CompTIA CS0-003 Online Practice
Questions and Exam Preparation
CS0-003 Exam Details
Exam Code
:CS0-003
Exam Name
:CompTIA Cybersecurity Analyst (CySA+)
Certification
:CompTIA Certifications
Vendor
:CompTIA
Total Questions
:680 Q&As
Last Updated
:Jul 12, 2026
CompTIA CS0-003 Online Questions &
Answers
Question 1:
SIMULATION
Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation. INSTRUCTIONS Review the information provided and determine the following:
1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?
If at any time you would like to bring back the initial state of the simulation. please click the Reset All button.
Select and Place:
Question 2:
A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:
Which of the following has most likely occurred?
A. An Office document with a malicious macro was opened. B. A credential-stealing website was visited. C. A phishing link in an email was clicked D. A web browser vulnerability was exploited.
A. An Office document with a malicious macro was opened.
Explanation
for the suspicious activity on the company laptop, as it reflects the common technique of using macros to execute PowerShell commands that download and run malware. A macro is a piece of code that can automate tasks or perform actions in an Office document, such as a Word file or an Excel spreadsheet. Macros can be useful and legitimate, but they can also be abused by threat actors to deliver malware or perform malicious actions on the system. A malicious macro can be embedded in an Office document that is sent as an attachment in a phishing email or hosted on a compromised website. When the user opens the document, they may be prompted to enable macros or content, which will trigger the execution of the malicious code.
The malicious macro can then use PowerShell, which is a scripting language and command-line shell that is built into Windows, to perform various tasks, such as downloading and running malware from a remote URL, bypassing security controls, or establishing persistence on the system. The log excerpt shows that PowerShell was used to download a string from a URL using the WebClient.DownloadString method, which is a common way to fetch and execute malicious code from the internet. The log also shows that PowerShell was used to invoke an expression (iex) that contains obfuscated code, which is another common way to evade detection and analysis. The other options are not as likely as an Office document with a malicious macro was opened, as they do not match the evidence in the log excerpt. A credential-stealing website was visited is possible, but it does not explain why PowerShell was used to download and execute code from a URL. A phishing link in an email was clicked is also possible, but it does not explain what happened after the link was clicked or how PowerShell was involved. A web browser vulnerability was exploited is unlikely, as it does not explain why PowerShell was used to download and execute code from a URL.
Question 3:
A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:
Which of the following recommendations should the security analyst provide to harden the web server?
A. Remove the version information on http-server-header. B. Disable tcp_wrappers. C. Delete the /wp-login.php folder. D. Close port 22.
A. Remove the version information on http-server-header.
Explanation
The vulnerability scan shows that the version information is visible in the http-server-header, which can be exploited by attackers to identify vulnerabilities specific to that version. Removing or obfuscating this information can enhance security.
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system.
Which of the following steps of the process does this describe?
A. Eradication B. Recovery C. Containment D. Preparation
A. Eradication
Explanation
Eradication is a step in the incident response process that involves removing any traces or remnants of the incident from the affected systems or networks, such as malware, backdoors, compromised accounts, or malicious files. Eradication also involves restoring the systems or networks to their normal or secure state, as well as verifying that the incident is completely eliminated and cannot recur. In this case, the analyst is remediating items associated with a recent incident by isolating the vulnerability and actively removing it from the system. This describes the eradication step of the incident response process.
Question 5:
A junior security analyst opened ports on the company's firewall, and the company experienced a data breach.
Which of the following most likely caused the data breach?
A. Environmental hacktivist B. Accidental insider threat C. Nation-state D. Organized crime group
B. Accidental insider threat
Question 6:
A security analyst is trying to identify anomalies on the network routing.
Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" } B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" } C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" } D. function x() { info=$(traceroute -m 40 $1 | awk `END{print $1}') && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk `END{print $1}') && echo "$1 | $info" }
Question 7:
A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters.
Which of the following is the best way for the administrator to find more messages that were not reported?
A. Search email logs for a regular expression B. Open a support ticket with the email hosting provider C. Send a memo to all staff asking them to report suspicious emails D. Query firewall logs for any traffic with a suspicious website
A. Search email logs for a regular expression
Question 8:
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program.
Which of the following is the best priority based on common attack frameworks?
A. Reduce the administrator and privileged access accounts B. Employ a network-based IDS C. Conduct thorough incident response D. Enable SSO to enterprise applications
A. Reduce the administrator and privileged access accounts
Explanation
The best priority based on common attack frameworks for a new program to reduce attack surface risks and threats as part of a zero trust approach is to reduce the administrator and privileged access accounts. Administrator and privileged access accounts are accounts that have elevated permissions or capabilities to perform sensitive or critical tasks on systems or networks, such as installing software, changing configurations, accessing data, or granting access. Reducing the administrator and privileged access accounts can help minimize the attack surface, as it can limit the number of potential targets or entry points for attackers, as well as reduce the impact or damage of an attack if an account is compromised.
Question 9:
A security manager reviews the permissions for the approved users of a shared folder and finds accounts that are not on the approved access list. While investigating an incident, a user discovers data discrepancies in the file.
Which of the following best describes this activity?
A. Filesystem anomaly B. Illegal software C. Unauthorized changes D. Data exfiltration
C. Unauthorized changes
Explanation
The discovery of unapproved accounts accessing shared data, along with data discrepancies, strongly indicates unauthorized changes.
Indicators of Unauthorized Changes:
Why Not Other Options?
To prevent unauthorized changes, security teams should use: File Integrity Monitoring (FIM) to detect unauthorized modifications. Access control audits to verify correct user permissions.
SIEM tools to analyze logs for anomalies.
Question 10:
A security analyst reviews the following results of a Nikto scan:
Which of the following should the security administrator investigate next?
A. tiki B. phpList C. shtml.exe D. sshome
C. shtml.exe
Explanation
The security administrator should investigate shtml.exe next, as it is a potential vulnerability that allows remote code execution on the web server. Nikto scan results indicate that the web server is running Apache on Windows, and that the shtml.exe file is accessible in the /scripts/ directory. This file is part of the Server Side Includes (SSI) feature, which allows dynamic content generation on web pages. However, if the SSI feature is not configured properly, it can allow attackers to execute arbitrary commands on the web server by injecting malicious code into the URL or the web page 12. Therefore, the security administrator should check the SSI configuration and permissions, and remove or disable the shtml.exe file if it is not needed.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only CompTIA exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your CS0-003 exam preparations
and CompTIA certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.