300-220 Cisco Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Free Practice Exam Questions (2026 Updated)

The correct answer isattack path analysis using identity relationships. Cloud breaches increasingly occur throughmisconfigured identity permissions, not software flaws.

Attack path analysis mapstrust relationships, role assumptions, permissions, and access boundariesto understand how attackers can pivot through identity systems. This is especially relevant in cloud environments where:

Roles can assume other roles

Permissions are inherited

Overprivileged identities are common

Option A is too abstract and does not capture privilege chaining. Option B assumes malware execution, which is unnecessary in identity-based attacks. Option D measures severity but does not model attacker movement.

Professional threat hunters and cloud security teams rely on attack path analysis to:

Identify privilege escalation paths

Detect identity blast radius

Prioritize remediation of high-risk relationships

This directly supports proactive hunting and aligns withidentity-first security principles.

Therefore, optionCis correct.

The correct answer isbehavioral analysis of outbound traffic patterns. Advanced attackers intentionally usestandard protocols such as HTTP and HTTPSto blend exfiltration traffic with normal activity.

Hash-based and signature-based methods are ineffective because:

No malware may be present

Traffic appears legitimate

Infrastructure is frequently rotated

Behavioral analysis detects anomalies such as:

Unusual data transfer volumes

Abnormal session timing

Beaconing patterns

Rare destinations

This approach aligns withnetwork threat hunting best practicesand forces attackers to significantly alter behavior, increasing adversary cost.

Therefore, optionBis correct.

The correct answers areUse of Windows Remote Management (C)andUse of tools and commands to connect to remote shares (E). Both are core mechanisms attackers leverage forlateral movementafter gaining valid credentials through techniques such as pass-the-hash or pass-the-ticket.

Windows Remote Management (WinRM) is a legitimate administrative service used for remote command execution and system management. However, attackers frequently abuse WinRM to move laterally by executing commands on remote endpoints using stolen credentials. From a threat hunting perspective, abnormal WinRM usage—such as execution outside normal administrative hours, from unusual source hosts, or by non-administrative user accounts—is a strong indicator of lateral movement activity.

Similarly, the use of tools and commands to connect to remote shares (such as net use, wmic, SMB-based access, or mounting administrative shares like C$) is a classic lateral movement technique. Attackers use remote shares to transfer tools, stage payloads, and execute malware across systems. Monitoring these activities at the endpoint level helps identify suspicious authentication attempts, unexpected share access, and abnormal file transfers.

Option A (runas) relates more to privilege escalation than lateral movement. Option B is specific to Linux privilege persistence and is not relevant to endpoint lateral movement hunting in this context. Option D (scheduled task creation) is primarily associated with persistence rather than movement between systems.

By monitoring WinRM activity and remote share usage, security teams gain visibility intocredential-based movement, which remains one of the most common and dangerous attacker behaviors in enterprise environments. Effective lateral movement hunting focuses onhow credentials are used, not just how they are stolen.

The correct answer isdetecting abnormal authentication behavior across VPN and cloud access. This outcome targetsbehavioral detection, which sits significantly higher on the Pyramid of Pain than static indicators.

Options A and C rely on domains and hashes, which attackers can trivially change. Option D is a response action, not a hunting outcome.

Credential misuse is one of themost common initial access vectors, especially in cloud and remote-access environments. Detecting abnormal authentication behavior—such as:

Impossible travel

Unusual login times

Excessive failed logins

Geographic anomalies

forces attackers tochange how they operate, not just what infrastructure they use.

Cisco tools such as:

Secure Network Analytics

Secure Endpoint

Secure Firewall

Identity telemetry via VPN and SSO

enable this higher-fidelity detection approach. This aligns directly withCBRTHD blueprint objectivesfocused onidentity-based threat hunting.

Therefore,Option Bis correct.

The correct answer isit indicates disciplined and methodical tradecraft. Attribution relies on understandingattacker behavior patterns, not just tools or infrastructure.

Consistent operational discipline—such as cautious discovery, avoidance of noisy actions, and deliberate escalation—reflectshuman decision-making, which is difficult to change and often persists across campaigns.

Options A, B, and D focus on artifacts or infrastructure, which attackers frequently rotate. Behavioral patterns, however, form atradecraft fingerprint.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingand behavioral consistency to support attribution, making this observation highly valuable.

Thus,Option Cis correct.

The correct answer isExploit public-facing application. The log excerpt in the exhibit clearly shows amalicious HTTP GET requesttargeting aWordPress plugin PHP filewith a craftedSQL injection payload:

UNION ALL SELECT CONCAT(...)

This syntax is a classic indicator ofSQL injection, a well-documented attack technique used to exploit insufficient input validation in web applications. According to the MITRE ATT&CK framework, this behavior maps to theInitial Access tactic (TA0001)and the techniqueExploit Public-Facing Application (T1190). The attacker is directly interacting with a publicly accessible web service and abusing a vulnerability in the application code to gain unauthorized access.

From a threat hunting and forensic standpoint, this is a textbook example of how attackers commonly achieve initial access to web servers. The attacker did not authenticate via remote services (such as SSH or RDP), nor did they rely on user interaction (as in a drive-by compromise). Instead, they sent a specially crafted request to a vulnerable endpoint exposed to the internet. This makes option B incorrect becauseExternal Remote Servicesrequires legitimate service access mechanisms. Option C is also incorrect becauseCommand and Scripting Interpreteris typically usedafterinitial access, once code execution is already achieved. Option D does not apply because there is no evidence of malicious content being delivered to end users.

The forensic team’s actions—isolating the server, cloning the disk, and analyzing logs—are standard post-incident procedures to reconstruct the attack chain. Web server access logs are especially valuable in these cases, as they often reveal malicious payloads, attacker IP addresses, targeted endpoints, and timestamps.

For defenders and threat hunters, this scenario reinforces the importance of monitoring web logs for anomalous query strings, enforcing secure coding practices, conducting regular vulnerability scans, and promptly patching third-party plugins. Public-facing applications remain one of themost exploited initial access vectors, making this technique a critical focus area in modern threat hunting programs.

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct next action is tosubmit the file for sandboxing. In professional security operations and threat hunting workflows, sandboxing is the most appropriate step when a file originates from an untrusted source and hash-based reputation checks return anunknownresult. An unknown hash means the file has not yet been classified as benign or malicious by threat intelligence databases, which is common with newly created malware or targeted attacks.

Sandboxing allows the security team to performdynamic analysisby executing the file in an isolated, controlled environment. This process observes runtime behaviors such as process creation, registry modification, network communications, command-and-control callbacks, file system changes, and exploit attempts. These behaviors provide high-fidelity indicators that static analysis or hash lookups cannot reveal.

Option B, reviewing the directory path, is useful for contextual awareness but does not determine whether the file is malicious. Option C, running a full malware scan, is premature; modern malware often evades signature-based scans, especially when the file is previously unknown. Option D, investigating the reputation of the website, is a supporting activity but does not assess the actual behavior or payload of the downloaded file.

From a threat hunting and incident response standpoint, sandboxing bridges the gap betweendetection and confirmation. If the sandbox analysis confirms malicious behavior, the team can escalate to containment actions such as isolating the endpoint, blocking hashes and domains, and performing scope analysis to identify other affected systems. Additionally, sandbox results can be used to create new SIEM detections and EDR behavioral rules, strengthening future defenses.

This approach aligns with professional best practices:unknown file + untrusted source = dynamic analysis first. It ensures accurate classification while minimizing unnecessary disruption to the user or environment.

The correct answers areB. Processes in nonstandard file pathsandC. Common processes with modified names. These two detection rules are highly effective for identifyingmalicious processes spawned by phishing-delivered malware.

Phishing payloads commonly drop executables intononstandard directoriessuch as AppData, Temp, Downloads, or user profile subfolders. Legitimate Windows binaries rarely execute from these locations. Monitoring for process execution from such paths is a proven technique for detecting malware loaders, credential stealers, and post-exploitation tooling.

Additionally, attackers frequentlymasquerade malware as legitimate processesby using slightly modified names, such as lsasss.exe, svch0st.exe, or expl0rer.exe. These tactics are designed to evade casual inspection and basic allowlisting. Detecting common Windows process names with anomalies—such as incorrect spelling, unexpected parent processes, or abnormal execution paths—is a high-fidelity behavioral signal.

Option A is too broad; nearly all processes are created by users directly or indirectly, making it noisy. Option D (process ownership changes) and Option E (startup time changes) are less relevant to detecting credential-harvesting processes at execution time and may miss the initial malicious activity.

From a threat hunting and detection engineering perspective, optionsB and Calign withMITRE ATT&CK – Defense Evasion and Credential Accesstechniques. These rules focus onbehavioral detection, not static indicators, making them resilient against attacker variation.

In short, detectingwhere a process runs fromandwhat it pretends to beprovides strong coverage against phishing-delivered malware, makingB and Cthe correct and professionally validated choices.

The correct answer isendpoint memory access telemetry. Credential dumping often involves accessing sensitive memory regions, such as LSASS, rather than deploying obvious malware.

Modern attackers frequently use:

Legitimate tools

In-memory techniques

Living-off-the-land binaries

These methods bypass file-based detection entirely. Email, DNS, and firewall logs provide limited visibility into memory-level abuse.

Endpoint memory telemetry enables detection of:

Unauthorized LSASS access

Suspicious handle requests

Abnormal process injection

This telemetry is foundational for detectingcredential access techniquesin modern environments. Therefore, optionBis correct.

The correct answers areA. Service and version of the web serverandC. Technology used by the application. The error message shown in the exhibit is a classic example ofverbose error handling, which unintentionally discloses sensitive internal details about the web application stack.

First, the error page explicitly referencesApache Tomcat/6.0.16at the bottom. This directly exposes theweb server/service and its exact version, makingOption Acorrect. From an attacker’s perspective, this is valuable intelligence because it allows them to search forknown vulnerabilities, exploits, or misconfigurationsspecific to that version of Tomcat. Older versions of Tomcat, in particular, have a long history of publicly documented security flaws.

Second, the stack trace references components such as:

org.apache.jasper.compiler.*

.jsp files (e.g., /user/left.jsp)

javax.servlet.http.HttpServlet

These details clearly reveal thetechnology stack used by the application, namelyJava Server Pages (JSP)running onApache Tomcat with Apache Jasper. This confirmsOption Cas correct. Exposing application technology helps attackers tailor attacks such as deserialization exploits, JSP injection attempts, or framework-specific vulnerabilities.

Option B is incorrect because the error message doesnotstate or imply that Apache Jasper is vulnerable to path injection; it merely shows a compilation/runtime error. Option D is incorrect because the error page provides no information about theclient-side browser version—all disclosed details relate to server-side processing.

From a professional security and threat hunting perspective, verbose error messages significantlyincrease attack surface visibility. Best practices dictate that production systems should returngeneric error messagesto users while logging detailed stack traces internally. This scenario reinforces why proper error handling and information disclosure controls are critical defensive measures.

In summary, the penetration test error message exposes:

Theweb server service and version

Theapplication technology stack

Therefore, the correct answers areA and C.

The correct answer isSimple. The exhibit shows an EDR query filtering onspecific IPv4 addresses, which are classicIndicators of Compromise (IOCs). Within thePyramid of Painmodel, IP addresses sit at thelowest level, representing the least painful indicators for adversaries to change.

The Pyramid of Pain categorizes detection indicators by how costly they are for attackers to replace:

Simple→ Hashes, IP addresses, domain names

Easy→ Network artifacts (URI patterns, user-agent strings)

Challenging→ Host artifacts (registry keys, file paths, mutexes)

Tough→ Tactics, Techniques, and Procedures (TTPs)

In this scenario, the threat-hunting team is querying EDR telemetry for outbound connections toknown C2 IP addresses. While this is a valid and common detection technique—especially for rapid containment—it provides minimal long-term defensive value. Attackers can easily rotate C2 infrastructure by changing IPs, using cloud hosting, fast-flux DNS, or proxy networks.

Option C (Easy) would apply if the team were hunting fornetwork artifacts, such as suspicious URI paths or protocol misuse. Option B (Challenging) would involvehost-based artifacts, like malware persistence keys or file system changes. Option A (Tough) represents the highest maturity—detectingadversary behavior and techniques, such as beaconing patterns, lateral movement workflows, or credential abuse—none of which are present here.

From a professional threat-hunting standpoint, IP-based detections are best used asshort-term controlsfor blocking known threats or scoping an incident. Mature organizations use them as a starting point, then pivot toward higher-fidelity detections that sit higher on the Pyramid of Pain and impose greater operational cost on attackers.

In summary, querying known C2IP addressescorresponds to theSimplelevel of the Pyramid of Pain, makingOption Dthe correct answer.

The correct answer isC. Use a Base64-encoded VBScript that is decoded and executed on the endpoint. The exhibit clearly shows aVBScript-based attack chainthat relies onBase64 encodingto obfuscate malicious content and evade basic detection mechanisms.

In the code snippet, the function call afghhha("aHR0cHM6Ly9z...") contains a string that is visiblyBase64-encoded. When decoded, Base64 strings commonly reveal URLs, commands, or additional script logic. The script then uses WinHttpReq.Open and WinHttpReq.Send to retrieve remote content over HTTP, extracts a specific portion of the response using string manipulation (InStr, Mid), and executes it dynamically using the execute() function. This is a strong indicator ofliving-off-the-land scripting abuse, where native Windows scripting engines are leveraged for malicious purposes.

From a MITRE ATT&CK perspective, this behavior aligns withCommand and Scripting Interpreter (T1059), specificallyVBScript (T1059.005), and includes elements ofObfuscated/Encoded Files or Information (T1027). Encoding payloads in Base64 helps attackers bypass signature-based detection tools and makes static analysis more difficult.

Option A is incorrect because the script does not perform checks to determine prior compromise; instead, it actively retrieves and executes payloads. Option B is incorrect because no batch file creation is shown. Option D is also incorrect, as there is no evidence of persistence mechanisms such as Startup folder modification or shortcut creation. The wscript.Sleep function indicates periodic execution or beaconing, but persistence itself is not established in the shown code.

For threat hunters and SOC analysts, this technique highlights the importance of monitoringscript interpreter usage,encoded command execution,suspicious WinHTTP requests, anddynamic code execution via execute(). Detecting encoded scripts and abnormal scripting behavior is critical, as these techniques are widely used in phishing payloads, malware loaders, and initial access tooling.

In professional environments, defenders should combine EDR behavioral detections, script block logging, AMSI integration, and network telemetry to effectively identify and disrupt this attack technique.

The correct answer iscorrelating attacker behavior across multiple MITRE ATT&CK techniques. This approach focuses onbehavioral detection, which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to asliving-off-the-land techniques—intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may beno malicious files at all. Options A and D sit at the lowest levels of thePyramid of Pain, making them easy for adversaries to evade.

By correlating behavior across multiple ATT&CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detecthowthe attacker operates rather thanwhat toolsthey use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into ahigh-confidence attack patternis how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of theThreat Hunting Maturity Modeland the top of thePyramid of Pain, making optionBthe correct answer.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected after initial compromise.

As threat hunting maturity increases:

Behavioral coverage improves

Detection occurs earlier in the attack lifecycle

Attackers are identified before achieving objectives

Options A and C measure activity, not effectiveness. Option D measures inputs, not outcomes.

Cisco’sCBRTHD blueprintemphasizes outcome-driven metrics. Reduced dwell time directly correlates with lower business impact, reduced data loss, and improved resilience.

Therefore,Option Bis the most meaningful and Cisco-aligned metric.

The correct answer isdocument findings and create permanent detections. While containment actions are necessary, they areincident response tasks, not threat hunting outcomes.

Cisco’s threat hunting lifecycle emphasizes that once malicious behavior is confirmed, teams must:

Document attacker techniques

Identify detection gaps

Convert findings into automated detections

Options A and B are tactical responses that address the current incident but do not prevent recurrence. Option D delays improvement and increases risk.

Operationalizing hunt findings ensures:

Repeated attacker behavior is detected automatically

Future dwell time is reduced

SOC maturity increases

This step directly aligns with theCBRTHD blueprint’s focus on continuous improvement and feedback loopsbetween hunting and monitoring.

Therefore,Option Cis the correct answer.

The correct answer isObservation of repeated failed logins followed by a successful login from a new location. This scenario represents anIndicator of Attack (IOA)because it reflectsattacker behavior in progress, not confirmed compromise.

IOAs focus onpatterns of malicious intent, such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggestspassword spraying or credential stuffing, both common initial access techniques.

Options A, B, and D are classicIndicators of Compromise (IOCs). Hashes, domains, and IP addresses are static artifacts that indicate a systemhas already been compromised. These indicators sit low on thePyramid of Painand are easy for attackers to change.

Cisco’sCBRTHD blueprintemphasizes hunting forIOAsbecause they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such asSecure Network Analytics,Secure Endpoint, and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore,Option Cis the correct and Cisco-aligned answer.