CompTIA CS0-003 Free Practice Questions — Page 3

CompTIA CySA+ • 5 questions • Answers & explanations included

Question 11

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the stage of the Cyber Kill Chain in which the threat actor is currently operating?

A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation

Correct Answer: C. Delivery

The actor has already gained access via social engineering and now wants to maintain that access — this is the Exploitation stage, where the attacker leverages their foothold. Note: maintaining persistence is sometimes associated with "Installation" in some Kill Chain models, but among the given options, Exploitation is the closest match for active use of gained access. Weaponization (A) is pre-attack preparation. Reconnaissance (B) is pre-intrusion information gathering. Delivery (C) is sending the attack vector — already completed via social engineering.

Question 12

An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives

Correct Answer: B. Reconnaissance

Running network and vulnerability scans against external-facing assets is classic Reconnaissance — the attacker is gathering information about targets before launching an attack. Exploitation (A) means actively taking advantage of a vulnerability — not yet happening. Command and control (C) involves communication with compromised systems. Actions on objectives (D) is the final stage where the attacker achieves their goal.

Question 13

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning

Correct Answer: C. Social engineering attack

Targeting only administrators is a spear-phishing social engineering attack (C) — a targeted, role-specific manipulation attempt. The concealed URL is an obfuscated link (E) — hiding the true destination to trick users into clicking. Beaconing (A) is malware phoning home, not email-based. DNS hijacking (B) redirects DNS resolution — not described here. On-path attack (D) requires network interception, not email delivery. ARP poisoning (F) is a local network attack, unrelated to email URLs.

Question 14

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CD flow
D. Implement proper input validation for any data entry form

Correct Answer: C. Use application security scanning as part of the pipeline for the CI/CD flow

Integrating application security scanning into the CI/CD pipeline catches vulnerabilities early and on every build during development, preventing the same flaws from reaching production again and again. This directly addresses the SDLC phase. Red team exercises (A) happen post-deployment and are reactive. Checking libraries (B) helps with dependencies but doesn't fix recurring code-level issues. Input validation (D) fixes one specific vulnerability type, not the systemic root cause of recurring findings.

Question 15

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows

Correct Answer: A. Proprietary systems

Proprietary systems are vendor-controlled appliances where the organization has no access to patch or modify the underlying software — exactly the scenario described. Legacy systems (B) are outdated systems still in use but are typically owned and accessible. Unsupported OS (C) means the vendor stopped releasing patches — different from access restriction. Lack of maintenance windows (D) is a scheduling problem, not a vendor access restriction problem.
