DoD Cyber Operator (CVA/H)

what command can be used to "replay" the third entry in your shell history?

!3

which of the following is the correct way to write "REGEX" queries in Kibana? a. /REGEX QUERY HERE/ b. dns.answers: "REGEX QUERY HERE" c. _regex_: "REGEX QUERY HERE" d. dns.answers: \REGEX QUERY HERE\

/REGEX QUERY HERE/

what directory is used to store system and application configuration files?

/etc

what is the default top level directory that Zeek utilizes for scripts on CENTOS?

/usr/share/zeek

what is the default time interval for Zeek log file rotation (how often a new file is started)?

1 hour

which numeric permissions value allows only the user (owner) to execute a file? a. 644 b. 700 c. 755

700

what is the default port used to comunicate with Elasticsearch via its RESTFUL API?

9200

how do you exclude traffic when utilizing Zeek?

BPF filters

what does BPF stand for?

Berkeley Packet Filter

what Global Schema does Elastic use?

ECS

which tools allows you to visualize data inside Elasticsearch?

Kibana

which tool from the Elastic Stack allows you to modify and enrich data?

Logstash

which of the following Kibana queries shows logs that are missing the dns.answers field? a. dns.answers: NULL b. _MISSING_FIELD_: dns.answers c. NOT _exists_: dns.answers d. dns.answers: ()

NOT _exists_: dns.answers

what Global Schema does The Hunting ELK (HELK) use?

OSSEM

which of the following is NOT true about PCAP? a. allows the analyst to reconstruct what actually happened b. PCAP scales well... the more the better! c. contains all the raw data

PCAP scales well

even when Zeek observes a connection that it doesn't know how to categorize, it is still recorded in which log?

conn log

every log will correlate to a unique ID (UUID). which log is this ID generated in?

conn log

which of the following commands utilizes a relative file path in the last argument? a. cp /home/admin/file1 /home/Desktop/working b. cp /home/admin/file1 ./Desktop/working

cp /home/admin/file1 ./Desktop/working

which Elasticsearch node role allows for storage of indices?

data

what are the three phases of the Intelligence Feedback Loop?

data intelligence information

what happens when Zeek sees a file and the "file extraction" script is enabled?

extract files

what happens when Zeek sees a file and the "file extraction" script is enabled?

extracts the file

True or False: In Kibana when using parentheses with multiple terms inside of them implies the "AND" operator (Example: @meta.resp_port: (443 80)

false

true or false: Endgame would be considered an "agentless" endpoint solution

false

true or false: Zeek uses file extensions to determine the file type

false

true or false: Zeek's File Framework IS NOT capable of tracking files even if they are over multiple connections like torrent?

false

true or false: meta-settings in a rule affect Suricata's inspection.

false

true or false: replaying PCAP through Zeek rewrites the timestamps.

false

true or false: zeek logs are larger and more verbose than a PCAP file.

false

true or false: given that x003A is equivalent to a colon (:), the string EVIL:stuff will match for content: "evil|3A|stuff";

false, capitalization

Given the following rule: content: "GET"; http_uri; Will this match the following payload? GET /index.html HTTP/1.0/r/n

false, http.method not http.uri

which of the following statements about the unix environment are false? a. naming is case sensitive b. file extensions are required c. everything is a file d. hierarchical tree structure

file extensions are required

which Elastic Beat would you use to collect Linux system logs?

filebeat

stenographer is written in what language?

go

which Kibana application doesn't consider time?

graph

which of these is NOT a type of zeek log? -network -file -detection -host -diagnostic -miscellaneous

host

what purpose does an "intrusion detection system" like Suricata serve? a. identify things that are normally missed by analyst b. identify unknown anamolies c. identify known bad d. utilizes signatures to identify known good

identify known bad

what function does the "-C" flag serve in the following command? "zeek -Cr path/to/pcap"

ignore checksum

give an example of the threat model.

killchain att&ck diamond pyramid of pain

what visualization in Kibana is best utilized for displaying data over time?

line/bar chart

which of the following best describes what happens when using the "?" wildcard in a Kibana query? a. looks for zero or one of the previous character b. looks for any single character to replace the question mark in the supplied query c. looks for any number of characters to replace the question mark as long as it's the same character d. none - the question mark can only be used in REGEX queries

looks for any single character to replace the question mark in the supplied query

what are the four node types available when creating an Elasticsearch cluster?

master data ingest machine learning

when building a visualization in Kibana, if you wanted to use the "SUM" option, this would be located under what option?

metric

zeek is a powerful NSM tool. which of the following best describes what Bro is? a. message Queue b. tapping Interface c. Network Protocol Analyzer

network protocol analyzer

what protocol options are available for inspection when referring to Suricata?

not SQL

what command will live-follow any updates of a (log) file?

tail -f

what are the four pieces required to build a Watcher alert in Kibana?

trigger input action condition

true or false: BPF is more efficient than text filtering tools, like grep.

true

true or false: Kibana Dashboards are capable of updating dynamically and in real time

true

true or false: Stenographers indexed packets on disk are not in tcpdump format because they have an additional 4 byte header.

true

true or false: When using the "PROXIMITY" search in Kibana the order you specify your terms matters

true

true or false: Zeek is an event driven language.

true

true or false: Zeek's Intel Framework works differently than Suricata's alerts by allowing us to search for an indicator across multiple locations instead of a specific location/pattern.

true

true or false: given the following Suricata rule: content: "/index"; http_uri; content: "html"; http_uri; within:5; This will match the following payload: GET /index.html HTTP/1.0\r\n

true

true or false: one of the differences between Suricata and snort is that Suricata is multithreaded

true

true or false: snort rules can be used in Suricata.

true

true or false: the MITRE ATT&CK framework shows the data source you'd need to collect to identify specific techniques.

true

true or false: when querying Stenograper for packets, you can use tcpdump filters.

true

what is the name of the PowerShell function that allows parallel (or multi-threaded) operations?

workflow

analyzing PCAP is a memory intensive task. what is the general memory usage multiplier?

x4

which filetype is most commonly used, in exports/imports, to retain PowerShell object properties?

xml

what format does Elasticsearch store its configuration files? (ex. /etc/elasticsearch/elasticsearch.___)

yaml

what command line utility is available to display Zeek logs in a more readable way?

zeek-cut

which of the following is a valid bash navigation shortcut? a. \ b. ~ c. // d. ...

~

what built-in solution allows you to forward Windows logs?

WEF

what is the foundation of the Elastic stack?

Elasticsearch

which "Beat" is used to interact with Microsoft OS log files?

WinLogBeat

in the signature header, how can you describe 10.0.0.0/24 and exclude 10.0.0.11 and 10.0.0.12?

[10.0.0.0/24], !{.11,.12}

when utilizing Zeek, if you used a load statement to load a directory, what is required for Zeek to accomplish this?

__load__zeek

what three parts make up a Suricata signature?

action header role options

what are the four corners of the Diamond model?

adversary infrastructure victim capabilities

what are the two approaches to threat detection?

alerting hunting

which of the following places can you utilize search? Kibana Discover Tab When building a new visualization Graph Kibana Dashboards Watcher (Alerting)

all of the above

which shell is most commonly used?

bash

which of the following is an additional query option that is available in Stenographer but not available in tcpdump? a. before 2012-11-03T11:05:00Z b. host 1.1.1.1 c. tcp[tcpflags] & (tcp-syn|tcp-fin) d. 2.2.2.2/24

before 2012-11-03T11:05:00Z

an Elasticsearch shard is the same as what?

one instance of a Lucene index

what type of host-based detection technique would PowerShell be classified under? -Point-in-time -Historical -Real-time

point-in-time

choose all that apply: Zeek can do which of the following for encrypted connections: a. record certificates b. record ciphers used c. full decryption if keys are available d. record encryption software used e. nothing - Zeek is blind to encrypted traffic

records certificates, record ciphers used, record encryption software used

what is Docket?

rest API for Stenographer

what command would return all properties from a PowerShell object?

select*

what allows for interaction with a unix-based computer?

shell

which tool allows you to query Stenographer's indexed packets?

stenoread

what command uses systemd to stop the sshd service (logged in as user)?

sudo kill -9 (process id)

Zeek's Intel Framework utilizes ".dat" files for indicators. these files are extremely picky about whitespace. What whitespace delimiter is required in these files?

tab