Online Access Free CompTIA.CAS-004.v2024-05-02.q315 Practice Test (Page 29)

CAS-004 Exam Question 136

A penetration tester obtained root access on a Windows server and, according to the rules of engagement, is permitted to perform post-exploitation for persistence.
Which of the following techniques would BEST support this?

A.Creating a backdoor

B.Exploiting an arbitrary code execution exploit

C.Configuring systemd services to run automatically at startup

D.Moving laterally to a more authoritative server/service

CAS-004 Exam Question 137

Due to adverse events, a medium-sized corporation suffered a major operational disruption that caused its servers to crash and experience a major power outage. Which of the following should be created to prevent this type of issue in the future?

A.SLA

B.BIA

C.BCM

D.BCP

E.RTO

CAS-004 Exam Question 138

A cybersecurity analyst receives a ticket that indicates a potential incident is occurring. There has been a large in log files generated by a generated by a website containing a ''Contact US'' form. The analyst must determine if the increase in website traffic is due to a recent marketing campaign of if this is a potential incident. Which of the following would BEST assist the analyst?

A.Deploy a WAF in front of the public website

B.Checking for new rules from the inbound network IPS vendor

C.Running the website log files through a log reduction and analysis tool

D.Ensuring proper input validation is configured on the ''Contact US'' form

CAS-004 Exam Question 139

A company recently deployed a SIEM and began importing logs from a firewall, a file server, a domain controller a web server, and a laptop. A security analyst receives a series of SIEM alerts and prepares to respond. The following is the alert information:

Which of the following should the security analyst do FIRST?

A.Disable Administrator on abc-uaa-fsl, the local account is compromised

B.Shut down the abc-usa-fsl server, a plaintext credential is being used

C.Disable the jdoe account, it is likely compromised

D.Shut down abc-usa-fw01; the remote access VPN vulnerability is exploited

Correct Answer: C

Explanation
Based on the SIEM alerts, the security analyst should first disable the jdoe account, as it is likely compromised by an attacker. The alerts show that the jdoe account successfully logged on to the abc-usa-fsl server, which is a file server, and then initiated SMB (445) traffic to the abc-web01 server, which is a web server. This indicates that the attacker may be trying to exfiltrate data from the file server to the web server. Disabling the jdoe account would help stop this unauthorized activity and prevent further damage.
Disabling Administrator on abc-usa-fsl, the local account is compromised, is not the first action to take, as it is not clear from the alerts if the local account is compromised or not. The alert shows that there was a successful logon event for Administrator on abc-usa-fsl, but it does not specify if it was a local or domain account, or if it was authorized or not. Moreover, disabling the local account would not stop the SMB traffic from jdoe to abc-web01.
Shutting down the abc-usa-fsl server, a plaintext credential is being used, is not the first action to take, as it is not clear from the alerts if a plaintext credential is being used or not. The alert shows that there was RDP (3389) traffic from abc-admin1-logon to abc-usa-fsl, but it does not specify if the credential was encrypted or not. Moreover, shutting down the file server would disrupt its normal operations and affect other users.
Shutting down abc-usa-fw01; the remote access VPN vulnerability is exploited, is not the first action to take, as it is not clear from the alerts if the remote access VPN vulnerability is exploited or not. The alert shows that there was FTP (21) traffic from abc-usa-dcl to abc-web01, but it does not specify if it was related to the VPN or not. Moreover, shutting down the firewall would expose the network to other threats and affect other services. References: What is SIEM? | Microsoft Security, What is a SIEM Alert? | Cofense

CAS-004 Exam Question 140

A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.
Which of the following is the MOST likely cause?

A.The user agent client is not compatible with the WAF.

B.A certificate on the WAF is expired.

C.HTTP traffic is not forwarding to HTTPS to decrypt.

D.Old, vulnerable cipher suites are still being used.

Other Version: 2843CompTIA.CAS-004.v2025-04-16.q409; 1269CompTIA.CAS-004.v2024-02-08.q162; 1616CompTIA.CAS-004.v2023-10-26.q155; 2435CompTIA.CAS-004.v2023-09-11.q196; 1483CompTIA.CAS-004.v2023-07-04.q118; 1621CompTIA.CAS-004.v2023-04-04.q100; 1429CompTIA.CAS-004.v2023-03-18.q82; 1369CompTIA.CAS-004.v2023-03-08.q83; 1679CompTIA.CAS-004.v2023-02-06.q91; 1181CompTIA.CAS-004.v2023-01-23.q73; 1407CompTIA.CAS-004.v2023-01-21.q71; 1363CompTIA.CAS-004.v2023-01-09.q75; 1752CompTIA.CAS-004.v2022-05-27.q44; 1553CompTIA.CAS-004.v2022-05-18.q62; 74CompTIA.Actual4dumps.CAS-004.v2022-04-25.by.norma.44q.pdf

Latest Upload: 160CompTIA.220-1202.v2026-06-16.q110; 112TheInstitutes.CPCU-500.v2026-06-16.q25; 156ACAMS.CAMS7-CN.v2026-06-16.q170; 183CBIC.CIC.v2026-06-15.q123; 128Peoplecert.ITIL-4-Specialist-High-velocity-IT.v2026-06-15.q16; 220HashiCorp.Terraform-Associate-004.v2026-06-15.q126; 130Peoplecert.ITILFNDv5.v2026-06-15.q26; 129Workday.Workday-Pro-HCM-Reporting.v2026-06-15.q28; 129Fortinet.NSE5_SSE_AD-7.6.v2026-06-15.q17; 326PMI.PMI-ACP.v2026-06-15.q523

CAS-004 Exam Question 136

CAS-004 Exam Question 137

CAS-004 Exam Question 138

CAS-004 Exam Question 139

CAS-004 Exam Question 140

Download PDF File