Exam CAS-005 Topic 2 Question 146 Discussion

Actual exam question for CompTIA's CAS-005 exam
Question #: 146
Topic #: 2
A security analyst receives the following SIEM alert for review:
Time | Event
03/07/2025 UTC 13:54:06 | MACHINE: hr_talent_01.corp.local " cd " SUCCESS
03/07/2025 UTC 13:54:07 | MACHINE: hr_talent_01.corp.local " cd ../../ " SUCCESS
03/07/2025 UTC 13:54:08 | MACHINE: hr_talent_01.corp.local " sudo cat /etc/shadow " SUCCESS

Which of the following best describes the incident that occurred on the device?

Suggested Answer: B

The best answer is B. An attacker viewed password hashes on the device. The decisive event is sudo cat /etc/shadow SUCCESS. On Linux systems, /etc/shadow stores password hashes and related account password data. The log therefore indicates successful privileged access to that file and successful viewing of its contents. CompTIA's SecurityX Security Operations domain includes analysis of indicators of malicious activity and investigation of suspicious system behavior; this command sequence is consistent with credential-access activity.
Why the other options are not best:
A is incorrect because there is no evidence of file injection. C is not supported because the logs show file access, not confirmed data transfer or exfiltration. D is tempting because of cd ../../, but that is only navigation. The key security-relevant action is the successful reading of /etc/shadow, which means password hashes were viewed.
References:
CompTIA SecurityX official exam objectives summary, Security Operations domain.

by Scott at Jun 12, 2026, 07:25 AM
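
The triage reasoning in the explanation above (navigation is noise, a successful read of /etc/shadow is the finding) can be written as detection logic over the alert rows. This is an added example, not part of the original question or answer; the file list, the reader-command list, the FAILED status and the two extra hosts are assumptions, and it goes slightly beyond the alert by normalising absolute path variants and skipping sudo options.

```python
import posixpath
import re
import shlex

# Assumed (not from the page): credential stores and file-reading commands.
CREDENTIAL_FILES = {"/etc/shadow", "/etc/gshadow", "/etc/security/opasswd"}
READERS = {"cat", "less", "more", "head", "tail", "cp", "grep", "strings"}
# Row layout taken from the alert: <time> | MACHINE: <host> " <cmd> " <STATUS>
ROW = re.compile(r'^(?P<time>[^|]+?)\s*\|\s*MACHINE:\s*(?P<host>\S+)\s*'
                 r'"\s*(?P<cmd>.*?)\s*"\s*(?P<status>[A-Z]+)\s*$')

def classify(cmd):
    """Return (category, privileged, target) for one logged command."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: leave for manual review
        return ("unparsed", False, None)
    privileged = bool(argv) and argv[0] == "sudo"
    if privileged:
        argv = argv[1:]
        while argv and argv[0].startswith("-"):  # drop sudo's own options
            argv = argv[2:] if argv[0] in ("-u", "-g") else argv[1:]
    if argv and argv[0] == "cd":
        return ("navigation", privileged, None)
    if argv and argv[0] in READERS:
        for arg in argv[1:]:  # absolute paths only; relative ones need the cwd
            path = posixpath.normpath("/" + arg.lstrip("/"))
            if arg.startswith("/") and path in CREDENTIAL_FILES:
                return ("credential_read", privileged, path)
    return ("other", privileged, None)

def triage(lines):
    """Return one finding per successful read of a credential file."""
    findings = []
    for m in filter(None, map(ROW.match, lines)):
        category, privileged, target = classify(m["cmd"])
        if category == "credential_read" and m["status"] == "SUCCESS":
            findings.append({"time": m["time"], "host": m["host"],
                             "target": target, "privileged": privileged})
    return findings

# First three rows are the alert from the question; the last two are constructed.
SAMPLE = [
    '03/07/2025 UTC 13:54:06 | MACHINE: hr_talent_01.corp.local " cd " SUCCESS',
    '03/07/2025 UTC 13:54:07 | MACHINE: hr_talent_01.corp.local " cd ../../ " SUCCESS',
    '03/07/2025 UTC 13:54:08 | MACHINE: hr_talent_01.corp.local " sudo cat /etc/shadow " SUCCESS',
    '03/07/2025 UTC 14:02:11 | MACHINE: host-a.example " cat /etc/../etc/shadow " FAILED',
    '03/07/2025 UTC 14:02:15 | MACHINE: host-b.example " sudo -u root head -n 1 //etc/gshadow " SUCCESS',
]
```

Calling triage(SAMPLE) reports the sudo cat /etc/shadow row and the constructed host-b row; the two cd rows classify as navigation and the FAILED attempt is not reported as a successful read.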
