackers commonly achieve initial access to web servers. The attacker did not authenticate via remote services (such as SSH or RDP), nor did they rely on user interaction (as in a drive-by compromise). Instead, they sent a specially crafted request to a vulnerable endpoint exposed to the internet. This makes option B incorrect becauseExternal Remote Servicesrequires legitimate service access mechanisms. Option C is also incorrect becauseCommand and Scripting Interpreteris typically usedafterinitial access, once code execution is already achieved. Option D does not apply because there is no evidence of malicious content being delivered to end users.

The forensic team’s actions—isolating the server, cloning the disk, and analyzing logs—are standard post-incident procedures to reconstruct the attack chain. Web server access logs are especially valuable in these cases, as they often reveal malicious payloads, attacker IP addresses, targeted endpoints, and timestamps.

For defenders and threat hunters, this scenario reinforces the importance of monitoring web logs for anomalous query strings, enforcing secure coding practices, conducting regular vulnerability scans, and promptly patching third-party plugins. Public-facing applications remain one of themost exploited initial access vectors, making this technique a critical focus area in modern threat hunting programs.

The correct answer isconsistent attacker tradecraft mapped to MITRE ATT&CK. Attribution at a professional level relies onbehavioral consistency, not superficial artifacts.

Advanced threat actors routinely rotate infrastructure, recompile malware, and vary filenames specifically to defeat attribution efforts. As a result, indicators such as IP addresses, hashes, and timestamps are unreliable and sit low on thePyramid of Pain.

What attackers cannot easily change ishow they operate. This includes:

Initial access techniques

Credential harvesting methods

Lateral movement patterns

Persistence mechanisms

Command-and-control behaviors

When these behaviors remain consistent across incidents, they form abehavioral fingerprint. Mapping these observations toMITRE ATT&CK techniquesallows analysts to compare activity against known threat group profiles maintained by intelligence providers and national CERTs.

Option A and B are weak indicators easily altered by attackers. Option D provides almost no attribution value, as timing alone is coincidental and unreliable.

Professional attribution requires correlating TTPs across campaigns and validating them against historical threat actor intelligence. This method supports high-confidence attribution used in legal, executive, and geopolitical contexts.

Therefore,Option Cis the correct and defensible answer.