- 126 Questions
- Updated on: 25-May-2026
- Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
Free Cisco 300-215 Practice Questions 2026 | Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
Refer to the exhibit.

What does the exhibit indicate?
A. The new file is created under the Software\Classes disk folder.
B. A UAC bypass is created by modifying user-accessible registry settings.
C. A scheduled task named "DelegateExecute" is created.
D. The shell software is modified via PowerShell.
Refer to the exhibit.

Which two actions should be taken as a result of this information? (Choose two.)
A. Update the AV to block any file with hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
B. Block all emails sent from an @state.gov address.
C. Block all emails with pdf attachments.
D. Block emails sent from Admin@state.net with an attached pdf file with md5 hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
E. Block all emails with subject containing “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
Answer: D. Block emails sent from Admin@state.net with an attached pdf file with md5 hash “cf2b3ad32a8a4cfb05e9dfc45875bd70”.
Which tool should be used for dynamic malware analysis?
A. Decompiler
B. Unpacker
C. Disassembler
D. Sandbox
A cybersecurity analyst detects fileless malware activity on secure endpoints. What should be done next?
A. Immediately quarantine the endpoints containing the suspicious files and consider the issue resolved.
B. Isolate the affected endpoints and conduct a detailed memory analysis to identify fileless malware execution.
C. Delete the suspicious files and monitor the endpoints for any further signs of compromise.
D. Share the findings with other government agencies for collaborative threat analysis and response.
A workstation uploads encrypted traffic to a known clean domain over TCP port 80. What type of attack is occurring, according to the MITRE ATT&CK matrix?
A. Exfiltration Over Web Service
B. Exfiltration Over C2 Channel
C. Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
D. Command and Control Activity
An organization experienced a ransomware attack that resulted in the successful infection of their workstations within their network. As part of the incident response process, the organization's cybersecurity team must prepare a comprehensive root cause analysis report. This report aims to identify the primary factor or factors responsible for the successful ransomware attack and to formulate effective strategies to prevent similar incidents in the future. In this context, what should the cybersecurity engineer emphasize in the root cause analysis report to demonstrate the underlying cause of the incident?
A. evaluation of user awareness and training programs aimed at preventing ransomware attacks
B. analysis of the organization's network architecture and security infrastructure
C. detailed examination of the ransomware variant, its encryption techniques, and command-and-control servers
D. vulnerabilities present in the organization's software and systems that were exploited by the ransomware
During a routine inspection of system logs, a security analyst notices an entry where Microsoft Word initiated a PowerShell command with encoded arguments. Given that the user's role does not involve scripting or advanced document processing, which action should the analyst take to analyze this output for potential indicators of compromise?
A. Monitor the Microsoft Word startup times to ensure they align with business hours.
B. Confirm that the Microsoft Word license is valid and the application is updated to the latest version.
C. Validate the frequency of PowerShell usage across all hosts to establish a baseline.
D. Review the encoded PowerShell arguments to decode and determine the intent of the script.
An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but, while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take?
A. Upload the file signature to threat intelligence tools to determine if the file is malicious.
B. Monitor processes as this is standard behavior of Word macro embedded documents.
C. Contain the threat for further analysis as this is an indication of suspicious activity.
D. Investigate the sender of the email and communicate with the employee to determine the motives.
What describes the first step in performing a forensic analysis of infrastructure network devices?
A. immediately disconnecting the device from the network
B. initiating an immediate full system scan
C. resetting the device to factory settings and analyzing the difference
D. producing an accurate, forensic-grade duplicate of the device's data
Which issue is related to gathering evidence from cloud vendors?
A. Deleted data cannot be recovered in cloud services.
B. There is limited access to physical media.
C. Forensics tools do not apply on cloud services.
D. The chain of custody does not apply on cloud services.
Page 4 of 13