Changed 300-220 Exam Questions

The correct answer isCredential Access. In the MITRE ATT&CK framework,password sprayingis classified under theCredential Access tactic (TA0006), specifically techniqueT1110.003 – Password Spraying. This classification is based on the attacker’s primary objective:gaining valid credentialsby systematically attempting a small number of common or weak passwords across many user accounts.

Password spraying differs from brute-force attacks in that it intentionally avoids rapid or repeated attempts against a single account, thereby evading account lockout controls and basic detection mechanisms. Instead, attackers “spray” one password (for example,Winter2025!orPassword123) across a large number of users, exploiting the likelihood that at least one account will use that password.

Although successful password spraying often leads toinitial access, MITRE classifies it underCredential Accessbecause the technique’s defining action is theacquisition of credentials, not the system entry itself. Initial access is the outcome, while credential theft is the method. This distinction is critical for threat hunters, as it guides where detections and controls should be focused.

From a professional threat hunting perspective, defenders monitor authentication telemetry such as failed and successful logins across identity providers, VPNs, cloud services, and email platforms. Indicators include multiple authentication failures across many accounts from a single source IP, followed by one or more successful logins. Identity-centric logging and anomaly detection are foundational here, reinforcing the principle thatidentity is the primary attack surface in modern environments.

Understanding password spraying as a credential access technique helps organizations prioritize protections such as strong password policies, MFA enforcement, adaptive authentication, and detection logic tuned for low-and-slow authentication abuse.

The correct answer iscorrelating attacker behavior across multiple MITRE ATT&CK techniques. This approach focuses onbehavioral detection, which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to asliving-off-the-land techniques—intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may beno malicious files at all. Options A and D sit at the lowest levels of thePyramid of Pain, making them easy for adversaries to evade.

By correlating behavior across multiple ATT&CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detecthowthe attacker operates rather thanwhat toolsthey use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into ahigh-confidence attack patternis how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of theThreat Hunting Maturity Modeland the top of thePyramid of Pain, making optionBthe correct answer.

The correct answer is SQL injection. The decoded HTTP request shown in the exhibit contains multiple unmistakable indicators of a SQL injection attack, including the use of SQL keywords and functions such as SELECT, CASE, SUBSTRING, ASCII, BIN, and conditional SLEEP() statements. These elements are characteristic of time-based blind SQL injection, a technique attackers use to extract database information when direct query results are not visible.

From a professional cybersecurity perspective, the presence of expressions like:

SELECT (CASE WHEN … THEN SLEEP(x))

SUBSTRING(password,1,1)

ASCII() and binary conversions

indicates that the attacker is probing the backend database character by character and using response timing to infer whether conditions are true or false. This is a well-known exploitation method used when error messages or query output are suppressed by the application.

The use of Base64 encoding does not represent the attack itself but rather an obfuscation technique to evade basic web application firewall (WAF) signatures and logging visibility. Encoding payloads allows attackers to bypass simple pattern-matching defenses, but once decoded, the underlying SQL injection becomes evident.

Option A (Unicode encoding) is incorrect because Unicode is commonly used for evasion, not exploitation. Option C (directory traversal) typically involves sequences like ../ to access filesystem paths, which are not present. Option D (XSS) targets client-side script execution and would include JavaScript payloads rather than database-focused logic.

According to the MITRE ATT&CK framework, this activity maps to Initial Access – Exploit Public-Facing Application (T1190). SQL injection remains one of the most exploited vulnerabilities in public-facing applications due to poor input validation and insecure coding practices.

For threat hunters and defenders, this scenario reinforces the importance of deep payload inspection, decoding obfuscated requests, monitoring for anomalous database query behavior, and enforcing secure development practices such as parameterized queries and input sanitization. SQL injection continues to be a high-impact, real-world attack vector despite being well understood, making it a critical focus area in web application threat hunting.

The correct answer isconverting hunt findings into permanent detections. Threat hunting is only effective when discoveries areoperationalized.

Without converting findings into SIEM, EDR, or NDR detections, organizations repeatedly identify the same attacker behaviors, wasting time and resources. Options A, B, and D improve capacity but do not eliminate blind spots.

Mature threat hunting programs ensure that:

Hunts produce detection rules

Alerts are tuned and validated

Knowledge is institutionalized

This is a defining trait ofhigh-maturity security organizationsand directly improves resilience. Therefore, optionCis correct.