Selected 300-215 CyberOps Professional Questions Answers

From the Wireshark capture:

A (iraniansk.com): This domain is not a known legitimate resource and is hosting a suspicious file named “Fy.exe,” strongly indicative of a malware distribution domain.

D (Fy.exe): The Content-Disposition: attachment; filename="Fy.exe" header explicitly signals a binary executable download, a key indicator in Emotet campaigns.

While Content-Type: application/octet-stream (E) is typical of binary data transfers, it is not unique to malware and cannot by itself serve as a strong IoC. The nginx server (B) and cookie/hash string (C) similarly do not uniquely indicate compromise.

Since the phishing email originates from a known compromised cloud provider (XYZCloud), the correct immediate action for the security analyst is to determine the broader scope of exposure. This involves checking whether other users in the organization received similar emails from the same potentially malicious source. Therefore, querying for emails from the IP address ranges or SMTP domains linked to XYZCloud is essential for identifying other possible attack vectors.

This step aligns with the containment phase of the incident response lifecycle, as outlined in the CyberOps Technologies (CBRFIR) 300-215 study guide, where threat hunting and log analysis are used to determine the extent of compromise and prevent lateral movement or further exposure. Only after the scope is understood should remediation or reporting actions follow.

In cloud environments, investigators typically do not have access to the physical storage devices where the data resides. This restricts traditional forensic processes, such as imaging or direct disk access, which are commonly used in on-premises investigations.