Cisco 300-220 Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Exam Practice Test

The correct answer isObservation of repeated failed logins followed by a successful login from a new location. This scenario represents anIndicator of Attack (IOA)because it reflectsattacker behavior in progress, not confirmed compromise.

IOAs focus onpatterns of malicious intent, such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggestspassword spraying or credential stuffing, both common initial access techniques.

Options A, B, and D are classicIndicators of Compromise (IOCs). Hashes, domains, and IP addresses are static artifacts that indicate a systemhas already been compromised. These indicators sit low on thePyramid of Painand are easy for attackers to change.

Cisco’sCBRTHD blueprintemphasizes hunting forIOAsbecause they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such asSecure Network Analytics,Secure Endpoint, and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isstandardizing hunt documentation and hypotheses. Mature threat hunting programs move beyond ad-hoc, intuition-driven efforts.

Standardization enables:

Knowledge sharing

Consistent methodology

Repeatable hunts

Easier onboarding of new analysts

Option A and B support operations but do not improve hunting maturity. Option D is unrealistic and risky.

By documenting hypotheses, data sources, queries, findings, and outcomes, organizations institutionalize knowledge and continuously improve detection capabilities.

This is a defining characteristic ofhigh-maturity threat hunting programs.

Therefore, optionCis correct.

The correct answer isconsistent attacker tradecraft mapped to MITRE ATT&CK. Attribution at a professional level relies onbehavioral consistency, not superficial artifacts.

Advanced threat actors routinely rotate infrastructure, recompile malware, and vary filenames specifically to defeat attribution efforts. As a result, indicators such as IP addresses, hashes, and timestamps are unreliable and sit low on thePyramid of Pain.

What attackers cannot easily change ishow they operate. This includes:

Initial access techniques

Credential harvesting methods

Lateral movement patterns

Persistence mechanisms

Command-and-control behaviors

When these behaviors remain consistent across incidents, they form abehavioral fingerprint. Mapping these observations toMITRE ATT&CK techniquesallows analysts to compare activity against known threat group profiles maintained by intelligence providers and national CERTs.

Option A and B are weak indicators easily altered by attackers. Option D provides almost no attribution value, as timing alone is coincidental and unreliable.

Professional attribution requires correlating TTPs across campaigns and validating them against historical threat actor intelligence. This method supports high-confidence attribution used in legal, executive, and geopolitical contexts.

Therefore,Option Cis the correct and defensible answer.

The correct answer isattack path analysis using identity relationships. Cloud breaches increasingly occur throughmisconfigured identity permissions, not software flaws.

Attack path analysis mapstrust relationships, role assumptions, permissions, and access boundariesto understand how attackers can pivot through identity systems. This is especially relevant in cloud environments where:

Roles can assume other roles

Permissions are inherited

Overprivileged identities are common

Option A is too abstract and does not capture privilege chaining. Option B assumes malware execution, which is unnecessary in identity-based attacks. Option D measures severity but does not model attacker movement.

Professional threat hunters and cloud security teams rely on attack path analysis to:

Identify privilege escalation paths

Detect identity blast radius

Prioritize remediation of high-risk relationships

This directly supports proactive hunting and aligns withidentity-first security principles.

Therefore, optionCis correct.

The correct answer isC. Modifying this key requires administrative privileges, which the malware might not have.

The exhibit shows persistence established under the registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This registry key is aper-user startup location, meaning any executable listed there will automatically run whenthat specific userlogs in. Crucially,write access to HKEY_CURRENT_USER (HKCU) does not require administrative privileges—only the privileges of the compromised user account.

In contrast,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

appliessystem-wideand causes programs to execute at startup forall users. However, modifying this key requireslocal administrator privileges. In many real-world breaches, attackers initially compromisestandard user accounts, not administrators. As a result, malware often chooses HKCU-based persistence mechanisms because they arereliable, stealthy, and achievable without privilege escalation.

Options A and D are incorrect because both registry paths are fully supported in modern versions of Windows and are explicitly designed for startup execution. Option B is incorrect because neither key automatically removes entries after a reboot—both are persistent by design.

From a threat hunting and endpoint detection perspective, this distinction is critical. HKCU persistence indicates:

User-level compromise

No confirmed administrative access (yet)

Potential precursor to privilege escalation attempts

This technique maps toMITRE ATT&CK – Persistence: Boot or Logon Autostart Execution (T1547.001). Mature SOC teams monitorboth HKCU and HKLM Run keys, but they interpret them differently when reconstructing attacker capability and progression.

In summary, the attacker usedHKCUbecause it enables persistencewithout requiring administrative privileges, makingOption Cthe correct and professionally accurate answer.

The correct answer isSimple. The exhibit shows an EDR query filtering onspecific IPv4 addresses, which are classicIndicators of Compromise (IOCs). Within thePyramid of Painmodel, IP addresses sit at thelowest level, representing the least painful indicators for adversaries to change.

The Pyramid of Pain categorizes detection indicators by how costly they are for attackers to replace:

Simple→ Hashes, IP addresses, domain names

Easy→ Network artifacts (URI patterns, user-agent strings)

Challenging→ Host artifacts (registry keys, file paths, mutexes)

Tough→ Tactics, Techniques, and Procedures (TTPs)

In this scenario, the threat-hunting team is querying EDR telemetry for outbound connections toknown C2 IP addresses. While this is a valid and common detection technique—especially for rapid containment—it provides minimal long-term defensive value. Attackers can easily rotate C2 infrastructure by changing IPs, using cloud hosting, fast-flux DNS, or proxy networks.

Option C (Easy) would apply if the team were hunting fornetwork artifacts, such as suspicious URI paths or protocol misuse. Option B (Challenging) would involvehost-based artifacts, like malware persistence keys or file system changes. Option A (Tough) represents the highest maturity—detectingadversary behavior and techniques, such as beaconing patterns, lateral movement workflows, or credential abuse—none of which are present here.

From a professional threat-hunting standpoint, IP-based detections are best used asshort-term controlsfor blocking known threats or scoping an incident. Mature organizations use them as a starting point, then pivot toward higher-fidelity detections that sit higher on the Pyramid of Pain and impose greater operational cost on attackers.

In summary, querying known C2IP addressescorresponds to theSimplelevel of the Pyramid of Pain, makingOption Dthe correct answer.

The correct answer islegitimate system processes executing encoded commands. Fileless malware avoids writing binaries to disk and instead abuses trusted processes such as PowerShell, WMI, or rundll32.

Encoded or obfuscated commands executed by legitimate binaries are a strong indicator offileless execution and defense evasion. Cisco Secure Endpoint provides deep visibility into command-line arguments and process behavior, enabling detection of this technique.

Option A is normal behavior. Option B may indicate suspicious execution but still involves files. Option D relies on file presence, which fileless attacks intentionally avoid.

This technique aligns withMITRE ATT&CK – Command and Scripting Interpreter and Defense Evasionand is directly relevant toCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Therefore,Option Cis the correct answer.

The correct next action is tosubmit the file for sandboxing. In professional security operations and threat hunting workflows, sandboxing is the most appropriate step when a file originates from an untrusted source and hash-based reputation checks return anunknownresult. An unknown hash means the file has not yet been classified as benign or malicious by threat intelligence databases, which is common with newly created malware or targeted attacks.

Sandboxing allows the security team to performdynamic analysisby executing the file in an isolated, controlled environment. This process observes runtime behaviors such as process creation, registry modification, network communications, command-and-control callbacks, file system changes, and exploit attempts. These behaviors provide high-fidelity indicators that static analysis or hash lookups cannot reveal.

Option B, reviewing the directory path, is useful for contextual awareness but does not determine whether the file is malicious. Option C, running a full malware scan, is premature; modern malware often evades signature-based scans, especially when the file is previously unknown. Option D, investigating the reputation of the website, is a supporting activity but does not assess the actual behavior or payload of the downloaded file.

From a threat hunting and incident response standpoint, sandboxing bridges the gap betweendetection and confirmation. If the sandbox analysis confirms malicious behavior, the team can escalate to containment actions such as isolating the endpoint, blocking hashes and domains, and performing scope analysis to identify other affected systems. Additionally, sandbox results can be used to create new SIEM detections and EDR behavioral rules, strengthening future defenses.

This approach aligns with professional best practices:unknown file + untrusted source = dynamic analysis first. It ensures accurate classification while minimizing unnecessary disruption to the user or environment.

The correct answer isit reveals operational discipline and intent. Attribution relies heavily on understandinghow attackers think and operate, not just the tools they use.

Operational discipline—such as careful reconnaissance, avoiding noisy exploitation, and operating during business hours—is ahuman behavioral pattern. These patterns are far more stable than infrastructure or malware and often correlate strongly with specific threat actor groups.

Option A and D focus on tooling, which changes frequently. Option B relates to persistence, not attribution.

Threat intelligence professionals use operational characteristics to distinguish between opportunistic criminals and advanced adversaries. Business-hour activity, careful lateral movement, and deliberate escalation often indicatetargeted intrusions, espionage, or financially motivated but sophisticated actors.

This information helps analysts align observed behavior with known threat actor profiles, improving attribution confidence. Thus, optionCis correct.

The correct answer isC. Use a Base64-encoded VBScript that is decoded and executed on the endpoint. The exhibit clearly shows aVBScript-based attack chainthat relies onBase64 encodingto obfuscate malicious content and evade basic detection mechanisms.

In the code snippet, the function call afghhha("aHR0cHM6Ly9z...") contains a string that is visiblyBase64-encoded. When decoded, Base64 strings commonly reveal URLs, commands, or additional script logic. The script then uses WinHttpReq.Open and WinHttpReq.Send to retrieve remote content over HTTP, extracts a specific portion of the response using string manipulation (InStr, Mid), and executes it dynamically using the execute() function. This is a strong indicator ofliving-off-the-land scripting abuse, where native Windows scripting engines are leveraged for malicious purposes.

From a MITRE ATT&CK perspective, this behavior aligns withCommand and Scripting Interpreter (T1059), specificallyVBScript (T1059.005), and includes elements ofObfuscated/Encoded Files or Information (T1027). Encoding payloads in Base64 helps attackers bypass signature-based detection tools and makes static analysis more difficult.

Option A is incorrect because the script does not perform checks to determine prior compromise; instead, it actively retrieves and executes payloads. Option B is incorrect because no batch file creation is shown. Option D is also incorrect, as there is no evidence of persistence mechanisms such as Startup folder modification or shortcut creation. The wscript.Sleep function indicates periodic execution or beaconing, but persistence itself is not established in the shown code.

For threat hunters and SOC analysts, this technique highlights the importance of monitoringscript interpreter usage,encoded command execution,suspicious WinHTTP requests, anddynamic code execution via execute(). Detecting encoded scripts and abnormal scripting behavior is critical, as these techniques are widely used in phishing payloads, malware loaders, and initial access tooling.

In professional environments, defenders should combine EDR behavioral detections, script block logging, AMSI integration, and network telemetry to effectively identify and disrupt this attack technique.

The correct answer issmall, periodic outbound connections to a rare destination. Beaconing is a hallmark of command-and-control (C2) communication, particularly in stealthy malware campaigns.

Attackers design C2 channels to:

Minimize bandwidth usage

Blend into normal traffic

Avoid triggering threshold-based alerts

As a result, beaconing traffic often consists oflow-volume, regular intervalsconnecting to the same external destination. Cisco Secure Network Analytics is purpose-built to detect this type ofbehavioral anomalyusing NetFlow and telemetry analysis.

Option A suggests data exfiltration rather than beaconing. Option B is too broad and unspecific. Option D relates to denial-of-service or scanning activity, not C2.

This hunting technique aligns withMITRE ATT&CK – Command and Controland is explicitly covered in theCBRTHD blueprintunder network-based threat hunting. Detecting beaconing behavior forces attackers to significantly alter their communication strategy, increasing their operational cost.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isUnauthorized penetration test. Based on the scenario provided, there is no indication that the observed activity was planned, approved, or coordinated by the organization. Instead, the evidence points tomalicious, unauthorized accessusing a valid user account, followed by destructive actions on the file server.

The exhibit showsmultiple file deletions and modificationsoccurring within a very short time window after asuccessful remote sign-in. From a professional SOC and threat hunting perspective, this sequence strongly suggestsaccount compromisefollowed byintentional malicious activity, such as data destruction, ransomware staging, or anti-forensics behavior. Intrusion Prevention System alerts further reinforce that the activity violated security policies, which would not be the case during a sanctioned test.

Option A (White box penetration test) and Option D (Black box penetration test) both describetesting methodologies, not threat types. White box testing is conducted with full internal knowledge and explicit authorization, while black box testing is performed with limited knowledge but still under a formal, approved engagement. In both cases, SOC teams are typically informed ahead of time to prevent unnecessary incident escalation.

Option B (Authorized penetration test) is also incorrect because authorized tests are documented, scoped, and approved by management. They do not involve real user account compromise without prior notification, nor do they trigger IPS alerts treated as genuine incidents.

In contrast,unauthorized penetration testingrefers to real-world attacker behavior where an adversary attempts to compromise systems without permission. Even if the attacker’s techniques resemble penetration testing tools or methods, the lack of authorization makes it a true security incident.

From a threat hunting and incident response standpoint, this classification is critical. Treating unauthorized activity as a live threat ensures proper containment actions, such as account disabling, credential resets, forensic preservation, and scope expansion. Misclassifying such activity as a test could lead to delayed response and increased damage.

In short,authorization—not technique—determines intent. Since no authorization exists in this scenario, the activity represents anunauthorized penetration attempt, making optionCthe correct answer.

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct answer isConnection status. In this scenario, the key challenge for the security team is differentiatinglegitimate outbound trafficfrommalicious or DDoS-related trafficoriginating from the same web server. Since both types of traffic coexist in the logs, analysts must rely on an attribute that meaningfully distinguishes normal behavior from abnormal patterns.

The exhibit shows numerous TCP connections from the web server to many different external IP addresses, with varyingTCP statessuch as ESTABLISHED, TIME_WAIT, and FIN_WAIT. These connection states are highly valuable for threat hunting and network analysis. During DDoS activity—especially reflected or amplification-style attacks, or when a server is abused as part of an attack—connections often remain half-open, rapidly transition to TIME_WAIT, or fail to fully establish. In contrast, legitimate web traffic typically results in stable, short-lived ESTABLISHED sessions that follow predictable patterns.

Option B (destination port) is not useful here because most web traffic—both legitimate and malicious—commonly uses ports 80 or 443. Option C (IP address of the web server) provides no filtering value because all traffic already originates from that server. Option D (protocol) is also ineffective, as both normal and DDoS traffic in this case use TCP.

From a professional SOC and threat hunting standpoint,connection state analysisis a foundational technique for detecting volumetric attacks, beaconing behavior, and abnormal session churn. By filtering logs based on connection status, analysts can quickly isolate suspicious patterns such as excessive short-lived connections, abnormal teardown behavior, or asymmetric session states that are characteristic of DDoS-related activity.

This approach aligns with mature threat hunting practices:when indicators overlap, pivot to behavioral attributes. Connection status provides the necessary behavioral signal to separate expected traffic from attack traffic and supports faster, more accurate incident response.

The correct answer isUse Deep Packet Inspection (DPI) to block malicious domains. The key detail in this scenario is that the endpoint is makingcontinuous outbound TCP connections to a known Command-and-Control (C2) server over port 80, which strongly indicates active malware beaconing or payload retrieval.

Deep Packet Inspection enables security controls—such as next-generation firewalls or network security analytics platforms—to inspectapplication-layer content, including HTTP headers, URLs, domains, and payload characteristics. This allows defenders to block C2 communicationbased on domain names, URL patterns, or behavioral signatures, even if attackers change IP addresses. Since C2 infrastructure is frequently rotated, IP-based blocking alone is insufficient for long-term mitigation.

Option A (browser extension deny list) may help prevent a specific initial infection vector, but it does not addresspost-compromise C2 traffic, especially if malware communicates independently of the browser. Option B (antivirus quarantine) is reactive and limited by signature coverage; modern malware often evades AV detection. Option D (IDS) can detect similar connections but typically does notblocktraffic unless integrated with an IPS or firewall, making it less effective for mitigation.

From a professional threat hunting and SOC standpoint, blocking C2 communication at thenetwork layer using DPIis a high-impact defensive control. It disrupts attacker command channels, prevents data exfiltration, and buys time for endpoint remediation and forensic investigation.

This aligns withMITRE ATT&CK – Command and Control (TA0011)mitigation strategies and reflects a mature security posture:detect at the endpoint, disrupt at the network. Therefore, optionCis the most effective action to mitigate similar connections in the future.

The correct answer isB. Using "SecurityScan/2.5" to access all /admin endpoints. This log entry most clearly aligns with anauthorized security assessmentactivity designed to test weaknesses previously exploited during a breach.

Authorized security assessments—such as penetration tests or red team exercises—are typicallycontrolled, scoped, and intentional. They focus on validating security controls by probing sensitive areas (like administrative interfaces) while avoiding destructive actions. The user-agent string"SecurityScan/2.5"strongly suggests a purpose-built security scanning tool, which is commonly used by internal security teams or third-party assessors during sanctioned testing.

Option A is incorrect because performing login attempts at scale usingleaked credentialswould constitute real-world malicious behavior unless explicitly approved and tightly controlled. Even in authorized tests, credential stuffing with known leaked credentials is highly sensitive and would be explicitly documented; the wording here implies adversary behavior rather than assessment activity.

Option C is clearly malicious and inappropriate for an authorized assessment. Executing ashutdown commandis a destructive action and would violate standard rules of engagement for professional security testing. Such activity would be classified as adversarial exploitation, not a controlled delivery method.

Option D represents benign reconnaissance. A genericweb crawler gathering public-facing informationis typically associated with search engines or basic reconnaissance and does not directly test weaknesses related to a prior breach. While reconnaissance is part of assessments, it is not a strong indicator of a targeted, authorized delivery method.

From a threat hunting and SOC perspective, recognizing authorized assessment activity is critical to avoid misclassifying tests as incidents. Indicators include identifiable scanner user agents, predictable request patterns, limited scope targeting (such as /admin paths), and non-destructive behavior. This scenario reinforces an important operational lesson:context, intent, and tooling matter. Among the options,SecurityScan/2.5 targeting administrative endpointsbest reflects a legitimate, authorized security assessment delivery method.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected after initial compromise.

As threat hunting maturity increases:

Behavioral coverage improves

Detection occurs earlier in the attack lifecycle

Attackers are identified before achieving objectives

Options A and C measure activity, not effectiveness. Option D measures inputs, not outcomes.

Cisco’sCBRTHD blueprintemphasizes outcome-driven metrics. Reduced dwell time directly correlates with lower business impact, reduced data loss, and improved resilience.

Therefore,Option Bis the most meaningful and Cisco-aligned metric.

The correct answer isdetecting abnormal authentication behavior across VPN and cloud access. This outcome targetsbehavioral detection, which sits significantly higher on the Pyramid of Pain than static indicators.

Options A and C rely on domains and hashes, which attackers can trivially change. Option D is a response action, not a hunting outcome.

Credential misuse is one of themost common initial access vectors, especially in cloud and remote-access environments. Detecting abnormal authentication behavior—such as:

Impossible travel

Unusual login times

Excessive failed logins

Geographic anomalies

forces attackers tochange how they operate, not just what infrastructure they use.

Cisco tools such as:

Secure Network Analytics

Secure Endpoint

Secure Firewall

Identity telemetry via VPN and SSO

enable this higher-fidelity detection approach. This aligns directly withCBRTHD blueprint objectivesfocused onidentity-based threat hunting.

Therefore,Option Bis correct.