Practice Free 300-220 Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Exam Questions Answers With Explanation

The correct answer isIndicators of attack (IOAs). Unstructured threat hunting is typically triggered byweak signals, anomalies, or suspicious behaviorsthat do not yet meet the threshold of confirmed compromise. These early signals are best described as indicators of attack rather than indicators of compromise.

To understand this distinction, it’s important to separateIOAsfromIOCs. Indicators of compromise (Option A) include confirmed artifacts such as malicious hashes, known bad IP addresses, or identified malware. When IOCs are present, the organization is already reacting to a known or validated threat, which aligns more closely withstructured threat huntingor incident response—not unstructured hunting.

Unstructured threat hunting is exploratory in nature. It is often initiated when analysts notice something “off,” such as unusual login behavior, abnormal process execution, unexpected network traffic patterns, or deviations from baseline behavior. These observations suggestattacker intent or activity in progress, but without definitive proof of compromise. That uncertainty is precisely what drives unstructured hunts.

Option B (tactics, techniques, and procedures) is incorrect because TTPs are typically used to formhypothesis-driven, structured huntsbased on known adversary behavior frameworks like MITRE ATT&CK. Option C (customized threat identification) is vague and not a recognized trigger within professional threat hunting models.

From a SOC and threat hunting maturity perspective, unstructured hunting commonly occurs inlower to mid maturity environments, where hunters rely on intuition, experience, and anomaly detection rather than predefined hypotheses. It often serves as thestarting pointfor discovering new attack patterns, which can later be formalized into structured hunts and detection logic.

In short, unstructured threat hunting begins when defenders detectindicators of attack—signals that something malicious may be happening, even if there is no confirmed compromise yet. This makesOption Dthe correct and professionally accurate answer.

The correct answer isit reflects the attacker’s operational preferences. Attribution relies on understandinghow attackers operate, not just what tools they use.

Operational preferences—such as avoiding PowerShell logging, disabling AMSI, and favoring WMI—arebehavioral signatures. These patterns often persist across campaigns and are documented in threat intelligence reports associated with specific adversaries.

Option A is incorrect because malware families change frequently. Option B is unreliable due to infrastructure rotation. Option D is unrelated to post-access tradecraft.

Professional attribution focuses on:

Execution methods

Defensive evasion choices

Tooling preferences

Workflow consistency

Mapping these behaviors toMITRE ATT&CK techniquesenables analysts to compare findings against known threat actor profiles. This provides higher confidence attribution than artifact-based indicators.

Thus, optionCis the correct answer.

The correct answer isanalyzing authentication behavior anomalies across users and devices. Credential abuse is one of the most common and effective techniques used by modern attackers because it allows them to blend in with legitimate activity and bypass malware-based defenses.

Options A and B rely on malware indicators, which are often absent in credential-based attacks. Option D addresses only one potential delivery or command-and-control vector and does not detect misuse of valid credentials.

By analyzing authentication behavior, threat hunters can detect:

Impossible travel scenarios

Abnormal login times

Excessive failed logins followed by success

Logins from unusual devices or locations

Cisco tools such asCisco Secure Network Analytics, VPN telemetry, and identity logs provide rich data sources for this type of hunting. This approach focuses onIndicators of Attack (IOAs)rather than Indicators of Compromise (IOCs), pushing detection higher on thePyramid of Pain.

Within theCBRTHD blueprint, hunting for credential misuse is a core competency, especially in cloud and remote-access environments. Detecting these behaviors early significantly reduces attacker dwell time and limits the blast radius of compromise.

Therefore,Option Cis the most effective and Cisco-aligned answer.

The correct answer isit highlights consistent attacker tradecraft. Attribution depends on recognizingbehavioral patternsthat persist across campaigns.

Attackers frequently change malware, infrastructure, and exploits, but they are far less likely to changehow they prefer to operate. Consistent use of SMB for lateral movement and deliberate avoidance of PowerShell reflect conscious operational choices.

Option A is unrelated to lateral movement behavior. Option B assumes malware development, which may not exist. Option D addresses impact, not attribution.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingto correlate observed behaviors with known threat actor profiles. These behavioral fingerprints provide far stronger attribution confidence than low-level indicators.

Therefore,Option Cis the correct answer.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected after initial compromise.

As threat hunting maturity increases:

Behavioral coverage improves

Detection occurs earlier in the attack lifecycle

Attackers are identified before achieving objectives

Options A and C measure activity, not effectiveness. Option D measures inputs, not outcomes.

Cisco’sCBRTHD blueprintemphasizes outcome-driven metrics. Reduced dwell time directly correlates with lower business impact, reduced data loss, and improved resilience.

Therefore,Option Bis the most meaningful and Cisco-aligned metric.

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct answer isC. Modifying this key requires administrative privileges, which the malware might not have.

The exhibit shows persistence established under the registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This registry key is aper-user startup location, meaning any executable listed there will automatically run whenthat specific userlogs in. Crucially,write access to HKEY_CURRENT_USER (HKCU) does not require administrative privileges—only the privileges of the compromised user account.

In contrast,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

appliessystem-wideand causes programs to execute at startup forall users. However, modifying this key requireslocal administrator privileges. In many real-world breaches, attackers initially compromisestandard user accounts, not administrators. As a result, malware often chooses HKCU-based persistence mechanisms because they arereliable, stealthy, and achievable without privilege escalation.

Options A and D are incorrect because both registry paths are fully supported in modern versions of Windows and are explicitly designed for startup execution. Option B is incorrect because neither key automatically removes entries after a reboot—both are persistent by design.

From a threat hunting and endpoint detection perspective, this distinction is critical. HKCU persistence indicates:

User-level compromise

No confirmed administrative access (yet)

Potential precursor to privilege escalation attempts

This technique maps toMITRE ATT&CK – Persistence: Boot or Logon Autostart Execution (T1547.001). Mature SOC teams monitorboth HKCU and HKLM Run keys, but they interpret them differently when reconstructing attacker capability and progression.

In summary, the attacker usedHKCUbecause it enables persistencewithout requiring administrative privileges, makingOption Cthe correct and professionally accurate answer.

The correct answer ismapping trust relationships between identity systems. Hybrid identity environments introduce complex trust boundaries that attackers routinely exploit.

Modern breaches increasingly involveidentity pivoting, where attackers compromise a cloud identity and abuse synchronization, federation, or conditional access misconfigurations to escalate into on-prem Active Directory. These attack paths often do not rely on software vulnerabilities at all.

Option A is too narrow and focuses only on technical exploits. Option C measures severity but does not model movement. Option D analyzes traffic but does not explain privilege escalation pathways.

By mapping trust relationships—such as Azure AD Connect synchronization, service principals, hybrid admin roles, and conditional access exclusions—defenders can identifychained attack pathsthat enable privilege escalation without exploiting code.

From a threat hunting standpoint, this modeling enables:

Hypothesis-driven hunts

Detection of abnormal role assumptions

Visibility into identity abuse

This approach aligns withattack path modeling, a critical evolution of traditional threat modeling for identity-centric environments. Therefore, optionBis correct.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer isconverting hunt findings into permanent detections. Threat hunting is only effective when discoveries areoperationalized.

Without converting findings into SIEM, EDR, or NDR detections, organizations repeatedly identify the same attacker behaviors, wasting time and resources. Options A, B, and D improve capacity but do not eliminate blind spots.

Mature threat hunting programs ensure that:

Hunts produce detection rules

Alerts are tuned and validated

Knowledge is institutionalized

This is a defining trait ofhigh-maturity security organizationsand directly improves resilience. Therefore, optionCis correct.

The correct answer isendpoint process execution and memory access events. During thedata collection and processing phase, the goal is to gatherhigh-fidelity telemetrythat supports hypothesis validation.

Credential harvesting often occurswithout dropping malwareand instead relies on:

Memory scraping

LSASS access

Credential dumping tools

In-memory execution

Cisco Secure Endpoint provides deep visibility into:

Process creation and parent-child relationships

Memory access attempts

Privilege abuse

Fileless execution

Option A provides enrichment but not raw behavioral evidence. Option C supports context but does not replace endpoint telemetry. Option D is reactive and unreliable for structured hunts.

Within theCBRTHD threat hunting lifecycle, this phase emphasizesevidence over indicators. Without endpoint execution and memory telemetry, hunters cannot reliably confirm credential access techniques.

This aligns withMITRE ATT&CK Credential Accesstactics and Cisco’s emphasis onendpoint behavioral analytics.

Thus,Option Bis the correct answer.

The correct answer isObservation of repeated failed logins followed by a successful login from a new location. This scenario represents anIndicator of Attack (IOA)because it reflectsattacker behavior in progress, not confirmed compromise.

IOAs focus onpatterns of malicious intent, such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggestspassword spraying or credential stuffing, both common initial access techniques.

Options A, B, and D are classicIndicators of Compromise (IOCs). Hashes, domains, and IP addresses are static artifacts that indicate a systemhas already been compromised. These indicators sit low on thePyramid of Painand are easy for attackers to change.

Cisco’sCBRTHD blueprintemphasizes hunting forIOAsbecause they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such asSecure Network Analytics,Secure Endpoint, and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isB. Using "SecurityScan/2.5" to access all /admin endpoints. This log entry most clearly aligns with anauthorized security assessmentactivity designed to test weaknesses previously exploited during a breach.

Authorized security assessments—such as penetration tests or red team exercises—are typicallycontrolled, scoped, and intentional. They focus on validating security controls by probing sensitive areas (like administrative interfaces) while avoiding destructive actions. The user-agent string"SecurityScan/2.5"strongly suggests a purpose-built security scanning tool, which is commonly used by internal security teams or third-party assessors during sanctioned testing.

Option A is incorrect because performing login attempts at scale usingleaked credentialswould constitute real-world malicious behavior unless explicitly approved and tightly controlled. Even in authorized tests, credential stuffing with known leaked credentials is highly sensitive and would be explicitly documented; the wording here implies adversary behavior rather than assessment activity.

Option C is clearly malicious and inappropriate for an authorized assessment. Executing ashutdown commandis a destructive action and would violate standard rules of engagement for professional security testing. Such activity would be classified as adversarial exploitation, not a controlled delivery method.

Option D represents benign reconnaissance. A genericweb crawler gathering public-facing informationis typically associated with search engines or basic reconnaissance and does not directly test weaknesses related to a prior breach. While reconnaissance is part of assessments, it is not a strong indicator of a targeted, authorized delivery method.

From a threat hunting and SOC perspective, recognizing authorized assessment activity is critical to avoid misclassifying tests as incidents. Indicators include identifiable scanner user agents, predictable request patterns, limited scope targeting (such as /admin paths), and non-destructive behavior. This scenario reinforces an important operational lesson:context, intent, and tooling matter. Among the options,SecurityScan/2.5 targeting administrative endpointsbest reflects a legitimate, authorized security assessment delivery method.