Cisco 300-220 - Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD

The correct answer isC. Modifying this key requires administrative privileges, which the malware might not have.

The exhibit shows persistence established under the registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This registry key is aper-user startup location, meaning any executable listed there will automatically run whenthat specific userlogs in. Crucially,write access to HKEY_CURRENT_USER (HKCU) does not require administrative privileges—only the privileges of the compromised user account.

In contrast,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

appliessystem-wideand causes programs to execute at startup forall users. However, modifying this key requireslocal administrator privileges. In many real-world breaches, attackers initially compromisestandard user accounts, not administrators. As a result, malware often chooses HKCU-based persistence mechanisms because they arereliable, stealthy, and achievable without privilege escalation.

Options A and D are incorrect because both registry paths are fully supported in modern versions of Windows and are explicitly designed for startup execution. Option B is incorrect because neither key automatically removes entries after a reboot—both are persistent by design.

From a threat hunting and endpoint detection perspective, this distinction is critical. HKCU persistence indicates:

User-level compromise

No confirmed administrative access (yet)

Potential precursor to privilege escalation attempts

This technique maps toMITRE ATT&CK – Persistence: Boot or Logon Autostart Execution (T1547.001). Mature SOC teams monitorboth HKCU and HKLM Run keys, but they interpret them differently when reconstructing attacker capability and progression.

In summary, the attacker usedHKCUbecause it enables persistencewithout requiring administrative privileges, makingOption Cthe correct and professionally accurate answer.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected in the environment.

As threat hunting maturity increases:

Detection becomes faster

Behavioral coverage improves

Attackers are identified earlier in the kill chain

Metrics such as alert volume or blocked IPs (Options A and D) do not reflect effectiveness and may even indicate excessive noise. Option B measures inputs, not outcomes.

Cisco’sCBRTHD blueprintfocuses onoutcomes, not activity. Reduced dwell time demonstrates:

Effective hunting

Better visibility

Stronger detection engineering

This metric directly correlates with reduced breach impact and improved resilience.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answers areUse of Windows Remote Management (C)andUse of tools and commands to connect to remote shares (E). Both are core mechanisms attackers leverage forlateral movementafter gaining valid credentials through techniques such as pass-the-hash or pass-the-ticket.

Windows Remote Management (WinRM) is a legitimate administrative service used for remote command execution and system management. However, attackers frequently abuse WinRM to move laterally by executing commands on remote endpoints using stolen credentials. From a threat hunting perspective, abnormal WinRM usage—such as execution outside normal administrative hours, from unusual source hosts, or by non-administrative user accounts—is a strong indicator of lateral movement activity.

Similarly, the use of tools and commands to connect to remote shares (such as net use, wmic, SMB-based access, or mounting administrative shares like C$) is a classic lateral movement technique. Attackers use remote shares to transfer tools, stage payloads, and execute malware across systems. Monitoring these activities at the endpoint level helps identify suspicious authentication attempts, unexpected share access, and abnormal file transfers.

Option A (runas) relates more to privilege escalation than lateral movement. Option B is specific to Linux privilege persistence and is not relevant to endpoint lateral movement hunting in this context. Option D (scheduled task creation) is primarily associated with persistence rather than movement between systems.

By monitoring WinRM activity and remote share usage, security teams gain visibility intocredential-based movement, which remains one of the most common and dangerous attacker behaviors in enterprise environments. Effective lateral movement hunting focuses onhow credentials are used, not just how they are stolen.

The correct answer isMonitoring failed AWS console login attempts. The Bash script shown in the exhibit is clearly designed toparse AWS CloudTrail logsand extract specific authentication-related events.

Breaking down the script behavior from a professional cloud security perspective:

gunzip -c *.json.gz indicates the script is processingcompressed CloudTrail log files, which are typically stored in .json.gz format.

jq -c '.Records[]' parses individual CloudTrail records, a common approach when analyzing AWS activity logs.

The filter conditions explicitly check for:

eventSource == "signin.amazonaws.com"

eventName == "ConsoleLogin"

responseElements.ConsoleLogin == "Failure"

These fields are definitive indicators offailed AWS Management Console login attempts. Additionally, the script extracts contextual fields such as:

Event time

Source IP address

Error message

AWS region

Username

MFA usage status

This data is exactly what security teams use to detectcredential abuse, password spraying, brute-force attempts, and compromised IAM accounts. Monitoring failed console logins is a foundational cloud threat hunting activity, especially for identifying early stages of account takeover.

Option B is incorrect because the script does not establish AWS CLI sessions or authenticate to accounts. Option C is incorrect because instance errors would involve services like ec2.amazonaws.com and different event names. Option D is incorrect because the script is analyzing—not archiving—records, and it applies filtering logic rather than storage or lifecycle management.

From a threat hunting and cloud security standpoint, this script supportsidentity-focused detection, which is critical in AWS environments where IAM misuse is one of the most common initial access vectors. It aligns withMITRE ATT&CK – Credential Access and Initial Access, particularly techniques involving valid account abuse.

In summary, the script’s clear purpose is tomonitor failed AWS console login attempts, makingOption Athe correct and professionally validated answer.

The correct answer isit highlights consistent attacker tradecraft. Attribution depends on recognizingbehavioral patternsthat persist across campaigns.

Attackers frequently change malware, infrastructure, and exploits, but they are far less likely to changehow they prefer to operate. Consistent use of SMB for lateral movement and deliberate avoidance of PowerShell reflect conscious operational choices.

Option A is unrelated to lateral movement behavior. Option B assumes malware development, which may not exist. Option D addresses impact, not attribution.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingto correlate observed behaviors with known threat actor profiles. These behavioral fingerprints provide far stronger attribution confidence than low-level indicators.

Therefore,Option Cis the correct answer.

The correct answer isC. Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.

Cisco Secure Network Analytics (Stealthwatch) detectsCommand-and-Control (C2)activity by analyzingnetwork behavior, not by relying solely on known malicious indicators. In the exhibit, the critical investigative clue is theHTTP payload containing a suspicious external URL, which strongly suggests outbound communication from an internal host to an external command-and-control infrastructure.

The internal IP address10.201.3.99belongs to a workstation group (“Desktops”), indicating it is an internal endpoint, not a C2 server. This immediately rules out option B. Instead, the endpoint is acting as acompromised host (zombie)attempting to reach a remote server controlled by an attacker. This outbound beaconing behavior is a classic hallmark of C2 communication.

Option A is incorrect because packet count alone does not confirm C2 activity. C2 traffic is oftenlow-and-slow, intentionally designed to blend in with normal traffic patterns. Option D is also incorrect because the payload does not describe the zombie endpoint; rather, it shows aremote URL, which is likely part of malware staging or command retrieval.

From a threat hunting and SOC perspective, the most valuable information isdirectionality and intent:

Internal host → external suspicious domain

HTTP-based communication over an unusual port

Low data volume consistent with beaconing or payload retrieval

This aligns withMITRE ATT&CK – Command and Control (TA0011)techniques such asApplication Layer Protocols (T1071). Identifying which internal host is reaching out—and why—is essential for containment, endpoint isolation, and scope expansion.

Professionally, this insight enables the analyst to:

Quarantine host 10.201.3.99

Pivot to EDR telemetry on that endpoint

Block the external domain or IP

Hunt for similar beaconing patterns across the environment

In summary, the investigation is aided most by understanding thatan internal host is actively communicating with a C2 server, makingOption Cthe correct and operationally meaningful answer.

The correct answer isbehavioral analysis of outbound traffic patterns. Advanced attackers intentionally usestandard protocols such as HTTP and HTTPSto blend exfiltration traffic with normal activity.

Hash-based and signature-based methods are ineffective because:

No malware may be present

Traffic appears legitimate

Infrastructure is frequently rotated

Behavioral analysis detects anomalies such as:

Unusual data transfer volumes

Abnormal session timing

Beaconing patterns

Rare destinations

This approach aligns withnetwork threat hunting best practicesand forces attackers to significantly alter behavior, increasing adversary cost.

Therefore, optionBis correct.

The correct answer islegitimate system processes executing encoded commands. Fileless malware avoids writing binaries to disk and instead abuses trusted processes such as PowerShell, WMI, or rundll32.

Encoded or obfuscated commands executed by legitimate binaries are a strong indicator offileless execution and defense evasion. Cisco Secure Endpoint provides deep visibility into command-line arguments and process behavior, enabling detection of this technique.

Option A is normal behavior. Option B may indicate suspicious execution but still involves files. Option D relies on file presence, which fileless attacks intentionally avoid.

This technique aligns withMITRE ATT&CK – Command and Scripting Interpreter and Defense Evasionand is directly relevant toCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Therefore,Option Cis the correct answer.

The correct answer isconsistent attacker tradecraft mapped to MITRE ATT&CK. Attribution at a professional level relies onbehavioral consistency, not superficial artifacts.

Advanced threat actors routinely rotate infrastructure, recompile malware, and vary filenames specifically to defeat attribution efforts. As a result, indicators such as IP addresses, hashes, and timestamps are unreliable and sit low on thePyramid of Pain.

What attackers cannot easily change ishow they operate. This includes:

Initial access techniques

Credential harvesting methods

Lateral movement patterns

Persistence mechanisms

Command-and-control behaviors

When these behaviors remain consistent across incidents, they form abehavioral fingerprint. Mapping these observations toMITRE ATT&CK techniquesallows analysts to compare activity against known threat group profiles maintained by intelligence providers and national CERTs.

Option A and B are weak indicators easily altered by attackers. Option D provides almost no attribution value, as timing alone is coincidental and unreliable.

Professional attribution requires correlating TTPs across campaigns and validating them against historical threat actor intelligence. This method supports high-confidence attribution used in legal, executive, and geopolitical contexts.

Therefore,Option Cis the correct and defensible answer.