Free Cisco 300-220 Practice Exam with Questions & Answers | Set: 2

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct answer isB. Using "SecurityScan/2.5" to access all /admin endpoints. This log entry most clearly aligns with anauthorized security assessmentactivity designed to test weaknesses previously exploited during a breach.

Authorized security assessments—such as penetration tests or red team exercises—are typicallycontrolled, scoped, and intentional. They focus on validating security controls by probing sensitive areas (like administrative interfaces) while avoiding destructive actions. The user-agent string"SecurityScan/2.5"strongly suggests a purpose-built security scanning tool, which is commonly used by internal security teams or third-party assessors during sanctioned testing.

Option A is incorrect because performing login attempts at scale usingleaked credentialswould constitute real-world malicious behavior unless explicitly approved and tightly controlled. Even in authorized tests, credential stuffing with known leaked credentials is highly sensitive and would be explicitly documented; the wording here implies adversary behavior rather than assessment activity.

Option C is clearly malicious and inappropriate for an authorized assessment. Executing ashutdown commandis a destructive action and would violate standard rules of engagement for professional security testing. Such activity would be classified as adversarial exploitation, not a controlled delivery method.

Option D represents benign reconnaissance. A genericweb crawler gathering public-facing informationis typically associated with search engines or basic reconnaissance and does not directly test weaknesses related to a prior breach. While reconnaissance is part of assessments, it is not a strong indicator of a targeted, authorized delivery method.

From a threat hunting and SOC perspective, recognizing authorized assessment activity is critical to avoid misclassifying tests as incidents. Indicators include identifiable scanner user agents, predictable request patterns, limited scope targeting (such as /admin paths), and non-destructive behavior. This scenario reinforces an important operational lesson:context, intent, and tooling matter. Among the options,SecurityScan/2.5 targeting administrative endpointsbest reflects a legitimate, authorized security assessment delivery method.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer isFiles are encrypted. The exhibit shows a collection of API calls and strings that strongly indicatecryptographic operations associated with file encryption, a common behavior in ransomware and data-encrypting malware.

Key indicators in the script include multiple Windows Cryptographic API function calls such as:

CryptAcquireContextW

CryptCreateHash

CryptHashData

CryptDeriveKey

CryptEncrypt

CryptDecrypt

CryptDestroyKey

CryptReleaseContext

These APIs are part of theWindows CryptoAPI, which is explicitly used to generate cryptographic keys, hash data, and encrypt or decrypt content. The presence of ADVAPI32.dll further confirms cryptographic functionality, as this library provides access to Windows security and encryption services.

Additionally, registry-related APIs such as RegSetValueExA, RegOpenKeyExA, and references to:

Software\Microsoft\Windows\CurrentVersion\Run

indicate that the script may also establishpersistence, ensuring the encryption routine executes again after reboot. However, persistence is secondary; the primary functional behavior shown is encryption.

Option A is incorrect because there are no APIs related to disabling networking (such as InternetSetOption or firewall manipulation). Option B is incorrect because retrieving host version information would involve system query APIs like GetVersionEx, which are not present. Option C is incorrect because although the word sleep appears, it is commonly used by malware to delay execution or evade sandboxes—not to place the system into sleep mode.

From a threat hunting and malware analysis perspective, the combination ofCryptoAPI usage, registry modification, and internet-related APIs (InternetReadFile, InternetQueryDataAvailable) is a classic ransomware pattern: retrieve data or keys, encrypt local files, and possibly communicate with command-and-control infrastructure.

Professional defenders recognize these API patterns ashigh-confidence malicious indicators, often mapped toMITRE ATT&CK – Impact: Data Encrypted for Impact (T1486). Detecting such behavior early is critical to prevent widespread data loss and operational disruption.

In summary, the script’s API usage clearly indicates thatits execution results in file encryption, makingOption Dthe correct answer.

The correct answer isstandardizing hunt documentation and hypotheses. Mature threat hunting programs move beyond ad-hoc, intuition-driven efforts.

Standardization enables:

Knowledge sharing

Consistent methodology

Repeatable hunts

Easier onboarding of new analysts

Option A and B support operations but do not improve hunting maturity. Option D is unrealistic and risky.

By documenting hypotheses, data sources, queries, findings, and outcomes, organizations institutionalize knowledge and continuously improve detection capabilities.

This is a defining characteristic ofhigh-maturity threat hunting programs.

Therefore, optionCis correct.

The correct answer issmall, periodic outbound connections to a rare destination. Beaconing is a hallmark of command-and-control (C2) communication, particularly in stealthy malware campaigns.

Attackers design C2 channels to:

Minimize bandwidth usage

Blend into normal traffic

Avoid triggering threshold-based alerts

As a result, beaconing traffic often consists oflow-volume, regular intervalsconnecting to the same external destination. Cisco Secure Network Analytics is purpose-built to detect this type ofbehavioral anomalyusing NetFlow and telemetry analysis.

Option A suggests data exfiltration rather than beaconing. Option B is too broad and unspecific. Option D relates to denial-of-service or scanning activity, not C2.

This hunting technique aligns withMITRE ATT&CK – Command and Controland is explicitly covered in theCBRTHD blueprintunder network-based threat hunting. Detecting beaconing behavior forces attackers to significantly alter their communication strategy, increasing their operational cost.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer ismapping trust relationships between identity systems. Hybrid identity environments introduce complex trust boundaries that attackers routinely exploit.

Modern breaches increasingly involveidentity pivoting, where attackers compromise a cloud identity and abuse synchronization, federation, or conditional access misconfigurations to escalate into on-prem Active Directory. These attack paths often do not rely on software vulnerabilities at all.

Option A is too narrow and focuses only on technical exploits. Option C measures severity but does not model movement. Option D analyzes traffic but does not explain privilege escalation pathways.

By mapping trust relationships—such as Azure AD Connect synchronization, service principals, hybrid admin roles, and conditional access exclusions—defenders can identifychained attack pathsthat enable privilege escalation without exploiting code.

From a threat hunting standpoint, this modeling enables:

Hypothesis-driven hunts

Detection of abnormal role assumptions

Visibility into identity abuse

This approach aligns withattack path modeling, a critical evolution of traditional threat modeling for identity-centric environments. Therefore, optionBis correct.

The correct answer isit indicates disciplined and methodical tradecraft. Attribution relies on understandingattacker behavior patterns, not just tools or infrastructure.

Consistent operational discipline—such as cautious discovery, avoidance of noisy actions, and deliberate escalation—reflectshuman decision-making, which is difficult to change and often persists across campaigns.

Options A, B, and D focus on artifacts or infrastructure, which attackers frequently rotate. Behavioral patterns, however, form atradecraft fingerprint.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingand behavioral consistency to support attribution, making this observation highly valuable.

Thus,Option Cis correct.