Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Cisco 300-215 Exam - Topic 9 Question 108 Discussion

Actual exam question for Cisco's 300-215 exam
Question #: 108
Topic #: 9
[All 300-215 Questions]

An incident responder reviews a log entry that shows a Microsoft Word process initiating an outbound network connection followed by PowerShell execution with obfuscated commands. Considering the machine's role in a sensitive data department, what is the most critical action for the responder to take next to analyze this output for potential indicators of compromise?

Show Suggested Answer Hide Answer
Suggested Answer: C

When dealing with suspected malicious activity involving obfuscated PowerShell scripts---especially when launched from Microsoft Word documents---behavioral analysis is the most critical next step. This approach helps in determining if the process chain is part of a known attack pattern, such as a phishing attempt using malicious macros that launch PowerShell for data exfiltration or payload download.

As highlighted in the CyberOps Technologies (CBRFIR) 300-215 study guide, understanding behavior and deobfuscating PowerShell scripts is an essential part of the forensic and incident response process. Specifically:

During the detection and analysis phase, if PowerShell is used with obfuscated or encoded commands, responders should investigate the intent and behavior of the command.

Deobfuscation allows analysts to see what the script is doing (e.g., downloading files, creating persistence mechanisms, or opening a reverse shell).

The guide states:

''For example, if the threat is malware, the compromised system should be immediately isolated and the malware should be placed in a sandbox or a detonation chamber to understand what it is trying to do''.

This confirms that understanding execution behavior (such as what the PowerShell script intends to perform) is key to uncovering indicators of compromise (IoCs).

Thus, option C---conducting a behavioral analysis and deobfuscating PowerShell---is the most critical and effective response at this stage.


by Tegan at Jan 28, 2026, 09:39 PM

Limited Time Offer

25%

Off

Get Premium 300-215 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Charisse
4 days ago
I feel like we should also consider running a memory analysis to see if there are any remnants of the obfuscated commands still active.
upvoted 0 times
...
Ellen
10 days ago
This reminds me of a practice question where we had to analyze similar PowerShell activity. I think checking for known malicious signatures could be key here.
upvoted 0 times
...
Caitlin
1 month ago
I'm not entirely sure, but I think we should look for any unusual outbound connections in the logs to identify if there's a pattern.
upvoted 0 times
...
Suzan
1 month ago
I remember we discussed the importance of isolating the machine first to prevent any potential data exfiltration.
upvoted 0 times
...
Bettina
1 month ago
Okay, this sounds like a classic case of potential malware or unauthorized access. I'd prioritize collecting forensic data like memory dumps and network captures to really understand what's going on under the hood.
upvoted 0 times
...
Wilson
2 months ago
First thing I'd do is isolate the machine to prevent any further potential spread. Then I'd start analyzing the process and network activity to see if I can identify any malicious behavior.
upvoted 0 times
...
Lisbeth
2 months ago
Whoa, this is a tricky one. I'd need to dig into the log entries in more detail to understand the full context and timeline of events before deciding the best next steps.
upvoted 0 times
...
Sylvie
2 months ago
Okay, the key things here are the Word process initiating an outbound connection and the obfuscated PowerShell commands. I'd focus on investigating those to see if there are any signs of compromise.
upvoted 0 times
...
Golda
2 months ago
Hmm, this sounds like a potential security incident. I'd want to quickly capture a memory dump and network traffic to analyze further for any malicious activity.
upvoted 0 times
...

Save Cancel