312-39 Sample Questions Answers

Unstructured hunting is best suited when you have a weak but concerning signal (like unusual encrypted bursts to an unfamiliar IP) without a clear hypothesis tied to a known technique or indicator. In this scenario, there are no known IoCs and no alert from traditional tools, so the hunt starts from an intuition-driven anomaly and develops into hypotheses through exploration: examining which hosts are involved, what processes initiate connections, whether destinations vary, whether the behavior aligns with legitimate business tooling, and whether there are associated persistence or credential access signals. This is characteristic of unstructured hunts—analyst-driven exploration based on suspicious observations. Structured hunting typically starts with a defined hypothesis or known adversary behavior mapped to a framework and uses planned queries to confirm or refute it. Situational/entity-driven hunting focuses on a specific entity (a VIP user, crown-jewel server) or a known incident context. Reactive hunting is driven by alerts or confirmed incidents. Here, the hunt is prompted by an anomaly without predefined IoCs or alerts, making unstructured hunting the most appropriate approach to uncover IoAs and then map findings to adversary behaviors.

Networksniffing is the process of monitoring and capturing all data packets passing through a given network. This is typically done using specialized software or hardware tools designed for this purpose. Here’s a detailed explanation of the process:

Monitoring Traffic: Network sniffing involves using a tool to monitor the data flowing over the network. This can include all types of data packets, regardless of where they come from or where they are going.

Capturing Packets: The tool captures each packet that passes through the network. This includes the packet’s header, which contains information about the packet’s source, destination, and other metadata, as well as the payload, which is the actual data being transmitted.

Analysis: Once captured, the packets can be analyzed for various purposes, such as troubleshooting network issues, monitoring network performance, or detecting security threats.

Tools Used: There are many tools available for network sniffing, with Wireshark being one of the most popular and widely used due to its powerful features and flexibility1.

A DHCP Starvation Attack is a type of network attack that aims to deplete the pool of available IP addresses on the DHCP server. The attacker floods the DHCP server with fake DHCP DISCOVER messages using spoofed MAC addresses. If successful, the server will exhaust its address space, denying IP configuration to legitimate clients. This can lead to a denial of service (DoS) for new devices attempting to join the network. Additionally, the attacker may set up a rogue DHCP server to issue malicious IP configurations to clients, potentially redirecting traffic or causing further disruption1.

The Incident Response Procedures contain the performance measures and proper project and time management details. These procedures are designed to guide the incident response team through each phase of incident management, ensuring that all activities are performed efficiently and effectively. They include specific steps to follow, roles and responsibilities, timelines, and performance metrics to measure the effectiveness of the response.

Cleanup is the phase where adversaries attempt to cover their tracks and reduce the chance of detection or attribution. The described behaviors—altering logs, wiping forensic artifacts, modifying timestamps, and tampering with monitoring tools—are classic defense evasion and anti-forensic actions. In SOC investigations, these actions indicate the attacker is prioritizing stealth and persistence after completing objectives, making reconstruction more difficult. Search and exfiltration focuses on locating valuable data and transferring it out; while that happened earlier, the key activities described are about removing evidence and obscuring the timeline. Initial intrusion refers to the first entry (phishing, exploit, stolen credentials). Expansion refers to broadening access (lateral movement, privilege escalation) across the environment. The scenario explicitly emphasizes manipulating logs and monitoring to hide activity and prevent alerts, which aligns most closely with cleanup. For defenders, this phase drives urgency: isolate affected systems, preserve volatile data quickly, validate logging pipelines, and use independent telemetry sources (network flows, cloud control-plane logs, immutable logging) to rebuild the attack chain despite tampering.

 The choice of SIEM architecture is influenced by several factors that impact how the SIEM system willcollect, manage, and analyze data. Among the options provided, Network Topology is the most relevant factor. It determines the layout of the network, including the arrangement of nodes and the connections between them, which directly affects how the SIEM system will be integrated into the environment. A well-designed network topology ensures that the SIEM system can efficiently collect and correlate data from across the network.

SMTP Configuration, DHCP Configuration, and DNS Configuration are related to specific services and protocols that may be monitored by a SIEM, but they do not determine the choice of SIEM architecture itself.

To monitor and visualize Tor traffic hitting the network, John would need data sources that can provide detailed information about the source IP addresses of incoming traffic, as well as the capability to resolve these IP addresses to more identifiable information such as hostnames or geographical locations. DHCP logs, or other log sources capable of maintaining detailed IP address records and facilitating IP-to-Name resolution, would be suitable for this purpose. This data would allow John to create a dashboard in the SIEM system that maps the source IP addresses of Tor traffic to their corresponding locations or identities, providing insights into where the Tor traffic is originating. While web server logs (options B, C, and D) can provide IP addresses, they might not offer the same level of detail or resolution capabilities as DHCP logs or similar network-level logs for this specific use case.

Once the event sources are validated, the next logical step is to define the detection logic—correlation rules and conditions that represent privilege escalation patterns. In SOC engineering, validated sources mean you have the raw ingredients; now you must specify what “bad” looks like in those logs. For privilege escalation on Windows, this might include abnormal group membership changes, creation of new privileged accounts, suspicious privilege assignment events, UAC bypass indicators, or admin logons from non-admin workstations. Defining correlation rules also includes setting time windows, selecting strong pivots (account, host, SID), and incorporating context to reduce noise (approved admin accounts, maintenance windows, known tooling). Defining response actions is important, but it should follow detection logic so you don’t automate reactions to unstable or noisy detections. Testing immediately in production is risky; best practice is to test in a controlled manner or pilot mode first to avoid operational disruption and excessive false positives. Collecting historical logs can help tune baselines, but the scenario states sources are already validated; the next step is to codify the conditions that detect the targeted behavior.

The attack demonstrated in the scenario is a Cross-site Scripting (XSS) attack. This is evident from the attacker’s action of inserting a