Pass the Cisco Certified Specialist - Threat Hunting and Defending 300-220 Questions and answers with ExamsMirror

The correct answer isCredential Access. In the MITRE ATT&CK framework,password sprayingis classified under theCredential Access tactic (TA0006), specifically techniqueT1110.003 – Password Spraying. This classification is based on the attacker’s primary objective:gaining valid credentialsby systematically attempting a small number of common or weak passwords across many user accounts.

Password spraying differs from brute-force attacks in that it intentionally avoids rapid or repeated attempts against a single account, thereby evading account lockout controls and basic detection mechanisms. Instead, attackers “spray” one password (for example,Winter2025!orPassword123) across a large number of users, exploiting the likelihood that at least one account will use that password.

Although successful password spraying often leads toinitial access, MITRE classifies it underCredential Accessbecause the technique’s defining action is theacquisition of credentials, not the system entry itself. Initial access is the outcome, while credential theft is the method. This distinction is critical for threat hunters, as it guides where detections and controls should be focused.

From a professional threat hunting perspective, defenders monitor authentication telemetry such as failed and successful logins across identity providers, VPNs, cloud services, and email platforms. Indicators include multiple authentication failures across many accounts from a single source IP, followed by one or more successful logins. Identity-centric logging and anomaly detection are foundational here, reinforcing the principle thatidentity is the primary attack surface in modern environments.

Understanding password spraying as a credential access technique helps organizations prioritize protections such as strong password policies, MFA enforcement, adaptive authentication, and detection logic tuned for low-and-slow authentication abuse.

The correct answers areB. Processes in nonstandard file pathsandC. Common processes with modified names. These two detection rules are highly effective for identifyingmalicious processes spawned by phishing-delivered malware.

Phishing payloads commonly drop executables intononstandard directoriessuch as AppData, Temp, Downloads, or user profile subfolders. Legitimate Windows binaries rarely execute from these locations. Monitoring for process execution from such paths is a proven technique for detecting malware loaders, credential stealers, and post-exploitation tooling.

Additionally, attackers frequentlymasquerade malware as legitimate processesby using slightly modified names, such as lsasss.exe, svch0st.exe, or expl0rer.exe. These tactics are designed to evade casual inspection and basic allowlisting. Detecting common Windows process names with anomalies—such as incorrect spelling, unexpected parent processes, or abnormal execution paths—is a high-fidelity behavioral signal.

Option A is too broad; nearly all processes are created by users directly or indirectly, making it noisy. Option D (process ownership changes) and Option E (startup time changes) are less relevant to detecting credential-harvesting processes at execution time and may miss the initial malicious activity.

From a threat hunting and detection engineering perspective, optionsB and Calign withMITRE ATT&CK – Defense Evasion and Credential Accesstechniques. These rules focus onbehavioral detection, not static indicators, making them resilient against attacker variation.

In short, detectingwhere a process runs fromandwhat it pretends to beprovides strong coverage against phishing-delivered malware, makingB and Cthe correct and professionally validated choices.

The correct answer ismapping trust relationships between identity systems. Hybrid identity environments introduce complex trust boundaries that attackers routinely exploit.

Modern breaches increasingly involveidentity pivoting, where attackers compromise a cloud identity and abuse synchronization, federation, or conditional access misconfigurations to escalate into on-prem Active Directory. These attack paths often do not rely on software vulnerabilities at all.

Option A is too narrow and focuses only on technical exploits. Option C measures severity but does not model movement. Option D analyzes traffic but does not explain privilege escalation pathways.

By mapping trust relationships—such as Azure AD Connect synchronization, service principals, hybrid admin roles, and conditional access exclusions—defenders can identifychained attack pathsthat enable privilege escalation without exploiting code.

From a threat hunting standpoint, this modeling enables:

Hypothesis-driven hunts

Detection of abnormal role assumptions

Visibility into identity abuse

This approach aligns withattack path modeling, a critical evolution of traditional threat modeling for identity-centric environments. Therefore, optionBis correct.

The correct answers areUse of Windows Remote Management (C)andUse of tools and commands to connect to remote shares (E). Both are core mechanisms attackers leverage forlateral movementafter gaining valid credentials through techniques such as pass-the-hash or pass-the-ticket.

Windows Remote Management (WinRM) is a legitimate administrative service used for remote command execution and system management. However, attackers frequently abuse WinRM to move laterally by executing commands on remote endpoints using stolen credentials. From a threat hunting perspective, abnormal WinRM usage—such as execution outside normal administrative hours, from unusual source hosts, or by non-administrative user accounts—is a strong indicator of lateral movement activity.

Similarly, the use of tools and commands to connect to remote shares (such as net use, wmic, SMB-based access, or mounting administrative shares like C$) is a classic lateral movement technique. Attackers use remote shares to transfer tools, stage payloads, and execute malware across systems. Monitoring these activities at the endpoint level helps identify suspicious authentication attempts, unexpected share access, and abnormal file transfers.

Option A (runas) relates more to privilege escalation than lateral movement. Option B is specific to Linux privilege persistence and is not relevant to endpoint lateral movement hunting in this context. Option D (scheduled task creation) is primarily associated with persistence rather than movement between systems.

By monitoring WinRM activity and remote share usage, security teams gain visibility intocredential-based movement, which remains one of the most common and dangerous attacker behaviors in enterprise environments. Effective lateral movement hunting focuses onhow credentials are used, not just how they are stolen.

The correct answer isdocumenting findings and updating detection logic. This represents thepost-hunt operationalization phase, which is critical for long-term security improvement.

While options A and C are necessary response actions, they address only thecurrent incident. Threat hunting’s strategic value comes from transforming discoveries intorepeatable detections, playbooks, and controls.

Professional threat hunting programs ensure that:

Successful hunts produce new SIEM rules

Detection gaps are closed

Findings are documented for future analysts

Lessons learned inform security architecture decisions

Option D continues exploration but fails to institutionalize knowledge. Without operationalizing results, organizations repeatedly rediscover the same threats.

This phase directly increases maturity in theThreat Hunting Maturity Model, shifting organizations from hero-driven hunting to scalable, resilient detection. It also moves defendersup the Pyramid of Pain, forcing adversaries to change tactics rather than indicators.

Therefore, optionBis the correct and most strategically important answer.

The correct answer isObservation of repeated failed logins followed by a successful login from a new location. This scenario represents anIndicator of Attack (IOA)because it reflectsattacker behavior in progress, not confirmed compromise.

IOAs focus onpatterns of malicious intent, such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggestspassword spraying or credential stuffing, both common initial access techniques.

Options A, B, and D are classicIndicators of Compromise (IOCs). Hashes, domains, and IP addresses are static artifacts that indicate a systemhas already been compromised. These indicators sit low on thePyramid of Painand are easy for attackers to change.

Cisco’sCBRTHD blueprintemphasizes hunting forIOAsbecause they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such asSecure Network Analytics,Secure Endpoint, and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore,Option Cis the correct and Cisco-aligned answer.

Thepass-the-hash (PtH)technique is classified underCredential Accessin the MITRE ATT&CK framework. Specifically, it aligns with theCredential Access tactic (TA0006)and the techniqueUse Alternate Authentication Material (T1550), sub-techniquePass the Hash (T1550.002). This classification is based on the attacker’s primary objective: abusing stolen credential material—in this case, NTLM password hashes—to authenticate to systems without knowing the actual plaintext password.

From a professional cybersecurity and threat hunting perspective, PtH exploits weaknesses in how Windows authentication mechanisms handle credential storage and reuse. When users authenticate to a system, password hashes may be cached in memory or stored in places such as LSASS (Local Security Authority Subsystem Service). If an attacker gains administrative or SYSTEM-level access to a host, they can extract these hashes and reuse them to authenticate to other systems across the environment.

Although pass-the-hash isoften observed during lateral movement, MITRE intentionally classifies it underCredential Accessbecause the defining action is thetheft and misuse of credential material, not the movement itself. Lateral movement is a downstream outcome enabled by the stolen credentials, but the core technique is about accessing and abusing authentication secrets.

This distinction is important for threat hunters and detection engineers. When hunting for PtH activity, defenders focus on indicators such as abnormal NTLM authentication events, logons using NTLM where Kerberos is expected, reuse of the same hash across multiple systems, and suspicious access to LSASS memory. Endpoint telemetry, Windows Security Event Logs (e.g., Event IDs 4624 and 4672), and EDR memory access alerts are commonly used data sources.

Understanding PtH as acredential access techniquehelps security teams prioritize protections such as credential guard, LSASS hardening, disabling NTLM where possible, enforcing least privilege, and monitoring authentication anomalies. This classification also reinforces a core professional principle:identity is the new perimeter, and protecting credential material is foundational to modern threat hunting and defense.

The correct answer isearlier detection of attacks before data exfiltration. This outcome directly translates toreduced business impact, which is the ultimate goal of threat hunting.

Alert volume (Option A) and false-positive reduction (Option B) measure operational efficiency, not security effectiveness. Option D measures spending, not outcomes.

Early detection:

Reduces dwell time

Prevents data loss

Limits operational disruption

Increases attacker cost

Cisco’sCBRTHD blueprintemphasizes outcome-driven security metrics, with early detection being one of the strongest indicators of threat hunting maturity.

Therefore,Option Cis the correct and executive-level answer.