According to the CyberOps Technologies (CBRFIR) 300-215 study guide curriculum, when analyzing suspicious behavior—especially when scripts or shell commands are executed from applications like Word (which is uncommon)—the encoded PowerShell payload must be decoded to determine if malicious intent is present. Deobfuscation is a critical step in identifying command-and-control behavior, persistence, or malware execution paths.

—

The metadata in the exhibit reveals a strong indicator that this .LNK file (shortcut) is malicious:

The shortcut file is named " ds7002.pdf " but actually points to the execution of PowerShell: → Full path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Arguments include: → -noni -ep bypass $z = ' ... ' ; indicating an attempt to run a PowerShell script with execution policy bypassed (a known tactic for fileless malware delivery).

The file is masked as a PDF (common social engineering technique), and PowerShell execution via .LNK is a signature technique used by many malware families to initiate second-stage payloads or scripts.

Given this, the correct and safest course of action is to:

→ Open the .LNK file in a sandbox environment (D).

This enables safe behavioral analysis to observe what actions it attempts upon execution without endangering live systems.

Other options are inappropriate:

A (ignoring the threat due to extension) is dangerous — .LNKs can trigger code.

B (upload to virus engine) is only helpful for known malware and lacks behavioral context.

C (quarantine) is preventive but not investigative — sandboxing provides visibility.

Cisco Firepower Management Center (FMC), when configured with Snort rules, classifies attacks with signature categories such as FILE-OFFICE for Microsoft Office-based exploits. One of the critical threats involving Microsoft Office is a known vector involving Microsoft Graphics, which attackers exploit for remote code execution (RCE) . RCE vulnerabilities enable attackers to execute arbitrary commands or code on the target machine—making this classification high-severity.

The alert " FILE-OFFICE Microsoft Graphics remote code execution attempt " is consistent with what Cisco and Snort define for such threats and appears in rulesets addressing vulnerabilities like CVE-2017-0001.

Hex Fiend is a hex editor that allows analysts to examine the raw byte content of files. One key use case is identifying and extracting byte-level patterns or signatures that can be translated into YARA rules for detecting malware. These hex patterns can be used to define precise signature-based detections.

To prepare a post-incident report, the cause of the incident (what enabled it) and the effect (what damage was done) are the primary components analyzed first. This allows teams to understand vulnerabilities exploited and the consequences, forming the basis for corrective action.

The Cisco CyberOps guide recommends beginning with root cause analysis followed by impact assessment to guide future prevention strategies.

The key goal during lateral movement analysis is to determine whether the malware spread or attempted to spread beyond the initially compromised system. This is crucial for containment and scoping of the incident. Logs, sandbox behavior, or network activity may show if Patient 0 initiated outbound connections to other systems, potentially propagating malware across the environment.

Correct answer: D. if Patient 0 tried to connect to another workstation.

The eradication phase in incident response involves eliminating the root cause of the incident and strengthening defenses to prevent reoccurrence. In this case:

Intrusion Prevention System (D) : Adding new rules to the IPS to detect and block malicious activity on TCP/135 is a direct eradication step to remove the threat’s entry point and prevent future attacks.

Centralized User Management (C) : Hardening user accounts, removing unnecessary permissions, and applying tighter authentication/authorization measures helps eliminate the possibility that threat actors could exploit weak or mismanaged accounts to continue accessing the system.

Although anti-malware software (A) and enterprise block listing (E) are valuable, the most direct eradication steps here specifically involve managing network access (via IPS) and strengthening user controls (via centralized user management), especially when TCP/135 (MSRPC endpoint mapper) can be used to enumerate services and potentially access vulnerable endpoints remotely.

This aligns with best practices outlined in incident response frameworks (such as the NIST SP 800-61 and referenced resources), which emphasize closing the exploited entry points (in this case, TCP/135) and removing any lingering access points through user management and network control enhancements.

The exhibit shows multiple ARP reply packets with the same IP addresses ( 192.168.51.105 and 192.168.51.201 ) being mapped to different MAC addresses , which triggers the message: " duplicate use of [IP] detected " . This is a strong indicator of an ARP spoofing (or poisoning) attack.

ARP spoofing occurs when a malicious actor sends falsified ARP messages to associate their MAC address with the IP address of another host. This misleads other devices on the network and allows interception or redirection of traffic.

The Cisco CyberOps Associate guide specifically recommends configuring port security on switches as a method to mitigate ARP spoofing , by limiting the number of MAC addresses allowed per port or statically assigning legitimate MAC addresses to switch ports.

YARA rules are designed to identify files that match specific patterns, strings, or binary characteristics.

The Cisco CyberOps guide states:

“YARA helps researchers and analysts identify and classify malware samples based on textual or binary patterns”.

The command in the image uses schtasks /create with the ONLOGON schedule and System user context to execute test.exe . This is a well-documented persistence technique, where an attacker ensures that a malicious executable is launched automatically at each system logon. This kind of scheduled task creation aligns with persistence techniques in the MITRE ATT & CK framework (T1053).

—