CompTIA CySA+ (CS0-003) — Question 251
An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:
cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand
Which of the following should the analyst use to gather more information about the purpose of this command?
Answer options
- A. Echo the command payload content into `base64 -d`.
- B. Execute the command from a Windows VM.
- C. Use a command console with administrator privileges to execute the code.
- D. Run the command as an unprivileged user from the analyst workstation.
Correct answer: A
Explanation
Option A is correct because decoding the command payload reveals its actual contents and intent without running it. Options B and C are risky because executing a potentially malicious command can compromise the system, and option D would also be unsafe, as it does not provide the necessary privileges to analyze the command effectively.
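As an added example (not part of the question or its answer key), the decoding step from option A carried out safely in Python: PowerShell's -EncodedCommand argument is base64 over UTF-16LE text, so a bare `base64 -d` leaves a NUL byte after every character and the bytes still have to be decoded as UTF-16LE to read the script. The command line and encoded payload below are constructed for the example; nothing is executed.

```python
import base64
import re
from typing import Optional

def encode_command(text: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand
    (UTF-16LE, then base64). Used here only to build the constructed sample."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample command line (not the page's payload, which is not shown).
SAMPLE_COMMAND_LINE = (
    r"cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    "-WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile "
    "-EncodedCommand " + encode_command("Write-Host 'constructed sample'")
)

# PowerShell also accepts abbreviations such as -e, -ec and -enc; the switch is
# matched case-insensitively and must be followed by whitespace and base64.
ENC_FLAG = re.compile(
    r"-(?:encodedcommand|encodedc|encoded|encode|enco|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Switches from the captured command line that an analyst would note as
# defense-evasion indicators (hidden window, policy bypass, no profile).
EVASION_SWITCHES = ("-WindowStyle Hidden", "-ExecutionPolicy Bypass", "-NoProfile", "-NoLogo")

def extract_encoded_payload(command_line: str) -> Optional[str]:
    """Return the base64 blob following the encoded-command switch, if any."""
    m = ENC_FLAG.search(command_line)
    return m.group(1) if m else None

def naive_base64_decode(b64: str) -> bytes:
    """What a plain `base64 -d` produces: UTF-16LE bytes with interleaved NULs."""
    return base64.b64decode(b64)

def decode_encoded_command(b64: str) -> str:
    """Fully decode an -EncodedCommand payload: strict base64, then UTF-16LE."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")

def suspicious_switches(command_line: str) -> list:
    lowered = command_line.lower()
    return [s for s in EVASION_SWITCHES if s.lower() in lowered]

def analyze(command_line: str) -> dict:
    """Static analysis only: extract, decode and flag; never invoke the command."""
    payload = extract_encoded_payload(command_line)
    decoded = decode_encoded_command(payload) if payload else None
    return {"payload": payload, "decoded": decoded,
            "switches": suspicious_switches(command_line)}
```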