CompTIA Updated SY0-701 Exam Questions and Answers by mae

The scenario describes a situation where a user unknowingly triggers an unwanted action, such as changing their password, by clicking a malicious link. This is indicative of a Cross-Site Request Forgery (CSRF) attack, where an attacker tricks the user into executing actions they did not intend to perform on a web application in which they are authenticated.

References = CompTIA Security+ SY0-701 study materials, particularly in the domain of web application security and common attack vectors like CSRF​​.

The best answer is C. Watering hole .

A watering hole attack occurs when attackers compromise a website that a targeted group commonly visits. The attacker expects the victims to access that site as part of their normal behavior, allowing malicious code or exploits to be delivered indirectly.

This exactly matches the scenario of a website that multiple employees frequently visit .

Why the other options are incorrect:

A. Supply chain A supply chain attack targets vendors, providers, or trusted third parties to affect downstream victims.

B. Typosquatting Typosquatting involves fake lookalike domains designed to trick users who mistype a web address.

D. Impersonation Impersonation involves pretending to be a trusted person or entity, not compromising a commonly visited site.

From a SY0-701 perspective, compromising a trusted site used by a target group is the definition of a watering hole attack.

The best answer is C. EDR logs.

EDR (Endpoint Detection and Response) tools are designed to monitor endpoint activity in detail, including process execution, command-line usage, script activity, file changes, persistence attempts, and suspicious behavior. Since the incident involves a PowerShell script, EDR logs are the most useful source for identifying whether the script attempted to compromise the system.

PowerShell is commonly abused by attackers for fileless malware, persistence, lateral movement, downloading payloads, and privilege escalation. EDR can capture this kind of endpoint-level behavior much more effectively than general network logs.

Why the other options are incorrect:

A. SNMP logsSNMP is mainly used for network device monitoring and management, not detailed endpoint script execution analysis.

B. Firewall logsFirewall logs can show allowed or blocked traffic, but they usually do not provide deep visibility into local PowerShell execution or endpoint compromise attempts.

D. IPS logsAn IPS may detect known malicious traffic patterns, but it is focused on network-based activity. It is not the best source for detailed analysis of a PowerShell script running on a host.

From a Security+ standpoint, when analyzing suspicious scripts or endpoint behavior, EDR provides the strongest visibility into actual compromise attempts.